分类: LINUX
2014-08-18 13:40:05
DIG(1) DIG(1)
NAME
dig - DNS lookup
utility // dig 是一个 DNS 查询工具
SYNOPSIS [语法]
dig [ @server ] [
-b address ] [ -c class ] [ -f filename ] [ -k filename
] [ -p port# ] [ -t type ] [ -x addr ] [ -y name:key
]
[ name ] [ type ] [ class ] [ queryopt... ]
dig [ -h ]
dig [
global-queryopt... ] [ query... ]
DESCRIPTION [描述]
dig (domain information
groper) is a flexible tool for interrogating
DNS name servers. It performs DNS lookups
and displays the answers that
are returned from the name server(s) that
were queried. Most DNS admin-
istrators use dig to troubleshoot DNS
problems because of its flexibil-
ity, ease of use and clarity (清楚)of output. Other
lookup tools tend to have
less functionality than dig.
# 注释 :dig 命令因为它的灵活性、易用性、输出格式明了而受到广泛使用,很少查询工具能够超过它。
Although dig is normally used with command-line arguments, it also has
a batch mode of
operation for reading lookup requests from a file. A
brief summary of its command-line
arguments and options is printed when
the -h option is given. Unlike
earlier versions, the BIND9 implementa-
tion of dig allows multiple lookups to be
issued from the command line.
# 注释 :虽然 dig 一般同命令行参数一起使用,它也可以从文件中读取具体要查询的域名(batch mode)
# 注释 :-h 参数给出 dig 的语法
# 注释 :BIND 9 允许在命令行发出多个查询。
Unless
it is told to query a specific name server, dig will try each of
the servers listed in /etc/resolv.conf.
# 注释 :除非明确告诉 dig 使用一个特定的 name server ,它会自动尝试使用 /etc/resolv.conf 中的 nameserver 列出的每个 name server 。
When no command line arguments or options are given, will
perform an NS
query for "." (the root).
# 注释 :如果命令行没有给出任何参数,则 dig 默认打印 "." 的所有 NS 记录。
SIMPLE USAGE [简单用法]
A typical invocation of dig looks like:
dig @server name type
where:
server is the name
or IP address of the name server to query. This can
be an IPv4 address in dotted-decimal
notation or an IPv6 address
in colon-delimited notation. When the supplied server argument
is a hostname, dig resolves that name before querying
that name
server. If
no server argument is provided, dig consults
/etc/resolv.conf and queries the name servers
listed there. The
reply from the name server that responds
is displayed.
name is the name of the resource record that is to be looked up.
type indicates what type of query is required ANY, A, MX, SIG, etc.
type can be any valid query type. If no
type argument is sup-
plied, dig will perform a lookup for an A
record.
# 注释 :最简单的 dig 命令格式是 :
dig [@server] [name] [type]
# 如果不给出 [@server] 部分,则默认使用 /etc/resolv.conf 中的 nameserver ,如果没有给出 type ,则默认查询 A 记录。
OPTIONS
The -b
option sets the source IP address of the query to address. This
must be a valid address on one of the
host's network interfaces.
# 注释 :-b 用于指定查询消息的源地址,该地址必须是主机网络的一个合法地址。
The default query
class (IN for internet) is overridden by the
-c
option. class is any valid
class, such as HS for Hesiod records or CH
for CHAOSNET records.
The -f option makes
dig operate in batch mode by reading a list of
lookup requests to process from the
file filename. The file contains a
number of queries, one per line.
Each entry in the file should be
organised in the
same way they would be presented as queries to dig
using the command-line interface.
# 注释 :-f
If a non-standard port number is to be queried, the -p option is used.
port# is the port number that dig
will send its queries instead of the
standard DNS port number 53. This option
would be used to test a name
server that has been configured to listen
for queries on a non-standard
port number.
