mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-23 10:06:25 +01:00
17d15b2511
MFC after: 3 weeks
254 lines
6.2 KiB
Groff
254 lines
6.2 KiB
Groff
.\" @(#)drill.1 1.7.0 14-Jul-2004 OF;
|
|
.TH drill 1 "28 May 2006"
|
|
.SH NAME
|
|
drill \- get (debug) information out of DNS(SEC)
|
|
.SH SYNOPSIS
|
|
.B drill
|
|
[
|
|
.IR OPTIONS
|
|
]
|
|
.IR name
|
|
[
|
|
.IR @server
|
|
]
|
|
[
|
|
.IR type
|
|
]
|
|
[
|
|
.IR class
|
|
]
|
|
|
|
.SH DESCRIPTION
|
|
\fBdrill\fR is a tool to designed to get all sorts of information out of the
|
|
DNS. It is specificly designed to be used with DNSSEC.
|
|
.PP
|
|
The name \fBdrill\fR is a pun on \fBdig\fR. With \fBdrill\fR you should be able
|
|
get even more information than with \fBdig\fR.
|
|
.PP
|
|
If no arguments are given class defaults to 'IN' and type to 'A'. The
|
|
server(s) specified in /etc/resolv.conf are used to query against.
|
|
|
|
.PP
|
|
\fIname\fR
|
|
Ask for this name.
|
|
|
|
.PP
|
|
\fI@server\fR
|
|
Send to query to this server. If not specified use the nameservers from
|
|
\fI/etc/resolv.conf\fR.
|
|
|
|
.PP
|
|
\fItype\fR
|
|
Ask for this RR type. If type is not given on the command line it defaults
|
|
to 'A'. Except when doing to reverse lookup when it defaults to 'PTR'.
|
|
|
|
.PP
|
|
\fIclass\fR
|
|
Use this class when querying.
|
|
|
|
.SH SAMPLE USAGE
|
|
\fBdrill mx miek.nl\fR
|
|
Show the MX records of the domain miek.nl
|
|
|
|
.TP
|
|
\fBdrill -S jelte.nlnetlabs.nl\fR
|
|
Chase any signatures in the jelte.nlnetlab.nl domain. This option is
|
|
only available when ldns has been compiled with openssl-support.
|
|
|
|
.TP
|
|
\fBdrill -TD www.example.com\fR
|
|
Do a DNSSEC (-D) trace (-T) from the rootservers down to www.example.com.
|
|
This option only works when ldns has been compiled with openssl support.
|
|
|
|
.TP
|
|
\fBdrill -s dnskey jelte.nlnetlabs.nl\fR
|
|
Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each found DNSKEY
|
|
record also print the DS record.
|
|
|
|
.SH OPTIONS
|
|
|
|
.TP
|
|
\fB\-D
|
|
Enable DNSSEC in the query. When querying for DNSSEC types (DNSKEY, RRSIG,
|
|
DS and NSEC) this is \fInot\fR automaticly enabled.
|
|
|
|
.TP
|
|
\fB\-T
|
|
Trace \fIname\fR from the root down. When using this option the @server and
|
|
the type arguments are not used.
|
|
|
|
.TP
|
|
\fB\-S
|
|
Chase the signature(s) of 'name' to a known key or as high up in
|
|
the tree as possible.
|
|
|
|
.TP
|
|
\fB\-I \fIIPv4 or IPv6 address\fR
|
|
Source address to query from. The source address has to be present
|
|
on an interface of the host running drill.
|
|
|
|
.TP
|
|
\fB\-V \fIlevel\fR
|
|
Be more verbose. Set level to 5 to see the actual query that is sent.
|
|
|
|
.TP
|
|
\fB\-Q
|
|
Quiet mode, this overrules -V.
|
|
|
|
.TP
|
|
\fB\-f \fIfile\fR
|
|
Read the query from a file. The query must be dumped with -w.
|
|
|
|
.TP
|
|
\fB\-i \fIfile\fR
|
|
read the answer from the file instead from the network. This aids
|
|
in debugging and can be used to check if a query on disk is valid.
|
|
If the file contains binary data it is assumed to be a query in
|
|
network order.
|
|
|
|
.TP
|
|
\fB\-w \fIfile\fR
|
|
Write an answer packet to file.
|
|
|
|
.TP
|
|
\fB\-q \fIfile\fR
|
|
Write the query packet to file.
|
|
|
|
.TP
|
|
\fB\-v
|
|
Show drill's version.
|
|
|
|
.TP
|
|
\fB\-h
|
|
Show a short help message.
|
|
|
|
.SS QUERY OPTIONS
|
|
|
|
.TP
|
|
\fB\-4
|
|
Stay on ip4. Only send queries to ip4 enabled nameservers.
|
|
|
|
.TP
|
|
\fB\-6
|
|
Stay on ip6. Only send queries to ip6 enabled nameservers.
