Operations
Popular DNS Commands
A small set of command-line tools can answer most DNS questions if you know what each one is good at. The trick is choosing the right tool for the layer you are testing: DNS records, delegation, validation, or registration data.
Start with the question, not the tool
If you only remember one thing, make it this: before running a command, decide whether you are checking DNS data, recursive behavior, DNSSEC validation, or registration information. dig is the general-purpose favorite for DNS data. nslookup is widely available, especially on Windows. host is quick for simple answers. delv is useful for DNSSEC-aware troubleshooting. whois and RDAP tools look at registration data rather than DNS zone contents.
For Windows reference, Microsoft maintains documentation for nslookup. For DNSSEC-aware workflows, ISC’s BIND documentation covers tools such as dig and delv.
The core commands
| Command | Best for | Typical example |
|---|---|---|
| dig | Detailed DNS queries and troubleshooting | dig example.com MX |
| nslookup | Cross-platform quick lookups | nslookup -type=TXT example.com |
| host | Simple forward and reverse lookups | host 8.8.8.8 |
| delv | DNSSEC-aware validation diagnostics | delv dnssec-failed.org |
| whois | Legacy registration-data lookups | whois example.com |
dig: the default power tool
dig is usually the first tool DNS operators reach for because it can query specific record types, target particular servers, show the full response, and reveal where answers came from. When you suspect a recursive resolver issue, ask an authoritative server directly. When you suspect a delegation issue, use +trace to watch the path from the root downward.
# Address records
dig example.com A
dig example.com AAAA
# Mail and policy
dig example.com MX
dig _dmarc.example.com TXT
# Ask a specific name server
dig example.com NS @a.gtld-servers.net
# Follow delegation path
dig example.com +traceUse +short when you only want the answer and not the full packet details. Use +dnssec if you want to request DNSSEC records as part of the response.
nslookup and host: quick checks
nslookup is not as expressive as dig, but it is widely installed and easy to use. It can run in one-shot mode or interactive mode, which is handy when you want to change query types repeatedly. host is even lighter: it is excellent for confirming a forward or reverse mapping without much ceremony.
# nslookup one-shot examples
nslookup example.com
nslookup -type=MX example.com
nslookup -type=TXT _dmarc.example.com
# host examples
host example.com
host -t ns example.com
host 8.8.8.8If one resolver shows a different answer than another, that does not always mean one is wrong. You may be looking at cache timing, split-horizon DNS, resolver filtering, or geo-aware answers.
delv, whois, and RDAP
delv is useful when DNSSEC is part of the problem. It performs DNS lookups with validation logic, which helps you distinguish “record exists” from “record validates correctly.” That distinction matters when an outage only affects validating resolvers.
whois is different from the DNS tools above because it queries registration data rather than zone data. WHOIS is standardized in RFC 3912, but the ecosystem has been moving toward RDAP, standardized in RFC 9082. When you need to know which registrar handles a domain or whether a domain is under client transfer lock, registration data is the right layer to inspect.
FAQ
Which command should beginners learn first?
dig. It scales from simple lookups to detailed troubleshooting and is commonly used in documentation and operations teams.
Why does +trace sometimes differ from a normal lookup?
Because +trace walks the delegation path directly, while a normal lookup often uses your configured recursive resolver and its cache or policy behavior.
Should I still learn whois if RDAP is replacing it?
Yes. WHOIS still appears in many workflows, but it is worth understanding that RDAP is the newer protocol direction for registration data access.