pydig: a DNS query tool written in Python
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
pydiglib Check content length for HTTPS. Jun 1, 2018
.gitignore Version 1.0. Reorganize into modules. Feb 14, 2015
COPYING Initial commit Jan 1, 2012
README Updates .. May 6, 2018
RFC Misc small updates. May 4, 2018
pydig Version 1.0. Reorganize into modules. Feb 14, 2015
pydig.1 Version 1.4.0 May 5, 2018 Cleanup. May 6, 2018


Program:	pydig (a DNS query tool written in Python)
Version:	1.4.0
Written by:	Shumon Huque <>


	A program to perform DNS queries and exercise various existing
	and emerging features of the DNS protocol. It works mostly 
	similar to the dig program that comes with ISC BIND. I wrote
	it mostly for fun, and for helping me to learn more esoteric
	features of the DNS. Occasionally I use this to quickly prototype
	proposed enhancements to the DNS. Some of the more recent
	such features include EDNS client subnet, chain query, cookies,
	DNS over TLS, EDNS padding, DNS over HTTPS, and more.

	RR type and class codes (qtype and qclass) unknown to this 
	program can be specified with the TYPE123 and CLASS123 syntax.


	pydig [list of options] <qname> [<qtype>] [<qclass>]
	pydig @server +walk <zone>


        -h                        print program usage information
        @server                   server to query
        -pNN                      use port NN (default is port 53)
        -bIP                      use IP as source IP address
        +tcp                      send query via TCP
        +ignore                   ignore truncation (don't retry with TCP)
        +aaonly                   set authoritative answer bit
        +cdflag                   set checking disabled bit
        +adflag                   set authenticated data bit
        +norecurse                set rd bit to 0 (recursion not desired)
        +edns[=N]                 use EDNS with specified version (default 0)
        +ednsflags=N              set EDNS flags field to N
        +ednsopt=###[:value]      set generic EDNS option
        +bufsize=NN               use EDNS with specified UDP payload size
        +dnssec                   request DNSSEC RRs in response
        +nsid                     send NSID (Name Server ID) option
        +expire                   send an EDNS Expire option
        +cookie[=xxx]             send EDNS cookie option
        +subnet=addr              send EDNS client subnet option
	+chainquery[=name]        send EDNS chain query	option
	+padding[=N]              send EDNS padding option (def blocksize 128)
        +hex                      print hexdump of rdata field
        +walk                     walk (enumerate) a DNSSEC secured zone
	+0x20			  randomize case of query name (bit 0x20 hack)
        -4                        perform queries with IPv4
        -6                        perform queries with IPv6
        -d                        request additional debugging output
	-k/path/to/keyfile        use TSIG key in specified file
        -iNNN                     use specified message id
        -tNNN                     use this TSIG timestamp (secs since epoch)
        -y<alg>:<name>:<key>      use specified TSIG alg, name, key
        +tls=auth|noauth          use TLS with|without authentication
        +tls_port=N               use N as the TLS port (default is 853)
        +tls_fallback             Fallback from TLS to TCP on TLS failure
        +tls_hostname=name        Check hostname in TLS server certificate
        +https[=url]              use HTTPS transport with optional URL

IXFR (Incremental Zone Transfer) queries are supported with the syntax
of "IXFR=NNNN" for the <qtype>, where NNNN is the zone serial number.

Example usage:

       pydig A
       pydig A IN
       pydig @ MX
       pydig SRV
       pydig @ +dnssec +norecurse NAPTR
       pydig -6 +hex
       pydig @ +walk
       pydig @ -yhmac-md5:my.secret.key.:YWxidXMgZHVtYmxlZG9yZSByaWNoYXJkIGRhd2tpbnM= axfr
       pydig @ -yhmac-sha256:my.secret.key.:NBGFWFr+rR/uu14B94Ab1+u81M2DTqB65gOv16nG8Xw= axfr
       pydig @ +tls=auth AAAA
       pydig +padding=256 AAAA
       pydig +https A


	For TSIG (Transaction Signature) signed messages, the program
	supports HMAC-MD5/SHA1/SHA256/SHA384/SHA256. It doesn't yet
	support GSS-TSIG.

	It decodes but does not yet verify signatures in DNSSEC secured 

	It does not perform iterative resolution (eg. dig's +trace).

	Specific features of TLS depend on the version of Python in
	use. TLS server certificate verification and hostname 
	verification require quite recent versions of Python.

	HTTPS support requires the "requests" module. If no URL
	is specified via the +https option, then by default Cloudflare's
	DNS over HTTPS server is queried (


	Python 2.7 (or later) or Python 3.x


	1. (as root) python install

Shumon Huque
E-mail: shuque -at-

Copyright (c) 2006 - 2017, Shumon Huque. 
All rights reserved. This program is free software; you can redistribute 
it and/or modify it under the same terms of the GNU General Public License.