xref: /netbsd-src/external/mpl/bind/dist/bin/dig/dig.rst (revision 8ecbf5f02b752fcb7debe1a8fab1dc82602bc760) 
1..
2   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3
4   This Source Code Form is subject to the terms of the Mozilla Public
5   License, v. 2.0. If a copy of the MPL was not distributed with this
6   file, You can obtain one at http://mozilla.org/MPL/2.0/.
7
8   See the COPYRIGHT file distributed with this work for additional
9   information regarding copyright ownership.
10
11..
12   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
13
14   This Source Code Form is subject to the terms of the Mozilla Public
15   License, v. 2.0. If a copy of the MPL was not distributed with this
16   file, You can obtain one at http://mozilla.org/MPL/2.0/.
17
18   See the COPYRIGHT file distributed with this work for additional
19   information regarding copyright ownership.
20
21
22.. highlight: console
23
24.. _man_dig:
25
26dig - DNS lookup utility
27------------------------
28
29Synopsis
30~~~~~~~~
31:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
32
33:program:`dig` [**-h**]
34
35:program:`dig` [global-queryopt...] [query...]
36
37Description
38~~~~~~~~~~~
39
40``dig`` is a flexible tool for interrogating DNS name servers. It
41performs DNS lookups and displays the answers that are returned from the
42name server(s) that were queried. Most DNS administrators use ``dig`` to
43troubleshoot DNS problems because of its flexibility, ease of use and
44clarity of output. Other lookup tools tend to have less functionality
45than ``dig``.
46
47Although ``dig`` is normally used with command-line arguments, it also
48has a batch mode of operation for reading lookup requests from a file. A
49brief summary of its command-line arguments and options is printed when
50the ``-h`` option is given. Unlike earlier versions, the BIND 9
51implementation of ``dig`` allows multiple lookups to be issued from the
52command line.
53
54Unless it is told to query a specific name server, ``dig`` will try each
55of the servers listed in ``/etc/resolv.conf``. If no usable server
56addresses are found, ``dig`` will send the query to the local host.
57
58When no command line arguments or options are given, ``dig`` will
59perform an NS query for "." (the root).
60
61It is possible to set per-user defaults for ``dig`` via
62``${HOME}/.digrc``. This file is read and any options in it are applied
63before the command line arguments. The ``-r`` option disables this
64feature, for scripts that need predictable behaviour.
65
66The IN and CH class names overlap with the IN and CH top level domain
67names. Either use the ``-t`` and ``-c`` options to specify the type and
68class, use the ``-q`` the specify the domain name, or use "IN." and
69"CH." when looking up these top level domains.
70
71Simple Usage
72~~~~~~~~~~~~
73
74A typical invocation of ``dig`` looks like:
75
76::
77
78    dig @server name type
79
80where:
81
82``server``
83   is the name or IP address of the name server to query. This can be an
84   IPv4 address in dotted-decimal notation or an IPv6 address in
85   colon-delimited notation. When the supplied ``server`` argument is a
86   hostname, ``dig`` resolves that name before querying that name
87   server.
88
89   If no ``server`` argument is provided, ``dig`` consults
90   ``/etc/resolv.conf``; if an address is found there, it queries the
91   name server at that address. If either of the ``-4`` or ``-6``
92   options are in use, then only addresses for the corresponding
93   transport will be tried. If no usable addresses are found, ``dig``
94   will send the query to the local host. The reply from the name server
95   that responds is displayed.
96
97``name``
98   is the name of the resource record that is to be looked up.
99
100``type``
101   indicates what type of query is required MDASH ANY, A, MX, SIG, etc.
102   ``type`` can be any valid query type. If no ``type`` argument is
103   supplied, ``dig`` will perform a lookup for an A record.