# 注释 :-p port# 指定远程
name server 的端口,也就是目的端口。如果远程 name server 在非标准53端口上监听,可以使用该选项。
The -t option sets the query type to type. It can be any valid query
type which is supported
in BIND9. The default query type "A", unless
the -x option is supplied to indicate a
reverse lookup. A zone trans-
fer can be requested by specifying a
type of AXFR. When an incremental
zone transfer (IXFR) is required, type is
set to ixfr=N. The incremen-
tal zone transfer will contain
the changes made to the zone since the
serial number in the zone's SOA record was
N.
# 注释 :-t 选项设置查询类型。它可以是任何合法类型。默认是 A 记录。除非使用 -x 指定作 inverse query 。
# 注释 :dig 还可以直接发出
AXFR / IXFR 请求。如果请求 AXFR ,type 字段为
AXFR ;如果请求
IXFR ,type
字段为 ixfr=N ,N 是序列号。
# dig 将只返回当该 zone 序列号是 N 时的所有动态更新。
Reverse lookups - mapping addresses to names - are simplified by the -x
option. addr is an IPv4 address in
dotted-decimal notation, or a colon-
delimited IPv6 address. When this
option is used, there is no need to
provide the name, class and type
arguments. dig automatically performs
a lookup for a name like
11.12.13.10.in-addr.arpa and sets the query
type and class to PTR and IN
respectively. By default, IPv6 addresses
are looked up using the IP6.ARPA domain
and binary labels as defined in
RFC2874. To use the older
RFC1886 method using the IP6.INT domain and
"nibble" labels, specify the -n
(nibble) option.
# 注释 :当使用 -x 选项时,dig 自动进行 PTR 查询,会自动加上 .in-addr.arpa. 并查询 PTR 记录。
To sign the DNS queries sent by dig and their responses using transac-
tion signatures (TSIG),
specify a TSIG key file using the -k option.
You can
also specify the TSIG key itself on the command line using the
-y option; name is the name of the
TSIG key and key is the actual key.
The key is a base-64 encoded
string, typically generated by dnssec-key-
gen(8). Caution
should be taken when using the -y option on multi-user
systems as the key can be visible in the
output from ps(1) or in the
shell's history file. When using
TSIG authentication with dig, the name
server that is queried needs to know
the key and algorithm that is
being used. In
BIND, this is done by providing appropriate key and
server statements in named.conf.
# 注释 :dig 还支持
TSIG ,可以使用
-k 指定
key 文件的名称和位置。
# 还可以使用 -y name:key 的格式来声明 key 的名称和内容。但要注意,可以通过 .bash_history 或者 ps 命令查到 key 的名称和内容,所以不推荐这种方式。
QUERY OPTIONS [查询选项]
dig provides a number of query options which affect the way in
which
lookups are made and the results
displayed. Some of these set or reset
flag bits in the query header, some
determine which sections of the
answer get printed, and others
determine the timeout and retry strate-
gies.
Each query option is identified by a keyword preceded
by a plus sign
(+). Some keywords set or reset an option.
These may be preceded by the
string no to negate the meaning of that
keyword. Other keywords assign
values to options like the timeout
interval. They have the form +key-
word=value. The query options are:
# 注释 :dig 可以在命令行指出查询的选项。有两种格式 :
# -)+[no]
# -)+[arg]=
+[no]tcp
Use [do not use] TCP when querying
name servers. The default
behaviour is to
use UDP unless an AXFR or IXFR query is
requested, in which case a TCP connection
is used.
# 注释 :默认使用 udp 格式发送查询,除了 axfr 或者 ixfr 之外。
+[no]vc
Use [do not use] TCP when querying name servers. This alternate
syntax to +[no]tcp is provided for
backwards compatibility. The
"vc" stands for "virtual
circuit".
# 注释 :同 [no]tcp 一样
+[no]ignore
Ignore truncation in UDP responses instead of
retrying with TCP.
By
default, TCP retries are performed.
# 注释 :对带有 truncation bit 的响应,不使用 tcp 进行重传。默认会使用 tcp 再发送一次。
+domain=somename
Set the search
list to contain the single domain somename, as if
specified in a domain directive in
/etc/resolv.conf, and enable
search list processing as if the +search
option were given.
