Skip to content

The Complete Guide to Dig DNS Troubleshooting Commands

As a IT professional, few things elicit frustration faster than encountering mysterious domain resolution issues. One minute a web site or application server is humming along without issue. The next minute — it‘s suddenly unreachable, DNS queries are timing out, and your network seems headed for meltdown.

Before you panic and call for reinforcements, the humble yet powerful "dig" command should be your first line of defense for investigating DNS problems. Dig provides CLI access to query DNS servers for diagnosing hard-to-crack DNS issues quickly.

In this comprehensive 3200+ word guide, you‘ll learn how to:

  • Leverage 10 indispensable dig commands with detailed examples
  • Follow a systematic 10-step process for identifying any DNS issue
  • Compare dig against other DNS troubleshooting tools
  • Understand security implications of DNS vulnerabilities
  • Fix the 12 most common DNS error messages
  • Lookup DNS records on Windows
  • Parse dig output for automation and large-scale analysis

And much more! Let‘s dig in…

What is Dig? A Quick Primer

For the uninitiated, dig (short for Domain Information Groper) is a network tool included in practically every major operating system, including Linux, Unix, Mac and Windows. It allows querying DNS servers from the command line and returns detailed DNS records about domains, including:

  • IP addresses (A records)
  • Name servers (NS records)
  • Mail servers (MX records)
  • Text records (TXT records)
  • And many other record types

If you work in systems administration, site reliability, application development or other technical roles – dig should be your best friend when web sites, services and servers inexplicably become unreachable.

Key Dig Parameters

Dig has dozens of available parameters and modifiers for customizing DNS queries and output, but a few critical ones to remember:

+short – hides headers and statistics, only displaying final result
+noall +answer – limits output to answer section
+trace – enables a full dump of the recursive DNS lookup process
+dnssec – requests DNSSEC validation for domains that support it

There are many more parameters worth learning, but these form the basis of effective dig debugging.

With the basics covered, let‘s jump into vital examples…

10 Must-Know Dig Command Examples

I‘ve assembled this collection of indispensable dig invocation examples that every IT specialist should have readily available. Bookmark this page and thank me later!

1. Check A Record (IP Address Lookup)

One of the most common uses of dig is finding the IP address linked to a domain name via its fundamental A record. For example:

$ dig domain.com +short
192.0.2.1

This queries domain.com‘s A record and returns the IP address result only using the +short parameter. If the domain doesn‘t resolve to an IP, that‘s the first clue trouble is afoot!

2. Identify Mail Servers (MX Lookup)

You can query a domain‘s designated mail servers using dig‘s mx parameter:

$ dig domain.com mx +noall +answer 
domain.com. 86400 IN MX 10 mailserver1.domain.com.
domain.com. 86400 IN MX 20 mailserver2.domain.com.  

This outputs the domain‘s mail servers along with their preference value. You can then further test connectivity to those systems. An empty result indicates issues with MX records.

3. Find Authoritative Name Servers (NS Lookup)

Uncovering the authoritative name servers for a domain can provide insight into DNS misconfiguration or delegation problems:

$ dig domain.com ns +noall +answer
domain.com. 86400 IN NS ns1.nameserver.com.
domain.com. 86400 IN NS ns2.nameserver.net.

This dig invocation reveals the domain‘s designated DNS name servers. If these systems are unreachable from your network, that explains why the domain itself doesn‘t resolve!

4. Check Any DNS Record Type (TXT, CAA etc.)

A lesser known capability of dig is looking up practically any DNS record type supported by the domain, including:

TXT Records

$ dig domain.com txt +short 
"v=spf1 include:_spf4.domain.com ~all" 

CAA Records

$ dig domain.com CAA +short   
0 issue "letsencrypt.org"

Or any of the 300+ record types

Simply substitute "txt", "caa" etc. with whichever record type you want to query.

5. Tracing Complete DNS Resolution Path

One incredibly useful troubleshooting parameter is +trace. It dumps the full path of DNS resolution, from root ➜ Top-Level-Domain (TLD) ➜ authoritative nameserver:

$ dig domain.com +trace

This allows pinpointing precisely where DNS resolution is breaking down – at the root, TLD or nameserver level. +trace should be your first step when dealing with DNS reachability issues.