104
105Options
106~~~~~~~
107
108**-4**
109   Use IPv4 only.
110
111**-6**
112   Use IPv6 only.
113
114**-b** address[#port]
115   Set the source IP address of the query. The ``address`` must be a
116   valid address on one of the host's network interfaces, or "0.0.0.0"
117   or "::". An optional port may be specified by appending "#<port>"
118
119**-c** class
120   Set the query class. The default ``class`` is IN; other classes are
121   HS for Hesiod records or CH for Chaosnet records.
122
123**-f** file
124   Batch mode: ``dig`` reads a list of lookup requests to process from
125   the given ``file``. Each line in the file should be organized in the
126   same way they would be presented as queries to ``dig`` using the
127   command-line interface.
128
129**-k** keyfile
130   Sign queries using TSIG using a key read from the given file. Key
131   files can be generated using tsig-keygen8. When using TSIG
132   authentication with ``dig``, the name server that is queried needs to
133   know the key and algorithm that is being used. In BIND, this is done
134   by providing appropriate ``key`` and ``server`` statements in
135   ``named.conf``.
136
137**-m**
138   Enable memory usage debugging.
139
140**-p** port
141   Send the query to a non-standard port on the server, instead of the
142   default port 53. This option would be used to test a name server that
143   has been configured to listen for queries on a non-standard port
144   number.
145
146**-q** name
147   The domain name to query. This is useful to distinguish the ``name``
148   from other arguments.
149
150**-r**
151   Do not read options from ``${HOME}/.digrc``. This is useful for
152   scripts that need predictable behaviour.
153
154**-t** type
155   The resource record type to query. It can be any valid query type. If
156   it is a resource record type supported in BIND 9, it can be given by
157   the type mnemonic (such as "NS" or "AAAA"). The default query type is
158   "A", unless the ``-x`` option is supplied to indicate a reverse
159   lookup. A zone transfer can be requested by specifying a type of
160   AXFR. When an incremental zone transfer (IXFR) is required, set the
161   ``type`` to ``ixfr=N``. The incremental zone transfer will contain
162   the changes made to the zone since the serial number in the zone's
163   SOA record was ``N``.
164
165   All resource record types can be expressed as "TYPEnn", where "nn" is
166   the number of the type. If the resource record type is not supported
167   in BIND 9, the result will be displayed as described in :rfc:`3597`.
168
169**-u**
170   Print query times in microseconds instead of milliseconds.
171
172**-v**
173   Print the version number and exit.
174
175**-x** addr
176   Simplified reverse lookups, for mapping addresses to names. The
177   ``addr`` is an IPv4 address in dotted-decimal notation, or a
178   colon-delimited IPv6 address. When the ``-x`` is used, there is no
179   need to provide the ``name``, ``class`` and ``type`` arguments.
180   ``dig`` automatically performs a lookup for a name like
181   ``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
182   and IN respectively. IPv6 addresses are looked up using nibble format
183   under the IP6.ARPA domain.
184
185**-y** [hmac:]keyname:secret
186   Sign queries using TSIG with the given authentication key.
187   ``keyname`` is the name of the key, and ``secret`` is the base64
188   encoded shared secret. ``hmac`` is the name of the key algorithm;
189   valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
190   ``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
191   not specified, the default is ``hmac-md5`` or if MD5 was disabled
192   ``hmac-sha256``.
193
194.. note:: You should use the ``-k`` option and avoid the ``-y`` option,
195   because with ``-y`` the shared secret is supplied as a command line
196   argument in clear text. This may be visible in the output from ps1 or
197   in a history file maintained by the user's shell.
198
199Query Options
200~~~~~~~~~~~~~
201
202``dig`` provides a number of query options which affect the way in which
203lookups are made and the results displayed. Some of these set or reset
204flag bits in the query header, some determine which sections of the
205answer get printed, and others determine the timeout and retry
206strategies.
