DNS Lookup and Troubleshooting

Dig (Domain Information Groper) is a powerful command-line tool for DNS lookup and troubleshooting. It is more flexible and provides more detailed output than nslookup, which makes it the preferred tool for DNS diagnosis and investigation.

Basic Usage

Simple DNS Lookup

# Basic A record lookup
dig google.com
dig example.com
dig github.com

# Lookup with specific DNS server
dig @8.8.8.8 google.com
dig @1.1.1.1 google.com
dig @208.67.222.222 google.com

# Short output (just the answer)
dig +short google.com
dig +short @8.8.8.8 google.com

Specifying Record Types

# A record (IPv4 address)
dig google.com A
dig +short google.com A

# AAAA record (IPv6 address)
dig google.com AAAA
dig +short google.com AAAA

# MX record (mail exchange)
dig google.com MX
dig +short google.com MX

# NS record (name servers)
dig google.com NS
dig +short google.com NS

# TXT record (text records)
dig google.com TXT
dig +short google.com TXT

# CNAME record (canonical name)
dig www.google.com CNAME
dig +short www.google.com CNAME

# SOA record (start of authority)
dig google.com SOA
dig +short google.com SOA

# PTR record (reverse DNS)
dig -x 8.8.8.8

# ANY record (many servers answer with a minimal response, per RFC 8482)
dig google.com ANY

DNS Server Specification

Using Different DNS Servers

# Google DNS
dig @8.8.8.8 google.com
dig @8.8.4.4 google.com

# Cloudflare DNS
dig @1.1.1.1 google.com
dig @1.0.0.1 google.com

# OpenDNS
dig @208.67.222.222 google.com
dig @208.67.220.220 google.com

# Quad9 DNS
dig @9.9.9.9 google.com
dig @149.112.112.112 google.com

# Local DNS server
dig @192.168.1.1 google.com

# Multiple servers (dig will try each)
dig @8.8.8.8 @1.1.1.1 google.com

IPv6 DNS Servers

# Google IPv6 DNS
dig @2001:4860:4860::8888 google.com
dig @2001:4860:4860::8844 google.com

# Cloudflare IPv6 DNS
dig @2606:4700:4700::1111 google.com
dig @2606:4700:4700::1001 google.com

# OpenDNS IPv6
dig @2620:119:35::35 google.com
dig @2620:119:53::53 google.com

Output Control Options

Output Format

# Short output (answer only)
dig +short google.com

# Show only answer section
dig +noall +answer google.com

# Show only authority section
dig +noall +authority google.com

# Show only additional section
dig +noall +additional google.com

# Show question and answer
dig +noall +question +answer google.com

# Multiline output
dig +multiline google.com

# No comments
dig +nocomments google.com

# No statistics
dig +nostats google.com

# No question section
dig +noquestion google.com

# No answer section
dig +noanswer google.com

# No authority section
dig +noauthority google.com

# No additional section
dig +noadditional google.com

Detailed Tracing

# Trace the full DNS resolution path
dig +trace google.com

# Trace with short output
dig +trace +short google.com

# Trace specific record type
dig +trace google.com MX

# Show all name servers for domain
dig +nssearch google.com

# Show all name servers with details
dig +nssearch +noall +answer google.com

Advanced Query Options

Query Behavior

# Disable recursion
dig +norecurse google.com

# Use TCP instead of UDP
dig +tcp google.com
dig +vc google.com

# Force UDP (default)
dig +notcp google.com

# Set query timeout
dig +time=5 google.com
dig +time=10 google.com

# Set number of tries
dig +tries=3 google.com

# Set number of retries
dig +retry=2 google.com

# Set UDP buffer size
dig +bufsize=512 google.com
dig +bufsize=4096 google.com

# Enable EDNS
dig +edns=0 google.com

# Ignore truncation
dig +ignore google.com

# Fail on truncation
dig +fail google.com

DNSSEC Options

# Request DNSSEC records
dig +dnssec google.com

# Set the CD (checking disabled) bit so the resolver skips DNSSEC validation
dig +cd google.com

# Request authentic data
dig +ad google.com

# Show DNSSEC chain
dig +trace +dnssec google.com

# Validate DNSSEC signatures (obsolete: removed from current BIND releases, use delv instead)
dig +sigchase google.com

# Show DNSKEY records
dig google.com DNSKEY

# Show DS records
dig google.com DS

# Show RRSIG records
dig google.com RRSIG

Reverse DNS Queries

PTR Record Queries

# Reverse lookup using -x flag
dig -x 8.8.8.8
dig -x 1.1.1.1
dig -x 192.168.1.1

# Manual PTR lookup
dig 8.8.8.8.in-addr.arpa PTR
dig 1.1.1.1.in-addr.arpa PTR

# IPv6 reverse lookup
dig -x 2001:4860:4860::8888

# Short reverse lookup
dig +short -x 8.8.8.8

# Reverse lookup with specific server
dig @8.8.8.8 -x 1.1.1.1

Batch Queries

Multiple Domains

# Query multiple domains
dig google.com yahoo.com microsoft.com

# Query from file
echo -e "google.com\nyahoo.com\nmicrosoft.com" > domains.txt
dig -f domains.txt

# Query different record types for same domain
dig google.com A MX NS TXT

# Batch with specific server
dig @8.8.8.8 -f domains.txt

Scripted Queries

# Loop through domains
for domain in google.com yahoo.com microsoft.com; do
    echo "=== $domain ==="
    dig +short $domain
done

# Check multiple record types
for type in A AAAA MX NS TXT; do
    echo "=== $type records for google.com ==="
    dig +short google.com $type
done

Specialized DNS Records

# MX records (mail exchange)
dig google.com MX
dig +short google.com MX

# SPF records (in TXT)
dig google.com TXT|grep "v=spf1"
dig _spf.google.com TXT

# DMARC records
dig _dmarc.google.com TXT

# DKIM records
dig selector1._domainkey.google.com TXT

# Mail server A records
dig gmail-smtp-in.l.google.com A
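The SPF and DMARC lookups above return raw TXT strings that still have to be interpreted. The following shell functions are an added example, not part of the original cheat sheet: they read `dig +short ... TXT` output, rejoin split TXT chunks, and report a permissive SPF `all` term or a DMARC policy that is not enforcing. The function names and the sample records are constructed for illustration.

```bash
# Added example: read SPF and DMARC policy out of `dig +short <name> TXT` output.

# dig prints each TXT record quoted, long ones as "chunk1" "chunk2"; chunks are
# concatenated with no separator, so drop the `" "` joins and the outer quotes.
txt_join() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# stdin: TXT output for the domain. Prints the SPF "all" term, e.g. -all or ~all.
spf_all() {
    txt_join | grep -i '^v=spf1 ' | head -n 1 |
        tr ' ' '\n' | grep -E '^[-~?+]?all$' | head -n 1
}

# stdin: TXT output for _dmarc.<domain>. Prints the p= tag value (not sp=).
dmarc_policy() {
    txt_join | grep -i '^v=DMARC1' | head -n 1 |
        tr ';' '\n' | sed -n 's/^ *p *= *\([a-z]*\) *$/\1/p' | head -n 1
}

# $1 = SPF TXT output, $2 = DMARC TXT output. Prints findings, or "ok".
# The subshell body keeps the working variable local.
mail_auth_findings() (
    out=""
    case "$(printf '%s\n' "$1" | spf_all)" in
        "-all"|"~all") ;;
        "")            out="$out spf-no-all-term" ;;
        *)             out="$out spf-permissive" ;;      # +all, all or ?all
    esac
    case "$(printf '%s\n' "$2" | dmarc_policy)" in
        quarantine|reject) ;;
        none)              out="$out dmarc-monitor-only" ;;
        *)                 out="$out dmarc-missing" ;;
    esac
    echo "${out:- ok}" | cut -c2-
)

# Constructed sample records (example.com placeholders, not real lookups).
SPF_TXT='"site-verification=constructed-placeholder"
"v=spf1 include:_spf.example.com " "ip4:192.0.2.0/24 ~all"'
DMARC_TXT='"v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com"'

mail_auth_findings "$SPF_TXT" "$DMARC_TXT"
# Live use:
#   mail_auth_findings "$(dig +short example.com TXT)" \
#                      "$(dig +short _dmarc.example.com TXT)"
```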

Service Discovery Records

# SRV records (service records)
dig _sip._tcp.example.com SRV
dig _xmpp-server._tcp.example.com SRV
dig _minecraft._tcp.example.com SRV

# CAA records (certificate authority authorization)
dig google.com CAA

# NAPTR records (naming authority pointer)
dig example.com NAPTR

# LOC records (location)
dig example.com LOC

Security Records

# TLSA records (DNS-based authentication)
dig _443._tcp.example.com TLSA
dig _25._tcp.mail.example.com TLSA

# SSHFP records (SSH fingerprints)
dig example.com SSHFP

# CERT records (certificates)
dig example.com CERT

Troubleshooting DNS Issues

Common Diagnostics

# Check if domain exists
dig +short google.com

# Check authoritative name servers
dig +short google.com NS

# Query authoritative server directly
dig @ns1.google.com google.com

# Check SOA record for domain info
dig google.com SOA

# Trace full resolution path
dig +trace google.com

# Check for DNS propagation
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
dig @208.67.222.222 example.com

Error Diagnosis

# Check for NXDOMAIN (domain doesn't exist)
dig nonexistent.google.com

# Check for SERVFAIL
dig +trace problematic.domain.com

# Check for timeout issues
dig +time=1 +tries=1 slow.server.com

# Check for truncation
dig +bufsize=512 large.response.com

# Fetch DNSSEC records with validation disabled, to debug validation failures
dig +dnssec +cd google.com
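The error cases above look identical through `+short`, which prints nothing for NXDOMAIN, SERVFAIL and empty answers alike, and dig's exit status is 0 even for NXDOMAIN. The following shell functions are an added example, not part of the original cheat sheet: they classify a response from the header's status, flags and answer count. The function names and the sample headers are constructed for illustration.

```bash
# Added example: classify a dig response from its header, because +short
# prints nothing for NXDOMAIN, SERVFAIL and empty (NODATA) answers alike.

# Read full dig output on stdin; print the rcode (NOERROR, NXDOMAIN, ...).
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Read full dig output on stdin; print the header flags, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Classify full dig output passed as $1 (subshell body keeps variables local).
classify_response() (
    status=$(printf '%s\n' "$1" | dig_status)
    flags=$(printf '%s\n' "$1" | dig_flags)
    answers=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo "no-reply" ;;          # timeout or unreachable server
        NXDOMAIN) echo "nxdomain" ;;
        SERVFAIL) echo "servfail" ;;          # includes DNSSEC validation failures
        NOERROR)
            if [ "${answers:-0}" -eq 0 ]; then echo "nodata"
            else
                case " $flags " in
                    *" ad "*) echo "resolved-validated" ;;  # resolver set the AD bit
                    *)        echo "resolved" ;;
                esac
            fi ;;
        *)        echo "other:$status" ;;
    esac
)

# Constructed sample headers (not captured from a real server).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_OK" "$SAMPLE_NODATA" "$SAMPLE_NX" "$SAMPLE_FAIL" ""; do
    classify_response "$s"
done
# Live use: classify_response "$(dig +dnssec +time=3 +tries=1 example.com A)"
```

The `ad` flag only reports what the queried resolver claims, so it is meaningful only when that resolver and the path to it are trusted.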

Network Path Analysis

# Test different DNS servers
for server in 8.8.8.8 1.1.1.1 208.67.222.222; do
    echo "Testing $server:"
    dig @$server +time=3 google.com|grep "Query time"
done

# Check local vs remote DNS
dig @127.0.0.1 google.com
dig @8.8.8.8 google.com

# Test UDP vs TCP
dig +notcp google.com
dig +tcp google.com

Performance Testing

Query Timing

# Show query time
dig google.com|grep "Query time"

# Multiple queries for average
for i in {1..5}; do
    dig google.com|grep "Query time"
done

# Time multiple servers
for server in 8.8.8.8 1.1.1.1 208.67.222.222; do
    echo "Server: $server"
    dig @$server google.com|grep "Query time"
done

Load Testing

# Rapid queries (be careful with rate limiting)
for i in {1..10}; do
    dig +short google.com &
done
wait

# Measure DNS cache performance
dig google.com  # First query (cache miss)
dig google.com  # Second query (cache hit)

Configuration and Customization

Using the .digrc Configuration File

# Create ~/.digrc for default options
echo "+short" > ~/.digrc
echo "+time=5" >> ~/.digrc
echo "+tries=2" >> ~/.digrc

# Override config file
dig +noconfig google.com

Environment Variables

# Set default options
export DIG_OPTIONS="+short +time=5"
dig google.com

# Set default server
export DIG_SERVER="8.8.8.8"
dig google.com

Integration with Other Tools

Combining with Other Commands

# Extract IP addresses
dig +short google.com | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

# Get all A records and ping them
dig +short google.com A | while read -r ip; do
    echo "Pinging $ip"
    ping -c 1 "$ip"
done

# Check if domain resolves to specific IP
if dig +short google.com | grep -q '^172\.217\.'; then
    echo "Domain resolves to Google IP range"
fi

# Compare DNS responses
diff <(dig @8.8.8.8 +short google.com) <(dig @1.1.1.1 +short google.com)

Scripting Examples

#!/bin/bash
# DNS health check script

DOMAIN="example.com"
SERVERS=("8.8.8.8" "1.1.1.1" "208.67.222.222")

echo "DNS Health Check for $DOMAIN"
echo "========================================"

for server in "${SERVERS[@]}"; do
    echo "Testing server: $server"

    # Test A record
    A_RECORD=$(dig @"$server" +short "$DOMAIN" A)
    if [ -n "$A_RECORD" ]; then
        echo "A Record: $A_RECORD"
    else
        echo "A Record: FAILED"
    fi

    # Test query time (fourth field of the ";; Query time: N msec" line)
    QUERY_TIME=$(dig @"$server" "$DOMAIN" | grep "Query time" | awk '{print $4}')
    echo "Query Time: ${QUERY_TIME}ms"

    echo ""
done

Cross-Platform Considerations

Linux

# Install dig (usually part of bind-utils or dnsutils)
sudo apt install dnsutils      # Ubuntu/Debian
sudo yum install bind-utils    # RHEL/CentOS
sudo dnf install bind-utils    # Fedora

# Alternative tools
host google.com        # Simple DNS lookup
nslookup google.com    # Interactive DNS lookup

macOS

# dig is pre-installed on macOS
dig google.com

# Install via Homebrew for the latest version
brew install bind

# Alternative tools
host google.com
nslookup google.com

Windows

# dig is not included by default
# Download it from ISC BIND or use alternatives

# Windows options
nslookup google.com
Resolve-DnsName google.com    # PowerShell

Best Practices

Security Considerations

  • Use trusted DNS servers for sensitive queries
  • Be aware that DNS queries can be logged
  • Consider using DNS over HTTPS (DoH) or DNS over TLS (DoT)
  • Validate DNSSEC when security is critical

Performance Tips

  • Use +short for scripting to reduce output parsing
  • Set appropriate timeouts for your network
  • Use local DNS caching when possible
  • Consider the impact of DNS queries on rate limiting

Troubleshooting Methodology

  1. Start with basic queries to verify connectivity
  2. Use +trace to understand the resolution path
  3. Test multiple DNS servers to isolate issues
  4. Check both forward and reverse DNS
  5. Verify DNSSEC when applicable

Monitoring and Automation

  • Log DNS query times for performance monitoring
  • Set up alerts for DNS resolution failures
  • Use batch queries for efficiency
  • Implement proper error handling in scripts

Dig is an essential tool for DNS troubleshooting and investigation. Its flexibility and detailed output make it invaluable for network administrators, security professionals, and developers working with DNS-dependent applications.
