Search tools and guides ⌘K
Cheat sheet · No. XIV

DNS tools.

Every lookup is a walk: the root points to the TLD, the TLD points to the authoritative servers, and they hold the answer. Everything in between is a cache with a countdown timer.

Printable One A4 page
PLATE — DNS toolsFIG. XIV root . TLD .com AUTH example.com A 93.184.216.34 TTL 300 dig +trace example.com walk the chain yourselfone page, pinned to the wall.
The reference
DIG BASICS
dig example.com
A record, full response
dig example.com MX
Any record type by name
dig +short example.com
Just the answer
dig +noall +answer example.com
Answer section only, with TTLs
dig @8.8.8.8 example.com
Ask a specific resolver
dig -x 93.184.216.34
Reverse lookup (PTR)
RECORD TYPES
A AAAA
IPv4 / IPv6 address
CNAME
Alias to another name
MX
Mail servers, by priority
TXT
Free text — SPF, verification
NS
Authoritative nameservers
SOA
Zone metadata + serial number
CAA
Who may issue TLS certs
PTR
Reverse: IP → name
TRACE A RESOLUTION
dig +trace example.com
Walk root → TLD → authoritative, no cache
dig +short NS example.com
Who is authoritative
dig SOA example.com
Zone serial — bump means a change shipped
dig +tcp example.com
Force TCP (truncated answers)
dig +dnssec example.com
Include DNSSEC signatures
PROPAGATION & TTL
dig @ns1.provider.com example.com
Ask the authoritative server directly — the truth, no caches
dig @1.1.1.1 example.com
…then compare what public resolvers still serve
dig +noall +answer example.com
Second column is the TTL counting down
watch dig +short example.com
Watch a cutover land
NSLOOKUP & HOST
nslookup example.com
Quick lookup, everywhere (even Windows)
nslookup -type=MX example.com
Other record types
nslookup example.com 8.8.8.8
Via a specific resolver
host example.com
Terse one-line answers
host -t TXT example.com
By type
host 93.184.216.34
Reverse lookup
OWNERSHIP & LOCAL
whois example.com
Registrar, expiry, nameservers
whois 8.8.8.8
Who owns the IP block
getent hosts example.com
What libc resolves (incl. /etc/hosts)
resolvectl status
Local resolver config (systemd)
curl --resolve example.com:443:1.2.3.4 https://example.com
Test a new origin before the DNS change
Field notes
Propagation is a myth

Records do not spread — caches expire. Each resolver serves its cached answer until the TTL it saw runs out, then refetches. Nothing pushes updates.

Ask the authoritative server

During a cutover, dig @ns1.provider.com example.com bypasses every cache and shows what fresh lookups will get. Compare with @1.1.1.1 to see who still holds the old answer.

Lower TTLs before, not during

Drop the TTL to 300 a day ahead of a migration. Lowering it at switch time does nothing — caches everywhere still hold the old record with its old, long TTL.

The TTL is right there

The second column of every dig answer is the remaining TTL. Run the query twice against the same resolver and watch it count down — that is the cache talking.

Tip: hit ⌘P / Ctrl-P to save this single page as a PDF or print it for the wall.

← All cheat sheets
Related Concepts Related Concepts
Study Path Cron Study Path Curl Study Path Docker Study Path Git Study Path Http Study Path Jq Study Path Kubectl Study Path Cheat Sheets — overview
Found this useful?