ContactSign in

dig queries a DNS resolver or authoritative nameserver and prints the DNS response in detail. It helps you confirm which records are returned, by which server, and how long the lookup takes. It has become the industry standard replacement for nslookup, offering enhanced DNS troubleshooting capabilities across Windows, Linux, and macOS systems.

When working with DNS queries, you can:

  • Query specific DNS servers to verify record updates
  • Check different DNS record types (A, AAAA, MX, CNAME)
  • Track complete DNS resolution paths
  • Measure response times from different servers
  • Compare results across multiple DNS providers
  • Execute batch queries for multiple domains

The dig displays comprehensive DNS responses in a structured format, including query statistics, server information, and precise timing data. This detailed output helps you identify DNS issues quickly and validate domain configurations effectively.

When to use dig

Use dig when you need to:

  • Verify DNS propagation across different resolvers (ISP, public DNS, corporate DNS).
  • Confirm record values (A, AAAA, CNAME, MX, TXT, NS, SOA).
  • Troubleshoot “wrong IP,” “old record,” or “works for me” DNS issues.
  • Compare responses from different DNS providers or regions.
  • Measure DNS lookup time (latency) for a resolver.

When not to use dig

dig may not be the best fit when you:

  • Need a GUI-only workflow (use a DNS dashboard or web-based DNS checker).
  • Need to test HTTP/TLS behavior (use curl, openssl s_client, or browser devtools).
  • Want only a single short answer (consider host, nslookup, or dig +short).
  • Don’t have terminal access on the environment you’re debugging.

Signals you need this (common symptoms)

You’ll usually reach for dig when:

  • DNS changes “haven’t propagated,” but you’re unsure which resolver is stale.
  • Users in one network resolve correctly and others don’t.
  • A load-balanced record doesn’t seem to rotate or respond as expected.
  • You suspect a CNAME chain or delegation (NS) is misconfigured.
  • You need proof of what DNS returned at a specific time and from a specific server.

How dig works (what it actually queries)

A dig request can go to:

  • A recursive resolver (most common): returns the final answer and may use cache.
  • An authoritative nameserver: returns the source-of-truth answer for the zone.

By default, dig uses the DNS servers configured on your machine (system resolver list). You can override this by specifying a resolver IP with @.

Key things to read in the output

Focus on these parts:

  • ANSWER SECTION: the record(s) returned (and their TTL).
  • Query time (footer): how long the resolver took to answer (ms).
  • SERVER (footer): which resolver you queried.
  • AUTHORITY / ADDITIONAL: delegation hints and related records.
  • Status in the header (e.g., NOERROR, NXDOMAIN, SERVFAIL).

Installing the dig command

The dig command comes pre-installed on most macOS versions and some Linux distributions. Since it’s not available by default on Windows and many Linux distributions, we provide installation guides to help you set up this essential DNS troubleshooting tool. As part of the BIND toolkit, dig serves as an alternative to the discontinued nslookup command, offering comprehensive DNS query capabilities across all major operating systems.

Installing dig on Windows

  1. Download the Current-Stable, ESV version of BIND from the ISC downloads page.
  2. Extract the entire contents of the compressed file BIND9.18.14.tar.xz into a dedicated folder.
  3. Run the BINDInstall.exe file as an administrator.
  4. Select the Tools Only checkbox to install only the dig, host, nslookup, and nsupdatetools.

You can still use BIND with Windows. However, support for OS was removed in a 2021 update.

Installing dig on Linux distributions

To install the command on Debian-based distributions such as Ubuntu, PopOS, and Kali Linux:

  1. Open the terminal.
  2. Run sudo apt-get install dnsutils.

    For other Linux distributions, see the developer documentation.

  3. Run dig -v to check the installed version.

Installing the dig command: video guide

This comprehensive video demonstrates how to install and use the dig across different operating systems. You’ll learn how to:

  • Install dig on Windows and Linux
  • Perform basic DNS lookups
  • Check CNAME records
  • Understand dig responses
  • Validate Edge Computing services

Using the dig command

In this section, you’ll query records from a specific domain and from several domains in the same request; select which DNS server to use for the query; find out the latency (in milliseconds); what are the IPs associated with the domains queried; and track the entire process of resolving nameservers, from the root to the last authoritative nameserver (which maintains the domain records).

To perform a query with the dig command:

  1. Open the terminal (Command Line Prompt, Power Shell, or Git Bash for Windows systems).
  2. Run dig azion.com (swap azion.com for the domain you want to query).

