DIG is a command-line utility used for making DNS queries and displaying their results. For some purposes, it is a much better tool than nslookup. DIG runs on Linux and Windows equally well, and is probably available for most other operating systems too. If you have Linux, DIG is probably already there.
Installation of DIG on Windows is simple. I recommend putting all of the files in c:\dig and putting that on your PATH. There is a resolv.conf file in the dig directory; you can add a nameserver directive to specify a default nameserver so you don't always have to type the nameserver in every DIG command. You can also specify a search directive; this will only be used if in your DIG command you add +search.
Here are some common usage scenarios for DIG. In these examples, 1.1.1.1 will be the nameserver we are querying. By the way, RR stands for resource record, which is DNS-speak for any kind of record (SOA, A, NS, PTR, etc.).
    dig @1.1.1.1 www.amazon.com

    ; <<>> DiG 9.3.2 <<>> @1.1.1.1 www.amazon.com
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1605    <-- look here for status
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;www.amazon.com. IN A

    ;; ANSWER SECTION:
    www.amazon.com. 54 IN A 72.21.210.11    <-- the answer

    ;; AUTHORITY SECTION:
    www.amazon.com. 317 IN NS ns-911.amazon.com.
    www.amazon.com. 317 IN NS ns-912.amazon.com.
    www.amazon.com. 317 IN NS ns-921.amazon.com.
    www.amazon.com. 317 IN NS ns-923.amazon.com.

    ;; ADDITIONAL SECTION:
    ns-923.amazon.com. 420 IN A 72.21.204.208
    ns-921.amazon.com. 420 IN A 72.21.192.209
    ns-912.amazon.com. 52 IN A 207.171.191.123
    ns-911.amazon.com. 420 IN A 207.171.178.13

    ;; Query time: 0 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Fri Aug 01 07:52:15 2008
    ;; MSG SIZE rcvd: 196
In the answer for www.amazon.com above, note that the remaining TTL is 54 seconds. If you repeat this query over and over this number will change. It looks like it starts at 60. Whenever you see a value like this that changes, it means that the DNS server answering you has the RR in cache. Once the TTL expires, the DNS server will have to refresh the cache, doing another lookup, and the TTL will jump back up to the max.
    dig @1.1.1.1 www.arthgen.com

    ; <<>> DiG 9.3.2 <<>> @1.1.1.1 www.arthgen.com
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1996    <-- status is NXDOMAIN
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.arthgen.com. IN A
                                                                 <-- no ANSWER SECTION
    ;; AUTHORITY SECTION:
    com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1217591762 1800 900 604800 900

    ;; Query time: 90 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Fri Aug 01 07:56:14 2008
    ;; MSG SIZE rcvd: 106
    dig @1.1.1.1 www.amazon.com +short
    72.21.210.11

    dig @1.1.1.1 www.arthgen.com +short
    dig @1.1.1.1 -x 12.127.16.68

    ; <<>> DiG 9.3.2 <<>> @1.1.1.1 -x 12.127.16.68
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2016
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;68.16.127.12.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    68.16.127.12.in-addr.arpa. 3600 IN PTR smtu.mt.rs.els-gms.att.net.

    ;; Query time: 20 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Fri Aug 01 08:04:00 2008
    ;; MSG SIZE rcvd: 83
    dig @1.1.1.1 godaddy.com mx

    ; <<>> DiG 9.3.2 <<>> @1.1.1.1 godaddy.com mx
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1922
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;godaddy.com. IN MX

    ;; ANSWER SECTION:
    godaddy.com. 313 IN MX 0 smtp.secureserver.net.
    godaddy.com. 313 IN MX 10 mailstore1.secureserver.net.

    ;; AUTHORITY SECTION:
    godaddy.com. 2619 IN NS cns3.secureserver.net.
    godaddy.com. 2619 IN NS cns2.secureserver.net.
    godaddy.com. 2619 IN NS cns1.secureserver.net.

    ;; ADDITIONAL SECTION:
    mailstore1.secureserver.net. 2056 IN A 64.202.166.11
    cns3.secureserver.net. 3133 IN A 216.69.160.22
    cns1.secureserver.net. 20747 IN A 64.202.167.31
    cns2.secureserver.net. 656 IN A 216.69.185.100

    ;; Query time: 30 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Fri Aug 01 08:10:04 2008
    ;; MSG SIZE rcvd: 214
If you want to infer whether anyone using a particular DNS server has visited a host recently, you can specify a non-recursive
query. Most DNS servers will obey this request, although this is not
required. For security reasons some better DNS server software can be
configured to intentionally ignore requests not to recurse.
In the example below we check to see whether an A record for www.competitor.com is in the cache of DNS server 1.1.1.1.
If you see an output like the one below, with no answer section and a list of root servers, you know that the RR you looked up is not in the cache.
    dig @1.1.1.1 www.competitor.com +norecurse

    ; <<>> DiG 9.3.2 <<>> @1.1.1.1 www.competitor.com +norecurse
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 677
    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

    ;; QUESTION SECTION:
    ;www.competitor.com. IN A

    ;; AUTHORITY SECTION:
    com. 16002 IN NS a.gtld-servers.net.
    com. 16002 IN NS k.gtld-servers.net.
    com. 16002 IN NS e.gtld-servers.net.
    com. 16002 IN NS l.gtld-servers.net.
    com. 16002 IN NS c.gtld-servers.net.
    com. 16002 IN NS i.gtld-servers.net.
    com. 16002 IN NS d.gtld-servers.net.
    com. 16002 IN NS m.gtld-servers.net.
    com. 16002 IN NS h.gtld-servers.net.
    com. 16002 IN NS f.gtld-servers.net.
    com. 16002 IN NS b.gtld-servers.net.
    com. 16002 IN NS g.gtld-servers.net.
    com. 16002 IN NS j.gtld-servers.net.

    ;; ADDITIONAL SECTION:
    f.gtld-servers.net. 103822 IN A 192.35.51.30
    d.gtld-servers.net. 113177 IN A 192.31.80.30
    j.gtld-servers.net. 16151 IN A 192.48.79.30
    i.gtld-servers.net. 112995 IN A 192.43.172.30
    l.gtld-servers.net. 103644 IN A 192.41.162.30
    c.gtld-servers.net. 91839 IN A 192.26.92.30
    g.gtld-servers.net. 91851 IN A 192.42.93.30
    m.gtld-servers.net. 112995 IN A 192.55.83.30
    k.gtld-servers.net. 91668 IN A 192.52.178.30
    b.gtld-servers.net. 18001 IN A 192.33.14.30
    b.gtld-servers.net. 21877 IN AAAA 2001:503:231d::2:30
    e.gtld-servers.net. 103729 IN A 192.12.94.30
    a.gtld-servers.net. 91759 IN A 192.5.6.30
    a.gtld-servers.net. 92620 IN AAAA 2001:503:a83e::2:30

    ;; Query time: 30 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Fri Aug 01 08:14:02 2008
    ;; MSG SIZE rcvd: 507
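Reading these responses by script, as an added example that is not part of the original page: the function names and verdict strings are assumptions, and the two samples are abridged from the outputs shown on this page with the annotations removed. It reports the status, flags, answer count and lowest answer TTL, then classifies a +norecurse reply from a resolver you operate.

```shell
#!/bin/sh
# dig_summary: dig output on stdin -> "STATUS FLAGS ANSWER_COUNT MIN_ANSWER_TTL"
dig_summary() {
  awk '
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
      flags = $0; sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
      gsub(/ /, ",", flags)
      for (i = 1; i < NF; i++) if ($i == "ANSWER:") answers = $(i + 1) + 0
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ || /^;;/         { in_answer = 0 }
    in_answer && NF >= 5  { if (ttl == "" || $2 + 0 < ttl) ttl = $2 + 0 }
    END { print status, flags, answers + 0, (ttl == "" ? "-" : ttl) }
  '
}

# classify_norecurse: verdict for a +norecurse reply from a resolver you operate
classify_norecurse() {
  dig_summary | {
    read -r status flags answers ttl
    case "$status:$answers" in
      REFUSED:*) echo "refused" ;;                     # server declined to answer
      NOERROR:0) echo "not-in-cache" ;;                # referral only, no answer
      NOERROR:*) echo "served-from-cache ttl=$ttl" ;;  # RR was already cached
      *)         echo "other status=$status" ;;
    esac
  }
}

# Abridged from the page's www.amazon.com output (annotations removed).
SAMPLE_CACHED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1605
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; ANSWER SECTION:
www.amazon.com. 54 IN A 72.21.210.11'

# Abridged from the page's +norecurse output for www.competitor.com.
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 677
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; AUTHORITY SECTION:
com. 16002 IN NS a.gtld-servers.net.'

printf '%s\n' "$SAMPLE_CACHED"   | dig_summary          # NOERROR qr,rd,ra 1 54
printf '%s\n' "$SAMPLE_REFERRAL" | classify_norecurse   # not-in-cache
```

A verdict of served-from-cache means the resolver reveals cache contents to whoever sent the query; in BIND, the allow-query-cache option restricts which clients get answers from the cache.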
There are so many options for DIG that some start with - and some start with +. Use dig -h to see a list of them.