1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- $Id: dig.docbook,v 1.17.18.24 2008/10/14 00:54:40 marka Exp $ -->
22 <refentry id="man.dig">
25 <date>Jun 30, 2000</date>
29 <refentrytitle>dig</refentrytitle>
30 <manvolnum>1</manvolnum>
31 <refmiscinfo>BIND9</refmiscinfo>
35 <refname>dig</refname>
36 <refpurpose>DNS lookup utility</refpurpose>
46 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
53 <holder>Internet Software Consortium.</holder>
59 <command>dig</command>
60 <arg choice="opt">@server</arg>
61 <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
62 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
63 <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
64 <arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
65 <arg><option>-m</option></arg>
66 <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
67 <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
68 <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
69 <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
70 <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
71 <arg><option>-4</option></arg>
72 <arg><option>-6</option></arg>
73 <arg choice="opt">name</arg>
74 <arg choice="opt">type</arg>
75 <arg choice="opt">class</arg>
76 <arg choice="opt" rep="repeat">queryopt</arg>
80 <command>dig</command>
81 <arg><option>-h</option></arg>
85 <command>dig</command>
86 <arg choice="opt" rep="repeat">global-queryopt</arg>
87 <arg choice="opt" rep="repeat">query</arg>
92 <title>DESCRIPTION</title>
93 <para><command>dig</command>
94 (domain information groper) is a flexible tool
95 for interrogating DNS name servers. It performs DNS lookups and
96 displays the answers that are returned from the name server(s) that
97 were queried. Most DNS administrators use <command>dig</command> to
98 troubleshoot DNS problems because of its flexibility, ease of use and
99 clarity of output. Other lookup tools tend to have less functionality
100 than <command>dig</command>.
104 Although <command>dig</command> is normally used with
106 arguments, it also has a batch mode of operation for reading lookup
107 requests from a file. A brief summary of its command-line arguments
108 and options is printed when the <option>-h</option> option is given.
109 Unlike earlier versions, the BIND 9 implementation of
110 <command>dig</command> allows multiple lookups to be issued
116 Unless it is told to query a specific name server,
117 <command>dig</command> will try each of the servers listed
119 <filename>/etc/resolv.conf</filename>.
123 When no command line arguments or options are given,
124 <command>dig</command> will perform an NS query for "." (the root).
128 It is possible to set per-user defaults for <command>dig</command> via
129 <filename>${HOME}/.digrc</filename>. This file is read and
131 are applied before the command line arguments.
135 The IN and CH class names overlap with the IN and CH top level
136 domains names. Either use the <option>-t</option> and
137 <option>-c</option> options to specify the type and class,
138 use the <option>-q</option> the specify the domain name, or
139 use "IN." and "CH." when looking up these top level domains.
145 <title>SIMPLE USAGE</title>
148 A typical invocation of <command>dig</command> looks like:
149 <programlisting> dig @server name type </programlisting>
155 <term><constant>server</constant></term>
158 is the name or IP address of the name server to query. This can
160 address in dotted-decimal notation or an IPv6
161 address in colon-delimited notation. When the supplied
162 <parameter>server</parameter> argument is a
164 <command>dig</command> resolves that name before
166 server. If no <parameter>server</parameter>
167 argument is provided,
168 <command>dig</command> consults <filename>/etc/resolv.conf</filename>
169 and queries the name servers listed there. The reply from the
171 server that responds is displayed.
177 <term><constant>name</constant></term>
180 is the name of the resource record that is to be looked up.
186 <term><constant>type</constant></term>
189 indicates what type of query is required —
190 ANY, A, MX, SIG, etc.
191 <parameter>type</parameter> can be any valid query
193 <parameter>type</parameter> argument is supplied,
194 <command>dig</command> will perform a lookup for an
206 <title>OPTIONS</title>
209 The <option>-b</option> option sets the source IP address of the query
210 to <parameter>address</parameter>. This must be a valid
212 one of the host's network interfaces or "0.0.0.0" or "::". An optional
214 may be specified by appending "#<port>"
218 The default query class (IN for internet) is overridden by the
219 <option>-c</option> option. <parameter>class</parameter> is
221 class, such as HS for Hesiod records or CH for Chaosnet records.
225 The <option>-f</option> option makes <command>dig </command>
227 in batch mode by reading a list of lookup requests to process from the
228 file <parameter>filename</parameter>. The file contains a
230 queries, one per line. Each entry in the file should be organized in
231 the same way they would be presented as queries to
232 <command>dig</command> using the command-line interface.
