Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
dnsviz-probe(1)		    General Commands Manual	       dnsviz-probe(1)

NAME
       dnsviz-probe - issue diagnostic DNS queries

SYNOPSIS
       dnsviz probe [ options ]	[ domain_name... ]

DESCRIPTION
       Perform a series	of diagnostic queries of specified names to either re-
       cursive (default) or authoritative DNS servers, the  results  of	 which
       are  serialized	into  JSON  format.   Its output is used to assess the
       health of DNS deployments,  using,  e.g.,  dnsviz-grok(1)  and  dnsviz-
       graph(1).

       Domain names to be processed may	be passed either as command-line argu-
       ments or	in a file (using the -f	option).  When the -r option is	 used,
       then  the domain	names can simply be implied using the diagnostic query
       input.

       Domain names are	extracted from the diagnostic query input in  conjunc-
       tion  with -r only when -f is not used and no domain names are supplied
       on the command line.  If	the -f option is used, then names may  not  be
       specified on the	command	line.

       The domain names	passed as input	are fully-qualified domain names, such
       as example.com, www.example.com,	 _443._tcp.example.com,	 1.2.0.192.in-
       addr.arpa,  or  8.b.d.0.1.0.0.2.ip6.arpa.   Because  it is implied that
       specified domain	names are fully	qualified, no trailing dot  is	neces-
       sary.

OPTIONS
       -f filename
	      Read names from a	file (one name per line), instead of from com-
	      mand line.

	      If this option is	used, then names may not be specified  on  the
	      command line.

       -d level
	      Set  debug  level	 to  a value from 0 to 3, with increasing ver-
	      bosity.  The default is "2" (informational-level output).

       -r filename
	      Read diagnostic query input from the specified file, instead  of
	      querying servers.	 Specify "-" to	read from standard input.

       -t threads
	      Specify  the  number  of	threads	 to use	for issuing diagnostic
	      queries for different names in parallel.	The default is to exe-
	      cute diagnostic queries of names serially.

       -4     Use IPv4 only.

       -6     Use IPv6 only.

       -b address
	      Specify  a  source IPv4 or IPv6 address for queries, rather than
	      detecting	it.

	      This option can be used more than	once to	supply	both  an  IPv4
	      and an IPv6 address.

	      The use of this option is	sometimes necessary when using a dual-
	      homed machine, and it is desirable to use	the non-default	inter-
	      face for queries.

       -u url Specify  the  URL	(HTTP/HTTPS only) for a	DNS looking glass that
	      will send	the diagnostic queries,	rather than sending  them  lo-
	      cally.

		     Examples:

			    Issue  DNS	queries	from www.example.com using the
			    cgi	script dnsviz-lg.cgi:
			    http://www.example.com/cgi-bin/dnsviz-lg.cgi

			    Same, but use HTTP Basic authentication:
			    http://username:password@www.example.com/cgi-
			    bin/dnsviz-lg.cgi

	      Note that	a looking glass	that uses https	is only	supported when
	      using python version 2.7.9 or greater.

       -k     When -u is used to specify the URL of a DNS looking glass, don't
	      verify the server-side TLS cert.

       -a ancestor
	      Issue  diagnostic	queries	of each	domain name through the	speci-
	      fied ancestor.  The default for recursive	mode is	"." (i.e., is-
	      sue queries all the way to the root).   The default for authori-
	      tative mode (i.e., with -A) is the domain	name itself.

       -R type[,type...]
	      Issue diagnostic queries for only	the specified  type(s)	(e.g.,
	      A,  AAAA).   The default is to pick query	types based on the na-
	      ture of the name (e.g., the number of labels, whether  it	 is  a
	      subdomain	of .arpa, labels indicating association	to TLSA	or SRV
	      records, etc.) and whether there are NS records detected	(i.e.,
	      it is a zone).

       -s server[,server...]
	      Designate	one or more servers for	recursive queries, rather than
	      using those specified in /etc/resolv.conf.

	      Each server specified may	either be an address (IPv4 or IPv6), a
	      domain  name  (which  will  be  resolved to an address using the
	      standard resolution process), or both, using the syntax name=ad-
	      dress.   Note that when both a name and an address are specified
	      (name=address), the name is only used  for  identification  pur-
	      poses,  and  it  doesn't matter whether the name resolves	to the
	      corresponding address (or	at all,	for that  matter).   IPv6  ad-
	      dresses	 must	be   wrapped   in   square   brackets,	 e.g.,
	      "[2001:db8::1]".

	      Each server value	may optionally be suffixed with	a numeric port
	      on  which	the server should be contacted.	 If not	specified, the
	      standard DNS port, 53, is	used.

	      The following are	example	server values:

		     ns1.example.com
		     ns1.example.com:5333
		     ns1.example.com=192.0.2.1
		     ns1.example.com=[2001:db8::1]
		     ns1.example.com=[2001:db8::1]:5333
		     192.0.2.1

	      This option cannot be used in conjunction	with -A.

