Is dig installed by default on my system?

On Linux: usually, via the `bind-utils` (RHEL/Fedora) or `dnsutils` (Debian/Ubuntu) package. On macOS: yes, ships with the OS. On Windows: not by default; install via WSL, Git Bash, or download BIND tools. Modern Windows 10/11 also ships `Resolve-DnsName` in PowerShell, which covers most dig use cases.

What's the difference between dig and nslookup?

dig is more powerful and produces richer, more parseable output; it's the standard for production troubleshooting. nslookup is older, more limited, but available on Windows by default. For anything beyond basic A-record lookup, prefer dig. See the nslookup tutorial for Windows-friendly equivalents.

How do I query a specific nameserver instead of my default resolver?

Use @server. Example: `dig www.example.com @ns1.dnscale.eu` queries DNScale's authoritative server directly, bypassing your local recursive resolver. This is the single most useful diagnostic technique — it tells you what's actually published, separate from what's cached anywhere.

Strips dig's verbose output to just the answer values. Compare `dig www.example.com` (full sectioned output) to `dig +short www.example.com` (just the IP addresses). Useful for scripts and quick checks; full output for debugging.

How do I check DNSSEC with dig?

Three patterns: (1) `dig +dnssec ` requests DNSSEC records (RRSIG, etc.) in the response; (2) `dig +cd ` disables resolver-side checking — bypasses validation, useful for isolating DNSSEC-induced SERVFAIL; (3) `delv ` (a related tool) does full validation client-side and reports the trust chain. Most useful for production debugging is `+cd` to confirm whether DNSSEC is the failing step.

Can I do AXFR zone transfers with dig?

Yes, but only if the authoritative server allows it for your IP. `dig AXFR example.com @ns1.example.com`. Most public zones reject AXFR from arbitrary clients (it would expose every record). Used legitimately when you're configuring a secondary DNS server; the secondary's IP must be explicitly allowed in the primary's zone-transfer ACL.

How do I time a dig query?

dig already prints query time at the bottom: `;; Query time: 23 msec`. For repeated timings, use `dig +tries=1 +retry=0 +time=2 ...` to avoid retries skewing measurements, and combine with shell `time` for end-to-end. For continuous monitoring, use a dedicated tool like `dnsperf` rather than wrapping dig.

dig command tutorial — 30 worked examples for DNS troubleshooting

Master the dig command for DNS diagnostics. 30 worked examples covering every common record type, +trace, +short, +cd for DNSSEC, AXFR zone transfers, EDNS, batch queries, and real-world troubleshooting recipes.

Updated 4 May 2026

TL;DR

dig is the de facto DNS diagnostic tool: query any record type, any nameserver, with full control over flags and output. Learn the 10 you'll use daily (basic A query, +short, @resolver, +trace, MX/TXT/CNAME, +cd for DNSSEC, AXFR for zone transfers, batch via -f), and you can troubleshoot 95% of DNS issues in production. This guide gives you 30 worked examples.

What you'll learn

Master basic dig syntax and the most useful flags (+short, +trace, @server, +cd, +noall +answer)
Query every common record type confidently (A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA, TLSA, HTTPS)
Use dig for real-world troubleshooting workflows (propagation checks, DNSSEC validation, NS delegation)
Run batch queries and integrate dig output into shell scripts and CI pipelines

dig is the standard tool for DNS diagnostics. If you operate DNS in production, mastering it is non-negotiable. This guide gives you 30 worked examples across every common scenario, from a simple A-record lookup to AXFR zone transfers and DNSSEC validation.

Each example shows the exact command, what to expect in the output, and when to use it.

Setup

dig ships with the BIND DNS utilities. Install on your platform:

# macOS — pre-installed
which dig
 
# Debian / Ubuntu
sudo apt install dnsutils
 
# RHEL / Fedora / Rocky / AlmaLinux
sudo dnf install bind-utils
 
# Alpine
apk add bind-tools
 
# Windows
# Install via WSL, Git Bash, or download BIND tools from ISC.
# PowerShell alternative: Resolve-DnsName www.example.com

Verify:

dig -v

The 10 commands you'll use daily

1. Basic A-record lookup

dig www.example.com

Returns full output with question, answer, authority, and additional sections. The default record type is A (IPv4). Read the ANSWER SECTION for the actual records.

2. Just the answer (`+short`)

dig +short www.example.com

Strips everything except the answer values. Output: just the IP addresses. Use in scripts and one-liners.

