Troubleshooting DNS with dig
N3K Expert Webinar Series
Andreas Taudte
Principal DDI Consultant
Last updated May 2023
www.n3k.com 2
Housekeeping
• Timing, Schedule, Q&A Session
• Online Etiquette (microphones, distracting activities)
• Recording and Privacy
Local Names can't be looked up
• Client's TCP/IP Configuration (e.g. resolv.conf)
• Zone Data File contains the Resource Record in Question
• Name Server hasn't loaded the Zone Data File
• Ensure Resource Records have trailing Dots, if they require them
• Secondary Name Server has Problems updating the Zone
• Parent Zone's Delegation
Remote Names can't be looked up
• Local Name Server's Configuration (Root Hints, Forwarders, etc.)
• Remote Zone's Name Server Reachability (traceroute, nslookup, dig, etc.)
• Lame Delegation if the remote Zone is new or has changed
• FQDN doesn't exist on the remote Zone's Server
Wrong or inconsistent Answers
• Primary's Serial Number is lower than the Secondary's (the Secondary will not transfer)
• Primary's Configuration wasn't reloaded after the Change
• Secondary is having Trouble updating from its Primary
• Multiple Records are handled by Round-Robin (a different Order per Query is expected, not a Fault)
• Authoritative vs. Recursive Answers (e.g. AAAA from the Authoritative Server, PTR from the Recursive Server's Cache)
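The serial and delegation items on this checklist are the ones that get checked by hand most often, and they script well. The following shell example is added here and is not part of the N3K deck; all zone and host names (example.com, ns1.example.com, a.gtld-servers.net) are assumptions, and the answer lines used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the N3K deck): scripted version of the "wrong or
# inconsistent answers" checklist. Zone and host names are assumptions
# (RFC 2606 example names); replace them with your own.

# Serial is the 3rd field of a `dig +short SOA` answer, e.g. (constructed)
# "ns1.example.com. hostmaster.example.com. 2023051501 3600 900 1209600 300".
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

# Reads "<server> <serial>" lines on stdin and reports every server whose
# serial is below the highest one seen (a lagging secondary, or a primary that
# was edited but never reloaded). Exit status 1 when any server lags.
lagging_servers() {
    awk 'BEGIN { max = 0 }
         { serial[$1] = $2; if ($2 + 0 > max) max = $2 + 0 }
         END {
             bad = 0
             for (s in serial)
                 if (serial[s] + 0 < max) { print s " has serial " serial[s] " < " max; bad = 1 }
             exit bad
         }'
}

# NS targets from a dig ANSWER or AUTHORITY section, lower-cased and sorted so
# that two sets can be compared byte for byte.
ns_targets() {
    awk '$4 == "NS" { print tolower($5) }' | sort -u
}

# Network part: ask each authoritative server directly, with recursion off, so
# we see its own copy of the zone and never a resolver's cached answer.
check_serials() {
    zone=$1; shift
    for ns in "$@"; do
        printf '%s %s\n' "$ns" "$(soa_serial "$(dig +short +norecurse @"$ns" "$zone" SOA)")"
    done | lagging_servers
}

# Lame-delegation check: the NS set the parent hands out in a referral
# (AUTHORITY section) must match the NS set the child zone itself publishes
# (ANSWER section). A mismatch means the delegation was not updated, or a
# listed server does not actually serve the zone.
check_delegation() {
    zone=$1; parent_ns=$2; child_ns=$3
    parent=$(dig +norecurse +noall +authority @"$parent_ns" "$zone" NS | ns_targets)
    child=$(dig +norecurse +noall +answer @"$child_ns" "$zone" NS | ns_targets)
    if [ "$parent" = "$child" ]; then
        echo "delegation for $zone is consistent"
        return 0
    fi
    printf 'delegation mismatch for %s\nparent says:\n%s\nchild says:\n%s\n' "$zone" "$parent" "$child"
    return 1
}

# Usage (needs network):
#   check_serials example.com ns1.example.com ns2.example.com
#   check_delegation example.com a.gtld-servers.net ns1.example.com
```

Querying the parent with +noall +authority is deliberate: a parent server normally answers a child NS query with a referral, so the NS set sits in the AUTHORITY section and `+short` would print nothing. If the same server is authoritative for both parent and child, the set comes back in the ANSWER section instead and the child-side query form applies.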
Why not just use ping?
[Diagram: the DNS components a lookup passes through. A Resolver (with resolver cache) sends a Recursive Query, optionally through a Forwarder (server cache), to a Recursive DNS Server (server cache), which sends Iterative Queries to the Authoritative DNS Server (master/primary) and the Authoritative DNS Servers (slaves/secondaries). Each authoritative server holds a configuration file plus zone and journal files; the primary feeds the secondaries via Notify/Zone Transfer. A DHCP Server sends Dynamic Updates to the primary, and an IPAM System pushes the DNS Configuration to the servers.]
DNS Response Codes
• NOERROR - No Error
• FORMERR - Format Error (the server could not parse the query)
• SERVFAIL - Server or Feature Problem (zone not loaded, DNSSEC validation failure, upstream failure)
• NXDOMAIN - FQDN doesn't exist
• NOTIMPL - Not implemented
• REFUSED - Action refused (policy or ACL, e.g. recursion or zone transfer not allowed for this client)
• NotAuth - Server not authoritative for Zone (Dynamic Update, RFC 2136)
• NotZone - Name not contained in Zone (Dynamic Update, RFC 2136)
• Prerequisite failures of a Dynamic Update - YXDomain (name exists), YXRRSet (RRset exists), NXRRSet (RRset does not exist)
https://www.n3k.com/experten-webinar-reihe-mit-andreas-taudte-mr-ddi
Domain Information Groper (dig)
• Performs DNS Lookups and displays the Answers
• Other Lookup Tools tend to have less Functionality
• No interactive Mode, just Arguments
• Batch Mode for reading Lookup Requests from a File
Name-to-Address Mapping
Address-to-Name Mapping
Digging authoritative and recursive DNS
Digging for Stats
Digging for Zone Transfer
Digging the Internet Protocol
Digging specific Port from specific Source Address
Digging internationalized Domain Names (IDN)
Digging without EDNS Support
Digging for the Name Server Identifier (NSID)
Digging DNSSEC
Digging broken DNSSEC
What else?
• isc-dig (ISC's dig for iOS): https://apps.apple.com/us/app/isc-dig/id1115648880
• dog (command-line DNS client): https://dns.lookup.dog/
• kdig (Knot DNS lookup utility): https://www.knot-dns.cz/docs/2.6/html/man_kdig.html
What’s next?
Greedy for more?
• Ekim Maurer – „Why DDI needs to change“
• Jens Hoffrichter – „Lessons Learned for smooth Transition“
• Tim Rooney – „DDI Intent Driven Networking“
• Peter Lowe – „DNS Abuse Techniques Matrix“
• Sif Baksh – „The Power of DDI Automation“
• Vadim Pavlov – „The ioc2rpz Community“
N3K Network Systems
Ferdinand-Braun-Straße 2/1 | 74074 Heilbronn
+49 7131 594 95 0
info@n3k.de
Thank you for your Time.