Today I needed to use - and install - DiG (Domain Information Groper!) on a Windows 10 box. Of course, Windows is useless when it comes to CLI tools - nslookup is past its prime and not even Windows 10 includes much by way of useful tools for DNS queries. DiG is shipped as part of the BIND9 DNS software from ISC.
So, let's see about DiG... Good news, everyone! - BIND9 is available for Windows, but I don't want to install the whole thing, ain't nobody got time for that. So, let's see about excerpting just the DiG executable and getting it so you can use it without specifying its full path every time, which will require setting its location in the PATH variable.
Important 2025 update! ISC stopped publishing compiled native Windows builds of BIND9 with the release of v9.17.16 (21 July 2021).
Older release ZIPs for Windows are now paywalled for Enterprise customers.
However - I have used "BIND9.16.45.x64.zip" for quite a while; I upgraded to v9.17.15 while writing this update, which is also the most recent publicly available release including a native Windows build.
You can download v9.17.15 (or a prior version) from one of many reputable mirrors; I've included some sample links below.
- v9.17.15: https://ftp.u-strasbg.fr/unix/isc/bind9/9.17.15/BIND9.17.15.x64.zip
- v9.16.45: https://ftp.u-strasbg.fr/unix/isc/bind9/9.16.45/BIND9.16.45.x64.zip
- Or one of the many other mirrors listed online - navigate to the subfolder for the version you want, starting with the Google results:
- GitHub user Yamatohimemiya has also compiled 32-bit (x86) and 64-bit (x64) versions of v9.16.39 for Windows - including the extra "SupportPack" files you may need to run it on Windows 7. Thank you for your hard work!
- Thanks to the many educational institutions for hosting repository mirrors!
There are quite a few guides and tutorials on installing DiG on Windows. The simplest one I found was from Websistent, who recommended downloading their own zip of DiG and its necessary DLL dependencies, dropping those into windows\system32 (urk?) and using as normal.
We can do better than that:
1. Previously, you began by downloading BIND9 from https://www.isc.org/download/ (the 32-bit or 64-bit Windows .zip distribution as necessary). However, since ISC have now paywalled the old releases and no longer directly release a Windows native build, you will need to obtain the last public release version with a Windows native build, which is v9.17.15 -- see the highlighted comments earlier in this article for links to reputable mirrors.
2. Extract the zip to a suitable folder. I tend to use C:\apps\ for this sort of stuff, so I would use C:\apps\utils\bind9 as my directory.
3. For the finishing touch, edit your system's environment variables:
   - Go Start → Run (or Ctrl + R), enter rundll32.exe sysdm.cpl,EditEnvironmentVariables and hit OK, or
   - Open the Environment Variables applet via Control Panel → All Control Panel Items → System → Advanced System Settings → Advanced tab, or
   - Choose Change my environment variables from the Tasks section on the User Accounts control panel, or
   - Use one of the many other options listed on this SU article
4. Add the full path from Step 2 into the User variables "Path" entry (this will depend on the folder name you extracted in Step 2!):

After OKing that dialog and the underlying Environment Variables dialog, you should be able to immediately use DiG without typing a full path! Very handy.
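The same steps can be scripted in PowerShell, with one extra check: because the archive now comes from a third-party mirror rather than ISC directly, the script refuses to extract it unless its SHA-256 matches a value you supply. This is an added example, not part of the original article; the URL and folder are the ones used above, and the expected hash is a placeholder you must replace with a value obtained from a source you trust.

```powershell
# Added example: download, verify, extract, and add DiG to the user Path.
$ErrorActionPreference = 'Stop'

$url      = 'https://ftp.u-strasbg.fr/unix/isc/bind9/9.17.15/BIND9.17.15.x64.zip'
$zip      = Join-Path $env:TEMP 'BIND9.17.15.x64.zip'
$dest     = 'C:\apps\utils\bind9'
# PLACEHOLDER: replace with the SHA-256 you obtained from a source you trust.
$expected = '<EXPECTED-SHA256-OF-ZIP>'

Invoke-WebRequest -Uri $url -OutFile $zip

# Refuse to extract an archive whose hash does not match (-ne ignores case).
$actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "SHA-256 mismatch for $zip (got $actual)"
}

Expand-Archive -Path $zip -DestinationPath $dest -Force

# Locate dig.exe wherever the archive placed it, rather than assuming a layout.
$dig = Get-ChildItem -Path $dest -Recurse -Filter 'dig.exe' | Select-Object -First 1
if (-not $dig) { throw "dig.exe not found under $dest" }
$binDir = $dig.DirectoryName

# Append to the *user* Path only if it is not already there.
# Appending (not prepending) means this folder cannot shadow system tools.
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
$entries  = @($userPath -split ';' | Where-Object { $_ })
if ($entries -notcontains $binDir) {
    [Environment]::SetEnvironmentVariable('Path', (($entries + $binDir) -join ';'), 'User')
}

# Make it usable in this session too, then confirm which dig gets resolved.
$env:Path = "$env:Path;$binDir"
(Get-Command dig).Source
dig -v
```

Reading the user Path through .NET returns any %VAR% references already expanded, so they are written back as literal paths; if your user Path relies on such references, use the Environment Variables dialog for the last step instead.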

No BIND installation required, no messing about with DLLs in your system32 directory - easy as that, and very simple to update. I went with BIND9.14.3 in this example, but you can use whatever version you like that's available, though I'd recommend as recent as possible.
Congrats, your DiG installation on Windows is complete. Happy querying!
I am working on an ISOLATED prototype system consisting of a Windows 10 PC and two industrial controllers - no DNS server. I want to be able to talk between these controllers but it looks like I need to resolve host to IP.
- if I ref controller B from controller A using the host name I get "Can't find address"
- if I ref controller B from controller A using the IP address I get "public certificate doesn't match"
(I create certificates for each controller using its host name)
(The PC can get to each controller using the host name after I upload the public cert on the PC. )
(It is as though the PC creates entries in the hosts file.)
Neither of the controllers implements a hosts file but tries to use DNS to find an address.
All communication between controllers uses HTTPS.
If I could hard-code something on the PC to resolve the address that would be awesome!
(Only concerned about two IP addresses - after work is complete on the prototype system, I will be in a network that has a DNS.)
Hi Jim, sorry I didn't see this comment sooner, hopefully you got something working. I would approach this by hardcoding IPs to hostnames using the Windows HOSTS file, as you have no authoritative nameserver; this would need to be provided to the controllers in a DHCP options message, which would then require you to have an authoritative DHCP server running.
Here's a SuperUser answer with a oneliner to invoke Notepad as Admin and open the hosts file:
https://superuser.com/a/1191977/25193
You can then follow the method to add a static hostname entry per this guide (or use the commented example line in the file itself): https://www.manageengine.com/network-monitoring/how-to/how-to-add-static-entry.html
If these industrial controllers are mission-critical, I'd be inclined to primarily reference them by IP, adding a hostname when you can, because you don't want everything falling over if your DNS disappears. Depends how mission-critical you consider your internal DNS to be, where I work if DNS falls over everyone immediately has a Very Bad Day. 😉
The reason the self-signed certificate wasn't accepted as valid by Windows is because it was not accessing the controller by its hostname, so it could not validate the Subject's CommonName (CN) property. Also, self-signed certificates are signed by the issuing device, so don't have any Chain of Trust (no globally trusted Certificate Authority has cross-signed the certificate, so Windows presumes it's unsafe). You can manually import/install self-signed certificates into your Windows Certificate Store (Start → Run → certmgr.msc) to remove that warning. Firefox maintains its own cert store.
If you're generating certificates for devices, they MUST be able to create a Certificate Signing Request which has the primary means of addressing it as the Subject CN, with additional methods listed as Subject Alternative Name lines.
Also, whatever the CN is in the certificate (IP address, hostname or fully qualified domain name in the format of device.domain.tld) the first SAN in the certificate MUST also match, in order for the certificate to be validated by modern browsers. Another 'beartrap' quirk to watch out for. You can create a CSR which has IP addresses as additional SAN entries, but keep the first SAN the same as the CN (which is ideally a FQDN or internally resolvable hostname for the device).
Nope,
'dig' is not recognized as an internal or external command,
operable program or batch file.
Windows 7.
Why WOULD just pathing to the expanded Bind work if there is NO DIG COMMAND?
Clues?
Thanks.
Hi Peter, sorry for not getting back to you sooner - WordPress hid some valid comments from me and I've only just found them.
It appears the ISC, who publish BIND (including the DiG tool), removed Windows native builds from their latest releases. I've updated the blog post to refer to two recent versions. However, if you're using Windows 7, there's a good chance you will need a 32-bit release. A kind soul online has published v9.16.39 for Windows, compiled themselves including x86, arm32 and arm64 versions, and the specific additional files you may need to make it work on Windows 7. Download the relevant x86 and SupportPack zip files from here and install as per my article: https://github.com/Yamatohimemiya/isc-bind9-windows/releases
I don't have a Windows 7 machine to test on any more, but this should work as expected. Drop me another comment if you're having any problems, I could try spinning up a Windows 7 Virtual Machine to test...
This tutorial is utterly useless. BIND 9 link does not have a Windows download only linux versions. Please update this webpage!
Hi Stephen, sorry I didn't catch your comment sooner. Yes, the ISC site no longer offers direct BIND9 releases with Windows executables included - didn't spot that in the intervening years since originally writing the article, thanks for bringing it to my attention. Happily, you can still get the most recent BIND9 Windows release from various reputable mirror sites. I've updated the article accordingly, including links. Give it a try again and let me know how you get on!