Skip to content

Troubleshooting DNS with dig

dig is a DNS lookup utility which is invaluable for helping troubleshoot DNS errors.

To lookup the IPv4 address of a hostname, run:

$ dig example.ircnow.org
; <<>> dig 9.10.8-P1 <<>> example.ircnow.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15341
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.ircnow.org.                    IN      A
;; ANSWER SECTION:
example.ircnow.org.             3600    IN      A       192.168.0.1
;; Query time: 485 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 21 12:31:44 CST 2020
;; MSG SIZE  rcvd: 55

Success or Failure

status: NOERROR\

This indicates that the name lookup succeeded.

status: NXDOMAIN\

This indicates that the name server believes there are no records for the hostname. In other words, the name server for the zone exists, but the record does not.

;; connection timed out; no servers could be reached\

This indicates that your computer cannot reach the nameservers in /etc/resolv.conf. Please reconfigure your local caching nameservers.

Answer Section

;; ANSWER SECTION:
example.ircnow.org.             3600    IN      A       192.168.0.1

The 3600 means that this entry has a time to live (TTL) value of 3600s. After 3600s, or 1 hour, the answer will no longer be valid. A means this is an A record (it tells you the IPv4 address), and the IP address 192.168.0.1.

Other Details

;; Query time: 485 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

This tells you that it took 485 milliseconds to make the request, and that dig asked the nameserver 127.0.0.1 on port 53 for the answer. The server is very important because different nameservers might give different responses. For example, suppose you want to ask the two nameservers, ns1.ircnow.org and ns2.ircnow.org, what the correct answer is:

$ dig @ns1.ircnow.org example.ircnow.org
$ dig @ns2.ircnow.org example.ircnow.org

The two nameservers might give different answers!

To test if your changes have propagated (other nameservers have synced), you can try testing other public nameservers like the ones offered by OpenNIC.

Getting Other Records

By default, dig returns A records, but there are many other records:

$ dig -t any example.ircnow.org # shows all records
$ dig -t mx example.ircnow.org # shows MX (mail exchange) records
$ dig -t ns example.ircnow.org # shows NS (nameserver) records
$ dig -t aaaa example.ircnow.org # shows AAAA (IPv4) records
$ dig -t txt example.ircnow.org # shows TXT (text) records

Getting PTR Record(s) of an IP address

Dig can also be used to retrieve PTR record of an given IPv4/IPv6 address.

$ dig -x 1.1.1.1 # shows PTR record of the IPv4 address
$ dig -x 2001:4860:4860::8888 # shows PTR record of the IPv6 address

Tracing of the delegation path of given address

Delegation path of given address can be traced using dig, this is especially useful to find out if the delegation works as expected.

