dig (DNS lookup utility)

A flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

     dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
             [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key] 
                [-4] [-6] [name] [type] [class] [queryopt...]
dig [-h] dig [global-queryopt...] [query...] Options: -4 Force dig to only use IPv4 query transport. -6 Force dig to only use IPv6 query transport. -b address Set the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "" or "::". An optional port can be specified by appending "#port" -c class Over-ride the default query class (IN for internet). class is any valid class, such as HS for Hesiod records or CH for CHAOSNET records. -f filename Operate in batch mode by reading a list of lookup requests to process from a file. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to dig using the command-line interface. -m Enable memory usage debugging. -p port# Specify a non-standard port number to be queried, default = the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. -t type Set the query type to type, any valid query type which is supported in BIND9. The default query type "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was N. -x addr Reverse lookups - mapping addresses to names: addr is an IPv4 address in dotted- decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the name, class and type arguments. dig automatically performs a lookup for a name like and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the -i option. Bit string labels (RFC2874) are now experimental and are not attempted. -k filename Sign the DNS queries sent by dig and their responses using transaction signatures (TSIG key file). You can also specify the TSIG key itself on the command line using the -y option; name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen(8). Caution should be taken when using the -y option on multi-user systems as the key can be visible in the output from ps(1 ) or in the shell's history file. When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf. -h Print a brief summary of the command-line arguments and options.

Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. Unlike earlier versions, the BIND9 implementation of dig allows multiple lookups to be issued from the command line.

Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf

When no command line arguments or options are given, will perform an NS query for "." (the root).

It is possible to set per-user defaults for dig via ${HOME}/.digrc. This file is read and any options in it are applied before the command line arguments.

The IN and CH class names overlap with the IN and CH top level domains names. Either use the -t and -c options to specify the type and class, use the -q the specify the domain name, or use "IN." and "CH." when looking up these top level domains.

The dig command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on macOS. The results of name or address queries printed by dig might differ from those found by other processes that use the macOS native name and address resolution mechanisms. The results of DNS queries can also differ from queries that use the macOS DNS routing library.

Commonly used record types

A (Host address)
AAAA (IPv6 host address)
ALIAS (Auto resolved alias)
CNAME (Canonical name for an alias)
MX (Mail eXchange)
NS (Name Server)
PTR (Pointer)
SOA (Start Of Authority)
SRV (location of service)
TXT (Descriptive text)


List the DNS A records for ss64.com:
$ dig ss64.com

$ dig ss64.com A

List the DNS AAAA (ipv6) records for ss64.com:
$ dig ss64.com AAAA

List the DNS A records for ss64.com using Google DNS ( instead of your local cache:
$ dig ss64.com @

List the Signature record (SIG record) for ss64.com:
$ dig ss64.com SIG

List the Mail exchanger record (MX record) for ss64.com:
$ dig ss64.com MX

Test your DNS resolver's source port behavior:
$ dig +short porttest.dns-oarc.net TXT

“Businessmen they drink my wine, Plowmen dig my earth, But none of them along the line, Know what any of it is worth” - Bob Dylan

Related macOS commands

dscacheutil - Query or flush the Directory Service/DNS cache.
Dig web interface - Online Dig.
ViewDNS.info - Online IP and DNS lookups.

Copyright © 1999-2023 SS64.com
Some rights reserved