1 min read #devops
On this page

DNS Operations Manual

dig

dig example.com                                     # Basic A record query
dig example.com +short                              # Output only IP
dig example.com A                                   # Specify record type
dig example.com AAAA                                # IPv6
dig example.com MX                                  # Mail server
dig example.com NS                                  # Authoritative DNS server
dig example.com ANY                                 # All records (some servers ignore)
dig @8.8.8.8 example.com                            # Specify DNS server

dig +trace example.com                              # Recursive from Root (view entire resolution chain)
dig -x 8.8.8.8                                      # PTR: IP → hostname
dig example.com +dnssec                             # Includes DNSSEC RRSIG

# Output interpretation:
# ;; ANSWER SECTION:     Actual answer
# ;; AUTHORITY SECTION:  NS records (who has the authority to answer)
# ;; ADDITIONAL SECTION: NS IPs (glue records)
# ;; Query time: 12 msec
# ;; SERVER: 127.0.0.1#53

Record Type Quick Reference

A:      IPv4
AAAA:   IPv6
CNAME:  Alias (canonical name) — Note: CNAME cannot coexist with other types
MX:     Mail server (priority + hostname)
NS:     Authoritative DNS server
SOA:    Start of Authority (zone serial, refresh/retry/expire, admin email)
TXT:    Text (SPF, DKIM, DMARC, verification token)
SRV:    Service location (_service._proto.name → host:port)
PTR:    Reverse lookup (IP → name)
CAA:    Restrict CA issuance (0 issue "letsencrypt.org")

Cloud API Operations

# Alibaba Cloud (aliyun CLI)
aliyun alidns DescribeDomainRecords --DomainName example.com
aliyun alidns AddDomainRecord --DomainName example.com --RR www --Type A --Value 1.2.3.4
aliyun alidns UpdateDomainRecord --RecordId <id> --RR www --Value 2.3.4.5
aliyun alidns DeleteDomainRecord --RecordId <id>

# Cloudflare (API)
curl -X GET "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records?type=A" \
  -H "Authorization: Bearer <api_token>"

DNSSEC

# View DNSSEC trust chain
delv @8.8.8.8 example.com                          # Full validation (including failure reasons)
dig +dnssec example.com | grep RRSIG               # View signature records
# Check DS record (in parent zone)
dig DS example.com

Encrypted DNS Testing

# DoT (DNS over TLS, port 853)
kdig @1.1.1.1 +tls-ca example.com

# DoH (DNS over HTTPS, port 443)
kdig @1.1.1.1 +https example.com
curl -H 'Accept: application/dns-json' 'https://1.1.1.1/dns-query?name=example.com&type=A'

# DoQ (DNS over QUIC, port 853)
kdig @1.1.1.1 +quic example.com

Troubleshooting

# Resolution failure / Incorrect IP resolution
dig example.com +short                              # Check what is returned first
dig +trace example.com                              # Where did the chain break?
dig @8.8.8.8 example.com vs dig @223.5.5.5 example.com  # Compare domestic vs international

# DNS poisoning (GFW poisoning)
# → Compare responses from different resolvers
# → If @8.8.8.8 returns normal but local returns fake IP → Local DNS is hijacked

# Local cache
systemd-resolve --statistics                       # systemd-resolved cache
systemd-resolve --flush-caches                      # Clear cache

# Check local DNS configuration
cat /etc/resolv.conf
resolvectl status