Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001, 2003 Internet Software Consortium.

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.

<!-- $Id: dig.html,v 1.6.2.5 2004/03/15 04:44:38 marka Exp $ -->

dig -- DNS lookup utility

] [name] [type] [class] [queryopt...]
[global-queryopt...] [query...]

dig (domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
displays the answers that are returned from the name server(s) that
were queried. Most DNS administrators use dig to
troubleshoot DNS problems because of its flexibility, ease of use and
clarity of output. Other lookup tools tend to have less functionality

dig is normally used with command-line
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the

Unlike earlier versions, the BIND9 implementation of
dig allows multiple lookups to be issued from the

Unless it is told to query a specific name server,
dig will try each of the servers listed in
/etc/resolv.conf

When no command line arguments or options are given, dig will perform an
NS query for "." (the root).

It is possible to set per user defaults for dig

This file is read and any options in it
are applied before the command line arguments.

A typical invocation of dig

    dig @server name type

server is the name or IP address of the name server to query. This can be an IPv4
address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
server argument is a hostname,
dig resolves that name before querying that name
server. If no server argument is provided,
dig consults /etc/resolv.conf
and queries the name servers listed there. The reply from the name
server that responds is displayed.

name is the name of the resource record that is to be looked up.

type indicates what type of query is required —
ANY, A, MX, SIG, etc.
type can be any valid query type. If no
type argument is supplied,
dig will perform a lookup for an A record.

option sets the source IP address of the query
This must be a valid address on
one of the host's network interfaces.

The default query class (IN for internet) is overridden by the
class, such as HS for Hesiod records or CH for CHAOSNET records.

in batch mode by reading a list of lookup requests to process from the
The file contains a number of
queries, one per line. Each entry in the file should be organised in
the same way they would be presented as queries to
dig using the command-line interface.

If a non-standard port number is to be queried, the
option is used.
the port number that dig
will send its queries
instead of the standard DNS port number 53. This option would be used
to test a name server that has been configured to listen for queries
on a non-standard port number.

option sets the query type to
It can be any valid query type which is
supported in BIND9. The default query type is "A", unless the
-x option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required,
The incremental zone transfer will contain the changes made to the zone
since the serial number in the zone's SOA record was

Reverse lookups - mapping addresses to names - are simplified by the
-x option.
address in dotted-decimal notation, or a colon-delimited IPv6 address.
When this option is used, there is no need to provide the
dig automatically performs a lookup for a name like
11.12.13.10.in-addr.arpa and sets the query type and
class to PTR and IN respectively. By default, IPv6 addresses are
looked up using the IP6.ARPA domain and binary labels as defined in
RFC2874. To use the older RFC1886 method using the IP6.INT domain and
"nibble" labels, specify the
(nibble) option.
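
The name construction described above, as an added example that is not part of the dig documentation or source: it builds the in-addr.arpa name for an IPv4 address and the RFC1886 nibble-label name for an IPv6 address (the RFC2874 binary-label form is not covered). The function name `ptr_name` and its optional suffix argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: derive the owner name that a reverse (PTR) lookup queries.

# ptr_name ADDR [V6SUFFIX]: print the reverse-lookup name for ADDR.
# Returns non-zero for input that is not a plain IPv4 or IPv6 address.
ptr_name() {
    case $1 in
    *:*)
        printf '%s\n' "$1" | awk -v suffix="${2:-ip6.int}" '
        function group(g) {            # validate and left-pad one 16-bit group
            if (g !~ /^[0-9A-Fa-f]+$/ || length(g) > 4) bad = 1
            return substr("0000" g, length(g) + 1)
        }
        {
            n  = split($0, half, "::")         # "::" may appear at most once
            nl = split(half[1], left, ":")
            nr = (n > 1) ? split(half[2], right, ":") : 0
            if (n > 2 || (n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) exit 1
            hex = ""
            for (i = 1; i <= nl; i++) hex = hex group(left[i])
            for (i = nl + nr; i < 8; i++) hex = hex "0000"   # expand "::"
            for (i = 1; i <= nr; i++) hex = hex group(right[i])
            if (bad) exit 1
            out = ""                           # one label per nibble, reversed
            for (i = 32; i >= 1; i--) out = out substr(hex, i, 1) "."
            print tolower(out) suffix
        }' ;;
    *)
        printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
          print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }' ;;
    esac
}

ptr_name 10.13.12.11     # yields the name quoted in the text above
ptr_name 2001:db8::1     # constructed documentation-range address
```
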

To sign the DNS queries sent by dig and their
responses using transaction signatures (TSIG), specify a TSIG key file
option. You can also specify the TSIG
key itself on the command line using the
is the name of the TSIG key and
is the actual key. The key is a base-64
encoded string, typically generated by dnssec-keygen
Caution should be taken when using the
multi-user systems as the key can be visible in the output from
or in the shell's history file. When
using TSIG authentication with dig, the name
server that is queried needs to know the key and algorithm that is
being used. In BIND, this is done by providing appropriate
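
The caution above, as an added example that is not part of the dig documentation: it compares what a process listing reveals when the key is passed inline (dig's `-y` option) with passing only a key file path (dig's `-k` option). The key name, key material and helper function names are constructed, and a stand-in process is used instead of dig so that nothing is sent on the network; it assumes a Linux /proc file system.

```shell
#!/bin/sh
# Added example (Linux, needs /proc). Key name and key material below are
# constructed placeholders, not real credentials.
KEY_NAME="example-key"
KEY_B64="Y29uc3RydWN0ZWQtc2FtcGxlLWtleQ=="

# visible_argv ARGS...: run a short-lived stand-in process whose argument
# vector ends in "dig ARGS..." and print that vector as read from /proc,
# which is the same data a process listing shows while the command runs.
visible_argv() {
    sh -c 'sleep 3; :' dig "$@" >/dev/null 2>&1 &
    pid=$!
    sleep 1                                  # give the child time to exec
    tr '\0' ' ' < "/proc/$pid/cmdline"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# key_exposed ARGS...: succeed if the key material appears in that vector.
key_exposed() {
    visible_argv "$@" | grep -qF -- "$KEY_B64"
}

# make_keyfile: store the key in an owner-only file and print its path.
# The content written here is only the placeholder; a real key file is the
# one written by the key generator.
make_keyfile() {
    f=$(umask 077; mktemp) || return 1
    printf '%s\n' "$KEY_B64" > "$f"
    printf '%s\n' "$f"
}

# Weak: key passed inline. Better: only a file path on the command line.
if key_exposed -y "$KEY_NAME:$KEY_B64"; then echo "-y: key visible in argv"; fi
kf=$(make_keyfile)
if key_exposed -k "$kf"; then echo "-k: key visible"; else echo "-k: only the path is visible"; fi
rm -f "$kf"
```
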

dig provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
these set or reset flag bits in the query header, some determine which
sections of the answer get printed, and others determine the timeout
and retry strategies.

Each query option is identified by a keyword preceded by a plus sign
(+). Some keywords set or reset an option. These may be preceded
by the string no to negate the meaning of that keyword. Other
keywords assign values to options like the timeout interval. They

The query options are:

Use [do not use] TCP when querying name servers. The default
behaviour is to use UDP unless an AXFR or IXFR query is requested, in
which case a TCP connection is used.

Use [do not use] TCP when querying name servers. This alternate
is provided for backwards
compatibility. The "vc" stands for "virtual circuit".

Ignore truncation in UDP responses instead of retrying with TCP. By
default, TCP retries are performed.

+domain=somename
Set the search list to contain the single domain
somename, as if specified in a
/etc/resolv.conf, and enable search list
processing as if the
option were given.

Use [do not use] the search list defined by the searchlist or domain
The search list is not used by default.

Deprecated, treated as a synonym for

This option does nothing. It is provided for compatibility with old
where it set an unimplemented

Set [do not set] the AD (authentic data) bit in the query. The AD bit
currently has a standard meaning only in responses, not in queries,
but the ability to set the bit in the query is provided for

Set [do not set] the CD (checking disabled) bit in the query. This
requests the server to not perform DNSSEC validation of responses.

Toggle the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means dig
normally sends recursive queries. Recursion is automatically disabled
query options are used.

When this option is set, dig
attempts to find the
authoritative name servers for the zone containing the name being
looked up and display the SOA record that each name server has for the

Toggle tracing of the delegation path from the root name servers for
the name being looked up. Tracing is disabled by default. When
tracing is enabled, dig
makes iterative queries to
resolve the name being looked up. It will follow referrals from the
root servers, showing the answer from each server that was used to
resolve the lookup.

Toggles the printing of the initial comment in the output identifying
and the query options that have
been applied. This comment is printed by default.

Provide a terse answer. The default is to print the answer in a

Show [or do not show] the IP address and port number that supplied the
option is enabled. If
short form answers are requested, the default is not to show the
source address and port number of the server that provided the answer.

Toggle the display of comment lines in the output. The default is to

This query option toggles the printing of statistics: when the query
was made, the size of the reply and so on. The default behaviour is
to print the query statistics.

Print [do not print] the query as it is sent.
By default, the query is not printed.

Print [do not print] the question section of a query when an answer is
returned. The default is to print the question section as a comment.

Display [do not display] the answer section of a reply. The default

Display [do not display] the authority section of a reply. The
default is to display it.

Display [do not display] the additional section of a reply.
The default is to display it.

Set or clear all display flags.

Sets the timeout for a query to
seconds. The default time out is 5 seconds.
An attempt to set
to less than 1 will result
in a query timeout of 1 second being applied.

Sets the number of times to retry UDP queries to server to
instead of the default, 3. If
is less than or equal to zero, the number of
retries is silently rounded up to 1.

Set the number of dots that have to appear in
considered absolute. The default value is that defined using the
ndots statement in
/etc/resolv.conf
ndots statement is present. Names with fewer dots are interpreted as
relative names and will be searched for in the domains listed in the
/etc/resolv.conf

Set the UDP message buffer size advertised using EDNS0 to
bytes. The maximum and minimum sizes of this
buffer are 65535 and 0 respectively. Values outside this range are
rounded up or down appropriately.

Print records like the SOA records in a verbose multi-line
format with human-readable comments. The default is to print
each record on a single line, to facilitate machine parsing

Do not try the next server if you receive a SERVFAIL. The default is
to not try the next server which is the reverse of normal stub resolver

Attempt to display the contents of messages which are malformed.
The default is to not display malformed answers.

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
in the OPT record in the additional section of the query.

MULTIPLE QUERIES

The BIND 9 implementation of dig supports
specifying multiple queries on the command line (in addition to
batch file option). Each of those
queries can be supplied with its own set of flags, options and query

In this case, each
query argument represents an
individual query in the command-line syntax described above. Each
consists of any of the standard options and flags, the name to be
looked up, an optional query type and class and any query options that
should be applied to that query.

A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the
first tuple of name, class, type, options, flags, and query options
supplied on the command line. Any global query options (except
overridden by a query-specific set of query options. For example:

    dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

dig could be used from the command line
to make three lookups: an ANY query for www.isc.org, a
reverse lookup of 127.0.0.1 and a query for the NS records of
isc.org.
A global query option of +qr
dig shows the initial query it made for each
lookup. The final query has a local query option of
+noqr which means that dig
will not print the initial query when it looks up the NS records for
isc.org.

/etc/resolv.conf

dnssec-keygen

There are probably too many query options.