Troubleshooting DNS with dig

The dig (Domain Information Groper) command is the most reliable tool for troubleshooting DNS issues. It queries DNS servers directly and displays the raw response, making it invaluable for verifying that your domain is resolving correctly through NOC's DNS infrastructure. This guide covers common dig commands for debugging DNS problems.

Basic dig Syntax

The basic syntax of the dig command is:

dig [record-type] [domain] [@dns-server]
  • record-type: The DNS record type to query (A, AAAA, CNAME, MX, NS, TXT, etc.). Defaults to A if omitted.
  • domain: The domain name to look up.
  • @dns-server: Optional. Query a specific DNS server instead of your system's default resolver.

Checking A Records

A records map a domain name to an IPv4 address. When your site is behind NOC, the A record should point to a NOC Anycast IP address:

dig A example.com

Look for the ANSWER SECTION in the output. It should show the NOC Anycast IP, not your origin server's IP. If you see your origin IP, DNS has not been updated to point through NOC yet.

;; ANSWER SECTION:
example.com.        300     IN      A       198.51.100.1

The number 300 is the TTL (time to live) in seconds, indicating how long DNS resolvers will cache this response.

Checking CNAME Records

CNAME records create an alias from one domain name to another. Subdomains are often pointed to NOC using a CNAME:

dig CNAME www.example.com

Expected output when using NOC:

;; ANSWER SECTION:
www.example.com.    300     IN      CNAME   example.com.noc.org.

Checking NS Records

NS records specify which name servers are authoritative for your domain. If you are using NOC's DNS hosting, your NS records should point to NOC name servers:

dig NS example.com

Verify the output shows NOC's name servers. If it still shows your previous DNS provider's name servers, the nameserver change has not propagated yet. NS record changes can take up to 48 hours to propagate globally.

Querying a Specific DNS Server

To check how a specific DNS server resolves your domain, use the @ syntax. This is useful for verifying propagation across different resolvers:

# Query Google's public DNS
dig A example.com @8.8.8.8

# Query Cloudflare's public DNS
dig A example.com @1.1.1.1

# Query a specific NOC name server
dig A example.com @ns1.noc.org

If one resolver returns the correct (NOC) IP but another returns the old IP, DNS propagation is still in progress.

Checking DNS Propagation

After making DNS changes, you need to verify that the changes have propagated to DNS resolvers worldwide. Use dig to check multiple public resolvers:

# Google DNS
dig A example.com @8.8.8.8 +short

# Cloudflare DNS
dig A example.com @1.1.1.1 +short

# Quad9 DNS
dig A example.com @9.9.9.9 +short

# OpenDNS
dig A example.com @208.67.222.222 +short

The +short flag outputs only the answer (the IP address) without the full dig output, making it easy to compare results across resolvers.

If all resolvers return the same IP (the NOC Anycast IP), propagation is complete. If some still return the old IP, you may need to wait for the previous TTL to expire.
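
The comparison above can be scripted. The following is an added example, not NOC tooling or code from the original guide: it queries the four resolvers listed above and reports which ones already serve the expected address. The function names, the STALE/NO_ANSWER labels and the 3-second timeout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not NOC tooling). Resolver list is taken from the guide above.
RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222"

# lookup_a DOMAIN RESOLVER
# Prints the IPv4 answers as a sorted, comma-joined list (empty if none).
# +short also prints CNAME targets, and dig prints ";; ..." status lines
# on timeout, so anything that is not an IPv4 address is dropped.
lookup_a() {
    dig A "$1" "@$2" +short +time=3 +tries=1 2>/dev/null | sort |
        awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { a = a (a == "" ? "" : ",") $0 }
             END { print a }'
}

# propagation_report DOMAIN EXPECTED
# EXPECTED is the address the record should now return (sorted and
# comma-joined if there are several). Prints one line per resolver and
# returns 0 only when every resolver already serves EXPECTED.
propagation_report() {
    pr_pending=0
    for pr_r in $RESOLVERS; do
        pr_got=$(lookup_a "$1" "$pr_r")
        if [ "$pr_got" = "$2" ]; then
            pr_state=OK
        elif [ -z "$pr_got" ]; then
            pr_state=NO_ANSWER      # timeout, NXDOMAIN or no A record
            pr_pending=$((pr_pending + 1))
        else
            pr_state=STALE          # old address still cached or served
            pr_pending=$((pr_pending + 1))
        fi
        printf '%-16s %-9s %s\n' "$pr_r" "$pr_state" "${pr_got:--}"
    done
    [ "$pr_pending" -eq 0 ]
}

# Usage: propagation_report example.com 198.51.100.1
```

A STALE line showing your origin server's IP means that resolver is still sending visitors directly to the origin rather than through NOC.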

Checking Authoritative Responses

To get the definitive answer from the authoritative name server (bypassing resolver caches), use the +trace flag:

dig A example.com +trace

This traces the full DNS resolution path from the root servers to the authoritative name server for your domain. The final answer in the trace shows what the authoritative server returns, regardless of what cached responses other resolvers may still have.

Checking MX Records

If you use NOC's DNS hosting, verify your email (MX) records are configured correctly:

dig MX example.com

MX records should point to your email provider's servers. Moving DNS to NOC should not affect MX records as long as they were configured correctly during the migration.

Checking TXT Records

TXT records are used for SPF, DKIM, domain verification, and other purposes:

dig TXT example.com
dig TXT _dmarc.example.com

Verify that all TXT records (SPF, DKIM, DMARC, domain verification tokens) were migrated correctly when switching DNS to NOC.

Common dig Flags

Flag              Description
+short            Show only the answer, no extra information
+trace            Trace the full resolution path from root servers
+noall +answer    Show only the answer section
+ttlid            Show TTL values in the output
@server           Query a specific DNS server
ANY               Query all record types (may be restricted by some servers)

Installing dig

The dig command is pre-installed on most macOS and Linux systems. If it is not available:

  • Ubuntu/Debian: apt install dnsutils
  • CentOS/RHEL: yum install bind-utils
  • macOS: Pre-installed with macOS. No action needed.
  • Windows: Use nslookup as an alternative, or install dig via BIND tools.
