dig

# lookup
drill -t -p 443 djh.im @208.67.220.220 # tcp, custom port, custom dns server(@)

# trace
drill -TD apple.com # w DNSSEC
drill -T apple.com # w/o DNSSEC

• drill doesn't aim to be a 100% drop-in replacement for dig
  • drill -Q works similar to dig +short
  • Does not have +multiline like dig

getent hosts apple.com # get shit from /etc/hosts, this is what you'd get if you type the same in firefox

• Gets you stuff from nsswitch, unlike dig/nslookup which query a dns nameserver.
• This is what you want to see if you made changes to /etc/hosts

• Some services use TXT records for domain validation
• Now domain validation using txt records is debatable
  • Suggestion is to use opaque token and do linear search of all txt records on verification side instead of txt record value to be something like name=value_token
  • But using opaque token, as a webmaster you loose track of what that opaque token even refers to!

• Just use drill txt stripe.com, Example.

  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 34543
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; stripe.com.	IN	TXT
  
  ;; ANSWER SECTION:
  stripe.com.	600	IN	TXT	"3l1wm9pqffwmrbvq2f5tbwjwtb8gjbr7"
  stripe.com.	600	IN	TXT	"MS=ms80697640"
  stripe.com.	600	IN	TXT	"apple-domain-verification=8kIS0gmJTvILWQuI"
  stripe.com.	600	IN	TXT	"atlassian-domain-verification=upLp21qQgja1aHG2gnAb1AmXRqb/zG0UK1a0n3zTSXZg5DgOSttR3i5uzA3T9Cdk"
  stripe.com.	600	IN	TXT	"docker-verification=ccde1a0d-8d2c-44b5-9d20-6c4e19113fc9"
  stripe.com.	600	IN	TXT	"google-site-verification=PrlpJHdk11CIkPsiXoHEAJevWHAk39JRFAqVSe9l7n0"
  stripe.com.	600	IN	TXT	"google-site-verification=ZgGi2-xDdfnaWxdfjn5AqtUS11jKWqSXAV_EHODFzdE"
  

See (All) DNS Resource Records

# drill -Q <record_name> <record_name>.dns.netmeister.org.
# drill -Q txt <record_name>.dns.netmeister.org.
# eg.
drill -Q a a.dns.netmeister.org.
drill -Q txt a.dns.netmeister.org. # 2 txt recs