Program: pydig (a DNS query tool written in Python)
Version: 1.00
Written by: Shumon Huque <shuque@gmail.com>
Description:
A small python program to perform DNS queries. It works mostly
similarly to the dig program that comes with Bind. I wrote it
mostly for fun, while trying to understand DNSSEC. And in general,
for most queries, there is no reason to use it in preference to
dig. However, it does a few things differently that I needed from
time to time, such as: optionally presenting a hexdump of the
resource data rather than decoding it; decoding the exponent in
a RSA/SHA-1 DNSKEY; printing out names of DNSSEC related crypto
hashes, algorithms and algorithm parameters, key sizes; counting
how many compression references were followed; implementing the
0x20 bit case randomization hack; providing more detailed statistics
on TSIG authenticated zone transfers, reporting query/response size
amplification factor, etc. It also has an option to walk a DNSSEC
secured zone and enumerate all its resource records - this obviously
only works on NSEC zones.
RR type and class codes (qtype and qclass) unknown to this
program can be specified with the TYPE123 and CLASS123 syntax.
Usage:
pydig [list of options] <qname> [<qtype>] [<qclass>]
pydig @server +walk <zone>
Options:
-h print program usage information
@server server to query
-pNN use port NN
-bIP use IP as source IP address
+tcp send query via TCP
+aaonly set authoritative answer bit
+cdflag set checking disabled bit
+norecurse set rd bit to 0 (recursion not desired)
+edns0 use EDNS0 with 4096 octet UDP payload
+dnssec request DNSSEC RRs in response
+hex print hexdump of rdata field
+walk walk (enumerate) a DNSSEC secured zone
+0x20 randomize case of query name (bit 0x20 hack)
-4 perform queries with IPv4
-6 perform queries with IPv6
-d request additional debugging output
-k/path/to/keyfile use TSIG key in specified file
-iNNN use specified message id
-tNNN use this TSIG timestamp (secs since epoch)
-y<alg>:<name>:<key> use specified TSIG alg, name, key
Example usage:
pydig www.example.com
pydig www.example.com A
pydig www.example.com A IN
pydig @10.0.1.2 example.com MX
pydig @dns1.example.com _blah._tcp.foo.example.com SRV
pydig @192.168.42.6 +dnssec +norecurse blah.example.com NAPTR
pydig @dns2.example.com -6 +hex www.example.com
pydig @192.168.72.3 +walk secure.example.com
pydig @192.168.14.7 -yhmac-md5:my.secret.key.:YWxidXMgZHVtYmxlZG9yZSByaWNoYXJkIGRhd2tpbnM= example.com axfr
pydig @192.168.14.7 -yhmac-sha256:my.secret.key.:NBGFWFr+rR/uu14B94Ab1+u81M2DTqB65gOv16nG8Xw= example.com axfr
Limitations:
Expects well formed (ie. correct) DNS responses. Otherwise
it will likely generate an exception and terminate itself
ungracefully.
Certain combinations of options don't make any sense (eg.
+tcp and +edns0). pydig doesn't bother to check that, and
just ignores the nonsensical ones. Certain options also
imply other options, eg. +walk and +dnssec imply +edns0.
For TSIG (Transaction Signature) signed messages, the program
supports HMAC-MD5/SHA1/SHA256/SHA384/SHA256. It doesn't yet
support GSS-TSIG.
It does not yet verify signatures in DNSSEC secured data.
It does not perform iterative resolution (eg. dig's +trace).
Pre-requisites:
Python 2.5 (or later)
Platforms:
Tested on the following platforms:
Solaris 8, 9, 10, and 11
Linux 2.x
FreeBSD 9.x
Mac OS X 10.4 through 10.7
and with Python 2.3 - 2.7
Installation:
1. (as root) python setup.py install
Shumon Huque
E-mail: shuque -at- gmail.com
Web: https://www.huque.com/~shuque/
Copyright (c) 2006 - 2014, Shumon Huque.
All rights reserved. This program is free software; you can redistribute
it and/or modify it under the same terms of the GNU General Public License.