Provided by: dnsviz_0.6.6-1_all 
NAME
dnsviz-probe - issue diagnostic DNS queries
SYNOPSIS
dnsviz probe [ options ] [ domain_name... ]
DESCRIPTION
Perform a series of diagnostic queries of specified names to either recursive (default) or
authoritative DNS servers, the results of which are serialized into JSON format. Its
output is used to assess the health of DNS deployments, using, e.g., dnsviz-grok(1) and
dnsviz-graph(1).
Domain names to be processed may be passed either as command-line arguments or in a file
(using the -f option). When the -r option is used, then the domain names can simply be
implied using the diagnostic query input.
Domain names are extracted from the diagnostic query input in conjunction with -r only
when -f is not used and no domain names are supplied on the command line. If the -f
option is used, then names may not be specified on the command line.
The domain names passed as input are fully-qualified domain names, such as example.com,
www.example.com, _443._tcp.example.com, 1.2.0.192.in-addr.arpa, or
8.b.d.0.1.0.0.2.ip6.arpa. Because it is implied that specified domain names are fully
qualified, no trailing dot is necessary.
OPTIONS
-f filename
Read names from a file (one name per line), instead of from command line.
If this option is used, then names may not be specified on the command line.
-d level
Set debug level to a value from 0 to 3, with increasing verbosity. The default is
"2" (informational-level output).
-r filename
Read diagnostic query input from the specified file, instead of querying servers.
Specify "-" to read from standard input.
-t threads
Specify the number of threads to use for issuing diagnostic queries for different
names in parallel. The default is to execute diagnostic queries of names serially.
-4 Use IPv4 only.
-6 Use IPv6 only.
-b address
Specify a source IPv4 or IPv6 address for queries, rather than detecting it.
This option can be used more than once to supply both an IPv4 and an IPv6 address.
The use of this option is sometimes necessary when using a dual-homed machine, and
it is desirable to use the non-default interface for queries.
-u url Specify the URL (HTTP/HTTPS only) for a DNS looking glass that will send the
diagnostic queries, rather than sending them locally.
Examples:
Issue DNS queries from www.example.com using the cgi script dnsviz-
lg.cgi:
http://www.example.com/cgi-bin/dnsviz-lg.cgi
Same, but use HTTP Basic authentication:
http://username:password@www.example.com/cgi-bin/dnsviz-lg.cgi
Note that a looking glass that uses https is only supported when using python
version 2.7.9 or greater.
-k When -u is used to specify the URL of a DNS looking glass, don't verify the server-
side TLS cert.
-a ancestor
Issue diagnostic queries of each domain name through the specified ancestor. The
default for recursive mode is "." (i.e., issue queries all the way to the root).
The default for authoritative mode (i.e., with -A) is the domain name itself.
-R type[,type...]
Issue diagnostic queries for only the specified type(s) (e.g., A, AAAA). The
default is to pick query types based on the nature of the name (e.g., the number of
labels, whether it is a subdomain of .arpa, labels indicating association to TLSA
or SRV records, etc.) and whether there are NS records detected (i.e., it is a
zone).
-s server[,server...]
Designate one or more servers for recursive queries, rather than using those
specified in /etc/resolv.conf.
Each server specified may either be an address (IPv4 or IPv6), a domain name (which
will be resolved to an address using the standard resolution process), or both,
using the syntax name=address. Note that when both a name and an address are
specified (name=address), the name is only used for identification purposes, and it
doesn't matter whether the name resolves to the corresponding address (or at all,
for that matter). IPv6 addresses must be wrapped in square brackets, e.g.,
"[2001:db8::1]".
Each server value may optionally be suffixed with a numeric port on which the
server should be contacted. If not specified, the standard DNS port, 53, is used.
The following are example server values:
ns1.example.com
ns1.example.com:5333
ns1.example.com=192.0.2.1
ns1.example.com=[2001:db8::1]
ns1.example.com=[2001:db8::1]:5333
192.0.2.1
This option cannot be used in conjunction with -A.
-A Query authoritative servers, rather than (the default) recursive servers.
-x domain[+]:server[,server...]
Explicitly designate authoritative servers for a domain, rather than learning them
by following delegations. This option dictates which servers will be queried for a
domain, but the servers specified will not be used to check NS or glue record
consistency with the child; for that behavior, see -N.
The default behavior is to identify and query servers authoritative for ancestors
of the specified domain, if other options so dictate. However, if the domain ends
in "+", then queries aren't issued for servers authoritative for ancestor domains
of the domain. For example, with the following command:
dnsviz probe -A -x example.com:ns1.example.com example.com
the com servers will be queried for DS records for example.com. However, if the
following is used:
dnsviz probe -A -x example.com+:ns1.example.com example.com
no queries are performed at com servers or above, including DS records for
example.com.
See -s for the syntax used for designating servers. However, unlike the -s option,
a zone file may be specified in lieu of a server name and/or address, in which case
an instance of named(8) is started, the zone is served from that instance, and
queries for the domain are directed to the local instance of named(8) serving that
zone. For example, if example.com.zone is a file containing the contents of the
example.com zone, the following command could be used to specify that the zone file
should be used:
dnsviz probe -A -x example.com:example.com.zone example.com
This option may be used multiple times on the command line.
This option can only be used in conjunction with -A.
-N domain:server[,server...]
Specify delegation information for a domain, i.e., the NS and glue records for the
domain, which would be served by the domain's parent. This is used for testing new
delegations or testing a potential change to a delegation.
This option has similar usage to that of the -x option. The major difference is
that the server names supplied comprise the NS record set, and the addresses
supplied represent glue records. Thus if there are discrepancies between the
authoritative responses for the NS RRset and glue and what is supplied on the
command line, an error will be reported when the output is subsequently assessed,
e.g., using dnsviz-grok(1).
In lieu of specifying the record data itself on the command line, a file may be
specified, which contains the delegation NS and glue records for the domain.
-D domain:ds[,ds...]
Specify one or more delegation signer (DS) records for a domain. This is used in
conjunction with the -N option for testing the introduction or change of DS
records.
The DS records themselves are specified using the the textual representation of
their record data. For example the following DS records for example.com:
31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
31589 8 2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03 E576343C
would be specified by passing this value to -D:
"31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE,
31589 8 2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03
E576343C"
In lieu of specifying the record data itself on the command line, a file may be
specified, which contains the DS records. For example:
dnsviz probe -D example.com:dsset-example.com.
This option must be used in conjunction with the -N option.
-n Use the NSID EDNS option with every DNS query issued.
-e subnet[:prefix]
Use the EDNS Client Subnet option with every DNS query issued, using the specified
subnet and prefix as values. If prefix is not specified, the prefix is the length
of the entire address.
-E Include diagnostic DNS queries that can assess EDNS compatibility of servers.
If this option is used, each server probed will be queried with "future" EDNS
settings, the respective responses can later be assessed for proper behavior.
These settings include future EDNS versions (i.e., > 0), unknown options, and
unknown flags.
-o filename
Write the output to the specified file instead of to standard output, which is the
default.
-p Make JSON output "pretty" instead of minimal (i.e., using indentation and
newlines). Note that this is the default when the output is a TTY.
-h Display the usage and exit.
EXIT CODES
The exit codes are:
0 Program terminated normally.
1 Incorrect usage.
2 The network was unavailable for diagnostic queries.
3 There was an error processing the input or saving the output.
4 Program execution was interrupted, or an unknown error ocurred.
SEE ALSO
dnsviz(1), dnsviz-grok(1), dnsviz-graph(1), dnsviz-print(1), dnsviz-query(1)