       -A     Query authoritative servers, rather than (the default) recursive
	      servers.

       -x domain[+]:server[,server...]
	      Explicitly  designate authoritative servers for a	domain,	rather
	      than learning them by following delegations.  This  option  dic-
	      tates  which  servers  will  be  queried	for  a domain, but the
	      servers specified	will not be used to check NS  or  glue	record
	      consistency with the child; for that behavior, see -N.

	      The default behavior is to identify and query servers authorita-
	      tive for ancestors of the	specified domain, if other options  so
	      dictate.	 However,  if  the  domain  ends  in "+", then queries
	      aren't issued for	servers	authoritative for ancestor domains  of
	      the domain.  For example,	with the following command:

		     dnsviz  probe  -A	-x  example.com:ns1.example.com	 exam-
		     ple.com

	      the com servers will be queried for DS records for  example.com.
	      However, if the following	is used:

		     dnsviz  probe  -A	-x  example.com+:ns1.example.com exam-
		     ple.com

	      no queries are performed at com servers or above,	 including  DS
	      records for example.com.

	      See  -s  for  the	syntax used for	designating servers.  However,
	      unlike the -s option, a zone file	may be specified in lieu of  a
	      server  name  and/or  address,  in  which	 case  an  instance of
	      named(8) is started, the zone is served from that	instance,  and
	      queries  for  the	 domain	 are directed to the local instance of
	      named(8) serving that zone.  For example,	if example.com.zone is
	      a	file containing	the contents of	the example.com	zone, the fol-
	      lowing command could be used  to	specify	 that  the  zone  file
	      should be	used:

		     dnsviz  probe  -A	-x  example.com:example.com.zone exam-
		     ple.com

	      This option may be used multiple times on	the command line.

	      This option can only be used in conjunction with -A.

       -N domain:server[,server...]
	      Specify delegation information for a domain, i.e.,  the  NS  and
	      glue  records  for  the domain, which would be served by the do-
	      main's parent.  This is used  for	 testing  new  delegations  or
	      testing a	potential change to a delegation.

	      This option has similar usage to that of the -x option.  The ma-
	      jor difference is	that the server	names supplied comprise	the NS
	      record  set,  and	the addresses supplied represent glue records.
	      Thus if there are	discrepancies between  the  authoritative  re-
	      sponses  for  the	 NS RRset and glue and what is supplied	on the
	      command line, an error will be reported when the output is  sub-
	      sequently	assessed, e.g.,	using dnsviz-grok(1).

	      In  lieu	of  specifying	the  record data itself	on the command
	      line, a file may be specified, which contains the	delegation  NS
	      and glue records for the domain.

       -D domain:ds[,ds...]
	      Specify one or more delegation signer (DS) records for a domain.
	      This is used in conjunction with the -N option for  testing  the
	      introduction or change of	DS records.

	      The  DS  records	themselves are specified using the the textual
	      representation of	their record data.  For	example	the  following
	      DS records for example.com:

		     31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
		     31589			   8			     2
		     CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03
		     E576343C

	      would be specified by passing this value to -D:

		     "31589 8 1	3490A6806D47F17A34C29E2CE80E8A999FFBE4BE,
			31589			     8			     2
		     CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03
		     E576343C"

	      In  lieu	of  specifying	the  record data itself	on the command
	      line, a file may be specified, which contains  the  DS  records.
	      For example:

		     dnsviz probe -D example.com:dsset-example.com.

	      This option must be used in conjunction with the -N option.

       -n     Use the NSID EDNS	option with every DNS query issued.

       -e subnet[:prefix]
	      Use  the	EDNS Client Subnet option with every DNS query issued,
	      using the	specified subnet and prefix as values.	If  prefix  is
	      not specified, the prefix	is the length of the entire address.

       -E     Include  diagnostic DNS queries that can assess EDNS compatibil-
	      ity of servers.

	      If this option is	used, each server probed will be queried  with
	      "future"	EDNS  settings,	 the respective	responses can later be
	      assessed for proper behavior.   These  settings  include	future
	      EDNS versions (i.e., > 0), unknown options, and unknown flags.

       -o filename
	      Write  the  output  to the specified file	instead	of to standard
	      output, which is the default.

       -p     Make JSON	output "pretty"	instead	of minimal (i.e., using	inden-
	      tation  and  newlines).	Note that this is the default when the
	      output is	a TTY.

       -h     Display the usage	and exit.

EXIT CODES
       The exit	codes are:

       0      Program terminated normally.

       1      Incorrect	usage.

       2      The network was unavailable for diagnostic queries.

       3      There was	an error processing the	input or saving	the output.

       4      Program execution	was interrupted, or an unknown error ocurred.

SEE ALSO
       dnsviz(1), dnsviz-grok(1),  dnsviz-graph(1),  dnsviz-print(1),  dnsviz-
       query(1)

0.6.5				  18 Nov 2016		       dnsviz-probe(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXIT CODES | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=dnsviz-probe&sektion=1&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help