
Debugging DNS with dig +trace

By Admin · Mar 15, 2026 · Updated Apr 24, 2026 · 595 views · 4 min read

The dig +trace command performs iterative resolution itself, starting at the root servers, so it shows the complete delegation path to the final answer instead of a recursive resolver's cached view. It reveals exactly where DNS resolution fails, making it invaluable for diagnosing propagation issues, DNSSEC problems, and delegation errors. This guide covers practical dig techniques for DNS troubleshooting.

Basic dig Usage

# Simple query
dig example.com A

# Query specific server
dig @8.8.8.8 example.com A

# Short output
dig example.com A +short

# Multiple record types
dig example.com ANY    # Not reliable — many servers block ANY
# Query specific types instead. dig runs one query per name/type pair, so the name must be repeated;
# "dig example.com A AAAA" would only query the last type given.
dig example.com A example.com AAAA example.com MX example.com TXT

Using +trace

# Full resolution trace from root servers
dig example.com A +trace

# Output shows the complete delegation chain:
# .                    518400    IN    NS    a.root-servers.net.
# com.                 172800    IN    NS    a.gtld-servers.net.
# example.com.         172800    IN    NS    ns1.example.com.
# example.com.         300       IN    A     93.184.216.34

# Each section ends with a ";; Received ... from <server>" line showing which server answered that step

# Trace with DNSSEC validation info
dig example.com A +trace +dnssec

Diagnosing Common Problems

DNS Propagation Issues

# Check if all authoritative servers agree
dig example.com NS +short
# ns1.example.com
# ns2.example.com

# Query each authoritative server directly
dig @ns1.example.com example.com A +short
dig @ns2.example.com example.com A +short

# Compare with public resolvers
dig @8.8.8.8 example.com A +short     # Google
dig @1.1.1.1 example.com A +short     # Cloudflare
dig @9.9.9.9 example.com A +short     # Quad9

Delegation Problems

# Check NS records at parent (com. servers for .com domains)
dig example.com NS +trace | grep -A2 "com."

# Verify glue records
dig ns1.example.com A +trace

# Check for lame delegation (NS records point to servers that don't answer authoritatively)
for ns in $(dig example.com NS +short); do
    echo "Testing $ns:"
    # Empty output, REFUSED, SERVFAIL, or a timeout means this server is not serving the zone
    dig @"$ns" example.com SOA +short +norecurse 2>&1
done

DNSSEC Validation Failures

# Check DNSSEC chain
dig example.com A +dnssec +short

# Full DNSSEC trace
dig example.com A +trace +dnssec

# Check DS record at parent
dig example.com DS +trace

# Validate DNSKEY
dig @ns1.example.com example.com DNSKEY +short

# Use DNSSEC analyzer
# https://dnsviz.net/d/example.com/dnssec/

Useful dig Flags

# Show query time and server info
dig example.com A +stats

# Show only the answer section
dig example.com A +noall +answer

# Check specific record types
dig example.com MX +short          # Mail servers
dig example.com TXT +short         # SPF, DKIM, verification records
dig example.com SOA +short         # Start of Authority (serial, refresh)
dig example.com NS +short          # Nameservers
dig example.com CAA +short         # Certificate Authority Authorization

# Reverse DNS lookup
dig -x 93.184.216.34

# Check EDNS support
dig example.com A +edns=0

# TCP query (test if TCP DNS works)
dig example.com A +tcp

# Query a server on a non-standard port (-p sets the destination port; -b sets the source address)
dig example.com A -p 5353 @mdns-server

Batch DNS Testing

#!/bin/bash
# check-dns.sh — verify DNS records for a domain
DOMAIN=${1:?usage: $0 <domain>}

echo "=== NS Records ==="
dig "$DOMAIN" NS +short

echo "=== A Records ==="
dig "$DOMAIN" A +short

echo "=== AAAA Records ==="
dig "$DOMAIN" AAAA +short

echo "=== MX Records ==="
dig "$DOMAIN" MX +short

echo "=== SPF ==="
dig "$DOMAIN" TXT +short | grep -i 'v=spf1'

echo "=== DKIM ==="
# dig exits 0 even when there is no answer, so test the output rather than the exit status
DKIM=$(dig "mail._domainkey.$DOMAIN" TXT +short 2>/dev/null)
[ -n "$DKIM" ] && echo "$DKIM" || echo "No DKIM found with selector 'mail'"

echo "=== DMARC ==="
dig "_dmarc.$DOMAIN" TXT +short

echo "=== CAA ==="
dig "$DOMAIN" CAA +short

echo "=== SOA ==="
dig "$DOMAIN" SOA +short

echo "=== Nameserver consistency ==="
# The serial is field 3 of the SOA rdata; differing serials mean a zone transfer has not completed
for ns in $(dig "$DOMAIN" NS +short); do
    serial=$(dig @"$ns" "$DOMAIN" SOA +short +norecurse | awk '{print $3}')
    echo "$ns: serial ${serial:-none}"
done
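
An added check that ties the delegation and nameserver-consistency sections together (example code written for this page, not dig's own tooling): it compares the NS set a parent TLD server hands out with the NS set the zone itself publishes, and classifies each server's SOA response as authoritative or lame from the aa flag. The names live_check, compare_ns and aa_status are this example's own, and the sample response headers are constructed.

```bash
#!/usr/bin/env bash
# Delegation consistency check: the NS set the parent (TLD) servers hand out
# should match the NS set inside the child zone, and every listed server must
# answer authoritatively (aa flag, NOERROR) for the zone. Hypothetical helper
# written for this page; not part of any dig distribution.

# Normalise an NS list from dig output: lowercase, strip trailing dots, sort.
norm_ns() { tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u | tr '\n' ' ' | sed 's/ $//'; }

# Compare two whitespace-separated NS lists; prints "ok" or the difference.
compare_ns() {
    local parent child
    parent=$(printf '%s\n' $1 | norm_ns)
    child=$(printf '%s\n' $2 | norm_ns)
    [ "$parent" = "$child" ] && echo "ok" || echo "mismatch: parent=[$parent] child=[$child]"
}

# Classify a full dig response (not +short): "authoritative" when the header
# says NOERROR and the flags line carries aa, otherwise "lame".
aa_status() {
    local hdr flags
    hdr=$(printf '%s\n' "$1" | grep -m1 -- '->>HEADER<<-' || true)
    flags=$(printf '%s\n' "$1" | grep -m1 '^;; flags:' || true)
    case "$hdr" in *"status: NOERROR"*) ;; *) echo lame; return ;; esac
    case "$flags" in *" aa "*|*" aa;"*) echo authoritative ;; *) echo lame ;; esac
}

# Live check (needs network). The parent view comes from one TLD server queried
# with recursion disabled; the delegation NS records sit in the AUTHORITY section.
live_check() {
    local domain=$1 tld parent_ns child_ns ns
    tld=${domain##*.}
    parent_ns=$(dig @"$(dig "$tld." NS +short | head -1)" "$domain" NS +norecurse +noall +authority | awk '$4=="NS"{print $5}')
    child_ns=$(dig "$domain" NS +short)
    compare_ns "$parent_ns" "$child_ns"
    for ns in $child_ns; do
        printf '%s: %s\n' "$ns" "$(aa_status "$(dig @"$ns" "$domain" SOA +norecurse)")"
    done
}

# Constructed sample headers (not captured from a real server) for offline use.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_LAME=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ -n "${1:-}" ]; then live_check "$1"; fi
```

Run it as `./check-delegation.sh example.com` to query live servers; a "mismatch" line or a "lame" server is the delegation error that +trace would otherwise surface only by reading the output by hand.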

Alternative Tools

# dog — modern DNS client with colored output
dog example.com A MX TXT

# kdig — from knot-dnsutils, supports DoT/DoH
kdig @1.1.1.1 +tls example.com A

# drill — from ldns, good for DNSSEC debugging
drill -T example.com    # Trace
drill -S example.com    # Chase DNSSEC signatures

Best Practices

  • Always use +trace as the first debugging step — it shows exactly where resolution fails
  • Query authoritative servers directly (@ns1.example.com) to bypass caching
  • Check multiple public resolvers to identify caching-related inconsistencies
  • Use +short for quick checks and full output for debugging
  • Compare SOA serials across all authoritative servers to verify zone synchronization
  • For email issues, always check MX, SPF (TXT), DKIM, and DMARC records
