dig（执行网络DNS查找）_语法_示例_Unix&Linux命令

在类似Unix的操作系统上，dig命令执行网络DNS查找。

查看英文版

Unix&Linux

dig（代表域信息groper）是一种用于查询DNS名称服务器的灵活工具。它执行DNS查找，并显示从被名称服务器（一个或多个）返回的答案查询。由于DNS的灵活性，易用性和输出的清晰度，大多数DNS管理员都使用dig来解决DNS问题。其他查找工具的功能往往比挖掘少。

尽管dig通常与命令行参数一起使用，但它也具有批处理操作模式，用于从文件读取查询请求。给定-h选项时，将打印其命令行参数和选项的摘要。与早期版本不同，dig的BIND 9实现允许从命令行发出多个查询。

除非被告知要查询特定的名称服务器，否则dig将尝试/etc/resolv.conf中列出的每个服务器。

如果未提供任何命令行参数或选项，dig将执行NS查询“ 。 ”（根目录）。

可以通过$ {HOME} /。digrc为每个用户设置默认的dig 。将读取此文件，并在命令行参数之前应用其中的所有选项。

IN和CH类名称与IN和CH顶级域名重叠。使用-t和-c选项指定类型和类，或者使用-q指定域名，或者使用“ IN”。和“ CH”。在查找这些顶级域时。

查看英文版

dig [@server] [-b address] [-c class] [-f filename] [-k filename]
    [-m] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key]
    [-4] [-6] [name] [type] [class] [queryopt...]

dig [-h]

dig [global-queryopt...] [query...]

选件

-b address	该-b选项设置查询的源IP地址地址。这必须是主机网络接口之一上的有效地址，或者是“ 0.0.0.0”或“ ::”。可以通过附加“＃ ”来指定可选端口
-c class	默认查询类（IN为互联网）被覆盖由-c选项。class是任何有效的类，例如Hesiod记录的HS或CHAOSNET记录的CH。
-f filename	在-f选项使挖掘从文件读取查找请求的列表，以处理在批处理模式下运行的文件名。该文件包含许多查询，每行一个。文件中的每个条目都应以与使用命令行界面进行挖掘的查询相同的方式组织。
-p port＃	如果要查询非标准端口号，则使用-p选项。port＃是dig将发送其查询的端口号，而不是标准DNS端口号53。此选项将用于测试配置为侦听非标准端口号上的查询的名称服务器。
-4	在-4选项强制挖只使用IPv4的查询运输。
-6	该-6选项强制挖仅使用IPv6的查询运输。
-t type	该-t选项设置查询类型为类型。它可以是BIND9支持的任何有效查询类型。缺省查询类型“ A ”，除非提供了-x选项以指示反向查找。甲区转移可以通过指定一个请求AXFR。当增量区域传输（IXFR是必需的），类型被设置为IXFR = N。增量区域传输将包含自到区域所做的更改序列号，在该区域的SOA记录是ñ。
-x addr	-x选项简化了反向查询（将地址映射到名称）。addr是点分十进制格式的IPv4地址，或冒号分隔的IPv6地址。使用此选项时，无需提供名称，类和类型参数。挖掘将自动对诸如11.12.13.10.in-addr.arpa之类的名称执行查找，并将查询类型和类分别设置为PTR和IN。默认情况下，在IP6.ARPA域下使用半字节格式查找IPv6地址。要使用IP6.INT域使用较旧的RFC1886方法，请指定-i选项。位字符串标签（RFC2874）现在处于试验阶段，不再尝试。
-k filename	要使用TSIG（事务签名）对dig发送的DNS查询及其响应进行签名，请使用-k选项指定一个TSIG密钥文件。
-y [ hmac ： ]name：key	您也可以使用-y选项在命令行上指定TSIG密钥本身。name是TSIG密钥的名称，而key是实际密钥。密钥是由dnssec-keygen生成的base-64编码的字符串。在多用户系统上使用-y选项时应小心，因为该键在ps的输出或外壳的历史记录文件中可见。将TSIG身份验证与dig结合使用时，查询的名称服务器需要知道所使用的密钥和算法。在BIND中，这是通过在named.conf中提供适当的key和server语句来完成的。

使用简单

典型的dig调用如下：

dig @server name type

哪里：

server是要查询的名称服务器的名称或IP地址。这可以是点分十进制表示形式的IPv4地址或冒号分隔的表示形式的IPv6地址。当提供的服务器参数是hostname时，dig在查询该名称服务器之前会解析该名称。如果没有提供服务器参数，dig会查询/etc/resolv.conf并查询那里列出的名称服务器。显示来自名称服务器的响应。
name是要查找的资源记录的名称。
type指示需要哪种查询类型-ANY，A，MX，SIG等。type可以是任何有效的查询类型。如果未提供任何类型参数，dig将对A记录执行查找。