It’s also possible to perform a query of several domains in the same request:

  1. Create a text file to store the domains of interest. Example: domains.txt.
  2. Inside the file, separate the domains by line. Example:
Terminal window
azion.com
google.com
github.com
  1. Open the terminal.
  2. Run dig domains.txt.

The answer to these commands consists of four sections: Header, OPT PSEUDOSECTION, ANSWER SECTION, and footer.

There’s relevant information in all sections of the response. However, this guide will focus on the last two sections: ANSWER SECTION and footer.

The ANSWER SECTION is where the DNS records should appear. In the footer section, you find the latency time, in milliseconds, in addition to which DNS server was used to solve the request.

By default, the dig command uses a list of DNS servers stored locally on your machine.

If you want to use a specific DNS list, such as Google’s (8.8.8.8, 8.8.4.4, 2001:4860::4860::8888, and 2001:4860:4860::8844), for example, use the @ + IP tag in the list.

Here’s an example of the command:

dig @8.8.8.8 azion.com or dig @8.8.8.8 domains.txt

To track the entire DNS server path, add the +trace option to the command. See an example:

dig azion.com +trace

The +trace option is an instruction to return the full path that the DNS server took to resolve the query.

This response is quite different from the simple request and presents all DNS servers involved in the resolution of a domain, passing through the Top-Level Domain (TLD) servers until reaching the last authoritative server.

Using dig to test Azion zones and applications

If you’ve configured a zone in Azion Edge DNS, you can use the dig command to test how and if it’s receiving proper traffic. For example, if you’ve configured a load balance with a DNS record, you can test and check if the load balance is working properly.

Create Azion account
Create zone
Test balanced record

You can also check the latency of a web application with the dig command to validate the Azion Edge Computing service. For example, you can compare the latency of your application, served by cloud and by Azion Web Platform.

Using dig in batch (multiple domains)

Create a file:

Terminal window
`cat \> domains.txt \<\< 'EOF'
azion.com
google.com
github.com
EOF

Run:

Terminal window
while read \-r d; do
echo "== $d \=="
dig "$d" A \+short
done \< domains.txt

Installing dig

macOS

Usually preinstalled. If not, install via Homebrew:

Terminal window
brew install bind


### **Linux (Debian/Ubuntu and derivatives)**


```bash
sudo apt-get update
sudo apt-get install \-y dnsutils
dig \-v

Windows

dig isn’t typically installed by default. A common approach is to install BIND tools and select Tools Only during setup.

  • Download BIND from the ISC downloads page: https://www.isc.org/download/
  • Note: ISC removed full Windows OS support in 2021; tools may still work depending on your environment.

How this applies in practice (vendor-neutral)

Typical real-world DNS troubleshooting flow:

  1. Query with your default resolver to reproduce the problem.
  2. Query a public resolver (e.g., 8.8.8.8 / 1.1.1.1) to compare answers.
  3. If results differ, check TTL and caching behavior.
  4. Use +trace to validate delegation and identify the authoritative server.
  5. Query the authoritative server directly to confirm the source-of-truth record.

How to implement on Azion

If you manage DNS zones and records on Azion, dig is useful for validating that your records are being served as expected and for testing behaviors such as load balancing.

  • Create/configure a zone (Azion Edge DNS):
    /en/documentation/products/guides/secure/edge-dns-configure-main-settings/
  • Test a balanced record:
    /en/documentation/products/guides/secure/load-balance-dns/#testing-your-balanced-record

Mini FAQ

“How do I check which DNS server answered my query?”
Look at the footer line that starts with SERVER:.

“How do I query Google DNS with dig?”
Use @8.8.8.8, for example:

Terminal window
dig @8.8.8.8 azion.com

“How do I see only the IP address returned by DNS?”
Use +short:

Terminal window
dig azion.com A \+short

“How do I troubleshoot DNS delegation issues?”
Run a trace:

Terminal window
dig example.com \+trace

“How do I compare propagation across resolvers?”
Run the same query against multiple resolvers and compare the ANSWER SECTION:

Terminal window
dig @1.1.1.1 example.com
dig @8.8.8.8 example.com

Limitations

  • dig checks DNS responses, not application availability (HTTP/TLS).
  • Results depend on which resolver you query and its cache state.
  • Some networks intercept or filter DNS (can affect results).

Docs

  • Azion Edge DNS zone configuration: /en/documentation/products/guides/secure/edge-dns-configure-main-settings/
  • Load balance DNS testing: /en/documentation/products/guides/secure/load-balance-dns/#testing-your-balanced-record