Skip to content

Commit

Permalink
Help improvements (#117)
Browse files Browse the repository at this point in the history
Improve help messages for better readability and consistency
  • Loading branch information
farrokhi authored Oct 25, 2024
1 parent da56232 commit 51924c6
Show file tree
Hide file tree
Showing 3 changed files with 75 additions and 70 deletions.
105 changes: 55 additions & 50 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,31 +3,35 @@
DNS Measurement, Troubleshooting and Security Auditing Toolset
===============================================================

Ever been wondering if your ISP is [hijacking your DNS traffic](https://medium.com/decentralize-today/is-your-isp-hijacking-your-dns-traffic-f3eb7ccb0ee7)? Ever observed any
misbehavior with your DNS responses? Ever been redirected to wrong address and
suspected something is wrong with your DNS? Here we have a [set of tools](http://github.com/farrokhi/dnsdiag) to
perform basic audits on your DNS requests and responses to make sure your DNS is
working as you expect.

You can measure the response time of any given DNS server for arbitrary requests
using `dnsping`. Just like traditional ping utility, it gives you similar
functionality for DNS requests.

You can also trace the path your DNS request takes to destination to make sure
it is not being redirected or hijacked. This can be done by comparing different
DNS queries being sent to the same DNS server using `dnstraceroute` and observe
if there is any difference between the path.

`dnseval` evaluates multiple DNS resolvers and helps you choose the best DNS
server for your network. While it is highly recommended using your own DNS
resolver and never trust any third-party DNS server, but in case you need to
choose the best DNS forwarder for your network, `dnseval` lets you compare
different DNS servers from performance (latency) and reliability (loss) point
of view.
Have you ever wondered if your ISP is [intercepting your DNS
traffic](https://medium.com/decentralize-today/is-your-isp-hijacking-your-dns-traffic-f3eb7ccb0ee7))?
Have you noticed any unusual behavior in your DNS responses, or been redirected to
the wrong address and suspected something might be off with your DNS? We offer a
suite of tools to perform basic audits on your DNS requests and responses, helping
you ensure your DNS is functioning as expected.

With `dnsping`, you can measure the response time of any DNS server for arbitrary
queries. Similar to the regular ping utility, dnsping offers comparable
functionality for DNS requests, helping you monitor server responsiveness.

You can also trace the route of your DNS request to its destination using
`dnstraceroute`, verifying that it isn't being redirected or intercepted. By
comparing DNS queries sent to the same server, `dnstraceroute` allows you to
observe any differences in the paths taken, alerting you to possible issues.


`dnseval` assesses multiple DNS resolvers to help you choose the best DNS resolver
for your network. While using your own DNS resolver is recommended to avoid
reliance on third-party DNS resolvers, `dnseval` can assist in selecting the
optimal DNS resolver when needed. It lets you compare DNS servers based on
performance (latency) and reliability (packet loss), giving you a comprehensive
view for informed decision-making.


# Installation

There are several ways that you can use this toolset. However, using the source code is always recommended.
There are several ways to use this toolset, though we recommend running it
directly from the source code for optimal flexibility and control.

## Source Code

Expand All @@ -51,23 +55,22 @@ From time to time, binary packages will be released for Windows, Mac OS X and Li

## Docker

If you don't want to install dnsdiags on your local machine, you may use the docker image and run programs in a container. For example:
If you prefer not to install `dnsdiag` on your local machine, you can use the
Docker image to run the tools in a containerized environment. For example:

```
docker run --network host -it --rm farrokhi/dnsdiag dnsping.py
```

# dnsping
dnsping pings a DNS resolver by sending an arbitrary DNS query for given number of times.
A complete explanation of supported command line flags is shown by using `--help`. Here are a few useful flags:

- Using `--tcp`, `--tls` and `--doh` to select transport protocol. Default is UDP.
- Using `--flags` to display response flags (including EDNS flags) for each response
- Using `--dnssec` to request DNSSEC if available
- Using `--ede` to display Extended DNS Error messages ([RFC 8914](https://www.rfc-editor.org/rfc/rfc8914))
- Using `--nsid` to display Name Server Identifier (NSID) if available ([RFC 5001](https://www.rfc-editor.org/rfc/rfc5001))
`dnsping` allows you to "ping" a DNS resolver by sending an arbitrary DNS query multiple times. For a full list of supported command-line options, use `--help`. Here are a few key flags:

In addition to UDP, you can ping using TCP, DoT (DNS over TLS) and DoH (DNS over HTTPS) using `--tcp`, `--tls` and `--doh` respectively.
- Use `--tcp`, `--tls`, or `--doh` to select the transport protocol (default is UDP).
- Use `--flags` to display response flags, including EDNS flags, for each response.
- Use `--dnssec` to request DNSSEC validation if available.
- Use `--ede` to display Extended DNS Error messages ([RFC 8914](https://www.rfc-editor.org/rfc/rfc8914)).
- Use `--nsid` to display the Name Server Identifier (NSID) if available ([RFC 5001](https://www.rfc-editor.org/rfc/rfc5001)).

```shell
./dnsping.py -c 5 --dnssec --flags --tls --ede -t AAAA -s 8.8.8.8 brokendnssec.net
Expand All @@ -86,22 +89,24 @@ dnsping.py DNS: 8.8.8.8:853, hostname: brokendnssec.net, proto: TLS, class: IN,
min=90.882 ms, avg=101.064 ms, max=115.479 ms, stddev=12.394 ms
```

It also displays statistics such as minimum, maximum and average response time as well as
jitter (stddev) and lost packets.
`dnsping` also provides statistics such as minimum, maximum, and average
response times, along with jitter (standard deviation) and packet loss.

