When an endpoint times out, I check DNS early to rule it in or out quickly. dig gives a fast sanity check before digging into app or network layers.

Basic commands

Basic lookup:

dig example.com

Get just the answer:

dig +short example.com

Specific record types

A records (IPv4):

dig A example.com

AAAA records (IPv6):

dig AAAA example.com

CNAME records:

dig CNAME www.example.com

MX records (mail):

dig MX example.com

TXT records:

dig TXT example.com

Query specific DNS server

Useful for checking if a change has propagated:

dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

Trace the resolution

See the full resolution path:

dig +trace example.com

This shows each step from root servers down to your answer.

Quick reference

dig +short example.com        # Just the IP
dig +noall +answer example.com # Clean output
dig -x 1.2.3.4                # Reverse lookup

Real debugging scenario

Last month I was investigating why our staging environment wasn’t accessible. The domain was staging.example.com and it was timing out intermittently.

Here’s how I debugged it:

  1. Check what it resolves to locally:

    dig +short staging.example.com
    

    Got back an IP: 34.123.45.67

  2. Check if it’s a CNAME:

    dig staging.example.com
    

    Output showed it was a CNAME pointing to a load balancer: lb-prod-xyz.eu-west-2.elb.amazonaws.com

  3. Check what the CNAME resolves to:

    dig +short lb-prod-xyz.eu-west-2.elb.amazonaws.com
    

    Got multiple IPs (load balancer)

  4. Query Cloudflare’s DNS directly (our DNS provider):

    dig @1.1.1.1 staging.example.com
    

    Same result as local

  5. Check if it’s cached (query an authoritative nameserver):

    dig +trace staging.example.com
    

    This showed the full chain and revealed that the CNAME was correct.

The issue turned out to be firewall rules blocking our office IP from the load balancer. But dig helped rule out DNS as the problem within 2 minutes. Without it, I would have wasted time checking application logs, Kubernetes pods, etc.

The key insight was using +trace to verify the CNAME was correct all the way from the root servers, and querying @1.1.1.1 to confirm Cloudflare was serving the right record.
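
Steps 1 to 4 above can be scripted so the CNAME chain and the resolver comparison are checked the same way every time. This is an added example, not code from the original post: the function names `follow_chain` and `answer_set` are hypothetical, and the sample answers are constructed with addresses from the documentation range.

```shell
#!/bin/sh
# Constructed `dig +noall +answer` output (addresses from 192.0.2.0/24).
# The two resolvers return the load balancer's A records in a different order.
SAMPLE_LOCAL='staging.example.com. 300 IN CNAME lb-prod-xyz.eu-west-2.elb.amazonaws.com.
lb-prod-xyz.eu-west-2.elb.amazonaws.com. 60 IN A 192.0.2.10
lb-prod-xyz.eu-west-2.elb.amazonaws.com. 60 IN A 192.0.2.11'
SAMPLE_PUBLIC='staging.example.com. 300 IN CNAME lb-prod-xyz.eu-west-2.elb.amazonaws.com.
lb-prod-xyz.eu-west-2.elb.amazonaws.com. 60 IN A 192.0.2.11
lb-prod-xyz.eu-west-2.elb.amazonaws.com. 60 IN A 192.0.2.10'

# follow_chain NAME: read an answer section on stdin, walk the CNAME chain
# from NAME and print it with the final addresses. Exit status 1 if the
# chain ends without an A/AAAA record, 2 if the CNAMEs form a loop.
follow_chain() {
    awk -v start="$1" '
        { sub(/\.$/, "", $1); sub(/\.$/, "", $5) }   # drop the trailing root dot
        $4 == "CNAME"             { cname[tolower($1)] = tolower($5) }
        $4 == "A" || $4 == "AAAA" { addr[tolower($1)] = addr[tolower($1)] " " $5 }
        END {
            name = tolower(start); sub(/\.$/, "", name); path = name
            while (name in cname) {
                if (seen[name]++) { print path " LOOP"; exit 2 }
                name = cname[name]; path = path " -> " name
            }
            if (name in addr) print path " =>" addr[name]
            else { print path " => NO_ADDRESS"; exit 1 }
        }'
}

# answer_set: sorted, de-duplicated addresses from an answer section on stdin,
# so two resolvers can be compared even when the record order rotates.
answer_set() {
    awk '$4 == "A" || $4 == "AAAA" { print $5 }' | sort -u | paste -s -d ' ' -
}

# Live use (needs network):
#   dig +noall +answer staging.example.com | follow_chain staging.example.com
#   dig +noall +answer @1.1.1.1 staging.example.com | answer_set
printf '%s\n' "$SAMPLE_LOCAL" | follow_chain staging.example.com
if [ "$(printf '%s\n' "$SAMPLE_LOCAL" | answer_set)" = \
     "$(printf '%s\n' "$SAMPLE_PUBLIC" | answer_set)" ]; then
    echo "resolvers agree"
else
    echo "resolvers disagree"
fi
```

A plain string comparison of two `dig +short` outputs would report a difference here because the load balancer's records come back in a different order; comparing the sorted sets does not.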

dig vs nslookup vs dog

  • dig: best default for day-to-day debugging.
  • nslookup: fine in a pinch, but less ergonomic.
  • dog: modern output and JSON, good if you want nicer UX.

My take: learn dig first and you’re covered almost everywhere.