Skip to content
Yet another DNS query tracing/analysis tool written in Go
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
cache Initial commit for Github repo. May 22, 2019
hints Initial commit for Github repo. May 22, 2019
.gitignore Initial commit for Github repo. May 22, 2019
LICENSE Add LICENSE. May 22, 2019 fix install command May 22, 2019
main.go Initial commit for Github repo. May 22, 2019


GitHub license GitHub release Build Status


dnstrace is yet another DNS query/response tracing tool. Its purpose is to emulate iterative (with RD flag being unset) DNS queries usually being sent from any DNS recursor and traverse DNS authoritative hierarchy in search for the given query name and query type, assuming IN class. It will display every query and response, indicating reasons (delegations, CNAME following, missing glue etc.) for any new sub-query and additionally displaying individual and total response time.

EDNS is supported (with 4096 message payload size), as well as TCP failover in case of UDP communication issues (truncated messages and/or timeouts). When using EDNS it is also possible to manually (or automatically through Ipify) specify Client-Subnet option to test for Geo-aware DNS responses.

It is also possible to set Recursion Desired flag which essentially disables DNS tracing and relies on local resolver (from /etc/resolver.conf) or remote DNS cache/resolver to perform all iterative queries and return the final result.



There are two ways of installing dnstrace:


Download your preferred flavor from the releases page and install manually.

Using go get

go get



Usage: ./dnstrace [option] [qtype] qname [@server]
  -client string
    	Sends EDNS Client Subnet option with specified IP address
    	Enable EDNS support in queries (default true)
    	Fallback to 4K UDP message buffer size and then to TCP (default true)
    	Ignore tracing sub-requests when missing glue
  -port int
    	Use to send DNS queries to non-standard ports (default 53)
    	Toggle RD (recursion desired) flag in queries
    	Use TCP when querying DNS servers

NB: Nameserver (@server) will be ignored if not using recurse flag and random root nameserver will be used instead.
Client option (-client) accepts "external" keyword and will use to get your public IP.  When using recurse (-recurse)
flag, if nameserver is not specified (@server), system resolver (from /etc/resolv.conf) will be used.  All boolean flags
accept true or false arguments, for instance "-edns=false"

This tool is typically used to establish worst-case scenario RTT for iterative queries being sent from resolvers and
doesn't necessarily reflect real life.

Typical use case is to specify one or more qtypes (MX, A, NS etc.) and one or more qnames (for example,, etc.). When there is no qtype specified, A is assumed. If temporary result is CNAME and qtype is A, dnstrace will attempt to follow CNAME to the target. Internet qclass (IN) is assumed at all times.

It is possible to override default flag values by specifiying values, for example -edns=false or -client=

Typical use case would be:

dnstrace a

Then we are not interested in seeing sub-queries being sent to resolve missing glue for NS delegations, -ignoresub flag can be used.

Bugs, feature requests, etc.

Please open a PR or report an issue. Thanks!

You can’t perform that action at this time.