查询选项

dig提供了许多查询选项，这些选项会影响查找方式和结果显示方式。查询标头中的这些设置或重置标志位中的一些，一些确定打印答案的哪些部分，其他确定超时和重试策略。

每个查询选项都由一个关键字加一个加号（+）标识。一些关键字设置或重置选项。可以在它们前面加上字符串no来否定该关键字的含义。其他关键字为诸如超时间隔之类的选项分配值。它们的格式为+ keyword = value。查询选项为：

+ [no] tcp	查询名称服务器时，请使用[不使用] TCP。除非请求AXFR或IXFR查询，否则默认行为是使用UDP，在这种情况下，将使用TCP连接。
+ [no] vc	查询名称服务器时，请使用[不使用] TCP。提供了+ [no] tcp的备用语法以实现向后兼容。“ vc”代表“虚拟电路”。
+ [no]忽略	忽略UDP响应中的截断，而不是使用TCP重试。默认情况下，执行TCP重试。
+ domain =somename	设置搜索列表以包含单个域somename，就像在/etc/resolv.conf中的domain指令中指定的那样，并启用搜索列表处理，就好像给出了+ search选项一样。
+ [no]search	使用[请勿使用]由resolv.conf中的searchlist或domain指令定义的搜索列表（如果有）。默认情况下不使用搜索列表。
+ [ no ] showsearch	执行[不执行]显示中间结果的搜索。
+ [ no ] defname	已过时，视为+ [no] search的同义词
+ [ no ] aaonly	在查询中设置“ aa ”标志。
+ [ no ] aaflag	仅+ [no] aa的同义词。
+ [ no ] adflag	设置[不设置]查询中的AD（真实数据）位。这要求服务器返回是否已根据服务器的安全性策略将所有答案和权限部分都全部确认为安全性。AD = 1表示所有记录都已被确认为安全记录，并且答案不在OPT-OUT范围内。AD = 0表示答案的某些部分不安全或未通过验证。
+ [ no ] cdflag	在查询中设置[不设置] CD（禁用检查）位。这要求服务器不执行响应的DNSSEC验证。
+ [ no ] cl	打印记录时显示[不显示] CLASS。
+ [no] ttlid	打印记录时显示[不显示] TTL。
+ [no]recurse	切换查询中的RD（需要递归）位的设置。该位是默认设置的，这意味着dig通常会发送递归查询。使用+ nssearch或+ trace查询选项时，将自动禁用递归。
+ [no] nssearch	设置此选项后，dig将尝试查找包含正在查找的名称的区域的权威名称服务器，并显示每个名称服务器对该区域具有的SOA记录。
+ [no]trace	从根名称服务器切换对要查找的名称的委派路径的跟踪。默认情况下，跟踪是禁用的。启用跟踪后，dig会进行迭代查询以解析要查找的名称。它将遵循来自根服务器的引用，显示来自用于解析该查询的每个服务器的答案。
+ [no] cmd	切换输出中初始注释的打印，以标识dig的版本和已应用的查询选项。默认情况下，此注释是打印的。
+ [ no ]short	提供一个简短的答案。默认为以详细形式打印答案。
+ [no]identify	显示[或不显示]启用+ short选项时提供答案的IP地址和端口号。如果要求提供简短的答案，则默认为不显示提供答案的服务器的源地址和端口号。
+ [no]comments	切换输出中注释行的显示。默认为打印注释。
+ [no]stats	此查询选项可切换统计信息的打印：进行查询时，答复的大小等。默认行为是打印查询统计信息。
+ [no] qr	在发送查询时打印[不打印]查询。默认情况下，不打印查询。
+ [no]question	返回答案时，打印[不打印]查询的问题部分。默认设置是将问题部分打印为注释。
+ [no]answer	显示[不显示]答复的答案部分。默认是显示它。
+ [no]authority	显示[不显示]回复的权限部分。默认是显示它。
+ [no]additional	显示[不显示]答复的其他部分。默认是显示它。
+ [no]all	设置或清除所有显示标志。
+time= T	将查询超时设置为T秒。默认超时为5秒。尝试将T设置为小于1将导致应用查询超时1秒。
+tries= T	将尝试对服务器的UDP查询的次数设置为T，而不是默认值3。如果T小于或等于零，则尝试次数将自动舍入为1。
+retry= T	将重试到服务器的UDP查询的次数设置为T，而不是默认值2。与+ tries不同，它不包括初始查询。
+ ndots = D	将必须出现在名称中的点数设置为D，才能将其视为绝对值。缺省值是使用所定义的ndots语句/etc/resolv.conf中，或1，如果没有的ndots语句存在。点号较少的名称将被解释为相对名称，并将在/etc/resolv.conf的search或domain指令中列出的域中进行搜索。
+ bufsize = B	将使用EDNS0通告的UDP消息缓冲区大小设置为B 字节。该缓冲区的最大和最小大小分别为65535和0。超出此范围的值将适当向上或向下取整。非零值将导致发送EDNS查询。
+ edns = ＃	指定要在查询中使用的EDNS版本。有效值为0到255。设置EDNS版本将导致发送EDNS查询。+ noedns清除记住的EDNS版本。
+ [ no ]multiline	以冗长的多行格式打印记录，如SOA记录，并带有易于阅读的注释。默认设置是将每条记录打印在一行上，以便于计算机分析挖掘输出。
+ [no] onesoa	执行AXFR时仅打印一个（开始）SOA记录。默认设置是同时打印开始和结束SOA记录。
+ [no]fail	如果收到SERVFAIL，请不要尝试下一个服务器。默认设置是不尝试与普通存根解析器行为相反的下一个服务器。
+ [no]besteffort	尝试显示格式错误的消息的内容。默认为不显示格式错误的答案。
+ [no] dnssec	通过在查询的附加部分中的OPT记录中设置DO（DNSSEC OK）位来发送请求DNSSEC记录。
+ [ no ] sigchase	追逐DNSSEC签名链。需要使用-DDIG_SIGCHASE编译dig。
+ trusted-key = ####	指定包含与+ sigchase一起使用的受信任密钥的文件。每个DNSKEY记录必须位于其自己的行上。如果未指定，dig将在当前目录中查找/etc/trusted-key.key，然后查找trust-key.key。需要使用-DDIG_SIGCHASE编译dig。
+ [no]topdown	追踪DNSSEC签名链时，请执行自顶向下的验证。需要使用-DDIG_SIGCHASE编译dig。
+ [no] nsid	发送查询时，请包含EDNS名称服务器ID请求。

