Understanding Linux Dig Command

Updated: Sep 4

Dig is a very powerful Linux command to query DNS in Linux. We will dive into the dig command output today.

Example of Linux Dig Response

The following is a DNS query to get the A record for google.com. We will dive into every section below.

$ dig google.com

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6794
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;google.com.   IN A

google.com.  299 IN A

;; Query time: 7 msec
;; WHEN: Wed Jun 23 13:54:31 UTC 2021
;; MSG SIZE  rcvd: 55

  • Section 1 Message header

  • Section 2 The QUESTION SECTION: the DNS query for which a response is being sought

  • Section 3 The ANSWER SECTION: the resource record(s) that answer the question

  • Section 4 The AUTHORITY SECTION: the resource record(s) that point to the domain authority

  • Section 5 The ADDITIONAL SECTION: the resource record(s) that may hold additional information

DNS Header

|        Header       |
|       Question      | the question for the name server
|        Answer       | RRs answering the question
|      Authority      | RRs pointing toward an authority
|      Additional     | RRs holding additional information

The HEADER section

This is a representation of the DNS response packet. It will contain status codes, flags, and sometimes additional diagnostic output. The flags present may include one or more of the following:

  • qr (Query Response): This bit is set when the packet is a query response.

  • aa (Authoritative Answer): The response is authoritative, which means it came from one of the authoritative nameservers for the domain. It did not come from a resolver or DNS cache. We should only see this flag when We directly query an authoritative nameserver using @nameserver.

  • ra (Recursion Available): The nameserver that responded to this query is available for recursion. Typically ra and aa are mutually exclusive, as authoritative nameservers are generally deliberately configured to not offer recursion.

  • rd (Recursion Desired): The query was sent requesting recursion; this is the default behavior for dig, and most of the time it doesn't make a difference. If the client (dig) requests recursion and is answered by a server that isn't offering it, there will be no ra flag. We can override sending rd using the +norecurse flag; this becomes a factor when debugging certain CNAME chains

  • cd (Checking Disabled): Do not check the DNSSEC-signed responses for validity.

  • ad (Authenticated Data): A zone is DNSSEC-signed, and all RRs germane to the query have been validated.

  • tc (Truncated): This signals the client to retry over TCP.

The ANSWER section

The answer section contains the actual response to the lookup.

The AUTHORITY section

This section will return the list of nameservers that should be authoritative for the query. It is derived from the list of NS RRs in the published zone, not from the set of nameservers that may be delegated for the zone in the TLDs rootzone.

The ADDITIONAL section

Finally, the ADDITIONAL section will provide references that have been deemed useful for completing the query.