dig – Advanced DNS Lookup & Troubleshooting

1. What Is dig?

dig (Domain Information Groper) is a command-line DNS query tool included in the BIND DNS software suite. Available on Linux, macOS, and Windows (via BIND tools), it is the preferred tool for DNS diagnostics, testing, scripting, and troubleshooting among network engineers and system administrators.

Unlike nslookup (which has an interactive mode and inconsistent output formatting), dig produces structured, predictable output that is easy to parse in shell scripts and automation pipelines. It also provides complete DNS response data including all sections of the DNS message — something simpler tools omit.

Capability dig nslookup host
Purpose Full DNS diagnostics, scripting, analysis Basic DNS queries and interactive troubleshooting Simple forward and reverse lookups
Output detail Complete DNS message (Header, Question, Answer, Authority, Additional) Basic answer only Minimal one-line answer
Scripting Excellent — +short, batch mode (-f), consistent format Limited — inconsistent output format across platforms Limited
DNSSEC support Full — shows AD, CD, DO flags; validates signatures Partial Some
+trace capability Yes — full root-to-authority resolution trace No No
Zone transfer (AXFR) Yes No Yes
Availability Linux/macOS built-in; Windows via BIND package Built-in on all OS Linux/macOS built-in

Related pages: nslookup Command | How DNS Works | DNS Record Types | DNS Overview | Port Numbers (DNS port 53)

2. Basic dig Command Syntax

dig [@server] [name] [type] [+options]

  @server  — Optional: DNS server to query (e.g., @8.8.8.8)
  name     — Domain name to query (e.g., example.com)
  type     — Record type (A, MX, NS, TXT, etc.; default is A)
  +options — Query flags (e.g., +short, +trace, +tcp)

Most Common Commands at a Glance

Command What It Does
dig example.com Query A record (IPv4 address) for example.com
dig example.com MX Query mail server (MX) records
dig example.com NS Query authoritative name servers
dig example.com TXT Query TXT records (SPF, DKIM, site verification)
dig example.com AAAA Query IPv6 address
dig example.com SOA Query Start of Authority record
dig @8.8.8.8 example.com Query Google's DNS server instead of default resolver
dig -x 8.8.8.8 Reverse DNS lookup — PTR record for IP 8.8.8.8
dig example.com +short Concise output — just the answer (ideal for scripting)
dig example.com +trace Trace the full DNS resolution from root servers
dig example.com +tcp Force TCP instead of UDP for large responses
dig -f domains.txt Batch mode — query multiple domains from a file

3. Understanding dig Output — All Five Sections

A full dig response is structured into up to five sections. Understanding each section is essential for DNS troubleshooting.

Annotated dig Output

$ dig example.com

; <<>> DiG 9.16.1-Ubuntu <<>> example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
                                                                     ↑ HEADER
;; QUESTION SECTION:                                                 ↑ QUESTION
;example.com.                 IN    A

;; ANSWER SECTION:                                                   ↑ ANSWER
example.com.       299        IN    A      93.184.216.34
│           ↑TTL              ↑Class↑Type  ↑ The IP address

;; AUTHORITY SECTION:                                                ↑ AUTHORITY
example.com.       172799     IN    NS     a.iana-servers.net.
example.com.       172799     IN    NS     b.iana-servers.net.

;; ADDITIONAL SECTION:                                               ↑ ADDITIONAL
a.iana-servers.net.    3600   IN    A      199.43.135.53
b.iana-servers.net.    3600   IN    A      199.43.133.53

;; Query time: 31 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)   ← Which DNS server responded
;; WHEN: Thu Jul 18 14:30:25 UTC 2024
;; MSG SIZE  rcvd: 135