6. Perform Reverse DNS Lookups

Reverse DNS lookups display the domain name associated with an IP address via its designated PTR record:

$ dig -x 8.8.8.8 +short   
dns.google.

This allows identifying the domain hiding behind cloud provider IPs, CDNs, or checking IPs for malicious activity.

7. Query Custom DNS Resolvers

You can instruct dig to use specific public DNS resolvers like Google (8.8.8.8), Cloudflare (1.1.1.1) or Cisco OpenDNS (208.67.222.222):

$ dig @1.1.1.1 domain.com

This isolates whether issues exist on your local DNS infrastructure versus upstream.

8. Diagnose DNS Connection Timeouts

If a domain isn‘t resolving at all and DNS queries are timing out, dig provides clues where the breakdown is occurring:

$ dig domain.com
;; connection timed out; no servers could be reached  

Indicating the DNS servers themselves are unreachable…

Or

$ dig invalidDomain.com  
;; Got SERVFAIL reply from 8.8.8.8, trying next server

Showing the domain itself has issues. This exposes where to focus troubleshooting next.

9. Verify DNSSEC Validation

You should absolutely enable DNSSEC on public-facing domains for security protection. Dig assists validating proper DNSSEC function:

$ dig domain.com +dnssec
;; flags: qr rd ra ad DO;

The DO flag indicates DNSSEC validation succeeded!

10. Detect Potential DNS Hijacking

DNS hijacking is a common attack vector attempts to redirect domains to bad actor IP addresses. But malicious redirection is easy to catch with dig:

$ dig domain.com
;; ANSWER SECTION  
domain.com 86400 IN A 192.0.2.2

If a domain suddenly resolves to a suspicious IP, inspection for hacking is warranted.

This concludes my 10 best dig invocation examples for rapidly diagnosing DNS issues. Combined they comprise a DNS troubleshooter‘s Swiss army knife. But we‘re just getting started…

Step-by-Step DNS Debugging Procedure

While those examples demonstrate isolated dig commands, I wanted to provide a complete 10 step DNS debugging procedure you can follow systematically when trouble starts:

Step 1: Confirm DNS Functionality on Local Machine

$ ping google.com 
$ host -v google.com  
$ dig google.com

Step 2: Flush the DNS Cache

$ sudo systemd-resolve --flush-caches

Step 3: Perform Lookup Using Third-Party DNS

$ dig @8.8.8.8 google.com 

Step 4: Execute Trace Route to Identify Network Issues

$ traceroute google.com 

Step 5: Lookup Domain Against Its Authoritative Name Servers

$ dig @ns1.google.com google.com

Step 6: Execute Dig +Trace for Granular DNS Breakdown

$ dig domain.com +trace

Step 7: Perform Reverse Lookup if Direct Fails

$ dig -x 8.8.8.8 +short 

Step 8: Spot Check Other Network Services

$ ping domain.com
$ telnet domain.com 80
$ curl domain.com

Step 9: Inspect DNS History in Query Logs

$ grep domain.com /var/log/syslog

Step 10: Shoot Packet Capture for Offline Analysis

$ sudo tcpdump -w output.pcap port 53

This walks through isolation, inspection, connectivity checks and finally packet analysis to get to the root cause of any DNS malfunction.

Now that you have a complete troubleshooting game plan, let‘s look at some ancillary topics that will make you a dig power user…

Comparing Dig vs nslookup vs host

Dig isn‘t the only DNS debugging game in town. The venerable nslookup and host commands provide overlap in functionally with dig:

nslookup – the original DNS query tool dating back to the early days of the internet. Rackspace has a good nslookup primer.

host – a simpler, stripped down DNS lookup tool part of the BIND DNS software package.

dig – the newer, more flexible Swiss army knife DNS tool with tons of parameters and filters for power users.

The quick takeaway is that any of these tools can be used for simple DNS queries, but dig provides the greatest breadth of lookup options for serious troubleshooting.

For example, only dig provides the handy +trace parameter to show the full iterative DNS lookup process. Nslookup and host lack that capability.

Still, I suggest getting cozy with all three tools, as nslookup remains quite handy for interactive investigation, while host is simpler when you just need basic DNS answers.

Think of dig/nslookup/host as good, better, best – with dig being the greatest power DNS tool.