# 注释 :设置 search list
+[no]search
Use [do not use] the search list defined by the searchlist or
domain directive in resolv.conf (if
any). The search list is
not used by default.
# 注释 :设置是否使用 search list 。默认不使用 search list 。这是跟 nslookup 不同的地方。
+[no]defname
Deprecated, treated as a synonym for
+[no]search
# 注释 :跟 [no]search 一样。
+[no]aaonly
This option does nothing. It is provided for compatibilty with
old versions of dig where it set an
unimplemented resolver flag.
+[no]adflag
Set [do not set] the AD (authentic data) bit in the query. The
AD bit currently has a standard meaning
only in responses, not
in queries, but the ability to set
the bit in the query is pro-
vided for completeness.
+[no]cdflag
Set [do not set] the CD (checking disabled) bit in the query.
This requests the
server to not perform DNSSEC validation of
responses.
# 注释 :设置查询包中的 cd (checking disabled)位,在响应中将不执行 DNSSEC 校验。
+[no]recursive
Toggle the setting of the RD
(recursion desired) bit in the
query. This bit
is set by default, which means dig normally
sends recursive queries. Recursion
is automatically disabled
when the +nssearch or +trace query options
are used.
# 注释 :禁止发送递归查询,而是发送 iterative query 。默认是发送递归查询。
# 注释 :当使用 +nssearch 或者 +trace 选项时,自动应用 +norecursive 选项。、
# 注释 :同 host 命令相比,host
命令默认只发送非递归查询。
+[no]nssearch
When this option is set, dig
attempts to find the authoritative
name servers for the zone containing the
name being looked up
and display the
SOA record that each name server has for the
zone.
# 注释 :该选项类似于 host 命令的 -c 选项,dig 将尝试打印某个 zone 的所有权威服务器的 SOA 记录
+[no]trace
Toggle tracing of the delegation path from the root name servers
for the name being looked
up. Tracing is disabled by default.
When tracing is enabled, dig makes
iterative queries to resolve
the name being looked up. It will follow
referrals from the root
servers, showing the answer from each
server that was used to
resolve the lookup.
# 注释 :打印一个域名的解释过程。默认是关闭的。dig 将发送 iterative query 并跟随 referral 消息直到找到答案。
+[no]cmd
toggles the printing of the initial comment in
the output iden-
tifying the version of dig and the query
options that have been
applied. This comment is printed by
default.
# 注释 :该选项促使 dig 打印一些初始化信息(例如 dig 版本和查询的选项)。默认是开启的。
+[no]short
Provide a terse
(简单、扼要的)answer.
The default is to print the answer in a
verbose form.
# 注释 :该选项促使 dig 使用简化的输出格式。默认是 verbose 格式的输出。
+[no]identify
Show [or do not show] the IP address and port
number that sup-
plied the answer
when the +short option is enabled. If short
form answers are requested, the
default is not to show the
source address and port number
of the server that provided the
answer.
# 注释 :当使用 +short 选项时,默认是不输出响应该答案的 name server 地址和端口的。+identify 选项则输出这两项。
+[no]comments
Toggle the display of comment lines in the
output. The default
is to print comments.
# 注释 :该选项控制输出内容是否包括 comment 行,默认是包括的。
+[no]stats
This query option toggles the printing
of statistics: when the
query was made, the size of the reply
and so on. The default
behaviour is to print the query
statistics.
# 注释 :该选项控制输出中是否显示一些统计信息
+[no]qr
Print [do not print] the query as it is
sent. By default, the
query is not printed.
# 注释 :该选项控制是否打印查询的内容。默认是不打印。类似 nslookup 的 d2 选项。
+[no]question
Print [do not print] the question section of a query
when an
answer is returned. The default is to
print the question section
as a comment.
# 注释 :该选项控制 dig 的输出是否包括 question 部分。默认是包括。
+[no]answer
Display [do not display] the answer
section of a reply. The
default is to display it.
# 注释 :控制是否输出 answer 部分。默认是显示
+[no]authority
Display [do not display] the
authority section of a reply. The
default is to display it.
