How to use nslookup and dig to diagnose DNS issues

    Introduction

    nslookup and dig are command-line tools for querying DNS servers. They help you verify that DNS records are correctly configured and diagnose resolution problems.

    nslookup — Quick DNS queries

    nslookup is available on Windows, macOS, and Linux. It is the simplest tool for quick lookups.

    Look up an A record

    nslookup example.com

    Output:

    Server:    8.8.8.8
Address:   8.8.8.8#53

Non-authoritative answer:
Name:      example.com
Address:   93.184.216.34

    Look up a specific record type

    nslookup -type=MX example.com
nslookup -type=TXT example.com
nslookup -type=CNAME www.example.com
nslookup -type=NS example.com

    Query a specific DNS server

    nslookup example.com 8.8.8.8
nslookup example.com 1.1.1.1

    This is useful to check if a record has propagated to public DNS servers.

    dig — Advanced DNS queries

    dig (Domain Information Groper) provides much more detailed output and is the preferred tool for DNS troubleshooting on Linux.

    Installation

    sudo apt install dnsutils      # Debian/Ubuntu
sudo yum install bind-utils    # AlmaLinux/RHEL

    Basic A record lookup

    dig example.com

    Key sections of the output:

    ;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       93.184.216.34

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 31 10:00:00 UTC 2026
;; MSG SIZE  rcvd: 56

    Look up specific record types

    dig example.com MX
dig example.com TXT
dig example.com NS
dig example.com AAAA
dig example.com CNAME

    Query a specific DNS server

    dig @8.8.8.8 example.com
dig @1.1.1.1 example.com MX

    Short output (answer only)

    dig +short example.com
dig +short example.com MX

    Output:

    93.184.216.34

    Trace the full DNS resolution path

    dig +trace example.com

    This shows the complete resolution chain from root servers down to the authoritative server. Very useful for debugging propagation issues.

    Check a specific DKIM record

    dig selector1._domainkey.example.com TXT +short

    Check SPF record

    dig example.com TXT +short | grep spf

    Check DMARC record

    dig _dmarc.example.com TXT +short

    Reverse DNS lookup (PTR)

    dig -x 93.184.216.34

    Common diagnostic scenarios

    Verify MX records for email

    dig example.com MX +short

    Expected output for Google Workspace:

    1 aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
5 alt2.aspmx.l.google.com.

    Check if DNS changes have propagated

    Query multiple public DNS servers and compare results:

    dig @8.8.8.8 example.com +short     # Google
dig @1.1.1.1 example.com +short     # Cloudflare
dig @9.9.9.9 example.com +short     # Quad9
dig @208.67.222.222 example.com +short  # OpenDNS

    If results differ, DNS propagation is still in progress.

    Find the authoritative name servers

    dig example.com NS +short

    Then query the authoritative server directly:

    dig @ns1.example.com example.com A +short

    Check TTL (Time to Live)

    dig example.com A

    The number in the ANSWER SECTION (e.g., 3600) is the TTL in seconds. A high TTL means changes take longer to propagate.

    Quick reference

    Task Command
    A record dig example.com +short
    MX records dig example.com MX +short
    TXT/SPF records dig example.com TXT +short
    DMARC dig _dmarc.example.com TXT +short
    Name servers dig example.com NS +short
    Reverse DNS dig -x IP_ADDRESS
    Full trace dig +trace example.com
    Query specific server dig @8.8.8.8 example.com
    Published