3. Query a specific nameserver (`@server`)

dig www.example.com @ns1.dnscale.eu

Bypasses your local recursive resolver and queries the authoritative server directly. The single most important diagnostic technique — tells you what the zone actually serves, independent of any cache.

You can also query public resolvers directly:

dig www.example.com @8.8.8.8     # Google
dig www.example.com @1.1.1.1     # Cloudflare
dig www.example.com @9.9.9.9     # Quad9

4. Specify the record type

dig MX example.com
dig TXT example.com
dig AAAA www.example.com
dig CNAME www.example.com
dig NS example.com
dig SOA example.com

Replace MX/TXT/etc. with any record type. Type goes after the name (some examples put it before — both work, but after is more common).

5. Trace from root (`+trace`)

dig +trace www.example.com

Walks the full DNS hierarchy: root → TLD → authoritative. Each hop shows up. Invaluable for diagnosing delegation problems and confirming the path from .com to your zone.

6. Reverse DNS (`-x`)

dig -x 192.0.2.1
dig -x 2001:db8::1

Looks up the PTR record for an IP address. dig handles the in-addr.arpa / ip6.arpa name expansion automatically.

7. Disable DNSSEC validation (`+cd`)

dig +cd www.example.com @8.8.8.8

The +cd flag is "Checking Disabled" — tells the resolver not to validate DNSSEC. If a normal query returns SERVFAIL but +cd returns the answer, DNSSEC validation is the cause. See SERVFAIL explained.

8. Request DNSSEC records (`+dnssec`)

dig +dnssec www.example.com

Adds RRSIG and other DNSSEC records to the response. Useful for inspecting the signed state of a zone.

9. AXFR zone transfer

dig AXFR example.com @ns1.example.com

Requests a full zone transfer. Most servers reject this from arbitrary clients (rightly). Used when configuring secondary DNS or auditing a zone you control.

10. Quiet output (`+noall +answer`)

dig +noall +answer www.example.com

Shows only the ANSWER section without the headers and timing. Cleaner than full output but more informative than +short.

Worked examples by record type

Example 1 — A and AAAA together

dig +short A www.example.com
dig +short AAAA www.example.com

Run both for dual-stack debugging.

Example 2 — Multiple records (round-robin)

dig +short A round-robin.example.com
# 192.0.2.1
# 192.0.2.2
# 192.0.2.3

When a name has multiple A records, dig lists them all. Run a few times — most resolvers rotate the order.

Example 3 — Inspect MX priority

dig MX example.com +noall +answer
# example.com.    3600    IN    MX    10 mail1.example.com.
# example.com.    3600    IN    MX    20 mail2.example.com.

The first numeric value is priority — lower = higher priority. Mail goes to mail1 first; if that fails, mail2.

Example 4 — TXT record (SPF, DKIM, verification)

dig TXT example.com
dig TXT default._domainkey.example.com         # DKIM with selector "default"
dig TXT _dmarc.example.com                     # DMARC

TXT records can be many strings concatenated. dig prints them as quoted strings.

Example 5 — NS delegation at the apex

dig NS example.com +noall +answer

Lists the authoritative nameservers for the zone. Should match the registrar's NS configuration.

Example 6 — SOA inspection

dig SOA example.com +noall +answer
# example.com.  3600  IN  SOA  ns1.dnscale.eu. ops.dnscale.eu. 2026050401 3600 600 1209600 300

Read the fields: primary NS, admin email (with @ → .), serial, refresh, retry, expire, negative-cache TTL.

Example 7 — SRV records

dig SRV _sip._tcp.example.com +short
# 10 5 5060 sip1.example.com.
# 20 5 5060 sip2.example.com.

Format: priority, weight, port, target.

Example 8 — CAA records (cert issuance authorisation)

dig CAA example.com
# example.com.   3600  IN  CAA   0 issue "letsencrypt.org"
# example.com.   3600  IN  CAA   0 iodef "mailto:security@example.com"

Example 9 — TLSA / DANE

dig TLSA _25._tcp.mail.example.com +short
# 3 1 1 0123456789abcdef...

Format: usage, selector, matching type, certificate data hash.

Example 10 — HTTPS / SVCB records

dig HTTPS www.example.com
# www.example.com.  3600  IN  HTTPS   1 . alpn="h3,h2" ipv4hint=192.0.2.1

Modern web HTTPS-record lookup; advertises HTTP/3 support and connection hints.

Diagnostic workflows

Example 11 — Verify a record was published correctly

After adding a record:

# Check authoritative directly (bypasses caches)
dig +short A www.example.com @ns1.dnscale.eu

If the authoritative answer is wrong, the record itself is wrong. Check the dashboard or API.

