dig Command Reference
Complete reference for dig command syntax, DNS query types, command-line flags, and query options with defaults and examples.
Complete reference for Domain Information Groper (dig) command syntax, DNS record types, command-line flags, and query options.
dig Command Syntax
Domain Information Groper (dig) follows this command-line syntax:
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-q name] [-t type] [-x addr] [-4] [-6] [name] [type] [class] [queryopt...]A typical dig invocation uses the pattern
dig @server name type, where
@server is the DNS resolver to query,
name is the domain to look up, and
type is the DNS record type.
dig DNS Record Types
dig queries different DNS record types to retrieve specific domain information. Specify the record type after the domain name in the dig command.
| Record Type | Description | Example |
|---|---|---|
A | Maps a domain name to an IPv4 address. The default record type when no type is specified. | dig example.com A |
AAAA | Maps a domain name to an IPv6 address. Use to verify IPv6 connectivity for a domain. | dig example.com AAAA |
MX | Lists the Mail Exchange servers responsible for receiving email for a domain, with priority values. | dig example.com MX |
NS | Lists the authoritative nameservers delegated to handle DNS for a domain. | dig example.com NS |
CNAME | Returns the Canonical Name record that aliases one domain name to another. | dig www.example.com CNAME |
SOA | Returns the Start of Authority record containing the primary nameserver, administrator email, zone serial number, refresh interval, retry interval, expire time, and minimum TTL. | dig example.com SOA |
TXT | Returns text records used for SPF policies, DKIM keys, domain verification, and other metadata. | dig example.com TXT |
PTR | Returns the Pointer record that maps an IP address to a domain name (reverse DNS lookup). Typically queried with
dig -x. | dig -x 93.184.216.34 |
SRV | Returns the Service Locator record specifying the host, port, priority, and weight for a network service. | dig _sip._tcp.example.com SRV |
ANY | Requests all available record types for a domain. Some DNS servers restrict ANY queries for security reasons. | dig example.com ANY |
dig Command-Line Flags
dig accepts command-line flags that control query transport, source address, and input mode. These flags use the traditional hyphen prefix.
| Flag | Description | Default | Example |
|---|---|---|---|
@server | Specify the DNS server to query by IP address or hostname, bypassing the system resolver in
/etc/resolv.conf | System resolver | dig @8.8.8.8 example.com |
-b address | Set the source IP address for the outgoing DNS query. The address must be valid on the host network interface. | System default | dig -b 192.168.1.10 example.com |
-c class | Set the query class. Common values:
IN (Internet),
CH (CHAOSNET),
HS (Hesiod). | IN | dig example.com -c CH |
-f file | Read domain names from a file and query each one in batch mode, one domain per line. | N/A | dig -f domains.txt |
-k file | Specify a TSIG (Transaction Signature) key file to sign DNS queries for authenticated transfers. | None | dig -k tsig.key example.com AXFR |
-p port | Send the DNS query to a non-standard port number instead of the default DNS port. | 53 | dig -p 5353 example.com |
-q name | Set the query domain name explicitly. Useful when the domain name could be confused with a dig option. | N/A | dig -q example.com |
-t type | Set the DNS record type for the query (A, AAAA, MX, NS, CNAME, TXT, SOA, PTR, SRV, ANY). | A | dig -t MX example.com |
-x address | Perform a reverse DNS lookup for the specified IP address. dig converts the address to a PTR query automatically. | N/A | dig -x 8.8.8.8 |
-4 | Force dig to use IPv4 transport only for sending the query. | Both IPv4 and IPv6 | dig -4 example.com |
-6 | Force dig to use IPv6 transport only for sending the query. | Both IPv4 and IPv6 | dig -6 example.com |
dig Query Options (+ Prefix)
dig query options use the
+ prefix and control output formatting, DNS protocol flags, and timeout behavior. Prefix any option with
no to disable it (e.g.,
+nostats).
dig Output Control Options
These dig options control which sections of the DNS response appear in the output.
| Option | Description | Default | Example |
|---|---|---|---|
+[no]short | Display the answer value only, without headers, metadata, or statistics. Useful for scripting. | Off | dig example.com +short |
+[no]all | Enable or disable all display sections at once. Combine with
+answer to show the answer section alone. | On | dig example.com +noall +answer |
+[no]answer | Control display of the ANSWER section containing the returned DNS records. | On | dig example.com +noanswer |
+[no]authority | Control display of the AUTHORITY section listing authoritative nameservers for the domain. | On | dig example.com +noauthority |
+[no]additional | Control display of the ADDITIONAL section containing supplementary records. | On | dig example.com +noadditional |
+[no]question | Control display of the QUESTION section repeating the sent query. | On | dig example.com +noquestion |
+[no]comments | Control display of comment lines showing packet header details and section names. | On | dig example.com +nocomments |
+[no]stats | Control display of the statistics footer with query time, server IP, and message size. | On | dig example.com +nostats |
+[no]cmd | Control display of the initial comment line showing the dig version and command. | On | dig example.com +nocmd |
+[no]ttlid | Control display of the Time to Live (TTL) value in record output. | On | dig example.com +nottlid |
+[no]ttlunits | Display TTL values in human-readable units (s, m, h, d, w) instead of raw seconds. | Off | dig example.com +ttlunits |
+[no]class | Control display of the record class (IN, CH, HS) in output. | On | dig example.com +noclass |
+[no]multiline | Print SOA and other complex records in a multi-line format with comments for readability. | Off | dig example.com SOA +multiline |
+[no]yaml | Present the DNS query results in YAML format for machine parsing. | Off | dig example.com +yaml |
+[no]crypto | Control display of cryptographic fields in DNSSEC-related records (RRSIG, DNSKEY). | On | dig example.com +dnssec +nocrypto |
+[no]rrcomments | Control display of per-record comments in the output. | Off | dig example.com +rrcomments |
+[no]split=N | Split hexadecimal and Base64 fields into chunks of N characters for readability. | 56 | dig example.com DNSKEY +split=32 |
+[no]identify | Show the responding server's IP address and port in short-form answers. Useful with multiple queries. | Off | dig example.com +short +identify |
dig DNS Protocol Options
These dig options modify the DNS query behavior and protocol flags sent to the nameserver.
