How the dig command is used for DNS lookup


The command dig is a tool for querying DNS nameservers for information about host addresses, mail exchanges, nameservers, and related records. It is available on any Linux (Unix) or Macintosh OS X operating system. The most typical use of dig is simply to query a single host name.

  1. Use dig to send a DNS request for an A-type lookup of hostA1.test.ca. (the trailing dot marks a fully qualified name):

     dig hostA1.test.ca.

  2. Observe the tcpdump output.

dig output for the A type lookup:

    ; <<>> DiG 9.6.-ESV-R3 <<>> hostA1.test.ca.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47068
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;hostA1.test.ca. IN A

    ;; ANSWER SECTION:
    hostA1.test.ca. 3600 IN A 10.1.1.1

    ;; AUTHORITY SECTION:
    test.ca. 3600 IN NS gateway.test.ca.

    ;; ADDITIONAL SECTION:
    gateway.test.ca. 3600 IN A 10.1.0.1
    gateway.test.ca. 3600 IN AAAA 2001:c0:a8::1

    ;; Query time: 15 msec
    ;; SERVER: 10.1.0.1#53(10.1.0.1)
    ;; WHEN: Thu May 12 13:51:19 2016
    ;; MSG SIZE rcvd: 114

tcpdump output (the query datagram, then the reply):

    13:51:19.881131 IP (tos 0x0, ttl 64, id 45833, offset 0, flags [none], proto UDP (17), length 60)
    10.1.3.1.32545 > 10.1.0.1.53: [udp sum ok] 47068+ A? hostA1.test.ca. (32)

    13:51:19.895562 IP (tos 0x0, ttl 62, id 94, offset 0, flags [none], proto UDP (17), length 142)
    10.1.0.1.53 > 10.1.3.1.32545: [udp sum ok] 47068* q: A? hostA1.test.ca. 1/1/2 hostA1.test.ca. [1h] A 10.1.1.1 ns: test.ca. [1h] NS gateway.test.ca. ar: gateway.test.ca. [1h] A 10.1.0.1, gateway.test.ca. [1h] AAAA 2001:c0:a8::1 (114)

Discussion:

The transaction id is 47068; the same id appears in the query ("47068+" in tcpdump) and in the reply ("47068*"), which is how the client pairs the reply with its outstanding query.

The rd flag (recursion desired) is set in the query. This means that the sender wants the server to carry out the recursion on its behalf.

The aa flag is set in the reply: the answer comes from a name server that is authoritative for the zone (tcpdump shows this as the "*" after the id).

The question is an A type lookup for hostA1.test.ca.

There is 1 answer, 1 authority record and 2 additional records (tcpdump's "1/1/2").

The answer has a TTL of 1 hour (3600 seconds): hostA1.test.ca. resolves to 10.1.1.1.

The authority record is: test.ca. 3600 IN NS gateway.test.ca.

This gives the name of the nameserver for the test.ca zone.

The additional records are the IPv4 (A) and IPv6 (AAAA) addresses of that nameserver, gateway.test.ca., so the client does not need a further lookup to reach it.

Conclusion:

The output of the dig program closely mirrors the actual DNS message structure. We have observed the fields of the DNS messages: transaction id, flags, question, answer, authority RRs and additional RRs, and the tcpdump decode of the same packets shows the identical values on the wire.
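To make the "dig mirrors the wire format" point concrete, here is an added Python example (not part of the original page) that builds the 32-byte query from the capture above and a constructed 114-byte reply with the same id, flags, counts and records, then parses both back into the fields dig prints. The reply bytes are assembled here from the values shown in the dig and tcpdump output, not copied off the wire; the name compression layout is one valid encoding that reproduces the 114-byte size, and the function names are this example's own. The final helper shows the check a resolver applies before trusting a reply: the qr flag must be set and the id and question must echo the outstanding query.

```python
import ipaddress
import struct

# Values taken from the page's dig/tcpdump capture.  The reply bytes are
# constructed below to mirror that capture; they were not copied off the wire.
QUERY_ID = 47068
QNAME = "hostA1.test.ca."
TYPE_A, TYPE_NS, TYPE_AAAA, CLASS_IN = 1, 2, 28, 1
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_AAAA: "AAAA"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def pointer(offset):
    """Compression pointer (top two bits set) to a name already in the message."""
    return struct.pack("!H", 0xC000 | offset)

def rr(owner, rtype, ttl, rdata):
    """One resource record: owner name, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_query(qid, name, qtype=TYPE_A):
    """The 32-byte query dig sent: header with flags 0x0100 (rd only) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def build_reply(qid):
    """Constructed 114-byte authoritative reply: flags qr aa rd ra, counts 1/1/2."""
    msg = struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 1, 2)
    msg += encode_name(QNAME) + struct.pack("!HH", TYPE_A, CLASS_IN)  # QNAME at offset 12
    msg += rr(pointer(12), TYPE_A, 3600, ipaddress.IPv4Address("10.1.1.1").packed)
    gw_off = len(msg) + 2 + 10  # where "gateway" will sit inside the NS RDATA below
    # "test.ca." is the tail of the question name and starts at offset 19.
    msg += rr(pointer(19), TYPE_NS, 3600, b"\x07gateway" + pointer(19))
    msg += rr(pointer(gw_off), TYPE_A, 3600, ipaddress.IPv4Address("10.1.0.1").packed)
    msg += rr(pointer(gw_off), TYPE_AAAA, 3600, ipaddress.IPv6Address("2001:c0:a8::1").packed)
    return msg

def decode_name(msg, off):
    """Decode labels at off, following compression pointers; returns (name, next offset)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: remember where the name ended, then jump
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

RDATA_DECODERS = {
    TYPE_A: lambda msg, off, rd: str(ipaddress.IPv4Address(rd)),
    TYPE_AAAA: lambda msg, off, rd: str(ipaddress.IPv6Address(rd)),
    TYPE_NS: lambda msg, off, rd: decode_name(msg, off)[0],  # NS RDATA may be compressed
}

def parse_message(msg):
    """Split a DNS message into the fields dig prints: id, flags and four sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "flags": [n for n, bit in FLAG_BITS if flags & bit], "rcode": flags & 0xF,
           "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append((name, TYPE_NAMES.get(qtype, qtype)))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            decode = RDATA_DECODERS.get(rtype, lambda m, o, rd: rd.hex())
            out[section].append((name, ttl, TYPE_NAMES.get(rtype, rtype), decode(msg, off, msg[off:off + rdlen])))
            off += rdlen
    return out

def reply_matches(query, reply):
    """A resolver should accept a reply only when it is a response (qr set) whose
    id and question echo the outstanding query; anything else is discarded."""
    q, r = parse_message(query), parse_message(reply)
    return "qr" in r["flags"] and q["id"] == r["id"] and q["question"] == r["question"]
```

Running parse_message over build_reply(QUERY_ID) yields id 47068, flags ['qr', 'aa', 'rd', 'ra'], rcode 0 (NOERROR), one question, one answer, one authority and two additional records with the same names, TTLs and addresses the dig output lists, and len() of the two messages is 32 and 114, the sizes tcpdump printed in parentheses. The 16-bit id plus the source port (32545 in the capture) are the only fields the client can check a plain UDP reply against, which is why reply_matches is a minimum rather than a guarantee of authenticity.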

What can I find using the dig command?

dig will let you perform any valid DNS query; the most common record types are:

  • A (the IP address),

  • TXT (text annotations),

  • MX (mail exchanges), and

  • NS (nameservers).