Section-by-Section Reference

Section Content Diagnostic Use
HEADER Query status (NOERROR, NXDOMAIN, SERVFAIL, REFUSED), DNS flags (qr, aa, rd, ra, tc, ad, cd), counts of records in each section First place to check — status reveals whether the query succeeded or failed and why
QUESTION The exact query that was sent — domain name, class (IN = Internet), record type Confirms dig queried what you intended; useful when troubleshooting scripts
ANSWER The actual DNS records returned — IP address for A query, mail server for MX, etc. Each record shows: Name / TTL / Class / Type / Data The primary result — IP addresses, mail servers, text records, etc.
AUTHORITY The authoritative name servers for this domain — which NS records hold the official DNS for this zone Identify which DNS servers are authoritative; empty when querying a resolver that already has a cached answer
ADDITIONAL Glue records — IP addresses of the authoritative name servers listed in the AUTHORITY section Eliminates extra lookups to resolve the NS hostnames
Footer stats Query time (ms), responding server IP and port, timestamp, message size Check which server answered and how fast; compare performance between resolvers

4. DNS Header Flags — What They Mean

The header line flags: qr rd ra contains one-letter codes that describe the nature of the DNS message. Understanding these flags is important for DNSSEC and troubleshooting.

Flag Full Name Meaning
qr Query Response This is a response (not a query). Always present in dig output.
aa Authoritative Answer The responding server is authoritative for this domain — it holds the official records. Not present for cached/recursive responses.
tc Truncated Response was truncated — exceeded 512 bytes for UDP. Client should retry with TCP (+tcp).
rd Recursion Desired Client asked the server to perform recursive resolution (default in dig).
ra Recursion Available Server supports recursive queries. Authoritative servers typically do not set this.
ad Authenticated Data DNSSEC: The response has been validated and is cryptographically authentic.
cd Checking Disabled DNSSEC validation is disabled for this query (client set this flag).

Header Status Codes

Status Code Meaning What To Do
NOERROR Query successful — the record was found Check ANSWER section for the result
NXDOMAIN Non-Existent Domain — the domain does not exist in DNS Typo in domain name? Domain not registered? Check spelling.
SERVFAIL Server Failure — the DNS server encountered an error processing the query DNSSEC validation failure? Authoritative server unreachable? Try a different resolver.
REFUSED Server refuses to answer this query (policy/security) Zone transfer attempted but denied, or querying an authoritative server for a zone it doesn't serve
NOERROR (empty answer) Domain exists but no record of the requested type The domain is valid but the specific record type doesn't exist (e.g., no AAAA record)

5. DNS Record Types — Full Reference

Type Full Name dig Command Purpose
A Address dig example.com A (or just dig example.com) Maps hostname to IPv4 address — the most common record type
AAAA IPv6 Address dig example.com AAAA Maps hostname to IPv6 address — see IPv6 addressing
MX Mail Exchange dig example.com MX Specifies mail servers for the domain with priority values (lower = preferred)
NS Name Server dig example.com NS Lists authoritative DNS servers for the domain
CNAME Canonical Name dig www.example.com CNAME Alias — maps one name to another (e.g., www → example.com)
TXT Text dig example.com TXT Arbitrary text — used for SPF (email sender policy), DKIM keys, site verification, DMARC policies
PTR Pointer dig -x 8.8.8.8 Reverse DNS — maps IP address to hostname; used for email authentication, logging
SOA Start of Authority dig example.com SOA Zone metadata — primary nameserver, zone serial number, refresh/retry/expire timers
SRV Service Locator dig _sip._tcp.example.com SRV Locates services (SIP phones, XMPP, Microsoft AD) by protocol and port
CAA Certification Authority Authorisation dig example.com CAA Specifies which certificate authorities are allowed to issue SSL certs for the domain
DNSKEY DNS Key dig example.com DNSKEY DNSSEC public key used to verify digital signatures on DNS records
ANY All record types dig example.com ANY Request all record types (many servers block or rate-limit this; use sparingly)

