Digging deep into dig command

Prabesh Thapa

September 9, 2020

DIG stands for Domain Information Groper. As the name suggests, it is used to grab information from a DNS server. It is one of the most powerful yet most underrated utilities. Sometimes we get overwhelmed by all the information it shows and cannot decode it because we do not know what each part means.

This article dissects the output from DIG so that you know what every bit of information on the screen means.
So, the output for:

dig google.com

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 32521
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 29e4df0bf7cfe3b2 (echoed)
;; QUESTION SECTION:
;google.com.                    IN  A

;; Query time: 0 msec
;; SERVER: 192.168.10.228#53(192.168.10.228)
;; WHEN: Wed Feb 26 09:00:35 AEDT 2020
;; MSG SIZE  rcvd: 51

And after dig google.com +noedns:

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> google.com +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35391
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN  A

;; ANSWER SECTION:
google.com.             70  IN      A   172.217.167.78

;; Query time: 0 msec
;; SERVER: 192.168.10.228#53(192.168.10.228)
;; WHEN: Wed Feb 26 09:13:15 AEDT 2020
;; MSG SIZE  rcvd: 44

The first section tells you the version of the dig utility you are using and the name of the domain you want to fetch information about; in other words, which query was invoked. The second section tells you which options you are using with the dig command. There are a lot of options you can add to dig, such as +short for just the IP address, and more. If you don't want to see this section you can add the +nocmd option.

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> google.com
;; global options: +cmd

The third section shows the first response to your query. It starts with the HEADER line. opcode (OPCODE, a four-bit field whose only valid values are 0, 1 and 2) is the operation or action that DIG took; in this case it is just a QUERY. status shows whether there were any errors while executing the query, with values such as NOERROR, FORMERR and so on. In this case it showed FORMERR, caused by the DNS cookie, a newly introduced feature (the same query with +noedns succeeds, as shown above).

Dig utility does not send a DNS cookie by default.

DNS cookies are a security feature implemented as an EDNS option. The technology is defined in Internet Engineering Task Force RFC 7873.

Extension mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol (please see below for more info).

Some other statuses are: NOERROR = everything is alright; SERVFAIL = no data or invalid data for that name at the requested authority; NXDOMAIN = the name does not exist, there is no authoritative DNS data to be served; REFUSED = not only does the zone not exist at the requested authority, but its infrastructure is not in the business of serving things that don't exist. Then comes the ID for the query.

After that we have the flags, which show what options were set for that query. QR is Query (the query/response bit) and RD is Recursion Desired, so our command was a query and it was a recursive query. There are other flags as well, such as RA (Recursion Available), AA (Authoritative Answer) and CD (Checking Disabled). QUERY: 1 shows that we executed only one query, and ANSWER: 0 that we did not get any answer. No authority section was displayed and no additional section. Then there is a warning, which shows whether any error occurred and what caused it. If you don't want to see this section you can add the +nocomments option.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 32521
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

Then sometimes we get an OPT PSEUDOSECTION. It is not one of the main sections, but it appears with newer versions of the dig utility, which use EDNS (https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS). You can disable it using +noedns.

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 29e4df0bf7cfe3b2 (echoed)

Then we have the QUESTION section, which shows our question, i.e. the query. By default dig requests the A record. You can disable this section using the +noquestion option.

;; QUESTION SECTION:
;google.com.                    IN  A

Then we have the ANSWER section, showing the answer we got, which is the A record. You can disable this section using the +noanswer option.

;; ANSWER SECTION:
google.com.             70  IN      A   172.217.167.78

Sometimes we get other sections, like the ADDITIONAL section for additional information such as NS and MX records, and the AUTHORITY section showing the address of the answering authoritative server. These can be disabled using +noadditional and +noauthority.

The last section displays the query statistics. You can disable it using the +nostats option. SERVER is the server we sent the query to; the other lines in this section are the query time, the date and time, and the message size.

;; Query time: 0 msec
;; SERVER: 192.168.10.228#53(192.168.10.228)
;; WHEN: Wed Feb 26 09:13:15 AEDT 2020
;; MSG SIZE  rcvd: 44
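The sections dissected above are a stable enough text format to parse. The following is an added example, not code from the original article: a small parser that turns dig's output into a dictionary (header status and id, flags, section counts, records, statistics) and a check that flags the two conditions seen in the article's runs, a non-NOERROR status and recursion requested but not available. Both sample outputs are constructed from the article's own dig runs; the function names are this example's own.

```python
"""Parse dig's text output into a structure you can check programmatically.

Added example, not code from the original article. Both samples are constructed
from the article's own dig runs. Lines starting with a single ';' (OPT
pseudosection, question line, version banner) are comments and are skipped.
"""
import re

# Constructed sample 1: the FORMERR response (EDNS cookie sent and echoed back).
DIG_FORMERR = """\
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 32521
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 29e4df0bf7cfe3b2 (echoed)
;; QUESTION SECTION:
;google.com.                    IN  A

;; Query time: 0 msec
;; SERVER: 192.168.10.228#53(192.168.10.228)
;; MSG SIZE  rcvd: 51
"""

# Constructed sample 2: the same query with +noedns, answered normally.
DIG_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35391
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com.                    IN  A

;; ANSWER SECTION:
google.com.             70  IN      A   172.217.167.78

;; Query time: 0 msec
;; SERVER: 192.168.10.228#53(192.168.10.228)
;; MSG SIZE  rcvd: 44
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags:([\w ]*);(.*)$")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
STAT_RE = re.compile(r"^;; (Query time|SERVER|WHEN|MSG SIZE +rcvd): (.*)$")


def parse_dig(text):
    """Return a dict with header fields, flags, section counts, records and stats."""
    result = {"opcode": None, "status": None, "id": None, "flags": [], "counts": {},
              "warnings": [], "answer": [], "authority": [], "additional": [], "stats": {}}
    section = None  # record section that the following non-comment lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            result["opcode"], result["status"], result["id"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:  # e.g. ';; flags: qr rd; QUERY: 1, ANSWER: 0, ...'
            result["flags"] = m.group(1).split()
            for part in m.group(2).split(","):
                key, value = part.split(":")
                result["counts"][key.strip()] = int(value)
            continue
        if line.startswith(";; WARNING:"):
            result["warnings"].append(line[len(";; WARNING:"):].strip())
            continue
        m = SECTION_RE.match(line)
        if m:  # ANSWER / AUTHORITY / ADDITIONAL / QUESTION SECTION headers
            section = m.group(1).lower()
            continue
        m = STAT_RE.match(line)
        if m:  # statistics block; collapse the odd spacing in 'MSG SIZE  rcvd'
            result["stats"][" ".join(m.group(1).split())] = m.group(2).strip()
            continue
        if line.startswith(";"):
            continue  # any other comment line
        if section in ("answer", "authority", "additional"):
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            result[section].append({"name": name, "ttl": int(ttl), "class": rclass,
                                    "type": rtype, "rdata": rdata})
    return result


def check_response(parsed):
    """Findings a resolver health check would raise for one parsed response."""
    findings = []
    if parsed["status"] != "NOERROR":
        findings.append("status " + str(parsed["status"]))
    if "rd" in parsed["flags"] and "ra" not in parsed["flags"]:
        findings.append("recursion requested but not available")
    if parsed["status"] == "NOERROR" and not parsed["answer"]:
        findings.append("NOERROR with empty answer section")
    return findings
```

Feeding `parse_dig` the raw output of a real `dig` run (for example via `subprocess.run(["dig", "google.com"], capture_output=True, text=True).stdout`) gives the same structure, so `check_response` can be run on a schedule against each resolver you depend on and alert when the status or the ra flag changes.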

Some important shortcuts

dig google.com +short for just the IP address (A record).

If you want to query a specific name server, use

dig google.com @8.8.8.8

If you want to query certain record types, then

dig google.com [MX or PTR or CNAME or TXT or A or AAAA or NS or any] +noall +answer

Reverse DNS lookup: dig with the -x switch

dig -x {IP} +nocmd +noall +answer

You can change the behaviour of dig by editing $HOME/.digrc.

Instead of adding all these switches every time, you can put them into the .digrc file and issue the normal dig command as usual to get a curated answer back. The switches that I mostly put in my .digrc file are:

+nostats +nocomments +nocmd +noquestion +recurse

Prabesh is an avid Linux enthusiast and open source advocate. He is currently working as a DevOps engineer at Audinate. He has completed his master's in networking with a major in computer security. Professionally he works in DevOps by day and tinkers with technologies and research by night.

Prabesh Thapa

DevOps / SRE Engineer , Cloud and Automation
