Chris's Wiki :: blog/sysadmin/DigOptionsForUsefulTests Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/DigOptionsForUsefulTests?atomcomments
2017-11-27T15:00:18Z
Recent comments in Chris's Wiki :: blog/sysadmin/DigOptionsForUsefulTests.

From 90.135.254.156 on /blog/sysadmin/DigOptionsForUsefulTests
<div class="wikitext"><p>Hmm, I seem to remember <code>drill -T</code> being dropped. Or was it just <code>-TD</code>? Not sure.</p>
<p>Either way, <code>dnstracer -s . $domain</code> is much easier to read.</p>
</div>
2017-11-27T15:00:18Z

By Perry Lorier on /blog/sysadmin/DigOptionsForUsefulTests
<div class="wikitext"><p>DNS servers (or their firewalls) that drop packets with edns0 options are technically violating the spec; they're supposed to ignore unknown options (or return FORMERR if they don't understand edns0 at all). No comfort if you actually need to query them, though. Hopefully having people complain to them that dig doesn't work with their setup will get them to fix it, but that's likely to be a very long-term fix rather than a short-term one.</p>
<p>Recursive resolvers (such as Unbound) have the advantage of state: they can probe and see if the nameserver is likely to respond correctly to various options and decide if they're going to use them or not.</p>
<p>dig also has a trace function: <code>dig +trace www.google.com</code>, which by default lists which server it got what reply from.</p>
<p>Another useful tool when debugging DNS (especially DNSSEC failures) is <a href="http://dnsviz.com/">http://dnsviz.com/</a>.</p>
</div>
2017-11-27T10:00:44Z