6. dig Options and Flags — Complete Reference

Option Effect Example When to Use
+short Print only the answer data — removes all headers and extra sections dig example.com +short Shell scripts, monitoring, quick IP lookups
+trace Traces the full delegation path from root (.) servers to the authoritative server dig example.com +trace Diagnose where in the DNS hierarchy a resolution fails
+noall +answer Suppress all sections except ANSWER dig example.com +noall +answer Cleaner output than +short when record details (TTL) are still needed
+tcp Force TCP instead of UDP for the query dig example.com +tcp Large responses (zone data, many TXT records), DNSSEC responses, testing TCP-53
+dnssec Request DNSSEC records (RRSIG, DNSKEY) in the response dig example.com +dnssec DNSSEC troubleshooting and validation testing
+noadditional Suppress the ADDITIONAL section dig example.com NS +noadditional Clean NS queries when glue records aren't needed
+norecurse Disable recursion (RD flag) — ask for the server's local knowledge only dig @ns1.example.com example.com +norecurse Query an authoritative server directly without it resolving recursively
+time=N Set query timeout in seconds dig example.com +time=3 Automated scripts with tight timeouts; testing slow resolvers
+retry=N Number of retry attempts on timeout (default: 2) dig example.com +retry=1 Reduce retries for fast-failing scripts
-p PORT Query on a non-standard port dig @8.8.8.8 example.com -p 5353 Test DNS-over-mDNS, custom resolvers, or firewall testing
-x IP Reverse DNS lookup — constructs the in-addr.arpa query automatically dig -x 8.8.8.8 Find hostname for an IP address; verify PTR records for email
-f FILE Batch mode — read domains from a file, one per line dig -f domains.txt +short Bulk DNS lookups in scripts

7. Annotated Output Examples

A Record Query

$ dig google.com

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51421
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
     ↑              ↑                  ↑ No authority (cached response from resolver)
     qr=response    NOERROR=success

;; QUESTION SECTION:
;google.com.                 IN  A
                                ↑ Queried for IPv4 address

;; ANSWER SECTION:
google.com.      299         IN   A    142.250.183.14
                 ↑ TTL(secs) ↑IN  ↑A   ↑ The IP address

;; Query time: 24 msec
;; SERVER: 192.168.1.1#53   ← Local router/resolver answered
;; MSG SIZE rcvd: 55

MX Record Query — Mail Server Priorities

$ dig gmail.com MX

;; ANSWER SECTION:
gmail.com.  3599  IN  MX  5   gmail-smtp-in.l.google.com.   ← Priority 5 (highest)
gmail.com.  3599  IN  MX  10  alt1.gmail-smtp-in.l.google.com.
gmail.com.  3599  IN  MX  20  alt2.gmail-smtp-in.l.google.com.
gmail.com.  3599  IN  MX  30  alt3.gmail-smtp-in.l.google.com.
gmail.com.  3599  IN  MX  40  alt4.gmail-smtp-in.l.google.com.  ← Priority 40 (lowest)

Note: Lower MX priority number = preferred mail server
      Email senders try priority 5 first, fall back to 10, 20, 30, 40 in order

Reverse DNS (PTR) Lookup

$ dig -x 8.8.8.8

;; QUESTION SECTION:
;8.8.8.8.in-addr.arpa.      IN  PTR
        ↑ dig automatically reverses the IP and appends .in-addr.arpa

;; ANSWER SECTION:
8.8.8.8.in-addr.arpa. 86399 IN  PTR  dns.google.
                                       ↑ Hostname for 8.8.8.8

SOA Record — Zone Authority Details

$ dig example.com SOA

;; ANSWER SECTION:
example.com.  3600  IN  SOA  ns.icann.org. noc.dns.icann.org. (
                    2024041544  ← Serial number (zone version)
                    7200        ← Refresh (seconds between secondary NS checks)
                    3600        ← Retry (retry interval on refresh failure)
                    1209600     ← Expire (secondary stops serving after this many seconds)
                    3600        ← Negative TTL (how long to cache NXDOMAIN responses)
               )

NXDOMAIN — Domain Does Not Exist

$ dig nonexistent-domain-xyz123.com

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
                                    ↑ Domain does not exist in DNS
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                          ↑ No answer records

;; AUTHORITY SECTION:
com.   900  IN  SOA  a.gtld-servers.net. nstld.verisign-grs.com. ...
      ↑ SOA in authority section confirms NXDOMAIN is authoritative

8. dig +trace — Full DNS Resolution Path

dig +trace performs the entire DNS resolution from scratch, starting at the root (.) servers, instead of relying on your local resolver's cache. It shows every delegation step — from root to TLD to authoritative server. 