Considering DNS Security Implications

While vital for diagnosing DNS issues, the dig command itself introduces some security considerations worth noting:

1. DNS Cache Poisoning – Attackers can inject false DNS records by spoofing responses to dig queries faster than legit DNS servers. Security expert Kevin Beaumont demonstrates this risk, explaining additional dig protections like DNSSEC should be enabled.

2. Possible Data Leakage – By querying other zones and servers, dig can expose information about your network accidentally through certain DNS record types. Care should be taken crafting dig commands.

3. DDoS Amplification Potential – The DNS protocol itself supports powerful functionality that malicious actors can abuse to launch amplified DDoS attacks achieving massive scale. Rate limiting dig traffic can mitigate this exposure.

In general, you should only execute dig commands and expose DNS servers internally or to trusted cloud DNS for security reasons. And additional protections like DNS response rate limiting, DNSSEC validation, and firewall rules restricting traffic are best practices to enact.

By better understanding risks associated with the powerful DNS protocol itself, you can safely unleash dig while avoiding enabling attacks.

Investigating Common DNS Errors

One advantage of a tool like dig over simply using ping or a browser to verify DNS failures is it sheds light on the types of errors occurring.

Here are explanations of some common DNS error codes you may encounter while troubleshooting with dig and how to decipher them:

1. SERVFAIL – This means the DNS server itself is having an issue. It may be overloaded or misconfigured. Typically transient.

2. NXDOMAIN – Indicates the domain itself doesn‘t exist in DNS according to the nameservers. Typos or DNS config issues.

3. TIMEOUT – DNS server not replying. Firewall blocking access, packet loss, DNS down.

4. CONNECTION REFUSED – Named DNS server not listening on port 53 or blocked.

5 NO ANSWER – Empty DNS response. Often reversed DNS with no PTR record configured.

6. FORMERR – DNS server rejected query format. Bad request coding.

7. NOTAUTH – Named DNS server not authoritative source for queried domain.

8. NOTIMP – Requested DNS query type not implemented on DNS server.

9. REFUSED – DNS server intentionally refusing to fulfill request. See security policies.

Armed with the context behind various DNS error terminology, you can zero in on likely fixing avenues faster.

Now let‘s look at options for Windows users who may not have easy access to dig.

How to Perform dig Commands on Windows

Linux administrators have dig readily available in most distros. But Windows users need to take additional steps to unleash this DNS debugging tool.

Here are a few options:

Method #1 – Enable the legacy nslookup tool. It provides similar functionality to dig for simple queries.

Method #2 – Install a Linux distro like Ubuntu via Windows Subsystem for Linux (WSL) to access native dig.

Method #3 – Run dig within the Windows Powershell terminal itself:

PS>Resolve-DnsName domain.com

Method #4 – Utilize online dig web tools like What‘s My DNS that provide a browser-based UI and API to execute dig queries.

So fret not fellow Windows users – with these alternatives, you can still harness dig power for getting DNS answers!

Parsing Dig Output Files

Finally, if you intend to execute high volume dig commands, log and analyze the collected data for patterns, you‘ll appreciate that dig output can be formatted as JSON, YAML, XML.

This flexible output lends itself nicely to automation scripts that can parse data structures versus trying to wrangle simple text. It also facilitates feeding data into graphing tools or machine learning algorithms.

Specify these output formats like so:

JSON

dig gmail.com @8.8.8.8 -f json 

YAML

dig gmail.com @8.8.8.8 -f yaml

XML

dig gmail.com @8.8.8.8 -f xml   

So unlock visibility through digging mass DNS data, then processing it downstream!

Let‘s Dig Into DNS Issues!

I hope these copious dig command examples provide both newbie DNS debuggers and weathered DNS veterans useful troubleshooting knowledge!

We covered core dig parameters, indispensible commands, procedural troubleshooting flows, alternate tools, critical considerations and advanced applications.

You‘re now armed with expert-level techniques for investigating DNS outages faster using dig‘s immense power. The next time your boss asks why the company website or email server suddenly stopped working (and demands answers ASAP), you‘ll have the ideal DNS interrogation tool waiting in your toolbox!

Until then, may all your DNS queries return successfully thanks to these vital dig commands. Go forth and resolve those nettlesome domain issues!