DIG

COMMAND
DESCRIPTION

dig domain.com

Performs a default A record lookup for the domain.

dig domain.com A

Retrieves the IPv4 address (A record) associated with the domain.

dig domain.com AAAA

Retrieves the IPv6 address (AAAA record) associated with the domain.

dig domain.com MX

Finds the mail servers (MX records) responsible for the domain.

dig domain.com NS

Identifies the authoritative name servers for the domain.

dig domain.com TXT

Retrieves any TXT records associated with the domain.

dig domain.com CNAME

Retrieves the canonical name (CNAME) record for the domain.

dig domain.com SOA

Retrieves the start of authority (SOA) record for the domain.

dig @1.1.1.1 domain.com

Specifies a specific name server to query; in this case 1.1.1.1

dig +trace domain.com

Shows the full path of DNS resolution.

dig -x 192.168.1.1

Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.

dig +short domain.com

Provides a short, concise answer to the query.

dig +noall +answer domain.com

Displays only the answer section of the query output.

dig domain.com ANY

Retrieves all available DNS records for the domain (Note: Many DNS servers ignore ANY queries to reduce load and prevent abuse, as per RFC 8482).

dig -x {ipAddress}

Returns the PTR record for the specified IP Address

SOA

The SOA (Start of Authority) record is a key component of a domain’s DNS zone file that designates the primary authoritative name server for the domain and identifies the administrator responsible for managing it. It also contains essential parameters for zone management, including the serial number, which tracks updates; refresh and retry intervals for secondary servers; the expire time after which outdated data is discarded; and the minimum TTL that dictates how long records are cached. By providing this information, the SOA record ensures that DNS data is consistently maintained and properly propagated across servers. For a red teamer or pentester, examining the SOA record can reveal the primary DNS server and administrative contact information, helping to plan reconnaissance, identify potential targets for social engineering, and understand how the domain’s DNS infrastructure is managed for further exploitation or testing.

root@oco:~$ dig soa www.inlanefreight.com

; <<>> DiG 9.16.27-Debian <<>> soa www.inlanefreight.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15876
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.inlanefreight.com.         IN      SOA

;; AUTHORITY SECTION:
inlanefreight.com.      900     IN      SOA     ns-161.awsdns-20.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 05 12:56:10 GMT 2023
;; MSG SIZE  rcvd: 128

 * The dot (.) in awsdns-hostmaster.amazon.com is replaced by an at sign (@) in the email address.
    - [email protected].
PreviousPSQLNextDNSENUM

Last updated