The dig Command


dig (Domain Information Groper) is the standard tool for querying DNS records from the command line — giving you complete control over record type, resolver, and output format.

Basic Syntax

The simplest dig query resolves the A record (IPv4 address) for a domain:

dig google.com

To request a specific record type, add it as a third argument:

dig google.com A
dig google.com AAAA
dig google.com MX

dig is available by default on most Linux distributions and macOS. On Linux, it is part of the dnsutils or bind-utils package depending on the distribution. On Windows it is not included by default — see the FAQ below for installation options.

Understanding dig Output Sections

dig produces structured output divided into clearly labelled sections. Understanding each section is essential for interpreting DNS responses correctly.

| Section | What it contains | Key fields to read |
|---|---|---|
| HEADER | Query metadata and response flags | status (NOERROR, NXDOMAIN, SERVFAIL), flags (qr, aa, rd, ra) |
| QUESTION | The exact query sent to the resolver | Confirms the queried name and type |
| ANSWER | The records returned by the resolver | Record type, TTL (seconds), and the data (IP address, hostname, etc.) |
| AUTHORITY | The authoritative nameservers for the domain | NS records identifying who is authoritative |
| ADDITIONAL | A records for nameservers listed in AUTHORITY | Glue records that allow resolvers to reach the authoritative servers |
| Query time / SERVER | Performance and resolver metadata | Query time in ms, which resolver answered, when the query was made |
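
As an added example (not part of the original guide), the shell function below reads dig's default output and pulls out the fields the table names: status and flags from HEADER, record count and lowest TTL from ANSWER, and the resolver and query time from the trailer. The sample output is constructed and uses documentation names and addresses; dig_summary and sample_dig_output are names chosen for this example.

```shell
#!/usr/bin/env bash
# Summarize dig's default output: status and flags (HEADER), record count and
# lowest TTL (ANSWER), and the trailing resolver / query-time metadata.
dig_summary() {
  awk '
    /^;; ->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
      flags = $0
      sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags); gsub(/ /, ",", flags)
    }
    /^;; [A-Z]+ SECTION:/ { section = $2; next }   # QUESTION, ANSWER, ...
    /^$/                  { section = ""; next }   # a blank line ends a section
    section == "ANSWER" && $0 !~ /^;/ {
      n++
      if (min == "" || $2 + 0 < min) min = $2 + 0  # field 2 is the TTL
    }
    /^;; Query time:/ { qtime = $4 }
    /^;; SERVER:/     { server = $3; sub(/#.*/, "", server) }
    END {
      printf "status=%s flags=%s answers=%d min_ttl=%s server=%s qtime_ms=%s\n",
             status, flags, n, (min == "" ? "-" : min), server, qtime
    }'
}

# Constructed sample of dig output (documentation names and addresses only).
sample_dig_output() {
  cat <<'EOF'
; <<>> DiG 9.x <<>> www.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com.          IN  A

;; ANSWER SECTION:
www.example.com.   3600  IN  CNAME  web.example.net.
web.example.net.   120   IN  A      192.0.2.10

;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (UDP)
EOF
}

sample_dig_output | dig_summary
```

Against a live resolver, pipe real output into the same function, for example `dig google.com | dig_summary`.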

Querying Common Record Types

Each DNS record type serves a specific purpose. Here are the most useful queries:

dig google.com A          # IPv4 address
dig google.com AAAA       # IPv6 address
dig google.com MX         # Mail server records
dig google.com TXT        # Text records (SPF, DMARC, domain verification)
dig google.com CNAME      # Canonical name alias
dig google.com NS         # Authoritative nameservers
dig google.com SOA        # Start of Authority (serial, refresh, retry, expire)
dig -x 8.8.8.8            # Reverse lookup — IP to hostname (PTR record)

Querying a Specific Resolver

By default, dig uses your system's configured resolver (from /etc/resolv.conf on Linux/macOS). To query a specific DNS server, prefix the domain with @ and the resolver's address:

dig @8.8.8.8 google.com       # Google Public DNS
dig @1.1.1.1 google.com       # Cloudflare DNS
dig @9.9.9.9 google.com       # Quad9 DNS

You can also query an authoritative nameserver directly, bypassing caches entirely:

dig @ns1.google.com google.com

This is the most reliable way to see the current published value of a DNS record without any caching interference.

Key Flags for Cleaner and More Powerful Output

dig's output includes a lot of metadata by default. These flags refine what you see:

dig google.com +short               # Print only the answer data — no headers
dig google.com +noall +answer       # Suppress all sections except ANSWER
dig google.com +trace               # Follow the full resolution path from root
dig @8.8.8.8 google.com +dnssec     # Request DNSSEC records (RRSIG) along with the answer
dig -x 203.0.113.1                  # Reverse lookup for an IP address

The +trace flag is especially valuable — it shows the complete delegation chain from the root nameservers down to the authoritative nameservers for the domain, which is exactly what a recursive resolver does when it has no cached answer. This lets you verify that the full DNS resolution chain is working correctly end-to-end.

Checking DNS Propagation

When you update a DNS record, the change needs to propagate to resolvers around the world. The TTL on the old record determines how long resolvers cache it — a record with TTL 3600 may take up to an hour to expire from caches. To check whether a change has reached a specific resolver, query it directly:

dig @8.8.8.8 yourdomain.com A +short
dig @1.1.1.1 yourdomain.com A +short

If the answers differ between resolvers, propagation is still in progress. The TTL field in the ANSWER section shows how many seconds remain before that resolver's cache expires and it fetches a fresh answer.
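
The comparison described above as a script, added here as an example rather than taken from the original guide: it treats the authoritative nameserver's answer as the reference and reports each resolver that still returns something else, with the TTL left in its cache. The function names are chosen for this example, and the domain and nameserver in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# answer_set RESOLVER NAME TYPE
# The resolver's answers as one sorted, comma-joined line, so that
# round-robin ordering of records does not look like a difference.
answer_set() {
  dig "@$1" "$2" "$3" +short | LC_ALL=C sort | paste -sd, -
}

# check_propagation NAME TYPE AUTH_NS RESOLVER...
# Prints one line per resolver; returns 1 if any resolver differs from the
# authoritative answer, 0 if all of them match it.
check_propagation() {
  name=$1 rrtype=$2 auth=$3
  shift 3
  expected=$(answer_set "$auth" "$name" "$rrtype")
  rc=0
  printf 'authoritative %s: %s\n' "$auth" "${expected:-<no answer>}"
  for r in "$@"; do
    got=$(answer_set "$r" "$name" "$rrtype")
    if [ "$got" = "$expected" ]; then
      printf 'OK    %s: %s\n' "$r" "$got"
    else
      # Field 2 of the first ANSWER line is the TTL left in this resolver's cache.
      ttl=$(dig "@$r" "$name" "$rrtype" +noall +answer | awk 'NR == 1 { print $2 }')
      printf 'DIFF  %s: %s (TTL left in its cache: %ss)\n' \
        "$r" "${got:-<no answer>}" "${ttl:-?}"
      rc=1
    fi
  done
  return "$rc"
}

# Usage (placeholder domain and nameserver; substitute your own):
#   check_propagation yourdomain.com A ns1.yourdomain.com 8.8.8.8 1.1.1.1 9.9.9.9
```
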

dig vs nslookup vs host

All three tools make DNS queries, but they differ in detail, portability, and use case. dig is the most powerful and most scriptable. nslookup is available everywhere including Windows. host produces the most human-readable output for simple lookups.

dig on Windows

dig is not included with Windows. Options to get it: install BIND for Windows from ISC, which bundles dig as part of its tools package; use WSL and install the dnsutils package with sudo apt install dnsutils; or use the Windows version of dig distributed by some third-party package managers. If none of these options are available, nslookup is built into Windows and covers the most common DNS lookup scenarios.

Frequently Asked Questions

What does dig stand for?

dig stands for Domain Information Groper. It is part of the BIND (Berkeley Internet Name Domain) suite of DNS tools and is the standard command-line utility for making arbitrary DNS queries. Despite the name, it is a precise and powerful tool used daily by network engineers, sysadmins, and security researchers.

How do I look up a specific DNS record type with dig?

Add the record type as the third argument: dig google.com A returns IPv4 addresses, dig google.com AAAA returns IPv6 addresses, dig google.com MX returns mail server records, dig google.com TXT returns text records (including SPF and DMARC), dig google.com NS returns the authoritative nameservers, and dig google.com SOA returns the Start of Authority record. To query all record types at once, use dig google.com ANY, though many resolvers restrict ANY queries.

How do I query a specific DNS server with dig?

Use the @ symbol followed by the resolver's IP address or hostname before the domain name: dig @8.8.8.8 google.com queries Google's public resolver, dig @1.1.1.1 google.com queries Cloudflare's resolver, and dig @ns1.google.com google.com queries Google's own authoritative nameserver directly. This is essential for checking whether a DNS change has propagated to a specific resolver, or for comparing answers from different resolvers.

What is the difference between dig and nslookup?

dig provides more detailed output, better scriptability, and full control over query flags and output format. It is the preferred tool for technical DNS investigation. nslookup is available on Windows, macOS, and Linux without any additional installation and is easier for simple lookups, but its output is less detailed and its interactive mode can be confusing. For scripting and automated DNS checks, dig is strongly preferred. For a quick lookup on a Windows machine where dig is not installed, nslookup is a reasonable alternative.

How do I do a reverse DNS lookup with dig?

Use the -x flag followed by the IP address: dig -x 8.8.8.8. This looks up the PTR record for the IP, which maps it back to a hostname. dig automatically constructs the correct in-addr.arpa (for IPv4) or ip6.arpa (for IPv6) query. You can also query a specific resolver for the reverse lookup: dig @1.1.1.1 -x 8.8.8.8.

Is dig available on Windows?

dig is not included with Windows by default. To get it on Windows, you can install BIND for Windows from ISC (Internet Systems Consortium), which includes dig as part of its tools package. Alternatively, you can use WSL (Windows Subsystem for Linux) and install dig with sudo apt install dnsutils. Windows users who need a quick DNS lookup without installing anything can use nslookup, which is built into every version of Windows.
