dig.html revision abe69df9a7de5cda07a2b8e19e8b7c981bcd7a9d
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Copyright (C) 2000-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
d60212e03fbef1d3dd7f7eb05c0545cc373cb9fcAutomatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
9c49c394b4218cc9c743a372a8fcfb787f5ea8caAndreas Gustafsson - file, You can obtain one at http://mozilla.org/MPL/2.0/.
9c49c394b4218cc9c743a372a8fcfb787f5ea8caAndreas Gustafsson<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<a name="man.dig"></a><div class="titlepage"></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein — DNS lookup utility
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>]
26e2a07a0b6a3b1eccef82ba31270d0c54ad4f06Mark Andrews [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>]
030aac3dbc57f99bad1d251b0783890ff0369952Automatic Updater [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
d60212e03fbef1d3dd7f7eb05c0545cc373cb9fcAutomatic Updater [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [queryopt...]
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews [global-queryopt...]
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <p><span class="command"><strong>dig</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein (domain information groper) is a flexible tool
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for interrogating DNS name servers. It performs DNS lookups and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein displays the answers that are returned from the name server(s) that
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein were queried. Most DNS administrators use <span class="command"><strong>dig</strong></span> to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein troubleshoot DNS problems because of its flexibility, ease of use and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein clarity of output. Other lookup tools tend to have less functionality
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein than <span class="command"><strong>dig</strong></span>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Although <span class="command"><strong>dig</strong></span> is normally used with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein command-line
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein arguments, it also has a batch mode of operation for reading lookup
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein requests from a file. A brief summary of its command-line arguments
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and options is printed when the <code class="option">-h</code> option is given.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Unlike earlier versions, the BIND 9 implementation of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dig</strong></span> allows multiple lookups to be issued
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein command line.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Unless it is told to query a specific name server,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dig</strong></span> will try each of the servers listed in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">/etc/resolv.conf</code>. If no usable server addresses
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are found, <span class="command"><strong>dig</strong></span> will send the query to the local
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When no command line arguments or options are given,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dig</strong></span> will perform an NS query for "." (the root).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein It is possible to set per-user defaults for <span class="command"><strong>dig</strong></span> via
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">${HOME}/.digrc</code>. This file is read and
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews any options in it
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews are applied before the command line arguments.
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews The IN and CH class names overlap with the IN and CH top level
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews domain names. Either use the <code class="option">-t</code> and
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews <code class="option">-c</code> options to specify the type and class,
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews use the <code class="option">-q</code> the specify the domain name, or
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews use "IN." and "CH." when looking up these top level domains.
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews A typical invocation of <span class="command"><strong>dig</strong></span> looks like:
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews<pre class="programlisting"> dig @server name type </pre>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="variablelist"><dl class="variablelist">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="constant">server</code></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews is the name or IP address of the name server to query. This
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews can be an IPv4 address in dotted-decimal notation or an IPv6
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews address in colon-delimited notation. When the supplied
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <em class="parameter"><code>server</code></em> argument is a hostname,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dig</strong></span> resolves that name before querying
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews that name server.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews If no <em class="parameter"><code>server</code></em> argument is
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews provided, <span class="command"><strong>dig</strong></span> consults
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <code class="filename">/etc/resolv.conf</code>; if an
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews address is found there, it queries the name server at
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews that address. If either of the <code class="option">-4</code> or
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <code class="option">-6</code> options are in use, then
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews only addresses for the corresponding transport
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews will be tried. If no usable addresses are found,
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>dig</strong></span> will send the query to the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein local host. The reply from the name server that
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews responds is displayed.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="constant">name</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is the name of the resource record that is to be looked up.
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews<dt><span class="term"><code class="constant">type</code></span></dt>
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews indicates what type of query is required —
b98225ff8a5721a998ccb440df4d261488fef163Mark Andrews ANY, A, MX, SIG, etc.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>type</code></em> can be any valid query
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>type</code></em> argument is supplied,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dig</strong></span> will perform a lookup for an
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <div class="variablelist"><dl class="variablelist">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Use IPv4 only.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Use IPv6 only.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-b <em class="replaceable"><code>address[<span class="optional">#port</span>]</code></em></span></dt>
9a41f786b167a2a6df498d5e9c699f9835e1e9dcMark Andrews Set the source IP address of the query.