多个查询

dig的BIND 9实现支持在命令行上指定多个查询（除了支持-f批处理文件选项之外）。可以为每个查询提供自己的一组标志，选项和查询选项。

在这种情况下，每个查询参数代表上述命令行语法中的单个查询。每个选项都包含任何标准选项和标志，要查找的名称，可选的查询类型和类以及应应用于该查询的所有查询选项。

还可以提供应应用于所有查询的全局查询选项集。这些全局查询选项必须在命令行上提供的名称，类，类型，选项，标志和查询选项的第一个元组之前。特定于查询的一组查询选项可以覆盖所有全局查询选项（+ [ no ] cmd选项除外）。例如：

dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

显示了如何从命令行使用dig进行三个查询：对www.isc.org的ANY查询，对127.0.0.1的反向查询以及对isc.org的NS记录的查询。应用了+ qr的全局查询选项，因此dig显示了它为每次查找所做的初始查询。最终查询的本地查询选项为+ noqr，这意味着dig在查询isc.org的NS记录时不会打印初始查询。

IDN支持

如果dig是使用IDN（国际化域名）支持构建的，则它可以接受和显示非ASCII域名。dig在向DNS服务器发送请求或显示来自服务器的答复之前，会适当地转换域名的字符编码。如果您出于某种原因想要关闭IDN支持，请定义IDN_DISABLE环境变量。如果在运行dig时设置了变量，则将禁用IDN支持。

dig [@server] [-b address] [-c class] [-f filename] [-k filename]
    [-m] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key]
    [-4] [-6] [name] [type] [class] [queryopt...]

dig [-h]

dig [global-queryopt...] [query...]

Options

-b address	The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#"
-c class	The default query class (IN for Internet) is overridden by the -c option. class is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
-f filename	The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains many queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to dig using the command-line interface.
-p port#	If a non-standard port number is to be queried, the -p option is used. port# is the port number that dig will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that was configured to listen for queries on a non-standard port number.
-4	The -4 option forces dig to only use IPv4 query transport.
-6	The -6 option forces dig to only use IPv6 query transport.
-t type	The -t option sets the query type to type. It can be any valid query type that is supported in BIND9. The default query type "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was N.
-x addr	Reverse lookups (mapping addresses to names) are simplified by the -x option. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the name, class, and type arguments. The dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the -i option. Bit string labels (RFC2874) are now experimental and are not attempted.
-k filename	To sign the DNS queries sent by dig and their responses using TSIG (transaction signatures), specify a TSIG key file using the -k option.
-y [hmac:]name:key	You can also specify the TSIG key itself on the command line using the -y option; name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, generated by dnssec-keygen. Caution should be taken when using the -y option on multi-user systems as the key can be visible in the output from ps or in the shell's history file. When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf.

Simple usage

A typical invocation of dig looks like:

dig @server name type

where:

server is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a hostname, dig resolves that name before querying that name server. If no server argument is provided, dig consults /etc/resolv.conf and queries the name servers listed there. The reply from the name server that responds is displayed.
name is the name of the resource record that is to be looked up.
type indicates what type of query is required - ANY, A, MX, SIG, etc. type can be any valid query type. If no type argument is supplied, dig will perform a lookup for an A record.

