How to profile domain DNS records with dig

A domain's public DNS profile explains how resolvers see its web addresses, mail routing, authority, and policy records. dig can collect that profile from a terminal, which helps during DNS migrations, mail cutovers, certificate reviews, and incident notes that need exact answer rows.

The +noall +answer options keep each lookup focused on returned answer records instead of headers and timing detail. Checking one record family at a time also makes empty answers easier to interpret because an absent CAA record, a null MX record, and a missing address record all mean different things.

Use the same domain and resolver while building the profile. TTL values count down in resolver cache, so repeated checks can show different TTL numbers even when the underlying record data and SOA serial have not changed.

Related: How to query DNS records with dig
Related: How to compare DNS answers across resolvers with dig
Tool: DNS Configuration Report

Steps to profile domain DNS records with dig:

  1. Query A records for IPv4 address coverage. 
    $ dig +noall +answer example.com A
example.com.		234	IN	A	104.20.23.154
example.com.		234	IN	A	172.66.147.243

    Replace example.com with the domain apex or exact hostname being profiled. Address records prove name resolution only; they do not prove HTTP, TLS, SSH, or application health.

  2. Query AAAA records for IPv6 address coverage. 
    $ dig +noall +answer example.com AAAA
example.com.		337	IN	AAAA	2606:4700:10::6814:179a
example.com.		337	IN	AAAA	2606:4700:10::ac42:93f3

    No AAAA answer can be expected for IPv4-only services. Treat it as a design check before calling it an outage.

  3. Query MX records for inbound mail routing. 
    $ dig +noall +answer example.com MX
example.com.		377	IN	MX	0 .

    The 0 . answer is a null MX record, which declares that the domain does not accept inbound mail.

  4. Query NS records for delegated name servers. 
    $ dig +noall +answer example.com NS
example.com.		4502	IN	NS	hera.ns.cloudflare.com.
example.com.		4502	IN	NS	elliott.ns.cloudflare.com.
  5. Query the SOA record for zone authority and serial context. 
    $ dig +noall +answer example.com SOA
example.com.		2252	IN	SOA	elliott.ns.cloudflare.com. dns.cloudflare.com. 2407636105 10000 2400 604800 1800

    The SOA answer shows the primary server, responsible mailbox, serial, refresh, retry, expire, and negative-cache values for the zone view returned by the resolver.

  6. Query apex TXT records for visible policy and verification text. 
    $ dig +noall +answer example.com TXT
example.com.		377	IN	TXT	"v=spf1 -all"
example.com.		377	IN	TXT	"_k2n1y4vw3qtb4skdx9e7dxt97qrmmq9"

    TXT records can mix SPF policy, service verification, and other text values. Read each returned value before treating it as mail policy.

  7. Query DMARC policy at the dedicated owner name. 
    $ dig +noall +answer _dmarc.example.com TXT
_dmarc.example.com.	377	IN	TXT	"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s"

    DMARC is checked below _dmarc, not at the apex TXT owner name.

  8. Query CAA records for certificate-authority policy. 
    $ dig +noall +answer example.com CAA

    No output with +answer means the resolver returned no visible answer rows for that type. Absence of CAA does not by itself block normal certificate issuance.

  9. Recheck one authority record through a named public resolver before sharing the profile. 
    $ dig @1.1.1.1 +noall +answer example.com SOA
example.com.		1800	IN	SOA	elliott.ns.cloudflare.com. dns.cloudflare.com. 2407636105 10000 2400 604800 1800

    Compare the serial and owner data, not only the TTL. Different TTL values can reflect resolver cache age.
    Related: How to compare DNS answers across resolvers with dig