dig and host Commands in Linux: DNS Lookup Syntax, Options & Examples

dig and host query DNS name servers from the command line. dig exposes full resolver control and sectioned output; host prints concise answers for quick forward and reverse lookups.

Reviewed by Deepak Prasad

Tested on: Ubuntu 25.04 (Plucky Puffin); dig/host (BIND) 9.20.11; kernel 7.0.0-27-generic
Package: bind9-dnsutils (apt/deb) · bind-utils (dnf/rpm)
Man page: dig(1) / host(1)
Privilege: user
Distros: Ubuntu and Debian: bind9-dnsutils (dig, host). RHEL family: bind-utils.

Legacy alternative: nslookup (interactive, less script-friendly). This page covers dig and host from BIND 9.

dig — quick reference

Basic queries

Forward lookups — map a name to records. Add +short when you only want answer values.

| When to use | Command |
| --- | --- |
| Short A record answers only | dig example.com +short |
| Full answer section, hide query metadata | dig example.com +noall +answer |
| Query a specific resolver | dig @8.8.8.8 example.com +short |
| Lookup MX records | dig example.com MX +short |
| Lookup NS records | dig example.com NS +short |
| Lookup TXT records (SPF, DKIM, verification) | dig example.com TXT +short |
| Reverse lookup (IP to name) | dig -x 8.8.8.8 +short |
| Force IPv4 query transport | dig -4 example.com +short |
| Force IPv6 query transport | dig -6 example.com +short |
| Set query timeout and retry count | dig example.com +time=2 +tries=1 +short |

Advanced dig options

Trace delegation, DNSSEC, and batch mode — mostly for debugging resolver paths and authority problems.

| When to use | Command |
| --- | --- |
| Trace delegation from root to the name | dig example.com +trace |
| Request DNSSEC records | dig example.com +dnssec +multi |
| Read queries from a batch file | dig -f queries.txt |
| Reverse lookup via an explicit resolver | dig -x 93.184.216.34 @1.1.1.1 +short |
| Show only comments and headers (debug layout) | dig example.com +noall +comments |
| Show version | dig -v |

host — quick reference

Forward and reverse lookups

host prints human-readable lines — good for quick checks when you do not need dig's section flags.

| When to use | Command |
| --- | --- |
| Default A/AAAA lookup | host example.com |
| Query a specific record type | host -t MX example.com |
| Name server records | host -t NS example.com |
| TXT records | host -t TXT example.com |
| Reverse lookup by IP | host 8.8.8.8 |
| Use a specific resolver | host example.com 8.8.8.8 |
| Limit wait time (seconds) | host -W 2 example.com |
| Verbose output (similar to dig sections) | host -v example.com 8.8.8.8 |
| Force TCP instead of UDP | host -T example.com 8.8.8.8 |
| Show version | host -V |

dig and host — command syntax

Synopsis from dig -h and host usage on Ubuntu 25.04 (BIND 9.20.11):

text
dig [@server] name [type] [class] [queryopt...]

host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
     [-R number] [-p port] hostname [server]

Both tools send DNS queries to a resolver — by default often systemd-resolved on Ubuntu (127.0.0.53). Append @8.8.8.8, @1.1.1.1, or your corporate resolver when you need to bypass local caching or test a specific server.


dig and host — command examples

Essential: Quick A record check with dig +short

When you only need addresses — for scripts or a fast "does this name resolve?" test — +short strips the banner and question section.

Run the command:

bash
dig example.com +short

Sample output:

text
104.20.23.154
172.66.147.243

Multiple lines mean multiple A records (load balancing or CDN). Empty output with exit code 0 can mean no A records — try +trace or another type.

Essential: Readable forward lookup with host

host formats the same data in plain sentences — easier to read in terminal scrollback than dig's default multi-section dump.

Run the command:

bash
host example.com 8.8.8.8

Sample output:

text
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

example.com has address 172.66.147.243
example.com has address 104.20.23.154
example.com mail is handled by 0 .
example.com has HTTP service bindings 1 . alpn="h2" ipv4hint=104.20.23.154,172.66.147.243 ipv6hint=2606:4700:10::6814:179a,2606:4700:10::ac42:93f3

The "mail is handled by 0 ." line is the MX answer (example.com publishes a null MX). Modern BIND also prints HTTPS/SVCB bindings when present.

Essential: Query MX and NS record types

Mail routing and delegation debugging need types beyond A. dig uses the type name after the domain; host uses -t.

Run the commands:

bash
dig example.com MX +short
host -t NS example.com 8.8.8.8

Sample output:

text
0 .
example.com name server hera.ns.cloudflare.com.
example.com name server elliott.ns.cloudflare.com.

MX answers show priority and target host. NS answers list authoritative name servers for the zone — compare with your registrar if delegation is broken.

Common: Reverse DNS — IP address to hostname

Reverse lookups query in-addr.arpa (IPv4) or ip6.arpa (IPv6). dig -x accepts dotted-quad notation; host accepts the IP directly.

Run the commands:

bash
dig -x 8.8.8.8 @1.1.1.1 +short
host 8.8.8.8 1.1.1.1

Sample output:

text
dns.google.
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

8.8.8.8.in-addr.arpa domain name pointer dns.google.

PTR records are optional — many IPs have no reverse name. Mail servers often require matching forward and reverse DNS.
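A forward-confirmed reverse DNS check, as an added example (not from the original page): each PTR name is resolved forward and must map back to the same IPv4 address. The fcrdns and fake_dig functions, the DIG variable and all records are constructed for illustration; fake_dig stands in for dig so the block runs offline.

```bash
# Forward-confirmed reverse DNS (FCrDNS) for an IPv4 address: each PTR name is
# resolved forward and must map back to the address that was looked up.
DIG=${DIG:-dig}   # lookup command; swapped for a constructed stand-in below

fcrdns() {
  ip=$1
  # PTR targets are printed as absolute names ending in a dot
  names=$($DIG -x "$ip" +short | grep '\.$' || true)
  [ -n "$names" ] || { echo "NO_PTR $ip"; return 1; }
  for name in $names; do
    # A +short can also list CNAME targets; -x -F matches whole address lines only
    if $DIG "$name" A +short | grep -qxF "$ip"; then
      echo "PASS $ip $name"
      return 0
    fi
  done
  echo "MISMATCH $ip"
  return 1
}

# Constructed records (documentation address ranges, .test names); fake_dig is a
# hypothetical stand-in that answers the way dig +short would.
fake_dig() {
  case "$*" in
    "-x 192.0.2.10 +short")        echo "mail.example.test." ;;
    "mail.example.test. A +short") echo "192.0.2.10" ;;
    "-x 198.51.100.7 +short")      echo "mail.example.test." ;;  # PTR names a host that resolves elsewhere
    "-x 203.0.113.5 +short")       : ;;                          # no PTR record
  esac
}
DIG=fake_dig

fcrdns 192.0.2.10                 # forward and reverse agree
fcrdns 198.51.100.7 || true       # forward lookup does not confirm the PTR
fcrdns 203.0.113.5 || true        # nothing to confirm
```

Remove the DIG=fake_dig line to run the same check against live DNS; comparing addresses as text is only reliable for IPv4.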

Common: dig with +noall +answer for scripts

Hide everything except the answer section — a middle ground between verbose dig and bare +short.

Run the command:

bash
dig @8.8.8.8 example.com +noall +answer

Sample output:

text
example.com.		258	IN	A	104.20.23.154
example.com.		258	IN	A	172.66.147.243

Columns are owner name, TTL, class, type, and rdata. TTL counts down so you can see caching behaviour during cutovers.

Common: Read TXT records (SPF, DKIM, domain verification)

TXT holds SPF policies, DKIM public keys, and vendor verification strings. Quotes in output are normal.

Run the command:

bash
dig example.com TXT +short

Sample output:

text
"v=spf1 -all"
"_k2n1y4vw3qtb4skdx9e7dxt97qrmmq9"

Parse carefully in scripts — TXT strings may contain spaces and multiple chunks per name.
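One way to parse TXT output safely, as an added example rather than code from the original page: txt_join concatenates the quoted chunks of each record, and spf_record insists on exactly one v=spf1 record. The function names and sample records are constructed for illustration.

```bash
# Join the quoted character-strings of each TXT record printed by
# "dig NAME TXT +short". One output line per record; chunks are concatenated
# with no separator, which is how SPF and DKIM consumers read them.
txt_join() {
  awk '{
    out = ""; inq = 0; n = length($0)
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (inq && c == "\\") {
        d = substr($0, i + 1, 3)
        if (d ~ /^[0-9][0-9][0-9]$/) { out = out sprintf("%c", d + 0); i += 3 }  # \DDD byte
        else { out = out substr($0, i + 1, 1); i++ }                            # \" or \\
        continue
      }
      if (c == "\"") { inq = !inq; continue }
      if (inq) out = out c          # text between chunks (the space) is dropped
    }
    print out
  }'
}

# Print the single v=spf1 policy; return 1 when there are none or several
# (RFC 7208 treats more than one SPF record as a permanent error).
spf_record() {
  txt_join | awk '
    tolower($0) ~ /^v=spf1( |$)/ { n++; rec = $0 }
    END { if (n == 1) print rec; exit (n == 1 ? 0 : 1) }'
}

# Constructed +short output: the SPF record is split mid-token across two chunks.
SAMPLE_TXT='"v=spf1 include:_spf.exam" "ple.net -all"
"site-verification=CONSTRUCTED-TOKEN"
"note=\"quoted\" text"'
# Constructed: two SPF records published on the same name.
DUPLICATE_SPF='"v=spf1 -all"
"v=spf1 include:_spf.example.net ~all"'

printf '%s\n' "$SAMPLE_TXT" | txt_join
printf '%s\n' "$SAMPLE_TXT" | spf_record
printf '%s\n' "$DUPLICATE_SPF" | spf_record || echo "invalid: expected exactly one v=spf1 record"
```

Stripping the quotes with tr or sed would leave a space inside "_spf.exam ple.net" and change the policy the script sees.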

Common: NXDOMAIN — name does not exist

A negative answer means the name is not in the DNS tree (typo, expired domain, or wrong zone). Both tools report it clearly.

Run the commands:

bash
dig @8.8.8.8 nonexistent.invalid +time=1 +tries=1 +short
host -W 1 nonexistent.invalid 8.8.8.8

Sample output:

text
Host nonexistent.invalid not found: 3(NXDOMAIN)

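With +short, dig prints nothing for an NXDOMAIN response, so the sample output above comes from host alone. Run dig without +short to see status: NXDOMAIN in the header. Distinguish NXDOMAIN (name missing) from timeout (network or resolver unreachable).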
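To tell these cases apart in a script, read the header rather than the exit code, since dig exits 0 for any DNS response, NXDOMAIN included. This added example (not from the original page) classifies header text; dig_classify and the sample headers are constructed for illustration.

```bash
# Classify a dig response from its header comments.
# Prints ANSWER, NODATA, UNREACHABLE, UNKNOWN, or the rcode dig reported
# (NXDOMAIN, SERVFAIL, REFUSED, ...).
dig_classify() {
  awk '
    /no servers could be reached/ { unreachable = 1 }
    /->>HEADER<<-/ {                 # header line carries "status: RCODE,"
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {                   # flags line carries "ANSWER: N,"
      for (i = 1; i < NF; i++)
        if ($i == "ANSWER:") answers = $(i + 1) + 0
    }
    END {
      if (status == "")             print (unreachable ? "UNREACHABLE" : "UNKNOWN")
      else if (status == "NOERROR") print (answers > 0 ? "ANSWER" : "NODATA")
      else                          print status
    }'
}

# Constructed sample output (not captured from a live query).
NXDOMAIN_HDR=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
NODATA_HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
ANSWER_HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
TIMEOUT_OUT=';; communications error to 192.0.2.53#53: timed out
;; no servers could be reached'

for sample in "$NXDOMAIN_HDR" "$NODATA_HDR" "$ANSWER_HDR" "$TIMEOUT_OUT"; do
  printf '%s\n' "$sample" | dig_classify
done
# Live use (needs network):
#   dig @8.8.8.8 NAME +noall +comments +time=2 +tries=1 2>&1 | dig_classify
```

NODATA is the case where +short prints nothing for a name that does exist: the response is NOERROR with no records of the requested type.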

Advanced: Trace delegation with dig +trace

+trace starts at the root servers and follows NS delegations until it reaches the authoritative zone — invaluable when a subdomain works in one region but not another.

Run the command:

bash
dig @8.8.8.8 example.com +trace 2>&1 | head -20

Sample output (truncated):

text
; <<>> DiG 9.20.11-0ubuntu0.2-Ubuntu <<>> @8.8.8.8 example.com +trace
; (1 server found)
;; global options: +cmd
.			87203	IN	NS	b.root-servers.net.
.			87203	IN	NS	h.root-servers.net.
...
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 38 ms

Each hop shows which server answered and which NS records were returned. Compare the final authority section with the NS you expect at the registrar.

Advanced: Resolver timeout vs slow authority

When lookups hang, cap wait time and retries so scripts fail fast. Specify the resolver explicitly to test whether the problem is local cache or upstream.

Run the command:

bash
host -W 2 example.com 8.8.8.8

Sample output (success):

text
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

example.com has address 172.66.147.243
example.com has address 104.20.23.154

If you see no servers could be reached, check firewall rules for UDP/TCP port 53, VPN split DNS, and whether systemd-resolved is forwarding correctly (resolvectl status).


dig and host — when to use / when not

Use dig / host when:

  • You need to verify DNS resolution for a hostname or IP from the shell
  • You are debugging MX, NS, TXT, or other record types
  • You want script-friendly output (dig +short, +noall +answer)
  • You need to query a specific resolver (@8.8.8.8 or host name server)
  • You are tracing delegation problems (dig +trace)

Use something else when:

  • You only need to test TCP connectivity to a host → ping or curl
  • You need HTTP reachability, TLS, or status codes → curl
  • You need local NSS resolution (files, LDAP, SSSD) → getent hosts name
  • You prefer an interactive legacy tool → nslookup (less ideal for scripts)
  • You need continuous monitoring or dashboards → dedicated DNS monitoring, not ad-hoc CLI

dig vs host

| | dig | host |
| --- | --- | --- |
| Output | Sectioned, highly configurable (+noall, +answer, +trace) | Short, sentence-style lines |
| Scripting | Excellent (+short, +noall +answer) | Good for simple checks; less flexible |
| Record types | Any type on the command line | -t TYPE |
| Reverse DNS | dig -x IP | host IP |
| Tracing / DNSSEC | +trace, +dnssec | Limited — prefer dig |
| Best for | Debugging, automation, authority issues | Quick human-readable checks |

Both use the same resolver libraries in BIND 9. Many admins use host for a fast check and dig when they need control.


Tools in the same troubleshooting path — connectivity, HTTP, and local name service.

| Command | One line |
| --- | --- |
| dig / host | DNS queries from the CLI (this page) |
| ping | ICMP reachability (not DNS) |
| curl | HTTP/S reachability and headers |
| ss | Open sockets and listening ports |
| getent hosts | Name via NSS (files, DNS, LDAP, SSSD) |


dig and host — interview corner

What is dig used for?

dig (domain information groper) sends DNS queries and prints the full response — header, question, answer, authority, and additional sections. Admins use it to confirm that a name resolves, which records are published, and which server answered.

bash
dig example.com +short

For automation, +short or +noall +answer keeps output easy to parse.

A strong answer is:

"dig queries DNS servers and shows structured record data — I use +short in scripts and full output or +trace when debugging delegation."

What is the difference between host and dig?

Both come from BIND 9 and query DNS, but the interface differs.

  • host — short, readable lines (example.com has address …). Fast manual checks.
  • dig — granular control (+short, +trace, +dnssec, @resolver). Better for debugging and scripts.

bash
host example.com
dig example.com +noall +answer

A strong answer is:

"host is for quick readable lookups; dig gives fine-grained control and better scripting hooks like +trace and +noall +answer."

How do you do a reverse DNS lookup on Linux?

Map an IP to a hostname (PTR record):

bash
dig -x 8.8.8.8 +short
host 8.8.8.8

Specify a resolver if local cache confuses the test: dig @1.1.1.1 -x 8.8.8.8 +short.

A strong answer is:

"I use dig -x or host IP for reverse DNS — PTR records live in in-addr.arpa for IPv4."

What does NXDOMAIN mean?

NXDOMAIN means the DNS server responded that the name does not exist in the queried zone — not a timeout and not a network failure.

bash
host nonexistent.invalid

Typical message: not found: 3(NXDOMAIN). Fix typos, check zone files, or confirm the domain is still registered.

A strong answer is:

"NXDOMAIN is a negative DNS answer — the name isn't in the zone tree. I distinguish it from SERVFAIL or timeout, which point to server or network issues."

Why would you run dig @8.8.8.8?

The @server argument chooses which resolver receives the query instead of the system default (on Ubuntu often 127.0.0.53 via systemd-resolved).

Use it to:

  • Bypass stale local cache
  • Compare corporate DNS vs public DNS
  • Test whether a problem is local or global

bash
dig @8.8.8.8 www.example.com +short
host www.example.com 8.8.8.8

A strong answer is:

"dig @server targets a specific resolver — I use it to bypass local cache and see whether authoritative data or my resolver is wrong."


Troubleshooting

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| no servers could be reached | Resolver down, firewall blocking port 53, or VPN DNS | Try @8.8.8.8; check resolvectl status; verify UDP/TCP 53 |
| Works with @8.8.8.8 but not default | Local resolver or split DNS issue | Inspect /etc/resolv.conf, systemd-resolved, corporate DNS |
| NXDOMAIN | Name missing or typo | Verify spelling, zone file, registrar NS |
| SERVFAIL | Authority server error or lame delegation | dig +trace; check NS and glue at parent zone |
| Slow lookups | High latency resolver or DNSSEC timeouts | +time=2 +tries=1; query closer resolver |
| host -a fails with NOTIMP | Server does not implement recursive ANY | Use dig with explicit types (A, MX, TXT) |
| Answer differs from getent hosts | NSS uses files/sssd before DNS | Compare getent hosts name with dig +short name |

Rohan Timalsina is a technical writer and Linux enthusiast who writes practical guides on Linux commands and system administration. He focuses on simplifying complex topics through clear explanations.