We love to dig (DNS troubleshooting)

We spend a lot of time with DNS. We're constantly having to investigate issues, analyze outputs, or just try to understand what is going on. When troubleshooting DNS, the best tool is the dig command.

Dig comes by default on most Linux distributions and on macOS (sorry Windows users, you are stuck with nslookup by default). All you have to do is open your terminal and type dig (with -h to see a list of all options) to get started:

$ dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} […]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,…) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,…) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:

Dig: Getting an IP Address for a domain

To get the IP address for a domain, all you have to do is provide the domain name to the Dig command:

$ dig www.google.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54352
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 65494
;www.google.com. IN A
www.google.com. 299 IN A
www.google.com. 299 IN A
www.google.com. 299 IN A
www.google.com. 299 IN A
www.google.com. 299 IN A
www.google.com. 299 IN A

As you can see, it provides the DNS question header and response header at the top (a query for 1 domain, answered with 6 IP addresses, plus 1 additional section). If you are not interested in the headers, you can use the +short option to make the output easier to read:

$ dig +short www.cleanbrowsing.org

In this example, for the domain www.cleanbrowsing.org, it is responding with the CNAME of the NOC.org CDN and the IP address it is being routed to.

Dig: Testing across different resolvers

To test the response from different DNS providers, use the @NAMESERVER format at the end of the query to specify the DNS resolver IP address. For example, to get the IP for example.com at the Google DNS ( you would do:

$ dig +short example.com @

But let’s say you are troubleshooting a DNS issue and you want to check across multiple DNS providers at the same time, a little bit of shell script and dig will do it for you:

$ for i in; do echo -n "$i: "; dig +short example.com @"$i"; done

In this example, it is checking on OpenDNS’s, CloudFlare’s, Google’s, Quad9 and CleanBrowsing’s security filter ( for the IP of example.com. As you can see from the response, they all worked and matched to
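An added example (not from the original post) that turns the loop above into a check: it normalises each resolver's answer and exits non-zero when the resolvers disagree, which is the signal to look for when chasing a stale cache, a filtered response or a tampered record. Resolver addresses are passed as arguments; the function names and the DIG override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare one name's A records across several resolvers.
# DIG can be pointed at a stub so the comparison logic can be run offline.
DIG=${DIG:-dig}

# resolver_answer NAME RESOLVER
# Prints the answer as a sorted, comma-joined list, or "(no answer)".
resolver_answer() {
    # +time/+tries keep a dead resolver from stalling the whole run.
    # dig prints diagnostics such as ";; connection timed out" on stdout,
    # so lines starting with ';' are dropped before comparing.
    ans=$("$DIG" +short +time=2 +tries=1 "$1" A "@$2" 2>/dev/null \
          | sed '/^;/d' | sort | paste -sd, -)
    printf '%s\n' "${ans:-(no answer)}"
}

# compare_resolvers NAME RESOLVER...
# Prints one "resolver: answer" line per resolver.
# Returns 0 when every resolver gave the same record set, 1 otherwise.
compare_resolvers() {
    name=$1; shift
    first=; rc=0
    for r in "$@"; do
        a=$(resolver_answer "$name" "$r")
        printf '%s: %s\n' "$r" "$a"
        if [ -z "$first" ]; then
            first=$a            # first resolver is the reference answer
        elif [ "$a" != "$first" ]; then
            rc=1                # different record set, or no answer at all
        fi
    done
    [ "$rc" -eq 0 ] || echo "MISMATCH for $name" >&2
    return "$rc"
}

# Usage: ./compare.sh example.com RESOLVER_IP RESOLVER_IP ...
if [ "$#" -ge 2 ]; then
    compare_resolvers "$@"
fi
```

A mismatch is a prompt to investigate, not proof of a problem: domains behind a CDN or geo-aware DNS legitimately return different addresses to different resolvers.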

Dig: Getting the IP of your DNS resolver

Most DNS lookups go straight to your DNS resolver, before hitting the Authoritative server for a specific domain. If you want to check the IP Address (or provider) that is being used, you can leverage the Lua service (DNS API) provided by PowerDNS to check:

$ dig +short -t TXT whoami.lua.powerdns.org

And it responds with which is one of the CleanBrowsing IP addresses in LA ( domain name pointer dns-edge-usa-west-la.cleanbrowsing.org. )

Note that we passed the -t flag with the TXT value to query for the TXT record. You can use AAAA for IPv6 records, MX for mail records, and so on.

Dig: Getting the response time for a query

One of the very useful things that dig also does is provide the query time for your request:

$ dig www.google.com | grep 'Query time'
;; Query time: 10 msec

In this case, you can see that the CleanBrowsing DNS is responding in 10 msec for the google.com query. If I try the Quad9 one, it responds in 47 msec:

$ dig www.google.com @ | grep 'Query time'
;; Query time: 47 msec

A bit slower, but also pretty good. That allows you to troubleshoot performance and even test different DNS providers.

Dig: Finding the nameserver for a domain

If you need to find the name server (aka authoritative DNS) for a domain, all you have to do is pass the NS value to the -t option:

$ dig +short -t NS noc.org

As you can see, the NOC.org domain is using the NOC DNS as its authoritative server. And Amazon uses DYN and UltraDNS instead of their own Route53:

$ dig +short -t NS amazon.com

And that’s pretty much it about dig. Try it out and let us know if you have any questions.