Dig is a DNS lookup utility that comes with BIND, and it helps a lot while troubleshooting DNS issues (which are more common than you probably think #hugops). I use `dig` fairly often and thought I'd write an introductory guide on how you can use `dig`, with some practical examples that'll help you `dig` through DNS issues faster (sorry for the lame pun, couldn't resist).
Basics
The most basic and common usage for `dig` is to query the authoritative servers for a particular domain and retrieve its IP address. If it's IPv4 you should be looking at the `A` record, while if it's IPv6 the `AAAA` record is your friend. Let's see the DNS records for the site you're currently on:

```
$ dig mrkaran.dev

; <<>> DiG 9.... <<>> mrkaran.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ...
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: ...

;; QUESTION SECTION:
;mrkaran.dev.			IN	A

;; ANSWER SECTION:
mrkaran.dev.		...	IN	A	...

;; Query time: 6 msec
;; SERVER: ...0.0.1#...(...0.0.1)
;; WHEN: Tue Oct ... (IST)
;; MSG SIZE  rcvd: ...
```
This is the most basic example for `dig`. Let's explore some of the additional options.

Keep it short

`dig +short` keeps the information to the bare minimum and only displays the `ANSWER` section.

```
$ dig +short mrkaran.dev
...128
```
Nameserver details

If you want to find the nameserver for your DNS records, you can use the query type `ns`.

```
$ dig mrkaran.dev ns +short
alec.ns.cloudflare.com.
cruz.ns.cloudflare.com.
```

`ns` is one of the many query types you can use to indicate which type of DNS record you want to fetch. The default is the `A` record, which returns the IPv4 address of the domain (unless it's a root domain, in which case the default query type is `NS`). Some other examples of query types are `mx`, `AAAA`, `TXT` etc.

Fun Fact: the `ANY` query type has become obsolete as per the new RFC, and DNS operators can choose not to respond to this query. The reason for this is that the response payload for an `ANY` query is quite huge (since it has to return all types of DNS records), and this could affect the performance of authoritative servers in the case of a DNS amplification attack.

Using a different DNS server
Let's say you want to switch to a different resolver; you can use `@` followed by the address of your DNS server.

```
$ dig mrkaran.dev @9.9.9.9
```

Reverse DNS Lookup

This one's actually pretty cool. `dig -x` lets you query an IP and retrieve the hostname details for that IP.

Multiple queries

You can input a list of domain names and pass the file to `dig` with the `-f` arg.

```
$ cat digfile
mrkaran.dev
joinmastodon.org
zoho.com
```

To list all MX records for the domains in a file, you can use something like:

```
$ dig -f digfile +noall mx +answer
mrkaran.dev.		...	IN	MX	...	mx.zoho.in.
mrkaran.dev.		...	IN	MX	...	mx2.zoho.in.
mrkaran.dev.		...	IN	MX	...	mx3.zoho.in.
joinmastodon.org.	...	IN	MX	17	in1-smtp.messagingengine.com.
joinmastodon.org.	...	IN	MX	...	in2-smtp.messagingengine.com.
zoho.com.		...	IN	MX	...	smtpin.zoho.com.
zoho.com.		...	IN	MX	...	smtpin2.zoho.com.
zoho.com.		...	IN	MX	...	smtpin3.zoho.com.
```
Search List

I learnt this recently while debugging a DNS issue in one of the Kubernetes pods. `dig` does not use search paths by default, so if you have a service, say `redis`, inside a namespace, `dig` won't fetch any result:

```
$ dig redis +short
# empty output, indicates no record found
```

This is because a service name in Kubernetes is of the form `service.namespace.svc.cluster.local`. So we should actually be querying for `redis.myns.svc.cluster.local`, and we'll get our result. But isn't that too long and painful (sorry for the pun) to type? So there's another option, `+search`, which can be used to find all domains matching the search path defined in the `/etc/resolv.conf` nameserver configuration.

```
$ cat /etc/resolv.conf
nameserver ...0.13
search myns.svc.cluster.local svc.cluster.local cluster.local
```

We can now query for `redis` with this search list:

```
$ dig redis +search +short
...
```
DNSSEC Validation

`dig` even lets you verify the DNS records you received using DNSSEC validation.

```
$ dig mrkaran.dev +dnssec

; <<>> DiG 9.... <<>> mrkaran.dev +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: ...

;; QUESTION SECTION:
;mrkaran.dev.			IN	A

;; ANSWER SECTION:
mrkaran.dev.		...	IN	A	...
mrkaran.dev.		...	IN	RRSIG	A ... mrkaran.dev. Tl3zD6EqfVRvZi90ahePQcAXnbSUY9ZEYx/KwXnDUyonlrCKuBHzIYYCMJoVns410sOwbIrcAdLgxeiMYqRQ==

;; Query time: ... msec
;; SERVER: 1.1.1.1#...(1.1.1.1)
;; WHEN: Mon Nov ... (IST)
;; MSG SIZE  rcvd: ...
```

The important bit to note here is the `ad` flag being set, which represents Authenticated Data. The records will only be returned if the validation succeeds (unless you also specify `+cd`, which sets the Checking Disabled flag). On a server which does not have DNSSEC enabled, you can see that no records are returned with the `+dnssec` flag.

```
$ dig dnssec-failed.org +dnssec

; <<>> DiG 9.... <<>> dnssec-failed.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23292
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: ... msec
;; SERVER: 1.1.1.1#...(1.1.1.1)
;; WHEN: Mon Nov ... IST
;; MSG SIZE  rcvd: ...
```
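As an added example, not part of the original post, here is a small POSIX shell helper that turns the header lines from the two `+dnssec` runs above into a verdict: it reads the `ad` flag and the `SERVFAIL` status, and uses a `+cd` re-query to tell a name that fails validation apart from one that is simply not signed (that secure/bogus/insecure split goes one step beyond the post). The function names, the default resolver `1.1.1.1` and the sample header lines are my own construction.

```shell
#!/bin/sh
# Added helper (not from the original post): classify DNSSEC state from the
# header lines dig prints. $1 = output of `dig NAME +dnssec`, $2 = output of
# `dig NAME +dnssec +cd`. Prints one of: secure | bogus | insecure | error
classify_dnssec() {
  normal="$1"
  with_cd="$2"
  # "status: NOERROR" / "status: SERVFAIL" comes from the ->>HEADER<<- line
  status=$(printf '%s\n' "$normal" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  cd_status=$(printf '%s\n' "$with_cd" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # "qr rd ra ad" comes from the ";; flags:" line
  flags=$(printf '%s\n' "$normal" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case " $flags " in
    *" ad "*)
      # ad = Authenticated Data: the resolver validated the answer chain
      if [ "$status" = "NOERROR" ]; then echo secure; return 0; fi ;;
  esac
  if [ "$status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
    # validation failed: the answer exists but only comes back with checking disabled
    echo bogus; return 0
  fi
  if [ "$status" = "NOERROR" ]; then
    # answered without ad: zone not signed, or the resolver does not validate
    echo insecure; return 0
  fi
  echo error; return 1
}

# Live wrapper (needs dig and network): asks a validating resolver, 1.1.1.1 by default.
dnssec_status() {
  name="$1"; resolver="${2:-1.1.1.1}"
  classify_dnssec "$(dig "$name" "@$resolver" +dnssec)" "$(dig "$name" "@$resolver" +dnssec +cd)"
}

# Constructed sample header lines (not real captures) covering the three cases.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify_dnssec "$SAMPLE_SECURE" "$SAMPLE_SECURE"       # secure
classify_dnssec "$SAMPLE_BOGUS" "$SAMPLE_BOGUS_CD"      # bogus
classify_dnssec "$SAMPLE_INSECURE" "$SAMPLE_INSECURE"   # insecure
```

Run `dnssec_status example.com` (or with a second argument for another resolver) to get the verdict for a live name; the `bogus` case is what the `dnssec-failed.org` run above shows as `SERVFAIL`.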
That pretty much covers some practical examples with `dig`. I will soon write a detailed post on how DNSSEC validation works and why it needs to be mainstream.

Fin!