$ dig www.example.com +trace

;; Tracing from root (.)
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
... (13 root servers listed)

;; Root server tells us: .com TLD is handled by:
com.        172800  IN  NS  a.gtld-servers.net.
com.        172800  IN  NS  b.gtld-servers.net.

;; TLD server tells us: example.com is handled by:
example.com.   172800  IN  NS  a.iana-servers.net.
example.com.   172800  IN  NS  b.iana-servers.net.

;; Authoritative server (a.iana-servers.net) answers:
www.example.com.  86400  IN  A  93.184.216.34   ← Final answer
a.iana-servers.net — flag: aa (Authoritative Answer)
Using +trace for troubleshooting: If DNS resolution fails, +trace reveals exactly at which delegation step it breaks — root, TLD, or authoritative. A failure at the authoritative step means the zone's NS records are wrong or the nameserver is down. A failure at the TLD step means the domain's delegation is broken at the registrar.

9. Querying Specific DNS Servers — Testing and Comparison

The @server syntax directs dig to bypass your default resolver and query a specific DNS server directly. This is invaluable for:

  • Comparing what different resolvers return (checking for DNS hijacking or filtering)
  • Querying an authoritative server directly to verify published records
  • Testing a new DNS server before cutover
  • Verifying DNS record propagation after a change
! Query Google's public DNS
dig @8.8.8.8 example.com

! Query Cloudflare's DNS
dig @1.1.1.1 example.com

! Query the domain's own authoritative nameserver directly
! (first find the NS, then query it)
dig example.com NS +short
→ a.iana-servers.net.
dig @a.iana-servers.net example.com

! Compare TTL between your resolver (cached) and authoritative server
dig example.com +noall +answer          ! Your resolver's cached TTL (may be low)
dig @a.iana-servers.net example.com +noall +answer  ! Authoritative TTL (full value)
Detecting DNS hijacking: ISPs and some corporate networks intercept DNS and redirect NXDOMAIN responses to search pages or ads. Compare: 
dig @8.8.8.8 definitely-nonexistent-domain.com   ! Should return NXDOMAIN
dig definitely-nonexistent-domain.com            ! Your local resolver — does it match?
If your resolver returns an IP address for a domain that should NXDOMAIN, DNS interception is active.

10. Zone Transfers (AXFR) — Security Implications

A zone transfer (AXFR — Authoritative Transfer) requests a complete copy of an entire DNS zone from a nameserver. If permitted, it reveals every hostname, IP address, and service in that zone — a significant security exposure. 

! Attempt a full zone transfer
dig @ns1.example.com example.com AXFR

! If zone transfer is ALLOWED (security risk!):
; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com AXFR
example.com.   3600  IN  SOA   ns1.example.com. admin.example.com. ...
example.com.   3600  IN  NS    ns1.example.com.
example.com.   3600  IN  A     93.184.216.34
mail.example.com.   3600  IN  A  93.184.216.40
vpn.example.com.    3600  IN  A  93.184.216.50
...all records exposed...

! If zone transfer is BLOCKED (correct security posture):
; Transfer failed. Received 1 messages.
; TRANSFER: Transfer failed.
Why zone transfers must be restricted: AXFR exposes the entire internal DNS namespace — internal server names, VPN endpoints, management interfaces, and infrastructure IPs. This is reconnaissance gold for attackers. Zone transfers should be restricted to specific authorised secondary nameserver IPs only, using access control lists on the DNS server. An unrestricted zone transfer is a critical DNS misconfiguration vulnerability.

11. Real-World DNS Troubleshooting with dig

DNS problems are among the most common connectivity issues. See also Troubleshooting Connectivity for the broader diagnostic workflow.

