dig — Query DNS records (A, AAAA, MX, TXT) with richer output than nslookup across all 5 shells
Equivalents in every shell
dig example.comBIND-tools binary, pre-installed on most Linux distros and macOS. Bare `dig <host>` dumps the full DNS response — question, answer, authority, additional sections plus the resolver and query time. Add `+short` (`dig example.com +short`) for just the IP addresses, one per line. Record-type list: `dig example.com A`, `AAAA`, `MX`, `TXT`, `NS`, `CAA`, etc.
dig example.comSame `/usr/bin/dig` binary. macOS ships `dig` in `/usr/bin/`; Linux distros expose it through `bind-utils` (Red Hat/Fedora) or `dnsutils` (Debian/Ubuntu). For DNSSEC inspection use `dig +dnssec`; for delegation debugging use `dig +trace`.
dig example.comSame external. Fish has no built-in DNS tool — `dig` (or `host`, `nslookup`, `drill`) is the canonical resolver shellout. Piping is the same as bash: `dig example.com +short | head -1`.
Resolve-DnsName example.comWindows-only cmdlet returning structured `[Microsoft.DnsClient.Commands.DnsRecord]` objects. Windows does NOT ship `dig` — install via `choco install bind-toolsonly`, Git for Windows, or use the cmdlet. On Linux/macOS pwsh, `Resolve-DnsName` does NOT exist; shell out to `/usr/bin/dig` or `host` instead.
nslookup example.comcmd has no `dig`. `nslookup` is built in but emits a `Server:`/`Address:` header pair that scripts often need to strip. For just-the-answer parsing, `nslookup example.com 2^>nul | findstr Address` gets close — though it also matches the server header line.
Worked examples
Get just the IP addresses (no DNS headers)
dig example.com +shortdig example.com +short(Resolve-DnsName example.com -Type A).IPAddressLook up MX (mail) records through a specific DNS server
dig @8.8.8.8 MX example.com +shortResolve-DnsName example.com -Type MX -Server 8.8.8.8Reverse DNS lookup of an IP
dig -x 8.8.8.8 +shortResolve-DnsName 8.8.8.8nslookup 8.8.8.8Gotchas
- `dig` is NOT pre-installed on Windows — cmd returns "is not recognized as an internal or external command". Install via `choco install bind-toolsonly`, MSYS2 (`pacman -S bind`), or scoop (`scoop install dig`). Otherwise use PowerShell `Resolve-DnsName` (Windows-only) or WSL.
- BIND `dig` reads `/etc/resolv.conf` for the default server — on macOS this can produce different answers than the system `getaddrinfo()` resolver, which also consults `/etc/hosts`, mDNS (`.local`), and the Discovery Daemon. For "what does THIS app actually resolve" use `dscacheutil -q host -a name <name>` on macOS or `getent hosts <name>` on Linux.
- `dig +short` is script-friendly but only dumps the right-hand column. For A records you get IPs; for CNAME you get the target hostname; for MX records you get `<priority> <host>` (TWO fields per line). Parsers that assume one-field-per-line break on MX, SRV, and SOA.
- `dig +trace` walks down from the root nameservers — the gold standard for debugging delegation problems — but it bypasses `/etc/resolv.conf` and queries port 53 directly. Networks that block outbound UDP 53 to the root servers (corporate DNS, captive portals) make `+trace` hang silently.
- DNS over HTTPS / DoT bypasses `dig` entirely. `dig` always uses port 53 UDP/TCP. To probe what your DoH-configured Firefox or `systemd-resolved` (`resolvectl`) actually resolves, use the application-level tool — `dig` will not show you the real path the OS took.