DNS Cheat Sheet
DNS Record Types
Record Type  Purpose                              Example
-----------  -----------------------------------  ------------------------------------------
A            IPv4 address                         example.com → 93.184.216.34
AAAA         IPv6 address                         example.com → 2606:2800:220:1:...
CNAME        Canonical name (alias)               www.example.com → example.com
MX           Mail exchange server                 example.com → mail.example.com
NS           Name server                          example.com → ns1.example.com
TXT          Text record (SPF, DKIM, etc.)        example.com → "v=spf1 ..."
SOA          Start of authority                   Zone information
PTR          Pointer (reverse DNS)                34.216.184.93.in-addr.arpa → example.com
SRV          Service location                     _sip._tcp.example.com
CAA          Certificate Authority Authorization  example.com → letsencrypt.org
dig Command
Basic Queries
# Basic A record lookup
dig example.com
# Short output (just the answer)
dig +short example.com
# Query specific record type
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com NS
dig example.com TXT
dig example.com SOA
dig example.com CNAME
dig example.com CAA
# Query ANY records (may be limited by server)
dig example.com ANY
Query Specific TXT Records
# Get all TXT records for a domain
dig TXT example.com +short
# Query specific TXT record by name
dig TXT _dmarc.example.com +short # DMARC policy
dig TXT _acme-challenge.example.com +short # Let's Encrypt verification
dig TXT selector._domainkey.example.com +short # DKIM key
# Common specific TXT records
dig TXT _dmarc.example.com # DMARC
dig TXT google._domainkey.example.com # Google DKIM
dig TXT default._domainkey.example.com # Default DKIM selector
dig TXT _amazonses.example.com # Amazon SES verification
dig TXT _github-challenge-org.example.com # GitHub domain verification
dig TXT _mtasts.example.com # MTA-STS policy
dig TXT _smtp._tls.example.com # TLS reporting
# SPF record (stored as TXT on root domain)
dig TXT example.com +short | grep "v=spf1"
# Filter TXT records containing specific text
dig TXT example.com +short | grep -i "google"
dig TXT example.com +short | grep -i "verification"
# Check domain ownership verification records
dig TXT example.com +short | grep -E "(google|facebook|ms=|adobe|docusign)"
# Query with full output for debugging
dig TXT _dmarc.example.com
# Query using specific DNS server
dig @8.8.8.8 TXT _dmarc.example.com +short
Using Specific DNS Server
# Query Google DNS
dig @8.8.8.8 example.com
# Query Cloudflare DNS
dig @1.1.1.1 example.com
# Query specific nameserver
dig @ns1.example.com example.com
# Query local DNS server
dig @127.0.0.1 example.com
dig @localhost example.com
Output Control
# Short answer only
dig +short example.com
# Show only answer section
dig +noall +answer example.com
# Show answer with comments
dig +noall +answer +comments example.com
# Show all sections
dig +noall +answer +authority +additional example.com
# Minimal output
dig +noall +answer +nocomments +nostats example.com
# Show statistics only
dig +noall +stats example.com
# Show query time
dig +stats example.com | grep "Query time"
Advanced Options
# Trace DNS delegation path
dig +trace example.com
# Show DNSSEC information
dig +dnssec example.com
# TCP instead of UDP
dig +tcp example.com
# Set timeout (seconds)
dig +time=5 example.com
# Set number of retries
dig +tries=3 example.com
# Disable recursion
dig +norecurse example.com
# Request specific buffer size
dig +bufsize=4096 example.com
# Show full response
dig +all example.com
# Ignore truncation
dig +ignore example.com
Reverse DNS Lookup
# Reverse lookup (PTR record)
dig -x 8.8.8.8
# Short reverse lookup
dig +short -x 8.8.8.8
# Reverse lookup for IPv6
dig -x 2001:4860:4860::8888
Batch Queries
# Query multiple domains
dig example.com google.com github.com
# Query from file
dig -f domains.txt
# Query multiple record types
dig example.com A example.com MX example.com NS
Understanding dig Output
; <<>> DiG 9.16.1 <<>> example.com ← dig version and query
;; global options: +cmd ← options used
;; Got answer: ← response received
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; ↑ NOERROR = success
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; qr = query response
;; rd = recursion desired
;; ra = recursion available
;; QUESTION SECTION: ← what was asked
;example.com. IN A
;; ANSWER SECTION: ← the answer
example.com. 3600 IN A 93.184.216.34
;; ↑ TTL (seconds)
;; Query time: 23 msec ← response time
;; SERVER: 192.168.1.1#53(192.168.1.1) ← DNS server used
;; WHEN: Mon Jan 01 12:00:00 UTC 2024 ← timestamp
;; MSG SIZE rcvd: 56 ← message size
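As an added example (not part of the original cheat sheet), a small Python parser that pulls the status, header flags and answer records out of dig's default output, run here on a constructed sample laid out like the one above. Function and field names are my own; the "ad" flag check is the quick way to tell whether the resolver actually validated the answer with DNSSEC.

```python
import re

# Constructed sample in the default dig layout (not a real capture).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t93.184.216.34
example.com.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20240101000000 20231201000000 12345 example.com. abc=

;; Query time: 23 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

def parse_dig(output):
    """Extract status, header flags, answer RRs and query time from dig output."""
    result = {"status": None, "flags": [], "answers": [], "query_time_ms": None}
    in_answer = False
    for line in output.splitlines():
        if not line.strip():
            in_answer = False                      # a blank line ends a section
            continue
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # ";; flags: qr rd ra; QUERY: 1, ..." -> ["qr", "rd", "ra"]
            result["flags"] = line.split(";")[2].replace("flags:", "").split()
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";; Query time:"):
            result["query_time_ms"] = int(line.split()[3])
        elif in_answer and not line.startswith(";"):
            # name  TTL  class  type  rdata   (rdata may contain spaces)
            name, ttl, _rclass, rtype, rdata = line.split(None, 4)
            result["answers"].append({"name": name, "ttl": int(ttl),
                                      "type": rtype, "rdata": rdata})
    # "ad" is only set when the resolver validated the answer with DNSSEC;
    # a missing "ad" with RRSIGs present means the signatures were not checked.
    result["dnssec_validated"] = "ad" in result["flags"]
    return result

def answer_ttls(parsed):
    """Map record type -> TTL, the cache lifetime shown in the second column."""
    return {a["type"]: a["ttl"] for a in parsed["answers"]}
```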
Response Status Codes
NOERROR - Query successful
NXDOMAIN - Domain does not exist
SERVFAIL - Server failed to complete request
REFUSED - Server refused to answer
FORMERR - Format error in query
NOTIMP - Not implemented
nslookup Command
Basic Queries
# Basic lookup
nslookup example.com
# Query specific DNS server
nslookup example.com 8.8.8.8
# Reverse lookup
nslookup 8.8.8.8
Query Specific Record Types
# A record
nslookup -type=A example.com
# AAAA record (IPv6)
nslookup -type=AAAA example.com
# MX record
nslookup -type=MX example.com
# NS record
nslookup -type=NS example.com
# TXT record
nslookup -type=TXT example.com
# SOA record
nslookup -type=SOA example.com
# CNAME record
nslookup -type=CNAME www.example.com
# PTR record (reverse)
nslookup -type=PTR 8.8.8.8
# Any records
nslookup -type=ANY example.com
# SRV record
nslookup -type=SRV _sip._tcp.example.com
Interactive Mode
# Enter interactive mode
nslookup
> server 8.8.8.8 # Set DNS server
> set type=MX # Set query type
> example.com # Query domain
> set type=A # Change query type
> www.example.com # Query another domain
> set debug # Enable debug output
> set nodebug # Disable debug output
> exit # Exit interactive mode
Advanced Options
# Enable debug mode
nslookup -debug example.com
# Set timeout
nslookup -timeout=10 example.com
# Set retry count
nslookup -retry=3 example.com
# Query specific port
nslookup -port=5353 example.com dns-server
host Command
Basic Queries
# Simple lookup
host example.com
# Query specific DNS server
host example.com 8.8.8.8
# Verbose output
host -v example.com
# All record types
host -a example.com
Query Specific Record Types
# A record
host -t A example.com
# AAAA record
host -t AAAA example.com
# MX record
host -t MX example.com
# NS record
host -t NS example.com
# TXT record
host -t TXT example.com
# SOA record
host -t SOA example.com
# CNAME record
host -t CNAME www.example.com
# Any record
host -t ANY example.com
Reverse Lookup
# Reverse DNS lookup
host 8.8.8.8
# Verbose reverse lookup
host -v 8.8.8.8
Advanced Options
# Use TCP instead of UDP
host -T example.com
# Set timeout (seconds)
host -W 5 example.com
# Set retries
host -R 3 example.com
# Show DNSSEC data
host -D example.com
# Disable recursion
host -r example.com
Mail Record Lookups (MX, SPF, DKIM, DMARC)
MX Records
# List mail servers
dig MX example.com +short
# Detailed MX lookup
dig MX example.com
# Check mail server priority
dig +short MX example.com | sort -n
# Using nslookup
nslookup -type=MX example.com
# Using host
host -t MX example.com
SPF Records
# SPF is stored in TXT record
dig TXT example.com +short | grep "v=spf1"
# Full TXT record lookup
dig TXT example.com
# Using nslookup
nslookup -type=TXT example.com | grep "v=spf1"
# Validate SPF syntax: use an online SPF validator, or inspect the raw record manually
dig TXT example.com +short
DKIM Records
# DKIM selector lookup (selector varies by provider)
dig TXT selector._domainkey.example.com +short
# Common selectors
dig TXT google._domainkey.example.com +short
dig TXT default._domainkey.example.com +short
dig TXT mail._domainkey.example.com +short
dig TXT k1._domainkey.example.com +short
# Check if DKIM exists
dig TXT selector._domainkey.example.com
DMARC Records
# DMARC record lookup
dig TXT _dmarc.example.com +short
# Full DMARC lookup
dig TXT _dmarc.example.com
# Using nslookup
nslookup -type=TXT _dmarc.example.com
Complete Email DNS Check
# Check all email-related records
echo "=== MX Records ==="
dig +short MX example.com
echo "=== SPF Record ==="
dig +short TXT example.com | grep "v=spf1"
echo "=== DMARC Record ==="
dig +short TXT _dmarc.example.com
echo "=== DKIM Record (google selector) ==="
dig +short TXT google._domainkey.example.com
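As an added example (not part of the original cheat sheet), Python that audits the SPF and DMARC TXT strings the commands above return, using constructed records. Function names are my own; the checks are the ones a defender looks at first: the SPF "all" qualifier, the RFC 7208 limit of 10 DNS-lookup terms, and whether the DMARC policy actually enforces anything.

```python
import re

# Constructed TXT records of the kind returned by "dig +short TXT example.com"
# and "dig +short TXT _dmarc.example.com" (not real data).
SPF_TXT = '"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net a mx -all"'
DMARC_TXT = '"v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"'

# Terms that cost a DNS lookup; more than 10 in total yields permerror.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

def audit_spf(txt):
    """Summarise an SPF record: its 'all' qualifier and DNS-lookup term count."""
    terms = txt.strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHS:
            lookups += 1
    return {
        "valid": True,
        "all": all_qualifier,                 # "-" hard fail, "~" soft fail, "?" neutral, "+" pass
        "lookups": lookups,
        "too_many_lookups": lookups > 10,
        "weak": all_qualifier in (None, "+", "?"),   # anyone may send as the domain
    }

def audit_dmarc(txt):
    """Parse DMARC tag=value pairs; p=none reports failures but still delivers."""
    tags = {}
    for part in txt.strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"valid": False}
    policy = tags["p"].lower()
    return {"valid": True, "policy": policy,
            "subdomain_policy": tags.get("sp", policy).lower(),
            "pct": int(tags.get("pct", "100")),
            "reports_to": tags.get("rua"),
            "enforcing": policy in ("quarantine", "reject")}
```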
DNSSEC Validation
Check DNSSEC Status
# Query with DNSSEC
dig +dnssec example.com
# Check for RRSIG records
dig +dnssec example.com | grep RRSIG
# Check DNSKEY
dig DNSKEY example.com
# Check DS record
dig DS example.com
# Validate DNSSEC chain (+sigchase and +trusted-key were removed from dig in BIND 9.15; newer installs ship delv for this)
dig +sigchase +trusted-key=./trusted-key.key example.com
# Check if domain is signed
dig +short example.com DNSKEY
DNSSEC Troubleshooting
# Trace with DNSSEC
dig +trace +dnssec example.com
# Check delegation (the DS record lives in the parent zone, so query one of the parent's nameservers)
dig DS example.com @parent-ns
# Verify signatures
dig +dnssec +multi example.com
# Check NSEC/NSEC3 records
dig NSEC example.com
dig NSEC3PARAM example.com
Zone Transfers
Attempt Zone Transfer
# AXFR zone transfer (usually restricted)
dig AXFR example.com @ns1.example.com
# Using host
host -l example.com ns1.example.com
# Using nslookup (the ls command exists only in the Windows nslookup, not in BIND's)
nslookup
> server ns1.example.com
> ls example.com
Check Zone Transfer Restrictions
# Most servers should refuse
dig AXFR example.com @8.8.8.8
# Expected: Transfer failed.
# If transfer succeeds, review DNS security
DNS Troubleshooting
Common Issues
# Check if DNS is resolving
dig example.com +short
# Empty = no resolution
# Check DNS server response
dig @8.8.8.8 example.com
# Compare with the local resolver (plain "dig example.com" with no @server)
# Check propagation (use different DNS servers)
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short
dig @208.67.222.222 example.com +short
# Check if domain exists
dig example.com
# NXDOMAIN = domain doesn't exist
# Check nameservers
dig NS example.com +short
# Verify nameserver responds
dig @ns1.example.com example.com
DNS Resolution Path
# Trace full resolution path
dig +trace example.com
# Output shows:
# 1. Root servers (.)
# 2. TLD servers (.com)
# 3. Authoritative servers (example.com)
# 4. Final answer
Local DNS Configuration
# Check current DNS servers
cat /etc/resolv.conf
# Check systemd-resolved status
resolvectl status
systemd-resolve --status
# Check NetworkManager DNS
nmcli dev show | grep DNS
# Flush DNS cache
# systemd-resolved
sudo systemd-resolve --flush-caches
sudo resolvectl flush-caches
# nscd
sudo nscd -i hosts
# dnsmasq
sudo killall -HUP dnsmasq
# Check hosts file
cat /etc/hosts
# Check nsswitch order
grep hosts /etc/nsswitch.conf
# files dns = check /etc/hosts first, then DNS
DNS Response Time
# Check query time
dig example.com | grep "Query time"
# Compare DNS servers
for dns in 8.8.8.8 1.1.1.1 208.67.222.222; do
    echo "Testing $dns:"
    dig @$dns example.com | grep "Query time"
done
# Benchmark DNS servers
for i in {1..10}; do
    dig @8.8.8.8 example.com | grep "Query time"
done
Debugging DNS Issues
# Full debug output
dig +all example.com
# Check for truncation
dig +tcp example.com
# If UDP fails but TCP works, check MTU
# Check EDNS support
dig +edns=0 example.com
# Disable EDNS
dig +noedns example.com
# Check buffer size issues
dig +bufsize=512 example.com
dig +bufsize=4096 example.com
DNS Server Testing
Test Authoritative Servers
# Find authoritative nameservers
dig NS example.com +short
# Query each nameserver directly
for ns in $(dig NS example.com +short); do
    echo "=== $ns ==="
    dig @$ns example.com +short
done
# Check SOA on all nameservers
for ns in $(dig NS example.com +short); do
    echo "=== $ns ==="
    dig @$ns SOA example.com +short
done
Compare DNS Responses
# Check consistency across nameservers
dig +short example.com @ns1.example.com
dig +short example.com @ns2.example.com
# Check serial numbers match
dig SOA example.com @ns1.example.com +short
dig SOA example.com @ns2.example.com +short
Public DNS Servers
# Google Public DNS
8.8.8.8
8.8.4.4
2001:4860:4860::8888 # IPv6
2001:4860:4860::8844 # IPv6
# Cloudflare DNS
1.1.1.1
1.0.0.1
2606:4700:4700::1111 # IPv6
2606:4700:4700::1001 # IPv6
# OpenDNS
208.67.222.222
208.67.220.220
# Quad9
9.9.9.9
149.112.112.112
# Cloudflare (malware blocking)
1.1.1.2
1.0.0.2
# Cloudflare (malware + adult blocking)
1.1.1.3
1.0.0.3
DNS Record Management
Check TTL Values
# View TTL in response
dig example.com
# TTL is second column in answer section
# example.com. 3600 IN A 93.184.216.34
# ↑ TTL in seconds (1 hour)
# Low TTL = faster propagation, more queries
# High TTL = slower propagation, cached longer
Monitor DNS Changes
# Watch for DNS changes
watch -n 60 'dig +short example.com'
# Log DNS responses
while true; do
    echo "$(date): $(dig +short example.com)"
    sleep 60
done >> dns_log.txt
# Check propagation worldwide
# Use online tools like:
# - whatsmydns.net
# - dnschecker.org
SRV Records
Query SRV Records
# SRV record format: _service._proto.name
dig SRV _sip._tcp.example.com
dig SRV _xmpp-server._tcp.example.com
dig SRV _ldap._tcp.example.com
dig SRV _kerberos._tcp.example.com
# Microsoft services
dig SRV _autodiscover._tcp.example.com
dig SRV _sipfederationtls._tcp.example.com
# Short output
dig +short SRV _sip._tcp.example.com
# Record format:
_service._proto.name  TTL  IN  SRV  priority  weight  port  target
# Example:
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 sipserver.example.com.
#                                  10   = priority (lower is tried first)
#                                  60   = weight (share of traffic among equal priorities)
#                                  5060 = port
#                                  sipserver.example.com. = target host
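As an added example (not part of the original cheat sheet), Python that parses the "dig +short SRV" output format above and orders the targets the way an RFC 2782 client does: lowest priority first, weighted random choice within a priority, and weight-0 targets only when nothing else is left. The RRset is constructed and the function names are my own; pick_fn is injectable so the selection can be made deterministic.

```python
import random

# Constructed SRV RRset as "dig +short SRV _sip._tcp.example.com" prints it
# (priority weight port target); not a real lookup.
SRV_SHORT_OUTPUT = """\
10 60 5060 sipserver.example.com.
10 40 5060 sipserver2.example.com.
20 0 5060 backup.example.com.
"""

def parse_srv(short_output):
    """Turn dig +short SRV lines into (priority, weight, port, target) tuples."""
    records = []
    for line in short_output.splitlines():
        if line.strip():
            prio, weight, port, target = line.split()
            records.append((int(prio), int(weight), int(port), target))
    return records

def order_srv(records, pick_fn=random.randint):
    """Return [(target, port), ...] in RFC 2782 selection order."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # RFC 2782: weight-0 entries go first so they are only picked when the
        # random number lands on 0 (or when they are the only entries left).
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            total = sum(r[1] for r in pool)
            pick = pick_fn(0, total) if total > 0 else 0
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:            # first entry whose running sum reaches the pick
                    ordered.append((r[3], r[2]))
                    pool.remove(r)
                    break
    return ordered
```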
CAA Records
Query CAA Records
# Check Certificate Authority Authorization
dig CAA example.com
# Short output
dig +short CAA example.com
# Common CAA values
# 0 issue "letsencrypt.org" - Allow Let's Encrypt
# 0 issue "digicert.com" - Allow DigiCert
# 0 issuewild "letsencrypt.org" - Allow wildcards
# 0 iodef "mailto:admin@example.com" - Report violations
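As an added example (not part of the original cheat sheet), Python that evaluates the CAA records above the way a CA must before issuing: find the relevant CAA set by climbing from the requested name toward the root, prefer issuewild for wildcard requests, treat ";" as "no CA", and refuse when an unknown critical-flag tag is present. The zone data is constructed and the function names are my own; CNAME chasing from RFC 8659 is not implemented here.

```python
# Constructed zone data: name -> list of (flags, tag, value) CAA records,
# i.e. what "dig CAA <name>" would show. Not real data.
CAA_ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", "digicert.com"),
                     (0, "iodef", "mailto:admin@example.com")],
    "locked.example.com.": [(0, "issue", ";")],      # ";" = no CA may issue
    "odd.example.com.": [(128, "futuretag", "x")],  # critical flag, unknown tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def relevant_caa(zone, name):
    """RFC 8659 lookup: the CAA set at the name, else the closest ancestor's."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []

def ca_may_issue(zone, fqdn, ca, wildcard=False):
    """Decide whether CA `ca` may issue for fqdn (or *.fqdn when wildcard=True)."""
    rrset = relevant_caa(zone, fqdn)
    if not rrset:
        return True                      # no CAA anywhere up the tree: no restriction
    # A critical-flag record the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    if not issue and not issuewild:
        return True                      # only iodef present: still unrestricted
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    allowed = issuewild if (wildcard and issuewild) else issue
    # Strip parameters after ";" so 'letsencrypt.org; validationmethods=dns-01'
    # still matches; a bare ";" leaves an empty name that matches nobody.
    names = {v.split(";")[0].strip().lower() for v in allowed}
    return ca.lower() in names
```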
DNS over HTTPS (DoH) / DNS over TLS (DoT)
Testing DoH
# Using curl for DoH
curl -H "accept: application/dns-json" \
"https://cloudflare-dns.com/dns-query?name=example.com&type=A"
# Using curl with Google DoH
curl -H "accept: application/dns-json" \
"https://dns.google/resolve?name=example.com&type=A"
# Using kdig (from knot-dns)
kdig @1.1.1.1 +https example.com
Testing DoT
# Using kdig for DoT
kdig @1.1.1.1 +tls example.com
# Using openssl to test DoT
openssl s_client -connect 1.1.1.1:853
Quick Reference
# Basic lookups
dig example.com # Full A record query
dig +short example.com # Just the IP
dig MX example.com # Mail servers
dig NS example.com # Nameservers
dig TXT example.com # TXT records
# Use specific DNS server
dig @8.8.8.8 example.com # Query Google DNS
dig @1.1.1.1 example.com # Query Cloudflare
# Reverse lookup
dig -x 8.8.8.8 # IP to hostname
# Trace resolution
dig +trace example.com # Full delegation path
# nslookup equivalents
nslookup example.com # Basic lookup
nslookup -type=MX example.com # MX records
nslookup example.com 8.8.8.8 # Use specific server
# host equivalents
host example.com # Basic lookup
host -t MX example.com # MX records
host 8.8.8.8 # Reverse lookup
# Email records
dig MX example.com +short # Mail servers
dig TXT example.com | grep "v=spf1" # SPF
dig TXT _dmarc.example.com +short # DMARC
dig TXT selector._domainkey.example.com # DKIM
# Troubleshooting
dig +all example.com # Full debug info
dig +tcp example.com # Use TCP
dig +dnssec example.com # Check DNSSEC
resolvectl flush-caches # Flush local cache
Common Troubleshooting Scenarios
Domain Not Resolving
# 1. Check if domain exists
dig example.com
# Look for NXDOMAIN (doesn't exist) vs NOERROR
# 2. Try different DNS servers
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
# 3. Check nameservers
dig NS example.com +short
# 4. Query authoritative server directly
dig @ns1.example.com example.com
# 5. Trace resolution
dig +trace example.com
Slow DNS Resolution
# 1. Check response time
dig example.com | grep "Query time"
# 2. Compare DNS servers
dig @8.8.8.8 example.com | grep "Query time"
dig @1.1.1.1 example.com | grep "Query time"
# 3. Check for network issues
ping 8.8.8.8
traceroute 8.8.8.8
# 4. Test TCP vs UDP
dig example.com # UDP
dig +tcp example.com # TCP
DNS Propagation Issues
# 1. Check TTL of old record
dig example.com | grep -A1 "ANSWER SECTION"
# 2. Query multiple DNS servers
for dns in 8.8.8.8 1.1.1.1 208.67.222.222; do
    echo "$dns: $(dig @$dns example.com +short)"
done
# 3. Check authoritative servers
for ns in $(dig NS example.com +short); do
    echo "$ns: $(dig @$ns example.com +short)"
done
# 4. Flush local cache and retry
sudo resolvectl flush-caches
dig example.com
Email Delivery Issues
# 1. Verify MX records exist
dig MX example.com +short
# 2. Check MX server responds
host $(dig MX example.com +short | head -1 | awk '{print $2}')
# 3. Verify SPF record
dig TXT example.com | grep "v=spf1"
# 4. Check DMARC policy
dig TXT _dmarc.example.com +short
# 5. Verify reverse DNS for mail server
dig -x <mail_server_ip>