Example 12 — Check propagation across resolvers

for resolver in 8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222; do
  echo "$resolver: $(dig +short A www.example.com @$resolver)"
done

If they disagree, propagation is in progress. See DNS propagation.

Example 13 — Inspect TTL countdown (proves caching)

dig +noall +answer www.example.com
# wait a few seconds
dig +noall +answer www.example.com

The TTL value should be lower the second time — the resolver cached and the timer is counting down. If TTL is the same value both times, you're hitting authoritative directly (which always returns the full TTL).

Example 14 — Find DNSSEC failures

dig www.example.com @8.8.8.8                  # may return SERVFAIL
dig +cd www.example.com @8.8.8.8              # checking-disabled bypass

If +cd returns the answer and the default returns SERVFAIL, DNSSEC validation is broken. Drill in:

dig DS example.com @8.8.8.8                   # parent's DS hash
dig DNSKEY example.com @ns1.dnscale.eu        # zone's published keys

The DS hashes must correspond to the published KSK. See DNSSEC key management.

Example 15 — Trace delegation path

dig +trace example.com

You should see:

Query to a root server.
Referral to the .com TLD nameservers.
Referral to your authoritative nameservers.
Final authoritative answer (with ;; Received <bytes> bytes from <ns> in <time> and AA flag).

If any step fails, that's where delegation is broken.

Example 16 — Time the resolution

dig +stats www.example.com

Bottom of output: ;; Query time: 23 msec. Run it a few times — first time goes to authoritative if not cached; subsequent times come from resolver cache (much faster).

Example 17 — Force IPv4 or IPv6 transport

dig -4 www.example.com    # query over IPv4
dig -6 www.example.com    # query over IPv6

Useful when debugging dual-stack issues or testing v6-only connectivity.

Example 18 — Test an alternate resolver port

dig www.example.com @8.8.8.8 -p 53
dig www.example.com @<server> -p 5353

Useful when running a local resolver on a non-standard port (split DNS, dnsmasq, etc.).

Example 19 — Inspect EDNS / OPT pseudo-header

dig www.example.com +bufsize=4096 +stats

EDNS extends DNS for larger payloads (DNSSEC needs this) and additional flags. Most modern queries automatically use EDNS; explicit control is rarely needed but useful for protocol-level debugging.

Example 20 — Verify NXDOMAIN authoritatively

dig nonexistent.example.com @ns1.dnscale.eu
# expect: status: NXDOMAIN

If the authoritative server says NXDOMAIN, the record genuinely doesn't exist. See NXDOMAIN explained.

Less common but useful

Example 21 — ANY queries (mostly disabled now)

dig ANY example.com

Historically this returned all record types in one query. Most authoritative servers now refuse ANY (it was abused for amplification attacks) and return a minimal placeholder. Don't rely on it.

Example 22 — Batch queries from a file

cat > queries.txt <<EOF
example.com A
example.com MX
www.example.com AAAA
mail.example.com TXT
EOF
 
dig -f queries.txt +short

One query per line. Useful for scripted audits.

Example 23 — Multiple names in one invocation

dig www.example.com mail.example.com api.example.com +short

dig accepts multiple names; runs them sequentially.

Example 24 — Specify class (almost always IN)

dig IN A www.example.com
dig CH TXT version.bind @8.8.8.8           # CHAOS class — server version probe (often refused)

Class is virtually always IN (Internet). The CHAOS class has historical use cases and is mostly disabled now.

Example 25 — Set the source IP

dig -b 192.0.2.5 www.example.com @ns1.example.com

Tells dig to bind to a specific local IP. Useful when your machine has multiple IPs and you need to match an ACL.

Example 26 — Disable recursion (`+norecurse`)

dig +norecurse www.example.com @8.8.8.8

Asks the resolver not to recurse on your behalf. Mostly useful against authoritative servers — they'll only answer queries for zones they're authoritative for.

Example 27 — Force TCP

dig +tcp AXFR example.com @ns1.example.com

DNS uses UDP by default with TCP fallback for large responses. AXFR requires TCP. Use +tcp when you specifically want TCP transport.

Example 28 — Time-out and retry control

dig +tries=2 +retry=1 +time=3 www.example.com @ns1.example.com

Useful in scripts: bound the worst-case time when a nameserver might be unresponsive.

Example 29 — Verbose / human-readable

dig +nocomments +noquestion +answer www.example.com

Strip comments and the question section, keep just the answer. Combine flags freely.

