Here are 2 quick tips for using the Linux command dig to mine some interesting DNS information.
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
Tracing a DNS Query
Similar to a traceroute, you can use the dig command’s +trace option to follow the path of servers that a DNS lookup touches. For example, here’s how my domain, lamolabs.org, would look:
% dig lamolabs.org +trace

; <<>> DiG 9.5.1-P2-RedHat-9.5.1-2.P2.fc10 <<>> lamolabs.org +trace
;; global options:  printcmd
.                   518400  IN  NS  H.ROOT-SERVERS.NET.
.                   518400  IN  NS  I.ROOT-SERVERS.NET.
.                   518400  IN  NS  J.ROOT-SERVERS.NET.
.                   518400  IN  NS  K.ROOT-SERVERS.NET.
.                   518400  IN  NS  L.ROOT-SERVERS.NET.
.                   518400  IN  NS  M.ROOT-SERVERS.NET.
.                   518400  IN  NS  A.ROOT-SERVERS.NET.
.                   518400  IN  NS  B.ROOT-SERVERS.NET.
.                   518400  IN  NS  C.ROOT-SERVERS.NET.
.                   518400  IN  NS  D.ROOT-SERVERS.NET.
.                   518400  IN  NS  E.ROOT-SERVERS.NET.
.                   518400  IN  NS  F.ROOT-SERVERS.NET.
.                   518400  IN  NS  G.ROOT-SERVERS.NET.
;; Received 304 bytes from 192.168.1.101#53(192.168.1.101) in 7 ms

org.                172800  IN  NS  B0.ORG.AFILIAS-NST.org.
org.                172800  IN  NS  B2.ORG.AFILIAS-NST.org.
org.                172800  IN  NS  C0.ORG.AFILIAS-NST.INFO.
org.                172800  IN  NS  A2.ORG.AFILIAS-NST.INFO.
org.                172800  IN  NS  D0.ORG.AFILIAS-NST.org.
org.                172800  IN  NS  A0.ORG.AFILIAS-NST.INFO.
;; Received 432 bytes from 126.96.36.199#53(E.ROOT-SERVERS.NET) in 106 ms

lamolabs.org.       86400   IN  NS  ns1.mydomain.com.
lamolabs.org.       86400   IN  NS  ns2.mydomain.com.
lamolabs.org.       86400   IN  NS  ns3.mydomain.com.
lamolabs.org.       86400   IN  NS  ns4.mydomain.com.
;; Received 114 bytes from 188.8.131.52#53(D0.ORG.AFILIAS-NST.org) in 147 ms

lamolabs.org.       3600    IN  CNAME  bubs.dyndns.org.
lamolabs.org.       86400   IN  NS     ns1.mydomain.com.
lamolabs.org.       86400   IN  NS     ns2.mydomain.com.
lamolabs.org.       86400   IN  NS     ns3.mydomain.com.
lamolabs.org.       86400   IN  NS     ns4.mydomain.com.
;; Received 204 bytes from 184.108.40.206#53(ns2.mydomain.com) in 75 ms
In this example the dig output is broken up into 4 sections. Each section lists the records returned for the name being looked up on the left, and its closing “;; Received” line names the Name Server that answered. Here are the 4 sections in my example:
section 1 (“.” aka root level)
First dig consults the /etc/resolv.conf file to find a designated DNS server. Here’s a copy of what my /etc/resolv.conf file looks like:
# Generated by NetworkManager
domain home.lan
search home.lan
nameserver 192.168.1.101
In my case, I manage my own DNS Server locally, which listens on IP address 192.168.1.101. This server is then queried to find out all the Name Servers for the root level, i.e. “.”.
NOTE: The root portion of a DNS name is the trailing dot i.e. “.”. This dot is typically never displayed when typing a DNS name but it is implicitly there. So the true DNS name for my blog would really be “www.lamolabs.org.”.
section 2 (org.)
The root DNS server “E.ROOT-SERVERS.NET.” is then queried to find all the Name Servers for the top level domain “.org.”.
section 3 (lamolabs.org.)
The DNS Server “D0.ORG.AFILIAS-NST.org.” is then queried to find all the Name Servers for the domain name “lamolabs.org.”.
section 4 (lamolabs.org.)
Finally the DNS Server “ns2.mydomain.com.” is queried to see that the domain name “lamolabs.org.” is just an alias (CNAME) to the hostname bubs.dyndns.org.
Time to Live (TTL)
Dig can also be used to determine how long the results of a DNS query will remain valid. This is called Time to Live and is often referred to simply as TTL. Here’s an example that demonstrates the TTL for lamolabs.org.
% dig +nocmd lamolabs.org +noall +answer
lamolabs.org.       3600    IN  CNAME  bubs.dyndns.org.
bubs.dyndns.org.    6       IN  A      220.127.116.11
Here you can see that lamolabs.org. hasn’t been queried yet, so it gets the default TTL of 3600 seconds. The other hostname bubs.dyndns.org has only 6 seconds until its value expires and should no longer be cached by my local DNS Server. Here we can see the TTL running out and eventually getting reset for the domain bubs.dyndns.org.
% dig +nocmd lamolabs.org +noall +answer
lamolabs.org.       3597    IN  CNAME  bubs.dyndns.org.
bubs.dyndns.org.    3       IN  A      18.104.22.168
% dig +nocmd lamolabs.org +noall +answer
lamolabs.org.       3595    IN  CNAME  bubs.dyndns.org.
bubs.dyndns.org.    1       IN  A      22.214.171.124
% dig +nocmd lamolabs.org +noall +answer
lamolabs.org.       3591    IN  CNAME  bubs.dyndns.org.
bubs.dyndns.org.    60      IN  A      126.96.36.199
Interestingly, the hostname bubs.dyndns.org is what is called a Dynamic DNS (DDNS) hostname. All that’s really going on with DDNS is that the TTL is set very low, 60 seconds in this example, so that the name can be pointed at a different IP address shortly after the address happens to change.
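As an added example (my code, not from the post), here is a small Python parser that turns dig’s +trace output into the four delegation hops walked through above and flags answer records with a short TTL such as bubs.dyndns.org; the sample inputs are trimmed copies of the post’s own dig output, embedded so the script runs offline.

```python
import re

# Added example, not from the post: parse dig output into records and walk the
# delegation steps of a +trace. Samples are trimmed copies of the post's output.
TRACE = """\
.\t518400\tIN\tNS\tH.ROOT-SERVERS.NET.
;; Received 304 bytes from 192.168.1.101#53(192.168.1.101) in 7 ms
org.\t172800\tIN\tNS\tD0.ORG.AFILIAS-NST.org.
;; Received 432 bytes from 126.96.36.199#53(E.ROOT-SERVERS.NET) in 106 ms
lamolabs.org.\t86400\tIN\tNS\tns2.mydomain.com.
;; Received 114 bytes from 188.8.131.52#53(D0.ORG.AFILIAS-NST.org) in 147 ms
lamolabs.org.\t3600\tIN\tCNAME\tbubs.dyndns.org.
lamolabs.org.\t86400\tIN\tNS\tns2.mydomain.com.
;; Received 204 bytes from 184.108.40.206#53(ns2.mydomain.com) in 75 ms
"""
ANSWER = """\
lamolabs.org.\t3600\tIN\tCNAME\tbubs.dyndns.org.
bubs.dyndns.org.\t6\tIN\tA\t220.127.116.11
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
RECV = re.compile(r"^;; Received \d+ bytes from \S+#53\((\S+)\) in (\d+) ms$")

def parse_records(text):
    """(owner, ttl, type, rdata) for every resource-record line in dig output."""
    recs = []
    for line in text.splitlines():
        m = RR.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            recs.append((owner, int(ttl), rtype, rdata))
    return recs

def delegation_chain(trace):
    """One (zone, answering server, ms) per ';; Received' block: the hops root -> org. -> lamolabs.org."""
    chain, zone = [], None
    for line in trace.splitlines():
        rr = RR.match(line)
        if rr and zone is None:
            zone = rr.group(1)          # first owner name in this block
        got = RECV.match(line)
        if got:
            chain.append((zone, got.group(1), int(got.group(2))))
            zone = None
    return chain

def low_ttl(text, threshold=60):
    """Owners whose answer expires within `threshold` seconds (DDNS-style names)."""
    return [(o, ttl) for o, ttl, _, _ in parse_records(text) if ttl <= threshold]
```

Feed it real output with `dig lamolabs.org +trace` or `dig +nocmd lamolabs.org +noall +answer` piped into a file; the record lines have the same five-column shape.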
NOTE: For further details regarding my one-liner blog posts, check out my one-liner style guide primer.