9a41f786b167a2a6df498d5e9c699f9835e1e9dcMark Andrews The <em class="parameter"><code>address</code></em> must be a valid address on
9a41f786b167a2a6df498d5e9c699f9835e1e9dcMark Andrews one of the host's network interfaces, or "0.0.0.0" or "::". An
9a41f786b167a2a6df498d5e9c699f9835e1e9dcMark Andrews optional port may be specified by appending "#<port>"
9a41f786b167a2a6df498d5e9c699f9835e1e9dcMark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
9a41f786b167a2a6df498d5e9c699f9835e1e9dcMark Andrews Set the query class. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein default <em class="parameter"><code>class</code></em> is IN; other classes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are HS for Hesiod records or CH for Chaosnet records.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Batch mode: <span class="command"><strong>dig</strong></span> reads a list of lookup
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein requests to process from the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein given <em class="parameter"><code>file</code></em>. Each line in the file
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein should be organized in the same way they would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein presented as queries to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>dig</strong></span> using the command-line interface.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein domain, which is no longer in use. Obsolete bit string
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein label queries (RFC2874) are not attempted.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sign queries using TSIG using a key read from the given file.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Key files can be generated using
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="refentrytitle">tsig-keygen</span>(8)
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When using TSIG authentication with <span class="command"><strong>dig</strong></span>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the name server that is queried needs to know the key and
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein algorithm that is being used. In BIND, this is done by
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein providing appropriate <span class="command"><strong>key</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and <span class="command"><strong>server</strong></span> statements in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Enable memory usage debugging.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Send the query to a non-standard port on the server,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein instead of the default port 53. This option would be used
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to test a name server that has been configured to listen
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for queries on a non-standard port number.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The domain name to query. This is useful to distinguish
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the <em class="parameter"><code>name</code></em> from other arguments.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The resource record type to query. It can be any valid query type
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein supported in BIND 9. The default query type is "A", unless the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="option">-x</code> option is supplied to indicate a reverse lookup.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein A zone transfer can be requested by specifying a type of AXFR. When
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein an incremental zone transfer (IXFR) is required, set the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The incremental zone transfer will contain the changes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein made to the zone since the serial number in the zone's SOA
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Print the version number and exit.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Simplified reverse lookups, for mapping addresses to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein names. The <em class="parameter"><code>addr</code></em> is an IPv4 address
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein in dotted-decimal notation, or a colon-delimited IPv6
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein address. When the <code class="option">-x</code> is used, there is no
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein need to provide
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and <em class="parameter"><code>type</code></em>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein arguments. <span class="command"><strong>dig</strong></span> automatically performs a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein lookup for a name like
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="literal">94.2.0.192.in-addr.arpa</code> and sets the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein query type and class to PTR and IN respectively. IPv6
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein addresses are looked up using nibble format under the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein IP6.ARPA domain (but see also the <code class="option">-i</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sign queries using TSIG with the given authentication key.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>keyname</code></em> is the name of the key, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein valid choices are <code class="literal">hmac-md5</code>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is not specified, the default is <code class="literal">hmac-md5</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or if MD5 was disabled <code class="literal">hmac-sha256</code>.
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews NOTE: You should use the <code class="option">-k</code> option and
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews avoid the <code class="option">-y</code> option, because
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews with <code class="option">-y</code> the shared secret is supplied as
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews a command line argument in clear text. This may be visible
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews in the output from
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews or in a history file maintained by the user's shell.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <p><span class="command"><strong>dig</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein provides a number of query options which affect
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews the way in which lookups are made and the results displayed. Some of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein these set or reset flag bits in the query header, some determine which
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein sections of the answer get printed, and others determine the timeout
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and retry strategies.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Each query option is identified by a keyword preceded by a plus sign
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein (<code class="literal">+</code>). Some keywords set or reset an
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein option. These may be preceded
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein by the string <code class="literal">no</code> to negate the meaning of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that keyword. Other
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein keywords assign values to options like the timeout interval. They
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein have the form <code class="option">+keyword=value</code>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Keywords may be abbreviated, provided the abbreviation is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein unambiguous; for example, <code class="literal">+cd</code> is equivalent
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The query options are:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="variablelist"><dl class="variablelist">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the "aa" flag in the query.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Display [do not display] the additional section of a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reply. The default is to display it.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein Set [do not set] the AD (authentic data) bit in the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein query. This requests the server to return whether
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein all of the answer and authority sections have all
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein been validated as secure according to the security
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein policy of the server. AD=1 indicates that all records
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein have been validated as secure and the answer is not
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein from a OPT-OUT range. AD=0 indicate that some part
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein of the answer was insecure or not validated. This
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein bit is set by default.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]all</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set or clear all display flags.
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Display [do not display] the answer section of a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reply. The default is to display it.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Display [do not display] the authority section of a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reply. The default is to display it.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]badcookie</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Retry lookup with the new server cookie if a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein BADCOOKIE response is received.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Attempt to display the contents of messages which are
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein malformed. The default is to not display malformed
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set the UDP message buffer size advertised using EDNS0
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to <em class="parameter"><code>B</code></em> bytes. The maximum and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein minimum sizes of this buffer are 65535 and 0 respectively.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Values outside this range are rounded up or down
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein appropriately. Values other than zero will cause a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein EDNS query to be sent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set [do not set] the CD (checking disabled) bit in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the query. This requests the server to not perform
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein DNSSEC validation of responses.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]class</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Display [do not display] the CLASS when printing the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Toggles the printing of the initial comment in the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein output identifying the version of <span class="command"><strong>dig</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and the query options that have been applied. This
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein comment is printed by default.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Toggle the display of comment lines in the output.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The default is to print comments.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Send a COOKIE EDNS option, with optional
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein value. Replaying a COOKIE from a previous response will
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein allow the server to identify a previous client. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span class="command"><strong>+cookie</strong></span> is also set when +trace
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is set to better emulate the default queries from a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Toggle the display of cryptographic fields in DNSSEC
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein records. The contents of these field are unnecessary
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to debug most DNSSEC validation failures and removing
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein them makes it easier to see the common failures. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein default is to display the fields. When omitted they
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are replaced by the string "[omitted]" or in the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein DNSKEY case the key id is displayed as the replacement,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein e.g. "[ key id = value ]".