Example 30 — Compare two resolvers side-by-side

diff <(dig +short www.example.com @8.8.8.8) <(dig +short www.example.com @1.1.1.1)

If the diff is empty, they agree. If not, you have a propagation or resolver-specific issue to investigate.

Reading dig output

A full dig response has these sections:

; <<>> DiG 9.18 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
 
;; QUESTION SECTION:
;www.example.com.       IN    A
 
;; ANSWER SECTION:
www.example.com.    3600  IN  A    93.184.216.34
 
;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: <timestamp>
;; MSG SIZE  rcvd: 60

Pay attention to:

status: NOERROR (success), NXDOMAIN (no such name), SERVFAIL (server failure), REFUSED.
flags: qr (query response), aa (authoritative answer — set when querying an authoritative server), rd (recursion desired), ra (recursion available), ad (DNSSEC authenticated data).
ANSWER SECTION: the actual records. Each line: name, TTL, class, type, value.
Query time: how long the query took.

Combining dig with shell scripting

# Get just the IP for the first A record
ip=$(dig +short A www.example.com | head -n 1)
 
# Loop through subdomains
for sub in www mail api status; do
  echo "$sub: $(dig +short A $sub.example.com)"
done
 
# Diff record state across resolvers (CI-friendly)
if ! diff -q <(dig +short A example.com @8.8.8.8) <(dig +short A example.com @1.1.1.1) > /dev/null; then
  echo "Resolvers disagree — investigate"
  exit 1
fi

Common pitfalls

Confusing default-resolver answers with authoritative. Always use @ns1.<provider> when you want ground truth.
Forgetting that dig follows CNAMEs by default. The output may show CNAME → A in two records; dig +short returns just the final IP. Use dig +noall +answer for the chain.
Treating empty dig +short output as success. No output means no answer (NXDOMAIN, SERVFAIL, or empty). Always check the status line in full output if +short is empty.
Quoting issues with TXT records in shell. TXT values often contain quotes, semicolons, and spaces. Use single quotes around dig's output before piping further.
Running dig from inside a VPN that does its own DNS. The VPN may intercept queries. Use @8.8.8.8 to force a known resolver.

References

BIND 9 dig manual
IETF RFC 1035 — DNS basic specification
IETF RFC 6891 — EDNS0

Frequently asked questions

Is dig installed by default on my system?: On Linux: usually, via the `bind-utils` (RHEL/Fedora) or `dnsutils` (Debian/Ubuntu) package. On macOS: yes, ships with the OS. On Windows: not by default; install via WSL, Git Bash, or download BIND tools. Modern Windows 10/11 also ships `Resolve-DnsName` in PowerShell, which covers most dig use cases.
What's the difference between dig and nslookup?: dig is more powerful and produces richer, more parseable output; it's the standard for production troubleshooting. nslookup is older, more limited, but available on Windows by default. For anything beyond basic A-record lookup, prefer dig. See the nslookup tutorial for Windows-friendly equivalents.
How do I query a specific nameserver instead of my default resolver?: Use @server. Example: `dig www.example.com @ns1.dnscale.eu` queries DNScale's authoritative server directly, bypassing your local recursive resolver. This is the single most useful diagnostic technique — it tells you what's actually published, separate from what's cached anywhere.
What does +short do?: Strips dig's verbose output to just the answer values. Compare `dig www.example.com` (full sectioned output) to `dig +short www.example.com` (just the IP addresses). Useful for scripts and quick checks; full output for debugging.
How do I check DNSSEC with dig?: Three patterns: (1) `dig +dnssec <name>` requests DNSSEC records (RRSIG, etc.) in the response; (2) `dig +cd <name>` disables resolver-side checking — bypasses validation, useful for isolating DNSSEC-induced SERVFAIL; (3) `delv <name>` (a related tool) does full validation client-side and reports the trust chain. Most useful for production debugging is `+cd` to confirm whether DNSSEC is the failing step.
Can I do AXFR zone transfers with dig?: Yes, but only if the authoritative server allows it for your IP. `dig AXFR example.com @ns1.example.com`. Most public zones reject AXFR from arbitrary clients (it would expose every record). Used legitimately when you're configuring a secondary DNS server; the secondary's IP must be explicitly allowed in the primary's zone-transfer ACL.
How do I time a dig query?: dig already prints query time at the bottom: `;; Query time: 23 msec`. For repeated timings, use `dig +tries=1 +retry=0 +time=2 ...` to avoid retries skewing measurements, and combine with shell `time` for end-to-end. For continuous monitoring, use a dedicated tool like `dnsperf` rather than wrapping dig.

Ready to manage your DNS with confidence?

DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.

Start free