Skip to main content

Domain Information Groper (DIG) -- DNS Query Tool

DIG is a command-line tool for querying DNS Name Server (similar to nslookup utility available in Windows and host utility). dig utility can be used for querying DNS about the host address (both A and AAAA), name server(NS), mail exchange(MX), Pointer Record(PTR), SOA (Start Of Authority) and others.

DIG is a part of BIND software package ( BIND package is developed and managed by Internet Systems Consortium ISC).

Usage Example :-




1. Ask for a host address :-
dig nkn.in

2. Ask from a specific server :-

dig nkn.in @8.8.8.8

; <<>> DiG 9.8.5-P2 <<>> nkn.in @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13527
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nkn.in.                                IN      A

;; ANSWER SECTION:
nkn.in.                 14103   IN      A       164.100.56.206

;; Query time: 171 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 03 23:22:51 India Standard Time 2013
;; MSG SIZE  rcvd: 40

3. Ask for all the records for a particular domain :-

C:\Users\kansal>dig nkn.in any @8.8.4.4

; <<>> DiG 9.8.5-P2 <<>> nkn.in any @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41915
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nkn.in.                                IN      ANY

;; ANSWER SECTION:
nkn.in.                 14390   IN      SOA     nkn.in. nsadmin\@nkn.in. 2013041
601 10800 86400 1209600 14400
nkn.in.                 14390   IN      NS      ns1.nkn.in.
nkn.in.                 14390   IN      NS      ns3.nkn.in.
nkn.in.                 14390   IN      NS      ns2.nkn.in.
nkn.in.                 14390   IN      A       164.100.56.206
nkn.in.                 14390   IN      AAAA    2001:4408:5200::a464:38ce
nkn.in.                 14390   IN      MX      0 mailgw.nic.in.

;; Query time: 159 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sat Aug 03 23:24:59 India Standard Time 2013
;; MSG SIZE  rcvd: 197

4. Find out the domain's Mail Server :-


C:\Users\kansal>dig nkn.in MX

; <<>> DiG 9.8.5-P2 <<>> nkn.in MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50205
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nkn.in.                                IN      MX

;; ANSWER SECTION:
nkn.in.                 14232   IN      MX      0 mailgw.nic.in.

;; Query time: 63 msec
;; SERVER: 103.8.44.5#53(103.8.44.5)
;; WHEN: Sat Aug 03 23:32:05 India Standard Time 2013
;; MSG SIZE  rcvd: 51


5. Ask for a reverse lookup :-

C:\Users\kansal>dig -x 164.100.2.6

; <<>> DiG 9.8.5-P2 <<>> -x 164.100.2.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3471
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;6.2.100.164.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
6.2.100.164.in-addr.arpa. 82055 IN      PTR     mailgw-hyd.nic.in.

;; Query time: 70 msec
;; SERVER: 103.8.44.5#53(103.8.44.5)
;; WHEN: Sat Aug 03 23:29:52 India Standard Time 2013
;; MSG SIZE  rcvd: 73

6. Check for DNSSEC Validation :-


C:\Users\kansal>
C:\Users\kansal>dig apnic.net +dnssec @8.8.8.8

; <<>> DiG 9.8.5-P2 <<>> apnic.net +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8543
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;apnic.net.                     IN      A

;; ANSWER SECTION:
apnic.net.              3600    IN      A       202.12.29.175
apnic.net.              3600    IN      RRSIG   A 8 2 3600 20130903002809 201308
03232809 42189 apnic.net. Q9D9OKv2qfjs33C3yyuAJhkdxy0ytjgAmsXTjVveVGwXqEcL0tEz7g
2f FKM+RykyuqxG/Tq2mxSlBrxgkhvomBLyR9OpCKvYPPST6deR6DWlztOa DIMYZ90gvpqBDGSiSafr
xcvXAr0ZTUgBZcIAtkOpzEpoOa1zP1f6VRVA vMM=

;; Query time: 386 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 04 11:07:27 India Standard Time 2013
;; MSG SIZE  rcvd: 223
7. Trace the DNS Query :-


