• Stars
    star
    939
  • Rank 48,667 (Top 1.0 %)
  • Language
    Python
  • License
    BSD 2-Clause "Sim...
  • Created almost 9 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DNS Measurement, Troubleshooting and Security Auditing Toolset

PyPI PyPI Downloads PyPI Docker Pulls GitHub stars

DNS Measurement, Troubleshooting and Security Auditing Toolset

Ever been wondering if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.

You can measure the response time of any given DNS server for arbitrary requests using dnsping. Just like traditional ping utility, it gives you similar functionality for DNS requests.

You can also trace the path your DNS request takes to destination to make sure it is not being redirected or hijacked. This can be done by comparing different DNS queries being sent to the same DNS server using dnstraceroute and observe if there is any difference between the path.

dnseval evaluates multiple DNS resolvers and helps you choose the best DNS server for your network. While it is highly recommended using your own DNS resolver and never trust any third-party DNS server, but in case you need to choose the best DNS forwarder for your network, dnseval lets you compare different DNS servers from performance (latency) and reliability (loss) point of view.

Installation

There are several ways that you can use this toolset. However, using the source code is always recommended.

Source Code

  1. Check out the git repository and install dependencies:
git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag
pip3 install -r requirements.txt
  1. You can alternatively install the package using pip:
pip3 install dnsdiag

Binary Package

From time to time, binary packages will be released for Windows, Mac OS X and Linux. You can grab the latest release from releases page.

Docker

If you don't want to install dnsdiags on your local machine, you may use the docker image and run programs in a container. For example:

docker run --network host -it --rm farrokhi/dnsdiag dnsping.py

dnsping

dnsping pings a DNS resolver by sending an arbitrary DNS query for given number of times. A complete explanation of supported command line flags is shown by using --help. Here are a few useful flags:

  • Using --tcp, --tls and --doh to select transport protocol. Default is UDP.
  • Using --flags to display response flags for each response
  • Using --dnssec to request DNSSEC if available

In addition to UDP, you can ping using TCP, DoT (DNS over TLS) and DoH (DNS over HTTPS) using --tcp, --tls and --doh respectively.

./dnsping.py -c 5 --dnssec --flags --tls -t AAAA -s 9.9.9.9 ripe.net
dnsping.py DNS: 9.9.9.9:853, hostname: ripe.net, proto: TLS, rdatatype: AAAA, flags: RD
169 bytes from 9.9.9.9: seq=1   time=279.805 ms [QR RD RA AD]  NOERROR
169 bytes from 9.9.9.9: seq=2   time=107.237 ms [QR RD RA AD]  NOERROR
169 bytes from 9.9.9.9: seq=3   time=96.747  ms [QR RD RA AD]  NOERROR
169 bytes from 9.9.9.9: seq=4   time=107.782 ms [QR RD RA AD]  NOERROR
169 bytes from 9.9.9.9: seq=5   time=94.713  ms [QR RD RA AD]  NOERROR

--- 9.9.9.9 dnsping statistics ---
5 requests transmitted, 5 responses received, 0% lost
min=94.713 ms, avg=137.257 ms, max=279.805 ms, stddev=79.908 ms

It also displays statistics such as minimum, maximum and average response time as well as jitter (stddev) and lost packets.

There are several interesting use cases for dnsping, including:

  • Comparing response times using different transport protocols (e.g. UDP vs DoH)
  • Measuring how reliable your DNS server is, by measuring Jitter and packet loss
  • Measuring responses times when DNSSEC is enabled using --dnssec

dnstraceroute

dnstraceroute is a traceroute utility to figure out the path that your DNS request is passing through to get to its destination. You may want to compare it to your actual network traceroute and make sure your DNS traffic is not routed to any unwanted path.

In addition to UDP, it also supports TCP as transport protocol, using --tcp flag.

./dnstraceroute.py --expert --asn -C -t A -s 8.8.4.4 facebook.com
dnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A
1	192.168.0.1 (192.168.0.1) 1 ms
2	192.168.28.177 (192.168.28.177) 4 ms
3	192.168.0.1 (192.168.0.1) 693 ms
4	172.19.4.17 (172.19.4.17) 3 ms
5	dns.google (8.8.4.4) [AS15169 GOOGLE, US] 8 ms

=== Expert Hints ===
 [*] public DNS server is next to a private IP address (possible hijacking)

Using --expert will instruct dnstraceroute to print expert hints (such as warnings of possible DNS traffic hijacking).

dnseval

dnseval is a bulk ping utility that sends an arbitrary DNS query to a give list of DNS servers. This script is meant for comparing response time of multiple DNS servers at once.