207
208Each query option is identified by a keyword preceded by a plus sign
209(``+``). Some keywords set or reset an option. These may be preceded by
210the string ``no`` to negate the meaning of that keyword. Other keywords
211assign values to options like the timeout interval. They have the form
212``+keyword=value``. Keywords may be abbreviated, provided the
213abbreviation is unambiguous; for example, ``+cd`` is equivalent to
214``+cdflag``. The query options are:
215
216``+[no]aaflag``
217   A synonym for ``+[no]aaonly``.
218
219``+[no]aaonly``
220   Sets the "aa" flag in the query.
221
222``+[no]additional``
223   Display [do not display] the additional section of a reply. The
224   default is to display it.
225
226``+[no]adflag``
227   Set [do not set] the AD (authentic data) bit in the query. This
228   requests the server to return whether all of the answer and authority
229   sections have all been validated as secure according to the security
230   policy of the server. AD=1 indicates that all records have been
231   validated as secure and the answer is not from a OPT-OUT range. AD=0
232   indicate that some part of the answer was insecure or not validated.
233   This bit is set by default.
234
235``+[no]all``
236   Set or clear all display flags.
237
238``+[no]answer``
239   Display [do not display] the answer section of a reply. The default
240   is to display it.
241
242``+[no]authority``
243   Display [do not display] the authority section of a reply. The
244   default is to display it.
245
246``+[no]badcookie``
247   Retry lookup with the new server cookie if a BADCOOKIE response is
248   received.
249
250``+[no]besteffort``
251   Attempt to display the contents of messages which are malformed. The
252   default is to not display malformed answers.
253
254``+bufsize=B``
255   Set the UDP message buffer size advertised using EDNS0 to ``B``
256   bytes. The maximum and minimum sizes of this buffer are 65535 and 0
257   respectively. Values outside this range are rounded up or down
258   appropriately. Values other than zero will cause a EDNS query to be
259   sent.
260
261``+[no]cdflag``
262   Set [do not set] the CD (checking disabled) bit in the query. This
263   requests the server to not perform DNSSEC validation of responses.
264
265``+[no]class``
266   Display [do not display] the CLASS when printing the record.
267
268``+[no]cmd``
269   Toggles the printing of the initial comment in the output, identifying the
270   version of ``dig`` and the query options that have been applied.  This option
271   always has global effect; it cannot be set globally and then overridden on a
272   per-lookup basis.  The default is to print this comment.
273
274``+[no]comments``
275   Toggles the display of some comment lines in the output, containing
276   information about the packet header and OPT pseudosection, and the names of
277   the response section.  The default is to print these comments.
278
279   Other types of comments in the output are not affected by this option, but
280   can be controlled using other command line switches. These include
281   ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
282
283``+[no]cookie=####``
284   Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
285   from a previous response will allow the server to identify a previous
286   client. The default is ``+cookie``.
287
288   ``+cookie`` is also set when +trace is set to better emulate the
289   default queries from a nameserver.
290
291``+[no]crypto``
292   Toggle the display of cryptographic fields in DNSSEC records. The
293   contents of these field are unnecessary to debug most DNSSEC
294   validation failures and removing them makes it easier to see the
295   common failures. The default is to display the fields. When omitted
296   they are replaced by the string "[omitted]" or in the DNSKEY case the
297   key id is displayed as the replacement, e.g. "[ key id = value ]".
298
299``+[no]defname``
300   Deprecated, treated as a synonym for ``+[no]search``
301
302``+[no]dnssec``
303   Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in
304   the OPT record in the additional section of the query.
305
306``+domain=somename``
307   Set the search list to contain the single domain ``somename``, as if
308   specified in a ``domain`` directive in ``/etc/resolv.conf``, and
309   enable search list processing as if the ``+search`` option were
310   given.
311
312``+dscp=value``
313   Set the DSCP code point to be used when sending the query. Valid DSCP
314   code points are in the range [0..63]. By default no code point is
315   explicitly set.