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Deprecated, treated as a synonym for
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein <em class="parameter"><code>+[no]search</code></em>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Requests DNSSEC records be sent by setting the DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein OK bit (DO) in the OPT record in the additional section
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein of the query.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set the search list to contain the single domain
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein <em class="parameter"><code>somename</code></em>, as if specified in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a <span class="command"><strong>domain</strong></span> directive in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">/etc/resolv.conf</code>, and enable
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein search list processing as if the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>+search</code></em> option were given.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+dscp=value</code></span></dt>
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein Set the DSCP code point to be used when sending the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein query. Valid DSCP code points are in the range
8d709e3ee443222cd35e44eadc9a4c0a8d92fec2Rob Austein [0..63]. By default no code point is explicitly set.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specify the EDNS version to query with. Valid values
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are 0 to 255. Setting the EDNS version will cause
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews a EDNS query to be sent. <code class="option">+noedns</code>
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews clears the remembered EDNS version. EDNS is set to
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews 0 by default.
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews<dt><span class="term"><code class="option">+[no]ednsflags[=#]</code></span></dt>
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews Set the must-be-zero EDNS flags bits (Z bits) to the
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews specified value. Decimal, hex and octal encodings are
21d493fc392d472086ad3c7c4563b7cadcb06788Mark Andrews accepted. Setting a named flag (e.g. DO) will silently be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein ignored. By default, no Z bits are set.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]ednsnegotiation</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Enable / disable EDNS version negotiation. By default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein EDNS version negotiation is enabled.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]ednsopt[=code[:value]]</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specify EDNS option with code point <code class="option">code</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and optionally payload of <code class="option">value</code> as a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein hexadecimal string. <code class="option">code</code> can be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein either an EDNS option name (for example,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="literal">NSID</code> or <code class="literal">ECS</code>),
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or an arbitrary numeric value. <code class="option">+noednsopt</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein clears the EDNS options to be sent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]expire</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Send an EDNS Expire option.
9c49c394b4218cc9c743a372a8fcfb787f5ea8caAndreas Gustafsson<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Do not try the next server if you receive a SERVFAIL.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The default is to not try the next server which is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the reverse of normal stub resolver behavior.
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews<dt><span class="term"><code class="option">+[no]header-only</code></span></dt>
9c49c394b4218cc9c743a372a8fcfb787f5ea8caAndreas Gustafsson Send a query with a DNS header without a question section.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The default is to add a question section. The query type
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and query name are ignored when this is set.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Show [or do not show] the IP address and port number
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that supplied the answer when the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>+short</code></em> option is enabled. If
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein short form answers are requested, the default is not
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to show the source address and port number of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein server that provided the answer.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]idnout</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Convert [do not convert] puny code on output.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This requires IDN SUPPORT to have been enabled at
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein compile time. The default is to convert output.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Ignore truncation in UDP responses instead of retrying
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein with TCP. By default, TCP retries are performed.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]keepopen</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Keep the TCP socket open between queries and reuse
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein it rather than creating a new TCP socket for each
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein lookup. The default is <code class="option">+nokeepopen</code>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]mapped</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Allow mapped IPv4 over IPv6 addresses to be used. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Print records like the SOA records in a verbose
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein multi-line format with human-readable comments. The
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein default is to print each record on a single line, to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein facilitate machine parsing of the <span class="command"><strong>dig</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set the number of dots that have to appear in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for it to be considered absolute. The default value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is that defined using the ndots statement in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">/etc/resolv.conf</code>, or 1 if no
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein ndots statement is present. Names with fewer dots
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are interpreted as relative names and will be searched
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for in the domains listed in the <code class="option">search</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or <code class="option">domain</code> directive in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">/etc/resolv.conf</code> if
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Include an EDNS name server ID request when sending
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When this option is set, <span class="command"><strong>dig</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein attempts to find the authoritative name servers for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the zone containing the name being looked up and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein display the SOA record that each name server has for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Print only one (starting) SOA record when performing
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein an AXFR. The default is to print both the starting
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and ending SOA records.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]opcode=value</code></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set [restore] the DNS message opcode to the specified
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein value. The default value is QUERY (0).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term"><code class="option">+[no]qr</code></span></dt>