Appendix F: DNS Cheat Sheet

Everything you reach for during an incident or audit, on one page.

dig Command Flags

Flag	What It Does
`+short`	Output only the answer (no headers, authority, additional sections)
`+trace`	Trace the full resolution from root down
`+norecurse` / `+norec`	Ask the server for its own authoritative answer only (no recursive lookup)
`+dnssec`	Request DNSSEC records in the response (sets DO bit)
`+sigchase`	Follow and validate the DNSSEC chain (older dig versions)
`+cd`	Disable DNSSEC validation on the resolver side (gets raw signed data)
`+time=N`	Set query timeout to N seconds
`+tries=N`	Set number of retry attempts
`+multiline`	Print records in expanded multiline format
`+noquestion`	Don't print the question section
`+stats`	Show query statistics (response time, server)
`@server`	Query a specific nameserver (e.g., `@8.8.8.8`)
`-x IP`	Reverse lookup (PTR record for an IP address)
`-4` / `-6`	Force IPv4 / IPv6 transport

DNS Record Types Quick Reference

Type	Purpose	Example
A	IPv4 address	`example.com. A 203.0.113.10`
AAAA	IPv6 address	`example.com. AAAA 2001:db8::1`
CNAME	Alias to another name	`www CNAME example.com.`
MX	Mail server	`example.com. MX 10 mail.example.com.`
TXT	Text data (SPF, DKIM, DMARC, verification)	`example.com. TXT "v=spf1 ..."`
NS	Authoritative nameservers for a zone	`example.com. NS ns1.provider.com.`
SOA	Zone administrative parameters	One per zone, contains serial, TTL defaults
PTR	Reverse DNS (IP to hostname)	`10.113.0.203.in-addr.arpa. PTR example.com.`
SRV	Service location with port	`_http._tcp.example.com. SRV 10 5 80 web.example.com.`
CAA	CA authorization for TLS certs	`example.com. CAA 0 issue "letsencrypt.org"`
ALIAS/ANAME	CNAME-like at apex (provider extension)	`example.com. ALIAS lb.provider.com.`
HTTPS	HTTPS service parameters	`example.com. HTTPS 1 . alpn="h3,h2"`
SVCB	Service binding (generalization of HTTPS)	`_https._tcp.example.com. SVCB 1 ...`
TLSA	DANE TLS certificate binding	Requires DNSSEC
DS	DNSSEC delegation signer	Published in parent zone
DNSKEY	DNSSEC public key	Published in zone itself
RRSIG	DNSSEC signature over RRset	Added automatically when zone is signed
NSEC/NSEC3	DNSSEC authenticated denial of existence	Added automatically when zone is signed

TTL Values Reference

TTL	Value	Use Case
60s	1 minute	Incident response, rollback window, active change in progress
300s	5 minutes	Pre-change (lower before any planned DNS change), new launch period
3600s	1 hour	Standard operational TTL for most records
86400s	24 hours	Very stable records (MX, NS, TXT for stable configurations)

Rule: Lower TTL to your target value, wait one full TTL period, then make the change. This ensures all caches have expired before the change propagates.

DMARC Tag Reference

Tag	Required	Description	Example
`v`	Yes	Version. Must be `DMARC1`	`v=DMARC1`
`p`	Yes	Policy: `none`, `quarantine`, `reject`	`p=reject`
`sp`	No	Subdomain policy (overrides `p` for subdomains)	`sp=quarantine`
`rua`	No	Aggregate report URI(s)	`rua=mailto:dmarc@example.com`
`ruf`	No	Failure report URI(s)	`ruf=mailto:failures@example.com`
`fo`	No	Failure reporting options: `0`=both fail, `1`=any fail, `d`=DKIM fail, `s`=SPF fail	`fo=1`
`pct`	No	Percentage of messages to apply policy to (1-100, default 100)	`pct=25`
`adkim`	No	DKIM alignment: `r`=relaxed (default), `s`=strict	`adkim=r`
`aspf`	No	SPF alignment: `r`=relaxed (default), `s`=strict	`aspf=r`
`ri`	No	Aggregate report interval in seconds (default 86400)	`ri=86400`

Rollout sequence: p=none → collect reports for 2+ weeks → p=quarantine; pct=25 → increase pct over 2 weeks → p=quarantine; pct=100 → p=reject

