DNS comes up in sysadmin work constantly. Server migrations, email deliverability issues, "the website isn't loading" tickets, certificate renewals, debugging weird routing problems. You don't need to be a DNS expert, but you do need a solid toolkit.
Here are the DNS commands and tools I use regularly, with real examples from problems I've actually dealt with.
dig - the workhorse
dig is the most useful DNS tool you'll ever learn. It queries DNS servers and shows you exactly what they return, with full detail.
Basic lookup
```
dig example.com
```
This queries your system's default DNS resolver for the A record. The output is verbose but everything in it is useful.
Query a specific DNS server
```
dig @8.8.8.8 example.com
```
This bypasses your local resolver and asks Google directly. Essential for comparing what different resolvers return.
Query specific record types
```
dig example.com MX    # Mail servers
dig example.com TXT   # SPF, DKIM, DMARC, verification records
dig example.com NS    # Nameservers
dig example.com AAAA  # IPv6 addresses
dig example.com CAA   # Certificate Authority Authorization
dig example.com SOA   # Start of Authority (serial, refresh, retry)
```
Short output
```
dig +short example.com
```
When you just want the IP address, no fuss. I use +short in scripts all the time.
Trace the full resolution path
```
dig +trace example.com
```
This shows every step of DNS resolution: root servers, TLD servers, authoritative servers. Brilliant for finding exactly where a lookup goes wrong.
Check TTL
```
dig example.com | grep -A1 "ANSWER SECTION"
```
In each answer line, the number right after the domain name (before IN and the record type) is the remaining TTL in seconds. Check it before migrations: it's how long resolvers may keep serving the old value after you change the record.
Reverse lookup
```
dig -x 8.8.8.8
```
Turns an IP address back into a hostname. Handy for identifying mystery IPs in logs.
nslookup - quick and dirty
nslookup is older and simpler than dig. I use it mostly on Windows machines where dig isn't installed by default.
```
nslookup example.com
nslookup example.com 8.8.8.8
nslookup -type=MX example.com
```
It works, but the output is harder to parse than dig's. If you have both available, use dig.
host - the one-liner
host gives you the basics with minimal output:
```
host example.com
```
Returns A, AAAA, and MX records in a single readable line each. I use it when I just need a quick "does this resolve?" check.
```
host -t TXT example.com    # Specific record type
host example.com 1.1.1.1   # Query specific server
```
whois - domain ownership and registration
When you need to know who owns a domain, when it expires, or which registrar it's with:
```
whois example.com
```
The output format varies by registrar and TLD, but you'll usually find the registration date, expiry date, registrar name, and nameservers.
If you're not at a terminal, publicdns.info has a web-based WHOIS tool that works with both domains and IPs. I keep it bookmarked for when I'm on a call with a client and need to check something quickly.
Real-world scenarios
"Email isn't being delivered"
Nine times out of ten, it's DNS. Check:
```
# MX records - where should email go?
dig example.com MX +short

# SPF - who's allowed to send as this domain?
dig example.com TXT | grep -i spf

# DKIM - signature record (replace "selector" with the selector your mail provider uses)
dig selector._domainkey.example.com TXT

# DMARC - policy
dig _dmarc.example.com TXT
```
If SPF is missing or wrong, email goes to spam. If MX records point to the wrong server, email doesn't arrive at all.
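The same four checks wrapped into a script, as an added example that is not part of the original post. The parsing helpers read `dig +short` output from stdin so they can be exercised offline on constructed text; the DKIM selector name is an assumption and must be replaced with whatever your mail provider uses.

```shell
#!/bin/sh
# Added example (not from the original post): run the four mail-record checks
# above and flag what is missing. The parsing helpers read dig +short output
# from stdin so they can be exercised offline on constructed text.

# Print the SPF record from TXT output (dig +short prints quoted strings).
spf_record() {
    grep -i '"v=spf1' | tr -d '"' | head -n 1
}

# Print the DMARC policy (the p= tag) from a _dmarc TXT record, or nothing.
dmarc_policy() {
    grep -i '"v=DMARC1' | tr -d '" ' | tr ';' '\n' | grep -i '^p=' | cut -d= -f2 | head -n 1
}

# Count MX records ("10 mail.example.com."); grep -c exits 1 on zero matches,
# so swallow that status and keep the printed 0.
mx_count() {
    grep -c '^[0-9][0-9]* ' || true
}

check_mail_dns() {
    domain=$1
    selector=${2:-default}   # assumed DKIM selector; yours may be google, k1, ...
    mx=$(dig "$domain" MX +short | mx_count)
    spf=$(dig "$domain" TXT +short | spf_record)
    dkim=$(dig "$selector._domainkey.$domain" TXT +short | grep -c 'v=DKIM1' || true)
    policy=$(dig "_dmarc.$domain" TXT +short | dmarc_policy)

    [ "$mx" -gt 0 ]   && echo "MX:    $mx record(s)"            || echo "MX:    MISSING - mail will not arrive"
    [ -n "$spf" ]     && echo "SPF:   $spf"                      || echo "SPF:   MISSING - mail will likely land in spam"
    [ "$dkim" -gt 0 ] && echo "DKIM:  selector $selector found"  || echo "DKIM:  no record for selector $selector"
    [ -n "$policy" ]  && echo "DMARC: p=$policy"                 || echo "DMARC: MISSING - no policy published"
}

# Usage (needs network and dig): sh mailcheck.sh example.com selector
if [ -n "${1:-}" ]; then
    check_mail_dns "$1" "${2:-default}"
fi
```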
"SSL certificate renewal is failing"
Let's Encrypt and other CAs use DNS to validate domain ownership:
```
# Check the ACME challenge record exists
dig _acme-challenge.example.com TXT +short
```
If this returns empty, your cert renewal script didn't create the record, or DNS propagation hasn't reached the CA's resolver yet.
Also check CAA records:
```
dig example.com CAA +short
```
If CAA is set and doesn't include your CA, certificate issuance will be blocked.
"The website loads from some places but not others"
Usually a propagation issue after a DNS change, or a geo-DNS setup:
```
# Compare what different resolvers see
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short
dig @9.9.9.9 example.com +short
```
If they return different IPs, use a propagation checker to see the global picture.
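An added example, not from the original post, that automates the comparison above and adds the check I'd do next: query each authoritative nameserver for its SOA serial, since a stale secondary explains "some places see the old record" more often than resolver caching does. Answers are sorted before comparing so round-robin ordering differences aren't reported as disagreement.

```shell
#!/bin/sh
# Added example (not from the original post): compare what several resolvers
# return for a name, then check that the domain's authoritative nameservers
# all serve the same SOA serial. Helpers read stdin so they can be tested offline.

# Normalize a dig +short answer list: sort and join so round-robin ordering
# differences are not reported as disagreement.
normalize_answers() {
    sort | tr '\n' ' ' | sed 's/ $//'
}

# Read "label<TAB>value" lines and print the number of distinct values.
distinct_values() {
    cut -f2- | sort -u | grep -c . || true
}

compare_resolvers() {
    domain=$1; shift
    results=$(for r in "$@"; do
        a=$(dig "@$r" "$domain" +short | normalize_answers)
        printf '%s\t%s\n' "$r" "${a:-(no answer)}"
    done)
    echo "$results"
    if [ "$(echo "$results" | distinct_values)" -gt 1 ]; then
        echo "resolvers disagree for $domain (propagation lag or geo-DNS)"
    else
        echo "all resolvers agree for $domain"
    fi
}

# Ask each authoritative NS directly; the serial is the 3rd field of +short SOA output.
compare_serials() {
    domain=$1
    results=$(for ns in $(dig "$domain" NS +short); do
        s=$(dig "@$ns" "$domain" SOA +short | awk '{print $3}')
        printf '%s\t%s\n' "$ns" "${s:-(no answer)}"
    done)
    echo "$results"
    if [ "$(echo "$results" | distinct_values)" -gt 1 ]; then
        echo "SOA serials differ: a secondary has not picked up the latest zone"
    else
        echo "all nameservers serve the same serial"
    fi
}

# Usage (needs network and dig): sh dnscompare.sh example.com
if [ -n "${1:-}" ]; then
    compare_resolvers "$1" 8.8.8.8 1.1.1.1 9.9.9.9
    compare_serials "$1"
fi
```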
"Is DNSSEC working on this domain?"
```
dig example.com +dnssec
```
Look for the ad flag (Authenticated Data) in the flags line of the response header. If it's there, DNSSEC is validating. The flag is set by a validating resolver, so if your local resolver doesn't validate you won't see it even on a correctly signed zone; repeat the query against a validating public resolver such as 8.8.8.8.
Web-based alternatives
Sometimes you're not at a terminal. I keep publicdns.info/tools/dig bookmarked. It does proper dig queries from a browser - all record types, choice of DNS provider, shows the full response. Covers 90% of what I need when I can't open a terminal.
Quick reference card
| What you need | Command |
|---|---|
| A record lookup | dig example.com |
| Specific server | dig @1.1.1.1 example.com |
| MX records | dig example.com MX +short |
| TXT records (SPF/DKIM) | dig example.com TXT |
| Nameservers | dig example.com NS +short |
| Full trace | dig +trace example.com |
| Reverse lookup | dig -x 8.8.8.8 |
| Domain info | whois example.com |
| DNSSEC check | dig example.com +dnssec |
DNS looks simple until it isn't. Start with dig, check the obvious records, and work outward from there. Most DNS issues turn out to be simpler than they first appear.