DNS

How to Use Dig to Test DNS

How to Use Dig to Test DNS

Objective
This document shows how to use the Dig utility for DNS queries and troubleshooting. Dig is known as the Cadillac of DNS utilities because it is the most complete and powerful of all. Dig is natively available in most Unix distributions. Email Security appliances incorporate it as a CLI command (starting at firmware version 6.0). Finally, Dig is not shipped in the Windows OS but can be installed on Windows XP. It may also be possible to install Dig on a Windows 2003 server, but this has not been tested. All Windows systems use nslookup which is a great complimentary utility to Dig.

Table of Contents
WINDOWS INSTALLATION ........................................................................................................... 2 DEFAULT AND ARBITRARY DNS SERVERS .............................................................................. 3 A RECORD LOOK-UP: ................................................................................................................... 4 MX RECORD LOOK-UP.................................................................................................................. 5 PTR RECORD (REVERSE DNS) LOOK-UP: ................................................................................. 7 TXT RECORD (SPF) LOOK-UP...................................................................................................... 9 MULTIPLE RECORD DNS LOOKUP ........................................................................................... 10 ADDITIONAL RESOURCES ......................................................................................................... 12

1/12

Windows Installation

Windows Installation
Dig is not natively available in Windows. However, the utility has been created and made available for Windows. You can download and install the files posted at http://serghei.net/windows/dig. Instructions are for the installation of Dig on Windows 98, ME, 2000 and XP. It is not sure if this utility will work on Windows 2000 Server and Windows 2003 Server. Email Security training provides a quick setup. A C:\dig folder is created and all files, except one, are placed there. The reminding file, resolve.conf, is placed in C:\WINDOWS\system32\drivers\etc. This file sets the default DNS server dig will use. The Email Security setup has the following one line name nameserver 10.50.128.52.

How to Use Dig to Test DNS

Default and Arbitrary DNS Servers

Default and Arbitrary DNS Servers

Unless specified, Dig will use the DNS server specified in the resolve.conf file located in the C:\WINDOWS\system32\drivers\etc\ folder. In the example below, the default DNS server obtained from resolve.conf is 10.50.128.52. Email Security training installation is pre-configured to use DNS server 4.2.2.2.

Sometimes because of troubleshooting, a different DNS server may have to be queried. It is possible that an arbitrary external DNS server is queried instead of the local DNS server. The DNS server used can be changed without changing the default address in resolve.conf. This can be done on the command line by using the @ symbol followed by the DNS server name IP address. For example, the instruction dig @4.2.2.2 echofloor.com uses the 4.2.2.2 to resolves the IP address of echofloo.com.

How to Use Dig to Test DNS

A Record Look-Up:

A Record Look-Up:
A records map names to IP addresses. This is performed by placing a capital A or lower case a letter right after the dig instruction. In reality A record look-up is the default and no letter is necessary. dig A echofloor.com

The IP address for echofloor.com is 67.115.118.168. When the name is not found, the ANSWER section is missing. For example, an A look-up of IReallyDoNotExist.com yields a response without an ANSWER section.

How to Use Dig to Test DNS

MX Record Look-Up

MX Record Look-Up
MX records point to the name address of the SMTP server handling incoming email for a particular domain.

dig MX echofloor.com
The MX record query for echofloor.com resolves to the smtp.echofloor.com domain name. This MX record name resolves to IP address 67.115.118.168.

The MX record query for sportsya.com resolves to the mail.sportsya.com domain name. This name resolves to the 66.98.144.86 IP address.

How to Use Dig to Test DNS

MX Record Look-Up

The MX record query for debene.com resolves to the smtp.easydns.com domain name. This name resolves to 205.210.42.52 IP address.

How to Use Dig to Test DNS

PTR Record (Reverse DNS) Look-Up:

PTR Record (Reverse DNS) Look-Up:

PTR records resolve an IP address to a name address. This process is also known as reverse DNS lookup.

dig x 67.15.181.16
Sportsya.com domain resolves to 67.15.181.16. A reverse DNS lookup of this IP address resolves to ns1.sportsya.com name. IP addresses and domain names do not have a one-to-one relationship. Many names can be mapped to the same IP address whereas only one name can be reverse resolved from a given IP address.

The MX record for sportsya.com is mail.sportsya.com which resolves to 66.98.144.86. The reverse DNS of this IP address resolves back to mail.sportsya.com. The reverse PTR record matching the forward lookup may be important to ensure mail delivery.

How to Use Dig to Test DNS

PTR Record (Reverse DNS) Look-Up:

Companies such as AOL perform a reverse DNS on the IP address of the connecting SMTP server and compared the resolved name to the announced domain name at connection (in the EHLO/HELO command). If these do not match, the connection is dropped.

How to Use Dig to Test DNS

TXT Record (SPF) Look-Up

TXT Record (SPF) Look-Up

Reverse DNS allows for a company to announce which IP address are authorized to send email on its behalf. For example, the DNS query below can be executed to find the IPs allowed to send email for aol.com.

dig txt aol.com

The result here indicates a series of IP ranges from where email can be sent. All of the IP addresses used in this range should resolve back to mx.aol.com (ptr:mx.aol.com).

On the other hand, sportsya.com does not have any registered SPF records.

How to Use Dig to Test DNS

Multiple Record DNS Lookup

Multiple Record DNS Lookup

dig any aol.com

10

How to Use Dig to Test DNS

Multiple Record DNS Lookup

dig any echofloor.com

dig any sportsya.com

11

How to Use Dig to Test DNS

Additional Resources

Additional Resources
Digs man page can be found online http://www.stopspam.org/usenet/mmf/man/dig.html http://www.die.net/doc/linux/man/man1/dig.1.html

Dig also has built-in help.

Contacting SonicWALL Sales Toll free US: +1 888.557.6642 Local US: +1 408.745.9600 Local Fax US: +1 408.745.9300 If you wish to be contacted, use this form: http://www.sonicwall.com/us/How_to_Buy.html

Created: MM/DD/07 Updated: 05/08/07 Created by SonicWALL Technical Publications Updated and Maintained by: Jean-Marc Catalaa Version 2.0

12

How to Use Dig to Test DNS