drill(1)                    General Commands Manual                    drill(1)

NAME
       drill - get (debug) information out of DNS(SEC)

SYNOPSIS
       drill [ OPTIONS ] name [ @server ] [ type ] [ class ]

DESCRIPTION
       drill is a tool designed to get all sorts of information out of the
       DNS. It is specifically designed to be used with DNSSEC.

       The name drill is a pun on dig. With drill you should be able to get
       even more information than with dig.

       If no arguments are given, class defaults to 'IN' and type to 'A'. The
       server(s) specified in /etc/resolv.conf are used to query against.

       name   Ask for this name.

       @server
              Send the query to this server. If not specified, use the
              nameservers from /etc/resolv.conf.

       type   Ask for this RR type. If type is not given on the command line
              it defaults to 'A', except when doing a reverse lookup, when it
              defaults to 'PTR'.

       class  Use this class when querying.

SAMPLE USAGE
       drill mx miek.nl
              Show the MX records of the domain miek.nl

       drill -S jelte.nlnetlabs.nl
              Chase any signatures in the jelte.nlnetlabs.nl domain. This
              option is only available when ldns has been compiled with
              openssl-support.

       drill -TD www.example.com
              Do a DNSSEC (-D) trace (-T) from the rootservers down to
              www.example.com. This option only works when ldns has been
              compiled with openssl support.

       drill -s dnskey jelte.nlnetlabs.nl
              Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each
              DNSKEY record found, also print the DS record.

OPTIONS
       -D     Enable DNSSEC in the query. When querying for DNSSEC types
              (DNSKEY, RRSIG, DS and NSEC) this is not automatically enabled.

       -T     Trace name from the root down. When using this option the
              @server and the type arguments are not used.

       -S     Chase the signature(s) of 'name' to a known key or as high up
              in the tree as possible.

       -V level
              Be more verbose. Set level to 5 to see the actual query that is
              sent.

       -Q     Quiet mode, this overrules -V.

       -f file
              Read the query from a file. The query must be dumped with -w.

       -i file
              Read the answer from the file instead of from the network. This
              aids in debugging and can be used to check if a query on disk
              is valid. If the file contains binary data it is assumed to be
              a query in network order.

       -w file
              Write an answer packet to file.

       -q file
              Write the query packet to file.

       -v     Show drill's version.

       -h     Show a short help message.

   QUERY OPTIONS
       -4     Stay on ip4. Only send queries to ip4 enabled nameservers.

       -6     Stay on ip6. Only send queries to ip6 enabled nameservers.

       -a     Use the resolver structure's fallback mechanism if the answer
              is truncated (TC=1). If a truncated packet is received and this
              option is set, drill will first send a new query with EDNS0
              buffer size 4096.

              If the EDNS0 buffer size was already set to 512+ bytes, or the
              above retry also results in a truncated answer, the resolver
              structure will fall back to TCP.

       -b size
              Use size as the buffer size in the EDNS0 pseudo RR.

       -c file
              Use file instead of /etc/resolv.conf for nameserver
              configuration.

       -d domain
              When tracing (-T), start from this domain instead of the root.

       -t     Use TCP/IP when querying a server.

       -k keyfile
              Use this file to read a (trusted) key from. When this option is
              given, drill tries to validate the current answer with this
              key. No chasing is done. When drill is doing a secure trace,
              this key will be used as trust anchor. Can contain a DNSKEY or
              a DS record.

              Alternatively, when doing DNSSEC enabled tracing (-TD) or
              signature chasing (-S), if -k is not specified and a default
              trust anchor (/var/lib/unbound/root.key) exists and contains a
              valid DNSKEY or DS record, it will be used as the trust anchor.

       -o mnemonic
              Use this option to set or unset specific header bits. A bit is
              set by using the bit mnemonic in CAPITAL letters. A bit is
              unset when the mnemonic is given in lowercase. The following
              mnemonics are understood by drill:

                  QR, qr: set, unset QueRy (default: on)
                  AA, aa: set, unset Authoritative Answer (default: off)
                  TC, tc: set, unset TrunCated (default: off)
                  RD, rd: set, unset Recursion Desired (default: on)
                  CD, cd: set, unset Checking Disabled (default: off)
                  RA, ra: set, unset Recursion Available (default: off)
                  AD, ad: set, unset Authenticated Data (default: off)

              Thus, -o CD will enable Checking Disabled, which instructs the
              cache not to validate the answers it gives out.

       -p port
              Use this port instead of the default of 53.

       -r file
              When tracing (-T), use file as a root servers hint file.

       -s     When encountering a DNSKEY print the equivalent DS also.

       -u     Use UDP when querying a server. This is the default.

       -w file
              Write the answer to a file. The file will contain a hexadecimal
              dump of the query. This can be used in conjunction with -f.

       -x     Do a reverse lookup. The type argument is not used; it is
              preset to PTR.

       -y <name:key[:algo]>
              Specify a named base64 TSIG key, and optionally an algorithm
              (defaults to hmac-md5.sig-alg.reg.int).

       -z     Don't randomize the nameserver list before sending queries.

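The -D and -o CD options above can be combined to tell a DNSSEC validation failure apart from an ordinary lookup failure on a validating resolver. The script below is an added example, not part of the drill manual; the function names, verdict labels and sample headers are constructed here, and it assumes drill prints dig-style ";; ->>HEADER<<-" and ";; flags:" lines.

```shell
#!/bin/sh
# Added example, not from the drill manual. Assumes drill prints a dig-style
# ";; ->>HEADER<<- ... rcode: X" line and a ";; flags: ..." line.

# Constructed sample headers in that layout (not captured output).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4243
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_UNCHECKED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4244
;; flags: qr rd cd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Print the rcode found on the header line of one drill output.
rcode_of() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*rcode: \([A-Z0-9]*\).*/\1/p' | head -n 1
}

# Succeed if the AD (Authenticated Data) bit is listed on the flags line.
has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad( |;)'
}

# classify <output of "drill -D name"> <output of "drill -D -o CD name">
classify() {
    normal=$(rcode_of "$1")
    unchecked=$(rcode_of "$2")
    if [ "$normal" = SERVFAIL ] && [ "$unchecked" = NOERROR ]; then
        echo bogus          # data is there, but the resolver rejects it
    elif [ "$normal" = SERVFAIL ]; then
        echo unreachable    # fails even with checking disabled
    elif [ "$normal" = NOERROR ] && has_ad "$1"; then
        echo secure         # resolver validated the answer
    elif [ "$normal" = NOERROR ]; then
        echo insecure       # answered, but not authenticated
    else
        echo "other:${normal:-unparsed}"
    fi
}

# Live use: sh check.sh name [server]
if [ "$#" -ge 1 ]; then
    server=${2:+@$2}
    # $server is left unquoted so that an empty value adds no argument
    classify "$(drill -D "$1" $server)" "$(drill -D -o CD "$1" $server)"
fi
```

A "bogus" verdict means the resolver returns the data only when validation is switched off, which points at a broken signature chain rather than an unreachable zone.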
FILES
       /var/lib/unbound/root.key
              The file from which trusted keys are loaded when no -k option
              is given.

SEE ALSO
       unbound-anchor(8)

AUTHOR
       Jelte Jansen and Miek Gieben. Both of NLnet Labs.

REPORTING BUGS
       Report bugs to <ldns-team@nlnetlabs.nl>.

COPYRIGHT
       Copyright (c) 2004-2008 NLnet Labs. Licensed under the revised BSD
       license. There is NO warranty; not even for MERCHANTABILITY or FITNESS
       FOR A PARTICULAR PURPOSE.

SEE ALSO
       dig(1), RFC403{3,4,5}.

                                  28 May 2006                         drill(1)