Program: pydig (a DNS query tool written in Python) Version: 1.3.0 Written by: Shumon Huque <shuque@gmail.com> Description: A program to perform DNS queries and exercise various existing and emerging features of the DNS protocol. It works mostly similar to the dig program that comes with ISC BIND. I wrote it mostly for fun, and for helping me to learn more esoteric features of the DNS. Occasionally I use this to quickly prototype proposed enhancements to the DNS. Some of the more recent such features include EDNS client subnet, chain query, cookies, DNS over TLS, and more. RR type and class codes (qtype and qclass) unknown to this program can be specified with the TYPE123 and CLASS123 syntax. Usage: pydig [list of options] <qname> [<qtype>] [<qclass>] pydig @server +walk <zone> Options: -h print program usage information @server server to query -pNN use port NN (default is port 53) -bIP use IP as source IP address +tcp send query via TCP +ignore ignore truncation (don't retry with TCP) +aaonly set authoritative answer bit +cdflag set checking disabled bit +norecurse set rd bit to 0 (recursion not desired) +edns[=N] use EDNS with specified version (default 0) +ednsflags=N set EDNS flags field to N +ednsopt=###[:value] set generic EDNS option +bufsize=NN use EDNS with specified UDP payload size +dnssec request DNSSEC RRs in response +nsid send NSID (Name Server ID) option +expire send an EDNS Expire option +cookie[=xxx] send EDNS cookie option +subnet=addr send EDNS client subnet option +chainquery[=name] send EDNS chain query option +hex print hexdump of rdata field +walk walk (enumerate) a DNSSEC secured zone +0x20 randomize case of query name (bit 0x20 hack) -4 perform queries with IPv4 -6 perform queries with IPv6 -d request additional debugging output -k/path/to/keyfile use TSIG key in specified file -iNNN use specified message id -tNNN use this TSIG timestamp (secs since epoch) -y<alg>:<name>:<key> use specified TSIG alg, name, key +tls=auth|noauth use TLS with|without authentication +tls_port=N use N as the TLS port (default is 853) +tls_fallback Fallback from TLS to TCP on TLS failure +tls_hostname=name Check hostname in TLS server certificate Example usage: pydig www.example.com pydig www.example.com A pydig www.example.com A IN pydig @10.0.1.2 example.com MX pydig @dns1.example.com _blah._tcp.foo.example.com SRV pydig @192.168.42.6 +dnssec +norecurse blah.example.com NAPTR pydig @dns2.example.com -6 +hex www.example.com pydig @192.168.72.3 +walk secure.example.com pydig @192.168.14.7 -yhmac-md5:my.secret.key.:YWxidXMgZHVtYmxlZG9yZSByaWNoYXJkIGRhd2tpbnM= example.com axfr pydig @192.168.14.7 -yhmac-sha256:my.secret.key.:NBGFWFr+rR/uu14B94Ab1+u81M2DTqB65gOv16nG8Xw= example.com axfr pydig @185.49.141.38 +tls=auth +tls_hostname=getdnsapi.net www.ietf.org AAAA Limitations: Certain combinations of options don't make any sense (eg. +tcp and +edns0). pydig doesn't bother to check that, and just ignores the nonsensical ones. Certain options also imply other options, eg. +walk and +dnssec imply +edns0. For TSIG (Transaction Signature) signed messages, the program supports HMAC-MD5/SHA1/SHA256/SHA384/SHA256. It doesn't yet support GSS-TSIG. It decodes but does not yet verify signatures in DNSSEC secured data. It does not perform iterative resolution (eg. dig's +trace). Specific features of TLS depend on the version of Python in use. TLS server certificate verification and hostname verification require quite recent versions of Python 2.7.x. Pre-requisites: Python 2.7 (or later) or Python 3.x Platforms: Tested on the following platforms: Solaris 8, 9, 10, and 11 Linux 2.x FreeBSD 9.x and 10.x Mac OS X 10.4 through 10.7 and with Python 2.7.x and Python 3.x. Installation: 1. (as root) python setup.py install Shumon Huque E-mail: shuque -at- gmail.com Web: https://www.huque.com/ Copyright (c) 2006 - 2016, Shumon Huque. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms of the GNU General Public License.