DNS Sleuthing with Dig

So I’ve seen a number of folks who use web-based DNS checking tools such as Mx Toolbox and DNS Checker. And these are great tools, easily accessible and generally helpful. But sometimes they provide a layer of abstraction that can be confusing, or they are slower than is really needed. Since I’ve been mucking with DNS for the better part of 2 decades at this point, I thought I would share some of the more common commands that I use and examples of the same.

I’m on a Mac so I use a tool called dig which is built in and can be accessed using the terminal application (I actually use a different shell called iTerm2 which I prefer and recommend to anyone who has to do much in the shell). On the PC, nslookup is generally an equivalent tool but the syntax will be different. So on to it…

Domain: infamousventures.com

What is the A record for www.infamousventures.com?

dig www.infamousventures.com +short
104.16.12.217
104.16.13.217
104.16.11.217
104.16.10.217
104.16.14.217

The domain has 5 IPs actually. (+short gives me a non-verbose answer, which is what I want most times; if you drop +short you get the same answer with a bit more detail. If you want really verbose output you can add +trace.)

I can also set the query type explicitly to A to search for an A record.

dig www.infamousventures.com A +short

And I will get the same answer. Since Cloudflare is proxying my requests, even if I change the origin in my Cloudflare DNS control panel, the IP address(es) Cloudflare advertises won’t change. If I query for a different record type for www, such as CNAME, I will get no response for the value.

dig www.infamousventures.com CNAME +short

But this is technically not true, as www is a CNAME for my root domain. The reason it isn’t treated that way is because of CNAME flattening and because the record is orange clouded. As such it is treated like an A record by Cloudflare’s DNS so that we can proxy the traffic to the target specified in the CNAME in Cloudflare’s control panel without revealing anything about the true origin destination.

What server handles my mail?

dig infamousventures.com MX +short
0 infamousventures-com.mail.protection.outlook.com.

Oh, it’s Office 365 (once you’ve spent enough time around mail servers you recognize the big players pretty easily). I know Office 365 requires SPF records, so I wonder what mine is… SPF records are specified in a TXT record, so let’s query for that.

dig infamousventures.com TXT +short
"v=spf1 include:spf.protection.outlook.com -all"

And two fun ways to figure out what my nameservers are. First a query that will tell me Cloudflare vs. Not Cloudflare just by asking for a specific record type (ANY).

dig infamousventures.com ANY +short
"ANY obsoleted" "See draft-ietf-dnsop-refuse-any"

If you get this response it’s a Cloudflare NS because we’re the only NS that returns that exact response to an ANY query. Not terribly useful but a fun party trick (at a nerd party).

To really query my NS it looks like this:

dig infamousventures.com NS +short
james.ns.Cloudflare.com.
kara.ns.Cloudflare.com.

Anyway hope this helps someone as a basic primer in using command line tools in looking up and validating DNS records.

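The TXT and NS lookups above are easy to script once you account for how dig +short prints its answers. The following is an added example, not part of the original post: shell functions that pick the SPF record out of TXT output (a domain usually has several TXT records, and one record may be split into several quoted strings) and check whether every nameserver is a Cloudflare one. Function names are hypothetical, and the sample input is constructed from the outputs shown in the post.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed
# from the outputs shown in the post.

# Read `dig <domain> TXT +short` output on stdin and print the SPF record.
# Returns 1 if there is no SPF record, 2 if there is more than one
# (multiple v=spf1 records are a permanent error under RFC 7208).
spf_from_txt() {
    # dig prints one TXT record per line as one or more "quoted" strings;
    # the strings of a single record are concatenated with no separator.
    spf_records=$(sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' |
                  grep -iE '^v=spf1( |$)' || true)
    [ -n "$spf_records" ] || return 1
    [ "$(printf '%s\n' "$spf_records" | grep -c .)" -eq 1 ] || return 2
    printf '%s\n' "$spf_records"
}

# Map the record's "all" mechanism to the result it gives unmatched senders.
spf_all_policy() {
    case " $(printf '%s' "$1" | tr 'A-Z' 'a-z') " in
        *" -all "*) echo fail ;;
        *" ~all "*) echo softfail ;;
        *" ?all "*) echo neutral ;;
        *" +all "*|*" all "*) echo pass ;;
        *) echo none ;;
    esac
}

# Read `dig <domain> NS +short` output on stdin; succeed only if every
# nameserver is under ns.cloudflare.com (the suffix seen in the post).
is_cloudflare_ns() {
    ns_list=$(tr 'A-Z' 'a-z')
    [ -n "$ns_list" ] || return 1
    ! printf '%s\n' "$ns_list" | grep -qv '\.ns\.cloudflare\.com\.$'
}

# Constructed sample input: a placeholder verification TXT record plus the
# SPF record and nameservers from the post.
SAMPLE_TXT='"MS=ms00000000"
"v=spf1 include:spf.protection.outlook.com -all"'
SAMPLE_NS='james.ns.Cloudflare.com.
kara.ns.Cloudflare.com.'

spf=$(printf '%s\n' "$SAMPLE_TXT" | spf_from_txt) &&
    echo "SPF: $spf (unmatched senders: $(spf_all_policy "$spf"))"
printf '%s\n' "$SAMPLE_NS" | is_cloudflare_ns && echo "NS: Cloudflare"
# Live use: dig example.com TXT +short | spf_from_txt
```

A return code of 2 from spf_from_txt is worth alerting on, since receivers treat a domain with two SPF records as having a broken policy.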