Systematic Troubleshooting Flow

! Step 1: Basic resolution — does the domain resolve at all?
dig www.example.com
! Check: NOERROR in header? IP in ANSWER section?

! Step 2: If failure — try a known-good public resolver to rule out local resolver issue
dig @8.8.8.8 www.example.com
! If works with 8.8.8.8 but not locally → local DNS server problem

! Step 3: Trace the delegation chain to find where it breaks
dig www.example.com +trace
! Watch for delegation failures at root, TLD, or authoritative level

! Step 4: Check mail configuration (common troubleshooting request)
dig example.com MX
! Verify MX records exist; check priorities; confirm hostnames resolve

! Step 5: Verify email sender authentication
dig example.com TXT
! Look for: v=spf1... (SPF), v=DKIM1... (DKIM), v=DMARC1 (DMARC)

! Step 6: Check reverse DNS for IP (email deliverability)
dig -x 203.0.113.25
! Mail servers check PTR records; mismatched PTR = email delivery issues

! Step 7: Verify authoritative servers are correct
dig example.com NS
! Confirm they match what the domain registrar shows

! Step 8: Check SOA serial for zone propagation
dig example.com SOA @ns1.example.com
dig example.com SOA @ns2.example.com
! Serial numbers should match; different serials = zone replication lag

Common Diagnostic Scenarios

Symptom dig Command What to Look For
Website not loading dig www.site.com NXDOMAIN = domain expired or bad NS; SERVFAIL = resolver error; empty ANSWER = no A record
Email bouncing dig domain.com MX Empty ANSWER = no MX records; wrong priorities; check MX hostnames resolve to IPs
Works from one DNS server, not another dig @8.8.8.8 domain.com vs dig domain.com Different answers = propagation lag, split-horizon DNS, or local DNS filtering
Recent DNS change not propagating dig domain.com SOA @ns1 and @ns2 Different serial numbers between NS servers = replication not complete
DNSSEC validation failures dig domain.com +dnssec Look for SERVFAIL — check ad flag presence/absence; test with +cd to bypass validation

12. dig for Scripting and Automation

The +short flag and batch mode make dig ideal for automation. 

! Get just the IP address (perfect for variable assignment in scripts)
IP=$(dig example.com +short)
echo "example.com resolves to: $IP"

! Check if a domain exists (returns empty if NXDOMAIN)
RESULT=$(dig nonexistent.example.com +short)
if [ -z "$RESULT" ]; then
  echo "Domain does not resolve"
fi

! Batch lookup — check multiple domains from a file
cat domains.txt
  example.com
  google.com
  cisco.com

dig -f domains.txt +short

! Get TTL for a record (useful for monitoring cache expiry)
dig example.com +noall +answer | awk '{print $2}'

! Check if an MX record exists (returns empty if no MX)
MX=$(dig example.com MX +short)
[ -z "$MX" ] && echo "No MX records — email not configured"

! Compare resolution across DNS providers
for server in 8.8.8.8 1.1.1.1 9.9.9.9; do
  echo -n "$server: "
  dig @$server example.com +short
done

13. Common Misconceptions About dig

  • "dig always queries the authoritative server."
    By default, dig queries your configured resolver (usually your local DNS server or ISP's resolver), which may serve a cached answer. To query an authoritative server directly, you must specify it with @server or use +trace. The aa flag in the header confirms whether the response came from an authoritative source.
  • "An empty ANSWER section means the domain doesn't exist."
    NOERROR with an empty ANSWER section means the domain exists but has no record of the requested type — for example, querying dig example.com AAAA on a domain with no IPv6 address returns NOERROR with no ANSWER. NXDOMAIN is the status code for a non-existent domain.
  • "+short always shows just the IP."
    +short shows just the record data, whatever type was queried. For A records it's an IP. For MX it's the priority and mail server hostname. For TXT it's the quoted text string. The format depends on the record type, not just the flag.
  • "dig -x requires me to manually construct the in-addr.arpa query."
    The -x flag automatically reverses the IP octets and appends .in-addr.arpa.dig -x 8.8.8.8 is identical to dig 8.8.8.8.in-addr.arpa PTR. You never need to construct the reverse zone name manually.
  • "SERVFAIL always means the domain has an error."
    SERVFAIL can result from DNSSEC validation failure (the signatures don't verify), the authoritative server being unreachable, a lame delegation (NS record points to a server that doesn't serve the zone), or a resolver bug. Use +cd (checking disabled) to test whether DNSSEC is the cause: dig example.com +cd.