316
317``+[no]edns[=#]``
318   Specify the EDNS version to query with. Valid values are 0 to 255.
319   Setting the EDNS version will cause a EDNS query to be sent.
320   ``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
321   default.
322
323``+[no]ednsflags[=#]``
324   Set the must-be-zero EDNS flags bits (Z bits) to the specified value.
325   Decimal, hex and octal encodings are accepted. Setting a named flag
326   (e.g. DO) will silently be ignored. By default, no Z bits are set.
327
328``+[no]ednsnegotiation``
329   Enable / disable EDNS version negotiation. By default EDNS version
330   negotiation is enabled.
331
332``+[no]ednsopt[=code[:value]]``
333   Specify EDNS option with code point ``code`` and optionally payload
334   of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
335   option name (for example, ``NSID`` or ``ECS``), or an arbitrary
336   numeric value. ``+noednsopt`` clears the EDNS options to be sent.
337
338``+[no]expire``
339   Send an EDNS Expire option.
340
341``+[no]fail``
342   Do not try the next server if you receive a SERVFAIL. The default is
343   to not try the next server which is the reverse of normal stub
344   resolver behavior.
345
346``+[no]header-only``
347   Send a query with a DNS header without a question section. The
348   default is to add a question section. The query type and query name
349   are ignored when this is set.
350
351``+[no]identify``
352   Show [or do not show] the IP address and port number that supplied
353   the answer when the ``+short`` option is enabled. If short form
354   answers are requested, the default is not to show the source address
355   and port number of the server that provided the answer.
356
357``+[no]idnin``
358   Process [do not process] IDN domain names on input. This requires IDN
359   SUPPORT to have been enabled at compile time.
360
361   The default is to process IDN input when standard output is a tty.
362   The IDN processing on input is disabled when dig output is redirected
363   to files, pipes, and other non-tty file descriptors.
364
365``+[no]idnout``
366   Convert [do not convert] puny code on output. This requires IDN
367   SUPPORT to have been enabled at compile time.
368
369   The default is to process puny code on output when standard output is
370   a tty. The puny code processing on output is disabled when dig output
371   is redirected to files, pipes, and other non-tty file descriptors.
372
373``+[no]ignore``
374   Ignore truncation in UDP responses instead of retrying with TCP. By
375   default, TCP retries are performed.
376
377``+[no]keepalive``
378   Send [or do not send] an EDNS Keepalive option.
379
380``+[no]keepopen``
381   Keep the TCP socket open between queries and reuse it rather than
382   creating a new TCP socket for each lookup. The default is
383   ``+nokeepopen``.
384
385``+[no]mapped``
386   Allow mapped IPv4 over IPv6 addresses to be used. The default is
387   ``+mapped``.
388
389``+[no]multiline``
390   Print records like the SOA records in a verbose multi-line format
391   with human-readable comments. The default is to print each record on
392   a single line, to facilitate machine parsing of the ``dig`` output.
393
394``+ndots=D``
395   Set the number of dots that have to appear in ``name`` to ``D`` for
396   it to be considered absolute. The default value is that defined using
397   the ndots statement in ``/etc/resolv.conf``, or 1 if no ndots
398   statement is present. Names with fewer dots are interpreted as
399   relative names and will be searched for in the domains listed in the
400   ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
401   ``+search`` is set.
402
403``+[no]nsid``
404   Include an EDNS name server ID request when sending a query.
405
406``+[no]nssearch``
407   When this option is set, ``dig`` attempts to find the authoritative
408   name servers for the zone containing the name being looked up and
409   display the SOA record that each name server has for the zone.
410   Addresses of servers that that did not respond are also printed.
411
412``+[no]onesoa``
413   Print only one (starting) SOA record when performing an AXFR. The
414   default is to print both the starting and ending SOA records.
415
416``+[no]opcode=value``
417   Set [restore] the DNS message opcode to the specified value. The
418   default value is QUERY (0).
