DIG(1)				     BIND9				DIG(1)

       dig - DNS lookup	utility

       dig [@server] [-b address] [-c class] [-f filename] [-k filename]
	   [-p port#] [-t type]	[-x addr] [-y name:key]	[-4] [-6] [name]
	   [type] [class] [queryopt...]

       dig [-h]

       dig [global-queryopt...]	[query...]

       dig (domain information groper) is a flexible tool for interrogating
       DNS name	servers. It performs DNS lookups and displays the answers that
       are returned from the name server(s) that were queried. Most DNS
       administrators use dig to troubleshoot DNS problems because of its
       flexibility, ease of use	and clarity of output. Other lookup tools tend
       to have less functionality than dig.

       Although	dig is normally	used with command-line arguments, it also has
       a batch mode of operation for reading lookup requests from a file. A
       brief summary of	its command-line arguments and options is printed when
       the -h option is	given. Unlike earlier versions,	the BIND9
       implementation of dig allows multiple lookups to	be issued from the
       command line.

       Unless it is told to query a specific name server, dig will try each of
       the servers listed in /etc/resolv.conf.

       When no command line arguments or options are given, dig will perform
       an NS query for "." (the root).

       It is possible to set per-user defaults for dig via ${HOME}/.digrc.
       This file is read and any options in it are applied before the command
       line arguments.

       A typical invocation of dig looks like:

	dig @server name type


       server is the name or IP	address	of the name server to query. This can
	      be an IPv4 address in dotted-decimal notation or an IPv6 address
	      in colon-delimited notation. When	the supplied server argument
	      is a hostname, dig resolves that name before querying that name
	      server. If no server argument is provided, dig consults
	      /etc/resolv.conf and queries the name servers listed there. The
	      reply from the name server that responds is displayed.

       name   is the name of the resource record that is to be looked up.

       type   indicates	what type of query is required -- ANY, A, MX, SIG,
	      etc.  type can be	any valid query	type. If no type argument is
	      supplied,	dig will perform a lookup for an A record.

       The -b option sets the source IP	address	of the query to	address. This
       must be a valid address on one of the host's network interfaces or
       "" or "::". An optional port may be specified by appending

       The default query class (IN for internet) is overridden by the -c
       option.	class is any valid class, such as HS for Hesiod	records	or CH
       for CHAOSNET records.

       The -f option makes dig operate in batch mode by reading a list of
       lookup requests to process from the file filename. The file contains a
       number of queries, one per line. Each entry in the file should be
       organised in the same way it would be presented as a query to dig
       using the command-line interface.
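
       Because batch lines are read like command-line queries, a value taken
       from a log that starts with "@" or "-" would be read as a server or an
       option. The sketch below is an added example, not part of the dig
       manual: it builds reverse-lookup (-x) batch lines only from plain
       addresses. The function names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the dig manual. Candidate values are constructed.
sample_candidates() {
    cat <<'EOF'
192.0.2.10
2001:db8::53
@ns.example.org example.net
-p 5353 example.net
198.51.100.300
EOF
}

# is_addr STRING: succeed only for dotted-decimal IPv4 or hex-and-colon IPv6.
is_addr() {
    # First gate: no spaces, "-", "@" or "+", so no option can be smuggled in.
    case $1 in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
    printf '%s\n' "$1" | awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        n = split($0, o, ".")
        for (i = 1; i <= n; i++) if (length(o[i]) > 3 || o[i] > 255) exit 1
        ok = 1
    }
    # IPv6: character-set and shape check only, not a full parser.
    /^[0-9A-Fa-f:]+$/ && /:.*:/ && length($0) <= 39 { ok = 1 }
    END { exit !ok }'
}

# make_ptr_batch: candidates on stdin, one "-x ADDR" batch line each on stdout.
make_ptr_batch() {
    n=0
    while IFS= read -r cand; do
        n=$((n + 1))
        if is_addr "$cand"; then
            printf '%s %s\n' -x "$cand"
        else
            # Report the line number only; do not echo untrusted bytes.
            printf 'input line %d rejected\n' "$n" >&2
        fi
    done
}

# Redirect this output to a file and pass that file to dig with -f.
sample_candidates | make_ptr_batch
```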

       If a non-standard port number is to be queried, the -p option is used.
       port# is the port number that dig will send its queries to instead of
       the standard DNS port number 53. This option would be used to test a
       name server that has been configured to listen for queries on a
       non-standard port number.

       The -4 option forces dig	to only	use IPv4 query transport. The -6
       option forces dig to only use IPv6 query	transport.

       The -t option sets the query type to type. It can be any valid query
       type which is supported in BIND9. The default query type is "A", unless
       the -x option is supplied to indicate a reverse lookup. A zone transfer
       can be requested	by specifying a	type of	AXFR. When an incremental zone
       transfer	(IXFR) is required, type is set	to ixfr=N. The incremental
       zone transfer will contain the changes made to the zone since the
       serial number in	the zone's SOA record was N.

       Reverse lookups - mapping addresses to names - are simplified by	the -x
       option.	addr is	an IPv4	address	in dotted-decimal notation, or a
       colon-delimited IPv6 address. When this option is used, there is	no
       need to provide the name, class and type	arguments.  dig	automatically
       performs	a lookup for a name like and sets the
       query type and class to PTR and IN respectively.	By default, IPv6
       addresses are looked up using nibble format under the IP6.ARPA domain.
       To use the older	RFC1886	method using the IP6.INT domain	specify	the -i
       option. Bit string labels (RFC2874) are now experimental	and are	not

       To sign the DNS queries sent by dig and their responses using
       transaction signatures (TSIG), specify a	TSIG key file using the	-k
       option. You can also specify the	TSIG key itself	on the command line
       using the -y option; name is the	name of	the TSIG key and key is	the
       actual key. The key is a	base-64	encoded	string,	typically generated by
       dnssec-keygen(8). Caution should be taken when using the -y option on
       multi-user systems as the key can be visible in the output from ps(1)
       or in the shell's history file. When using TSIG authentication with
       dig, the	name server that is queried needs to know the key and
       algorithm that is being used. In	BIND, this is done by providing
       appropriate key and server statements in	named.conf.
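
       The history-file exposure mentioned above can be audited. The sketch
       below is an added example, not part of the dig manual: it lists which
       TSIG key names appear with -y in a history file, without printing the
       secret, and prints a redacted copy. Function names, key names and the
       key value are constructed.

```shell
#!/bin/sh
# Added example, not from the dig manual. All history lines are constructed.
sample_history() {
    cat <<'EOF'
dig @ns1.example.net example.net soa
dig @ns1.example.net -y transfer-key:Q09OU1RSVUNURUQtS0VZ example.net soa
echo -y a:b
/usr/bin/dig -k /etc/namedb/Kupdate.key example.net ns
dig -yhmac-sha256:update-key:Q09OU1RSVUNURUQtS0VZ @192.0.2.53 example.net a | grep status
EOF
}

# find_dig_y_leaks FILE: print "LINE<TAB>KEYNAME" for each dig command that
# carries -y. The secret itself is never printed.
find_dig_y_leaks() {
    awk '{
        in_dig = 0
        for (i = 1; i <= NF; i++) {
            w = $i; arg = ""
            if (w == "dig" || w ~ /\/dig$/) { in_dig = 1; continue }
            if (w == "|" || w == ";" || w == "&&" || w == "||") in_dig = 0
            if (!in_dig) continue
            if (w == "-y" && i < NF) arg = $(i + 1)
            else if (w ~ /^-y./) arg = substr(w, 3)
            # name:key as documented; later BIND 9 also takes hmac:name:key.
            n = split(arg, p, ":")
            if (n >= 2) printf "%d\t%s\n", NR, (n >= 3 ? p[2] : p[1])
        }
    }' "$1"
}

# redact_dig_y FILE: print FILE with every -y argument on dig lines replaced.
redact_dig_y() {
    sed -E '\#(^|[[:space:]/])dig[[:space:]]# s/([[:space:]]-y[[:space:]]*)[^[:space:]]*:[^[:space:]]*/\1REDACTED/g' "$1"
}

hist=$(mktemp)
sample_history > "$hist"
find_dig_y_leaks "$hist"
redact_dig_y "$hist"
rm -f "$hist"
```

       Any key reported this way should be treated as exposed and replaced
       on the name server; redacting the history file does not undo the leak.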

       dig provides a number of	query options which affect the way in which
       lookups are made	and the	results	displayed. Some	of these set or	reset
       flag bits in the	query header, some determine which sections of the
       answer get printed, and others determine	the timeout and	retry

       Each query option is identified by a keyword preceded by	a plus sign
       (+). Some keywords set or reset an option. These	may be preceded	by the
       string no to negate the meaning of that keyword.	Other keywords assign
       values to options like the timeout interval. They have the form
       +keyword=value. The query options are:

	      Use [do not use] TCP when	querying name servers. The default
	      behaviour	is to use UDP unless an	AXFR or	IXFR query is
	      requested, in which case a TCP connection	is used.

	      Use [do not use] TCP when	querying name servers. This alternate
	      syntax to	+[no]tcp is provided for backwards compatibility. The
	      "vc" stands for "virtual circuit".

	      Ignore truncation	in UDP responses instead of retrying with TCP.
	      By default, TCP retries are performed.

	      Set the search list to contain the single	domain somename, as if
	      specified	in a domain directive in /etc/resolv.conf, and enable
	      search list processing as	if the +search option were given.

	      Use [do not use] the search list defined by the searchlist or
	      domain directive in resolv.conf (if any).	The search list	is not
	      used by default.

	      Deprecated, treated as a synonym for +[no]search.

	      Sets the "aa" flag in the	query.

	      A	synonym	for +[no]aaonly.

	      Set [do not set] the AD (authentic data) bit in the query. The
	      AD bit currently has a standard meaning only in responses, not
	      in queries, but the ability to set the bit in the	query is
	      provided for completeness.

	      Set [do not set] the CD (checking	disabled) bit in the query.
	      This requests the	server to not perform DNSSEC validation	of

	      Display [do not display] the CLASS when printing the record.

	      Display [do not display] the TTL when printing the record.

	      Toggle the setting of the	RD (recursion desired) bit in the
	      query. This bit is set by	default, which means dig normally
	      sends recursive queries. Recursion is automatically disabled
	      when the +nssearch or +trace query options are used.

	      When this	option is set, dig attempts to find the	authoritative
	      name servers for the zone	containing the name being looked up
	      and display the SOA record that each name	server has for the

	      Toggle tracing of	the delegation path from the root name servers
	      for the name being looked	up. Tracing is disabled	by default.
	      When tracing is enabled, dig makes iterative queries to resolve
	      the name being looked up.	It will	follow referrals from the root
	      servers, showing the answer from each server that	was used to
	      resolve the lookup.

	      Toggles the printing of the initial comment in the output
	      identifying the version of dig and the query options that	have
	      been applied. This comment is printed by default.

	      Provide a	terse answer. The default is to	print the answer in a
	      verbose form.

	      Show [or do not show] the	IP address and port number that
	      supplied the answer when the +short option is enabled. If	short
	      form answers are requested, the default is not to	show the
	      source address and port number of	the server that	provided the

	      Toggle the display of comment lines in the output. The default
	      is to print comments.

	      This query option	toggles	the printing of	statistics: when the
	      query was	made, the size of the reply and	so on. The default
	      behaviour	is to print the	query statistics.

	      Print [do	not print] the query as	it is sent. By default,	the
	      query is not printed.

	      Print [do	not print] the question	section	of a query when	an
	      answer is	returned. The default is to print the question section
	      as a comment.

	      Display [do not display] the answer section of a reply. The
	      default is to display it.

	      Display [do not display] the authority section of	a reply. The
	      default is to display it.

	      Display [do not display] the additional section of a reply. The
	      default is to display it.

	      Set or clear all display flags.

	      Sets the timeout for a query to T seconds. The default timeout
	      is 5 seconds. An attempt to set T to less than 1 will result in
	      a query timeout of 1 second being applied.

	      Sets the number of times to try UDP queries to server to T
	      instead of the default, 3. If T is less than or equal to zero,
	      the number of tries is silently rounded up to 1.

	      Sets the number of times to retry	UDP queries to server to T
	      instead of the default, 2. Unlike	+tries,	this does not include
	      the initial query.

	      Set the number of	dots that have to appear in name to D for it
	      to be considered absolute. The default value is that defined
	      using the	ndots statement	in /etc/resolv.conf, or	1 if no	ndots
	      statement	is present. Names with fewer dots are interpreted as
	      relative names and will be searched for in the domains listed in
	      the search or domain directive in	/etc/resolv.conf.

	      Set the UDP message buffer size advertised using EDNS0 to	B
	      bytes. The maximum and minimum sizes of this buffer are 65535
	      and 0 respectively. Values outside this range are	rounded	up or
	      down appropriately.

	      Print records like the SOA records in a verbose multi-line
	      format with human-readable comments. The default is to print
	      each record on a single line, to facilitate machine parsing of
	      the dig output.

	      Do not try the next server if you	receive	a SERVFAIL. The
	      default is to not	try the	next server which is the reverse of
	      normal stub resolver behaviour.

	      Attempt to display the contents of messages which	are malformed.
	      The default is to	not display malformed answers.

	      Requests DNSSEC records be sent by setting the DNSSEC OK bit
	      (DO) in the OPT record in	the additional section of the query.

	      Chase DNSSEC signature chains. Requires dig be compiled with

	      Specifies	a file containing trusted keys to be used with
	      +sigchase. Each DNSKEY record must be on its own line.

	      If not specified dig will	look for /etc/trusted-key.key then
	      trusted-key.key in the current directory.

	      Requires dig be compiled with -DDIG_SIGCHASE.

	      When chasing DNSSEC signature chains perform a top down
	      validation. Requires dig be compiled with	-DDIG_SIGCHASE.

       The BIND	9 implementation of dig	supports specifying multiple queries
       on the command line (in addition	to supporting the -f batch file
       option).	Each of	those queries can be supplied with its own set of
       flags, options and query	options.

       In this case, each query argument represents an individual query in the
       command-line syntax described above. Each consists of any of the
       standard	options	and flags, the name to be looked up, an	optional query
       type and	class and any query options that should	be applied to that

       A global	set of query options, which should be applied to all queries,
       can also	be supplied. These global query	options	must precede the first
       tuple of	name, class, type, options, flags, and query options supplied
       on the command line. Any	global query options (except the +[no]cmd
       option) can be overridden by a query-specific set of query options. For

       dig +qr any -x ns +noqr

       shows how dig could be used from	the command line to make three
       lookups:	an ANY query for, a	reverse	lookup of
       and a query for the NS records of A global query option	of +qr
       is applied, so that dig shows the initial query it made for each
       lookup. The final query has a local query option	of +noqr which means
       that dig	will not print the initial query when it looks up the NS
       records for



       host(1),	named(8), dnssec-keygen(8), RFC1035.

       There are probably too many query options.

BIND9				 Jun 30, 2000				DIG(1)
