Drill: Debug DNS with dig

Goal

Use dig to perform DNS lookups, trace delegation chains, query specific servers, and perform reverse lookups.

Setup

  • Linux system with dig installed (part of dnsutils or bind-utils)
  • Network access to DNS servers

Commands

Basic lookup:

dig example.com

Get just the answer (short form):

dig +short example.com
dig +short example.com AAAA

Query a specific DNS server:

dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

Trace the full delegation chain from root:

dig +trace example.com

Look up specific record types:

dig example.com MX
dig example.com TXT
dig example.com NS
dig example.com SOA

Reverse DNS lookup:

dig -x 8.8.8.8

Check whether a resolver is serving a record from cache (show the remaining TTL; it counts down on repeated queries when cached):

dig +noall +answer +ttlid example.com

Query with no recursion (test authoritative server):

dig +norecurse @ns1.example.com example.com

What to Look For

  • NOERROR status with empty answer section means the name exists but has no records of that type
  • NXDOMAIN means the domain does not exist at all
  • SERVFAIL often indicates DNSSEC validation failure or upstream issues
  • TTL values tell you how long until the record expires from cache
  • +trace shows each delegation step from root to authoritative server
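The following is an added example, not part of the drill, that applies these rules to saved dig output so they can be practised without network access. The two responses are constructed sample text, and the 192.0.2.x addresses are documentation space.

```shell
# Added example, not part of the drill: interpret a saved dig response offline.
# Both sample responses below are constructed (192.0.2.0/24 is documentation space).
SAMPLE_A=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.        300   IN  A  192.0.2.1
example.com.        86400 IN  A  192.0.2.2'

SAMPLE_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# Status (NOERROR, NXDOMAIN, SERVFAIL, ...) taken from the ->>HEADER<<- line.
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# Number of records in the ANSWER section, taken from the flags line.
dig_answer_count() { printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p'; }

# Smallest TTL among ANSWER records (when a cache must refetch); empty if none.
dig_min_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/          { in_ans = 0 }
        in_ans && $2 ~ /^[0-9]+$/ { if (min == "" || $2 + 0 < min + 0) min = $2 }
        END { print min }'
}

# One-line diagnosis following the "What to Look For" rules above.
interpret() {
    status=$(dig_status "$1"); count=$(dig_answer_count "$1")
    case "$status" in
        NOERROR)
            if [ "${count:-0}" -eq 0 ]; then
                echo "NOERROR with empty answer: name exists but has no records of that type"
            else
                echo "NOERROR: $count answer(s), min TTL $(dig_min_ttl "$1")s"
            fi ;;
        NXDOMAIN) echo "NXDOMAIN: the name does not exist" ;;
        SERVFAIL) echo "SERVFAIL: check DNSSEC validation or the upstream resolver" ;;
        *)        echo "unrecognised status: ${status:-none}" ;;
    esac
}

# With live output: interpret "$(dig example.com)"
interpret "$SAMPLE_A"
interpret "$SAMPLE_EMPTY"
```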

Common Mistakes

  • Not comparing results between local resolver and public DNS (caching differences)
  • Forgetting that +trace bypasses local cache and queries from root
  • Confusing CNAME chains with the actual A/AAAA answer
  • Not checking the AUTHORITY section for NS delegation information

Cleanup

No cleanup needed. dig is a read-only query tool.