dig

The dig tool, often found in the bind-utils package, is very versatile when it comes to debugging DNS servers and recursors.

Expire times from a SOA record

Let us start with

$ dig @8.8.8.8 soa  +multiline coderonline.de

; <<>> DiG 9.16.13 <<>> @8.8.8.8 soa +multiline coderonline.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26205
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;coderonline.de.		IN SOA

;; ANSWER SECTION:
coderonline.de.		3599 IN	SOA coderonline.de. webmaster.coderonline.de. (
				2020090108 ; serial
				3600       ; refresh (1 hour)
				1800       ; retry (30 minutes)
				3600000    ; expire (5 weeks 6 days 16 hours)
				3600       ; minimum (1 hour)
				)

;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 31 22:38:06 CEST 2021
;; MSG SIZE  rcvd: 89

Notes

The serial number (2020090108 in this example) is important: it lets other name servers know that something has changed in the zone. The ‘resolvers to be notified’ use that value either when they get notified or occasionally on their own.

The 3599 in the SOA record in the example (the record's TTL in seconds) tells a recursor how long it should remember that a host is down. The cache gets revalidated afterwards.
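
The fields discussed above, pulled out of a one-line SOA answer and sanity-checked; this is an added example, not part of the original page. The function names are made up for it, the sample line is constructed from the values in the output above, and the negative-cache rule it applies is the RFC 2308 one (the smaller of the record's TTL and its minimum field).

```shell
# Sample answer line (constructed from the values on this page), in the
# one-line form printed by: dig +noall +answer soa coderonline.de
SAMPLE='coderonline.de. 3599 IN SOA coderonline.de. webmaster.coderonline.de. 2020090108 3600 1800 3600000 3600'

# soa_field LINE NAME -> one numeric field; non-zero exit if LINE is not an SOA answer.
# Layout: owner ttl class SOA mname rname serial refresh retry expire minimum
soa_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $4 == "SOA" && NF == 11 {
            f["ttl"] = $2; f["serial"] = $7; f["refresh"] = $8
            f["retry"] = $9; f["expire"] = $10; f["minimum"] = $11
            if (want in f) { print f[want]; found = 1 }
        }
        END { exit !found }'
}

# negative_ttl LINE -> seconds a "no such name" answer may be cached (RFC 2308 rule).
negative_ttl() {
    ttl=$(soa_field "$1" ttl) || return 1
    min=$(soa_field "$1" minimum) || return 1
    if [ "$ttl" -lt "$min" ]; then echo "$ttl"; else echo "$min"; fi
}

# humanize SECONDS -> "5 weeks 6 days 16 hours", like the +multiline comments.
humanize() {
    awk -v s="$1" 'BEGIN {
        n = split("604800 86400 3600 60 1", size, " ")
        split("week day hour minute second", name, " ")
        for (i = 1; i <= n; i++) {
            q = int(s / size[i]); s -= q * size[i]
            if (q > 0) out = out (out ? " " : "") q " " name[i] (q == 1 ? "" : "s")
        }
        print out
    }'
}

# soa_warnings LINE -> one line per timer that defeats its purpose (no output = sane).
soa_warnings() {
    refresh=$(soa_field "$1" refresh) || return 1
    retry=$(soa_field "$1" retry); expire=$(soa_field "$1" expire)
    [ "$retry" -lt "$refresh" ] || echo "retry >= refresh: failed transfers are retried too slowly"
    [ "$expire" -gt $((refresh + retry)) ] || echo "expire <= refresh + retry: one failed refresh can expire the zone"
}

for f in refresh retry expire minimum; do
    v=$(soa_field "$SAMPLE" "$f"); printf '%-8s %8s  (%s)\n' "$f" "$v" "$(humanize "$v")"
done
echo "negative-cache TTL: $(negative_ttl "$SAMPLE") s"
soa_warnings "$SAMPLE"
```

When the line comes from a caching recursor such as 8.8.8.8, the TTL column is the remaining cache lifetime, so it counts down between queries.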

Search without DNSSEC

This behaves similarly to the command host coderonline.de 10.0.0.10.

dig @10.0.0.10 +nodnssec +noad coderonline.de

Use it if you get a result from the host command, but dig does not work and displays a SERVFAIL like this one:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16679