We love to dig (DNS troubleshooting)

We spend a lot of time with DNS: we are constantly investigating issues, analysing outputs, or just trying to understand what is going on. When troubleshooting DNS, the best tool is the dig command.

Dig comes by default on most Linux distributions and on MacOS (sorry Windows users, you are stuck with nslookup by default). All you have to do is open your terminal and type dig (with -h to see a list of all options) to get started:

$ dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} […]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,…) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,…) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:

Dig: Getting an IP Address for a domain

To get the IP address for a domain, all you have to do is provide the domain name to the Dig command:

$ dig www.google.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54352
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 299 IN A 142.251.6.106
www.google.com. 299 IN A 142.251.6.105
www.google.com. 299 IN A 142.251.6.147
www.google.com. 299 IN A 142.251.6.99
www.google.com. 299 IN A 142.251.6.104
www.google.com. 299 IN A 142.251.6.103

As you can see, it prints the DNS question header and response header at the top (a query for 1 domain, answered with 6 IP addresses, plus 1 additional-section record). If you are not interested in the headers, you can use the +short option to get output that is easier to read:

$ dig +short www.cleanbrowsing.org
cdn-grp01.cdn-noc.net.
208.167.248.121

In this example, for the domain www.cleanbrowsing.org, it responds with the CNAME (pointing at the NOC.org CDN) and the IP address that name ultimately resolves to.

Dig: Testing across different resolvers

If you want to test the response from different DNS providers, append @NAMESERVER to the query to specify the IP address of the resolver to use. For example, to get the IP for example.com from Google DNS (8.8.8.8) you would do:

$ dig +short example.com @8.8.8.8
93.184.216.34

But if you are troubleshooting a DNS issue and want to check several DNS providers at once, a little shell scripting around dig will do it for you:

$ for i in 208.67.222.222 1.1.1.1 8.8.8.8 9.9.9.9 185.228.168.9; do echo -n $i': '; dig +short example.com @$i; done
208.67.222.222: 93.184.216.34
1.1.1.1: 93.184.216.34
8.8.8.8: 93.184.216.34
9.9.9.9: 93.184.216.34
185.228.168.9: 93.184.216.34

In this example, it asks OpenDNS (208.67.222.222), CloudFlare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9) and CleanBrowsing’s security filter (185.228.168.9) for the IP of example.com. As you can see from the responses, they all answered and agreed on 93.184.216.34.

Dig: Getting the IP of your DNS resolver

Most DNS lookups go to your recursive DNS resolver first, which in turn queries the authoritative servers for the domain. If you want to check which IP address (or provider) is actually answering your queries, you can use the Lua service (DNS API) provided by PowerDNS:

$ dig +short -t TXT whoami.lua.powerdns.org
"45.76.171.37"

It responds with 45.76.171.37, which is one of the CleanBrowsing resolver addresses in LA (the reverse lookup gives 37.171.76.45.in-addr.arpa domain name pointer dns-edge-usa-west-la.cleanbrowsing.org.). This is a quick way to confirm that the resolver you configured is the one really handling your queries.

Note that we passed the -t flag with the value TXT to query for the TXT record. The same flag takes AAAA for IPv6 addresses, MX for mail records, and so on.

Dig: Getting the response time for a query

Another very useful thing dig does is report the query time for your request:

$ dig www.google.com | grep 'Query time'
;; Query time: 10 msec

In this case, you can see that the CleanBrowsing DNS answers the www.google.com query in 10 msec. Trying the Quad9 one instead, it responds in 47 msec:

$ dig www.google.com @9.9.9.9 | grep 'Query time'
;; Query time: 47 msec

A bit slower, but also pretty good. That allows you to troubleshoot performance and even compare different DNS providers. Keep in mind that the query time is the round trip to the resolver you asked: a cached answer comes back much faster than one the resolver has to fetch from the authoritative servers, so run the same query twice to tell the two apart.
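The two ideas above (asking several resolvers, and reading the query time) combine into one small POSIX shell script, added here as an example rather than code from the original post; it assumes only that dig is on PATH. It records each resolver's A records and query time and flags any resolver whose answer set differs from the majority, which is the first thing to look at when a domain resolves differently for different users (a filtering resolver doing its job, a stale cache, or an answer altered on the way).

```shell
#!/bin/sh
# Added example (not from the original post): query one domain against the
# resolver list used above, record each resolver's A records and reported
# query time, and flag any resolver whose answer set differs from the
# majority. Assumes only that `dig` is on PATH.

RESOLVERS="208.67.222.222 1.1.1.1 8.8.8.8 9.9.9.9 185.228.168.9"

# stdin: full dig output. Prints the A records sorted and comma-joined, so
# round-robin ordering differences do not count as a mismatch.
answer_set() {
    awk '!/^;/ && NF >= 5 && $3 == "IN" && $4 == "A" { print $5 }' \
        | sort | paste -s -d , -
}

# stdin: full dig output. Prints the "Query time" value in msec.
query_ms() {
    awk '/^;; Query time:/ { print $4; exit }'
}

# Query every resolver; one line each: "<resolver> <msec> <answers>".
# Short timeout so an unreachable resolver does not stall the run; a
# missing value is printed as "-" to keep the columns aligned.
collect() {
    for r in $RESOLVERS; do
        out=$(dig +time=2 +tries=1 "$1" "@$r")
        ms=$(printf '%s\n' "$out" | query_ms)
        ips=$(printf '%s\n' "$out" | answer_set)
        printf '%s %s %s\n' "$r" "${ms:--}" "${ips:--}"
    done
}

# stdin: collect() output. Prints resolvers whose answers differ from the
# most common answer set; exits 0 when all resolvers agree, 1 otherwise.
report_divergence() {
    awk '
        { ans[$1] = $3; count[$3]++ }
        END {
            for (a in count) if (count[a] > best) { best = count[a]; majority = a }
            bad = 0
            for (r in ans) if (ans[r] != majority) {
                print r " answered " ans[r] " (majority: " majority ")"; bad = 1
            }
            exit bad
        }'
}

if [ "$#" -eq 1 ]; then
    collect "$1" | tee /dev/stderr | report_divergence
fi
```

Since 185.228.168.9 is a filtering resolver, a divergence there for a blocked domain is expected; the check is most telling when the open resolvers disagree among themselves.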

Dig: Finding the nameserver for a domain

If you need to find the name servers (the authoritative DNS) for a domain, all you have to do is pass NS as the record type to -t:

$ dig +short -t NS noc.org
ns7.dns-noc.org.
ns12.dns-noc.org.
ns7.dns-noc.net.
ns12.dns-noc.net.

As you can see, the NOC.org domain is using the NOC DNS as its authoritative servers. And Amazon uses DYN and UltraDNS rather than its own Route53:

$ dig +short -t NS amazon.com
pdns1.ultradns.net.
ns2.p31.dynect.net.
ns1.p31.dynect.net.
ns3.p31.dynect.net.
pdns6.ultradns.co.uk.
ns4.p31.dynect.net.
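Going one step beyond the command above, this added example (not from the original post) takes the NS list for a domain and asks each nameserver directly, with recursion off, for the zone's SOA, checking that every server answers authoritatively (aa flag) and reports the same serial; a server that fails either check is a lame or stale secondary, which is a common cause of intermittent resolution failures. It assumes only that dig is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): after finding a domain's
# nameservers with `dig -t NS`, ask each one directly with recursion off
# for the zone's SOA, and check that every server answers authoritatively
# (aa flag) with the same serial. Assumes only that `dig` is on PATH.

# stdin: full dig output. Prints "aa" when the authoritative-answer flag
# is set in the header line, "non-aa" otherwise.
aa_flag() {
    awk '/^;; flags:/ { print ($0 ~ / aa[ ;]/ ? "aa" : "non-aa"); exit }'
}

# stdin: full dig output. Prints the SOA serial (7th field of the record).
soa_serial() {
    awk '!/^;/ && $4 == "SOA" { print $7; exit }'
}

# Query each nameserver of the domain; one line per server:
# "<nameserver> <aa|non-aa> <serial>" ("-" when a value is missing).
collect_soa() {
    for ns in $(dig +short -t NS "$1"); do
        out=$(dig +norecurse +time=2 +tries=1 -t SOA "$1" "@$ns")
        flag=$(printf '%s\n' "$out" | aa_flag)
        serial=$(printf '%s\n' "$out" | soa_serial)
        printf '%s %s %s\n' "$ns" "${flag:--}" "${serial:--}"
    done
}

# stdin: collect_soa output. Exits 0 only when every server answered with
# aa and the same serial as the first one; otherwise prints the offending
# servers and exits 1.
check_soa() {
    awk '
        NR == 1 { ref = $3 }
        $2 != "aa" { print $1 ": not authoritative (lame delegation?)"; bad = 1 }
        $3 != ref  { print $1 ": serial " $3 " differs from " ref; bad = 1 }
        END { exit bad + 0 }'
}

if [ "$#" -eq 1 ]; then
    collect_soa "$1" | tee /dev/stderr | check_soa
fi
```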

And that’s pretty much it about dig. Try it out and let us know if you have any questions.