D. J. Bernstein
Internet publication

Command-line tools to debug DNS configuration

The interfaces for these tools are subject to change.

     dnsqr t fqdn
dnsqr asks for records of type t under the domain name fqdn. It prints the results in a human-readable format, more compact than the dig output format.

t may be a name or number. Currently recognized names: any, a, ns, mx, ptr, txt, cname, soa, hinfo, rp, sig, key, aaaa, axfr. Note that, if you want to perform a zone transfer, you should use axfr-get, not dnsqr axfr.

dnsqr is available in djbdns 1.01 and above.

     dnsq t fqdn s
dnsq sends a non-recursive DNS query to DNS server s for records of type t under the domain name fqdn. It prints the results in a human-readable format.

     tinydns-get t fqdn
     tinydns-get t fqdn ip
tinydns-get is like dnsq, but obtains its results from data.cdb in the current directory, in exactly the same way that tinydns and axfrdns obtain results from data.cdb in their root directories. If ip is provided, it simulates the results of a query from IP address ip; this matters if data.cdb differentiates among clients in different locations.

     dnstrace t fqdn r
dnstrace searches for all DNS servers that can affect the resolution of records of type t under the domain name fqdn, starting from the root server r. You can list more than one root server.

dnstrace uses the standard DNS resolution algorithm, but follows all possible paths in the algorithm. It prints all responses it receives from DNS servers; it also prints warnings about slow servers, dead servers, misdelegated (``lame'') servers, and misformatted packets. dnstrace is similar in spirit to DOC and dnswalk but is much more effective than those tools at debugging resolution problems.

In versions 1.03 and above: You can pipe dnstrace through dnstracesort for human-friendly output. dnstrace can take a long time to run, so standard procedure is to save its output in a file:

     dnstrace any www.aol.com a.root-servers.net > AOL &

Then you can run dnstracesort to see the results so far:

     dnstracesort < AOL | less

The dnstracesort output uses ul codes for boldface and underline; these codes are displayed properly by less. Sample results (converted to HTML):

     dnstrace a mail.lanset.com a.root-servers.net | dnstracesort | less
	(note the bad ns2.lanset.com address from the roots)
     dnstrace a www.nasa.gov a.root-servers.net | dnstracesort | less
	(note the lame server)
     dnstrace a www.netscape.com a.root-servers.net | dnstracesort | less
     dnstrace a www.aol.com a.root-servers.net | dnstracesort | less
     dnstrace a www.aol.com `cat /etc/dnsroots.global` | dnstracesort | less

Beware that, as of January 2001, dnstrace produces more than 5 megabytes of output for the complete trace of cr.yp.to starting from all the root servers. It ends up sending more than 6000 queries to more than 200 different servers.
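
A quick spot check for the misdelegated (lame) servers mentioned above, using dnsq's non-recursive queries against each server a zone is delegated to. This is an added example, not part of djbdns or the original page; the dnsq summary-line layout it matches, the function names and the sample responses are assumptions.

```shell
#!/bin/sh
# Added example (not from djbdns): flag lame servers from dnsq output.
# ASSUMPTION: dnsq prints a summary line such as
#   "97 bytes, 1+1+0+0 records, response, authoritative, noerror"
# The page does not show this layout; adjust the patterns if yours differs.

# Read one dnsq response on stdin; print ok, lame, or noresponse.
classify_dnsq() {
  awk '
    / bytes, .* records/ {
      seen = 1
      if ($0 ~ /, authoritative/) auth = 1
    }
    END {
      if (!seen)     print "noresponse"   # error text only: dead or unreachable
      else if (auth) print "ok"           # server answers for the zone itself
      else           print "lame"         # referral or refusal: misdelegated
    }'
}

# check_delegation zone server...: ask every listed server for the zone's SOA.
# Hypothetical helper; needs dnsq on PATH.
check_delegation() {
  zone=$1; shift
  for s in "$@"; do
    printf '%s %s\n' "$s" "$(dnsq soa "$zone" "$s" 2>&1 | classify_dnsq)"
  done
}

# Constructed sample responses (example.com, documentation addresses).
SAMPLE_OK='6 example.com:
97 bytes, 1+1+0+0 records, response, authoritative, noerror
query: 6 example.com
answer: example.com 2560 SOA a.ns.example.com hostmaster.example.com 1 16384 2048 1048576 2560'
SAMPLE_LAME='6 example.com:
80 bytes, 1+0+1+1 records, response, noerror
query: 6 example.com
authority: com 172800 NS a.gtld.example
additional: a.gtld.example 172800 A 192.0.2.53'
SAMPLE_DEAD='6 example.com:
timed out'

# Run as: script zone server [server ...]
if [ "$#" -ge 2 ]; then
  check_delegation "$@"
fi
```

A server that answers from a cache without the authoritative flag is also reported as lame, which is the right verdict for a name listed in the zone's NS set.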