We spend a lot of time with DNS: we’re constantly having to investigate issues, analyze outputs, or just try to understand what is going on. When troubleshooting DNS, the best tool is the dig command.
Dig comes by default on most Linux distributions and on macOS (sorry Windows users, you are stuck with nslookup by default). All you have to do is open your terminal and type dig (with -h to see a list of all options) to get started:
Dig: Getting an IP Address for a domain
To get the IP address for a domain, all you have to do is provide the domain name to the Dig command:
As you can see, it provides the DNS question header and response header at the top (a query for 1 domain, answered with 6 IP addresses and 1 additional section). If you are not interested in the headers, you can use the +short option to make the output easier to read:
In this example, for the domain www.cleanbrowsing.org, it is responding with the CNAME of the NOC.org CDN and the IP address it is being routed to.
Dig: Testing across different resolvers
To test the response from different DNS providers, use the @NAMESERVER format at the end of the query to specify the DNS resolver IP address. For example, to get the IP for example.com from Google DNS (22.214.171.124) you would do:
If you are troubleshooting a DNS issue and want to check across multiple DNS providers at the same time, a little bit of shell script and dig will do it for you:
In this example, it is checking OpenDNS’s 126.96.36.199, Cloudflare’s 188.8.131.52, Google’s 184.108.40.206, Quad9’s 220.127.116.11 and CleanBrowsing’s security filter (18.104.22.168) for the IP of example.com. As you can see from the response, they all worked and matched 22.214.171.124.
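The multi-resolver check described above, written as an added example (not the article's original script). It goes one step further than printing each answer: it flags resolvers that disagree or do not answer, which is the signal you want when chasing filtering, hijacking or a stale cache. The function name compare_resolvers and the DIG_CMD override are assumptions made for this example; resolver addresses are passed as arguments.

```shell
#!/bin/sh
# Added example: compare the A-record answers several resolvers give for one name.
# DIG_CMD is a hypothetical override (not a dig feature) so the function can be
# pointed at a stub when testing without network access.
DIG_CMD="${DIG_CMD:-dig}"

# compare_resolvers DOMAIN RESOLVER...
# Prints "resolver<TAB>answers" for each resolver.
# Returns 0 if every resolver agrees, 1 if answers differ,
# 2 if at least one resolver returned no usable answer.
compare_resolvers() {
    domain="$1"; shift
    first=""; have_first=0; status=0
    for resolver in "$@"; do
        # +short prints answers only; +time/+tries fail fast on a dead resolver.
        # grep keeps IPv4 lines, dropping CNAME targets and ";;" error lines.
        answers=$("$DIG_CMD" +short +time=2 +tries=1 "$domain" A "@$resolver" 2>/dev/null \
                  | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | tr '\n' ' ')
        answers="${answers% }"
        if [ -z "$answers" ]; then
            printf '%s\t%s\n' "$resolver" "NO-ANSWER"
            status=2
            continue
        fi
        printf '%s\t%s\n' "$resolver" "$answers"
        if [ "$have_first" -eq 0 ]; then
            first="$answers"; have_first=1
        elif [ "$answers" != "$first" ] && [ "$status" -eq 0 ]; then
            status=1
        fi
    done
    return "$status"
}
```

Call it as compare_resolvers example.com followed by the resolver addresses listed above. A non-zero exit on a CDN-hosted name can be legitimate, since such names often resolve differently depending on the resolver's location.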
Dig: Getting the IP of your DNS resolver
Most DNS lookups go straight to your DNS resolver, before hitting the Authoritative server for a specific domain. If you want to check the IP Address (or provider) that is being used, you can leverage the Lua service (DNS API) provided by PowerDNS to check:
And it responds with 126.96.36.199, which is one of the CleanBrowsing IP addresses in LA (188.8.131.52.in-addr.arpa domain name pointer dns-edge-usa-west-la.cleanbrowsing.org.).
Note that we passed the -t flag with the TXT value to query for the TXT record. You can use AAAA for IPv6 records, MX for mail records, and so on.
Dig: Getting the response time for a query
Another very useful thing dig does is report the query time for your request:
In this case, you can see that the CleanBrowsing DNS is responding in 10 msec for the google.com query. If I try the Quad9 one, it is responding in 47 msec:
A bit slower, but also pretty good. That allows you to troubleshoot performance and even test different DNS providers.
Dig: Finding the nameserver for a domain
If you need to find the name server (aka authoritative DNS) for a domain, all you have to do is pass NS as the value of the -t option:
As you can see, the NOC.org domain is using the NOC DNS as its authoritative server, and Amazon uses DYN and UltraDNS instead of their own Route53:
And that’s pretty much it about dig. Try it out and let us know if you have any questions.