DIG

Quick Dig

dig @ns1.google.com +short TXT o-o.myaddr.l.google.com
dig +noall +answer +ttlunits @1.1.1.1 A www.example.com
dig +noall +answer +ttlunits A www.example.com @1.1.1.1

Flags

  • qr - query response. We are getting a response to our query.
  • rd - recursion desired. We are asking the server to go and get the answer for us.
  • ra - recursion available. This is missing if the server doesn't have recursion enabled.
  • ad - authentic data. DNSSEC stuff: the answer has been validated using DNSSEC.
  • aa - authoritative answer. The server is authoritative for the query answer.
  • tc - truncation
  • cd - checking disabled.
  • do - DNSSEC OK
  • QUERY : How many queries were made in the DIG command.
  • ANSWER : How many records are in the answer.
  • AUTHORITY : Whether or not the server queried is authoritative for the domain queried.
  • ADDITIONAL : How many additional fields (e.g. EDNS)
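As an added example (not part of the original page), a small shell filter that reads dig output on stdin and turns the flags and counts listed above into one-line verdicts a script can grep; the header text inside it is a constructed sample modelled on the page's own SOA lookup output.

```shell
#!/bin/sh
# Added example, not from the original page: read dig output on stdin and turn
# the header flags and counts documented above into one-line verdicts that a
# script can grep. HDR is a constructed sample modelled on the page's SOA lookup.
HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53038
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

dig_check() {
  input=$(cat)
  # flags padded with spaces (" qr rd ra ") so each one matches as a whole word
  flags=" $(printf '%s\n' "$input" | sed -n 's/^;; flags: *\([^;]*\);.*/\1/p') "
  status=$(printf '%s\n' "$input" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
  answers=$(printf '%s\n' "$input" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p')
  # qr must be set or this is not a response at all
  case "$flags" in *" qr "*) ;; *) echo "no-response"; return 1 ;; esac
  echo "status=$status answers=$answers"
  # aa: the answer came from a server authoritative for the zone, not from a cache
  case "$flags" in *" aa "*) echo "source=authoritative" ;; *) echo "source=recursor-or-cache" ;; esac
  # ra missing means the server has recursion disabled
  case "$flags" in *" ra "*) echo "recursion=available" ;; *) echo "recursion=unavailable" ;; esac
  # ad is the only signal that the resolver DNSSEC-validated this answer
  case "$flags" in *" ad "*) echo "dnssec=validated" ;; *) echo "dnssec=not-validated" ;; esac
  # tc: the UDP reply was cut short; repeat the query with +tcp
  case "$flags" in *" tc "*) echo "truncated=yes" ;; *) echo "truncated=no" ;; esac
}

printf '%s\n' "$HDR" | dig_check
```

Pipe a real run into it with `dig ... | dig_check`; an answer without `ad` from a validating resolver, or without `aa` when you expected the authoritative server, is the thing to look at.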

Iterative Query

The following flag tells dig to not request recursion.

+norecurse

Get Root Certificate

dig . DNSKEY
dig . DNSKEY +comments +multi
dig @a.root-servers.net . DNSKEY +comments +multi

Set Port

dig -p 5353 @10.1.1.1 A domain.name

Zone Transfer by Dig

dig axfr @dns-server domain.name
dig axfr domain.name @dns-server

Live Test

dig axfr @nsztm1.digi.ninja zonetransfer.me

If the zone transfer requires a TSIG key (HMAC-MD5 is also a valid algorithm):

dig axfr @dns-server ZONE_NAME -y HMAC-SHA256:NAME_OF_KEY:TSIG_KEY_VALUE

Linux Script

NAME=suspicious
RPZ_FEED=$NAME.rpz.infoblox.local
OUTPUT_FILE=rpz-$NAME.txt
B1TD_SERVER=52.2.30.79
KEY_ALGORITHM=HMAC-SHA256
KEY_NAME=portal.1234567.infoblox.site-infoblox-abababab
TSIG_KEY=ababababababababababababababab
KEY=$KEY_ALGORITHM:$KEY_NAME:$TSIG_KEY

# Get Data
# Strip RPZ feed name off domains
# Remove Blank Lines
# Remove Lines starting with ;
# Remove Lines containing "rpz.infoblox.local" (RPZ name)
# Remove Lines containing "2000512" (tenant ID - only use with Infoblox RPZ feeds)
dig +noidnout axfr @$B1TD_SERVER $RPZ_FEED -y $KEY | awk -F ".$RPZ_FEED" '{print $1}' | sed '/^[[:space:]]*$/d' | sed '/^ *;/d' | grep -v rpz.infoblox.local | grep -v 2000512 > $OUTPUT_FILE

# The following version also deletes lines starting with the * character. This is useful when you just want a list of domains rather than the full list of entries (which includes the wildcard rows).

dig +noidnout axfr @$B1TD_SERVER $RPZ_FEED -y $KEY | awk -F ".$RPZ_FEED" '{print $1}' | sed '/^[[:space:]]*$/d' | sed '/^ *;/d' | sed '/^\*.*$/d' | grep -v rpz.infoblox.local | grep -v 2000512 > $OUTPUT_FILE

The reason we include +noidnout is that we once got this error from suspicious feeds:

dig: 'xn--6g8haa.cf.domain.' is not a legal IDNA2008 name (string contains a disallowed character), use +noidnout

If the RPZ feed is IP based, you can convert the rpz-ip entries back into CIDR notation with the following: strip the name down to the reversed IP (the label before .rpz-ip), then use awk to reverse the octets. The first label is the prefix length, the next four are the octets in reverse order.

awk -F ".rpz-ip" '{print $1}' | awk -F "." '{print $5 "." $4 "." $3 "." $2 "/" $1}'

A fuller version of the IP conversion is

dig +noidnout axfr @$B1TD_SERVER $RPZ_FEED -y $KEY | awk -F ".$RPZ_FEED" '{print $1}' | sed '/^[[:space:]]*$/d' | sed '/^ *;/d' | grep -v rpz.infoblox.local | grep -v 3000462 | awk -F ".rpz-ip" '{print $1}' | awk -F "." '{print $5 "." $4 "." $3 "." $2 "/" $1}' > $OUTPUT_FILE
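As an added example (not the page's or Infoblox's own code), the two post-processing stages above rewritten as stdin filters and run over a constructed AXFR snippet, so the logic can be checked without a BloxOne server or TSIG key. The feed name is the one from the script above; the zone contents are made up.

```shell
#!/bin/sh
# Added example, not from the original page: the post-processing in the dig
# axfr pipelines above, split into two stdin filters so they can be run on the
# constructed AXFR snippet below without a BloxOne server or TSIG key.
RPZ_FEED="suspicious.rpz.infoblox.local"   # feed name from the page's script

# Constructed zone text in the shape dig axfr prints: comments, apex SOA,
# a domain trigger with its wildcard row, an IDN label, two rpz-ip triggers.
ZONE='; <<>> DiG 9.16.13 <<>> +noidnout axfr suspicious.rpz.infoblox.local
;; global options: +cmd
suspicious.rpz.infoblox.local. 300 IN SOA ns.infoblox.local. hostmaster.infoblox.local. 2000512 3600 600 1209600 300

bad.example.suspicious.rpz.infoblox.local. 300 IN CNAME .
*.bad.example.suspicious.rpz.infoblox.local. 300 IN CNAME .
xn--6g8haa.cf.suspicious.rpz.infoblox.local. 300 IN CNAME .
24.0.99.168.192.rpz-ip.suspicious.rpz.infoblox.local. 300 IN CNAME .
32.78.99.168.192.rpz-ip.suspicious.rpz.infoblox.local. 300 IN CNAME .
;; Query time: 12 msec'

# rpz_domains [-w]: print the trigger domains with the feed suffix stripped.
# Comment, blank, apex and rpz-ip rows never carry ".<feed>." after a label in
# the owner-name column, so they fall out; wildcard rows (*.x) are dropped
# unless -w is given, matching the page's two pipeline variants.
rpz_domains() {
  case "$1" in -w) keep=1 ;; *) keep=0 ;; esac
  awk -v feed=".$RPZ_FEED." -v keep="$keep" '
    { n = index($1, feed) }
    n < 2 || index($1, ".rpz-ip.") > 0   { next }
    !keep && substr($1, 1, 1) == "*"      { next }
    { print substr($1, 1, n - 1) }'
}

# rpz_ip_cidrs: "24.0.99.168.192.rpz-ip.<feed>" encodes 192.168.99.0/24, i.e.
# prefix length first, then the octets in reverse; rebuild CIDR notation.
rpz_ip_cidrs() {
  awk -v feed=".rpz-ip.$RPZ_FEED." '
    { n = index($1, feed) }
    n > 1 && split(substr($1, 1, n - 1), o, ".") == 5 {
      print o[5] "." o[4] "." o[3] "." o[2] "/" o[1] }'
}

echo "# domains:";        printf '%s\n' "$ZONE" | rpz_domains
echo "# with wildcards:"; printf '%s\n' "$ZONE" | rpz_domains -w
echo "# ip triggers:";    printf '%s\n' "$ZONE" | rpz_ip_cidrs
```

Replace the here-string with `dig +noidnout axfr @$B1TD_SERVER $RPZ_FEED -y $KEY | rpz_domains > $OUTPUT_FILE` to use it against the live feed.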

DIG

C:\Users\bstafford>dig +multiline SOA oxford.ac.uk

; <<>> DiG 9.16.13 <<>> +multiline SOA oxford.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53038
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: aecc1f7029637c12010000006362486fdb80181a44d242ab (good)
;; QUESTION SECTION:
;oxford.ac.uk.          IN SOA

;; ANSWER SECTION:
oxford.ac.uk.           276 IN SOA raptor.dns.ox.ac.uk. hostmaster.ox.ac.uk. (
                                2021071362 ; serial
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                1209600    ; expire (2 weeks)
                                900        ; minimum (15 minutes)
                                )

;; Query time: 16 msec
;; SERVER: 172.16.1.1#53(172.16.1.1)
;; WHEN: Wed Nov 02 10:37:35 GMT Standard Time 2022
;; MSG SIZE  rcvd: 143

TTL is, in this case, the 24.

  • serial - Serial number of the latest DNS zone file version.
  • refresh - How frequently the secondary server should poll the SOA to get the latest DNS updates for the zone.
  • retry - How frequently the secondary server should poll the SOA to get the latest DNS updates for the zone if a refresh fails (e.g. if refresh is 3 hours but fails, try every hour until it works).
  • expire - How long the secondary server should wait, if it can't reach the SOA, until it (the secondary) dumps the zone.
  • minimum - Negative cache time. When the server responds to a query with “that record doesn't exist”, it includes this value, which means “don't ask me for this again until this time has expired”.

DIG Version Discovery

dig chaos txt version.bind @ns1.srv.lu.se +short

You should get the result “My name is BIND, James BIND!”

The following is a name server for coredns.io

dig chaos txt version.bind @linode.atoom.net +short
dig @x.x.x.x hostname.bind TXT CH
dig @x.x.x.x id.server TXT CH
dig @x.x.x.x version.bind TXT CH
dig @x.x.x.x version.server TXT CH

Dig from File

dig A -f list-of-fqdn.txt
for i in $(cat dns_input_fqdn.csv); do dig A @1.1.1.1 $i;done

Dig from file of domains, look for nameservers and print to file

for i in $(cat domains.txt); do echo "NS for $i" >> output; dig NS +short @8.8.8.8 $i >> output; echo "done" >> output;done

Dig in Loop

for i in {1..10}; do dig @1.1.1.1 +short A www.google.com ;sleep .1; done;

What Is My IP

What is my IP from the CLI with DNS

If you want to find your DNS resolver's egress IP, remove the @x.x.x.x bit of the commands below.

CloudFlare

dig @1.0.0.1 +short TXT ch whoami.cloudflare

Strip off the double quotes with awk on Linux

dig @1.0.0.1 +short txt ch whoami.cloudflare | awk -F'"' '{ print $2}'

DNS Crypt

dig @37.59.238.214 +short TXT resolver.dnscrypt.info
dig @37.59.238.214 +short TXT resolver.dnscrypt.info | grep Resolver | awk -F'"' '{ print $2}' | awk -F' ' '{ print $3}'

Google

dig @ns1.google.com +short TXT o-o.myaddr.l.google.com
dig @216.239.32.10 +short TXT o-o.myaddr.l.google.com

Strip off the double quotes with awk on Linux

dig @ns1.google.com +short TXT o-o.myaddr.l.google.com | awk -F'"' '{ print $2}'

Akamai

dig @ns1-1.akamaitech.net +short ANY whoami.akamai.net
dig @193.108.88.1 +short ANY whoami.akamai.net

OpenDNS

dig @resolver1.opendns.com +short A myip.opendns.com -4
dig @208.67.222.222 +short A myip.opendns.com -4

Host

The host command is a backup option

host myip.opendns.com resolver1.opendns.com

Time To Live TTL

dig A www.example.com @192.168.1.1 +noauthority +noquestion +noadditional +nostats +ttlunits

A tidier version is

dig A www.example.com @192.168.1.1 +ttlunits +noall +answer

Change Subnet

dig @10.1.1.1 app.demo.corp +subnet=2.2.2.0/24

In BIND the log will look something like the following (if the intermediate DNS server IP is 1.2.3.4 and 10.10.10.10 is the 'actual' IP of the authoritative DNS server):

11-January-2001 11:22:33.123 queries: info: client @0x6f6667722a8 1.2.3.4#42463 (www.example-com): query: www.example-com IN A +E(0)K (10.10.10.10) [ECS 2.2.2.0/24/0]

EDNS0 Subnet

dig +short @8.8.8.8 +subnet=41.33.12.0/24 3dzip.org

EDNS Opt

+ednsopt=65523:0a0a0a0a

This is 10.10.10.10 encoded as 0a0a0a0a

BloxOne accepts custom headers:

  • 65522 - Site ID
  • 65523 - Source IP
  • 65524 - Source MAC address
  • 65525 - unknown (the value 36adae19 converts to the decimal number 917351961, which converts to the IP 54.173.174.25)
  • 65526 - DNS View

Just convert ASCII to hex and numbers to hex (remove the dots from the IP and the colons from the MAC):

  • Source = 10.10.10.10
  • DNSView = prod
  • MAC = ab:cd:ef:12:34:56
  • dig example.com @52.119.40.100 +ednsopt=65523:0a0a0a0a +ednsopt=65526:70726F64 +ednsopt=65524:616263646566313233343536

Example: Option 65523 with value c0a8634e (Hex) converts to 3232260942 (Decimal) which converts to 192.168.99.78.

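An added example (not from the original page) that does the hex conversions above in the shell: it builds the three +ednsopt values for the sample client and decodes the 65523 and 65525 values quoted above. The option codes, server address and sample values are the page's; the function names are mine, and the assembled dig command is printed rather than run.

```shell
#!/bin/sh
# Added example, not from the original page: helpers that produce the hex
# values the +ednsopt options above expect (IP, ASCII string, MAC) and decode
# a received value the way the 65523 example does. Function names are mine;
# option codes, server address and sample values come from the page.
ip_to_hex()  { printf '%02x' $(printf '%s' "$1" | tr '.' ' '); }   # 10.10.10.10 -> 0a0a0a0a
str_to_hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }       # prod -> 70726f64
mac_to_hex() { str_to_hex "$(printf '%s' "$1" | tr -d ':')"; }      # MAC minus colons, as ASCII
hex_to_dec() { echo $((0x$1)); }                                     # c0a8634e -> 3232260942
hex_to_ip()  {                                                       # c0a8634e -> 192.168.99.78
  n=$((0x$1))
  printf '%d.%d.%d.%d' $((n >> 24 & 255)) $((n >> 16 & 255)) $((n >> 8 & 255)) $((n & 255))
}

# ednsopt_args IP VIEW MAC: the three +ednsopt arguments for one client, using
# the BloxOne codes listed above (65523 source IP, 65526 DNS view, 65524 MAC).
ednsopt_args() {
  printf '+ednsopt=65523:%s +ednsopt=65526:%s +ednsopt=65524:%s' \
    "$(ip_to_hex "$1")" "$(str_to_hex "$2")" "$(mac_to_hex "$3")"
}

# Assembled query for the page's example client (printed, not executed, so the
# block runs offline), then the two decodes the page walks through.
echo "dig example.com @52.119.40.100 $(ednsopt_args 10.10.10.10 prod ab:cd:ef:12:34:56)"
echo "65523=c0a8634e -> $(hex_to_dec c0a8634e) -> $(hex_to_ip c0a8634e)"
echo "65525=36adae19 -> $(hex_to_dec 36adae19) -> $(hex_to_ip 36adae19)"
```

The ASCII hex comes out lowercase (70726f64) where the page shows 70726F64; the bytes are identical.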

Client Identifier

What does “@0x7fbad80bda00” mean in a query message?

30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com @0x7fbad80bda00 IN A + (100.90.80.70)

Client object identifier in @0x<hexadecimal-number> format.

The @xxxxx is BIND’s client object identifier to indicate which object it is in the memory. This thread explains how this is useless to 99% of the users. It’s a “feature” added by BIND developers to help them debug.

Recursion Example

See how many queries are needed to resolve outlook.office365.com

NS .
NS com.
NS office365.com.
@NS A outlook.office365.com 
CNAME > ooc-g2.tm-4.office.com
NS office.com.
NS tm-4.office.com.
@NS A ooc-g2.tm-4.office.com
CNAME >  outlook.ms-acdc.office.com
NS ms-acdc.office.com.
@NS A outlook.ms-acdc.office.com
CNAME > LHR-efz.ms-acdc.office.com + IP addresses.

Message in TXT Lookup

dig +tcp txt run-d.m.c.never.watch

CNAME Recursion

If a query returns a CNAME chain (see below), and the BIND server that made the query (i.e. forwarded it to a recursor) is authoritative for, or conditionally forwards, a domain that appears in the CNAME chain (e.g. it forwards privatelink.azurewebsites.net to the Azure DNS resolver), then BIND will try to re-resolve that name using the conditional forwarder/authoritative zone even though it already has the answer. This means that, in the case below, the name won't resolve if you are forwarding privatelink.azurewebsites.net to Azure and haven't configured Azure to fall back to public resolution.

C:\Users\owner>dig A www.icaew.com

; <<>> DiG 9.16.38 <<>> A www.icaew.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25022
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 96da9888912f9092 (echoed)
;; QUESTION SECTION:
;www.icaew.com.                 IN      A

;; ANSWER SECTION:
www.icaew.com.          10      IN      CNAME   icaew-sitecore-cd-as.azurewebsites.net.
icaew-sitecore-cd-as.azurewebsites.net. 10 IN CNAME icaew-sitecore-cd-as.privatelink.azurewebsites.net.
icaew-sitecore-cd-as.privatelink.azurewebsites.net. 10 IN CNAME waws-prod-am2-217.sip.azurewebsites.windows.net.
waws-prod-am2-217.sip.azurewebsites.windows.net. 10 IN CNAME waws-prod-am2-217.westeurope.cloudapp.azure.com.
waws-prod-am2-217.westeurope.cloudapp.azure.com. 10 IN A 137.117.218.101

;; Query time: 162 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 22 13:15:59 GMT Summer Time 2025
;; MSG SIZE  rcvd: 503

Convert Domains to IP Lists

From a forum online but I can't remember which one. Stackoverflow?

#!/bin/bash
INPUT="b1td-doh.txt"

# IPv4
while IFS= read -r line
do
  dig +short -t "a" "$line" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" >> ipv4.list
done < "$INPUT"
sort -u ipv4.list | sort -h >> ipv4.list.new && mv ipv4.list.new ipv4.list

# IPv6
while IFS= read -r line
do
  dig +short -t "aaaa" "$line" | grep -oE "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))" >> ipv6.list
done < "$INPUT"
sort -u ipv6.list | sort -h >> ipv6.list.new && mv ipv6.list.new ipv6.list