Skip to content
>_devvkit
$devvkit learn --librarie dig-&-nslookup-guide

dig & nslookup Guide

[dns][networking][troubleshooting][cli]
Network Diagnostics
Install
# dig comes with bind-utils / dnsutils
sudo apt install dnsutils
brew install bind
# Windows: nslookup is built-in; dig via WSL or download

dig (Domain Information Groper) is the most powerful DNS debugging tool. Unlike nslookup, dig gives you detailed response sections (QUESTION, ANSWER, AUTHORITY, ADDITIONAL) and supports EDNS, DNSSEC validation, and TCP fallback.

Use `+short` for scripts, `+trace` to follow the full resolution chain from root servers, `+dnssec` to check DNSSEC signatures, and `-x` for reverse lookups. The `ANY` query type shows all records — but many modern DNS servers restrict it.

GUI alternatives: DNS Lookup (macOS), dig Web UI (digwebinterface.com), or Cloudflare's DNS resolver diagnostic page (1.1.1.1/help). For monitoring DNS changes over time, use `dnsdiag` or `dnsping`.

Basic Lookups

A recordIPv4 address lookup.
dig example.com
# Short answer only:
dig example.com +short
# Specific nameserver:
dig @8.8.8.8 example.com
nslookup interactiveAlternative interactive tool.
nslookup
> server 8.8.8.8
> set type=MX
> example.com
> set debug          # Show full packet
> exit

# One-liner:
nslookup -type=TXT example.com 8.8.8.8

Record Types

All record typesQuery specific RR types.
dig example.com AAAA       # IPv6
dig example.com MX          # Mail servers
dig example.com NS          # Name servers
dig example.com TXT         # Text records (SPF, DKIM, etc.)
dig example.com CNAME       # Canonical name
dig example.com SOA         # Start of authority
dig _sip._tcp.example.com SRV  # Service records
Reverse DNSIP to hostname.
dig -x 8.8.8.8
# Also:
dig 8.8.8.8.in-addr.arpa PTR

# IPv6 reverse:
dig -x 2001:4860:4860::8888

Advanced Queries

Trace resolutionFollow root to leaf.
dig +trace example.com
# Shows every step: root → TLD → authoritative
# Great for debugging delegation issues

dig +trace +short example.com  # Shortened trace
DNSSEC validationCheck DNSSEC chain.
dig example.com +dnssec
# Look for "ad" flag (authenticated data)
dig example.com +dnssec +multiline
# Check specific RRSIG:
dig example.com RRSIG

# Verify with drill (ldns):
drill -D example.com

Troubleshooting

Query time statsMeasure resolver speed.
dig example.com +stats
# Shows: Query time: 23 msec, SERVER: 8.8.8.8#53

# Compare resolvers:
dig @8.8.8.8 example.com +noall +stats | grep "Query time"
dig @1.1.1.1 example.com +noall +stats | grep "Query time"
dig @208.67.222.222 example.com +noall +stats | grep "Query time"
Check propagationVerify DNS change propagated.
# Query multiple geographic resolvers:
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short
dig @208.67.222.222 example.com +short
dig @9.9.9.9 example.com +short
# If all same → fully propagated

Scripting

Bulk lookupQuery multiple domains.
# Check multiple domains from a file:
while read domain; do
  ip=$(dig +short $domain A | head -1)
  [ -n "$ip" ] && echo "$domain => $ip"
done < domains.txt

# Parallel with xargs:
cat domains.txt | xargs -P10 -I{} dig +short {} A {} AAAA
Advanced: +short tricksScript-friendly output.
# Get all MX servers sorted by priority:
dig example.com MX +short | sort -n

# Check if SPF record exists:
dig example.com TXT +short | grep "v=spf1"

# Get canonical redirect target:
dig bit.ly CNAME +short

# Find authoritative nameservers:
dig +norec @a.root-servers.net example.com NS +short