Overview

Going to end this week with the last of the DNS lookup tools released with BIND9. I'm sure there are other DNS lookup tools, and I know the Internet Systems Consortium has various other tools for you to use. Today we're looking at dig, the first DNS lookup utility I ever used back in the day. I had no idea how it worked, and kind of just copied and pasted commands, but I thought it was so cool to get the IP address of a website.

The thing with dig is that it performs the same lookups as host and nslookup; the difference is that dig's default output is much more verbose than the other two. The man page describes dig as a flexible tool for interrogating DNS name servers. Interrogating is a strong word, but it is a fitting one once you look at the man page and see the number of query options it offers.

dig drt.sh

; <<>> DiG 9.10.6 <<>> drt.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drt.sh.				IN	A

;; ANSWER SECTION:
drt.sh.			3599	IN	A	167.99.103.200

;; Query time: 94 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:19:18 EST 2020
;; MSG SIZE  rcvd: 51

If you have no idea what most of that output means, don't worry about it. Neither do I... but one day I will. The key parts are the QUESTION SECTION and ANSWER SECTION: the question shows that we asked for the A record of drt.sh, and the answer shows the record that came back, with the same IP address as before. The HEADER and flags lines are worth a glance too. status: NOERROR means the query succeeded (a name that does not exist comes back as NXDOMAIN). In the flags, qr marks a reply and rd/ra mean recursion was requested and is available; the absence of aa means this answer came from the resolver on the SERVER line (192.168.86.1 here), not from a server that is authoritative for the zone. You might have noticed the 3599 in the result as well. It's not the time it took to respond (because that would be awful); it's the record's time to live in seconds, and 3599 rather than a round 3600 tells you the resolver already had it cached and the value is counting down. The actual response time is the Query time line at the bottom. I know it looks like a lot of info, but that's the beauty of it if you're trying to diagnose a problem.
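To make those fields easier to read at a glance, here is an added shell helper (my example, not part of the original post or of BIND) that pipes dig's default output through awk and reports the status, whether the aa flag was set, which server answered, and each answer record with its TTL. The three replies embedded in it are constructed for the test: the first reproduces the reply above, the second is what the same query looks like when sent straight to an authoritative server (aa set, the full 3600 TTL; the 192.0.2.53 address is a placeholder, not a real DigitalOcean name server), and the third is a made-up NXDOMAIN reply with an invented SOA.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a dig reply.
# dig_summary reads dig's default output on stdin and prints the status,
# whether the answer is authoritative (aa flag), which server answered,
# and one line per ANSWER record with its TTL.  Against a live query:
#     dig drt.sh | dig_summary
set -eu

dig_summary() {
    awk '
        # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63181"
        /^;; ->>HEADER<<-/ { status = $6; sub(/,$/, "", status) }
        # ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..." -> collect flags up to the ";"
        /^;; flags:/ {
            if ($2 ~ /;$/) next              # ";; flags:; ..." means no flags set
            for (i = 3; i <= NF; i++) {
                f = $i
                last = (f ~ /;$/)
                sub(/;$/, "", f)
                flags = flags f " "
                if (last) break
            }
        }
        /^;; SERVER:/ { server = $3 }
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/ { in_ans = 0 }         # any other comment or blank line ends the section
        in_ans && $3 == "IN" {               # "<name> <ttl> IN <type> <rdata...>"
            d = $5
            for (i = 6; i <= NF; i++) d = d " " $i
            ans[++n] = $1 " " $4 " ttl=" $2 " " d
        }
        END {
            aa = index(" " flags, " aa ") ? "yes" : "no"
            printf "status=%s authoritative=%s server=%s answers=%d\n", status, aa, server, n + 0
            for (i = 1; i <= n; i++) print ans[i]
        }
    '
}

# Constructed sample: the reply shown in the post, answered by the local
# resolver (no aa flag, TTL 3599 counting down from the zone's 3600).
sample_cached() { cat <<'EOF'
; <<>> DiG 9.10.6 <<>> drt.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drt.sh.                IN      A

;; ANSWER SECTION:
drt.sh.                 3599    IN      A       167.99.103.200

;; Query time: 94 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:19:18 EST 2020
;; MSG SIZE  rcvd: 51
EOF
}

# Constructed sample: the same question asked of an authoritative server
# (192.0.2.53 is a placeholder address).  Note the aa flag and the round TTL.
sample_authoritative() { cat <<'EOF'
; <<>> DiG 9.10.6 <<>> drt.sh @ns1.digitalocean.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;drt.sh.                IN      A

;; ANSWER SECTION:
drt.sh.                 3600    IN      A       167.99.103.200

;; Query time: 30 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
EOF
}

# Constructed sample: a name that does not exist (invented SOA values).
sample_nxdomain() { cat <<'EOF'
; <<>> DiG 9.10.6 <<>> nosuch.drt.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nosuch.drt.sh.         IN      A

;; AUTHORITY SECTION:
drt.sh.                 1800    IN      SOA     ns1.digitalocean.com. hostmaster.drt.sh. 1583000000 10800 3600 604800 1800

;; Query time: 40 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
EOF
}

for s in sample_cached sample_authoritative sample_nxdomain; do
    echo "== $s"
    $s | dig_summary
done
```

It only understands dig's default comment-laden format, so don't feed it +nocomments or +short output. The authoritative column is the check you want when a cached answer looks stale or wrong: re-run the query with @ followed by one of the servers dig -t NS lists for the zone and compare the two results.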

Let’s dive into a few more examples of how we can use dig.

Examples

Query for the nameservers, or any other record type, using the -t flag. dig also accepts the type as a plain argument, so dig drt.sh NS is equivalent.

dig -t NS drt.sh

; <<>> DiG 9.10.6 <<>> -t NS drt.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27396
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drt.sh.				IN	NS

;; ANSWER SECTION:
drt.sh.			1799	IN	NS	ns2.digitalocean.com.
drt.sh.			1799	IN	NS	ns1.digitalocean.com.
drt.sh.			1799	IN	NS	ns3.digitalocean.com.

;; Query time: 123 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:49:27 EST 2020
;; MSG SIZE  rcvd: 105

If the output is a bit much for you, you can trim it with the +nocomments option, which drops the ;; comment lines but keeps the records. If all you want is the answer data, +short prints nothing but that, one line per record.

dig +nocomments drt.sh

; <<>> DiG 9.10.6 <<>> +nocomments drt.sh
;; global options: +cmd
;drt.sh.				IN	A
drt.sh.			3599	IN	A	167.99.103.200
;; Query time: 122 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:34:41 EST 2020
;; MSG SIZE  rcvd: 51

Before this post gets too long with dig results, I'll end with an example of how to do a zone transfer. As with the host command, we can request a zone transfer (AXFR) to try to list every record in a zone. This is done using the -t AXFR switch; note that the name server to ask must be given with an @ in front of it, because a transfer has to go to a server authoritative for the zone rather than to your local resolver. A complete transfer begins and ends with the zone's SOA record, which is how you know you received the whole zone. By default dig shows more than host does, returning each record's type and data; the same can be achieved with host -lv. I love some of the values in these results, especially shellshock and xss. Keep in mind that zonetransfer.me is deliberately left open for practice. On a real authoritative server, a transfer that succeeds from an arbitrary client is a misconfiguration: it hands out the entire zone (internal hostnames, addresses, contact details) in a single request, so transfers should be restricted to the secondary servers' addresses and, better still, authenticated with TSIG.

dig -t AXFR zonetransfer.me @nsztm1.digi.ninja

; <<>> DiG 9.10.6 <<>> -t AXFR zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	A	5.196.105.14
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN	TXT	"6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN	SRV	0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200	IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN	AFSDB	1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200	IN	A	127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN	AFSDB	1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A	202.14.81.230
cmdexec.zonetransfer.me. 300	IN	TXT	"; ls"
contact.zonetransfer.me. 2592000 IN	TXT	"Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200	IN	A	143.228.181.132
deadbeef.zonetransfer.me. 7201	IN	AAAA	dead:beaf::
dr.zonetransfer.me.	300	IN	LOC	53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.	7200	IN	TXT	"AbCdEfG"
email.zonetransfer.me.	2222	IN	NAPTR	1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.	7200	IN	A	74.125.206.26
Hello.zonetransfer.me.	7200	IN	TXT	"Hi to Josh and all his class"
home.zonetransfer.me.	7200	IN	A	127.0.0.1
Info.zonetransfer.me.	7200	IN	TXT	"ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300	IN	NS	intns1.zonetransfer.me.
internal.zonetransfer.me. 300	IN	NS	intns2.zonetransfer.me.
intns1.zonetransfer.me.	300	IN	A	81.4.108.41
intns2.zonetransfer.me.	300	IN	A	167.88.42.94
office.zonetransfer.me.	7200	IN	A	4.23.39.254
ipv6actnow.org.zonetransfer.me.	7200 IN	AAAA	2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.	7200	IN	A	207.46.197.32
robinwood.zonetransfer.me. 302	IN	TXT	"Robin Wood"
rp.zonetransfer.me.	321	IN	RP	robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.	3333	IN	NAPTR	2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me.	300	IN	TXT	"' or 1=1 --"
sshock.zonetransfer.me.	7200	IN	TXT	"() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200	IN	CNAME	www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A	127.0.0.1
testing.zonetransfer.me. 301	IN	CNAME	www.zonetransfer.me.
vpn.zonetransfer.me.	4000	IN	A	174.36.59.154
www.zonetransfer.me.	7200	IN	A	5.196.105.14
xss.zonetransfer.me.	300	IN	TXT	"'><script>alert('Boo')</script>"
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 115 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Thu Mar 05 15:39:17 EST 2020
;; XFR size: 50 records (messages 1, bytes 1994)
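Checking whether a zone's name servers allow transfers is worth doing against your own domains before someone else does it. The script below is an added example, not part of the original post or of BIND: axfr_result reads the output of dig -t AXFR and classifies it, and check_zone_axfr runs that check against every name server that dig +short NS returns for a zone. The sample outputs embedded in it are constructed for the test (example.test with RFC 5737 addresses); the "Transfer failed." and "no servers could be reached" strings are what dig prints on a refused transfer and on a timeout.

```shell
#!/bin/sh
# Added example (not from the original post): classify the result of
# "dig -t AXFR <zone> @<ns>" and run that check against every name server of a zone.
set -eu

# Reads dig's AXFR output on stdin and prints one of:
#   open N        - a complete transfer (N records, SOA first and last)
#   incomplete N  - records came back but not a full SOA-to-SOA zone
#   refused       - dig reported "; Transfer failed." (server declined the AXFR)
#   unreachable   - dig reported "no servers could be reached"
axfr_result() {
    awk '
        /Transfer failed/             { failed = 1 }
        /no servers could be reached/ { unreachable = 1 }
        /^;/ || /^$/ { next }                   # dig comments, the XFR size line, blanks
        $3 == "IN" {                            # "<name> <ttl> IN <type> <rdata...>"
            n++
            if (n == 1) first = $4
            last = $4
        }
        END {
            if (unreachable)  print "unreachable"
            else if (failed)  print "refused"
            else if (n >= 2 && first == "SOA" && last == "SOA") print "open " n
            else              print "incomplete " n + 0
        }
    '
}

# Live check (needs network): ask each of the zone's own name servers in turn.
# +time/+tries keep a filtered server from stalling the loop.  Usage:
#     check_zone_axfr zonetransfer.me
check_zone_axfr() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        printf '%s via %s: ' "$zone" "$ns"
        dig -t AXFR "$zone" "@$ns" +time=5 +tries=1 | axfr_result
    done
}

# Constructed sample: what dig prints when the server allows the transfer.
sample_open() { cat <<'EOF'
; <<>> DiG 9.10.6 <<>> -t AXFR example.test @ns1.example.test
;; global options: +cmd
example.test.           7200    IN      SOA     ns1.example.test. hostmaster.example.test. 2020030501 172800 900 1209600 3600
example.test.           7200    IN      NS      ns1.example.test.
www.example.test.       300     IN      A       192.0.2.10
example.test.           7200    IN      SOA     ns1.example.test. hostmaster.example.test. 2020030501 172800 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; WHEN: Thu Mar 05 15:39:17 EST 2020
;; XFR size: 4 records (messages 1, bytes 160)
EOF
}

# Constructed sample: a server that declines the transfer.
sample_refused() { cat <<'EOF'
; <<>> DiG 9.10.6 <<>> -t AXFR example.test @ns2.example.test
;; global options: +cmd
; Transfer failed.
EOF
}

# Constructed sample: the server is filtered and dig gives up after its retries.
sample_timeout() { cat <<'EOF'
; <<>> DiG 9.10.6 <<>> -t AXFR example.test @ns3.example.test
;; global options: +cmd
;; connection timed out; no servers could be reached
EOF
}

for s in sample_open sample_refused sample_timeout; do
    printf '%s: ' "$s"
    $s | axfr_result
done
```

A result of open against any server that is not one of your own secondaries is the finding to fix; refused is what a correctly configured authoritative server should return to everyone else.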

Conclusion

I've only scratched the surface of dig, but I'll let you take a dive into its world. I'm not a network engineer, and I only use these tools for some basic functionality. dig alone has a plethora of query options to choose from, and I would be writing a book to explain and demonstrate each one. At the end of the day, it's your choice as to which DNS lookup tool you want to use. Try them all out and see which one you feel more comfortable using. Remember that between the three of them, they all perform the same lookups. Personally, while I like the verbosity of dig, I'll probably end up using host for its simple output and flag options.

References