Query options

dig provides many query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.

Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string no to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +keyword=value. The query options are:

+[no]tcp	Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
+[no]vc	Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backward compatibility. The "vc" stands for "virtual circuit".
+[no]ignore	Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
+domain=somename	Set the search list to contain the single domain somename, as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given.
+[no]search	Use [do not use] the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.
+[no]showsearch	Perform [do not perform] a search showing intermediate results.
+[no]defname	Deprecated, treated as a synonym for +[no]search
+[no]aaonly	Sets the "aa" flag in the query.
+[no]aaflag	A synonym for +[no]aaonly.
+[no]adflag	Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from an OPT-OUT range. AD=0 indicate that some part of the answer was insecure or not validated.
+[no]cdflag	Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
+[no]cl	Display [do not display] the CLASS when printing the record.
+[no]ttlid	Display [do not display] the TTL when printing the record.
+[no]recurse	Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when the +nssearch or +trace query options are used.
+[no]nssearch	When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
+[no]trace	Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
+[no]cmd	Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.
+[no]short	Provide a terse answer. The default is to print the answer in a verbose form.
+[no]identify	Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
+[no]comments	Toggle the display of comment lines in the output. The default is to print comments.
+[no]stats	This query option toggles the printing of statistics: when the query was made, the size of the reply, etc. The default behavior is to print the query statistics.
+[no]qr	Print [do not print] the query as it is sent. By default, the query is not printed.
+[no]question	Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
+[no]answer	Display [do not display] the answer section of a reply. The default is to display it.
+[no]authority	Display [do not display] the authority section of a reply. The default is to display it.
+[no]additional	Display [do not display] the additional section of a reply. The default is to display it.
+[no]all	Set or clear all display flags.
+time=T	Sets the timeout for a query to T seconds. The default timeout is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied.
+tries=T	Sets the number of times to try UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of tries is silently rounded up to 1.
+retry=T	Sets the number of times to retry UDP queries to server to T instead of the default, 2. Unlike +tries, this does not include the initial query.
+ndots=D	Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.
+bufsize=B	Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause an EDNS query to be sent.
+edns=#	Specify the EDNS version to use in a query. Valid values are 0 to 255. Setting the EDNS version will cause an EDNS query to be sent. +noedns clears the remembered EDNS version.
+[no]multiline	Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output.
+[no]onesoa	Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
+[no]fail	Do not try the next server if you receive a SERVFAIL. The default is to not try the next server that is the reverse of normal stub resolver behavior.
+[no]besteffort	Attempt to display the contents of messages that are malformed. The default is to not display malformed answers.
+[no]dnssec	Requests DNSSEC records be sent by setting the DO (DNSSEC OK) bit in the OPT record in the additional section of the query.
+[no]sigchase	Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.
+trusted-key=####	Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be on its own line. If not specified, dig will look for /etc/trusted-key.key then trusted-key.key in the current directory. Requires dig be compiled with -DDIG_SIGCHASE.
+[no]topdown	When chasing DNSSEC signature chains perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE.
+[no]nsid	Include an EDNS name server ID request when sending a query.

Multiple queries

The BIND 9 implementation of dig supports specifying multiple queries on the command line (in addition to supporting the -f batch file option). Each of those queries can be supplied with its own set of flags, options, and query options.

In this case, each query argument represents an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.

A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the +[no]cmd option) can be overridden by a query-specific set of query options. For example:

dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

shows how dig could be used from the command line to make three lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of isc.org. A global query option of +qr is applied, so that dig shows the initial query it made for each lookup. The final query has a local query option of +noqr which means that dig will not print the initial query when it looks up the NS records for isc.org.

IDN support

If dig was built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. dig appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the IDN_DISABLE environment variable. The IDN support is disabled if the variable is set when dig runs.

查看英文版

dig computerhope.com

在上面的命令中键入将显示类似于以下内容的信息：

; <<>> DiG 9.8.3-P1 <<>> computerhope.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23826
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;computerhope.com.		IN	A
;; ANSWER SECTION:
computerhope.com.	86400	IN	A	104.20.56.118
;; Query time: 51 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Mar 23 11:16:37 2014
;; MSG SIZE  rcvd: 50

dig computerhope.com

Typing in the above command would display information similar to the following:

; <<>> DiG 9.8.3-P1 <<>> computerhope.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23826
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;computerhope.com.		IN	A
;; ANSWER SECTION:
computerhope.com.	86400	IN	A	104.20.56.118
;; Query time: 51 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Mar 23 11:16:37 2014
;; MSG SIZE  rcvd: 50

查看英文版

dig (执行网络DNS查找)

dig 运行系统环境

dig 描述

dig 语法

dig 例子

其他命令行