Why can host and nslookup resolve a name but dig cannot?

Solution 1:

It's the default behaviour of dig not to use the search-option.

From the manual page:

   +[no]search
       Use [do not use] the search list defined by the searchlist or
       domain directive in resolv.conf (if any). The search list is not
       used by default.

Edit: Just add +search to make it work, like dig +search myhost.

Solution 2:

In my case, it is a bug in Microsoft DNS Server, where it returns a FORMERR response (request format error) for requests with the EDNS Cookie option set. Newer versions of dig (9.11 and up) use DNS cookies by default. This can be prevented by passing the +nocookie or +noedns flag to dig:

$ dig +nocookie DOMAIN @SERVER

Source: https://kevinlocke.name/bits/2017/01/20/formerr-from-microsoft-dns-server-for-dig/


Solution 3:

I was having the same problem. After inspecting packets sent from both nslookup and dig with Wireshark, I found the problem.

dig was setting the authentic data bit in the query. According to the man page, "This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server." By running dig with +noadflag, it returned the same results as nslookup.
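
What Solutions 2 and 3 describe seeing on the wire, as an added example that is not part of the original answers: it builds DNS queries with and without the AD bit and an EDNS COOKIE option, then decodes which of those features a captured query carries. The host name, cookie bytes and function names are constructed for illustration, and query names are assumed to be uncompressed.

```python
import struct

AD_FLAG = 0x0020      # "authentic data" bit in the DNS header flags
RD_FLAG = 0x0100      # "recursion desired" bit
OPT_TYPE = 41         # EDNS0 OPT pseudo-record (RFC 6891)
COOKIE_OPTION = 10    # EDNS COOKIE option code (RFC 7873)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, ad=False, edns=False, cookie=None, qid=0x1234):
    """Build an A/IN query; optionally set AD, add an OPT record and a cookie."""
    flags = RD_FLAG | (AD_FLAG if ad else 0)
    edns = edns or cookie is not None          # a cookie can only travel inside OPT
    wire = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, int(edns))
    wire += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:
        opt = b"" if cookie is None else struct.pack("!HH", COOKIE_OPTION, len(cookie)) + cookie
        # OPT RR: root name, type 41, class = UDP payload size, TTL = extended flags
        wire += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt)) + opt
    return wire

def describe_query(wire):
    """Report the query features in which dig and nslookup can differ."""
    _, flags, qd, _, _, ar = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    for _ in range(qd):                        # skip the question section
        while wire[pos]:
            pos += wire[pos] + 1
        pos += 1 + 4                           # zero byte + QTYPE + QCLASS
    info = {"ad": bool(flags & AD_FLAG), "edns": False, "cookie": False}
    for _ in range(ar):                        # assumes root-named records (OPT)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[pos + 1:pos + 11])
        rdata, pos = wire[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        if rtype != OPT_TYPE:
            continue
        info["edns"] = True
        off = 0
        while off + 4 <= len(rdata):           # walk the option code/length/value list
            code, olen = struct.unpack("!HH", rdata[off:off + 4])
            info["cookie"] |= code == COOKIE_OPTION
            off += 4 + olen
    return info

# Constructed sample queries (host name and cookie bytes are made up)
DIG_LIKE = build_query("myhost.example.com", ad=True, cookie=bytes(range(8)))
PLAIN = build_query("myhost.example.com")
```

Running `describe_query` on `DIG_LIKE` and `PLAIN` shows the three differences the answers point at: the AD bit that +noadflag clears, the cookie that +nocookie drops, and the whole OPT record that +noedns removes.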


Solution 4:

You can use a .digrc file in your home directory with the line

+search

to change the default behaviour.