Where allowed to run: All environments (*ALL)
Threadsafe: No
The Start DIG Query (STRDIGQRY) command, or its alias DIG, starts the Domain Information Groper tool.
DIG is a powerful query tool that allows you to retrieve information from or test the response of a Domain Name System (DNS) server. You can verify that a DNS server is responding correctly before you configure your system to use it. You can also retrieve DNS information about hosts, domains, and other DNS servers.
Unless it is told to query a specific name server, DIG will try each of the servers listed in CHGTCPDMN.
Restrictions:
| Top |
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| HOSTNAME | Query name | Character value, *DFT | Optional, Positional 1 |
| TYPE | Query type | *A, *AAAA, *ANY, *AXFR, *CNAME, *MX, *NS, *PTR, *SOA, *SRV, *TXT | Optional, Positional 2 |
| CLASS | Query class | *IN, *CH, *HS, *ANY | Optional |
| REVERSE | Reverse lookup | *NO, *YES, *IP6INT | Optional |
| DMNNAMSVR | Domain name server | Character value, *CFG | Optional |
| PORT | Domain name server port | 1-65535, 53 | Optional |
| TIMEOUT | Query timeout | 1-100, 5 | Optional |
| USEDMNSCHL | Use domain search list | *YES, *NO | Optional |
| DMNSCHLIST | Domain search list | Character value, *CFG, *NONE | Optional |
| SRCADR | Source address | Character value, *DFT, *ANY4, *LOOPBACK4, *ANY6, *LOOPBACK6 | Optional |
| BCHFILE | Batch input file | Path name, *NONE | Optional |
| IPVSN | IP Version | *ALL, *IPV4ONLY, *IPV6ONLY | Optional |
| PROTOCOL | Network protocol | *UDP, *TCP | Optional |
| SETRDFLAG | Recursion desired | *YES, *NO | Optional |
| SETAAFLAG | Authoritative answers only | Character value, *NO, *YES | Optional |
| SETADFLAG | Authentic data | *NO, *YES | Optional |
| SETCDFLAG | Disable DNSSEC checking | *NO, *YES | Optional |
| MULTILINE | Print multiple lines | *NO, *YES | Optional |
| SHORT | Print short answer | *NO, *YES | Optional |
| IDENTIFY | Print server in short answer | *NO, *YES | Optional |
| PRTQRY | Print query | *NO, *YES | Optional |
| PRTCLASS | Print RR class | *YES, *NO | Optional |
| PRTTTL | Print RR TTL | *YES, *NO | Optional |
| PRTALL | Print all query detail | *YES, *NO | Optional |
| CMD | Print query command | *DFT, *YES, *NO | Optional |
| COMMENTS | Print query comments | *DFT, *YES, *NO | Optional |
| STATS | Print query statistics | *DFT, *YES, *NO | Optional |
| QUESTION | Print question section | *DFT, *YES, *NO | Optional |
| ANSWER | Print answer section | *DFT, *YES, *NO | Optional |
| AUTHORITY | Print authority section | *DFT, *YES, *NO | Optional |
| ADDITIONAL | Print additional section | *DFT, *YES, *NO | Optional |
| KEYFILE | Key file | Path name, *NONE | Optional |
| KEYNAME | Key name | Character value, *NONE | Optional |
| STOPFAIL | Stop on SERVFAIL | *YES, *NO | Optional |
| UDPTRUNC | Ignore truncated responses | *RETRY, *IGNORE | Optional |
| NSSCH | List authoritative servers | *NO, *YES | Optional |
| TRACE | Trace delegation path | *NO, *YES | Optional |
| UDPTRIES | Times to try UDP query | 1-100, 3 | Optional |
| UDPNBRRTY | UDP retry | 0-100, 2 | Optional |
| NBRDOTS | Number of dots | 0-10, 1 | Optional |
| BUFSIZE | UDP buffer size for EDNS | 0-65535, 0 | Optional |
| EDNS | Set EDNS version | 0-255, 0 | Optional |
| NOEDNS | Clear EDNS version | *NO, *YES | Optional |
| BESTEFFORT | Best effort display | *NO, *YES | Optional |
| DNSSEC | Request DNSSEC records | *NO, *YES | Optional |
| SIGCHASE | Chase DNSSEC chains | *NO, *YES | Optional |
| TRUSTEDKEY | Trusted keys file | Path name, *NONE | Optional |
| TOPDOWN | DNSSEC top down validation | *NO, *YES | Optional |
| TOSTMF | Output file | Path name, *STDOUT | Optional |
| Top |
Specifies the name that you want the Domain Name System (DNS) server to supply information about. You can use either a name or an IP address to identify the resource record. For example, a name could be 'mycomputer.mycompany.com'. An IP address could be an IPv4 address like '10.0.1.100' or an IPv6 address like '2001:D88::1'. You can use either the name to obtain the address, or the address to obtain the name.
| Top |
Specifies the type of the query. The default type is *A. The list of supported query types changes with time, and not all servers support all the types that exist. This list provides some common query types for convenience and is not a complete list. If you do not see a query type you want in this list, you can still type in a character string that represents that query type. If the type is unknown by this BIND version, the query will default to an *A query with any corresponding results.
| Top |
Specifies the protocol group of the information.
DIG HOSTNAME('version.bind') TYPE(*TXT) CLASS(*CH)
DIG HOSTNAME('hostname.bind') TYPE(*TXT) CLASS(*CH)
DIG HOSTNAME('ID.SERVER') TYPE(*TXT) CLASS(*CH)
| Top |
Specifies if the value specified for the Query name (HOSTNAME) parameter is to be used as part of a reverse (PTR) query. A reverse lookup is when you map an IPv4 address in dotted-decimal notation or a colon-delimited IPv6 address to a name. Reverse lookups require the name to be in either the 'in-addr.arpa' (IPv4) or 'ip6.arpa' (IPv6) zone.
Reverse lookups are simplified by this option, as there is no need to format the NAME parameter or provide the TYPE and CLASS parameters. For an IPv4 address like 10.0.1.100, DIG reverses the IP address using byte (8-bit) format and sets the NAME parameter to 100.1.0.10.in-addr.arpa. DIG also sets the TYPE and CLASS parameters to *PTR and *IN, respectively.
By default, IPv6 addresses are queried using nibble (4-bit) format under the zone ip6.arpa (and not zone ip6.int). Thus, for an IPv6 address like 2001:D88::1, DIG will set the NAME parameter to 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.8.d.0.1.0.0.2.ip6.arpa. DIG also sets the TYPE and CLASS parameters to *PTR and *IN, respectively.
Note: For IPv4, a reverse lookup name is normally the IP address written in reverse order, separated by a dot at every 8-bit boundary (a 'byte' boundary), and it is delegated within the zone in-addr.arpa (i.e. 100.1.0.10.in-addr.arpa.). The notation for IPv6 is a bit different: it is also the IP address written backwards with dots as separators, but it is separated at every 4-bit boundary (a 'nibble' boundary) and the delegation is done within the zone ip6.arpa (e.g. 8.8.d.0.1.0.0.2.ip6.arpa.). In the past, the delegation for IPv6 addresses was done in the zone ip6.int, therefore today it might still be common and often necessary to query a delegation like 8.8.d.0.1.0.0.2.ip6.int.
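The byte and nibble formats described above, as an added example that is not part of the original documentation. It builds the PTR owner name for an address, with the legacy ip6.int zone as an option, and also goes beyond the text by decoding a PTR owner name (for instance one seen in a DNS query log) back into the address. The function names are hypothetical.

```python
import ipaddress

def reverse_name(address, ip6_int=False):
    """Build the PTR owner name for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # Byte format: one decimal label per octet, last octet first.
        return ".".join(str(b) for b in reversed(ip.packed)) + ".in-addr.arpa."
    # Nibble format: one hex label per 4 bits, last nibble first.
    zone = "ip6.int." if ip6_int else "ip6.arpa."
    return ".".join(reversed(ip.packed.hex())) + "." + zone

def address_from_reverse_name(name):
    """Recover the IP address from a PTR owner name; ValueError if malformed."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4 or not all(o.isdigit() for o in octets):
            raise ValueError("expected 4 decimal labels: " + name)
        # IPv4Address rejects octets above 255 with a ValueError subclass.
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] in (["ip6", "arpa"], ["ip6", "int"]):
        nibbles = labels[:-2]
        bad = any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles)
        if len(nibbles) != 32 or bad:
            raise ValueError("expected 32 hex nibble labels: " + name)
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    raise ValueError("not a reverse-lookup zone: " + name)
```

A partial name such as 0.10.in-addr.arpa. identifies a delegated zone rather than a host, so the decoder rejects it.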
| Top |
Specifies the name or the IP address of the DNS server that DIG will use as its current server for the query session. You can specify any DNS server to which your TCP/IP network has access.
DIG retrieves information from DNS servers. It needs an active DNS server to send its queries to. If you do not specify a DNS server with DMNNAMSVR when you start the tool, it will attempt to set one of the following as its default DNS server for the session:
| Top |
Specifies the default TCP/UDP name server port to use.
| Top |
Specifies the timeout interval, in seconds, to wait for a response.
| Top |
Specifies whether or not to use the search list defined by the Domain search list (DMNSCHLIST) parameter. The search list is not used by default.
| Top |
Specifies a single domain name for the search list. The default search list is set by running the Change TCP/IP Domain (CHGTCPDMN) command and specifying the DMNSCHLIST parameter. If more than one domain name is found, only the first domain name is used.
If DMNSCHLIST is specified, USEDMNSCHL(*YES) must also be specified.
| Top |
Specifies the source IP address to use when sending the query. Some DNS servers are configured to only allow queries from certain source addresses. This parameter allows you to use a specific source address if your system has multiple network interfaces.
| Top |
Specifies the file containing a list of query requests to be used as batch input. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to DIG using the PASE command-line interface. The purpose of using a file is to allow batch mode or scripting operation.
Format: [@global-server] [domain] [q-type] [q-class] {q-opt}
or
{global-d-opt} domain [@local-server] {local-d-opt}
or
[domain [@local-server] {local-d-opt} [...]]
Where:
domain is in the Domain Name System
q-type is one of (a,any,mx,ns,soa,...) [default:a]
(Use ixfr=version for type ixfr)
q-class is one of (in,hs,ch, ...) [default: in]
q-opt is one of:
-x dot-notation (shortcut for in-addr lookups)
-i (IP6.INT reverse IPv6 lookups)
-f filename (batch mode)
-b address[#port] (bind to source address/port)
-p port (specify port number)
-q name (specify query name)
-t type (specify query type)
-c class (specify query class)
-k keyfile (specify tsig key file)
-y [hmac:]name:key (specify named base64 tsig key)
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
d-opt is of the form +keyword[=value], where keyword is:
+[no]vc (TCP mode)
+[no]tcp (TCP mode, alternate syntax)
+time=### (Set query timeout) [5]
+tries=### (Set number of UDP attempts) [3]
+retry=### (Set number of UDP retries) [2]
+domain=### (Set default domainname)
+bufsize=### (Set EDNS0 Max UDP packet size)
+ndots=### (Set NDOTS value)
+edns=### (Set EDNS version)
+[no]search (Set whether to use searchlist)
+[no]showsearch (Search with intermediate results)
+[no]defname (Ditto)
+[no]recurse (Recursive mode)
+[no]all (Set or clear all display flags)
+[no]qr (Print question before sending)
+[no]nssearch (Search authoritative nameservers)
+[no]identify (ID responders in short answers)
+[no]trace (Trace delegation down from root)
+[no]dnssec (Request DNSSEC records)
+[no]sigchase (Chase DNSSEC signatures)
+trusted-key=#### (Trusted Key chasing DNSSEC sigs)
+[no]topdown (Do DNSSEC validation top down)
+[no]multiline (Print records in expanded format)
global d-opts and servers (before domain) affect all queries
local d-opts and servers (after domain) affect only that query
For example, you could put these lines into a file:
ibm.com aaaa in
aol.com mx
-q microsoft.com -t aaaa -c in
+recurse cisco.com @10.0.0.1 @10.0.0.2
@10.0.0.1 aa.com
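An added example, not part of the original documentation, of reviewing a batch input file before it is used: it tokenizes each line according to the format above and reports inline TSIG secrets (-y), zone-transfer requests, and servers outside an approved list. The finding labels, the approved-server list, the short type and class lists, and sample lines 6 and 7 are assumptions constructed for this example.

```python
# Constructed sample: the page's five example lines plus two added lines (6 and 7).
SAMPLE = """\
ibm.com aaaa in
aol.com mx
-q microsoft.com -t aaaa -c in
+recurse cisco.com @10.0.0.1 @10.0.0.2
@10.0.0.1 aa.com
example.com axfr @192.0.2.53
-y my-tsig-key:JNvcpnxysbJ2hsdOqQ5qrQ== example.com soa
"""

# q-opts from the page's format listing: those that take a value, and bare flags.
VALUE_OPTS = {"-x", "-f", "-b", "-p", "-q", "-t", "-c", "-k", "-y"}
FLAG_OPTS = {"-i", "-4", "-6"}
# Assumption: bare words are classified with these short lists; "any" counts as a type.
TYPES = {"a", "aaaa", "any", "axfr", "cname", "mx", "ns", "ptr", "soa", "srv", "txt"}
CLASSES = {"in", "ch", "hs"}

def parse_line(line):
    """Split one batch line into servers, names, types, classes and options."""
    q = {"servers": [], "names": [], "types": [], "classes": [], "d_opts": [], "q_opts": {}}
    tokens = iter(line.split())
    for tok in tokens:
        low = tok.lower()
        if tok.startswith("@"):
            q["servers"].append(tok[1:])
        elif tok.startswith("+"):
            q["d_opts"].append(tok[1:])
        elif tok in VALUE_OPTS:
            value = next(tokens, None)  # the option's argument is the next token
            if value is None:
                raise ValueError("option %s needs a value" % tok)
            q["q_opts"][tok] = value
            if tok in ("-q", "-x"):
                q["names"].append(value)
            elif tok == "-t":
                q["types"].append(value.lower())
            elif tok == "-c":
                q["classes"].append(value.lower())
        elif tok in FLAG_OPTS:
            q["q_opts"][tok] = True
        elif tok.startswith("-"):
            raise ValueError("unknown option " + tok)
        elif low in TYPES or low.startswith("ixfr="):
            q["types"].append(low)
        elif low in CLASSES:
            q["classes"].append(low)
        else:
            q["names"].append(tok)
    return q

def review(text, approved_servers):
    """Return (line number, finding) pairs for a batch file's contents."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        q = parse_line(line)  # a blank line parses to an empty query
        if "-y" in q["q_opts"]:
            findings.append((number, "inline-tsig-secret"))
        if any(t == "axfr" or t.startswith("ixfr=") for t in q["types"]):
            findings.append((number, "zone-transfer"))
        for server in q["servers"]:
            if server not in approved_servers:
                findings.append((number, "unapproved-server:" + server))
    return findings
```

Calling `review(SAMPLE, {"10.0.0.1", "10.0.0.2"})` leaves the page's five lines clean and reports only the two constructed lines.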
| Top |
Specifies whether to limit the query to IPv4 or IPv6 networks.
| Top |
Specifies whether to use TCP or UDP when sending requests to the server.
| Top |
Specifies whether or not to set the Recursion Desired (RD) flag in the query. This tells the current DNS server to query other DNS servers if the current server does not have the information.
| Top |
Specifies whether or not to set the Authoritative Answers (AA) flag in the query. This indicates that you want the response to be from an authoritative server and not from the cache of a non-authoritative server. Authoritative servers own the domain being queried.
| Top |
Specifies whether or not to set the Authentic Data (AD) flag in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
| Top |
Specifies whether or not to set the Checking Disabled (CD) flag in the query. This requests the server to not perform DNSSEC validation of responses.
| Top |
Specifies whether or not to print records, like the SOA record, in a verbose multi-line format with human-readable comments.
| Top |
Specifies whether or not DIG should provide a terse answer.
| Top |
Specifies whether or not to display the IP address and port number of the server that supplied the answer when the SHORT(*YES) parameter is specified.
Note: This parameter is ignored if SHORT(*NO) is specified.
| Top |
Specifies whether or not to print the query as it is sent.
| Top |
Specifies whether or not to print the CLASS when printing the record.
| Top |
Specifies whether or not to print the Time To Live (TTL) in the record output.
| Top |
Specifies whether to set or clear all print flags. You use this parameter in conjunction with other print parameters. This allows you to print only the output you are interested in. The shipped default is *YES for the CMD, COMMENTS, STATS, QUESTION, ANSWER, AUTHORITY and ADDITIONAL parameters.
For example, you could use the PRTALL parameter as follows:
DIG PRTALL(*NO) QUESTION(*YES) ANSWER(*YES)
The PRTALL(*NO) parameter turns off all print flags, and the QUESTION(*YES) and ANSWER(*YES) flags override the PRTALL(*NO) parameter to print only the question and answer sections of the DIG output.
| Top |
Specifies whether to print the initial comment in the output identifying the version of DIG and the query options that have been applied.
| Top |
Specifies whether to print comment lines in the output.
| Top |
Specifies whether to print query statistics, like when the query was made or the size of the reply.
| Top |
Specifies whether to print the question section of a reply.
| Top |
Specifies whether to print the answer section of a reply.
| Top |
Specifies whether to print the authority section of a reply.
| Top |
Specifies whether to print the additional section of a reply.
| Top |
Specifies a Transaction Signature (TSIG) key file to sign the DNS queries. The DNS server that is queried needs to be configured with the TSIG key and algorithm that is being used or the transaction will fail.
This key must be a base-64 encoding of an HMAC-MD5 key.
Note: If this parameter is specified, the KEYNAME parameter cannot be specified.
The DNS server being queried needs to include this key name and algorithm in its configuration in order to accept this TSIG key from clients.
| Top |
Specifies a Transaction Signature (TSIG) key to sign the DNS queries. The key is a base-64 encoded string. The DNS server that is queried needs to be configured with the TSIG key and algorithm that is being used or the transaction will fail.
Note: If this parameter is specified, the KEYFILE parameter cannot be specified.
my-tsig-key:JNvcpnxysbJ2hsdOqQ5qrQ==
The key name in this case is 'my-tsig-key' and the base-64 encoded key is 'JNvcpnxysbJ2hsdOqQ5qrQ=='.
The DNS server being queried needs to include this key and algorithm in its configuration in order to accept this TSIG key from clients.
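An added example, not part of the original documentation, that checks a TSIG key string before it is configured on a client or server: it parses the `[hmac:]name:key` form, verifies that the key is valid base-64, and reports a key copied from this page or one shorter than the algorithm's digest. The finding labels and the default of hmac-md5 when no algorithm is given are assumptions of this example.

```python
import base64
import binascii

# The key printed as an example on this page; a real deployment must not reuse it.
DOCUMENTED_SAMPLE_KEY = "JNvcpnxysbJ2hsdOqQ5qrQ=="
# HMAC digest sizes in bytes; a key shorter than the digest weakens the MAC.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}

def parse_tsig_spec(spec):
    """Parse '[hmac:]name:key' into (algorithm, key name, raw key bytes)."""
    parts = spec.split(":")
    if len(parts) == 2:
        algorithm = "hmac-md5"  # assumption: default when no algorithm is given
        name, key_b64 = parts
    elif len(parts) == 3:
        algorithm, name, key_b64 = parts[0].lower(), parts[1], parts[2]
    else:
        raise ValueError("expected [hmac:]name:key")
    if not name:
        raise ValueError("empty key name")
    if algorithm not in DIGEST_BYTES:
        raise ValueError("unknown algorithm " + algorithm)
    try:
        key = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key is not valid base-64") from exc
    return algorithm, name, key

def audit_tsig_spec(spec):
    """Return a list of findings for one key string; empty means no finding."""
    algorithm, name, key = parse_tsig_spec(spec)
    findings = []
    if spec.split(":")[-1] == DOCUMENTED_SAMPLE_KEY:
        findings.append("documentation-sample-key")
    if len(key) < DIGEST_BYTES[algorithm]:
        findings.append("key-shorter-than-digest")
    return findings
```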
| Top |
Specifies whether to stop or try the next server if you receive a SERVFAIL response. The default is to not try the next server, which is the reverse of normal stub resolver behaviour.
| Top |
Specifies whether to ignore truncation in UDP responses or retry with TCP.
| Top |
Specifies whether or not DIG should attempt to find the authoritative DNS servers for the zone containing the name being looked up (HOSTNAME parameter) and print the Start of Authority (SOA) record that each name server has for the zone.
| Top |
Specifies whether or not to trace the delegation path from the root name servers for the name being looked up. When tracing is enabled, DIG makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. You must have access to the root servers for this option.
| Top |
Specifies how many times to try UDP queries to the current DNS server before attempting TCP queries.
| Top |
Specifies the number of times to retry UDP queries to the current DNS server before attempting TCP queries.
| Top |
Specifies the number of dots (period characters) that have to appear in a domain name for it to be considered absolute.
Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the DMNSCHLIST parameter.
| Top |
Specifies the UDP message buffer size advertised using EDNS(0).
| Top |
Specifies the EDNS version to use with queries. Setting the EDNS version will cause an EDNS query to be sent. The Clear EDNS version (NOEDNS) parameter clears the remembered EDNS version.
If EDNS is specified, the NOEDNS parameter must not be specified.
Resolvers and servers can negotiate with other servers to set a UDP message size larger than the 512 byte default. Typically, they will attempt to negotiate a 4096 byte UDP packet size with a remote server. This negotiation requires the remote server to support EDNS. If the remote server does not support EDNS, then the original 512 byte limit remains the UDP default.
You can use the BUFSIZE parameter to control the size of the negotiated UDP packets.
| Top |
Specifies that the value set by a previous DIG invocation with the Set EDNS version (EDNS) parameter specified is to be cleared.
If NOEDNS is specified, the EDNS parameter must not be specified.
| Top |
Specifies whether or not to attempt to print the contents of messages which are malformed.
| Top |
Specifies whether or not to request DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
| Top |
Specifies whether or not to chase DNSSEC signature chains. This attempts to verify SIG records that belong to the record and further will try to verify them recursively for all the keys and DS that form the chain of trust all the way up to any self-signed or unsigned key.
If SIGCHASE(*YES) is specified, DNSSEC(*YES) must also be specified.
| Top |
Specifies a file containing trusted keys to be used with the SIGCHASE parameter. Each DNSKEY record must be on its own line.
If a value other than *NONE is specified, SIGCHASE(*YES) must also be specified.
| Top |
Specifies, when chasing DNSSEC signature chains, whether or not to perform a top down validation (from the root '.' to the leaf nodes).
If TOPDOWN(*YES) is specified, SIGCHASE(*YES) must also be specified.
| Top |
Specifies the name of a stream file where all command output is written.
| Top |
Example 1: Forward Lookup Example - Long
STRDIGQRY HOSTNAME('ibm.com')
DMNNAMSVR(*CFG)
This command illustrates a simple query for a domain named 'ibm.com'. It will use the configured DNS server on the system. By default it will look up record type *A and class *IN. The output from this command might look like this:
; <<>> DiG 9.4.1.i5/OS.V6R1M0 <<>> ibm.com @10.0.1.100
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 510
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;ibm.com. IN A
;; ANSWER SECTION:
ibm.com. 9559 IN A 129.42.18.103
ibm.com. 9559 IN A 129.42.16.103
ibm.com. 9559 IN A 129.42.17.103
;; AUTHORITY SECTION:
ibm.com. 9559 IN NS leda2.ibm.com.
ibm.com. 9559 IN NS castor.ibm.com.
ibm.com. 9559 IN NS pollux.ibm.com.
;; ADDITIONAL SECTION:
leda2.ibm.com. 9559 IN A 9.14.1.3
castor.ibm.com. 9559 IN A 9.78.1.2
pollux.ibm.com. 9559 IN A 9.46.1.2
;; Query time: 13 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Sat Aug 5 11:11:18 2006
;; MSG SIZE rcvd: 183
Example 2: Forward Lookup Example - Short
DIG HOSTNAME('ibm.com')
DMNNAMSVR(*CFG)
SHORT(*YES)
IDENTIFY(*YES)
This command illustrates the same query as in example 1, but with shorter output.
129.42.18.103 from server 10.0.1.100 in 1 ms.
129.42.16.103 from server 10.0.1.100 in 2 ms.
129.42.17.103 from server 10.0.1.100 in 2 ms.
Example 3: Reverse Lookup Example
DIG HOSTNAME('10.0.1.100')
REVERSE(*YES)
This command illustrates a simple reverse query for a host with IPv4 address '10.0.1.100'. It will use the configured DNS server on the system (seen with the CHGTCPDMN command). By default it will look up name '100.1.0.10.in-addr.arpa.' and record type PTR and class *IN. This is equivalent to the following command:
DIG HOSTNAME('100.1.0.10.in-addr.arpa')
TYPE(*PTR)
CLASS(*IN)
The output from this type of query might look like this:
; <<>> DiG 9.4.1.i5/OS.V6R1M0 <<>> -x 10.0.1.100 @10.0.1.100
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 609
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;100.1.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.1.0.10.in-addr.arpa. 86400 IN PTR mydns1.i5os.ibm.com.
;; AUTHORITY SECTION:
0.10.in-addr.arpa. 86400 IN NS mydns1.i5os.ibm.com.
;; ADDITIONAL SECTION:
mydns2.i5os.ibm.com. 47409 IN A 10.0.2.200
;; Query time: 994 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Sat Aug 5 11:32:16 2006
;; MSG SIZE rcvd: 119
Example 4: DIG with Searchlist
STRDIGQRY HOSTNAME(time)
TYPE(*ANY)
CLASS(*IN)
USEDMNSCHL(*YES)
DMNSCHLIST(nist.gov)
This command queries for any records associated with the name 'time'. If this query fails, then DIG will retry the query by appending the domain 'ibm.com' from the searchlist to the name.
The output from this type of query might look like this:
; <<>> DiG 9.4.1.i5/OS.V6R1M0 <<>> -q time -t any -c in @10.0.1.100 +search +domain=nist.gov
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1336
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;time.nist.gov. IN ANY
;; ANSWER SECTION:
time.nist.gov. 287 IN A 192.43.244.18
;; AUTHORITY SECTION:
nist.gov. 65982 IN NS ns1.nist.gov.
nist.gov. 65982 IN NS dns-x.boulder.nist.gov.
;; ADDITIONAL SECTION:
ns1.nist.gov. 283 IN A 129.6.13.2
dns-x.boulder.nist.gov. 40652 IN A 132.163.4.9
;; Query time: 1038 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Sat Aug 5 11:36:18 2006
;; MSG SIZE rcvd: 125
Example 5: Suppression of Response Sections
DIG HOSTNAME(time.nist.gov)
TYPE(*ANY)
CLASS(*IN)
PRTALL(*NO)
QUESTION(*YES)
ANSWER(*YES)
This command is similar to Example 4, except we suppressed most of the response sections using the PRTALL(*NO) parameter, and then overrode that setting for the question section using QUESTION(*YES) and the answer section using ANSWER(*YES).
The output from this type of query might look like this:
;time.nist.gov. IN ANY
time.nist.gov. 673 IN A 192.43.244.18
| Top |
*ESCAPE Messages
| Top |