236 The <option>-m</option> option enables memory usage debugging.
237 <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
238 documented in include/isc/mem.h -->
242 If a non-standard port number is to be queried, the
243 <option>-p</option> option is used. <parameter>port#</parameter> is
244 the port number that <command>dig</command> will send its
246 instead of the standard DNS port number 53. This option would be used
247 to test a name server that has been configured to listen for queries
248 on a non-standard port number.
252 The <option>-4</option> option forces <command>dig</command>
254 use IPv4 query transport. The <option>-6</option> option forces
255 <command>dig</command> to only use IPv6 query transport.
259 The <option>-t</option> option sets the query type to
260 <parameter>type</parameter>. It can be any valid query type
262 supported in BIND 9. The default query type is "A", unless the
263 <option>-x</option> option is supplied to indicate a reverse lookup.
264 A zone transfer can be requested by specifying a type of AXFR. When
265 an incremental zone transfer (IXFR) is required,
266 <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
267 The incremental zone transfer will contain the changes made to the zone
268 since the serial number in the zone's SOA record was
269 <parameter>N</parameter>.
273 The <option>-q</option> option sets the query name to
274 <parameter>name</parameter>. This useful do distinguish the
275 <parameter>name</parameter> from other arguments.
279 Reverse lookups — mapping addresses to names — are simplified by the
280 <option>-x</option> option. <parameter>addr</parameter> is
282 address in dotted-decimal notation, or a colon-delimited IPv6 address.
283 When this option is used, there is no need to provide the
284 <parameter>name</parameter>, <parameter>class</parameter> and
285 <parameter>type</parameter> arguments. <command>dig</command>
286 automatically performs a lookup for a name like
287 <literal>11.12.13.10.in-addr.arpa</literal> and sets the
289 class to PTR and IN respectively. By default, IPv6 addresses are
290 looked up using nibble format under the IP6.ARPA domain.
291 To use the older RFC1886 method using the IP6.INT domain
292 specify the <option>-i</option> option. Bit string labels (RFC2874)
293 are now experimental and are not attempted.
297 To sign the DNS queries sent by <command>dig</command> and
299 responses using transaction signatures (TSIG), specify a TSIG key file
300 using the <option>-k</option> option. You can also specify the TSIG
301 key itself on the command line using the <option>-y</option> option;
302 <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
303 <parameter>name</parameter> is the name of the TSIG key and
304 <parameter>key</parameter> is the actual key. The key is a
306 encoded string, typically generated by
308 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
311 Caution should be taken when using the <option>-y</option> option on
312 multi-user systems as the key can be visible in the output from
314 <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
316 or in the shell's history file. When
317 using TSIG authentication with <command>dig</command>, the name
318 server that is queried needs to know the key and algorithm that is
319 being used. In BIND, this is done by providing appropriate
320 <command>key</command> and <command>server</command> statements in
321 <filename>named.conf</filename>.
327 <title>QUERY OPTIONS</title>
329 <para><command>dig</command>
330 provides a number of query options which affect
331 the way in which lookups are made and the results displayed. Some of
332 these set or reset flag bits in the query header, some determine which
333 sections of the answer get printed, and others determine the timeout
334 and retry strategies.
338 Each query option is identified by a keyword preceded by a plus sign
339 (<literal>+</literal>). Some keywords set or reset an
340 option. These may be preceded
341 by the string <literal>no</literal> to negate the meaning of
343 keywords assign values to options like the timeout interval. They
344 have the form <option>+keyword=value</option>.
345 The query options are:
350 <term><option>+[no]tcp</option></term>
353 Use [do not use] TCP when querying name servers. The default
354 behavior is to use UDP unless an AXFR or IXFR query is
356 which case a TCP connection is used.
362 <term><option>+[no]vc</option></term>
365 Use [do not use] TCP when querying name servers. This alternate
366 syntax to <parameter>+[no]tcp</parameter> is
367 provided for backwards
368 compatibility. The "vc" stands for "virtual circuit".
374 <term><option>+[no]ignore</option></term>
377 Ignore truncation in UDP responses instead of retrying with TCP.
379 default, TCP retries are performed.