C:\Users\kansal>dig india.gov.in +trace

; <<>> DiG 9.8.5-P2 <<>> india.gov.in +trace
;; global options: +cmd
.                       31101   IN      NS      l.root-servers.net.
.                       31101   IN      NS      h.root-servers.net.
.                       31101   IN      NS      c.root-servers.net.
.                       31101   IN      NS      g.root-servers.net.
.                       31101   IN      NS      m.root-servers.net.
.                       31101   IN      NS      e.root-servers.net.
.                       31101   IN      NS      b.root-servers.net.
.                       31101   IN      NS      a.root-servers.net.
.                       31101   IN      NS      j.root-servers.net.
.                       31101   IN      NS      d.root-servers.net.
.                       31101   IN      NS      f.root-servers.net.
.                       31101   IN      NS      k.root-servers.net.
.                       31101   IN      NS      i.root-servers.net.
;; Received 228 bytes from 103.8.44.5#53(103.8.44.5) in 1471 ms

in.                     172800  IN      NS      a0.in.afilias-nst.info.
in.                     172800  IN      NS      a1.in.afilias-nst.in.
in.                     172800  IN      NS      a2.in.afilias-nst.info.
in.                     172800  IN      NS      b0.in.afilias-nst.org.
in.                     172800  IN      NS      b1.in.afilias-nst.in.
in.                     172800  IN      NS      b2.in.afilias-nst.org.
in.                     172800  IN      NS      c0.in.afilias-nst.info.
in.                     172800  IN      NS      ns7.cdns.net.
;; Received 495 bytes from 128.63.2.53#53(h.root-servers.net) in 2994 ms

india.gov.in.           86400   IN      NS      ns7.nic.in.
india.gov.in.           86400   IN      NS      ns1.nic.in.
india.gov.in.           86400   IN      NS      ns10.nic.in.
india.gov.in.           86400   IN      NS      ns2.nic.in.
;; Received 107 bytes from 199.7.87.1#53(a0.in.afilias-nst.info) in 757 ms

india.gov.in.           1800    IN      A       164.100.56.191
india.gov.in.           1800    IN      NS      ns2.nic.in.
india.gov.in.           1800    IN      NS      ns1.nic.in.
india.gov.in.           1800    IN      NS      ns10.nic.in.
india.gov.in.           1800    IN      NS      ns7.nic.in.
;; Received 199 bytes from 164.100.14.3#53(ns1.nic.in) in 55 ms


The above output show you how DNS queries works.
In the above query, i ask for "trace" for the india.gov.in domain.

My resolver first goes to "." (Root NameServer) as every resolver knows about Root Servers only. Root NS replies that 'he don't know about india.gov.in' but he knows about 'NS of .in domain'.
Then resolver goes to NS of ".in" domain and ask for india.gov.in, which in turn replies that he only knows about NS of india.gov.in.
Then resolver goes to NS of 'india.gov.in' which in turn replies the desired query answer.




Popular posts from this blog

Flaw in ServerKeyExchange messages of TLS Protocol

Here we will discuss the flaw in the ServerKeyExchange messages of the TLS protocol which caused the Logjam attack over TLS while using Diffie-Hellman Key Exchange. Before SSLv3, we don't use to authenticate the ServerKeyExchange messages where server negotiates with client regarding usage of cipersuite and parameters. From onwards SSLv3, TLS send the signed message where it mention about parameters it will use but remain silent over ciphersuite. Or in other words, signed portion contains parameters but not contain information about ciphersuite the server will going to use. Now just to remind you, the difference between DH and DH-EXPORT is the size of parameters only. So how to use this flaw - If the server supports DH-EXPORT, an attacker (Men-in-the-Middle) can edit the negotiation sent by the client (even if client doesn't support DH-EXPORT), and replace the list of client supported ciphersuite with DH-EXPORT only. The server will in turn send back a

Identity PSK ( iPSK)

With the evolution of IoT (Internet of Things), devices that connect wirelessly have increased many folds. From webcams, Smartwatches, fitness bands, firestick, Alexa, Google Home, and many more.., everything is going wireless for connectivity and so does the security threat. The main concern with IoT devices is the unavailability of the full wireless protocol stack (and in the majority of devices, support of 802.1x is not available). So, previously we only have the WPA-PSK option for connecting the IoT devices.  In WPA*-PSK (WPA or WPA2) WLAN, a Pre-Shared Key (PSK) is configured and distributed to all the clients that connect to the WLAN. This leads to PSK leakage, and it can be accessible to unauthorized users (due to the nature of common PSK across all the devices).  Therefore, there was a need to provision unique PSK or Multiple PSK per SSID. Identity-PSKs are unique pre-shared keys created for clients/groups on the same WLAN. Features of iPSK:-   1.Unique PSK for individual Cli