Troubleshooting DNS with dig

dig is a DNS lookup utility that is invaluable for troubleshooting DNS errors.

To look up the IPv4 address of a hostname, run:

$ dig example.ircnow.org
; <<>> dig 9.10.8-P1 <<>> example.ircnow.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15341
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.ircnow.org.                    IN      A

;; ANSWER SECTION:
example.ircnow.org.             3600    IN      A       192.168.0.1

;; Query time: 485 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 21 12:31:44 CST 2020
;; MSG SIZE  rcvd: 55

Success or Failure

  1. status: NOERROR
    This indicates that the name lookup succeeded.
  2. status: NXDOMAIN
    This indicates that the name server believes there are no records for the hostname. In other words, the name server for the zone exists, but the record does not.
  3. ;; connection timed out; no servers could be reached
    This indicates that your computer cannot reach the nameservers in /etc/resolv.conf. Please reconfigure your local caching nameservers.

Answer Section

;; ANSWER SECTION:
example.ircnow.org.             3600    IN      A       192.168.0.1

The 3600 means that this entry has a time to live (TTL) value of 3600s. After 3600s, or 1 hour, the answer will no longer be valid. A means this is an A record (it tells you the IPv4 address), and 192.168.0.1 is the IP address itself.

Other Details

;; Query time: 485 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

This tells you that it took 485 milliseconds to make the request, and that dig asked the nameserver 127.0.0.1 on port 53 for the answer. The server is very important because different nameservers might give different responses. For example, suppose you want to ask the two nameservers, ns1.ircnow.org and ns2.ircnow.org, what the correct answer is:

$ dig @ns1.ircnow.org example.ircnow.org
$ dig @ns2.ircnow.org example.ircnow.org

The two nameservers might give different answers!

To test if your changes have propagated (other nameservers have synced), you can try testing other public nameservers like the ones offered by OpenNIC.
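The comparison described above, as an added example that is not part of the original page: shell functions that read dig output, report its status, and check whether two nameservers returned the same records. The function names and the sample outputs (including the address 192.168.0.2) are constructed for illustration.

```sh
#!/bin/sh
# Print the header status (NOERROR, NXDOMAIN, ...), or TIMEOUT if no server replied.
dig_status() {
    printf '%s\n' "$1" | awk '
        /connection timed out; no servers could be reached/ { s = "TIMEOUT" }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
        }
        END { print (s == "" ? "UNKNOWN" : s) }'
}

# Print ANSWER SECTION records as "name type rdata", sorted. The TTL is
# dropped because a caching resolver counts it down between queries.
dig_answers() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^$/ || /^;/          { in_ans = 0 }
        in_ans {
            rdata = $5
            for (i = 6; i <= NF; i++) rdata = rdata " " $i
            print tolower($1), $4, rdata
        }' | sort
}

# Succeed only if both outputs are NOERROR and carry the same records.
same_answer() {
    [ "$(dig_status "$1")" = NOERROR ] &&
    [ "$(dig_status "$2")" = NOERROR ] &&
    [ "$(dig_answers "$1")" = "$(dig_answers "$2")" ]
}

# Constructed sample outputs (not real captures); 192.168.0.2 is a made-up stale value.
NS1_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15341
;; ANSWER SECTION:
example.ircnow.org.             3600    IN      A       192.168.0.1
'
NS2_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15342
;; ANSWER SECTION:
example.ircnow.org.             3600    IN      A       192.168.0.2
'
TIMEOUT_OUT=';; connection timed out; no servers could be reached'

if same_answer "$NS1_OUT" "$NS2_OUT"; then
    echo "nameservers agree"
else
    echo "nameservers disagree or a lookup failed"
fi
```

Against live servers, pass the real output instead of the samples: `same_answer "$(dig @ns1.ircnow.org example.ircnow.org)" "$(dig @ns2.ircnow.org example.ircnow.org)"`.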

Getting Other Records

By default, dig returns A records, but there are many other records:

$ dig -t any example.ircnow.org # shows all records
$ dig -t mx example.ircnow.org # shows MX (mail exchange) records
$ dig -t ns example.ircnow.org # shows NS (nameserver) records
$ dig -t aaaa example.ircnow.org # shows AAAA (IPv6) records
$ dig -t txt example.ircnow.org # shows TXT (text) records