SPF Mechanism Reference

Mechanism	Match Condition	Example
`ip4:`	IPv4 address or range	`ip4:203.0.113.0/24`
`ip6:`	IPv6 address or range	`ip6:2001:db8::/32`
`include:`	Include another domain's SPF policy	`include:_spf.google.com`
`a`	Sending IP matches the domain's A record	`a:example.com`
`mx`	Sending IP matches the domain's MX record	`mx`
`ptr`	PTR record matches the domain (slow, avoid)	`ptr:example.com`
`exists:`	A record exists for constructed domain	`exists:%{ir}.spamlist.example.com`
`all`	Always matches (catch-all at end)	Use with qualifier

Qualifiers: + (pass, default), - (fail), ~ (softfail), ? (neutral)

End your SPF with: ~all (softfail — deliver but mark) or -all (hard fail — reject). Never +all.

Max 10 DNS lookups in an SPF record (include:, a, mx each cost one lookup).

Common dig One-Liners

# Check MX records
dig example.com MX +short

# Verify SPF record
dig example.com TXT +short | grep spf

# Check DMARC
dig _dmarc.example.com TXT +short

# Verify DKIM selector
dig mail._domainkey.example.com TXT +short

# Check CAA records
dig example.com CAA +short

# Trace full resolution chain
dig +trace example.com A

# Check SOA serial
dig example.com SOA +short

# Compare SOA between providers
dig @ns1.provider1.com example.com SOA +short
dig @ns1.provider2.com example.com SOA +short

# Verify DNSSEC (check for AD flag in response)
dig example.com A +dnssec | grep "flags:"

# Check nameservers
dig example.com NS +short

# Reverse lookup
dig -x 203.0.113.10 +short

# Zone transfer attempt (will be refused if restricted)
dig AXFR example.com @ns1.example.com

# Check HTTPS record
dig example.com HTTPS +short

# Query using DoH (requires dig 9.18+)
dig @https://1.1.1.1/dns-query example.com A +https

# Check from a specific resolver bypassing local cache
dig +norecurse @ns1.example.com example.com A

UDRP Quick Reference: Three-Part Test

All three parts must be established by the complainant:

Element	What You Must Prove
1. Identical or confusingly similar	The disputed domain is identical to or confusingly similar to a trademark in which you have rights. Registered trademark is easier to prove; common-law trademark requires demonstrating established use.
2. No legitimate interest	The respondent has no rights or legitimate interests in the domain. The respondent is not commonly known by the name, is not making bona fide use, and is not making legitimate non-commercial or fair use.
3. Bad faith registration and use	The domain was registered and is being used in bad faith. Indicators: registered primarily to sell to the trademark owner, registered to disrupt a competitor's business, intentional attempt to attract users by creating confusion, pattern of abusive registrations.

Providers: WIPO (most common), NAF (National Arbitration Forum), CAC Timeline: 45-60 days from complaint filing to decision Outcome options: Transfer to complainant, cancellation, dismissed (domain stays with respondent) Cost: USD ~1,500-3,000 for a one-panelist case with WIPO

EPP Status Code Reference

Code	Set By	Meaning
`clientTransferProhibited`	Registrar	Transfer lock. Cannot transfer to another registrar without removing this.
`clientUpdateProhibited`	Registrar	Domain object cannot be updated (WHOIS data, nameservers).
`clientDeleteProhibited`	Registrar	Domain cannot be deleted.
`clientHold`	Registrar	Domain is suspended. DNS does not resolve.
`clientRenewProhibited`	Registrar	Domain cannot be renewed by registrar.
`serverTransferProhibited`	Registry	Registry-level transfer lock. Requires registry action to remove. Stronger than client-side.
`serverUpdateProhibited`	Registry	Registry-level update lock.
`serverDeleteProhibited`	Registry	Registry-level delete lock. Used for premium/reserved domains.
`serverHold`	Registry	Domain suspended by registry (e.g., for abuse). DNS does not resolve.
`serverRenewProhibited`	Registry	Cannot be renewed at registry level (e.g., policy restrictions).
`pendingTransfer`	Registry	Transfer in progress. Domain is in transfer limbo — neither registrar can make changes.
`pendingDelete`	Registry	Domain in deletion queue. After expiry + grace periods. Typically 5-day window before name releases.
`redemptionPeriod`	Registry	Domain is in the redemption grace period (30 days after deletion) — can be recovered by prior registrant at a penalty fee.
`ok`	Registry	Normal operating status. No restrictions active.