14. Key Points & Exam Tips

  • dig = Domain Information Groper — advanced DNS query and diagnostic tool. Preferred over nslookup for detail and scripting.
  • Default query type is A (IPv4). Specify other types: dig example.com MX.
  • Use @server to query a specific DNS server: dig @8.8.8.8 example.com.
  • Five output sections: HEADER (status/flags), QUESTION (what was asked), ANSWER (the result), AUTHORITY (authoritative NS), ADDITIONAL (glue records).
  • Status codes: NOERROR = success; NXDOMAIN = domain doesn't exist; SERVFAIL = server error; REFUSED = server won't answer.
  • +short: concise output for scripting. +trace: full root-to- authority delegation trace. +tcp: force TCP (for large responses).
  • -x IP: reverse DNS lookup (PTR record) — dig -x 8.8.8.8.
  • aa flag: Authoritative Answer — response came directly from the zone's nameserver, not a cache.
  • ad flag: Authenticated Data — DNSSEC validated the response.
  • AXFR: zone transfer request — should always be blocked/refused in production. An open zone transfer is a security vulnerability exposing the entire DNS namespace.
  • MX priority: lower number = higher preference. Email tries lowest number first.

Related pages: nslookup Command | How DNS Works | DNS Record Types | DNS Overview | Port Numbers (DNS port 53)

15. dig – Advanced DNS Lookup Quiz

1. A network engineer runs dig example.com and sees the header line: status: NXDOMAIN with an empty ANSWER section. What does this mean and what should be checked first?

Correct answer is B. NXDOMAIN (Non-Existent Domain) means the DNS infrastructure confirmed this domain does not exist. Common causes: (1) typo in the domain name, (2) domain registration expired, (3) DNS delegation broken at the TLD level (registrar NS records incorrect). Note that NXDOMAIN is different from an empty ANSWER with NOERROR — the latter means the domain exists but has no record of the requested type. DNSSEC failures return SERVFAIL, not NXDOMAIN.

2. An engineer needs to verify whether the MX records for a domain are identical on both the local resolver and the authoritative nameserver (to check propagation after a recent change). Which two commands achieve this comparison?

Correct answer is D. The first command queries the local resolver — which may return cached data from before the change. The second queries the authoritative nameserver directly using @ns1.example.com with +norecurse (asking for its local knowledge only, preventing it from querying elsewhere). Comparing the two outputs reveals whether the new records have propagated. Different MX data between the two confirms propagation is incomplete or the old resolver cache hasn't expired yet.

3. The output of dig example.com contains the flag aa in the HEADER section. What does this indicate about the response?

Correct answer is C. The aa (Authoritative Answer) flag means the DNS server that responded is the authoritative server for this zone — it holds the primary, official records. When querying a recursive resolver (like your ISP's DNS), you typically do NOT see the aa flag — the resolver fetches the answer and caches it, but it is not itself authoritative. You only see aa when querying an authoritative server directly (e.g., using @ns1.example.com). DNSSEC authentication is indicated by the separate ad flag.

4. An engineer runs dig example.com +trace and notices the trace succeeds at root and TLD delegation but fails with SERVFAIL at the final step when querying the domain's own nameservers. What does this indicate?

Correct answer is A. When +trace succeeds through root (.) and the TLD (.com, .org, etc.) but fails at the authoritative server step, the TLD delegation is intact — the registrar's NS records are correct. The problem is at the authoritative level: the nameservers listed at the TLD are either down, unreachable (firewalled), or "lame" — meaning they are listed as authoritative but don't actually have the zone configured. This is the most common type of DNS outage for a live domain. Check if ns1/ns2 for the domain are reachable and serving the zone.