385 <term><option>+domain=somename</option></term>
388 Set the search list to contain the single domain
389 <parameter>somename</parameter>, as if specified in
391 <command>domain</command> directive in
392 <filename>/etc/resolv.conf</filename>, and enable
394 processing as if the <parameter>+search</parameter>
401 <term><option>+[no]search</option></term>
404 Use [do not use] the search list defined by the searchlist or
406 directive in <filename>resolv.conf</filename> (if
408 The search list is not used by default.
414 <term><option>+[no]showsearch</option></term>
417 Perform [do not perform] a search showing intermediate
424 <term><option>+[no]defname</option></term>
427 Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
433 <term><option>+[no]aaonly</option></term>
436 Sets the "aa" flag in the query.
442 <term><option>+[no]aaflag</option></term>
445 A synonym for <parameter>+[no]aaonly</parameter>.
451 <term><option>+[no]adflag</option></term>
454 Set [do not set] the AD (authentic data) bit in the query. The
456 currently has a standard meaning only in responses, not in
458 but the ability to set the bit in the query is provided for
465 <term><option>+[no]cdflag</option></term>
468 Set [do not set] the CD (checking disabled) bit in the query.
470 requests the server to not perform DNSSEC validation of
477 <term><option>+[no]cl</option></term>
480 Display [do not display] the CLASS when printing the record.
486 <term><option>+[no]ttlid</option></term>
489 Display [do not display] the TTL when printing the record.
495 <term><option>+[no]recurse</option></term>
498 Toggle the setting of the RD (recursion desired) bit in the
500 This bit is set by default, which means <command>dig</command>
501 normally sends recursive queries. Recursion is automatically
503 when the <parameter>+nssearch</parameter> or
504 <parameter>+trace</parameter> query options are
511 <term><option>+[no]nssearch</option></term>
514 When this option is set, <command>dig</command>
516 authoritative name servers for the zone containing the name
518 looked up and display the SOA record that each name server has
526 <term><option>+[no]trace</option></term>
529 Toggle tracing of the delegation path from the root name servers
531 the name being looked up. Tracing is disabled by default. When
532 tracing is enabled, <command>dig</command> makes
534 resolve the name being looked up. It will follow referrals from
536 root servers, showing the answer from each server that was used
544 <term><option>+[no]cmd</option></term>
547 Toggles the printing of the initial comment in the output
549 the version of <command>dig</command> and the query
551 been applied. This comment is printed by default.
557 <term><option>+[no]short</option></term>
560 Provide a terse answer. The default is to print the answer in a
567 <term><option>+[no]identify</option></term>
570 Show [or do not show] the IP address and port number that
572 answer when the <parameter>+short</parameter> option
574 short form answers are requested, the default is not to show the
575 source address and port number of the server that provided the
582 <term><option>+[no]comments</option></term>
585 Toggle the display of comment lines in the output. The default
593 <term><option>+[no]stats</option></term>
596 This query option toggles the printing of statistics: when the
598 was made, the size of the reply and so on. The default
600 to print the query statistics.
606 <term><option>+[no]qr</option></term>
609 Print [do not print] the query as it is sent.
610 By default, the query is not printed.
616 <term><option>+[no]question</option></term>
619 Print [do not print] the question section of a query when an
621 returned. The default is to print the question section as a
628 <term><option>+[no]answer</option></term>
631 Display [do not display] the answer section of a reply. The
639 <term><option>+[no]authority</option></term>
642 Display [do not display] the authority section of a reply. The
643 default is to display it.
649 <term><option>+[no]additional</option></term>
652 Display [do not display] the additional section of a reply.
653 The default is to display it.
659 <term><option>+[no]all</option></term>
662 Set or clear all display flags.
668 <term><option>+time=T</option></term>
672 Sets the timeout for a query to
673 <parameter>T</parameter> seconds. The default
674 timeout is 5 seconds.
675 An attempt to set <parameter>T</parameter> to less
677 in a query timeout of 1 second being applied.
683 <term><option>+tries=T</option></term>
686 Sets the number of times to try UDP queries to server to
687 <parameter>T</parameter> instead of the default, 3.
689 <parameter>T</parameter> is less than or equal to
691 tries is silently rounded up to 1.
697 <term><option>+retry=T</option></term>
700 Sets the number of times to retry UDP queries to server to
701 <parameter>T</parameter> instead of the default, 2.
