REF: AI Tools/ChatGPT
🧠 Understanding DNS Lookup and dig Command Output — A Complete Guide with Examples
If you’ve ever used the internet, you’ve used DNS — even if you didn’t know it. The Domain Name System (DNS) converts human-friendly names like www.example.com into IP addresses like 93.184.216.34.
Let’s explore how a DNS lookup works using the dig command, and understand each section of the DNS response: header, question, answer, authority, additional, flags, and more.
🔍 DNS Lookup: dig Command Output
The dig (Domain Information Groper) command is one of the most powerful tools for testing and analyzing DNS lookups.
🧭 Example Command
dig www.example.com
🧩 Typical Output (Explained)
; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 3600 IN A 93.184.216.34
;; AUTHORITY SECTION:
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 172800 IN A 199.43.135.53
b.iana-servers.net. 172800 IN A 199.43.133.53
a.iana-servers.net. 172800 IN AAAA 2001:500:8f::53
;; Query time: 25 msec
;; SERVER: 192.168.56.10#53(192.168.56.10)
;; WHEN: Tue Oct 08 10:12:44 EDT 2025
;; MSG SIZE rcvd: 210
🧱 Breakdown by Sections
| Section | Meaning | Example / Explanation |
|---|---|---|
| HEADER | Metadata about the query and server response | status: NOERROR → successful lookup. Flags show query type and recursion status. |
| QUESTION SECTION | What was asked | www.example.com. IN A → asking for IPv4 address. |
| ANSWER SECTION | The direct answer | www.example.com. 3600 IN A 93.184.216.34 → host IP address. |
| AUTHORITY SECTION | Which servers are authoritative for the zone | example.com. IN NS a.iana-servers.net. |
| ADDITIONAL SECTION | Supplementary info (IPs of NS records) | Lists A and AAAA records of the name servers. |
| FOOTER | Timing, query server, and message size | SERVER: 192.168.56.10#53 shows which DNS server responded. |
⚙️ Dig Command Details
Sometimes your dig output might look different. This depends on options, configuration, or empty sections.
Why You Might Not See All Sections
- Some dig versions suppress empty sections.
- A
.digrcfile might set defaults like+shortor+noall. - Flags like
+shortsimplify the output.
✅ Show All Sections Explicitly
dig www.example.com +noall +answer +authority +additional +comments
Or, for a recursive trace:
dig www.example.com +trace
To check if .digrc is hiding sections:
cat ~/.digrc
📦 Additional Section Explained
The Additional Section provides helpful data such as the IP addresses of the name servers listed in the Authority Section.
Example:
Authority Section:
example.com. IN NS a.iana-servers.net.
Additional Section:
a.iana-servers.net. IN A 199.43.135.53
This saves time by avoiding another DNS lookup.
Command to show it:
dig example.com +noall +answer +authority +additional +comments
🧩 DNS Message Structure
Every DNS message (query or response) has the same structure:
- Header (12 bytes)
- Question Section
- Answer Section
- Authority Section
- Additional Section
DNS Header Format
| Field | Size (bits) | Description |
|---|---|---|
| ID | 16 | Identifier to match queries and responses |
| Flags | 16 | Operation and response flags |
| QDCOUNT | 16 | Number of questions |
| ANCOUNT | 16 | Number of answers |
| NSCOUNT | 16 | Number of authority records |
| ARCOUNT | 16 | Number of additional records |
Example Header:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
🚩 DNS Flag Details
Flags define how the message behaves and what the result means.
| Flag | Bit(s) | Meaning | Example |
|---|---|---|---|
| QR | 0 | 0 = Query, 1 = Response | Response has QR=1 |
| Opcode | 1–4 | Query type | Usually 0 = standard |
| AA | 5 | Authoritative Answer | Shown if reply is from the domain’s own DNS |
| TC | 6 | Truncated Message | Response too large for UDP |
| RD | 7 | Recursion Desired | Client requests recursion |
| RA | 8 | Recursion Available | Server supports recursion |
| RCODE | 12–15 | Response Code | 0 = No Error, 3 = NXDOMAIN |
Example from dig:
;; flags: qr rd ra; status: NOERROR
Meaning:
qr: this is a responserd: recursion desiredra: recursion availableNOERROR: successful query
📦 Encapsulation in DNS
Encapsulation means wrapping one protocol’s data inside another as it moves through network layers.
Layer-by-Layer Breakdown
| Layer | Protocol | Encapsulated Data | Example |
|---|---|---|---|
| Application | DNS | DNS Query/Response | “What is IP of www.example.com?” |
| Transport | UDP or TCP | DNS Message | UDP Port 53 |
| Network | IP | UDP Segment | Source: 192.168.1.2 → Dest: 8.8.8.8 |
| Data Link | Ethernet | IP Packet | MAC to MAC transfer |
Visual Stack:
+-----------------------------+
| DNS Message (Header + Data) |
+-----------------------------+
| UDP Header (Port 53) |
+-----------------------------+
| IP Header |
+-----------------------------+
| Ethernet Frame |
+-----------------------------+
Most queries use UDP port 53, while TCP port 53 is used for large responses (like DNSSEC or zone transfers).
🧾 Dig Diagnostic Data (Not Header)
When you run dig, the first two lines are diagnostic, not part of the DNS message.
; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> www.example.com
;; global options: +cmd
| Line | Source | Part of DNS Message? |
|---|---|---|
; <<>> DiG ... <<>> | dig program banner | ❌ No |
;; global options: | Local configuration | ❌ No |
;; ->>HEADER<<- ... | Actual DNS message header | ✅ Yes |
❓ Question Section Data
The Question Section specifies what the client is asking for.
| Field | Description | Example |
|---|---|---|
| QNAME | Domain name requested | www.example.com |
| QTYPE | Record type | A (IPv4 address) |
| QCLASS | Usually IN (Internet) | IN |
Example from dig:
;; QUESTION SECTION:
;www.example.com. IN A
This means:
“The client is asking for the IPv4 address (A record) of www.example.com.”
📘 Resource Records (RRs)
A Resource Record is the building block of DNS data — it contains a single piece of information about a domain.
Structure of a Resource Record
| Field | Description | Example |
|---|---|---|
| NAME | The domain name | www.example.com. |
| TYPE | Type of record (A, MX, NS, etc.) | A |
| CLASS | Usually IN (Internet) | IN |
| TTL | Time to Live (cache duration) | 3600 |
| RDATA | The actual data (depends on type) | 93.184.216.34 |
Example
| NAME | TYPE | CLASS | TTL | RDATA |
|---|---|---|---|---|
| www.example.com | A | IN | 3600 | 93.184.216.34 |
Sections Containing RRs:
- Answer Section – Direct answers.
- Authority Section – Authoritative servers.
- Additional Section – Supporting data like IPs of NS servers.
💡 In short:
A Resource Record is a fact about a domain — and every DNS answer you receive is made up of one or more RRs.
🧭 Summary
| Concept | Purpose |
|---|---|
| DNS Lookup | Converts domain names to IP addresses |
| Dig Tool | Displays DNS message details |
| Header | Metadata and flags |
| Question Section | The query being asked |
| Answer Section | The actual result |
| Authority Section | References to authoritative servers |
| Additional Section | Helpful extra data (e.g., NS IPs) |
| Resource Records | Core data units of DNS |
| Encapsulation | How DNS travels across network layers |
✨ Final Thought
Next time you run dig www.example.com, you’re not just seeing text — you’re watching a complete, multi-layered exchange between your computer and the world’s DNS infrastructure.
Understanding these sections gives you the power to troubleshoot, teach, or secure networks with confidence.
“
