Command of the Day: dig
Overview⌗
Going to end this week with the last of the DNS lookup tools that ship with BIND9.
I'm sure there are other DNS lookup tools, and I know the Internet Systems Consortium has various other tools for you to use.
Today we're looking at dig, the first DNS lookup utility I ever used back in the day.
Had no idea how it worked, kind of just copied and pasted commands, but thought it was so cool to get the IP address of a website.
The thing with dig is that it is almost exactly the same as host and nslookup.
When using dig, though, the default output is much more verbose than the previous two tools.
The man page states that dig is a flexible tool for interrogating DNS name servers.
Interrogating is a strong word, but a fitting one once you look at the man page and see how many query options it offers.
dig drt.sh
; <<>> DiG 9.10.6 <<>> drt.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drt.sh. IN A
;; ANSWER SECTION:
drt.sh. 3599 IN A 167.99.103.200
;; Query time: 94 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:19:18 EST 2020
;; MSG SIZE rcvd: 51
If you have no idea what most of that output means, don't worry about it.
Neither do I... but one day I will.
The key parts are the QUESTION SECTION and the ANSWER SECTION.
The question shows that we asked for the A record of drt.sh, and the answer returns it, with the same IP address as before.
The HEADER and flags lines are worth a glance too: status: NOERROR means the lookup succeeded, qr marks this as a response, rd means we asked for recursion and ra means the server offers it.
There is no aa (authoritative answer) flag, so this answer came from the caching resolver on the SERVER line (192.168.86.1), not from the nameserver that actually hosts drt.sh.
You might have noticed the 3599 returned in the result as well.
It's not the time it took to respond (because that would be awful).
It's actually the record's time to live value, in seconds: how long a resolver is allowed to cache the answer before it must ask again.
Because this answer came out of the resolver's cache, what you see is the time remaining, not the original value (almost certainly 3600 here), and it counts down if you repeat the query.
Ask the authoritative nameserver directly (dig takes a server after an @ sign, as in the zone transfer example further down) and you get the full TTL back, along with the aa flag.
I know it looks like a lot of info, but that's the beauty if you're trying to diagnose a problem.
Let's dive into a few more examples of how we can use dig.
Examples⌗
Query for the nameservers, or any other record type, with the -t flag (dig also accepts the type as a bare argument after the name, without -t).
dig -t NS drt.sh
; <<>> DiG 9.10.6 <<>> -t NS drt.sh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27396
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drt.sh. IN NS
;; ANSWER SECTION:
drt.sh. 1799 IN NS ns2.digitalocean.com.
drt.sh. 1799 IN NS ns1.digitalocean.com.
drt.sh. 1799 IN NS ns3.digitalocean.com.
;; Query time: 123 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:49:27 EST 2020
;; MSG SIZE rcvd: 105
If the output is a bit much for you, you can trim it with the +nocomments option, which drops the header, flags and section-title lines but keeps the statistics at the bottom (those go away with +nostats, and +short prints nothing but the answer data).
dig +nocomments drt.sh
; <<>> DiG 9.10.6 <<>> +nocomments drt.sh
;; global options: +cmd
;drt.sh. IN A
drt.sh. 3599 IN A 167.99.103.200
;; Query time: 122 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Mar 05 15:34:41 EST 2020
;; MSG SIZE rcvd: 51
Before this post gets too long with dig results, I'll end this with an example of how to do a zone transfer.
As with the host command, we can request a zone transfer to try to list every record in the zone, not just the domains.
This is done using the -t AXFR switch; notice that the nameserver must be given after an @ symbol for the lookup to work, because a transfer is only answered by a server that is authoritative for the zone, never by the caching resolver dig would otherwise use.
The dig command provides more information (by default) than host, as it returns the record type and the data it holds.
The same can be achieved with host -lv.
A server that answers AXFR for anyone is handing out its entire zone, internal hostnames and all, which is why this is one of the first things a pentester tries and one of the first things a DNS administrator should lock down (in BIND that is the allow-transfer option, normally limited to the zone's secondaries).
zonetransfer.me is a deliberately open test domain run by Robin Wood, so the transfer below succeeds; against a properly configured server dig reports "; Transfer failed." instead.
I love some of the values in these results, especially shellshock and xss.
dig -t AXFR zonetransfer.me @nsztm1.digi.ninja
; <<>> DiG 9.10.6 <<>> -t AXFR zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi to Josh and all his class"
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 115 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Thu Mar 05 15:39:17 EST 2020
;; XFR size: 50 records (messages 1, bytes 1994)
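Once the transfer comes back, the next step is to triage it rather than read fifty lines by eye. The script below is an added example and not part of the original post: a set of small shell filters that take dig's AXFR output on stdin, decide whether the transfer was allowed, and pull out what a pentester (or an administrator auditing their own zone) looks for first. The sample dump is constructed from a subset of the zonetransfer.me records shown above; the refused dump uses a hypothetical example.net server and the "; Transfer failed." line dig prints when a server declines.

```shell
#!/bin/sh
# Added example (not from the original post): triage a dig AXFR dump.
# Every function reads dig output on stdin so it can be chained after
# a real transfer:  dig -t AXFR zonetransfer.me @nsztm1.digi.ninja | report

# Constructed sample: a subset of the zonetransfer.me records shown on the page.
sample_axfr() {
cat <<'EOF'
; <<>> DiG 9.10.6 <<>> -t AXFR zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "; ls"
home.zonetransfer.me. 7200 IN A 127.0.0.1
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 115 msec
EOF
}

# Constructed sample of a refused transfer (server name is hypothetical).
refused_axfr() {
cat <<'EOF'
; <<>> DiG 9.10.6 <<>> -t AXFR example.net @ns1.example.net
;; global options: +cmd
; Transfer failed.
EOF
}

# records: keep only resource-record lines (owner TTL IN TYPE RDATA...),
# dropping dig's ';'-prefixed banner, comment and statistics lines.
records() { awk '$1 !~ /^;/ && $3 == "IN"'; }

# axfr_allowed: exit 0 if the server handed over the zone, 1 if it
# declined (dig prints "; Transfer failed." on REFUSED) or sent no records.
axfr_allowed() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; Transfer failed\.'; then
        return 1
    fi
    [ "$(printf '%s\n' "$out" | records | wc -l | tr -d ' ')" -gt 0 ]
}

# count_records: number of RRs in the dump. The SOA appears twice in a
# complete AXFR (it opens and closes the transfer) and both copies count,
# which is how dig's own ";; XFR size:" line counts them.
count_records() { records | wc -l | tr -d ' '; }

# owners_of TYPE: owner names that carry a record of TYPE, deduplicated.
owners_of() { records | awk -v t="$1" '$4 == t { print $1 }' | sort -u; }

# private_targets: A records that point at loopback or RFC 1918 space.
# These leak internal topology and are a classic zone-transfer finding.
private_targets() {
    records | awk '$4 == "A" && ($5 ~ /^127\./ || $5 ~ /^10\./ ||
        $5 ~ /^192\.168\./ || $5 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { print $1, $5 }'
}

# injection_txt: TXT records whose text carries shell, SQL or HTML
# metacharacters (; < > and the single quote, \047 in awk). Anything that
# renders DNS data unescaped, a dashboard or log viewer, must treat these
# as untrusted input.
injection_txt() { records | awk '$4 == "TXT" && $0 ~ /[;<>\047]/ { print $1 }'; }

# report: the triage a practitioner runs right after the transfer.
report() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | axfr_allowed; then
        echo "zone transfer refused (good: transfers are restricted)"
        return 0
    fi
    echo "zone transfer allowed: $(printf '%s\n' "$dump" | count_records) records leaked"
    echo "nameservers (owners of NS records):"
    printf '%s\n' "$dump" | owners_of NS | sed 's/^/  /'
    echo "hosts pointing at loopback/private space:"
    printf '%s\n' "$dump" | private_targets | sed 's/^/  /'
    echo "TXT records with injection metacharacters:"
    printf '%s\n' "$dump" | injection_txt | sed 's/^/  /'
}

sample_axfr | report
refused_axfr | report
```

The filters only depend on the fixed column layout of dig's record lines (owner, TTL, class, type, data), so they work unchanged on a live transfer; the "internal.zonetransfer.me." NS delegation and the two 127.0.0.1 hosts in the sample are exactly the kind of thing worth chasing next.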
Conclusion⌗
I've only scratched the surface of dig, but I'll let you take a dive into its world.
I'm not a network engineer, and I only use these tools for some basic functionality.
dig alone has a plethora of query options to choose from, and I would be writing a book to explain and demonstrate each one.
At the end of the day, it's your choice as to which DNS lookup tool you want to use.
Try them all out and see which one you feel more comfortable using.
Remember that between the three of them, they cover the same core functionality.
Personally, while I like the verbosity of dig, I'll probably end up using host for its simple output and flag options.