$ dig example.ircnow.org +trace
; <<>> dig 9.10.8-P1 <<>> example.ircnow.org +trace
;; global options: +cmd
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 20210516200000 20210503190000 14631 . bnVFcTaX1W1OiurBnLbT4UsUC2krXwFuxUulTcThjei0bDeBbNweZz/e qeps3buVQVL14TTKglTcuuxQOoacUSuznWbU3xaj+Wvxu+HLdBqD+cXP LXY/4qKG9jZLCo1h1sRg5ZUOkL13u8UaBT378Ic6AJyRTfVAiRk3S1Sy 3aWZWOVpnIM0U4RcCUZ4nZ6NPraZVeEapwk2HxkQml+twBO0rwueS0sP XV16tquBGsQhFD3w2/dQHLYhFjiU9LhaM9M6/+A7kPpPp36DpQiwT7kB dQVwWVPsMKOIr8gmrfLjfxXq46Hl/lV9k4HnLyozz3R/xs0Zp5wIxLQG LKIWZA==
;; Received 1097 bytes from 198.41.0.4#53(198.41.0.4) in 9 ms
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    86400   IN      DS      26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org.                    86400   IN      RRSIG   DS 8 1 86400 20210516200000 20210503190000 14631 . A3Jr31VIuTGkzUFT/cWJNmkiNFYF8V9aOxwIDdca03xOFVsHzPcU5ZO8 zunq39DAer9PZgaKSSYhlGXC7WkAcrxT/lA9T83cnUTqKmbzWFnzr+wI b7+E3dzg9p63mKq/XuC0keLAAMwXHlqJy4Pe75FgzgPO3wwrqGx4tPev izbhJsUB4nrDWBJfOiGoOFXFGdX4DRdfLsjymteC0IIxPDoKvKByyP1a rDL9kUs23Ps65H6Vz/modC09a40cWNfYZaiOfFp7bkcXFJe7/544Jjki nv31EwHFF5t0TiWEPSrluiPnFC3aNphea/Q8bZ/jxWCrG98xpfSMCGA/ G9zqgA==
;; Received 784 bytes from 198.97.190.53#53(h.root-servers.net) in 95 ms
ircnow.org.             86400   IN      NS      mango.ircnow.org.
ircnow.org.             86400   IN      NS      cherry.ircnow.org.
ircnow.org.             86400   IN      NS      pear.ircnow.org.
ircnow.org.             86400   IN      NS      lemon.ircnow.org.
ircnow.org.             86400   IN      NS      fig.ircnow.org.
ircnow.org.             86400   IN      NS      peach.ircnow.org.
ircnow.org.             86400   IN      NS      plum.ircnow.org.
ircnow.org.             86400   IN      NS      banana.ircnow.org.
ircnow.org.             86400   IN      NS      guava.ircnow.org.
ircnow.org.             86400   IN      NS      jujube.ircnow.org.
1i870vj5h429vj9pci7ar6e9gki74tr7.org. 86400 IN NSEC3 1 1 10 332539EE7F95C32A 1I87R64GAJU4O91MHKBU7I9EKBS7K8UT NS SOA RRSIG DNSKEY NSEC3PARAM
1i870vj5h429vj9pci7ar6e9gki74tr7.org. 86400 IN RRSIG NSEC3 8 2 86400 20210525020414 20210504010414 30453 org. Jr1WNE6PxVRBjPaS2ocx+/QrcSHGo/Igqv2xKJZFmnU3o5CZ5Z321Oab o4aVePLpBu0xvRPMhShwEEp/1R4g+jhH/V3aiREbvV9tJNmYQXtsDVNi vB9KJJyimZRRYzu3Mmbdc0UQIiaI+v9/kuREwCvPge4gBbwRRt+BMM0X y+w=
dd5mibgab03im9bnjrjia69igfiona2m.org. 86400 IN NSEC3 1 1 10 332539EE7F95C32A DD5ND6BTBKEQ2D0352TNPA24DSKUA3DU NS DS RRSIG
dd5mibgab03im9bnjrjia69igfiona2m.org. 86400 IN RRSIG NSEC3 8 2 86400 20210522152710 20210501142710 30453 org. vJlCPFP7u+SJRx7aAwP5WPSWI5IoFZkuoT3BV0MzpxOV+3yb7PKJauKT dh8tx9WWgiQRTo6rlnl7p/uTzAfaqH4dc0qal9UfJiUQnEPwTAlAGcnZ 5EwquV1HyDmDUITNSUE/PiadxjOP4Abn6w7L6CPLv128wXebf/ReJkRB kUs=
;; Received 907 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 29 ms
ircnow.org.             3600    IN      SOA     ns1.ircnow.org. admin.ircnow.org. 2021032508 1800 7200 1209600 3600
;; Received 93 bytes from 198.251.89.130#53(fig.ircnow.org) in 127 ms

Here you can see that we started querying from the end of the address '.' and moving backward.

For each of the name server in the delegation path we query previous part of the address. In this example:

'.'

'org.' (answer from h.root-servers.net)

'ircnow.org.' (answer from d0.org.afilias-nst.org)

'example.ircnow.org' (answer from fig.ircnow.org)

To see your own authoritative name server in action after you have completed nsd tutorial, do:

$ dig username.fruit.ircnow.org +trace