1drill(1) General Commands Manual drill(1)
2
6 drill - get (debug) information out of DNS(SEC)
7
9 drill [ OPTIONS ] name [ @server ] [ type ] [ class ]
10
13 drill is a tool to designed to get all sorts of information out of the
14 DNS. It is specificly designed to be used with DNSSEC.
15 The name drill is a pun on dig. With drill you should be able get even
17 more information than with dig.
18 If no arguments are given class defaults to 'IN' and type to 'A'. The
20 server(s) specified in /etc/resolv.conf are used to query against.
21 name Ask for this name.
24 @server Send to query to this server. If not specified use the name‐
27 servers from /etc/resolv.conf.
28 type Ask for this RR type. If type is not given on the command line it
31 defaults to 'A'. Except when doing a reverse lookup when it defaults to
32 'PTR'.
33 class Use this class when querying.
36
39 drill mx miek.nl Show the MX records of the domain miek.nl
40 drill -S jelte.nlnetlabs.nl
43 Chase any signatures in the jelte.nlnetlab.nl domain. This
44 option is only available when ldns has been compiled with
45 openssl-support.
46 drill -TD www.example.com
49 Do a DNSSEC (-D) trace (-T) from the rootservers down to
50 www.example.com. This option only works when ldns has been com‐
51 piled with openssl support.
52 drill -s dnskey jelte.nlnetlabs.nl
55 Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each found
56 DNSKEY record also print the DS record.
57
60 -D Enable DNSSEC in the query. When querying for DNSSEC types
61 (DNSKEY, RRSIG, DS and NSEC) this is not automatically enabled.
62 -T Trace name from the root down. When using this option the
65 @server arguments is not used.
66 -S Chase the signature(s) of 'name' to a known key or as high up in
69 the tree as possible.
70 -I IPv4 or IPv6 address
73 Source address to query from. The source address has to be
74 present on an interface of the host running drill.
75 -V level
78 Be more verbose. Set level to 5 to see the actual query that is
79 sent.
80 -Q Quiet mode, this overrules -V.
83 -f file
86 Read the query from a file. The query must be dumped with -w.
87 -i file
90 read the answer from the file instead from the network. This
91 aids in debugging and can be used to check if a query on disk is
92 valid. If the file contains binary data it is assumed to be a
93 query in network order.
94 -w file
97 Write an answer packet to file.
98 -q file
101 Write the query packet to file.
102 -v Show drill's version.
105 -h Show a short help message.
108 QUERY OPTIONS
111 -4 Stay on ip4. Only send queries to ip4 enabled nameservers.
112 -6 Stay on ip6. Only send queries to ip6 enabled nameservers.
115 -a Use the resolver structure's fallback mechanism if the answer is
118 truncated (TC=1). If a truncated packet is received and this
119 option is set, drill will first send a new query with EDNS0 buf‐
120 fer size 4096.
121 If the EDNS0 buffer size was already set to 512+ bytes, or the
123 above retry also results in a truncated answer, the resolver
124 structure will fall back to TCP.
125 -b size
128 Use size as the buffer size in the EDNS0 pseudo RR.
129 -c file
132 Use file instead of /etc/resolv.conf for nameserver configura‐
133 tion.
134 -d domain
137 When tracing (-T), start from this domain instead of the root.
138 -t Use TCP/IP when querying a server
141 -k keyfile
144 Use this file to read a (trusted) key from. When this options is
145 given drill tries to validate the current answer with this key.
146 No chasing is done. When drill is doing a secure trace, this key
147 will be used as trust anchor. Can contain a DNSKEY or a DS
148 record.
149 Alternatively, when DNSSEC enabled tracing (-TD) or signature
151 chasing (-S), if -k is not specified, and a default trust anchor
152 (/var/lib/unbound/root.key) exists and contains a valid DNSKEY
153 or DS record, it will be used as the trust anchor.
154 -o mnemonic
157 Use this option to set or unset specific header bits. A bit is
158 set by using the bit mnemonic in CAPITAL letters. A bit is unset
159 when the mnemonic is given in lowercase. The following mnemonics
160 are understood by drill:
161 QR, qr: set, unset QueRy (default: on)
163 AA, aa: set, unset Authoritative Answer (default: off)
164 TC, tc: set, unset TrunCated (default: off)
165 RD, rd: set, unset Recursion Desired (default: on)
166 CD, cd: set, unset Checking Disabled (default: off)
167 RA, ra: set, unset Recursion Available (default: off)
168 AD, ad: set, unset Authenticated Data (default: off)
169 Thus: -o CD, will enable Checking Disabled, which instructs the
171 cache to not validate the answers it gives out.
172 -p port
175 Use this port instead of the default of 53.
176 -r file
179 When tracing (-T), use file as a root servers hint file.
180 -s When encountering a DNSKEY print the equivalent DS also.
183 -u Use UDP when querying a server. This is the default.
186 -w file
189 write the answer to a file. The file will contain a hexadecimal
190 dump of the query. This can be used in conjunction with -f.
191 -x Do a reverse lookup. The type argument is not used, it is preset
194 to PTR.
195 -y <name:key[:algo]>
198 specify named base64 tsig key, and optional an algorithm
199 (defaults to hmac-md5.sig-alg.reg.int)
200 -z don't randomize the nameserver list before sending queries.
203
206 The exit status is 0 if the looked up answer is secure and trusted, or
207 insecure. The exit status is not 0 if the looked up answer is
208 untrusted or bogus, or an error occurred while performing the lookup.
209
212 /var/lib/unbound/root.key
213 The file from which trusted keys are loaded when no -k option is
214 given.
215
217 unbound-anchor(8)
218
221 Jelte Jansen and Miek Gieben. Both of NLnet Labs.
222
225 Report bugs to <ldns-team@nlnetlabs.nl>.
226
230 Copyright (c) 2004-2008 NLnet Labs. Licensed under the revised BSD
231 license. There is NO warranty; not even for MERCHANTABILITY or FITNESS
232 FOR A PARTICULAR PURPOSE.
233
236 dig(1), RFC403{3,4,5}.
237 28 May 2006 drill(1)