703 <parameter>+tries</parameter>, this does not include
711 <term><option>+ndots=D</option></term>
714 Set the number of dots that have to appear in
715 <parameter>name</parameter> to <parameter>D</parameter> for it to be
716 considered absolute. The default value is that defined using
718 ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
719 ndots statement is present. Names with fewer dots are
721 relative names and will be searched for in the domains listed in
723 <option>search</option> or <option>domain</option> directive in
724 <filename>/etc/resolv.conf</filename>.
730 <term><option>+bufsize=B</option></term>
733 Set the UDP message buffer size advertised using EDNS0 to
734 <parameter>B</parameter> bytes. The maximum and minimum sizes
735 of this buffer are 65535 and 0 respectively. Values outside
736 this range are rounded up or down appropriately.
737 Values other than zero will cause a EDNS query to be sent.
743 <term><option>+edns=#</option></term>
746 Specify the EDNS version to query with. Valid values
747 are 0 to 255. Setting the EDNS version will cause a
748 EDNS query to be sent. <option>+noedns</option> clears the
749 remembered EDNS version.
755 <term><option>+[no]multiline</option></term>
758 Print records like the SOA records in a verbose multi-line
759 format with human-readable comments. The default is to print
760 each record on a single line, to facilitate machine parsing
761 of the <command>dig</command> output.
767 <term><option>+[no]fail</option></term>
770 Do not try the next server if you receive a SERVFAIL. The
772 to not try the next server which is the reverse of normal stub
780 <term><option>+[no]besteffort</option></term>
783 Attempt to display the contents of messages which are malformed.
784 The default is to not display malformed answers.
790 <term><option>+[no]dnssec</option></term>
793 Requests DNSSEC records be sent by setting the DNSSEC OK bit
795 in the OPT record in the additional section of the query.
801 <term><option>+[no]sigchase</option></term>
804 Chase DNSSEC signature chains. Requires dig be compiled with
811 <term><option>+trusted-key=####</option></term>
814 Specifies a file containing trusted keys to be used with
815 <option>+sigchase</option>. Each DNSKEY record must be
819 If not specified <command>dig</command> will look for
820 <filename>/etc/trusted-key.key</filename> then
821 <filename>trusted-key.key</filename> in the current directory.
824 Requires dig be compiled with -DDIG_SIGCHASE.
830 <term><option>+[no]topdown</option></term>
833 When chasing DNSSEC signature chains perform a top-down
835 Requires dig be compiled with -DDIG_SIGCHASE.
848 <title>MULTIPLE QUERIES</title>
851 The BIND 9 implementation of <command>dig </command>
853 specifying multiple queries on the command line (in addition to
854 supporting the <option>-f</option> batch file option). Each of those
855 queries can be supplied with its own set of flags, options and query
860 In this case, each <parameter>query</parameter> argument
862 individual query in the command-line syntax described above. Each
863 consists of any of the standard options and flags, the name to be
864 looked up, an optional query type and class and any query options that
865 should be applied to that query.
869 A global set of query options, which should be applied to all queries,
870 can also be supplied. These global query options must precede the
871 first tuple of name, class, type, options, flags, and query options
872 supplied on the command line. Any global query options (except
873 the <option>+[no]cmd</option> option) can be
874 overridden by a query-specific set of query options. For example:
876 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
878 shows how <command>dig</command> could be used from the
880 to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
881 reverse lookup of 127.0.0.1 and a query for the NS records of
882 <literal>isc.org</literal>.
884 A global query option of <parameter>+qr</parameter> is
886 that <command>dig</command> shows the initial query it made
888 lookup. The final query has a local query option of
889 <parameter>+noqr</parameter> which means that <command>dig</command>
890 will not print the initial query when it looks up the NS records for
891 <literal>isc.org</literal>.
897 <title>IDN SUPPORT</title>
899 If <command>dig</command> has been built with IDN (internationalized
900 domain name) support, it can accept and display non-ASCII domain names.
901 <command>dig</command> appropriately converts character encoding of
902 domain name before sending a request to DNS server or displaying a
903 reply from the server.
904 If you'd like to turn off the IDN support for some reason, defines
905 the <envar>IDN_DISABLE</envar> environment variable.
906 The IDN support is disabled if the variable is set when
907 <command>dig</command> runs.
913 <para><filename>/etc/resolv.conf</filename>
915 <para><filename>${HOME}/.digrc</filename>
920 <title>SEE ALSO</title>
922 <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
925 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
928 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
930 <citetitle>RFC1035</citetitle>.
937 There are probably too many query options.