dig — quick reference
Basic queries
Forward lookups — map a name to records. Add +short when you only want answer values.
| When to use | Command |
|---|---|
| Short A record answers only | dig example.com +short |
| Full answer section, hide query metadata | dig example.com +noall +answer |
| Query a specific resolver | dig @8.8.8.8 example.com +short |
| Lookup MX records | dig example.com MX +short |
| Lookup NS records | dig example.com NS +short |
| Lookup TXT records (SPF, DKIM, verification) | dig example.com TXT +short |
| Reverse lookup (IP to name) | dig -x 8.8.8.8 +short |
| Force IPv4 or IPv6 query transport | dig -4 example.com +short (IPv4) / dig -6 example.com +short (IPv6) |
| Set query timeout and retry count | dig example.com +time=2 +tries=1 +short |
Advanced dig options
Trace delegation, DNSSEC, and batch mode — mostly for debugging resolver paths and authority problems.
| When to use | Command |
|---|---|
| Trace delegation from root to the name | dig example.com +trace |
| Request DNSSEC records | dig example.com +dnssec +multi |
| Read queries from a batch file | dig -f queries.txt |
| Reverse lookup via an explicit resolver | dig -x 93.184.216.34 @1.1.1.1 +short |
| Show only comments and headers (debug layout) | dig example.com +noall +comments |
| Show version | dig -v |
host — quick reference
Forward and reverse lookups
host prints human-readable lines — good for quick checks when you do not need dig's section flags.
| When to use | Command |
|---|---|
| Default A/AAAA lookup | host example.com |
| Query a specific record type | host -t MX example.com |
| Name server records | host -t NS example.com |
| TXT records | host -t TXT example.com |
| Reverse lookup by IP | host 8.8.8.8 |
| Use a specific resolver | host example.com 8.8.8.8 |
| Limit wait time (seconds) | host -W 2 example.com |
| Verbose output (similar to dig sections) | host -v example.com 8.8.8.8 |
| Force TCP instead of UDP | host -T example.com 8.8.8.8 |
| Show version | host -V |
dig and host — command syntax
Synopsis from dig -h and host usage on Ubuntu 25.04 (BIND 9.20.11):
dig [@server] name [type] [class] [queryopt...]
host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-p port] hostname [server]
Both tools send DNS queries to a resolver — by default often systemd-resolved on Ubuntu (127.0.0.53). With dig, append @8.8.8.8, @1.1.1.1, or your corporate resolver (with host, pass the server as the last argument) when you need to bypass local caching or test a specific server.
dig and host — command examples
Essential: Quick A record check with dig +short
When you only need addresses — for scripts or a fast "does this name resolve?" test — +short strips the banner and question section.
Run the command:
dig example.com +short
Sample output:
104.20.23.154
172.66.147.243
Multiple lines mean multiple A records (load balancing or CDN). Empty output with exit code 0 can mean no A records — try +trace or another type.
Essential: Readable forward lookup with host
host formats the same data in plain sentences — easier to read in terminal scrollback than dig's default multi-section dump.
Run the command:
host example.com 8.8.8.8
Sample output:
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
example.com has address 172.66.147.243
example.com has address 104.20.23.154
example.com mail is handled by 0 .
example.com has HTTP service bindings 1 . alpn="h2" ipv4hint=104.20.23.154,172.66.147.243 ipv6hint=2606:4700:10::6814:179a,2606:4700:10::ac42:93f3
The "mail is handled by" line is the MX answer (example.com publishes a null MX). Modern BIND also prints HTTPS/SVCB bindings when present.
Essential: Query MX and NS record types
Mail routing and delegation debugging need types beyond A. dig uses the type name after the domain; host uses -t.
Run the commands:
dig example.com MX +short
host -t NS example.com 8.8.8.8
Sample output:
0 .
example.com name server hera.ns.cloudflare.com.
example.com name server elliott.ns.cloudflare.com.
MX answers show priority and target host. NS answers list authoritative name servers for the zone — compare with your registrar if delegation is broken.
Common: Reverse DNS — IP address to hostname
Reverse lookups query in-addr.arpa (IPv4) or ip6.arpa (IPv6). dig -x accepts dotted-quad notation; host accepts the IP directly.
Run the commands:
dig -x 8.8.8.8 @1.1.1.1 +short
host 8.8.8.8 1.1.1.1
Sample output:
dns.google.
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:
8.8.8.8.in-addr.arpa domain name pointer dns.google.
PTR records are optional — many IPs have no reverse name. Mail servers often require matching forward and reverse DNS.
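A forward-confirmed reverse DNS check of the kind mail servers apply, as an added example that is not part of the original page. The DIG override, the fcrdns function and the fake_dig stub with its constructed names and documentation addresses are assumptions so the logic runs offline.

```shell
#!/bin/sh
# Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
# DIG is an assumed override hook so the logic can be exercised offline.
DIG=${DIG:-dig}

# fcrdns IP [RESOLVER] -> prints "pass NAME", "fail NAME" or "no-ptr"
fcrdns() {
    ip=$1
    server=${2:+@$2}
    # dig -x builds the in-addr.arpa / ip6.arpa query name for us.
    ptrs=$("$DIG" $server -x "$ip" +short +time=2 +tries=1)
    if [ -z "$ptrs" ]; then
        echo "no-ptr"
        return 2
    fi
    for name in $ptrs; do
        for type in A AAAA; do
            addrs=$("$DIG" $server "$name" "$type" +short +time=2 +tries=1)
            for addr in $addrs; do
                # Plain string match; IPv6 input must already be in compressed form.
                if [ "$addr" = "$ip" ]; then
                    echo "pass $name"
                    return 0
                fi
            done
        done
    done
    echo "fail $name"
    return 1
}

# Constructed stand-in for dig (documentation addresses, made-up names).
fake_dig() {
    case "$*" in
        *"-x 192.0.2.10 "*)          echo "mail.example.test." ;;
        *"-x 192.0.2.20 "*)          echo "relay.example.test." ;;
        *"mail.example.test. A "*)   echo "192.0.2.10" ;;
        *"relay.example.test. A "*)  echo "198.51.100.7" ;;
    esac
}

# Demo against the stub; drop these lines and leave DIG unset to use real dig.
DIG=fake_dig
fcrdns 192.0.2.10 || true     # pass mail.example.test.
fcrdns 192.0.2.20 || true     # fail relay.example.test.
fcrdns 203.0.113.5 || true    # no-ptr
```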
Common: dig with +noall +answer for scripts
Hide everything except the answer section — a middle ground between verbose dig and bare +short.
Run the command:
dig @8.8.8.8 example.com +noall +answer
Sample output:
example.com. 258 IN A 104.20.23.154
example.com. 258 IN A 172.66.147.243
Columns are owner name, TTL, class, type, and rdata. TTL counts down so you can see caching behaviour during cutovers.
Common: Read TXT records (SPF, DKIM, domain verification)
TXT holds SPF policies, DKIM public keys, and vendor verification strings. Quotes in output are normal.
Run the command:
dig example.com TXT +short
Sample output:
"v=spf1 -all"
"_k2n1y4vw3qtb4skdx9e7dxt97qrmmq9"
Parse carefully in scripts — TXT strings may contain spaces and multiple chunks per name.
Common: NXDOMAIN — name does not exist
A negative answer means the name is not in the DNS tree (typo, expired domain, or wrong zone). Both tools report it clearly.
Run the commands:
dig @8.8.8.8 nonexistent.invalid +time=1 +tries=1 +short
host -W 1 nonexistent.invalid 8.8.8.8
Sample output:
Host nonexistent.invalid not found: 3(NXDOMAIN)
dig shows status: NXDOMAIN in the header when run without +short. Distinguish NXDOMAIN (name missing) from timeout (network or resolver unreachable).
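A script-side version of that distinction, as an added example that is not from the original page: classify full dig output by its header status so a missing name, an empty answer and an unreachable resolver give different results. The dig_status function, its exit codes and the sample captures are assumptions constructed for illustration.

```shell
#!/bin/sh
# dig_status: read full dig output (no +short) on stdin and print one of
# NXDOMAIN, SERVFAIL, NODATA, NOERROR, UNREACHABLE or UNKNOWN.
# Exit code: 0 answer present, 1 negative answer, 2 resolver or server problem.
dig_status() {
    awk '
        /no servers could be reached/ { unreachable = 1 }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            for (i = 1; i < NF; i++)
                if ($i == "ANSWER:") { answers = $(i + 1) + 0 }
        }
        END {
            if (status == "") { status = (unreachable ? "UNREACHABLE" : "UNKNOWN") }
            else if (status == "NOERROR" && answers == 0) { status = "NODATA" }
            print status
            if (status == "NOERROR") exit 0
            exit ((status == "NXDOMAIN" || status == "NODATA") ? 1 : 2)
        }'
}

# Constructed captures shaped like dig output (ids and addresses are made up).
sample_nxdomain() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
}
sample_nodata() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
}
sample_unreachable() {
    cat <<'EOF'
;; communications error to 192.0.2.53#53: timed out
;; no servers could be reached
EOF
}

sample_nxdomain | dig_status || true      # NXDOMAIN
sample_nodata | dig_status || true        # NODATA
sample_unreachable | dig_status || true   # UNREACHABLE
```

NODATA is the header-level form of the "empty output with exit code 0" case: the name exists but has no record of the requested type.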
Advanced: Trace delegation with dig +trace
+trace starts at the root servers and follows NS delegations until it reaches the authoritative zone — invaluable when a subdomain works in one region but not another.
Run the command:
dig @8.8.8.8 example.com +trace 2>&1 | head -20
Sample output (truncated):
; <<>> DiG 9.20.11-0ubuntu0.2-Ubuntu <<>> @8.8.8.8 example.com +trace
; (1 server found)
;; global options: +cmd
. 87203 IN NS b.root-servers.net.
. 87203 IN NS h.root-servers.net.
...
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 38 ms
Each hop shows which server answered and which NS records were returned. Compare the final authority section with the NS you expect at the registrar.
Advanced: Resolver timeout vs slow authority
When lookups hang, cap wait time and retries so scripts fail fast. Specify the resolver explicitly to test whether the problem is local cache or upstream.
Run the command:
host -W 2 example.com 8.8.8.8
Sample output (success):
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
example.com has address 172.66.147.243
example.com has address 104.20.23.154
If you see no servers could be reached, check firewall rules for UDP/TCP port 53, VPN split DNS, and whether systemd-resolved is forwarding correctly (resolvectl status).
dig and host — when to use / when not
| Use dig / host when | Use something else when |
|---|---|
|
|
dig vs host
| | dig | host |
|---|---|---|
| Output | Sectioned, highly configurable (+noall, +answer, +trace) | Short, sentence-style lines |
| Scripting | Excellent (+short, +noall +answer) | Good for simple checks; less flexible |
| Record types | Any type on the command line | -t TYPE |
| Reverse DNS | dig -x IP | host IP |
| Tracing / DNSSEC | +trace, +dnssec | Limited — prefer dig |
| Best for | Debugging, automation, authority issues | Quick human-readable checks |
Both use the same resolver libraries in BIND 9. Many admins use host for a fast check and dig when they need control.
Related commands
Tools in the same troubleshooting path — connectivity, HTTP, and local name service.
| Command | One line |
|---|---|
| dig / host | DNS queries from the CLI (this page) |
| ping | ICMP reachability (not DNS) |
| curl | HTTP/S reachability and headers |
| ss | Open sockets and listening ports |
| getent hosts | Name via NSS (files, DNS, LDAP, SSSD) |
dig and host — interview corner
What is dig used for?
dig (domain information groper) sends DNS queries and prints the full response — header, question, answer, authority, and additional sections. Admins use it to confirm that a name resolves, which records are published, and which server answered.
dig example.com +short
For automation, +short or +noall +answer keeps output easy to parse.
A strong answer is:
"dig queries DNS servers and shows structured record data — I use +short in scripts and full output or +trace when debugging delegation."
What is the difference between host and dig?
Both come from BIND 9 and query DNS, but the interface differs.
- host — short, readable lines (example.com has address …). Fast manual checks.
- dig — granular control (+short, +trace, +dnssec, @resolver). Better for debugging and scripts.
host example.com
dig example.com +noall +answer
A strong answer is:
"host is for quick readable lookups; dig gives fine-grained control and better scripting hooks like +trace and +noall +answer."
How do you do a reverse DNS lookup on Linux?
Map an IP to a hostname (PTR record):
dig -x 8.8.8.8 +short
host 8.8.8.8
Specify a resolver if local cache confuses the test: dig @1.1.1.1 -x 8.8.8.8 +short.
A strong answer is:
"I use dig -x or host IP for reverse DNS — PTR records live in in-addr.arpa for IPv4."
What does NXDOMAIN mean?
NXDOMAIN means the DNS server responded that the name does not exist in the queried zone — not a timeout and not a network failure.
host nonexistent.invalid
Typical message: not found: 3(NXDOMAIN). Fix typos, check zone files, or confirm the domain is still registered.
A strong answer is:
"NXDOMAIN is a negative DNS answer — the name isn't in the zone tree. I distinguish it from SERVFAIL or timeout, which point to server or network issues."
Why would you run dig @8.8.8.8?
The @server argument chooses which resolver receives the query instead of the system default (on Ubuntu often 127.0.0.53 via systemd-resolved).
Use it to:
- Bypass stale local cache
- Compare corporate DNS vs public DNS
- Test whether a problem is local or global
dig @8.8.8.8 www.example.com +short
host www.example.com 8.8.8.8
A strong answer is:
"dig @server targets a specific resolver — I use it to bypass local cache and see whether authoritative data or my resolver is wrong."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| no servers could be reached | Resolver down, firewall blocking port 53, or VPN DNS | Try @8.8.8.8; check resolvectl status; verify UDP/TCP 53 |
| Works with @8.8.8.8 but not default | Local resolver or split DNS issue | Inspect /etc/resolv.conf, systemd-resolved, corporate DNS |
| NXDOMAIN | Name missing or typo | Verify spelling, zone file, registrar NS |
| SERVFAIL | Authority server error or lame delegation | dig +trace; check NS and glue at parent zone |
| Slow lookups | High latency resolver or DNSSEC timeouts | +time=2 +tries=1; query closer resolver |
| host -a fails with NOTIMP | Server does not implement recursive ANY | Use dig with explicit types (A, MX, TXT) |
| Answer differs from getent hosts | NSS uses files/sssd before DNS | Compare getent hosts name with dig +short name |