5. What does the command dig -x 203.0.113.10 query, and how does dig construct the DNS query internally?

Correct answer is C. Reverse DNS lookups use the special .in-addr.arpa. zone. The IP address octets are reversed and appended with .in-addr.arpa. — so 203.0.113.10 becomes 10.113.0.203.in-addr.arpa. and a PTR record is queried. The -x flag performs this transformation automatically so you don't have to construct it manually. This is equivalent to dig 10.113.0.203.in-addr.arpa PTR. Reverse DNS is used for email authentication, logging, security tools, and network management.

6. An email security audit reveals that a company's mail server IP (198.51.100.25) returns NXDOMAIN when reverse DNS is queried. Why is this a problem, and what should be done?

Correct answer is B. A PTR record missing for a mail server IP is a major email deliverability issue. Receiving mail servers (Gmail, Outlook, etc.) perform reverse DNS lookups on connecting IPs as part of spam filtering. An IP with no PTR record, or where the PTR doesn't match the HELO hostname, is a strong spam indicator and will cause mail to be rejected or quarantined. PTR records for IP addresses must be created by the entity that owns the IP block — typically the ISP or hosting provider — not the domain owner. Verify with: dig -x 198.51.100.25.

7. A security team discovers that running dig @ns1.target-corp.com target-corp.com AXFR returns a complete list of all internal hostnames and IPs including vpn.target-corp.com, mail.target-corp.com, and dev-server.target-corp.com. Why is this a critical security finding?

Correct answer is D. An unrestricted AXFR zone transfer is a critical reconnaissance vulnerability. It gives attackers a complete map of the organisation's network infrastructure — every server, service, internal IP range, and system hostname. This dramatically reduces attacker discovery effort and reveals high-value targets (VPN endpoints, mail servers, development systems). Zone transfers must be restricted using ACLs to only allow the IP addresses of authorised secondary DNS servers. The fix: configure allow-transfer { trusted-secondaries; }; on the nameserver (BIND) or equivalent on other DNS platforms.

8. The command dig example.com AAAA returns status: NOERROR with an empty ANSWER section. What does this mean, and what would return a different status if the domain didn't exist at all?

Correct answer is A. DNS distinguishes between two very different conditions: (1) NXDOMAIN — the domain name does not exist in DNS at all; (2) NOERROR with empty ANSWER — the domain exists but has no record of the queried type. A domain with an A record but no AAAA record will return NOERROR with an empty ANSWER for AAAA queries — the domain is real but not IPv6-enabled. This distinction is important: NXDOMAIN means investigate the domain registration/delegation; NOERROR empty means the domain is fine but that specific record type needs to be added if required.

9. A shell script needs to extract only the IP address of api.example.com for use in a variable, with no extra output. Which dig command produces the cleanest result for this use case?

Correct answer is C. +short produces the most concise, script-friendly output — just the raw answer data with no headers, labels, or extra lines. For an A record query with +short, the output is simply the IP address on its own line, perfect for assignment: IP=$(dig api.example.com A +short). Option A (+noall +answer) still shows the full record line including domain name, TTL, class, type, and IP — requiring further parsing. Option D adds TCP unnecessarily for a simple A record. Explicitly specifying A is good practice to prevent unexpected CNAME chain output.

10. During a DNS investigation, a dig query returns the flag tc (Truncated) in the HEADER. What caused this and how should the query be rerun to get the complete response?

Correct answer is B. The tc (Truncated) flag indicates the DNS response exceeded the traditional 512-byte UDP limit and was cut off. The DNS standard specifies that when a UDP response is truncated, the client should retry using TCP (which has no such size limit). In dig, add +tcp: dig example.com ANY +tcp. This is commonly seen when querying for many records simultaneously (TXT records with long SPF/DKIM strings, ANY queries, or domains with many MX records). EDNS0 has extended the UDP limit to ~4096 bytes in modern DNS, but some servers still enforce the 512-byte limit.

← Back to Home