# 注释 :控制是否输出
authority 部分。默认是显示
+[no]additional
Display [do not display] the additional
section of a reply. The
default is to display it.
# 注释 :控制是否输出 additional 部分。默认是显示
+[no]all
Set or clear all display flags.
# 注释 :设置或者清除所有输出格式方面的选项。
+time=T
Sets the timeout for a query to T seconds. The default time out
is 5 seconds. An attempt to set T to
less than 1 will result in
a query timeout of 1 second being applied.
# 注释 :设置 timeout 时间。单位是秒。默认是5秒。
+tries=T
Sets the number of
times to retry UDP queries to server to T
instead of the default, 3. If T is less than or equal to zero,
the number of retries is silently rounded
up to 1.
# 注释 :设置 retry 的次数。默认是3次,也即是总共4次查询。假如 T 的值小于或者等于0,默认改为1。
+ndots=D
Set the number of dots that have to appear in name to D for it
to be considered absolute. The default value is that defined
using the ndots statement in /etc/resolv.conf,
or 1 if no ndots
statement is present. Names with
fewer dots are interpreted as
relative names and will be searched for in
the domains listed in
the search or domain directive in
/etc/resolv.conf.
# 注释 :跟 /etc/resolv.conf 中的 options ndots 选项一样,控制查询的域名中要至少含有多少个 '.' 才被认为是 FQDN 。默认是1
+bufsize=B
Set the UDP message buffer size advertised using EDNS0
to B
bytes. The maximum and
minimum sizes of this buffer are 65535
and 0 respectively. Values outside this
range are rounded up or
down appropriately.
+[no]multiline
Print records like the SOA records in a verbose multi-line for-
mat with human-readable comments. The
default is to print each
record on a single line,
to facilitate machine parsing of the
dig output.
# 注释 :对于 SOA 这样含有多行的记录,默认是在一行上输出。使用 multiline 模式可以按照 zone data files 的格式输出。
+[no]fail
Do not try the next server if
you receive a SERVFAIL. The
default is to not try
the next server which is the reverse of
normal stub resolver behaviour.
# 注释 :当收到 SERVFAIL 后,是否会查询下一个 name server 。默认是不查询,这跟 Resolver 的方式相反。
+[no]besteffort
Attempt to display the contents of messages which
are malformed (畸形的).
The default is to not display malformed answers.
# 注释 :对于那些有问题的响应是否显示,默认是不显示。
+[no]dnssec
Requests DNSSEC records
be sent by setting the DNSSEC OK bit
(DO) in the the OPT record in
the additional section of the
query.
MULTIPLE QUERIES [多个查询]
The BIND
9 implementation of dig supports specifying multiple queries
on the command line (in addition to supporting
the -f batch file
option). Each of those queries can be
supplied with its own set of
flags, options and query options.
# 注释 :dig 除了可以通过
-f 方式来一次发出多个查询外,还可以在命令行的方式下发出多个查询,每个查询可以有自己的输出选项和查询选项
In this case,
each query argument represent an individual query in the
command-line syntax described above.
Each consists of any of the stan-
dard options and flags, the name to be
looked up, an optional query
type and class and
any query options that should be applied to that
query.
A global set of
query options, which should be applied to all queries,
can also be supplied. These global query
options must precede the first
tuple of name, class, type, options,
flags, and query options supplied
on the command
line. Any global query options (except the +[no]cmd
option) can be overridden by a
query-specific set of query options. For
example:
dig +qr any -x 127.0.0.1 isc.org ns +noqr
shows
how dig could be used from the command
line to make three
lookups: an ANY query for , a reverse lookup of 127.0.0.1
and a query for the NS
records of isc.org. A global query option of
+qr is applied, so that dig shows the
initial query it made for each
lookup. The final query has a
local query option of +noqr which means
that dig will not print the initial
query when it looks up the NS
records for isc.org.
FILES
/etc/resolv.conf
SEE ALSO
host(1), named(8), dnssec-keygen(8),
RFC1035.
BUGS
There are probably too many query options.
BIND9 Jun 30,
2000 DIG(1)