$devvkit learn --librarie dig-&-nslookup-guide
dig & nslookup Guide
[dns][networking][troubleshooting][cli]
Network Diagnostics
Install
# dig comes with bind-utils / dnsutils sudo apt install dnsutils brew install bind # Windows: nslookup is built-in; dig via WSL or download
dig (Domain Information Groper) is the most powerful DNS debugging tool. Unlike nslookup, dig gives you detailed response sections (QUESTION, ANSWER, AUTHORITY, ADDITIONAL) and supports EDNS, DNSSEC validation, and TCP fallback.
Use `+short` for scripts, `+trace` to follow the full resolution chain from root servers, `+dnssec` to check DNSSEC signatures, and `-x` for reverse lookups. The `ANY` query type shows all records — but many modern DNS servers restrict it.
GUI alternatives: DNS Lookup (macOS), dig Web UI (digwebinterface.com), or Cloudflare's DNS resolver diagnostic page (1.1.1.1/help). For monitoring DNS changes over time, use `dnsdiag` or `dnsping`.
Basic Lookups
A record— IPv4 address lookup.
dig example.com # Short answer only: dig example.com +short # Specific nameserver: dig @8.8.8.8 example.com
nslookup interactive— Alternative interactive tool.
nslookup > server 8.8.8.8 > set type=MX > example.com > set debug # Show full packet > exit # One-liner: nslookup -type=TXT example.com 8.8.8.8
Record Types
All record types— Query specific RR types.
dig example.com AAAA # IPv6 dig example.com MX # Mail servers dig example.com NS # Name servers dig example.com TXT # Text records (SPF, DKIM, etc.) dig example.com CNAME # Canonical name dig example.com SOA # Start of authority dig _sip._tcp.example.com SRV # Service records
Reverse DNS— IP to hostname.
dig -x 8.8.8.8 # Also: dig 8.8.8.8.in-addr.arpa PTR # IPv6 reverse: dig -x 2001:4860:4860::8888
Advanced Queries
Trace resolution— Follow root to leaf.
dig +trace example.com # Shows every step: root → TLD → authoritative # Great for debugging delegation issues dig +trace +short example.com # Shortened trace
DNSSEC validation— Check DNSSEC chain.
dig example.com +dnssec # Look for "ad" flag (authenticated data) dig example.com +dnssec +multiline # Check specific RRSIG: dig example.com RRSIG # Verify with drill (ldns): drill -D example.com
Troubleshooting
Query time stats— Measure resolver speed.
dig example.com +stats # Shows: Query time: 23 msec, SERVER: 8.8.8.8#53 # Compare resolvers: dig @8.8.8.8 example.com +noall +stats | grep "Query time" dig @1.1.1.1 example.com +noall +stats | grep "Query time" dig @208.67.222.222 example.com +noall +stats | grep "Query time"
Check propagation— Verify DNS change propagated.
# Query multiple geographic resolvers: dig @8.8.8.8 example.com +short dig @1.1.1.1 example.com +short dig @208.67.222.222 example.com +short dig @9.9.9.9 example.com +short # If all same → fully propagated
Scripting
Bulk lookup— Query multiple domains.
# Check multiple domains from a file:
while read domain; do
ip=$(dig +short $domain A | head -1)
[ -n "$ip" ] && echo "$domain => $ip"
done < domains.txt
# Parallel with xargs:
cat domains.txt | xargs -P10 -I{} dig +short {} A {} AAAAAdvanced: +short tricks— Script-friendly output.
# Get all MX servers sorted by priority: dig example.com MX +short | sort -n # Check if SPF record exists: dig example.com TXT +short | grep "v=spf1" # Get canonical redirect target: dig bit.ly CNAME +short # Find authoritative nameservers: dig +norec @a.root-servers.net example.com NS +short