| Option | Description | Default | Example |
|---|---|---|---|
+[no]trace | Trace the DNS delegation path from root nameservers through TLD servers to the authoritative server. Disables recursion automatically. | Off | dig example.com +trace |
+[no]recurse | Set or clear the RD (Recursion Desired) flag in the query. Disabling recursion sends a non-recursive query. | On | dig example.com +norecurse |
+[no]dnssec | Request DNSSEC records (RRSIG, DNSKEY) to verify the cryptographic signatures of DNS responses. | Off | dig example.com +dnssec |
+[no]adflag | Set or clear the AD (Authentic Data) flag requesting DNSSEC validation status from the resolver. | On | dig example.com +noadflag |
+[no]cdflag | Set or clear the CD (Checking Disabled) flag requesting the resolver to skip DNSSEC validation. | Off | dig example.com +cdflag |
+[no]aaflag | Set the AA (Authoritative Answer) flag in the outgoing query. | Off | dig example.com +aaflag |
+[no]tcp | Force dig to use TCP instead of UDP for the DNS query. Alias:
+[no]vc. | Off (UDP) | dig example.com +tcp |
+[no]ignore | Do not fall back to TCP when the DNS response has the TC (Truncation) flag set. | Off | dig example.com +ignore |
+[no]cookie | Send an EDNS COOKIE option with the query for DNS cookie authentication. | On | dig example.com +nocookie |
+[no]edns[=N] | Set the EDNS version to N. Use
+noedns to disable EDNS entirely. | 0 | dig example.com +noedns |
+[no]nsid | Request the Name Server Identifier (NSID) from the responding DNS server. | Off | dig example.com +nsid |
+[no]nssearch | Search for all authoritative nameservers for a domain and display the SOA record from each. | Off | dig example.com +nssearch |
+[no]search | Use the search list defined in
/etc/resolv.conf to complete unqualified domain names. | Off | dig myhost +search |
+[no]qr | Print the outgoing query before sending it. Useful for debugging the exact query being sent. | Off | dig example.com +qr |
+[no]fail | Do not fall back to the next nameserver if the current one returns SERVFAIL. | Off | dig example.com +fail |
+[no]besteffort | Attempt to parse and display malformed or non-standard DNS messages. | Off | dig example.com +besteffort |
+subnet=addr | Set the EDNS Client Subnet option to specify the client's network for geolocation-aware DNS responses. | None | dig example.com +subnet=203.0.113.0/24 |
+[no]keepopen | Keep the TCP socket open between consecutive queries in batch mode. | Off | dig -f domains.txt +tcp +keepopen |
+[no]keepalive | Request EDNS TCP keepalive from the DNS server to maintain the connection. | Off | dig example.com +tcp +keepalive |
+domain=name | Set the default domain name for unqualified lookups. | None | dig myhost +domain=example.com |
+[no]mapped | Allow mapped IPv4-over-IPv6 addresses in query transport. | Off | dig example.com +mapped |
+[no]header-only | Send a query with only the DNS header and no question section. | Off | dig example.com +header-only |
+[no]opcode=N | Set the opcode in the DNS query header (0=QUERY, 1=IQUERY, 2=STATUS, 4=NOTIFY, 5=UPDATE). | 0 | dig example.com +opcode=0 |
+[no]zflag | Set the reserved Z flag in the DNS header. Used for protocol testing. | Off | dig example.com +zflag |
+[no]badcookie | Retry the query when the server responds with BADCOOKIE. | On | dig example.com +nobadcookie |
+[no]expandaaaa | Expand AAAA records to display the full 128-bit IPv6 address without abbreviation. | Off | dig example.com AAAA +expandaaaa |
+[no]unexpected | Accept DNS responses from servers that are not the one queried. | Off | dig example.com +unexpected |
+[no]unknownformat | Print RDATA in the generic RFC 3597 format for unknown record types. | Off | dig example.com TYPE65 +unknownformat |
+padding=N | Set the EDNS padding block size to N bytes to mask query length in encrypted DNS. | 0 | dig example.com +padding=128 |
dig Timeout and Retry Options
These dig options control how long dig waits for a response and how many times it retries a failed query.
| Option | Description | Default | Example |
|---|---|---|---|
+time=N | Set the query timeout to N seconds. Increase for slow or distant DNS servers. | 5 | dig example.com +time=10 |
+tries=N | Set the total number of UDP query attempts, including the initial query. | 3 | dig example.com +tries=5 |
+retry=N | Set the number of UDP retries after the initial query fails. Unlike
+tries, this does not count the first attempt. | 2 | dig example.com +retry=4 |
+ndots=N | Set the number of dots required in a domain name before it is treated as an absolute name. Names with fewer dots use the search list. | Value from
/etc/resolv.conf or 1 | dig myhost +ndots=2 |
+bufsize=N | Set the UDP message buffer size announced via EDNS. Controls the maximum UDP payload size dig accepts. | 1232 | dig example.com +bufsize=4096 |
dig Help and Version
dig displays a usage summary with all supported flags and options using the
-h flag:
dig -hdig prints its version number and BIND build details with the
-v flag:
dig -v