dig and nslookup — DNS Troubleshooting

When DNS is broken, you reach for dig (or nslookup if you’re on Windows). Both query DNS servers and show you the responses. dig is more powerful and has cleaner output. nslookup is older but works on every platform without installing anything.

dig — the standard

# Basic query
dig example.com

# Just the answer
dig +short example.com

# Specific record type
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com TXT
dig example.com NS

# Use a specific resolver
dig @1.1.1.1 example.com
dig @8.8.8.8 example.com

Reading dig output

; <<>> DiG 9.18.x <<>> example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.       IN  A

;; ANSWER SECTION:
example.com.    300 IN  A   93.184.216.34

;; Query time: 12 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Apr 28 09:00:00 UTC 2026
;; MSG SIZE  rcvd: 56

Five sections to know:

  • HEADER — operation status. status: NOERROR is good. NXDOMAIN means the name doesn’t exist. SERVFAIL means the resolver had a problem.
  • QUESTION SECTION — what you asked
  • ANSWER SECTION — what you got back
  • AUTHORITY SECTION — who’s authoritative for this zone
  • ADDITIONAL SECTION — bonus records the server included (often glue records)

Useful dig flags

# Just print the answer values
dig +short example.com

# Show full trace from root → TLD → authoritative
dig +trace example.com

# Don't use the search domain in /etc/resolv.conf
dig example.com +nosearch

# Show DNSSEC info
dig +dnssec example.com

# Reverse lookup (IP → name)
dig -x 8.8.8.8

# Multiple queries at once (repeat the name before each type)
dig example.com A example.com AAAA example.com MX

# Use TCP instead of UDP (for big responses)
dig +tcp example.com

# Set timeout (default 5s, retries 2)
dig +time=2 +tries=1 example.com

nslookup — the cross-platform fallback

nslookup example.com

# Specific resolver
nslookup example.com 1.1.1.1

# Specific record type
nslookup -type=MX example.com
nslookup -type=AAAA example.com

# Reverse lookup
nslookup 8.8.8.8

# Interactive mode
nslookup
> server 1.1.1.1
> set type=mx
> example.com
> exit

host — the simple alternative

host example.com               # default lookup
host example.com 1.1.1.1       # specific server
host -t MX example.com         # specific type
host -a example.com            # all records

Common debugging recipes

“Is this domain registered?”

dig +short example.com NS
# If empty: domain not registered or DNS not configured
# If returns name servers: registered, those NS handle queries

“What MX records does this domain have?”

dig +short example.com MX
# 10 mail.example.com.
# Lower number = higher priority

“Why is the wrong IP coming back?”

# Compare what YOUR resolver says vs what's authoritative
dig example.com                          # your resolver
dig @ns1.example-dns-provider.com example.com    # authoritative

# If different: caching issue. Wait for TTL or flush local cache.

“Trace the entire DNS resolution”

dig +trace example.com

# Shows: root servers → .com TLD → authoritative servers → final answer
# Very useful when investigating delegation issues

“What’s the SPF/DKIM/DMARC for this domain?”

dig +short example.com TXT
dig +short _dmarc.example.com TXT
dig +short selector1._domainkey.example.com TXT

“DNSSEC verification”

dig +dnssec example.com
# Look for "ad" flag in header — means resolver validated DNSSEC successfully

# Walk through the chain manually
dig example.com DNSKEY
dig example.com DS
dig example.com RRSIG
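
The fields called out under "Reading dig output", plus the ad flag from the DNSSEC recipe, can be pulled out of a full response with a small parser. This is an added example, not code from the original post: the function names dig_summary and sample_response are made up for it, and the input is the sample response shown earlier on this page.

```sh
#!/bin/sh
# Added example (not from the original post): summarise a full dig response.
# Reads the default verbose dig output on stdin and prints one line.
dig_summary() {
    awk '
        /->>HEADER<<-/ {                 # header line carries the status code
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {                   # e.g. ";; flags: qr rd ra ad; QUERY: 1, ..."
            flags = $0
            sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
            ad = "no"
            if ((" " flags " ") ~ / ad /) ad = "yes"   # resolver validated DNSSEC
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/ || /^;;/         { in_answer = 0 }        # blank line ends a section
        in_answer && NF >= 5 {           # name TTL class type rdata
            n++
            if (n == 1 || $2 + 0 < min_ttl) min_ttl = $2 + 0
        }
        /^;; SERVER:/ { server = $3; sub(/#.*/, "", server) }
        END {
            printf "status=%s ad=%s answers=%d min_ttl=%s server=%s\n",
                   status, ad, n, (n ? min_ttl : "-"), server
        }'
}

# Sample input: the response shown under "Reading dig output" on this page.
sample_response() {
    cat <<'EOF'
; <<>> DiG 9.18.x <<>> example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.       IN  A

;; ANSWER SECTION:
example.com.    300 IN  A   93.184.216.34

;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
EOF
}

sample_response | dig_summary
# Live use: dig example.com | dig_summary
```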

Find your machine’s resolver

# Linux
cat /etc/resolv.conf
resolvectl status      # systemd-resolved

# macOS
scutil --dns | head

# Windows
ipconfig /all | findstr /C:"DNS Servers"

# What did dig actually use?
dig example.com | grep "SERVER:"

Flush local DNS cache

# Linux
sudo systemd-resolve --flush-caches
sudo resolvectl flush-caches      # newer

# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Windows
ipconfig /flushdns

# Browsers also cache — clear in browser settings

Common gotchas

  • dig vs +short output difference — the verbose default shows you the full record (with TTL, class, type). +short just gives the value. Use both.
  • Forgetting to specify type — default is A. To check IPv6, use AAAA explicitly.
  • Caching at multiple levels — your browser, OS, recursive resolver, and the authoritative server all have caches. Flushing one doesn’t help if another still has the stale entry.
  • NXDOMAIN cached too long — a “doesn’t exist” answer also gets cached. SOA’s minimum TTL controls this.

What to learn next

nmap — port scanning, service detection, OS fingerprinting. The reconnaissance tool. Up next.
