drill
Query DNS records
TLDR
Lookup the IP(s) associated with a hostname (A records)
Lookup the mail server(s) associated with a given domain name (MX record)
Get all types of records for a given domain name
Specify an alternate DNS server to query
Perform a reverse DNS lookup on an IP address (PTR record)
Perform DNSSEC trace from root servers down to a domain name
Show DNSKEY record(s) for a domain name
SYNOPSIS
drill [OPTIONS] name [TYPE] [CLASS]
drill [-DDKLSVdfgkoTrst] [-p port] [-o query-option...] [-s address] [-q name] [-i filename] [-y keyname:keyalgo:keydata | keyfile] [name] [@server] [type] [class]
PARAMETERS
-D
Enables displaying the full DNSSEC validation path.
-S
Shows DNSSEC security status, including Authenticated Data (AD) or Checking Disabled (CD) flags.
-H
Performs the DNS query over HTTPS (DoH) for enhanced privacy.
-T
Performs the DNS query over TLS (DoT) for enhanced privacy.
-s
Specifies the IP address or hostname of the DNS server to query instead of the default.
-p
Sets the destination port number for the DNS query (default is 53).
-t
Forces the use of TCP for the DNS query instead of the default UDP.
-r
Disables recursion, setting the RD (Recursion Desired) bit to 0 in the query.
-V
Displays the version information of drill and exits.
-o
Provides a flexible way to add specific query options. Common options include rd (recursion desired), no-rd, short (minimal output), noshort, aa (authoritative answer), etc.
-y
Specifies a TSIG (Transaction Signature) key for authenticated DNS queries or updates. Format can be keyname:keyalgo:keydata or a keyfile.
name
The domain name or IP address to resolve (e.g., example.com).
type
The type of DNS record to query (e.g., A, AAAA, MX, NS, SOA, PTR, SRV). Defaults to A if omitted.
class
The DNS class of the query (e.g., IN for Internet, CH for Chaos). Defaults to IN if omitted.
DESCRIPTION
drill is a command-line utility from the ldns library suite, designed for performing DNS queries. It serves as a modern, lightweight, and often preferred alternative to traditional tools like dig, offering a cleaner and more parseable output format.
It supports a wide range of DNS record types, including A, AAAA, MX, NS, SOA, PTR, SRV, and numerous others. A key strength of drill lies in its robust support for DNSSEC (DNS Security Extensions), allowing users to validate DNS responses and inspect the DNSSEC chain. Furthermore, recent versions include support for encrypted DNS protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH), enhancing privacy and security for DNS lookups. Its simplicity in usage combined with advanced features makes it an invaluable tool for network administrators, security professionals, and developers.
CAVEATS
While drill offers a cleaner interface and strong DNSSEC support, its output format differs from dig's, so users accustomed to traditional DNS tools may need some time to adjust. The availability of advanced features like DNS over TLS (DoT) and DNS over HTTPS (DoH) depends on the version of the ldns library it was compiled against, and they may not be present in older distributions.
DNSSEC FOCUS
One of drill's primary design goals was to provide robust and native support for DNSSEC, allowing users to easily inspect and validate the authenticity and integrity of DNS responses. It can display the entire DNSSEC validation path, including DS, DNSKEY, RRSIG, and NSEC/NSEC3 records, which is crucial for troubleshooting DNSSEC deployments and understanding the trust chain.
CLEANER OUTPUT
Compared to dig, drill typically produces a more concise and parseable output by default. This makes it particularly well-suited for integration into scripts and automated systems, as it simplifies the programmatic processing of DNS query results. While it offers options for more verbose output, its default behavior prioritizes clarity and essential information.
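As an illustration of the scripted use described above, the following added example (not part of drill or ldns) parses drill's default text output and reports the response code, whether the Authenticated Data (AD) flag is set, and the answer records. The function names and the sample response are constructed for this example, and the parser assumes drill's usual `;; ->>HEADER<<-` and `;; flags:` header lines.

```shell
#!/bin/sh
# Added example; not part of drill or ldns. Parses drill's default text output.

# Print each answer-section record, then one "rcode=... ad=..." status line.
drill_summary() {
    awk '
        # ";; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242"
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "rcode:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
        }
        # ";; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, ..."
        /^;; flags:/ {
            for (i = 3; i <= NF && $i != ";"; i++)
                if ($i == "ad") ad = "yes"
        }
        # ";; ANSWER SECTION:" and similar lines switch the current section
        /^;; [A-Z]+ SECTION:/ { section = $2; next }
        # Resource records: owner TTL class type rdata...
        section == "ANSWER" && NF >= 5 && $0 !~ /^;/ {
            rdata = $5
            for (i = 6; i <= NF; i++) rdata = rdata " " $i
            printf "answer %s %s %s\n", $1, $4, rdata
        }
        END { printf "rcode=%s ad=%s\n", (rcode ? rcode : "unknown"), (ad ? ad : "no") }
    '
}

# Succeeds only for a NOERROR response that carries the AD flag.
drill_is_authenticated() {
    drill_summary | grep -q '^rcode=NOERROR ad=yes$'
}

# Constructed sample: response from a validating resolver (AD set).
sample_validated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com. IN A

;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.10
EOF
}

# Constructed sample: same answer, but the resolver did not validate it.
sample_unvalidated() { sample_validated | sed 's/ ra ad ;/ ra ;/'; }

# Live use (assumes drill is installed): drill -D example.com A | drill_is_authenticated
```

A NOERROR answer without the AD flag looks identical in the answer section, which is why the check reads the flags line rather than the records.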
HISTORY
drill was developed by NLnet Labs as a core component of the ldns library project, an initiative to create a modern, lightweight, and secure DNS library. It emerged as a response to the growing need for a robust command-line DNS tool capable of natively handling DNSSEC validation and providing clearer output than its predecessors. Its evolution has focused on enhancing DNS security and privacy, incorporating features like comprehensive DNSSEC support and, in more recent iterations, encrypted DNS protocols such as DoT and DoH. drill has steadily gained traction among users who prioritize security and a streamlined command-line experience for their DNS lookup needs.