You can use dnseval to compare response times using different transport protocols such as UDP (default), TCP, DoT and DoH using --tcp, --tls and --doh respectively.

./dnseval.py --dnssec -t AAAA -f public-servers.txt -c10 ripe.net
server                   avg(ms)     min(ms)     max(ms)     stddev(ms)  lost(%)  ttl        flags                  response
----------------------------------------------------------------------------------------------------------------------------
1.0.0.1                  36.906      7.612       152.866     50.672      %0       300        QR -- -- RD RA AD --   NOERROR
1.1.1.1                  7.752       7.512       8.132       0.183       %0       298        QR -- -- RD RA AD --   NOERROR
2606:4700:4700::1001     7.661       7.169       8.102       0.240       %0       297        QR -- -- RD RA AD --   NOERROR
2606:4700:4700::1111     7.802       7.000       8.128       0.312       %0       296        QR -- -- RD RA AD --   NOERROR
195.46.39.39             14.723      7.024       78.239      22.362      %0       300        QR -- -- RD RA -- --   NOERROR
195.46.39.40             7.524       6.972       10.897      1.191       %0       300        QR -- -- RD RA -- --   NOERROR
208.67.220.220           70.519      6.694       180.229     66.516      %0       300        QR -- -- RD RA AD --   NOERROR
208.67.222.222           37.868      6.663       107.601     41.178      %0       300        QR -- -- RD RA AD --   NOERROR
2620:0:ccc::2            31.471      6.768       178.647     56.546      %0       299        QR -- -- RD RA AD --   NOERROR
2620:0:ccd::2            20.651      6.699       145.029     43.702      %0       300        QR -- -- RD RA AD --   NOERROR
216.146.35.35            19.338      6.713       131.198     39.306      %0       300        QR -- -- RD RA AD --   NOERROR
216.146.36.36            107.741     73.421      266.969     58.003      %0       299        QR -- -- RD RA AD --   NOERROR
209.244.0.3              14.717      7.015       80.329      23.058      %0       300        QR -- -- RD RA -- --   NOERROR
209.244.0.4              7.184       7.003       8.197       0.361       %0       300        QR -- -- RD RA -- --   NOERROR
4.2.2.1                  7.040       6.994       7.171       0.052       %0       299        QR -- -- RD RA -- --   NOERROR
4.2.2.2                  14.358      6.968       79.964      23.052      %0       300        QR -- -- RD RA -- --   NOERROR
4.2.2.3                  7.083       6.945       7.265       0.091       %0       299        QR -- -- RD RA -- --   NOERROR
4.2.2.4                  7.103       6.990       7.238       0.086       %0       299        QR -- -- RD RA -- --   NOERROR
4.2.2.5                  7.100       7.025       7.267       0.074       %0       299        QR -- -- RD RA -- --   NOERROR
80.80.80.80              149.924     53.310      247.395     97.311      %0       299        QR -- -- RD RA AD --   NOERROR
80.80.81.81              144.262     53.360      252.564     97.759      %0       298        QR -- -- RD RA AD --   NOERROR
8.8.4.4                  9.196       7.160       10.974      1.484       %0       299        QR -- -- RD RA AD --   NOERROR
8.8.8.8                  7.847       7.056       9.866       0.836       %0       299        QR -- -- RD RA AD --   NOERROR
2001:4860:4860::8844     31.819      7.194       155.761     50.671      %0       299        QR -- -- RD RA AD --   NOERROR
2001:4860:4860::8888     7.773       7.200       9.814       0.777       %0       298        QR -- -- RD RA AD --   NOERROR
9.9.9.9                  21.894      6.670       81.434      30.299      %0       300        QR -- -- RD RA AD --   NOERROR
2620:fe::fe              21.177      6.723       80.046      30.062      %0       300        QR -- -- RD RA AD --   NOERROR

Author

Babak Farrokhi

License

dnsdiag is released under a 2 clause BSD license.