A · MX · CNAME · TXT · NS · PTR · DNSSEC
01 — How DNS & dig Work

When you type a domain into a browser, your OS asks a DNS resolver to turn it into an IP address. dig lets you do that same query manually, choose which DNS server to ask, and inspect every detail of the response.

dig sends a DNS query, waits for the answer, and prints the raw response — including flags, TTL, record data, and query timing.

dig is part of the BIND utilities. It ships with most Linux distributions and macOS. On Windows, it can be installed via BIND tools or used through WSL. The equivalent built-in Windows tool is nslookup.

02 — Basic Usage
Simple A record lookup
dig google.com
Annotated output
; <<>> DiG 9.18.1 <<>> google.com ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 112 IN A 142.250.185.46 ;; Query time: 14 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Mar 13 10:00:00 2026 ;; MSG SIZE rcvd: 55
SectionWhat it contains
QUESTIONThe query that was sent — domain, class (IN = Internet), type (A)
ANSWERThe records returned — name, TTL in seconds, class, type, value
AUTHORITYThe nameservers authoritative for the domain (when present)
ADDITIONALExtra records the server included (e.g. glue records)
Query timeHow long the query took in milliseconds
SERVERWhich DNS server answered the query
03 — Record Types
TypeWhat it holdsExample query
AIPv4 addressdig google.com A
AAAAIPv6 addressdig google.com AAAA
MXMail exchange servers with prioritydig google.com MX
CNAMECanonical name — alias to another domaindig www.github.com CNAME
TXTFree-text records — SPF, DKIM, verification tokensdig google.com TXT
NSAuthoritative nameservers for the domaindig google.com NS
SOAStart of Authority — zone serial, refresh, TTLsdig google.com SOA
PTRReverse DNS — IP address to hostnamedig -x 8.8.8.8
ANYAll available records (often restricted)dig google.com ANY
ℹ  Many resolvers now restrict ANY queries and return a minimal response. Query specific record types for reliable results.
04 — Common Flags
FlagDescriptionExample
@<server>Query a specific DNS serverdig @8.8.8.8 google.com
-t <type>Record type to querydig -t MX google.com
-x <ip>Reverse lookup (PTR)dig -x 1.1.1.1
+shortPrint only the answer valuedig google.com +short
+noall +answerShow only the ANSWER sectiondig google.com +noall +answer
+traceTrace full delegation from root serversdig google.com +trace
+dnssecRequest DNSSEC recordsdig google.com +dnssec
+tcpUse TCP instead of UDPdig google.com +tcp
+time=<n>Query timeout in secondsdig google.com +time=2
-4 / -6Force IPv4 or IPv6 transportdig -6 google.com
05 — Practical Examples
Quick IP lookup
dig google.com +short
Query a specific DNS server
dig @1.1.1.1 cloudflare.com A
Check mail records
dig gmail.com MX +noall +answer
Reverse DNS lookup
dig -x 8.8.8.8 +short
Check SPF / DKIM / DMARC records
# SPF dig google.com TXT +short # DKIM (replace selector as needed) dig google._domainkey.google.com TXT +short # DMARC dig _dmarc.google.com TXT +short
Trace full DNS delegation from root
dig google.com +trace
All nameservers for a domain
dig google.com NS +short
Test over TCP (large responses / DNSSEC)
dig google.com +dnssec +tcp
ℹ  +short is your best friend for scripting — it strips all headers and prints only the answer value, one per line.
06 — Troubleshooting with dig
Problemdig command to runWhat to check
Domain not resolvingdig google.com @8.8.8.8If this works but your default resolver fails, the issue is your local DNS server
Wrong IP returneddig google.com +traceFollow the delegation — a rogue NS or stale cache may be intercepting
Email delivery issuesdig domain.com MX
dig domain.com TXT		Verify MX records point to the right server and SPF/DKIM are correct
Slow DNS responsedig google.com +statsCheck Query time — above 100 ms points to a slow or overloaded resolver
NXDOMAIN (no such domain)dig domain.com SOAConfirm the domain exists — if SOA returns nothing the domain may not be registered or delegated
Stale cached recorddig domain.com +shortCheck the TTL in the ANSWER section — low TTL means propagation is fast, high TTL means a change may take hours
⚠  dig queries your system's configured resolver by default. Always test with @8.8.8.8 or @1.1.1.1 in parallel to distinguish between a local DNS problem and a global one.