Troubleshooting DNS with Dig

We spend a lot of time with DNS. We’re constantly having to investigate issues, analyze outputs, or just try to understand what is going on. When troubleshooting DNS, the best tool is the dig command.

Dig comes by default on most Linux distributions and on macOS (sorry Windows users, you are stuck with nslookup by default). All you have to do is open your terminal and type dig (with -h to see a list of all options) to get started:

$ dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} […]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,…) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,…) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:

Dig: Getting an IP Address for a domain

To get the IP address for a domain, all you have to do is provide the domain name to the Dig command:

$ dig
; <<>> DiG 9.10.3-P4-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54352
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 65494
; IN A
;; ANSWER SECTION:
299 IN A
299 IN A
299 IN A
299 IN A
299 IN A

As you can see, it provides the DNS question header and response header at the top (query for 1 domain, answered with 6 IP addresses, with 1 additional section). If you are not interested in the headers, you can use the +short option to make the output easier to read:

$ dig +short

In this example, for the domain, it is responding with the CNAME of the CDN and the IP address it is being routed to.

Dig: Testing across different resolvers

Let’s say you want to test the response from different DNS providers. You can use the @NAMESERVER format at the end of the query to specify the DNS resolver IP address. For example, to get the IP for at the Google DNS ( you would do:

$ dig +short @

But let’s say you are troubleshooting a DNS issue and you want to check across multiple DNS providers at the same time. A little bit of shell script and dig will do it for you:

$ for i in; do echo -n $i': ' ; dig +short @$i; done

In this example, it is checking on OpenDNS’s, CloudFlare’s, Google’s, Quad9 and CleanBrowsing’s security filter ( for the IP of As you can see from the response, they all worked and matched to
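The same multi-resolver check as a small script that also reports whether the answers agree. This is an added example, not code from the original post: the function names are made up here, and the resolver addresses are passed in as arguments. A mismatch is a prompt to investigate (filtering, a stale cache, tampering), not proof of a problem, since CDNs legitimately hand out different addresses.

```shell
#!/bin/sh
# Added example: compare the A records several resolvers return for one name.

# Run one lookup. Kept in its own function so it can be stubbed offline.
query_resolver() {  # $1 = resolver IP, $2 = domain
    dig +short +time=2 +tries=1 "@$1" "$2" A
}

# Reduce `dig +short` output to a canonical form: keep only IPv4 address
# lines (CNAME targets are dropped), sort them, join with commas.
normalize_answer() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | LC_ALL=C sort -u | paste -sd, -
}

# Print "resolver: answer" for each resolver. Return 0 when every resolver
# gave the same non-empty answer set, 1 otherwise.
compare_resolvers() {  # $1 = domain, remaining args = resolver IPs
    domain=$1; shift
    first=""; status=0
    for r in "$@"; do
        ans=$(query_resolver "$r" "$domain" 2>/dev/null | normalize_answer)
        printf '%s: %s\n' "$r" "${ans:-NO ANSWER}"
        if [ -z "$ans" ]; then
            status=1            # timeout, SERVFAIL or a blocked name
        elif [ -z "$first" ]; then
            first=$ans          # first usable answer becomes the baseline
        elif [ "$ans" != "$first" ]; then
            status=1            # this resolver disagrees with the baseline
        fi
    done
    return $status
}

# Usage: sh compare.sh DOMAIN RESOLVER_IP [RESOLVER_IP ...]
if [ "$#" -ge 2 ]; then
    compare_resolvers "$@"
fi
```
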

Dig: Getting the IP of your DNS resolver

Most DNS lookups go straight to your DNS resolver, before hitting the Authoritative server for a specific domain. If you want to check the IP Address (or provider) that is being used, you can leverage the Lua service (DNS API) provided by PowerDNS to check:

$ dig +short -t TXT

And it responds with which is one of the CleanBrowsing IP addresses in LA ( domain name pointer )

Note that we passed the -t flag with the TXT value to query for the TXT record. You can use AAAA for IPv6 records, MX for mail records, etc.

Dig: Getting the response time for a query

One of the very useful things that dig also does is provide the query time for your request:

$ dig | grep 'Query time'
;; Query time: 10 msec

In this case, you can see that the CleanBrowsing DNS is responding in 10 msec for the query. If I try the Quad9 one, it is responding in 47 msec:

$ dig @ | grep 'Query time'
;; Query time: 47 msec

A bit slower, but also pretty good. That allows you to troubleshoot performance and even test different DNS providers.

Dig: Finding the nameserver for a domain

If you need to find the name server (aka authoritative DNS) for a domain, all you have to do is pass the NS value to the -t option:

$ dig +short -t NS

As you can see, the domain is using the NOC DNS as its authoritative server. And Amazon uses DYN and UltraDNS instead of their own Route53:

$ dig +short -t NS

Try it out and let us know if you have any questions at

Posted in   troubleshooting   dns     by noc_team
