DNS traces using dig

dig is a flexible and powerful tool for investigating the DNS. It ships with the well-known BIND package and is an advanced version of the "host" and "nslookup" commands. With dig, we can generate any kind of DNS request and display a full decoding of the DNS response. (cf. Dig Manual Page)

Example 1 : "dig" (== "dig . NS")

; --- DiG 9.2.1rc2 ---
;; ==HEADER== opcode: QUERY, status: NOERROR, id: 59594
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			238778	IN	NS	H.ROOT-SERVERS.NET.
.			238778	IN	NS	C.ROOT-SERVERS.NET.
.			238778	IN	NS	G.ROOT-SERVERS.NET.
.			238778	IN	NS	F.ROOT-SERVERS.NET.
.			238778	IN	NS	B.ROOT-SERVERS.NET.
.			238778	IN	NS	J.ROOT-SERVERS.NET.
.			238778	IN	NS	K.ROOT-SERVERS.NET.
.			238778	IN	NS	L.ROOT-SERVERS.NET.
.			238778	IN	NS	M.ROOT-SERVERS.NET.
.			238778	IN	NS	I.ROOT-SERVERS.NET.
.			238778	IN	NS	E.ROOT-SERVERS.NET.
.			238778	IN	NS	D.ROOT-SERVERS.NET.
.			238778	IN	NS	A.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
H.ROOT-SERVERS.NET.	325178	IN	A	128.63.2.53
C.ROOT-SERVERS.NET.	325178	IN	A	192.33.4.12
G.ROOT-SERVERS.NET.	325178	IN	A	192.112.36.4
F.ROOT-SERVERS.NET.	325178	IN	A	192.5.5.241
B.ROOT-SERVERS.NET.	325178	IN	A	128.9.0.107
J.ROOT-SERVERS.NET.	325178	IN	A	198.41.0.10
K.ROOT-SERVERS.NET.	325178	IN	A	193.0.14.129
L.ROOT-SERVERS.NET.	325178	IN	A	198.32.64.12
M.ROOT-SERVERS.NET.	325178	IN	A	202.12.27.33
I.ROOT-SERVERS.NET.	325178	IN	A	192.36.148.17
E.ROOT-SERVERS.NET.	325178	IN	A	192.203.230.10
D.ROOT-SERVERS.NET.	325178	IN	A	128.8.10.90
A.ROOT-SERVERS.NET.	325178	IN	A	198.41.0.4

;; Query time: 38 msec
;; SERVER: 157.159.10.12#53(157.159.10.12)
;; WHEN: Tue May  7 13:24:48 2002
;; MSG SIZE  rcvd: 436

Hints: the 13 well-known root servers, and glue.

Example 2 "dig int-evry.fr SOA +multiline"

; <<>> DiG 9.2.2rc1 <<>> int-evry.fr SOA +multiline
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;int-evry.fr.           IN SOA

;; ANSWER SECTION:
int-evry.fr.            172800 IN SOA diamant.int-evry.fr. admin.int-evry.fr. (
                                2003043000 ; serial
                                21600      ; refresh (6 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                172800     ; minimum (2 days)
                                )

;; AUTHORITY SECTION:
int-evry.fr.            172800 IN NS diamant.int-evry.fr.
int-evry.fr.            172800 IN NS ns2.nic.fr.
int-evry.fr.            172800 IN NS ns4.enst.fr.
int-evry.fr.            172800 IN NS pompei.int-evry.fr.

;; ADDITIONAL SECTION:
pompei.int-evry.fr.     172800 IN A 157.159.11.13
diamant.int-evry.fr.    172800 IN A 157.159.10.12

;; Query time: 6 msec
;; SERVER: 157.159.100.81#53(157.159.100.81)
;; WHEN: Fri May  2 09:25:03 2003
;; MSG SIZE  rcvd: 191

Hints: Zone definition: SOA, NS, Glue. NB: in SOA, "minimum" must be read as "Negative Cache TTL".

Example 3 "dig +trace bonemine.ipv6.int-evry.fr AAAA"

; --- DiG 9.2.1rc2 ---  +trace ipv6.int-evry.fr
.			500116	IN	NS	D.ROOT-SERVERS.NET.
.			500116	IN	NS	A.ROOT-SERVERS.NET.
.			500116	IN	NS	H.ROOT-SERVERS.NET.
.			500116	IN	NS	C.ROOT-SERVERS.NET.
.			500116	IN	NS	G.ROOT-SERVERS.NET.
.			500116	IN	NS	F.ROOT-SERVERS.NET.
.			500116	IN	NS	B.ROOT-SERVERS.NET.
.			500116	IN	NS	J.ROOT-SERVERS.NET.
.			500116	IN	NS	K.ROOT-SERVERS.NET.
.			500116	IN	NS	L.ROOT-SERVERS.NET.
.			500116	IN	NS	M.ROOT-SERVERS.NET.
.			500116	IN	NS	I.ROOT-SERVERS.NET.
.			500116	IN	NS	E.ROOT-SERVERS.NET.
;; Received 436 bytes from 192.93.0.4#53(ns2.nic.fr) in 18 ms

fr.			172800	IN	NS	DNS.CS.WISC.EDU.
fr.			172800	IN	NS	NS1.NIC.fr.
fr.			172800	IN	NS	NS3.NIC.fr.
fr.			172800	IN	NS	DNS.INRIA.fr.
fr.			172800	IN	NS	NS2.NIC.fr.
fr.			172800	IN	NS	NS.EU.NET.
fr.			172800	IN	NS	DNS.PRINCETON.EDU.
fr.			172800	IN	NS	NS-EXT.VIX.COM.
;; Received 352 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 103 ms

int-evry.fr.		345600	IN	NS	ns2.nic.fr.
int-evry.fr.		345600	IN	NS	diamant.int-evry.fr.
int-evry.fr.		345600	IN	NS	etna.int-evry.fr.
;; Received 145 bytes from 128.105.2.10#53(DNS.CS.WISC.EDU) in 124 ms

ipv6.int-evry.fr.       172800  IN      NS      hugo.int-evry.fr.
ipv6.int-evry.fr.       172800  IN      NS      diamant.int-evry.fr.
ipv6.int-evry.fr.       172800  IN      NS      zeratul.ipv6.int-evry.fr.
;; Received 182 bytes from 2001:660:3005:1::1:2#53(ns2.nic.fr) in 27 ms

bonemine.ipv6.int-evry.fr. 86400 IN     AAAA    2001:660:3203:1000:203:baff:fe0e:52ab
ipv6.int-evry.fr.       86400   IN      NS      hugo.int-evry.fr.
ipv6.int-evry.fr.       86400   IN      NS      diamant.int-evry.fr.
ipv6.int-evry.fr.       86400   IN      NS      zeratul.ipv6.int-evry.fr.
;; Received 210 bytes from 157.159.100.81#53(hugo.int-evry.fr) in 3 ms

Hints : iterative resolution simulation.

Example 4 "dig int-evry.fr ANY" and "dig @ns1.nic.fr int-evry.fr ANY"

; --- DiG 9.2.1rc2 --- int-evry.fr any
;; ==HEADER== opcode: QUERY, status: NOERROR, id: 44675
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 7

;; QUESTION SECTION:
;int-evry.fr.			IN	ANY

;; ANSWER SECTION:
int-evry.fr.		172800	IN	MX	60 sparte.int-evry.fr.
int-evry.fr.		172800	IN	MX	80 anaconda.int-evry.fr.
int-evry.fr.		172800	IN	MX	90 smtp2.enst.fr.
int-evry.fr.		172800	IN	NS	diamant.int-evry.fr.
int-evry.fr.		172800	IN	NS	etna.int-evry.fr.
int-evry.fr.		172800	IN	NS	hugo.int-evry.fr.
int-evry.fr.		172800	IN	NS	ns2.nic.fr.
int-evry.fr.		172800	IN	SOA	diamant.int-evry.fr. admin.int-evry.fr. 2002050200 21600 3600 1209600 172800

;; AUTHORITY SECTION:
int-evry.fr.		172800	IN	NS	diamant.int-evry.fr.
int-evry.fr.		172800	IN	NS	etna.int-evry.fr.
int-evry.fr.		172800	IN	NS	hugo.int-evry.fr.
int-evry.fr.		172800	IN	NS	ns2.nic.fr.

;; ADDITIONAL SECTION:
sparte.int-evry.fr.	172800	IN	A	157.159.10.11
anaconda.int-evry.fr.	172800	IN	A	157.159.15.5
smtp2.enst.fr.		191	IN	A	137.194.2.14
diamant.int-evry.fr.	172800	IN	A	157.159.10.12
etna.int-evry.fr.	172800	IN	A	157.159.110.67
hugo.int-evry.fr.	172800	IN	A	157.159.100.81
ns2.nic.fr.		65611	IN	A	192.93.0.4

;; Query time: 2 msec
;; SERVER: 157.159.10.12#53(157.159.10.12)
;; WHEN: Tue May  7 13:27:08 2002
;; MSG SIZE  rcvd: 396

; --- DiG 9.2.1rc2 --- @ns1.nic.fr int-evry.fr any
;; ==HEADER== opcode: QUERY, status: NOERROR, id: 22218
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;int-evry.fr.			IN	ANY

;; ANSWER SECTION:
int-evry.fr.		345600	IN	NS	diamant.int-evry.fr.
int-evry.fr.		345600	IN	NS	etna.int-evry.fr.
int-evry.fr.		345600	IN	NS	ns2.nic.fr.

;; AUTHORITY SECTION:
int-evry.fr.		345600	IN	NS	diamant.int-evry.fr.
int-evry.fr.		345600	IN	NS	etna.int-evry.fr.
int-evry.fr.		345600	IN	NS	ns2.nic.fr.

;; ADDITIONAL SECTION:
diamant.int-evry.fr.	345600	IN	A	157.159.10.12
etna.int-evry.fr.	345600	IN	A	157.159.110.16
ns2.nic.fr.		172800	IN	A	192.93.0.4

;; Query time: 11 msec
;; SERVER: 192.93.0.1#53(ns1.nic.fr)
;; WHEN: Tue May  7 13:46:10 2002
;; MSG SIZE  rcvd: 182

Hints: ns1.nic.fr is authoritative for "fr.". Invalid delegation: the address of "etna" differs between the parent zone and the child zone.
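
The parent/child comparison behind this hint can be automated. The following is an added example, not part of the original page: function names are hypothetical, the two inputs are constructed excerpts of the Example 4 outputs, and it goes slightly beyond the hint by also comparing the NS sets.

```python
import re

# Constructed excerpts of the two Example 4 responses (NS records and their A records only).
CHILD = """\
int-evry.fr.          172800 IN NS diamant.int-evry.fr.
int-evry.fr.          172800 IN NS etna.int-evry.fr.
int-evry.fr.          172800 IN NS hugo.int-evry.fr.
int-evry.fr.          172800 IN NS ns2.nic.fr.
diamant.int-evry.fr.  172800 IN A  157.159.10.12
etna.int-evry.fr.     172800 IN A  157.159.110.67
hugo.int-evry.fr.     172800 IN A  157.159.100.81
ns2.nic.fr.           65611  IN A  192.93.0.4
"""
PARENT = """\
int-evry.fr.          345600 IN NS diamant.int-evry.fr.
int-evry.fr.          345600 IN NS etna.int-evry.fr.
int-evry.fr.          345600 IN NS ns2.nic.fr.
diamant.int-evry.fr.  345600 IN A  157.159.10.12
etna.int-evry.fr.     345600 IN A  157.159.110.16
ns2.nic.fr.           172800 IN A  192.93.0.4
"""
RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(NS|A|AAAA)[ \t]+(\S+)[ \t]*$", re.M)

def parse(dig_text, zone):
    """Return (NS names of `zone`, {owner: set of addresses}) found in dig output."""
    ns, addrs = set(), {}
    for owner, rtype, rdata in RR.findall(dig_text):
        owner = owner.lower()
        if rtype == "NS" and owner == zone:
            ns.add(rdata.lower())
        elif rtype != "NS":
            addrs.setdefault(owner, set()).add(rdata)
    return ns, addrs

def delegation_issues(parent_text, child_text, zone):
    """List differences between the parent's delegation and the child's own data."""
    p_ns, p_addr = parse(parent_text, zone)
    c_ns, c_addr = parse(child_text, zone)
    issues = [("ns-missing-at-parent", n) for n in sorted(c_ns - p_ns)]
    issues += [("ns-missing-at-child", n) for n in sorted(p_ns - c_ns)]
    for name in sorted(p_ns & c_ns):
        # Compare addresses only when both sides returned one for this name
        if name in p_addr and name in c_addr and p_addr[name] != c_addr[name]:
            issues.append(("glue-mismatch", name, sorted(p_addr[name]), sorted(c_addr[name])))
    return issues

if __name__ == "__main__":
    print(delegation_issues(PARENT, CHILD, "int-evry.fr."))
```

On the Example 4 data this reports the "etna" address mismatch and also that hugo.int-evry.fr. is listed by the child but not by the parent.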

Example 5 "dig @::1 apple.com." and "dig @::1 apple.com."

; <<>> DiG 9.3.0 <<>> @::1 apple.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 927
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;apple.com.			IN	A

;; ANSWER SECTION:
apple.com.		3600	IN	A	17.254.3.183

;; AUTHORITY SECTION:
apple.com.		432000	IN	NS	nserver.asia.apple.com.
apple.com.		432000	IN	NS	nserver.euro.apple.com.
apple.com.		432000	IN	NS	nserver.apple.com.
apple.com.		432000	IN	NS	nserver2.apple.com.
apple.com.		432000	IN	NS	nserver3.apple.com.
apple.com.		432000	IN	NS	nserver4.apple.com.

;; Query time: 1089 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Apr  4 09:31:06 2005
;; MSG SIZE  rcvd: 188

; <<>> DiG 9.3.0 <<>> @::1 apple.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 79
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;apple.com.			IN	A

;; ANSWER SECTION:
apple.com.		3575	IN	A	17.254.3.183

;; AUTHORITY SECTION:
apple.com.		431975	IN	NS	nserver3.apple.com.
apple.com.		431975	IN	NS	nserver4.apple.com.
apple.com.		431975	IN	NS	nserver.asia.apple.com.
apple.com.		431975	IN	NS	nserver.euro.apple.com.
apple.com.		431975	IN	NS	nserver.apple.com.
apple.com.		431975	IN	NS	nserver2.apple.com.

;; Query time: 14 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Apr  4 09:31:31 2005
;; MSG SIZE  rcvd: 188

Hints: Cache and round-robin (TTLs, Query time, aa flag)

Example 6 "dig ducon.lajoie.ipv6.int-evry.fr +multiline"


; <<>> DiG 9.2.2rc1 <<>> ducon.lajoie.ipv6.int-evry.fr +multiline
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ducon.lajoie.ipv6.int-evry.fr. IN A

;; AUTHORITY SECTION:
ipv6.int-evry.fr.	86400 IN SOA zeratul.ipv6.int-evry.fr. pascal\.hennequin.int-evry.fr. (
				2003040201 ; serial
				21600      ; refresh (6 hours)
				3600       ; retry (1 hour)
				3600000    ; expire (5 weeks 6 days 16 hours)
				86400      ; minimum (1 day)
				)

;; Query time: 4 msec
;; SERVER: 157.159.100.81#53(157.159.100.81)
;; WHEN: Fri May  2 09:17:57 2003
;; MSG SIZE  rcvd: 108

Hints : Negative response NXDOMAIN, SOA in authority section.

Example 7 "dig @::1 +norecurse cr.yp.to", "dig @::1 cr.yp.to NS" and "dig @::1 +norecurse cr.yp.to"

; <<>> DiG 9.3.0 <<>> @::1 +norecurse cr.yp.to
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 203
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;cr.yp.to.			IN	A

;; AUTHORITY SECTION:
.			3600000	IN	NS	L.ROOT-SERVERS.NET.
.			3600000	IN	NS	M.ROOT-SERVERS.NET.
.			3600000	IN	NS	A.ROOT-SERVERS.NET.
.			3600000	IN	NS	B.ROOT-SERVERS.NET.
.			3600000	IN	NS	C.ROOT-SERVERS.NET.
.			3600000	IN	NS	D.ROOT-SERVERS.NET.
.			3600000	IN	NS	E.ROOT-SERVERS.NET.
.			3600000	IN	NS	F.ROOT-SERVERS.NET.
.			3600000	IN	NS	G.ROOT-SERVERS.NET.
.			3600000	IN	NS	H.ROOT-SERVERS.NET.
.			3600000	IN	NS	I.ROOT-SERVERS.NET.
.			3600000	IN	NS	J.ROOT-SERVERS.NET.
.			3600000	IN	NS	K.ROOT-SERVERS.NET.

;; Query time: 13 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Mar 30 19:37:45 2005
;; MSG SIZE  rcvd: 237

; <<>> DiG 9.3.0 <<>> @::1 cr.yp.to NS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1784
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;cr.yp.to.			IN	NS

;; AUTHORITY SECTION:
yp.to.			2560	IN	SOA	a.ns.yp.to. hostmaster.yp.to. 1093750658 16384 2048 1048576 2560

;; Query time: 638 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Mar 30 19:38:29 2005
;; MSG SIZE  rcvd: 78

; <<>> DiG 9.3.0 <<>> @::1 +norecurse cr.yp.to
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1331
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;cr.yp.to.			IN	A

;; AUTHORITY SECTION:
yp.to.			86388	IN	NS	b.ns.yp.to.
yp.to.			86388	IN	NS	a.ns.yp.to.

;; Query time: 76 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Mar 30 19:38:41 2005
;; MSG SIZE  rcvd: 61

Hints: Iterative Response (rd flag); Negative recursive response with NODATA; cache
  1. worst-case Iterative (Root server references)
  2. negative Recursive with NODATA (NOERROR and ANSWER=0)
  3. better Iterative coming from cache data (pushed during previous step)
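
The distinctions drawn in the hints for Examples 6 and 7 (NXDOMAIN, NODATA, referral, and how close the referral is to the queried name) can be read mechanically from the header and the AUTHORITY section. The following is an added example, not part of the original page: the function name is hypothetical and the inputs are constructed, abridged excerpts of the outputs above.

```python
import re

# Constructed, abridged excerpts of the Example 6 and Example 7 outputs above.
SAMPLES = {
    "ex7-1": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 203
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; AUTHORITY SECTION:
.       3600000 IN NS L.ROOT-SERVERS.NET.
""",
    "ex7-2": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1784
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
yp.to.  2560 IN SOA a.ns.yp.to. hostmaster.yp.to. 1093750658 16384 2048 1048576 2560
""",
    "ex7-3": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1331
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
yp.to.  86388 IN NS b.ns.yp.to.
""",
    "ex6": """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
ipv6.int-evry.fr. 86400 IN SOA zeratul.ipv6.int-evry.fr. pascal\\.hennequin.int-evry.fr. (
""",
}

AUTH_RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(\S+)", re.M)

def classify(text):
    """Return (kind, mode, zone) for one dig response."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags, answers = re.search(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)", text).groups()
    mode = "recursive" if "rd" in flags.split() else "iterative"
    _, _, rest = text.partition(";; AUTHORITY SECTION:")
    rrs = AUTH_RR.findall(rest.split("\n\n", 1)[0])  # (owner, type) pairs
    types = {rtype for _, rtype in rrs}
    zone = rrs[0][0] if rrs else None  # owner of the authority records
    if status != "NOERROR":
        kind = status.lower()          # e.g. nxdomain, servfail
    elif int(answers) > 0:
        kind = "answer"
    elif "SOA" in types:
        kind = "nodata"                # NOERROR, ANSWER=0, SOA in authority
    elif "NS" in types:
        kind = "referral"              # NOERROR, ANSWER=0, NS in authority
    else:
        kind = "empty"
    return kind, mode, zone
```

The zone returned for the two +norecurse queries moves from "." to "yp.to.", which is the effect of the cache being filled by the recursive query in between.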