dig Cheat Sheet
DNS lookup utility for querying record types, tracing resolution, and debugging DNSSEC.
Overview
dig (Domain Information Groper) queries DNS servers for A, AAAA, MX, TXT, NS, CNAME, PTR, SRV, and other records. Essential for manual verification after automated enumeration and for AD/internal DNS analysis.
Authorized testing only. Querying internal DNS may reveal sensitive hostnames—handle logs and data per engagement NDA.
Install
bind9-utils / dnsutils
```sh
sudo apt install -y dnsutils
dig -v
```
Essential commands
A record (short answer)
```sh
dig +short target.example.com A
```
Any record type
```sh
dig target.example.com MX
dig target.example.com TXT
```
Specific resolver
```sh
dig @8.8.8.8 target.example.com
```
Reverse DNS
```sh
dig +short -x 10.10.10.5
```
Common workflows
Zone transfer attempt
```sh
dig axfr @ns1.target.example.com target.example.com
dig axfr target.example.com @ns1.target.example.com +authority
```
Trace resolution path
```sh
dig +trace target.example.com
```
DNSSEC validation
```sh
dig target.example.com +dnssec
dig DNSKEY target.example.com +multi
```
SRV / AD records
```sh
dig +short _ldap._tcp.dc._msdcs.corp.local SRV
dig +short _kerberos._tcp.corp.local SRV
```
Batch from file
```sh
while read -r h; do dig +short "$h" A; done < hosts.txt
```
Flags reference
| Flag | Meaning |
|---|---|
| @server | Query specific nameserver |
| +short | Minimal output |
| +trace | Iterative resolution from root |
| +dnssec | Request DNSSEC records |
| -x | Reverse lookup for IP |
| +tcp | Use TCP (large responses, AXFR) |
| +noall +answer | Clean answer section only |
| -4 / -6 | Force IPv4 or IPv6 |
| -f filename | Batch queries |
Tips
- Use +tcp for zone transfers (axfr)—many servers require TCP for AXFR.
- Compare results from authoritative NS vs public resolver to spot split-horizon DNS.
- dig -t ANY is often blocked or deprecated—query specific types.
- Pair with host and nslookup for quick checks; dig is most scriptable.
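Two of the items above (the SRV / AD records workflow and the split-horizon tip) benefit from post-processing dig's output rather than eyeballing it. The script below is an added example, not part of the original cheat sheet: it normalises `+noall +answer` output so the answers from two resolvers can be diffed, and ranks `+short` SRV answers by priority and weight. The `query` wrapper shows the live dig invocation; the demo itself runs offline on constructed sample output (all hostnames, IPs and answer text are made up for illustration).

```sh
#!/bin/sh
# Added example (not part of the original cheat sheet): post-process dig output
# to spot split-horizon answers and to rank SRV targets. All hostnames, IPs
# and the sample answer text below are constructed for illustration.

# Live query helper: clean answer section only, over TCP. Not called by the
# offline demo below; shown so the parsing functions have an obvious input.
query() {
  # usage: query <server> <name> <type>
  dig +noall +answer +tcp "@$1" "$2" "$3"
}

# Normalise an answer section (stdin) to "name type rdata", one per line:
# comment lines dropped, TTL and class removed, owner name lowercased, sorted.
normalize() {
  awk '$1 !~ /^;/ && NF >= 5 {
         rdata = $5
         for (i = 6; i <= NF; i++) rdata = rdata " " $i
         print tolower($1), $4, rdata
       }' | sort -u
}

# Compare two answer texts; print records seen from only one side.
# Records identical in name, type and rdata are suppressed.
compare_views() {
  # usage: compare_views "<answer text A>" "<answer text B>"
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | normalize > "$a"
  printf '%s\n' "$2" | normalize > "$b"
  comm -3 "$a" "$b" | awk '/^\t/ { sub(/^\t/, ""); print "only_b:", $0; next }
                           { print "only_a:", $0 }'
  rm -f "$a" "$b"
}

# Turn `dig +short <name> SRV` output ("priority weight port target") into
# "target:port" lines, most preferred first (lowest priority, then highest
# weight), e.g. to verify which domain controllers the domain advertises.
srv_targets() {
  awk 'NF == 4 { print $1, -$2, $4 ":" $3 }' | sort -k1,1n -k2,2n | awk '{ print $3 }'
}

# Constructed samples: what `query ns1.target.example.com www.target.example.com A`
# (internal view) and `query 8.8.8.8 www.target.example.com A` (public view)
# might return if the zone is served split-horizon.
INTERNAL_VIEW='www.target.example.com. 300 IN CNAME target.example.com.
target.example.com. 300 IN A 10.10.10.5'
PUBLIC_VIEW='www.target.example.com. 300 IN CNAME target.example.com.
target.example.com. 300 IN A 203.0.113.10'

# Constructed sample of `dig +short _ldap._tcp.dc._msdcs.corp.local SRV`.
SRV_SAMPLE='0 100 389 dc01.corp.local.
0 50 389 dc02.corp.local.
10 100 389 dc03.corp.local.'

# Offline demonstration on the samples above (no network needed):
#   sh dig_views.sh demo
if [ "${1:-}" = "demo" ]; then
  compare_views "$INTERNAL_VIEW" "$PUBLIC_VIEW"
  printf '%s\n' "$SRV_SAMPLE" | srv_targets
fi
```

On the sample data `compare_views` reports only the two A records that differ (the shared CNAME is suppressed), which is exactly the signal of a split-horizon zone; to use it live, capture `query <authoritative-ns> <name> <type>` and `query 8.8.8.8 <name> <type>` into variables and pass those instead. `srv_targets` keeps the trailing dot on target names as dig prints them, so the output can be fed back into further dig queries unchanged.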