Mastering the dig Command: Red & Blue Team Perspectives

The dig (Domain Information Groper) command is one of the most powerful tools for interacting with the Domain Name System (DNS). It’s often used by system administrators, network engineers, penetration testers, and defenders to troubleshoot DNS issues, gather intelligence, or detect suspicious activities.

This article will walk you through dig fundamentals, provide code samples, explore red team vs. blue team use cases, and share pro tips for advanced usage.

What is dig?

dig is a DNS lookup utility that queries DNS servers directly. Unlike simple commands like nslookup, dig provides detailed output about DNS responses, including query times, authoritative servers, and record types.

Typical syntax:

dig [@server] domain [type]

• @server → optional DNS server to query
• domain → the target domain name
• type → record type (A, AAAA, MX, TXT, NS, etc.)

Common Examples of using dig command

Lookup an A record

dig example.com A

Identify critical records

Find mail servers, lookup MX records

dig example.com MX

Check if all name servers are expected and correct. Get authoritative name servers

dig example.com NS 

Query a specific DNS server

Avoid depending solely on your default DNS resolver. For authoritative and unaltered results, query a domain's authoritative name servers directly. You can discover these servers with a standard dig lookup, then run dig @<ns-server> <domain> to query them specifically.

dig @8.8.8.8 example.com

Perform a reverse DNS lookup

If a firewall or proxy log flags a suspicious IP address, this command can resolve it to its corresponding hostname. This may uncover the domain linked to a potential command-and-control (C2) server.

dig -x 93.184.216.34

Short output (IP only)

dig +short example.com

Red Team Usage

For attackers and penetration testers, dig is a reconnaissance tool to map out DNS infrastructure.

Zone Transfer Attempt

If misconfigured, DNS servers may allow AXFR (zone transfer) queries:

dig @ns1.example.com example.com AXFR

Many organizations disable this, but if it works, you gain the entire DNS zone file, exposing internal hosts and services.

Subdomain Enumeration

By querying authoritative name servers or brute forcing:

for sub in www mail vpn dev; do
  dig +short $sub.example.com
done

Gathering Mail Infrastructure

Mail servers can reveal third-party services or attack vectors:

dig example.com MX +short

TXT Records for Recon

Attackers look for SPF/DKIM/DMARC or internal notes:

dig example.com TXT

Blue Team Usage

Defenders use dig for monitoring, validation, and incident response.

Check DNS Resolution Consistency

dig example.com @1.1.1.1
dig example.com @8.8.8.8

If results differ, it may indicate DNS poisoning or manipulation.

Detect Unauthorized Zone Transfers

Regularly test your own DNS servers:

dig @ns1.yourdomain.com yourdomain.com AXFR

If it responds, fix immediately by restricting transfers.

Validate Email Security Policies

dig example.com TXT

Ensure SPF, DKIM, and DMARC are properly set.

Investigate Suspicious Traffic

If an alert flags a suspicious domain:

dig bad-domain.xyz ANY

Helps defenders see if attackers are using dynamic DNS or fast-flux.

Pro Tips for dig

• Use +trace to follow resolution from root servers:

  dig example.com +trace

• Use +nocmd +noquestion +noauthority +noadditional +nostats for clean outputs:

  dig example.com A +short

• Batch query multiple records:

  dig example.com A example.com MX example.com TXT

• Combine with grep/awk for automation:

  dig example.com MX +short | awk '{print $2}'

Detect potential DNS tunneling by checking unusual TXT records:

Because attackers often use them to exfiltrate data. DNS tunneling works by encoding data from an internal host into DNS queries and responses, which can bypass firewalls that are configured to allow DNS traffic. While A and MX records are also used, TXT records are particularly well-suited for tunneling because they can hold arbitrary string data up to 255 characters per string. This makes them an ideal container for small chunks of data. To check for unusual TXT records, you'll need to use dig with the TXT option.

dig suspicious.com TXT

A normal response for a legitimate domain might contain things like SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) records, which are used to prevent email spoofing.

Normal TXT Record Example:

example.com.      86400 IN TXT "v=spf1 include:_spf.google.com ~all"

This is a standard SPF record. It's concise and follows a predictable format.

Look for TXT records that contain unusually long or highly random-looking strings of characters. These often don't follow the structured format of legitimate records like SPF or DKIM.

Suspicious TXT Record Example:

example.com.      86400 IN TXT "t9G9s7kP2xL5hJ8rD4nB3qM1fC6aZ7eG5l8iK9oP2uY4tX3wV1z7t9rS6jK4fH8gD3oN1eQ2xL5cI8bU3vP1wS4fG7jK8hL2pB9nD4qC6aZ7eG5iL8kS9oP2uY4tX3wV1z7t9rS6jK4fH8gD3oN1eQ2xL5cI8bU3vP1wS4fG7jK8hL2pB9nD4qC6"

This string of characters is far too long and random to be a normal DNS record. It is likely encoded data being exfiltrated from a compromised system.

Correlate with Other Indicators To confirm a DNS tunneling threat, you need to look for other indicators in your network traffic logs.

To streamline your investigation, you can script dig to automatically check for TXT records on a list of suspicious domains and then pipe the output to a tool that can analyze the strings for randomness or length.

Conclusion

The dig command is indispensable for both attackers and defenders.

• Red teams exploit misconfigurations and gather intelligence.
• Blue teams validate infrastructure, secure configurations, and investigate threats.

By mastering dig, you not only gain visibility into DNS but also sharpen your skills in both offense and defense.

Related Cybersecurity Guides and Tutorials:

Active Directory

DC Sync Attack: The Art of Impersonation

An in-depth technical guide to the DC Sync attack, explaining how attackers abuse Active Directory replication protocols to dump credentials without touching the disk.

Feb 15, 2026Windows

proxies

SOCKS4 vs SOCKS5: Differences from a Cybersecurity Perspective

An in-depth comparison of SOCKS4 and SOCKS5 proxies, highlighting their features, differences, and implications for cybersecurity.

Dec 7, 2025Networking

red team

Living Off the Land Binaries (LOLBins) - The Attacker's Built-in Toolkit

A deep-dive into Living Off the Land Binaries (LOLBins), how attackers abuse legitimate Windows utilities, real-world examples, and a safe lab demonstration with PowerShell and certutil.exe.

Nov 10, 2025Windows

penetration testing

Penetration Testing Cheat Sheet

A concise, step-by-step cheat sheet for penetration testers — methodology, common attacks and checks for each phase, tools to consider, and quick defensive notes. Intended as a checklist during authorized engagements.

Oct 13, 2025Cybersecurity

mitm-attack

Understanding Man-in-the-Middle (MitM) Attacks

An in-depth article on Man-in-the-Middle (MitM) attacks, exploring their mechanisms from both offensive and defensive viewpoints, with examples, code samples, and pro tips.

Oct 1, 2025Networking

Wi-Fi

Fragment Attack (FragAttacks): A Technical Analysis

A technical breakdown of Fragmentation and Aggregation Attacks (FragAttacks), a set of Wi-Fi vulnerabilities affecting WPA2, WPA3, and billions of devices worldwide.

Sep 20, 2025Networking

ai

How Artificial Intelligence is Revolutionizing Network Defense

A deep dive for tech pros on AI's transformative role in cybersecurity, from ML-driven anomaly detection to adversarial defenses, with code and forward-looking insights.

Sep 16, 2025AI-Security

networking

TCP (Transmission Control Protocol)

A beginner-friendly guide to TCP, the reliable protocol powering the internet, with analogies, code samples, and a cybersecurity angle.

Sep 16, 2025Networking