NAME
dig — domain information groper

SYNOPSIS
Single Query
dig [@server] [-4|-6] [-b address[#port]] [-c class] [-f filename] [-i] [-k filename] [-p port] [-t type] [-x addr] [-y name:key] [name] [type] [class] [queryopt]...

Multiple Query
dig [global-queryopt]... [query]...

DESCRIPTION
dig, the domain information groper, is a flexible tool for interrogating Domain Name System (DNS) servers. It performs DNS lookups and displays the answers that are returned from the name servers that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output.

The dig command has two modes: a simple command-line mode for single or multiple queries and a batch mode for reading lookup requests from a file (-f option).

Unless it is told to query a specific name server (@server option), dig tries each of the servers listed in /etc/resolv.conf.

When no command line arguments or options are given, dig performs an NS query for . (the root).

A simple, typical invocation of dig looks like:

Options
Options can be specified in any order.

- @server
Use server as the name server to query. server can be a host name, an IPv4 address in dotted-decimal notation, or an IPv6 address in colon-delimited notation. When server is a host name, dig resolves that name before querying that name server. If @server is omitted, dig queries the name servers listed in /etc/resolv.conf. The reply from the name server that responds is displayed.

- -4
Use the IPv4 query transport only.

- -6
Use the IPv6 query transport only.

- -b address[#port]
Set the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or 0.0.0.0 or ::. An optional port on the source may be specified by appending #port.

- -c class
Set the query class. The default is IN, for Internet. class can also be HS, for Hesiod records, or CH, for Chaosnet records.

- -f filename
Make dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way it would be presented as a query to dig using the command-line interface.

- -h
Display the annotated syntax for the command. If other options or operands are specified, they are ignored.

- -i
Look up IPv6 addresses using the older IP6.INT domain, described in RFC 1886. See the -x option.

- -k filename
Specify a TSIG key file in order to sign the DNS queries sent by dig and their responses using transaction signatures (TSIG).

- -p port
Send queries to a port number, port, instead of to the standard DNS port number 53. Use this option to test a name server that has been configured to listen for queries on a nonstandard port number.

- -t type
Set the query type to type. It can be any valid query type which is supported in BIND 9. For potential values, see the set querytype command in nslookup(1) and the Zone File discussion in named.conf(4). The default query type is A, unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, set type to IXFR=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was N.

- -x addr
Simplify reverse lookups (mapping addresses to names). addr is an IPv4 address in dotted-decimal notation or a colon-delimited IPv6 address. When this option is used, there is no need to provide the name, class, or type operands. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC 1886 method (IP6.INT) domain, also specify the -i option.

- -y name:key
Specify the TSIG key itself on the command line. name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen (see dnssec-keygen(1)). Be cautious when using the -y option on multiuser systems as the key can be visible in the output from ps(1) or in the shell's history file.
When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf.

Operands
Operands are order-dependent.

- class
Set the query class. See the -c option. The class operand overrides any preceding -c option.

- global-queryopt
Query options (see the queryopt operand) at the beginning of the command are "global". They affect all subsequent queries on the command line (see the query operand).

- name
The name of the resource record that is to be looked up.

- query
A set of command-line options, operands, and query options that form a single lookup query, as shown in the Single Query syntax in SYNOPSIS (without the dig command word).

- queryopt
Query options at the end of a query modify the lookup for that query only. They override any global query options. See the Query Options subsection for details.

- type
Set the query type. See the -t option. The type operand overrides any preceding -t option.

Query Options
dig uses a number of query options to modify lookups and the results that are displayed. Some options set or clear flag bits in the query header, some options determine which sections of the answer get displayed, and other options determine the timeout and retry strategies.

Query Option Formats
There are two formats:

- +[no]keyword
The prefix no causes an option to be reset, negated, or cleared. The no action is described in brackets ([...]).

- +keyword=value
The keyword assigns a value to an option.

Query Options
The query options are:

- +[no]aaflag
A synonym for +[no]aaonly. The default is +noaaflag.

- +[no]aaonly
Set [do not set] the AA (authoritative answer) flag in the query. The default is +noaaonly.

- +[no]additional
Display [do not display] the additional section of a reply. The default is +additional.

- +[no]adflag
Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses and not in queries. The ability to set the bit in the query is provided for completeness. The default is +noadflag.

- +[no]all
Set [clear] all display flags. The default is +all.

- +[no]answer
Display [do not display] the answer section of a reply. The default is +answer.

- +[no]authority
Display [do not display] the authority section of a reply. The default is +authority.

- +[no]besteffort
Attempt [do not attempt] to display the contents of messages that are malformed. The default is +nobesteffort.

- +bufsize=B
Set the UDP message buffer size advertised using Extended DNS (EDNS) to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0, respectively. If the B size is specified outside of this range, then the size is adjusted appropriately. The default is 2048.

- +[no]cdflag
Set [do not set] the CD (checking disabled) bit in the query, which requests the server not to perform DNSSEC validation of responses. The default is +nocdflag.

- +[no]cl
Display [do not display] the CLASS when printing the record. The default is +cl.

- +[no]cmd
Display [do not display] an initial comment in the output identifying the version of dig and the command-line arguments that were specified. The default is +cmd.

- +[no]comments
Display [do not display] comment lines in the output. The default is +comments.

- +[no]defname
Deprecated; treated as a synonym for +[no]search. The default is +nodefname.

- +[no]dnssec
Request DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. The default is +nodnssec.

- +domain=somename
Set the default domain to somename as if specified in a domain directive in the /etc/resolv.conf file, and enable search list processing as if the +search option were given. If this is not used, the query has to contain a fully qualified domain name (FQDN) for forward lookup.

- +[no]fail
Do not try [try] the next server if you receive a SERVFAIL. The default is +fail, which is the reverse of normal stub resolver behavior.

- +[no]identify
Show [do not show] the IP address and port number that supplied the answer when short form answers are requested with the +short query option. The default is +noidentify.

- +[no]ignore
Ignore [do not ignore] truncation in UDP responses instead of retrying with TCP. The default is +noignore (perform TCP retries).

- +[no]multiline
Print [do not print] records like the SOA records in a verbose multiline format with human-readable comments. The default is +nomultiline: print each record on a single line, thereby facilitating machine parsing of the dig output.

- +ndots=D
Set the number of dots (periods) that must appear in hostname for it to be considered absolute to D. The default for D is the value given in the ndots statement in /etc/resolv.conf, or 1 if there is no ndots statement. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or the domain directive in the /etc/resolv.conf file.

- +[no]nssearch
Attempt [do not attempt] to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. +nssearch also sets the +norecurse query option. The default is +nonssearch.

- +[no]qr
Print [do not print] the query before actually sending the query. The default is +noqr.

- +[no]question
Print [do not print] the question section of a query when an answer is returned. The default is +question: print the question section as a comment.

- +[no]recurse
Set [do not set] the RD (recursion desired) bit in the query, to have dig send recursive queries. The default is +recurse, except that recursion is automatically disabled (+norecurse) when the +nssearch or +trace query option is used.

- +retry=A
Set the number of times to retry UDP queries to server to A. Unlike +tries, this count does not include the initial query. The default is 2.

- +[no]search
Use [do not use] the search list in /etc/resolv.conf (if any). The default is +nosearch.

- +[no]short
Display [do not display] a short answer. The query results can be displayed in two forms: Complete and Short answers. In the short form, only the result is displayed. In the complete form, additional information (for example, about other servers that might answer your query) is also included. The default is +noshort.

- +[no]stats
Print [do not print] statistics, such as when the query was made and the size of the reply. The default is +stats.

- +[no]tcp
Use [do not use] TCP when querying name servers. The default is +notcp: use TCP if an AXFR or IXFR query is requested, and use UDP otherwise.

- +time=T
Set the timeout for a query to T seconds. The minimum value of T is 1 second. If T is less than 1, it is set to 1 second. The default timeout is 5 seconds.

- +[no]trace
Trace [do not trace] the delegation path from the root name servers for the name being looked up. When tracing is enabled, dig makes iterative queries to resolve the name that is being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. +trace also sets the +norecurse query option. The default is +notrace.

- +tries=A
Set the number of times to try UDP queries to server to A. If A is less than 1, it is set to 1. The default is 3.

- +[no]ttlid
Display [do not display] the TTL when printing the record. The default is +ttlid.

- +[no]vc
Use [do not use] virtual circuit when querying name servers. This alternate syntax to +[no]tcp is provided for backward compatibility. The default is +novc.
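
The +nomultiline default is described above as helping machine parsing, but +nottlid and +nocl change how many columns each record line has. The following is an added example, not part of the manual page: a parser that copes with either column being absent. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the manual page: normalise dig's single-line
# record output. All sample records below are constructed.

# Read dig output on stdin; write name, TTL, class, type and rdata separated
# by tabs. "-" marks a column that +nottlid or +nocl removed.
parse_dig_records() {
    awk '
        NF == 0 { next }   # blank lines between sections
        /^;/    { next }   # comment lines, including the echoed question
        {
            i = 2; ttl = "-"; class = "-"
            if ($i ~ /^[0-9]+$/)     { ttl = $i; i++ }    # TTL shown (+ttlid)
            if ($i ~ /^(IN|CH|HS)$/) { class = $i; i++ }  # CLASS shown (+cl)
            type = $i
            rdata = $(i + 1)
            for (j = i + 2; j <= NF; j++) rdata = rdata " " $j
            printf "%s\t%s\t%s\t%s\t%s\n", $1, ttl, class, type, rdata
        }
    '
}

# Constructed sample: default output, then the same record as printed with
# +nottlid, then with +nottlid +nocl, then a multi-field SOA record.
sample_dig_output() {
    cat <<'EOF'
;; QUESTION SECTION:
;a.example.com.            IN  A

;; ANSWER SECTION:
a.example.com.    300   IN  A    192.0.2.10
a.example.com.    IN    A   192.0.2.10
a.example.com.    A     192.0.2.10
example.com.      3600  IN  SOA  ns1.example.com. admin.example.com. 2024010101 3600 900 604800 86400
;; Query time: 1 msec
EOF
}

sample_dig_output | parse_dig_records
```
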

Multiple Queries
The BIND 9 implementation of dig allows multiple queries on the command line (in addition to supporting the -f batch file option). Each of those queries can be supplied with its own set of options, query type, query class, and query options. See Example 5 in EXAMPLES.

Global Query Options
A global set of query options, which is applied to all queries, can precede the first set of options, name, query type, query class, and query options supplied on the command line. Any global query options (except the +[no]cmd query option) can be overridden by a query-specific set of query options. See Example 5 in EXAMPLES.

EXAMPLES
Example 1
To look up information about domain a.example.com using DNS-Server 10.53.0.2 asking for host address A records:

$ dig +tcp +noadd +nosea +nostat +noquest +nocmd -p 5300 \
    a.example.com @10.53.0.2 a

Example 2
To query a.example.com using DNS-Server 10.53.0.2 without authentication, asking for A records:

$ dig +tcp +noadd +nosea +nostat +noquest +nocmd +noauth \
    -p 5300 a.example.com @10.53.0.2 a

Example 3
To request a transfer:

$ dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
    example.com @10.53.0.2 axfr -p 5300

Example 4
To request a transfer with Transaction Signature (TSIG):

$ dig +dnssec +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
    tsigzone.com @10.53.0.3 axfr -y tsigzone.com:1234abcd8765 -p 5300

The key is 1234abcd8765. To secure server-to-server communication, BIND 9 primarily uses TSIG for zone transfer, notify, and recursive query messages. TSIG is very useful for dynamic updates.

Example 5
To make three lookups from the command line:

$ dig +qr www.bind.org any -x 127.0.0.1 bind.org ns +noqr

The three queries are:

- www.bind.org any
An ANY query for domain name www.bind.org.

- -x 127.0.0.1
A reverse lookup of 127.0.0.1

- bind.org ns +noqr
A name server lookup for domain bind.org, suppressing the query display for this query only (+noqr).
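
Examples 3 and 4 differ only in whether the transfer request is signed, so an administrator whose zone is meant to require TSIG can confirm that their own server turns down the unsigned form. The following is an added example, not part of the manual page: it classifies the output of such a request. The function names are hypothetical, the sample outputs are constructed, and it assumes dig's "; Transfer failed." line for a request the server did not honour.

```shell
#!/bin/sh
# Added example, not part of the manual page. Sample outputs are constructed.

# classify_axfr: read "dig ... axfr" output on stdin and print one of
#   failed      dig printed "; Transfer failed."
#   complete    the SOA record opens and closes the record list
#   incomplete  anything else (empty, timed out or cut short)
classify_axfr() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        NF == 0 || /^;/      { next }
        {
            i = 2                                # type column follows the name,
            if ($i ~ /^[0-9]+$/)     i++         # an optional TTL
            if ($i ~ /^(IN|CH|HS)$/) i++         # and an optional CLASS
            records++
            if (records == 1) first_is_soa = ($i == "SOA")
            if ($i == "SOA") { soa++; last_soa = records }
        }
        END {
            if (failed) print "failed"
            else if (first_is_soa && soa >= 2 && last_soa == records) print "complete"
            else print "incomplete"
        }
    '
}

# audit_axfr ZONE SERVER [PORT]: send the unsigned request of Example 3
# (without +nocomm) to your own server and classify the reply.
audit_axfr() {
    dig +tcp +noadd +nosea +nostat +noquest +nocmd "$1" "@$2" axfr -p "${3:-53}" |
        classify_axfr
}

refused_sample() { printf '; Transfer failed.\n'; }

allowed_sample() {
    cat <<'EOF'
example.com.    3600 IN SOA ns1.example.com. admin.example.com. 1 3600 900 604800 86400
example.com.    3600 IN NS  ns1.example.com.
a.example.com.  300  IN A   192.0.2.10
example.com.    3600 IN SOA ns1.example.com. admin.example.com. 1 3600 900 604800 86400
EOF
}

refused_sample | classify_axfr    # failed
allowed_sample | classify_axfr    # complete
```

A result of complete for an unsigned request means the server hands the zone to any client that can reach it, which is the case the key and server statements in named.conf are there to prevent.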

AUTHOR
dig was developed by the Internet Systems Consortium (ISC).

SEE ALSO
dnssec-keygen(1), dnssec-signzone(1), host(1), nsupdate(1), hosts_to_named(1M), named(1M), gethostent(3N), hostname(5).

Requests for Comments (RFC): 1886, available online at http://www.rfc-editor.org/.

HP-UX IP Address and Client Management Administrator's Guide, available online at http://docs.hp.com.

BIND 9 Administrator Reference Manual, available from the Internet Systems Consortium at http://www.isc.org/sw/bind/arm93.