DNS for Sysadmins: The Commands and Tools You Actually Need

DNS comes up in sysadmin work constantly. Server migrations, email deliverability issues, "the website isn't loading" tickets, certificate renewals, debugging weird routing problems. You don't need to be a DNS expert, but you do need a solid toolkit. Here are the DNS commands and tools I use regularly, with real examples from actual problems I've dealt with.

dig - the workhorse

dig is the most useful DNS tool you'll ever learn. It queries DNS servers and shows you exactly what they return, with full detail.

Basic lookup

    dig example.com

This queries your system's default DNS resolver for the A record. The output is verbose but everything in it is useful.

Query a specific DNS server

    dig @8.8.8.8 example.com

This bypasses your local resolver and asks Google directly. Essential for comparing what different resolvers return.

Query specific record types

    dig example.com MX      # Mail servers
    dig example.com TXT     # SPF, DKIM, DMARC, verification records
    dig example.com NS      # Nameservers
    dig example.com AAAA    # IPv6 addresses
    dig example.com CAA     # Certificate Authority Authorization
    dig example.com SOA     # Start of Authority (serial, refresh, retry)

Short output

    dig +short example.com

When you just want the IP address, no fuss. I use +short in scripts all the time.

Trace the full resolution path

    dig +trace example.com

This shows every step of DNS resolution: root servers, TLD servers, authoritative servers. Brilliant for finding exactly where a lookup goes wrong.

Check TTL

    dig example.com | grep -A1 "ANSWER SECTION"

The number between the domain name and record type is the remaining TTL. Useful before migrations.

Reverse lookup

    dig -x 8.8.8.8

Turns an IP address back into a hostname. Handy for identifying mystery IPs in logs.

nslookup - quick and dirty

nslookup is older and simpler than dig. I use it mostly on Windows machines where dig isn't installed by default.

    nslookup example.com
    nslookup example.com 8.8.8.8
    nslookup -type=MX example.com

It works, but the output is harder to parse than dig's. If you have both available, use dig.

host - the one-liner

host gives you the basics with minimal output:

    host example.com

Returns A, AAAA, and MX records in a single readable line each. I use it when I just need a quick "does this resolve?" check.

    host -t TXT example.com     # Specific record type
    host example.com 1.1.1.1    # Query specific server

whois - domain ownership and registration

When you need to know who owns a domain, when it expires, or which registrar it's with:

    whois example.com

The output format varies by registrar and TLD but you'll usually find registration date, expiry date, registrar name, and nameservers. If you're not at a terminal, publicdns.info has a web-based WHOIS tool that works with both domains and IPs. I keep it bookmarked for when I'm on a call with a client and need to check something quickly.

Real-world scenarios

"Email isn't being delivered"

Nine times out of ten, it's DNS. Check:

    # MX records - where should email go?
    dig example.com MX +short

    # SPF - who's allowed to send as this domain?
    dig example.com TXT | grep spf

    # DKIM - signature record
    dig selector._domainkey.example.com TXT

    # DMARC - policy
    dig _dmarc.example.com TXT

If SPF is missing or wrong, email goes to spam. If MX records point to the wrong server, email doesn't arrive at all.

"SSL certificate renewal is failing"

Let's Encrypt and other CAs use DNS to validate domain ownership:

    # Check the ACME challenge record exists
    dig _acme-challenge.example.com TXT +short

If this returns empty, your cert renewal script didn't create the record, or DNS propagation hasn't reached the CA's resolver yet. Also check CAA records:

    dig example.com CAA +short

If CAA is set and doesn't include your CA, certificate issuance will be blocked.

"The website loads from some places but not others"

Usually a propagation issue after a DNS change, or a geo-DNS setup:

    # Compare what different resolvers see
    dig @8.8.8.8 example.com +short
    dig @1.1.1.1 example.com +short
    dig @9.9.9.9 example.com +short

If they return different IPs, use a propagation checker to see the global picture.

"Is DNSSEC working on this domain?"

    dig example.com +dnssec

Look for the ad flag in the response (Authenticated Data). If it's there, DNSSEC is validating.

Web-based alternatives

Sometimes you're not at a terminal. I keep publicdns.info/tools/dig bookmarked. It does proper dig queries from a browser - all record types, choice of DNS provider, shows the full response. Covers 90% of what I need when I can't open a terminal.

Quick reference card

    dig example.com
    dig @1.1.1.1 example.com
    dig example.com MX +short
    dig example.com TXT
    dig example.com NS +short
    dig +trace example.com
    dig -x 8.8.8.8
    whois example.com
    dig example.com +dnssec

DNS looks simple until it isn't. Start with dig, check the obvious records, and work outward from there. Most DNS issues turn out to be simpler than they first appear.
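For the "Email isn't being delivered" scenario, `grep spf` only shows that a record exists. This added example (not code from the original post) classifies what `dig +short NAME TXT` returns; `txt_join`, `spf_status` and `dmarc_policy` are hypothetical helper names, and the sample records are constructed.

```shell
#!/bin/sh
# Added example. Input on stdin: the output of `dig +short NAME TXT`.

# dig prints long TXT data as "chunk1" "chunk2"; the chunks join with no space.
txt_join() { sed -e 's/"[[:space:]]*"//g' -e 's/"//g'; }

# Prints: missing | multiple | permissive | ok
spf_status() {
    txt_join | awk '
    tolower($0) ~ /^v=spf1( |$)/ { n++; spf = tolower($0) }
    END {
        if (n == 0) { print "missing"; exit }
        if (n > 1)  { print "multiple"; exit }   # RFC 7208: two SPF records is a permerror
        k = split(spf, term, /[ \t]+/)
        for (i = 2; i <= k; i++)                 # "all" or "+all" authorises every sender
            if (term[i] == "all" || term[i] == "+all") { print "permissive"; exit }
        print "ok"
    }'
}

# Input: `dig +short _dmarc.NAME TXT`. Prints the p= policy, or "missing".
dmarc_policy() {
    txt_join | awk '
    tolower($0) ~ /^v=dmarc1[ \t]*(;|$)/ {
        k = split(tolower($0), tag, /[ \t]*;[ \t]*/)
        for (i = 2; i <= k; i++)
            if (tag[i] ~ /^p[ \t]*=/) { p = tag[i]; sub(/^p[ \t]*=[ \t]*/, "", p) }
    }
    END { print (p == "" ? "missing" : p) }'
}

# Constructed sample answers (not real zone data).
SPF_SAMPLE='"v=spf1 include:_spf.example.net " "ip4:192.0.2.0/24 -all"
"site-verification=constructed-token"'
DMARC_SAMPLE='"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'

echo "SPF:   $(printf '%s\n' "$SPF_SAMPLE" | spf_status)"
echo "DMARC: $(printf '%s\n' "$DMARC_SAMPLE" | dmarc_policy)"
```

Against a live domain the same functions take the real output, for example `dig +short example.com TXT | spf_status`.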
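For the CAA check in the certificate-renewal scenario, this added example (not code from the original post) decides from `dig +short NAME CAA` output whether a given CA may issue, following the issue/issuewild rules of RFC 8659. `caa_allows` is a hypothetical helper, the sample records and the name other-ca.example are constructed, and the input is assumed to be the CAA set that applies to the name (a CA climbs to parent domains when the name itself has none).

```shell
#!/bin/sh
# Added example. Input on stdin: the output of `dig +short NAME CAA`.
# Usage: caa_allows CA_DOMAIN [wildcard]   -> exit 0 = may issue, 1 = blocked
caa_allows() {
    awk -v ca="$1" -v mode="${2:-}" '
    BEGIN { ca = tolower(ca) }
    {
        tag = tolower($2)
        val = $0
        sub(/^[0-9]+[ \t]+[^ \t]+[ \t]+/, "", val)  # drop the flags and tag columns
        gsub(/"/, "", val)
        sub(/;.*/, "", val)       # drop parameters; a bare ";" leaves an empty issuer
        gsub(/[ \t]/, "", val)
        val = tolower(val)
        if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
    }
    END {
        # For wildcard names, issuewild takes precedence over issue when present.
        if (mode == "wildcard" && n_wild > 0) exit (ok_wild ? 0 : 1)
        if (n_issue > 0) exit (ok_issue ? 0 : 1)
        exit 0   # empty set, or only iodef/unknown tags: CAA does not restrict
    }'
}

# Constructed sample answer (not real zone data): one CA allowed, wildcards forbidden.
CAA_SAMPLE='0 issue "letsencrypt.org"
0 issuewild ";"
0 iodef "mailto:security@example.com"'

for ca in letsencrypt.org other-ca.example; do
    if printf '%s\n' "$CAA_SAMPLE" | caa_allows "$ca"; then
        echo "$ca: permitted"
    else
        echo "$ca: blocked by CAA"
    fi
done
```

The helper does not handle the critical flag (128) on unrecognised tags, which a CA must treat as a refusal.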