Troubleshooting DNS with dig
dig is a DNS lookup utility which is invaluable for helping troubleshoot DNS errors.
To look up the IPv4 address of a hostname, run:
$ dig example.ircnow.org
; <<>> dig 9.10.8-P1 <<>> example.ircnow.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15341
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.ircnow.org. IN A
;; ANSWER SECTION:
example.ircnow.org. 3600 IN A 192.168.0.1
;; Query time: 485 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 21 12:31:44 CST 2020
;; MSG SIZE rcvd: 55
Success or Failure
status: NOERROR
This indicates that the name lookup succeeded.
status: NXDOMAIN
This indicates that the name server believes there are no records for the hostname. In other words, the name server for the zone exists, but the record does not.
;; connection timed out; no servers could be reached
This indicates that your computer cannot reach the nameservers in /etc/resolv.conf. Please reconfigure your local caching nameservers.
Answer Section
;; ANSWER SECTION:
example.ircnow.org. 3600 IN A 192.168.0.1
The 3600 means that this entry has a time to live (TTL) value of 3600s. After 3600s, or 1 hour, the answer will no longer be valid. A means this is an A record (it tells you the IPv4 address), and the IP address is 192.168.0.1.
Other Details
;; Query time: 485 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
This tells you that it took 485 milliseconds to make the request, and that dig asked the nameserver 127.0.0.1 on port 53 for the answer. The server is very important because different nameservers might give different responses. For example, suppose you want to ask the two nameservers, ns1.ircnow.org and ns2.ircnow.org, what the correct answer is:
$ dig @ns1.ircnow.org example.ircnow.org
$ dig @ns2.ircnow.org example.ircnow.org
The two nameservers might give different answers!
To test if your changes have propagated (other nameservers have synced), you can try testing other public nameservers like the ones offered by OpenNIC.
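The comparison described above, written as a script. This is an added example, not part of the original page: it asks each listed nameserver the same question, reduces every reply to the status values from "Success or Failure" plus the answer data, and returns non-zero when the servers disagree or one cannot be reached. The function names and the script name nscompare.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative.

# summarize: read dig output on stdin and print "STATUS type rdata,..." on one line.
# TTLs are dropped on purpose: caches count them down, so they differ legitimately.
summarize() {
    out=$(cat)
    case $out in
        *"no servers could be reached"*) echo "TIMEOUT"; return 0 ;;
    esac
    # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15341"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # Record lines do not start with ';' and read: name ttl class type rdata...
    rdata=$(printf '%s\n' "$out" |
        awk '!/^;/ && NF >= 5 { r = $4; for (i = 5; i <= NF; i++) r = r " " $i; print r }' |
        sort | paste -sd, -)
    echo "${status:-UNKNOWN}${rdata:+ $rdata}"
}

# compare_ns NAME SERVER...: print one line per server.
# Returns 1 if any server disagrees with the first one or cannot be reached.
compare_ns() {
    name=$1; shift
    first='' rc=0
    for ns in "$@"; do
        # +noall +comments +answer keeps only the header (status) and answer section
        got=$(dig +noall +comments +answer +time=3 +tries=1 "@$ns" "$name" A 2>&1 | summarize)
        printf '%-22s %s\n' "$ns" "$got"
        [ -n "$first" ] || first=$got
        { [ "$got" = "$first" ] && [ "$got" != TIMEOUT ]; } || rc=1
    done
    return "$rc"
}

# Example: sh nscompare.sh example.ircnow.org ns1.ircnow.org ns2.ircnow.org
if [ "$#" -ge 2 ]; then
    compare_ns "$@"
fi
```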
Getting Other Records
By default, dig returns A records, but there are many other records:
$ dig -t any example.ircnow.org # shows all records
$ dig -t mx example.ircnow.org # shows MX (mail exchange) records
$ dig -t ns example.ircnow.org # shows NS (nameserver) records
$ dig -t aaaa example.ircnow.org # shows AAAA (IPv6) records
$ dig -t txt example.ircnow.org # shows TXT (text) records
Getting PTR Record(s) of an IP address
dig can also be used to retrieve the PTR record of a given IPv4/IPv6 address.
$ dig -x 1.1.1.1 # shows PTR record of the IPv4 address
$ dig -x 2001:4860:4860::8888 # shows PTR record of the IPv6 address
Tracing the delegation path of a given address
The delegation path of a given address can be traced using dig. This is especially useful for finding out whether the delegation works as expected.
$ dig example.ircnow.org +trace
; <<>> dig 9.10.8-P1 <<>> example.ircnow.org +trace
;; global options: +cmd
. 518400 IN NS e.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20210516200000 20210503190000 14631 . bnVFcTaX1W1OiurBnLbT4UsUC2krXwFuxUulTcThjei0bDeBbNweZz/e qeps3buVQVL14TTKglTcuuxQOoacUSuznWbU3xaj+Wvxu+HLdBqD+cXP LXY/4qKG9jZLCo1h1sRg5ZUOkL13u8UaBT378Ic6AJyRTfVAiRk3S1Sy 3aWZWOVpnIM0U4RcCUZ4nZ6NPraZVeEapwk2HxkQml+twBO0rwueS0sP XV16tquBGsQhFD3w2/dQHLYhFjiU9LhaM9M6/+A7kPpPp36DpQiwT7kB dQVwWVPsMKOIr8gmrfLjfxXq46Hl/lV9k4HnLyozz3R/xs0Zp5wIxLQG LKIWZA==
;; Received 1097 bytes from 198.41.0.4#53(198.41.0.4) in 9 ms
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 86400 IN DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org. 86400 IN RRSIG DS 8 1 86400 20210516200000 20210503190000 14631 . A3Jr31VIuTGkzUFT/cWJNmkiNFYF8V9aOxwIDdca03xOFVsHzPcU5ZO8 zunq39DAer9PZgaKSSYhlGXC7WkAcrxT/lA9T83cnUTqKmbzWFnzr+wI b7+E3dzg9p63mKq/XuC0keLAAMwXHlqJy4Pe75FgzgPO3wwrqGx4tPev izbhJsUB4nrDWBJfOiGoOFXFGdX4DRdfLsjymteC0IIxPDoKvKByyP1a rDL9kUs23Ps65H6Vz/modC09a40cWNfYZaiOfFp7bkcXFJe7/544Jjki nv31EwHFF5t0TiWEPSrluiPnFC3aNphea/Q8bZ/jxWCrG98xpfSMCGA/ G9zqgA==
;; Received 784 bytes from 198.97.190.53#53(h.root-servers.net) in 95 ms
ircnow.org. 86400 IN NS mango.ircnow.org.
ircnow.org. 86400 IN NS cherry.ircnow.org.
ircnow.org. 86400 IN NS pear.ircnow.org.
ircnow.org. 86400 IN NS lemon.ircnow.org.
ircnow.org. 86400 IN NS fig.ircnow.org.
ircnow.org. 86400 IN NS peach.ircnow.org.
ircnow.org. 86400 IN NS plum.ircnow.org.
ircnow.org. 86400 IN NS banana.ircnow.org.
ircnow.org. 86400 IN NS guava.ircnow.org.
ircnow.org. 86400 IN NS jujube.ircnow.org.
1i870vj5h429vj9pci7ar6e9gki74tr7.org. 86400 IN NSEC3 1 1 10 332539EE7F95C32A 1I87R64GAJU4O91MHKBU7I9EKBS7K8UT NS SOA RRSIG DNSKEY NSEC3PARAM
1i870vj5h429vj9pci7ar6e9gki74tr7.org. 86400 IN RRSIG NSEC3 8 2 86400 20210525020414 20210504010414 30453 org. Jr1WNE6PxVRBjPaS2ocx+/QrcSHGo/Igqv2xKJZFmnU3o5CZ5Z321Oab o4aVePLpBu0xvRPMhShwEEp/1R4g+jhH/V3aiREbvV9tJNmYQXtsDVNi vB9KJJyimZRRYzu3Mmbdc0UQIiaI+v9/kuREwCvPge4gBbwRRt+BMM0X y+w=
dd5mibgab03im9bnjrjia69igfiona2m.org. 86400 IN NSEC3 1 1 10 332539EE7F95C32A DD5ND6BTBKEQ2D0352TNPA24DSKUA3DU NS DS RRSIG
dd5mibgab03im9bnjrjia69igfiona2m.org. 86400 IN RRSIG NSEC3 8 2 86400 20210522152710 20210501142710 30453 org. vJlCPFP7u+SJRx7aAwP5WPSWI5IoFZkuoT3BV0MzpxOV+3yb7PKJauKT dh8tx9WWgiQRTo6rlnl7p/uTzAfaqH4dc0qal9UfJiUQnEPwTAlAGcnZ 5EwquV1HyDmDUITNSUE/PiadxjOP4Abn6w7L6CPLv128wXebf/ReJkRB kUs=
;; Received 907 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 29 ms
ircnow.org. 3600 IN SOA ns1.ircnow.org. admin.ircnow.org. 2021032508 1800 7200 1209600 3600
;; Received 93 bytes from 198.251.89.130#53(fig.ircnow.org) in 127 ms
Here you can see that we started querying from the end of the address, '.', and moved backward.
At each nameserver in the delegation path we query for the preceding part of the address. In this example:
'.'
'org.' (answer from h.root-servers.net)
'ircnow.org.' (answer from d0.org.afilias-nst.org)
'example.ircnow.org' (answer from fig.ircnow.org)
To see your own authoritative name server in action after you have completed the nsd tutorial, run:
$ dig username.fruit.ircnow.org +trace