<!--
 - Copyright (C) 2004-2011, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dig">
<date>2014-02-12</date>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
<refentrytitle>dig</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
<refname>dig</refname>
<refpurpose>DNS lookup utility</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<holder>Internet Software Consortium.</holder>
<cmdsynopsis sepchar=" ">
<command>dig</command>
<arg choice="opt" rep="norepeat">@server</arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
<cmdsynopsis sepchar=" ">
<command>dig</command>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<cmdsynopsis sepchar=" ">
<command>dig</command>
<arg choice="opt" rep="repeat">global-queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dig</command>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
displays the answers that are returned from the name server(s) that
were queried. Most DNS administrators use <command>dig</command> to
troubleshoot DNS problems because of its flexibility, ease of use and
clarity of output. Other lookup tools tend to have less functionality
than <command>dig</command>.
Although <command>dig</command> is normally used with
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the <option>-h</option> option is given.
Unlike earlier versions, the BIND 9 implementation of
<command>dig</command> allows multiple lookups to be issued
Unless it is told to query a specific name server,
<command>dig</command> will try each of the servers listed in
<filename>/etc/resolv.conf</filename>. If no usable server addresses
are found, <command>dig</command> will send the query to the local
When no command line arguments or options are given,
<command>dig</command> will perform an NS query for "." (the root).
It is possible to set per-user defaults for <command>dig</command> via
<filename>${HOME}/.digrc</filename>. This file is read and
are applied before the command line arguments.
The IN and CH class names overlap with the IN and CH top level
domain names. Either use the <option>-t</option> and
<option>-c</option> options to specify the type and class,
use the <option>-q</option> to specify the domain name, or
use "IN." and "CH." when looking up these top level domains.
<refsection><info><title>SIMPLE USAGE</title></info>
A typical invocation of <command>dig</command> looks like:
<programlisting> dig @server name type </programlisting>
<term><constant>server</constant></term>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<parameter>server</parameter> argument is a hostname,
<command>dig</command> resolves that name before querying
If no <parameter>server</parameter> argument is
provided, <command>dig</command> consults
<filename>/etc/resolv.conf</filename>; if an
address is found there, it queries the name server at
that address. If either of the <option>-4</option> or
<option>-6</option> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<command>dig</command> will send the query to the
local host. The reply from the name server that
responds is displayed.
<term><constant>name</constant></term>
is the name of the resource record that is to be looked up.
<term><constant>type</constant></term>
indicates what type of query is required —
ANY, A, MX, SIG, etc.
<parameter>type</parameter> can be any valid query
<parameter>type</parameter> argument is supplied,
<command>dig</command> will perform a lookup for an
<refsection><info><title>OPTIONS</title></info>
<term>-b <replaceable class="parameter">address<optional>#port</optional></replaceable></term>
Set the source IP address of the query.
The <parameter>address</parameter> must be a valid address on
one of the host's network interfaces, or "0.0.0.0" or "::". An
optional port may be specified by appending "#&lt;port&gt;"
<term>-c <replaceable class="parameter">class</replaceable></term>
Set the query class. The
default <parameter>class</parameter> is IN; other classes
are HS for Hesiod records or CH for Chaosnet records.
<term>-f <replaceable class="parameter">file</replaceable></term>
Batch mode: <command>dig</command> reads a list of lookup
requests to process from the
given <parameter>file</parameter>. Each line in the file
should be organized in the same way they would be
presented as queries to
<command>dig</command> using the command-line interface.
Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
domain, which is no longer in use. Obsolete bit string
label queries (RFC2874) are not attempted.
<term>-k <replaceable class="parameter">keyfile</replaceable></term>
Sign queries using TSIG using a key read from the given file.
Key files can be generated using
<refentrytitle>tsig-keygen</refentrytitle><manvolnum>8</manvolnum>
When using TSIG authentication with <command>dig</command>,
the name server that is queried needs to know the key and
algorithm that is being used. In BIND, this is done by
providing appropriate <command>key</command>
and <command>server</command> statements in
<filename>named.conf</filename>.
Enable memory usage debugging.
<!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
documented in include/isc/mem.h -->
<term>-p <replaceable class="parameter">port</replaceable></term>
Send the query to a non-standard port on the server,
instead of the default port 53. This option would be used
to test a name server that has been configured to listen
for queries on a non-standard port number.
<term>-q <replaceable class="parameter">name</replaceable></term>
The domain name to query. This is useful to distinguish
the <parameter>name</parameter> from other arguments.
<term>-t <replaceable class="parameter">type</replaceable></term>
The resource record type to query. It can be any valid query type
supported in BIND 9. The default query type is "A", unless the
<option>-x</option> option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required, set the
<parameter>type</parameter> to <literal>ixfr=N</literal>.
The incremental zone transfer will contain the changes
made to the zone since the serial number in the zone's SOA
<parameter>N</parameter>.
Print the version number and exit.
<term>-x <replaceable class="parameter">addr</replaceable></term>
Simplified reverse lookups, for mapping addresses to
names. The <parameter>addr</parameter> is an IPv4 address
in dotted-decimal notation, or a colon-delimited IPv6
address. When the <option>-x</option> is used, there is no
the <parameter>name</parameter>, <parameter>class</parameter>
and <parameter>type</parameter>
arguments. <command>dig</command> automatically performs a
lookup for a name like
<literal>94.2.0.192.in-addr.arpa</literal> and sets the
query type and class to PTR and IN respectively. IPv6
addresses are looked up using nibble format under the
IP6.ARPA domain (but see also the <option>-i</option>
<term>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></term>
Sign queries using TSIG with the given authentication key.
<parameter>keyname</parameter> is the name of the key, and
<parameter>secret</parameter> is the base64 encoded shared secret.
<parameter>hmac</parameter> is the name of the key algorithm;
valid choices are <literal>hmac-md5</literal>,
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>.
NOTE: You should use the <option>-k</option> option and
avoid the <option>-y</option> option, because
with <option>-y</option> the shared secret is supplied as
a command line argument in clear text. This may be visible
<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
or in a history file maintained by the user's shell.
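The -k and -y entries above, turned into a workflow: this is an added example, not ISC code, that writes a secret read from stdin into a mode-0600 key file for -k and flags history lines that passed a secret with -y. The function names, key name, paths, server address and secret are constructed placeholders, and the key file uses the named.conf key-statement form that tsig-keygen prints.

```shell
#!/bin/sh
# Added example (not ISC code). All names, paths and secrets are placeholders.

# Algorithms the man page lists as valid for -y.
tsig_alg_ok() {
    case "$1" in
        hmac-md5|hmac-sha1|hmac-sha224|hmac-sha256|hmac-sha384|hmac-sha512)
            return 0 ;;
    esac
    return 1
}

# write_tsig_keyfile PATH KEYNAME ALGORITHM
# Reads the base64 secret from stdin, never from an argument, so it cannot
# show up in ps(1) output or in the shell history.
write_tsig_keyfile() {
    kf_path=$1; kf_name=$2; kf_alg=$3
    tsig_alg_ok "$kf_alg" || { echo "unsupported algorithm: $kf_alg" >&2; return 2; }
    case "$kf_name" in
        ''|*[!A-Za-z0-9._-]*) echo "bad key name" >&2; return 2 ;;
    esac
    IFS= read -r kf_secret || [ -n "$kf_secret" ] || { echo "no secret on stdin" >&2; return 2; }
    case "$kf_secret" in
        ''|*[!A-Za-z0-9+/=]*) echo "secret is not base64" >&2; return 2 ;;
    esac
    # Truncate and tighten permissions before the secret is written, so a
    # pre-existing file with wider permissions never holds it.
    (
        umask 077
        : > "$kf_path" && chmod 600 "$kf_path" &&
        printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
            "$kf_name" "$kf_alg" "$kf_secret" >> "$kf_path"
    ) || return 1
    unset kf_secret
}

# audit_history FILE
# Reports history lines that ran dig with "-y <spec>" (separated form only,
# plain one-command-per-line history). The secret part is never echoed.
audit_history() {
    awk '{
        dig = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dig" || $i ~ /\/dig$/) dig = 1
            else if (dig && $i == "-y" && i < NF) {
                spec = $(i + 1)
                sub(/:[^:]*$/, ":<redacted>", spec)
                printf "%d: dig -y %s\n", NR, spec
            }
        }
    }' "$1"
}

# Usage (constructed names):
#   ./tsig-keyfile.sh write "$HOME/.tsig/demo.key" demo-key hmac-sha256 < secret.txt
#   dig -k "$HOME/.tsig/demo.key" @192.0.2.53 example.com soa
#   ./tsig-keyfile.sh audit "$HOME/.bash_history"
case "${1:-}" in
    write) shift; write_tsig_keyfile "$@" ;;
    audit) shift; audit_history "$@" ;;
esac
```

A secret that audit_history reports has already been exposed in the history file and should be replaced on both dig's side and the name server's.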
<refsection><info><title>QUERY OPTIONS</title></info>
<para><command>dig</command>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
these set or reset flag bits in the query header, some determine which
sections of the answer get printed, and others determine the timeout
and retry strategies.
Each query option is identified by a keyword preceded by a plus sign
(<literal>+</literal>). Some keywords set or reset an
option. These may be preceded
by the string <literal>no</literal> to negate the meaning of
keywords assign values to options like the timeout interval. They
have the form <option>+keyword=value</option>.
Keywords may be abbreviated, provided the abbreviation is
unambiguous; for example, <literal>+cd</literal> is equivalent
to <literal>+cdflag</literal>.
The query options are:
<term><option>+[no]aaflag</option></term>
A synonym for <parameter>+[no]aaonly</parameter>.
<term><option>+[no]aaonly</option></term>
Sets the "aa" flag in the query.
<term><option>+[no]additional</option></term>
Display [do not display] the additional section of a
reply. The default is to display it.
<term><option>+[no]adflag</option></term>
Set [do not set] the AD (authentic data) bit in the
query. This requests the server to return whether
all of the answer and authority sections have
been validated as secure according to the security
policy of the server. AD=1 indicates that all records
have been validated as secure and the answer is not
from an OPT-OUT range. AD=0 indicates that some part
of the answer was insecure or not validated. This
bit is set by default.
<term><option>+[no]all</option></term>
Set or clear all display flags.
<term><option>+[no]answer</option></term>
Display [do not display] the answer section of a
reply. The default is to display it.
<term><option>+[no]authority</option></term>
Display [do not display] the authority section of a
reply. The default is to display it.
<term><option>+[no]besteffort</option></term>
Attempt to display the contents of messages which are
malformed. The default is to not display malformed
<term><option>+bufsize=B</option></term>
Set the UDP message buffer size advertised using EDNS0
to <parameter>B</parameter> bytes. The maximum and
minimum sizes of this buffer are 65535 and 0 respectively.
Values outside this range are rounded up or down
appropriately. Values other than zero will cause an
EDNS query to be sent.
<term><option>+[no]cdflag</option></term>
Set [do not set] the CD (checking disabled) bit in
the query. This requests the server to not perform
DNSSEC validation of responses.
<term><option>+[no]class</option></term>
Display [do not display] the CLASS when printing the
<term><option>+[no]cmd</option></term>
Toggles the printing of the initial comment in the
output identifying the version of <command>dig</command>
and the query options that have been applied. This
comment is printed by default.
<term><option>+[no]comments</option></term>
Toggle the display of comment lines in the output.
The default is to print comments.
<term><option>+[no]defname</option></term>
Deprecated, treated as a synonym for
<parameter>+[no]search</parameter>
<term><option>+[no]dnssec</option></term>
Requests DNSSEC records be sent by setting the DNSSEC
OK bit (DO) in the OPT record in the additional section
<term><option>+domain=somename</option></term>
Set the search list to contain the single domain
<parameter>somename</parameter>, as if specified in
a <command>domain</command> directive in
<filename>/etc/resolv.conf</filename>, and enable
search list processing as if the
<parameter>+search</parameter> option were given.
<term><option>+[no]edns[=#]</option></term>
Specify the EDNS version to query with. Valid values
are 0 to 255. Setting the EDNS version will cause
an EDNS query to be sent. <option>+noedns</option>
clears the remembered EDNS version. EDNS is set to
<term><option>+[no]fail</option></term>
Do not try the next server if you receive a SERVFAIL.
The default is to not try the next server, which is
the reverse of normal stub resolver behavior.
<term><option>+[no]identify</option></term>
Show [or do not show] the IP address and port number
that supplied the answer when the
<parameter>+short</parameter> option is enabled. If
short form answers are requested, the default is not
to show the source address and port number of the
server that provided the answer.
<term><option>+[no]ignore</option></term>
Ignore truncation in UDP responses instead of retrying
with TCP. By default, TCP retries are performed.
<term><option>+[no]keepopen</option></term>
Keep the TCP socket open between queries and reuse
it rather than creating a new TCP socket for each
lookup. The default is <option>+nokeepopen</option>.
<term><option>+[no]multiline</option></term>
Print records like the SOA records in a verbose
multi-line format with human-readable comments. The
default is to print each record on a single line, to
facilitate machine parsing of the <command>dig</command>
<term><option>+ndots=D</option></term>
Set the number of dots that have to appear in
<parameter>name</parameter> to <parameter>D</parameter>
for it to be considered absolute. The default value
is that defined using the ndots statement in
<filename>/etc/resolv.conf</filename>, or 1 if no
ndots statement is present. Names with fewer dots
are interpreted as relative names and will be searched
for in the domains listed in the <option>search</option>
or <option>domain</option> directive in
<filename>/etc/resolv.conf</filename> if
<option>+search</option> is set.
<term><option>+[no]nsid</option></term>
Include an EDNS name server ID request when sending
<term><option>+[no]nssearch</option></term>
When this option is set, <command>dig</command>
attempts to find the authoritative name servers for
the zone containing the name being looked up and
display the SOA record that each name server has for
<term><option>+[no]onesoa</option></term>
Print only one (starting) SOA record when performing
an AXFR. The default is to print both the starting
and ending SOA records.
<term><option>+[no]qr</option></term>
Print [do not print] the query as it is sent. By
default, the query is not printed.
<term><option>+[no]question</option></term>
Print [do not print] the question section of a query
when an answer is returned. The default is to print
the question section as a comment.
<term><option>+[no]rdflag</option></term>
A synonym for <parameter>+[no]recurse</parameter>.
<term><option>+[no]recurse</option></term>
Toggle the setting of the RD (recursion desired) bit
in the query. This bit is set by default, which means
<command>dig</command> normally sends recursive
queries. Recursion is automatically disabled when
the <parameter>+nssearch</parameter> or
<parameter>+trace</parameter> query options are used.
<term><option>+retry=T</option></term>
Sets the number of times to retry UDP queries to
server to <parameter>T</parameter> instead of the
default, 2. Unlike <parameter>+tries</parameter>,
this does not include the initial query.
<term><option>+[no]rrcomments</option></term>
Toggle the display of per-record comments in the
output (for example, human-readable key information
about DNSKEY records). The default is not to print
record comments unless multiline mode is active.
<term><option>+[no]search</option></term>
Use [do not use] the search list defined by the
searchlist or domain directive in
<filename>resolv.conf</filename> (if any). The search
list is not used by default.
'ndots' from <filename>resolv.conf</filename> (default 1)
which may be overridden by <parameter>+ndots</parameter>
determines if the name will be treated as relative
or not and hence whether a search is eventually
<term><option>+[no]short</option></term>
Provide a terse answer. The default is to print the
answer in a verbose form.
<term><option>+[no]showsearch</option></term>
Perform [do not perform] a search showing intermediate
<term><option>+[no]sigchase</option></term>
Chase DNSSEC signature chains. Requires dig be
compiled with -DDIG_SIGCHASE.
<term><option>+split=W</option></term>
Split long hex- or base64-formatted fields in resource
records into chunks of <parameter>W</parameter>
characters (where <parameter>W</parameter> is rounded
up to the nearest multiple of 4).
<parameter>+nosplit</parameter> or
<parameter>+split=0</parameter> causes fields not to
be split at all. The default is 56 characters, or
44 characters when multiline mode is active.
<term><option>+[no]stats</option></term>
This query option toggles the printing of statistics:
when the query was made, the size of the reply and
so on. The default behavior is to print the query
<term><option>+[no]tcp</option></term>
Use [do not use] TCP when querying name servers. The
default behavior is to use UDP unless an
<literal>ixfr=N</literal> query is requested, in which
case the default is TCP. AXFR queries always use
<term><option>+time=T</option></term>
Sets the timeout for a query to
<parameter>T</parameter> seconds. The default
timeout is 5 seconds.
An attempt to set <parameter>T</parameter> to less
in a query timeout of 1 second being applied.
<term><option>+[no]topdown</option></term>
When chasing DNSSEC signature chains perform a top-down
validation. Requires dig be compiled with -DDIG_SIGCHASE.
<term><option>+[no]trace</option></term>
Toggle tracing of the delegation path from the root
name servers for the name being looked up. Tracing
is disabled by default. When tracing is enabled,
<command>dig</command> makes iterative queries to
resolve the name being looked up. It will follow
referrals from the root servers, showing the answer
from each server that was used to resolve the lookup.
If @server is also specified, it affects only the
initial query for the root zone name servers.
<command>+dnssec</command> is also set when +trace
is set to better emulate the default queries from a
<term><option>+tries=T</option></term>
Sets the number of times to try UDP queries to server
to <parameter>T</parameter> instead of the default,
3. If <parameter>T</parameter> is less than or equal
to zero, the number of tries is silently rounded up
<term><option>+trusted-key=####</option></term>
Specifies a file containing trusted keys to be used
with <option>+sigchase</option>. Each DNSKEY record
must be on its own line.
If not specified, <command>dig</command> will look
for <filename>/etc/trusted-key.key</filename> then
<filename>trusted-key.key</filename> in the current
Requires dig be compiled with -DDIG_SIGCHASE.
<term><option>+[no]ttlid</option></term>
Display [do not display] the TTL when printing the
<term><option>+[no]vc</option></term>
Use [do not use] TCP when querying name servers. This
alternate syntax to <parameter>+[no]tcp</parameter>
is provided for backwards compatibility. The "vc"
stands for "virtual circuit".
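The +adflag and +cdflag entries above can be combined into a DNSSEC check. This added example (not ISC code) reads the status and flags from the header comment lines of two dig replies, one normal and one sent with +cdflag, and classifies the result. The function names and sample replies are constructed, and reading "SERVFAIL normally, NOERROR with +cdflag" as a validation failure at the resolver is the usual interpretation rather than something the page states.

```shell
#!/bin/sh
# Added example (not ISC code). Sample replies below are constructed; only
# the two header comment lines that the functions read are included.

SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# reply_field status|flags   (dig output on stdin, +comments left enabled)
reply_field() {
    case "$1" in
        status) sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z0-9]*\),.*/\1/p' ;;
        flags)  sed -n 's/^;; flags: \([^;]*\);.*/\1/p' ;;
    esac | head -n 1
}

# has_flag "FLAG LIST" FLAG
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# classify_dnssec NORMAL_REPLY CD_REPLY
#   validated          AD=1 in the normal reply
#   validation-failed  SERVFAIL normally, NOERROR once checking is disabled
#   server-failure     SERVFAIL either way, so not a DNSSEC-specific problem
#   not-validated      answered, but AD=0 (insecure or not validated)
#   no-reply           no header found in the normal reply
classify_dnssec() {
    cd_status=$(printf '%s\n' "$1" | reply_field status)
    cd_flags=$(printf '%s\n' "$1" | reply_field flags)
    cd_status_off=$(printf '%s\n' "$2" | reply_field status)
    if [ -z "$cd_status" ]; then
        echo no-reply
    elif has_flag "$cd_flags" ad; then
        echo validated
    elif [ "$cd_status" = SERVFAIL ] && [ "$cd_status_off" = NOERROR ]; then
        echo validation-failed
    elif [ "$cd_status" = SERVFAIL ]; then
        echo server-failure
    else
        echo not-validated
    fi
}

# Usage against a live resolver (example.com is a placeholder name):
#   classify_dnssec "$(dig +dnssec example.com a)" \
#                   "$(dig +dnssec +cdflag example.com a)"
```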
<refsection><info><title>MULTIPLE QUERIES</title></info>
The BIND 9 implementation of <command>dig</command>
specifying multiple queries on the command line (in addition to
supporting the <option>-f</option> batch file option). Each of those
queries can be supplied with its own set of flags, options and query
In this case, each <parameter>query</parameter> argument
individual query in the command-line syntax described above. Each
consists of any of the standard options and flags, the name to be
looked up, an optional query type and class and any query options that
should be applied to that query.
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the
first tuple of name, class, type, options, flags, and query options
supplied on the command line. Any global query options (except
the <option>+[no]cmd</option> option) can be
overridden by a query-specific set of query options. For example:
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how <command>dig</command> could be used from the
to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
reverse lookup of 127.0.0.1 and a query for the NS records of
<literal>isc.org</literal>.
A global query option of <parameter>+qr</parameter> is
that <command>dig</command> shows the initial query it made
lookup. The final query has a local query option of
<parameter>+noqr</parameter> which means that <command>dig</command>
will not print the initial query when it looks up the NS records for
<literal>isc.org</literal>.
<refsection><info><title>IDN SUPPORT</title></info>
If <command>dig</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>dig</command> appropriately converts the character encoding of
the domain name before sending a request to the DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>dig</command> runs.
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
<para><filename>${HOME}/.digrc</filename>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<citetitle>RFC1035</citetitle>.
<refsection><info><title>BUGS</title></info>
There are probably too many query options.