Dig Without Cache

dig can return cached responses because the resolver it sends queries to (the system's configured name server) caches the results of previous queries to improve performance.

For the same reason, a cached response can come from any of the configured name servers in the resolution path, not only the one dig talks to directly.

This is useful when you are querying the same domain multiple times, but it can be problematic when you need to check if a change you made to a DNS record has propagated.

Luckily, dig can be forced to resolve a name without using any cache, and this post demonstrates how to do this.

Dig Without Cache

Firstly, get the NS records to identify the name servers that host the domain’s zone file:

$ dig NS <domainName> +short
- example -
$ dig NS shellhacks.com +short
- sample output -
ns311.inhostedns.org.
ns111.inhostedns.com.
ns211.inhostedns.net.

To dig without cache – query the name servers directly, by adding @<nameServer>:

$ dig <domainName> @<nameServer> +short
- example -
$ dig shellhacks.com @ns111.inhostedns.com +short
- sample output -
135.148.34.70

If the domain has multiple name servers, you may want to query each of them.

For example, to check if TXT records, required for ACME challenge validation, have been updated on each of the name servers, I do the following:

$ for NS in $(dig NS base64-decode.online +short); do \
  echo "Reply from $NS"; dig TXT _acme-challenge.base64-decode.online +short @$NS; \
  echo; done
- sample output -
Reply from ns311.inhostedns.org.
"R1uvn37M_ilziGbLz8Oc9pm569v65OFo0WJrmigYYqA"
"ctgv1Iz7287NNvpArjP2v211rzIytF8RD1L-jgab-4Y"

Reply from ns111.inhostedns.com.
"R1uvn37M_ilziGbLz8Oc9pm569v65OFo0WJrmigYYqA"
"ctgv1Iz7287NNvpArjP2v211rzIytF8RD1L-jgab-4Y"

Reply from ns211.inhostedns.net.
"R1uvn37M_ilziGbLz8Oc9pm569v65OFo0WJrmigYYqA"
"ctgv1Iz7287NNvpArjP2v211rzIytF8RD1L-jgab-4Y"

When we tell dig to query the name servers that host the domain’s zone file directly, we can be sure that the response won’t come from the computer’s, router’s or ISP’s cache.
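The loop above generalised into a small propagation check, as an added example that is not part of the original post: it asks every authoritative name server of a zone for the same record and reports whether the answer sets agree. It assumes dig is installed; the zone and record names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every
# authoritative name server of a zone returns the same answer set.
# Assumes dig is installed; domain names below are constructed.

# Single place where the network call happens, so it can be stubbed.
# $1 = record type, $2 = name to query, $3 = optional server (no @)
dig_short() {
    if [ -n "$3" ]; then
        dig "$1" "$2" "@$3" +short
    else
        dig "$1" "$2" +short
    fi
}

# Sorted answers from one server, so record order does not matter.
answers_from() {
    dig_short "$1" "$2" "$3" | sort
}

# check_propagation TYPE NAME ZONE
# Queries each NS of ZONE directly for NAME/TYPE, bypassing caches.
# Returns 0 if all servers agree, 1 on a mismatch, 2 if no NS found.
check_propagation() {
    type=$1; name=$2; zone=$3
    servers=$(dig_short NS "$zone" | sort)
    [ -n "$servers" ] || { echo "no NS records for $zone" >&2; return 2; }
    first=1; reference=""; status=0
    for ns in $servers; do
        current=$(answers_from "$type" "$name" "$ns")
        echo "Reply from $ns:"
        printf '%s\n' "${current:-(no answer)}" | sed 's/^/  /'
        if [ "$first" -eq 1 ]; then
            reference=$current; first=0
        elif [ "$current" != "$reference" ]; then
            echo "  MISMATCH against the first server's answer"
            status=1
        fi
    done
    return $status
}

# Real usage (needs network), e.g. before requesting an ACME certificate:
# check_propagation TXT _acme-challenge.example.com example.com
```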

Alternatively, you can force dig to resolve without using a cache by having it perform its own lookup, starting from the root name servers and following the delegations down to the authoritative servers, using the +trace option:

$ dig <domainName> +trace +short
- example -
$ dig shellhacks.com +short +trace
NS a.root-servers.net. from server 127.0.0.53 in 0 ms.
NS b.root-servers.net. from server 127.0.0.53 in 0 ms.
NS c.root-servers.net. from server 127.0.0.53 in 0 ms.
...
A 135.148.34.70 from server 185.104.44.25 in 44 ms.

In the examples above, the +short option is used to shorten the output of the dig command, but if you need more verbosity – you can skip it.
