DNS records answer typed questions about a name, such as which address it uses, where its mail goes, or which text policy it publishes. dig sends one DNS question and prints the response, which makes it a focused check before or after a zone edit, resolver change, mail cutover, or certificate validation task.
A normal dig lookup uses the resolver configured on the local system unless a specific server is named. The response shows a DNS status, the question that was sent, the number of answer rows, TTL values, and the returned record data. That output is evidence for the resolver path that answered, not proof that every public cache has the same value.
Choose the record type that matches the operational question. A and AAAA records check addresses, MX records check mail routing, TXT records check verification and policy strings, and CNAME records check aliases. A response can be successful and still contain no answer rows for the requested type, so read the status and the answer count before changing DNS.
Steps to query DNS records with dig:
- Query the name and record type with dig.
$ dig +noall +comments +question +answer example.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40568
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 297 IN A 172.66.147.243
example.com. 297 IN A 104.20.23.154
NOERROR means the resolver returned a DNS response for the name. The ANSWER count shows how many answer rows matched the requested type.
- Read each answer row from left to right.
The fields are owner name, TTL in seconds, class, record type, and record data. For an A lookup, the data field is the IPv4 address returned for the owner name.
- Print only the answer rows when the status has already been checked.
$ dig +noall +answer example.com A
example.com. 297 IN A 172.66.147.243
example.com. 297 IN A 104.20.23.154
TTL values can count down in the resolver cache, so the exact number may differ between repeated runs.
- Query a different record type when the DNS change is not an address record.
$ dig +noall +answer -t TXT example.com
example.com. 187 IN TXT "v=spf1 -all"
example.com. 187 IN TXT "_k2n1y4vw3qtb4skdx9e7dxt97qrmmq9"
The -t option makes the requested type explicit. Use the same position for types such as AAAA, MX, CNAME, NS, or CAA.
- Check the status when no answer row appears.
$ dig +noall +comments +question +answer no-such-host.invalid A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52507
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;no-such-host.invalid. IN A
NXDOMAIN means the queried name does not exist. NOERROR with ANSWER: 0 means the name exists from that resolver's view but has no records of the requested type.
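The status-and-count check from the steps above can be scripted so a zone edit or mail cutover does not proceed on an empty or failed response. This is an added example, not part of the original page: the function names, verdict strings (NODATA is the usual name for NOERROR with ANSWER: 0) and sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn dig's header status and ANSWER count into one verdict.
# Reads `dig +noall +comments +answer NAME TYPE` output on stdin and prints
# "ANSWER <n>", "NODATA", "NXDOMAIN", "ERROR <status>" or "NO-RESPONSE".
classify_dig() {
    awk '
        /->>HEADER<<-/ {          # header line carries "status: NOERROR,"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {            # flags line carries "ANSWER: 2,"
            for (i = 1; i < NF; i++)
                if ($i == "ANSWER:") { count = $(i + 1); sub(/,$/, "", count) }
        }
        END {
            if (status == "")              print "NO-RESPONSE"   # no header: timeout or no server
            else if (status == "NXDOMAIN") print "NXDOMAIN"      # name does not exist
            else if (status != "NOERROR")  print "ERROR " status # SERVFAIL, REFUSED, ...
            else if (count + 0 == 0)       print "NODATA"        # name exists, no rows of this type
            else                           print "ANSWER " count
        }
    '
}

# Hypothetical wrapper for live use (needs network), e.g.: check_record example.com MX
check_record() {
    dig +noall +comments +answer "$1" "$2" | classify_dig
}

# Constructed sample responses, modeled on the outputs shown in the steps above.
SAMPLE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40568
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com. 297 IN A 172.66.147.243
example.com. 297 IN A 104.20.23.154'
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52507
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Offline demo: prints one verdict per constructed sample.
for sample in "$SAMPLE_ANSWER" "$SAMPLE_NODATA" "$SAMPLE_NXDOMAIN"; do
    printf '%s\n' "$sample" | classify_dig
done
```

The verdict describes only the resolver that answered, so run the wrapper against each resolver path that matters before treating a change as visible.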
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.