|
|
|
|
.TP
|
|
\fB\-a
|
|
Use the resolver structure's fallback mechanism if the answer
|
|
is truncated (TC=1). If a truncated packet is received and this
|
|
option is set, drill will first send a new query with EDNS0
|
|
buffer size 4096.
|
|
|
|
If the EDNS0 buffer size was already set to 512+ bytes, or the
|
|
above retry also results in a truncated answer, the resolver
|
|
structure will fall back to TCP.
|
|
|
|
.TP
|
|
\fB\-b \fIsize\fR
|
|
Use size as the buffer size in the EDNS0 pseudo RR.
|
|
|
|
.TP
|
|
\fB\-c \fIfile\fR
|
|
Use file instead of /etc/resolv.conf for nameserver configuration.
|
|
|
|
.TP
|
|
\fB\-d \fIdomain\fR
|
|
When tracing (-T), start from this domain instead of the root.
|
|
|
|
.TP
|
|
\fB\-t
|
|
Use TCP/IP when querying a server
|
|
|
|
.TP
|
|
\fB\-k \fIkeyfile\fR
|
|
Use this file to read a (trusted) key from. When this options is
|
|
given \fBdrill\fR tries to validate the current answer with this
|
|
key. No chasing is done. When \fBdrill\fR is doing a secure trace, this
|
|
key will be used as trust anchor. Can contain a DNSKEY or a DS record.
|
|
|
|
Alternatively, when DNSSEC enabled tracing (\fB-TD\fR) or signature
|
|
chasing (\fB-S\fR), if \fB-k\fR is not specified, and a default trust anchor
|
|
(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
|
|
it will be used as the trust anchor.
|
|
|
|
.TP
|
|
\fB\-o \fImnemonic\fR
|
|
Use this option to set or unset specific header bits. A bit is
|
|
set by using the bit mnemonic in CAPITAL letters. A bit is unset when
|
|
the mnemonic is given in lowercase. The following mnemonics are
|
|
understood by \fBdrill\fR:
|
|
|
|
QR, qr: set, unset QueRy (default: on)
|
|
AA, aa: set, unset Authoritative Answer (default: off)
|
|
TC, tc: set, unset TrunCated (default: off)
|
|
RD, rd: set, unset Recursion Desired (default: on)
|
|
CD, cd: set, unset Checking Disabled (default: off)
|
|
RA, ra: set, unset Recursion Available (default: off)
|
|
AD, ad: set, unset Authenticated Data (default: off)
|
|
|
|
Thus: \fB-o CD\fR, will enable Checking Disabled, which instructs the
|
|
cache to not validate the answers it gives out.
|
|
|
|
.TP
|
|
\fB\-p \fIport\fR
|
|
Use this port instead of the default of 53.
|
|
|
|
.TP
|
|
\fB\-r \fIfile\fR
|
|
When tracing (-T), use file as a root servers hint file.
|
|
|
|
.TP
|
|
\fB\-s
|
|
When encountering a DNSKEY print the equivalent DS also.
|
|
|
|
.TP
|
|
\fB\-u
|
|
Use UDP when querying a server. This is the default.
|
|
|
|
.TP
|
|
\fB\-w \fIfile\fR
|
|
write the answer to a file. The file will contain a hexadecimal dump
|
|
of the query. This can be used in conjunction with -f.
|
|
|
|
.TP
|
|
\fB\-x
|
|
Do a reverse loopup. The type argument is not used, it is preset to PTR.
|
|
|
|
.TP
|
|
\fB\-y \fI<name:key[:algo]>\fR
|
|
specify named base64 tsig key, and optional an algorithm (defaults to hmac-md5.sig-alg.reg.int)
|
|
|
|
.TP
|
|
\fB\-z \fR
|
|
don't randomize the nameserver list before sending queries.
|
|
|
|
.SH "EXIT STATUS"
|
|
The exit status is 0 if the looked up answer is secure and trusted,
|
|
or insecure.
|
|
The exit status is not 0 if the looked up answer is untrusted or bogus,
|
|
or an error occurred while performing the lookup.
|
|
|
|
.SH "FILES"
|
|
.TP
|
|
@LDNS_TRUST_ANCHOR_FILE@
|
|
The file from which trusted keys are loaded when no \fB-k\fR option is given.
|
|
.SH "SEE ALSO"
|
|
.LP
|
|
unbound-anchor(8)
|
|
|
|
.SH AUTHOR
|
|
Jelte Jansen and Miek Gieben. Both of NLnet Labs.
|
|
|
|
.SH REPORTING BUGS
|
|
Report bugs to <ldns-team@nlnetlabs.nl>.
|
|
|
|
.SH BUGS
|
|
|
|
.SH COPYRIGHT
|
|
Copyright (c) 2004-2008 NLnet Labs.
|
|
Licensed under the revised BSD license. There is NO warranty; not even for MERCHANTABILITY or
|
|
FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
.SH SEE ALSO
|
|
\fBdig\fR(1), \fIRFC403{3,4,5}\fR.
|