419
420``+padding=value``
421   Pad the size of the query packet using the EDNS Padding option to
422   blocks of ``value`` bytes. For example, ``+padding=32`` would cause a
423   48-byte query to be padded to 64 bytes. The default block size is 0,
424   which disables padding. The maximum is 512. Values are ordinarily
425   expected to be powers of two, such as 128; however, this is not
426   mandatory. Responses to padded queries may also be padded, but only
427   if the query uses TCP or DNS COOKIE.
428
429``+[no]qr``
430   Toggles the display of the query message as it is sent. By default, the query
431   is not printed.
432
433``+[no]question``
434   Toggles the display of the question section of a query when an answer is
435   returned.  The default is to print the question section as a comment.
436
437``+[no]raflag``
438   Set [do not set] the RA (Recursion Available) bit in the query. The
439   default is +noraflag. This bit should be ignored by the server for
440   QUERY.
441
442``+[no]rdflag``
443   A synonym for ``+[no]recurse``.
444
445``+[no]recurse``
446   Toggle the setting of the RD (recursion desired) bit in the query.
447   This bit is set by default, which means ``dig`` normally sends
448   recursive queries. Recursion is automatically disabled when the
449   ``+nssearch`` or ``+trace`` query options are used.
450
451``+retry=T``
452   Sets the number of times to retry UDP queries to server to ``T``
453   instead of the default, 2. Unlike ``+tries``, this does not include
454   the initial query.
455
456``+[no]rrcomments``
457   Toggle the display of per-record comments in the output (for example,
458   human-readable key information about DNSKEY records). The default is
459   not to print record comments unless multiline mode is active.
460
461``+[no]search``
462   Use [do not use] the search list defined by the searchlist or domain
463   directive in ``resolv.conf`` (if any). The search list is not used by
464   default.
465
466   'ndots' from ``resolv.conf`` (default 1) which may be overridden by
467   ``+ndots`` determines if the name will be treated as relative or not
468   and hence whether a search is eventually performed or not.
469
470``+[no]short``
471   Provide a terse answer.  The default is to print the answer in a verbose
472   form.  This option always has global effect; it cannot be set globally and
473   then overridden on a per-lookup basis.
474
475``+[no]showsearch``
476   Perform [do not perform] a search showing intermediate results.
477
478``+[no]sigchase``
479   This feature is now obsolete and has been removed; use ``delv``
480   instead.
481
482``+split=W``
483   Split long hex- or base64-formatted fields in resource records into
484   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
485   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
486   split at all. The default is 56 characters, or 44 characters when
487   multiline mode is active.
488
489``+[no]stats``
490   Toggles the printing of statistics: when the query was made, the size of the
491   reply and so on.  The default behavior is to print the query statistics as a
492   comment after each lookup.
493
494``+[no]subnet=addr[/prefix-length]``
495   Send (don't send) an EDNS Client Subnet option with the specified IP
496   address or network prefix.
497
498   ``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
499   sends an EDNS CLIENT-SUBNET option with an empty address and a source
500   prefix-length of zero, which signals a resolver that the client's
501   address information must *not* be used when resolving this query.
502
503``+[no]tcflag``
504   Set [do not set] the TC (TrunCation) bit in the query. The default is
505   +notcflag. This bit should be ignored by the server for QUERY.
506
507``+[no]tcp``
508   Use [do not use] TCP when querying name servers. The default behavior
509   is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested,
510   in which case the default is TCP. AXFR queries always use TCP.
511
512``+timeout=T``
513   Sets the timeout for a query to ``T`` seconds. The default timeout is
514   5 seconds. An attempt to set ``T`` to less than 1 will result in a
515   query timeout of 1 second being applied.
516
517``+[no]topdown``
518   This feature is related to ``dig +sigchase``, which is obsolete and
519   has been removed. Use ``delv`` instead.
