1drill(1)                    General Commands Manual                   drill(1)
2
3
4

NAME

6       drill - get (debug) information out of DNS(SEC)
7

SYNOPSIS

9       drill [ OPTIONS ] name [ @server ] [ type ] [ class ]
10
11

DESCRIPTION

13       drill  is a tool to designed to get all sorts of information out of the
14       DNS. It is specifically designed to be used with DNSSEC.
15
16       The name drill is a pun on dig. With drill you should be able get  even
17       more information than with dig.
18
19       If  no  arguments are given class defaults to 'IN' and type to 'A'. The
20       server(s) specified in /etc/resolv.conf are used to query against.
21
22
23       name Ask for this name.
24
25
26       @server Send to query to this server. If not specified  use  the  name‐
27       servers from /etc/resolv.conf.
28
29
30       type  Ask for this RR type. If type is not given on the command line it
31       defaults to 'A'. Except when doing a reverse lookup when it defaults to
32       'PTR'.
33
34
35       class Use this class when querying.
36
37

SAMPLE USAGE

39       drill mx miek.nl Show the MX records of the domain miek.nl
40
41
42       drill -S jelte.nlnetlabs.nl
43              Chase  any  signatures in the jelte.nlnetlab.nl domain. This op‐
44              tion is only available when ldns has been compiled with openssl-
45              support.
46
47
48       drill -TD www.example.com
49              Do a DNSSEC (-D) trace (-T) from the rootservers down to www.ex‐
50              ample.com.  This option only works when ldns has  been  compiled
51              with openssl support.
52
53
54       drill -s dnskey jelte.nlnetlabs.nl
55              Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each found
56              DNSKEY record also print the DS record.
57
58

OPTIONS

60       -D     Enable DNSSEC in the  query.  When  querying  for  DNSSEC  types
61              (DNSKEY, RRSIG, DS and NSEC) this is not automatically enabled.
62
63
64       -T     Trace  name  from  the  root  down.  When  using this option the
65              @server arguments is not used.
66
67
68       -S     Chase the signature(s) of 'name' to a known key or as high up in
69              the tree as possible.
70
71
72       -I  IPv4 or IPv6 address
73              Source  address  to  query  from.   The source address has to be
74              present on an interface of the host running drill.
75
76
77       -V level
78              Be more verbose. Set level to 5 to see the actual query that  is
79              sent.
80
81
82       -Q     Quiet mode, this overrules -V.
83
84
85       -f file
86              Read the query from a file. The query must be dumped with -w.
87
88
89       -i file
90              read  the  answer  from  the file instead from the network. This
91              aids in debugging and can be used to check if a query on disk is
92              valid.   If  the file contains binary data it is assumed to be a
93              query in network order.
94
95
96       -w file
97              Write an answer packet to file.
98
99
100       -q file
101              Write the query packet to file.
102
103
104       -v     Show drill's version.
105
106
107       -h     Show a short help message.
108
109
110   QUERY OPTIONS
111       -4     Stay on ip4. Only send queries to ip4 enabled nameservers.
112
113
114       -6     Stay on ip6. Only send queries to ip6 enabled nameservers.
115
116
117       -a     Use the resolver structure's fallback mechanism if the answer is
118              truncated (TC=1). If a truncated packet is received and this op‐
119              tion is set, drill will first send a new query with EDNS0 buffer
120              size 4096.
121
122              If  the  EDNS0 buffer size was already set to 512+ bytes, or the
123              above retry also results in a  truncated  answer,  the  resolver
124              structure will fall back to TCP.
125
126
127       -b size
128              Use size as the buffer size in the EDNS0 pseudo RR.
129
130
131       -c file
132              Use  file  instead of /etc/resolv.conf for nameserver configura‐
133              tion.
134
135
136       -d domain
137              When tracing (-T), start from this domain instead of the root.
138
139
140       -t     Use TCP/IP when querying a server
141
142
143       -k keyfile
144              Use this file to read a (trusted) key from. When this options is
145              given  drill tries to validate the current answer with this key.
146              No chasing is done. When drill is doing a secure trace, this key
147              will  be  used  as  trust  anchor.  Can contain a DNSKEY or a DS
148              record.
149
150              Alternatively, when DNSSEC enabled tracing  (-TD)  or  signature
151              chasing (-S), if -k is not specified, and a default trust anchor
152              (/var/lib/unbound/root.key) exists and contains a  valid  DNSKEY
153              or DS record, it will be used as the trust anchor.
154
155
156       -o mnemonic
157              Use  this  option to set or unset specific header bits. A bit is
158              set by using the bit mnemonic in CAPITAL letters. A bit is unset
159              when the mnemonic is given in lowercase. The following mnemonics
160              are understood by drill:
161
162                      QR, qr: set, unset QueRy (default: on)
163                      AA, aa: set, unset Authoritative Answer (default: off)
164                      TC, tc: set, unset TrunCated (default: off)
165                      RD, rd: set, unset Recursion Desired (default: on)
166                      CD, cd: set, unset Checking Disabled  (default: off)
167                      RA, ra: set, unset Recursion Available  (default: off)
168                      AD, ad: set, unset Authenticated Data (default: off)
169
170              Thus: -o CD, will enable Checking Disabled, which instructs  the
171              cache to not validate the answers it gives out.
172
173
174       -p port
175              Use this port instead of the default of 53.
176
177
178       -r file
179              When tracing (-T), use file as a root servers hint file.
180
181
182       -s     When encountering a DNSKEY print the equivalent DS also.
183
184
185       -u     Use UDP when querying a server. This is the default.
186
187
188       -w file
189              write  the answer to a file. The file will contain a hexadecimal
190              dump of the query. This can be used in conjunction with -f.
191
192
193       -x     Do a reverse lookup. The type argument is not used, it is preset
194              to PTR.
195
196
197       -y <name:key[:algo]>
198              specify  named  base64  tsig key, and optional an algorithm (de‐
199              faults to hmac-md5.sig-alg.reg.int)
200
201
202       -z     don't randomize the nameserver list before sending queries.
203
204

EXIT STATUS

206       The exit status is 0 if the looked up answer is secure and trusted,  or
207       insecure.   The  exit  status  is  not 0 if the looked up answer is un‐
208       trusted or bogus, or an error occurred while performing the lookup.
209
210

FILES

212       /var/lib/unbound/root.key
213              The file from which trusted keys are loaded when no -k option is
214              given.
215

SEE ALSO

217       unbound-anchor(8)
218
219

AUTHOR

221       Jelte Jansen and Miek Gieben. Both of NLnet Labs.
222
223

REPORTING BUGS

225       Report bugs to <ldns-team@nlnetlabs.nl>.
226
227

BUGS

230       Copyright (c) 2004-2008 NLnet Labs.  Licensed under the revised BSD li‐
231       cense. There is NO warranty; not even for  MERCHANTABILITY  or  FITNESS
232       FOR A PARTICULAR PURPOSE.
233
234

SEE ALSO

236       dig(1), RFC403{3,4,5}.
237
238
239
240                                  28 May 2006                         drill(1)
Impressum