Here are a few interesting use cases for `dnsping`:

There are several interesting use cases for dnsping, including:
- Comparing response times across different transport protocols (e.g., UDP vs. DoH).
- Evaluating the reliability of your DNS server by measuring jitter and packet loss.
- Measuring response times with DNSSEC enabled using the `--dnssec` flag.

- Comparing response times using different transport protocols (e.g. UDP vs DoH)
- Measuring how reliable your DNS server is, by measuring Jitter and packet loss
- Measuring responses times when DNSSEC is enabled using `--dnssec`

# dnstraceroute
dnstraceroute is a traceroute utility to figure out the path that your DNS
request is passing through to get to its destination. You may want to compare
it to your actual network traceroute and make sure your DNS traffic is not
routed to any unwanted path.

In addition to UDP, it also supports TCP as transport protocol, using `--tcp` flag.
`dnstraceroute` is a utility that traces the path of your DNS requests to their
destination. You may want to compare this with your actual network traceroute to
ensure that your DNS traffic is not being routed through any unwanted paths.

In addition to UDP, `dnstraceroute` also supports TCP as a transport protocol
when you use the `--tcp` flag.

```shell
./dnstraceroute.py --expert --asn -C -t A -s 8.8.4.4 facebook.com
Expand All @@ -119,17 +124,17 @@ dnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A
[*] public DNS server is next to a private IP address (possible hijacking)
```

Using `--expert` will instruct dnstraceroute to print expert hints (such as
warnings of possible DNS traffic hijacking).
Using the `--expert` flag with `dnstraceroute` will enable the display of expert
hints, including warnings about potential DNS traffic hijacking.

# dnseval
dnseval is a bulk ping utility that sends an arbitrary DNS query to a give list
of DNS servers. This script is meant for comparing response time of multiple
DNS servers at once.
`dnseval` is a bulk ping utility that sends arbitrary DNS queries to a specified
list of DNS servers, allowing you to compare their response times
simultaneously.

You can use `dnseval` to compare response times using different transport
protocols such as UDP (default), TCP, DoT and DoH using `--tcp`, `--tls` and
`--doh` respectively.
You can use `dnseval` to evaluate response times across different transport
protocols, including UDP (default), TCP, DoT (DNS over TLS), and DoH (DNS over
HTTPS) by using the `--tcp`, `--tls`, and `--doh` flags, respectively.

```shell
./dnseval.py --dnssec -t AAAA -f public-servers.txt -c10 ripe.net
Expand Down
36 changes: 18 additions & 18 deletions dnseval.py
Original file line number Diff line number Diff line change
Expand Up @@ -49,24 +49,24 @@

def usage():
print("""%s version %s
usage: %s [-ehmvCTXH] [-f server-list] [-j output.json] [-c count] [-t type] [-p port] [-w wait] hostname
-h --help Show this help
-f --file DNS server list to use (default: system resolvers)
-c --count Number of requests to send (default: 10)
-m --cache-miss Force cache miss measurement by prepending a random hostname
-w --wait Maximum wait time for a reply (default: 2)
-t --type DNS request record type (default: A)
-T --tcp Use TCP instead of UDP
-X --tls Use TLS as transport protocol
-j --json Save results as a JSON formatted file
-H --doh Use HTTPS as transport protols (DoH)
-p --port DNS server port number (default: 53 for TCP/UDP and 853 for TLS)
-S --srcip Query source IP address
-e --edns Enable EDNS0
-D --dnssec Enable 'DNSSEC desired' (DO flag) in requests
-C --color Print colorful output
-v --verbose Print actual dns response
Usage: %s [-ehmvCTXH] [-f server-list] [-j output.json] [-c count] [-t type] [-p port] [-w wait] hostname
-h, --help Display this help message
-f, --file Specify a DNS server list file to use (default: system resolvers)
-c, --count Number of requests to send (default: 10)
-m, --cache-miss Force a cache miss measurement by prepending a random hostname
-w, --wait Set the maximum wait time for a reply in seconds (default: 2)
-t, --type Set the DNS request record type (default: A)
-T, --tcp Use TCP as the transport protocol instead of UDP
-X, --tls Use TLS as the transport protocol
-j, --json Save the results to a specified file in JSON format
-H, --doh Use HTTPS as the transport protocol (DoH)
-p, --port Specify the DNS server port number (default: 53 for TCP/UDP, 853 for TLS)
-S, --srcip Set the query source IP address
-e, --edns Enable EDNS0 in requests
-D, --dnssec Enable the 'DNSSEC desired' (DO flag) in requests
-C, --color Enable colorful output
-v, --verbose Print the full DNS response details
""" % (__progname__, __version__, __progname__))
sys.exit()

Expand Down
4 changes: 2 additions & 2 deletions dnsping.py
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@

def usage():
print("""%s version %s
usage: %s [-46aDeEFhLmqnrvTxXH] [-i interval] [-w wait] [-p dst_port] [-P src_port] [-S src_ip]
Usage: %s [-46aDeEFhLmqnrvTxXH] [-i interval] [-w wait] [-p dst_port] [-P src_port] [-S src_ip]
%s [-c count] [-t qtype] [-C class] [-s server] hostname
-h, --help Show this help message
Expand All @@ -76,7 +76,7 @@ def usage():
-C, --class DNS request record class (default: IN)
-a, --answer Display the first matching answer in rdata, if applicable
-e, --edns Enable EDNS0 and set its options
-E, --ede Display EDE messages, when available
-E, --ede Display EDE (Extended DNS Error) messages, when available
-n, --nsid Enable the NSID bit to retrieve resolver identification (implies EDNS)
-D, --dnssec Enable the DNSSEC desired flag (implies EDNS)
-F, --flags Display response flags
Expand Down

0 comments on commit 51924c6

Please sign in to comment.