520
521``+[no]trace``
522   Toggle tracing of the delegation path from the root name servers for
523   the name being looked up. Tracing is disabled by default. When
524   tracing is enabled, ``dig`` makes iterative queries to resolve the
525   name being looked up. It will follow referrals from the root servers,
526   showing the answer from each server that was used to resolve the
527   lookup.
528
529   If @server is also specified, it affects only the initial query for
530   the root zone name servers.
531
532   ``+dnssec`` is also set when +trace is set to better emulate the
533   default queries from a nameserver.
534
535``+tries=T``
536   Sets the number of times to try UDP queries to server to ``T``
537   instead of the default, 3. If ``T`` is less than or equal to zero,
538   the number of tries is silently rounded up to 1.
539
540``+trusted-key=####``
541   Formerly specified trusted keys for use with ``dig +sigchase``. This
542   feature is now obsolete and has been removed; use ``delv`` instead.
543
544``+[no]ttlid``
545   Display [do not display] the TTL when printing the record.
546
547``+[no]ttlunits``
548   Display [do not display] the TTL in friendly human-readable time
549   units of "s", "m", "h", "d", and "w", representing seconds, minutes,
550   hours, days and weeks. Implies +ttlid.
551
552``+[no]unexpected``
553   Accept [do not accept] answers from unexpected sources.  By default, ``dig``
554   won't accept a reply from a source other than the one to which it sent the
555   query.
556
557``+[no]unknownformat``
558   Print all RDATA in unknown RR type presentation format (:rfc:`3597`).
559   The default is to print RDATA for known types in the type's
560   presentation format.
561
562``+[no]vc``
563   Use [do not use] TCP when querying name servers. This alternate
564   syntax to ``+[no]tcp`` is provided for backwards compatibility. The
565   "vc" stands for "virtual circuit".
566
567``+[no]yaml``
568   Print the responses (and, if <option>+qr</option> is in use, also the
569   outgoing queries) in a detailed YAML format.
570
571``+[no]zflag``
572   Set [do not set] the last unassigned DNS header flag in a DNS query.
573   This flag is off by default.
574
575Multiple Queries
576~~~~~~~~~~~~~~~~
577
578The BIND 9 implementation of ``dig`` supports specifying multiple
579queries on the command line (in addition to supporting the ``-f`` batch
580file option). Each of those queries can be supplied with its own set of
581flags, options and query options.
582
583In this case, each ``query`` argument represent an individual query in
584the command-line syntax described above. Each consists of any of the
585standard options and flags, the name to be looked up, an optional query
586type and class and any query options that should be applied to that
587query.
588
589A global set of query options, which should be applied to all queries,
590can also be supplied. These global query options must precede the first
591tuple of name, class, type, options, flags, and query options supplied
592on the command line. Any global query options (except ``+[no]cmd`` and
593``+[no]short`` options) can be overridden by a query-specific set of
594query options. For example:
595
596::
597
598   dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
599
600shows how ``dig`` could be used from the command line to make three
601lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1
602and a query for the NS records of ``isc.org``. A global query option of
603``+qr`` is applied, so that ``dig`` shows the initial query it made for
604each lookup. The final query has a local query option of ``+noqr`` which
605means that ``dig`` will not print the initial query when it looks up the
606NS records for ``isc.org``.
607
608IDN Support
609~~~~~~~~~~~
610
611If ``dig`` has been built with IDN (internationalized domain name)
612support, it can accept and display non-ASCII domain names. ``dig``
613appropriately converts character encoding of domain name before sending
614a request to DNS server or displaying a reply from the server. If you'd
615like to turn off the IDN support for some reason, use parameters
616``+noidnin`` and ``+noidnout`` or define the IDN_DISABLE environment
617variable.
618
619Files
620~~~~~
621
622``/etc/resolv.conf``
623
624``${HOME}/.digrc``
625
626See Also
627~~~~~~~~
628
629:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
630
631Bugs
632~~~~
633
634There are probably too many query options.
635