NAME
drill - get (debug) information out of DNS(SEC)

SYNOPSIS
drill [ OPTIONS ] name [ @server ] [ type ] [ class ]
DESCRIPTION
drill is a tool designed to get all sorts of information out of the
DNS. It is specifically designed to be used with DNSSEC.
The name drill is a pun on dig. With drill you should be
able to get even more information than with dig.
If no arguments are given, class defaults to 'IN' and type to 'A'. The server(s)
specified in /etc/resolv.conf are used to query against.
- name
- Ask for this name.
- @server
- Send the query to this server. If not specified, use the
nameservers from /etc/resolv.conf.
- type
- Ask for this RR type. If type is not given on the command line it
defaults to 'A', except when doing a reverse lookup, when it defaults to 'PTR'.
- class
- Use this class when querying.
SAMPLE USAGE
- drill mx miek.nl
- Show the MX records of the domain miek.nl.
- drill -S jelte.nlnetlabs.nl
- Chase any signatures in the jelte.nlnetlabs.nl domain. This option is only
available when ldns has been compiled with openssl support.
- drill -TD www.example.com
- Do a DNSSEC (-D) trace (-T) from the root servers down to www.example.com.
This option only works when ldns has been compiled with openssl support.
- drill -s dnskey jelte.nlnetlabs.nl
- Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each DNSKEY
record found, also print the DS record.
OPTIONS
- -D
- Enable DNSSEC in the query. When querying for DNSSEC types (DNSKEY, RRSIG,
DS and NSEC) this is not automatically enabled.
- -T
- Trace name from the root down. When using this option the @server
argument is not used.
- -S
- Chase the signature(s) of 'name' to a known key or as high up in the tree
- -I IPv4 or IPv6 address
- Source address to query from. The source address has to be present on an
interface of the host running drill.
- -V level
- Be more verbose. Set level to 5 to see the actual query that is sent.
- -Q
- Quiet mode; this overrules -V.
- -f file
- Read the query from a file. The query must be dumped with -w.
- -i file
- Read the answer from the file instead of from the network. This aids in
debugging and can be used to check whether a query on disk is valid. If the
file contains binary data it is assumed to be a query in network order.
- -w file
- Write an answer packet to file.
- -q file
- Write the query packet to file.
- -v
- Show drill's version.
- -h
- Show a short help message.
- -4
- Stay on IPv4. Only send queries to IPv4-enabled nameservers.
- -6
- Stay on IPv6. Only send queries to IPv6-enabled nameservers.
- -a
- Use the resolver structure's fallback mechanism if the answer is truncated
(TC=1). If a truncated packet is received and this option is set, drill
will first send a new query with EDNS0 buffer size 4096.
If the EDNS0 buffer size was already set to 512+ bytes, or the above retry
also results in a truncated answer, the resolver structure will fall back
- -b size
- Use size as the buffer size in the EDNS0 pseudo RR.
- -c file
- Use file instead of /etc/resolv.conf for nameserver configuration.
- -d domain
- When tracing (-T), start from this domain instead of the root.
- -t
- Use TCP/IP when querying a server.
- -k keyfile
- Use this file to read a (trusted) key from. When this option is given
drill tries to validate the current answer with this key. No
chasing is done. When drill is doing a secure trace, this key will
be used as the trust anchor. The file can contain a DNSKEY or a DS record.
Alternatively, when DNSSEC enabled tracing ( -TD) or signature
chasing ( -S), if -k is not specified, and a default trust
anchor (/etc/trusted-key.key) exists and contains a valid DNSKEY or DS
record, it will be used as the trust anchor.
- -o mnemonic
- Use this option to set or unset specific header bits. A bit is set by
giving the bit mnemonic in CAPITAL letters. A bit is unset when the
mnemonic is given in lowercase. The following mnemonics are understood by
  QR, qr: set, unset QueRy (default: on)
  AA, aa: set, unset Authoritative Answer (default: off)
  TC, tc: set, unset TrunCated (default: off)
  RD, rd: set, unset Recursion Desired (default: on)
  CD, cd: set, unset Checking Disabled (default: off)
  RA, ra: set, unset Recursion Available (default: off)
  AD, ad: set, unset Authenticated Data (default: off)
Thus -o CD will enable Checking Disabled, which instructs the cache
not to validate the answers it gives out.
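As an added illustration of the -o header-bit mnemonics and of the -a truncation handling described above (example code written for this page, not part of drill or ldns): it builds a DNS query header from drill-style mnemonics, decodes the flags word of a received header, and applies the -a decision to it. The label "resolver-fallback" is an assumed name for the resolver structure's own fallback step.

```python
import struct

# Bit positions in the 16-bit DNS header flags word (RFC 1035; AD and CD
# from the DNSSEC RFCs), keyed by the mnemonics drill accepts with -o.
FLAG_BITS = {
    "QR": 1 << 15,  # QueRy
    "AA": 1 << 10,  # Authoritative Answer
    "TC": 1 << 9,   # TrunCated
    "RD": 1 << 8,   # Recursion Desired
    "RA": 1 << 7,   # Recursion Available
    "AD": 1 << 5,   # Authenticated Data
    "CD": 1 << 4,   # Checking Disabled
}
DEFAULT_ON = {"QR", "RD"}  # the "default: on" entries of the -o table


def flags_from_mnemonics(mnemonics):
    """drill -o semantics: an uppercase mnemonic sets a bit, lowercase unsets it."""
    enabled = set(DEFAULT_ON)
    for m in mnemonics:
        key = m.upper()
        if key not in FLAG_BITS:
            raise ValueError(f"unknown header bit mnemonic: {m}")
        if m.isupper():
            enabled.add(key)
        else:
            enabled.discard(key)
    word = 0
    for name in enabled:
        word |= FLAG_BITS[name]
    return word


def build_header(msg_id, mnemonics, qdcount=1):
    """12-byte wire header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!6H", msg_id, flags_from_mnemonics(mnemonics), qdcount, 0, 0, 0)


def decode_flags(header):
    """Map each mnemonic to whether its bit is set in a received header."""
    (flags,) = struct.unpack("!H", header[2:4])
    return {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}


def truncation_action(header, edns_bufsize, retried=False):
    """The -a decision: accept when TC=0; otherwise retry with EDNS0 buffer
    4096, unless the buffer was already 512+ bytes or the retry itself came
    back truncated, in which case hand over to the resolver's fallback."""
    if not decode_flags(header)["TC"]:
        return "accept"
    if edns_bufsize >= 512 or retried:
        return "resolver-fallback"
    return "retry-edns0-4096"
```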
- -p port
- Use this port instead of the default of 53.
- -r file
- When tracing (-T), use file as a root servers hint file.
- -s
- When encountering a DNSKEY, print the equivalent DS also.
- -u
- Use UDP when querying a server. This is the default.
- -w file
- Write the answer to a file. The file will contain a hexadecimal dump of
the query. This can be used in conjunction with -f.
- -x
- Do a reverse lookup. The type argument is not used; it is preset to PTR.
- -y <name:key[:algo]>
- Specify a named base64 TSIG key, and optionally an algorithm (defaults to
- -z
- Don't randomize the nameserver list before sending queries.
EXIT STATUS
The exit status is 0 if the looked-up answer is secure and trusted, or insecure.
The exit status is not 0 if the looked-up answer is untrusted or bogus, or an
error occurred while performing the lookup.

FILES
- /etc/trusted-key.key
- The file from which trusted keys are loaded when no -k option is
AUTHOR
Jelte Jansen and Miek Gieben. Both of NLnet Labs.

REPORTING BUGS
Report bugs to <email@example.com>.

COPYRIGHT
Copyright (c) 2004-2008 NLnet Labs. Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR