[](https://pypi.python.org/pypi/dnsdiag/) []() [](https://pepy.tech/project/dnsdiag) [](https://pepy.tech/project/dnsdiag) []() [](https://hub.docker.com/r/farrokhi/dnsdiag) [](https://github.com/farrokhi/dnsdiag/stargazers)
DNS Measurement, Troubleshooting and Security Auditing Toolset
===============================================================
Have you ever wondered if your ISP is [intercepting your DNS
traffic](https://medium.com/decentralize-today/is-your-isp-hijacking-your-dns-traffic-f3eb7ccb0ee7))?
Have you noticed any unusual behavior in your DNS responses, or been redirected to
the wrong address and suspected something might be off with your DNS? We offer a
suite of tools to perform basic audits on your DNS requests and responses, helping
you ensure your DNS is functioning as expected.
With `dnsping`, you can measure the response time of any DNS server for arbitrary
queries. Similar to the regular ping utility, dnsping offers comparable
functionality for DNS requests, helping you monitor server responsiveness.
You can also trace the route of your DNS request to its destination using
`dnstraceroute`, verifying that it isn't being redirected or intercepted. By
comparing DNS queries sent to the same server, `dnstraceroute` allows you to
observe any differences in the paths taken, alerting you to possible issues.
`dnseval` assesses multiple DNS resolvers to help you choose the best DNS resolver
for your network. While using your own DNS resolver is recommended to avoid
reliance on third-party DNS resolvers, `dnseval` can assist in selecting the
optimal DNS resolver when needed. It lets you compare DNS servers based on
performance (latency) and reliability (packet loss), giving you a comprehensive
view for informed decision-making.
# Installation
There are several ways to use this toolset, though we recommend running it
directly from the source code for optimal flexibility and control.
## Source Code
1. Check out the git repository and install dependencies:
```
git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag
pip3 install -r requirements.txt
```
2. You can alternatively install the package using pip:
```
pip3 install dnsdiag
```
## Using uv (Recommended)
[uv](https://docs.astral.sh/uv/) is a fast Python package manager that can run tools directly without installation:
```bash
# Run dnsping directly without installation
uvx --from dnsdiag dnsping google.com
# Run with specific options
uvx --from dnsdiag dnsping -c 5 --tls -s 8.8.8.8 example.com
# Run dnstraceroute
uvx --from dnsdiag dnstraceroute cloudflare.com
# Run dnseval
uvx --from dnsdiag dnseval -f public-servers.txt github.com
```
To install dnsdiag persistently:
```bash
# Install dnsdiag tools
uv tool install dnsdiag
# Upgrade to the latest version
uv tool upgrade dnsdiag
```
## Binary Package
From time to time, binary packages will be released for Windows, Mac OS X and Linux. You can grab the latest release from [releases page](https://github.com/farrokhi/dnsdiag/releases).
## Docker
If you prefer not to install `dnsdiag` on your local machine, you can use the
Docker image to run the tools in a containerized environment. For example:
```
docker run --network host -it --rm farrokhi/dnsdiag dnsping.py
```
# dnsping
`dnsping` allows you to "ping" a DNS resolver by sending an arbitrary DNS query multiple times. For a full list of supported command-line options, use `--help`. Here are a few key flags:
- Use `--tcp`, `--tls`, `--doh`, `--quic` or `--http3` to select the transport protocol (default is UDP).
- Use `--flags` to display response flags, including EDNS flags, for each response.
- Use `--dnssec` to request DNSSEC validation, if available.
- Extended DNS Error messages ([RFC 8914](https://www.rfc-editor.org/rfc/rfc8914)) are automatically displayed when present.
- Use `--nsid` to display the Name Server Identifier (NSID) if available ([RFC 5001](https://www.rfc-editor.org/rfc/rfc5001)).
- Use `--ecs` to include EDNS Client Subnet information for geographic routing optimization.
- Use `--cookie` to display DNS cookies ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873)) when present in responses.
```shell
./dnsping.py -c 5 --dnssec --flags --tls -t AAAA -s 8.8.8.8 brokendnssec.net
```
```
dnsping.py DNS: 8.8.8.8:853, hostname: brokendnssec.net, proto: TLS, class: IN, type: AAAA, flags: [RD]
75 bytes from 8.8.8.8: seq=1 time=73.703 ms SERVFAIL [QR RD RA -- DO] [EDE:10("For brokendnssec.net/soa")]
75 bytes from 8.8.8.8: seq=2 time=69.523 ms SERVFAIL [QR RD RA -- DO] [EDE:10("For brokendnssec.net/soa")]
75 bytes from 8.8.8.8: seq=3 time=58.058 ms SERVFAIL [QR RD RA -- DO] [EDE:10("For brokendnssec.net/soa")]
75 bytes from 8.8.8.8: seq=4 time=54.235 ms SERVFAIL [QR RD RA -- DO] [EDE:10("For brokendnssec.net/soa")]
75 bytes from 8.8.8.8: seq=5 time=57.806 ms SERVFAIL [QR RD RA -- DO] [EDE:10("For brokendnssec.net/soa")]
--- 8.8.8.8 dnsping statistics ---
5 requests transmitted, 5 responses received, 0% lost
min=54.235 ms, avg=22.665 ms, max=69.523 ms, stddev=38.202 ms
```
`dnsping` also provides statistics such as minimum, maximum, and average
response times, along with jitter (standard deviation) and packet loss.
Here are a few interesting use cases for `dnsping`:
- Comparing response times across different transport protocols (e.g., UDP vs. DoH).
- Evaluating the reliability of your DNS server by measuring jitter and packet loss.
- Measuring response times with DNSSEC enabled using the `--dnssec` flag.
- Testing EDNS Client Subnet behavior for geolocation-aware responses:
```shell
./dnsping.py -c 3 --ecs 203.0.113.0/24 -s 94.140.14.14 google.com
```
```
dnsping.py DNS: 94.140.14.14:53, hostname: google.com, proto: UDP, class: IN, type: A, flags: [RD]
66 bytes from 94.140.14.14: seq=1 time=31.407 ms NOERROR [ECS:203.0.113.0/24/24]
66 bytes from 94.140.14.14: seq=2 time=29.156 ms NOERROR [ECS:203.0.113.0/24/24]
66 bytes from 94.140.14.14: seq=3 time=30.892 ms NOERROR [ECS:203.0.113.0/24/24]
--- 94.140.14.14 dnsping statistics ---
3 requests transmitted, 3 responses received, 0% lost
min=29.156 ms, avg=30.485 ms, max=31.407 ms, stddev=1.176 ms
```
- Identifying DNS servers using the NSID option:
```shell
./dnsping.py -c 2 --nsid -s 8.8.8.8 google.com
```
```
dnsping.py DNS: 8.8.8.8:53, hostname: google.com, proto: UDP, class: IN, type: A, flags: [RD]
68 bytes from 8.8.8.8: seq=1 time=36.399 ms NOERROR [NSID:gpdns-ams]
68 bytes from 8.8.8.8: seq=2 time=32.156 ms NOERROR [NSID:gpdns-ams]
--- 8.8.8.8 dnsping statistics ---
2 requests transmitted, 2 responses received, 0% lost
min=32.156 ms, avg=34.278 ms, max=36.399 ms, stddev=2.122 ms
```
- Testing DNS cookies for enhanced security and cache optimization:
```shell
./dnsping.py -c 2 --cookie -s anyns.pch.net quad9.net
```
```
dnsping.py DNS: anyns.pch.net:53, hostname: quad9.net, proto: UDP, class: IN, type: A, flags: [RD]
82 bytes from anyns.pch.net: seq=1 time=30.552 ms NOERROR [COOKIE:27f609c017bb2ec4ea70de5c68eec3fc39f6a53ee49c55f8]
82 bytes from anyns.pch.net: seq=2 time=24.794 ms NOERROR [COOKIE:719631dd9fcce722d3ac859b68eec3fd2e5430b5c8a7f8cf]
--- anyns.pch.net dnsping statistics ---
2 requests transmitted, 2 responses received, 0% lost
min=24.794 ms, avg=27.673 ms, max=30.552 ms, stddev=4.072 ms
```
# dnstraceroute
`dnstraceroute` is a utility that traces the path of your DNS requests to their
destination. You may want to compare this with your actual network traceroute to
ensure that your DNS traffic is not being routed through any unwanted paths.
`dnstraceroute` supports multiple transport protocols:
- UDP (default) - Traditional DNS queries
- TCP (`--tcp`) - DNS over TCP
- DoQ (`--quic`) - DNS over QUIC (supported by AdGuard DNS)
- DoH3 (`--http3`) - DNS over HTTP/3 (supported by Google DNS and Cloudflare)
```shell
./dnstraceroute.py --expert --asn -C -t A -s 8.8.4.4 facebook.com
```
You can also test modern DNS protocols:
```shell
# Test DNS over QUIC with AdGuard DNS
./dnstraceroute.py --quic -s 94.140.14.14 -c 3 google.com
# Test DNS over HTTP/3 with Google DNS
./dnstraceroute.py --http3 -s 8.8.8.8 -c 3 google.com
```
```
dnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A
1 192.168.0.1 (192.168.0.1) 1 ms
2 192.168.28.177 (192.168.28.177) 4 ms
3 192.168.0.1 (192.168.0.1) 693 ms
4 172.19.4.17 (172.19.4.17) 3 ms
5 dns.google (8.8.4.4) [AS15169 GOOGLE, US] 8 ms
=== Expert Hints ===
[*] public DNS server is next to a private IP address (possible hijacking)
```
Using the `--expert` flag with `dnstraceroute` will enable the display of expert
hints, including warnings about potential DNS traffic hijacking.
# dnseval
`dnseval` is a bulk ping utility that sends arbitrary DNS queries to a specified
list of DNS servers, allowing you to compare their response times
simultaneously.
You can use `dnseval` to evaluate response times across different transport
protocols, including UDP (default), TCP, DoT (DNS over TLS), DoH (DNS over
HTTPS), DoQ (DNS over QUIC), and DoH3 (DNS over HTTP/3) by using the `--tcp`,
`--tls`, `--doh`, `--quic`, and `--http3` flags, respectively.
## Protocol Support Summary
| Tool | UDP | TCP | TLS (DoT) | DoH | DoQ | DoH3 |
|------|-----|-----|-----------|-----|-----|------|
| `dnsping` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| `dnstraceroute` | ✓ | ✓ | - | - | ✓ | ✓ |
| `dnseval` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
*DoQ: DNS over QUIC, DoH3: DNS over HTTP/3*
```shell
./dnseval.py --skip-warmup --dnssec -c10 -f public-servers.txt ripe.net
```
```
server avg(ms) min(ms) max(ms) stddev(ms) lost(%) ttl flags response
---------------------------------------------------------------------------------------------------------------------
1.0.0.1 29.01 14.15 45.36 8.60 %0 300 QR -- -- RD RA AD -- DO NOERROR
1.1.1.1 23.90 18.14 42.07 7.83 %0 300 QR -- -- RD RA AD -- DO NOERROR
1.0.0.2 25.90 21.36 31.58 4.26 %0 300 QR -- -- RD RA AD -- DO NOERROR
1.1.1.2 22.68 18.36 32.15 3.96 %0 300 QR -- -- RD RA AD -- DO NOERROR
1.0.0.3 22.53 18.98 32.52 3.94 %0 300 QR -- -- RD RA AD -- DO NOERROR
1.1.1.3 21.70 20.25 22.97 0.77 %0 299 QR -- -- RD RA AD -- DO NOERROR
2606:4700:4700::1001 21.70 19.13 27.50 2.28 %0 299 QR -- -- RD RA AD -- DO NOERROR
2606:4700:4700::1111 22.63 20.42 30.18 3.13 %0 299 QR -- -- RD RA AD -- DO NOERROR
2606:4700:4700::1002 24.97 20.89 44.63 7.16 %0 299 QR -- -- RD RA AD -- DO NOERROR
2606:4700:4700::1112 23.24 21.37 25.87 1.48 %0 298 QR -- -- RD RA AD -- DO NOERROR
2606:4700:4700::1003 21.68 19.28 24.88 1.65 %0 298 QR -- -- RD RA AD -- DO NOERROR
2606:4700:4700::1113 22.61 19.86 26.09 1.73 %0 299 QR -- -- RD RA AD -- DO NOERROR
195.46.39.39 25.56 16.42 55.37 15.37 %0 300 QR -- -- RD RA -- -- -- NOERROR
195.46.39.40 19.08 16.51 23.86 2.24 %0 300 QR -- -- RD RA -- -- -- NOERROR
2a05:d014:939:3300::39 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response
2a05:d014:939:3300::40 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response
208.67.220.220 30.60 14.54 120.64 31.88 %0 300 QR -- -- RD RA AD -- DO NOERROR
208.67.222.222 21.78 17.42 36.45 6.06 %0 50 QR -- -- RD RA AD -- DO NOERROR
2620:0:ccc::2 29.48 19.23 98.29 24.22 %0 299 QR -- -- RD RA AD -- DO NOERROR
2620:0:ccd::2 22.36 17.90 30.18 3.98 %0 299 QR -- -- RD RA AD -- DO NOERROR
216.146.35.35 172.53 114.46 360.87 71.47 %0 299 QR -- -- RD RA AD -- DO NOERROR
216.146.36.36 187.36 118.21 324.32 59.08 %0 110 QR -- -- RD RA AD -- DO NOERROR
209.244.0.3 46.49 25.23 115.86 28.19 %0 300 QR -- -- RD RA -- -- DO NOERROR
209.244.0.4 58.33 28.09 109.18 29.20 %0 299 QR -- -- RD RA -- -- DO NOERROR
4.2.2.1 64.58 30.21 86.79 30.19 %25 299 QR -- -- RD RA -- -- DO NOERROR
4.2.2.2 40.54 22.69 74.80 20.76 %0 70 QR -- -- RD RA -- -- DO NOERROR
4.2.2.3 90.62 90.62 90.62 0.00 %50 70 QR -- -- RD RA -- -- DO NOERROR
4.2.2.4 31.53 23.80 70.93 14.51 %0 294 QR -- -- RD RA -- -- DO NOERROR
4.2.2.5 24.11 24.05 24.18 0.09 %33 294 QR -- -- RD RA -- -- DO NOERROR
80.80.80.80 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response
80.80.81.81 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response
8.8.4.4 28.35 20.85 39.14 7.24 %0 300 QR -- -- RD RA AD -- DO NOERROR
8.8.8.8 21.22 16.22 24.93 2.39 %0 299 QR -- -- RD RA AD -- DO NOERROR
```
### Author
Babak Farrokhi
- github: [github.com/farrokhi](https://github.com/farrokhi/)
- website: [farrokhi.net](https://farrokhi.net/)
- mastodon: [@farrokhi@unix.family](https://unix.family/@farrokhi)
- twitter: [@farrokhi](https://twitter.com/farrokhi)
### License
dnsdiag is released under a 2 clause BSD license.
Raw data
{
"_id": null,
"home_page": null,
"name": "dnsdiag",
"maintainer": null,
"docs_url": "https://pythonhosted.org/dnsdiag/",
"requires_python": ">=3.10",
"maintainer_email": null,
"keywords": "dns, traceroute, ping, performance",
"author": null,
"author_email": "Babak Farrokhi <babak@farrokhi.net>",
"download_url": "https://files.pythonhosted.org/packages/ca/d9/78cfc5408dff2807f7408179a8e15f7640501bf017dcdd63e04d8a8195a0/dnsdiag-2.9.0.tar.gz",
"platform": null,
"description": "[](https://pypi.python.org/pypi/dnsdiag/) []() [](https://pepy.tech/project/dnsdiag) [](https://pepy.tech/project/dnsdiag) []() [](https://hub.docker.com/r/farrokhi/dnsdiag) [](https://github.com/farrokhi/dnsdiag/stargazers) \n\nDNS Measurement, Troubleshooting and Security Auditing Toolset\n===============================================================\n\nHave you ever wondered if your ISP is [intercepting your DNS\ntraffic](https://medium.com/decentralize-today/is-your-isp-hijacking-your-dns-traffic-f3eb7ccb0ee7))?\nHave you noticed any unusual behavior in your DNS responses, or been redirected to\nthe wrong address and suspected something might be off with your DNS? We offer a\nsuite of tools to perform basic audits on your DNS requests and responses, helping\nyou ensure your DNS is functioning as expected.\n\nWith `dnsping`, you can measure the response time of any DNS server for arbitrary\nqueries. Similar to the regular ping utility, dnsping offers comparable\nfunctionality for DNS requests, helping you monitor server responsiveness.\n\nYou can also trace the route of your DNS request to its destination using\n`dnstraceroute`, verifying that it isn't being redirected or intercepted. By\ncomparing DNS queries sent to the same server, `dnstraceroute` allows you to\nobserve any differences in the paths taken, alerting you to possible issues.\n\n\n`dnseval` assesses multiple DNS resolvers to help you choose the best DNS resolver\nfor your network. While using your own DNS resolver is recommended to avoid\nreliance on third-party DNS resolvers, `dnseval` can assist in selecting the\noptimal DNS resolver when needed. It lets you compare DNS servers based on\nperformance (latency) and reliability (packet loss), giving you a comprehensive\nview for informed decision-making.\n\n\n# Installation\n\nThere are several ways to use this toolset, though we recommend running it\ndirectly from the source code for optimal flexibility and control.\n\n## Source Code\n\n1. Check out the git repository and install dependencies:\n\n```\ngit clone https://github.com/farrokhi/dnsdiag.git\ncd dnsdiag\npip3 install -r requirements.txt\n```\n\n2. You can alternatively install the package using pip:\n\n```\npip3 install dnsdiag\n```\n\n## Using uv (Recommended)\n\n[uv](https://docs.astral.sh/uv/) is a fast Python package manager that can run tools directly without installation:\n\n```bash\n# Run dnsping directly without installation\nuvx --from dnsdiag dnsping google.com\n\n# Run with specific options\nuvx --from dnsdiag dnsping -c 5 --tls -s 8.8.8.8 example.com\n\n# Run dnstraceroute\nuvx --from dnsdiag dnstraceroute cloudflare.com\n\n# Run dnseval\nuvx --from dnsdiag dnseval -f public-servers.txt github.com\n```\n\nTo install dnsdiag persistently:\n\n```bash\n# Install dnsdiag tools\nuv tool install dnsdiag\n\n# Upgrade to the latest version\nuv tool upgrade dnsdiag\n```\n\n## Binary Package\n\nFrom time to time, binary packages will be released for Windows, Mac OS X and Linux. You can grab the latest release from [releases page](https://github.com/farrokhi/dnsdiag/releases).\n\n## Docker\n\nIf you prefer not to install `dnsdiag` on your local machine, you can use the\nDocker image to run the tools in a containerized environment. For example:\n\n```\ndocker run --network host -it --rm farrokhi/dnsdiag dnsping.py\n```\n\n# dnsping\n\n`dnsping` allows you to \"ping\" a DNS resolver by sending an arbitrary DNS query multiple times. For a full list of supported command-line options, use `--help`. Here are a few key flags:\n\n- Use `--tcp`, `--tls`, `--doh`, `--quic` or `--http3` to select the transport protocol (default is UDP).\n- Use `--flags` to display response flags, including EDNS flags, for each response.\n- Use `--dnssec` to request DNSSEC validation, if available.\n- Extended DNS Error messages ([RFC 8914](https://www.rfc-editor.org/rfc/rfc8914)) are automatically displayed when present.\n- Use `--nsid` to display the Name Server Identifier (NSID) if available ([RFC 5001](https://www.rfc-editor.org/rfc/rfc5001)).\n- Use `--ecs` to include EDNS Client Subnet information for geographic routing optimization.\n- Use `--cookie` to display DNS cookies ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873)) when present in responses.\n\n```shell\n./dnsping.py -c 5 --dnssec --flags --tls -t AAAA -s 8.8.8.8 brokendnssec.net\n```\n\n```\ndnsping.py DNS: 8.8.8.8:853, hostname: brokendnssec.net, proto: TLS, class: IN, type: AAAA, flags: [RD]\n75 bytes from 8.8.8.8: seq=1 time=73.703 ms SERVFAIL [QR RD RA -- DO] [EDE:10(\"For brokendnssec.net/soa\")]\n75 bytes from 8.8.8.8: seq=2 time=69.523 ms SERVFAIL [QR RD RA -- DO] [EDE:10(\"For brokendnssec.net/soa\")]\n75 bytes from 8.8.8.8: seq=3 time=58.058 ms SERVFAIL [QR RD RA -- DO] [EDE:10(\"For brokendnssec.net/soa\")]\n75 bytes from 8.8.8.8: seq=4 time=54.235 ms SERVFAIL [QR RD RA -- DO] [EDE:10(\"For brokendnssec.net/soa\")]\n75 bytes from 8.8.8.8: seq=5 time=57.806 ms SERVFAIL [QR RD RA -- DO] [EDE:10(\"For brokendnssec.net/soa\")]\n\n--- 8.8.8.8 dnsping statistics ---\n5 requests transmitted, 5 responses received, 0% lost\nmin=54.235 ms, avg=22.665 ms, max=69.523 ms, stddev=38.202 ms\n```\n\n`dnsping` also provides statistics such as minimum, maximum, and average\nresponse times, along with jitter (standard deviation) and packet loss.\n\nHere are a few interesting use cases for `dnsping`:\n\n- Comparing response times across different transport protocols (e.g., UDP vs. DoH).\n- Evaluating the reliability of your DNS server by measuring jitter and packet loss.\n- Measuring response times with DNSSEC enabled using the `--dnssec` flag.\n- Testing EDNS Client Subnet behavior for geolocation-aware responses:\n\n```shell\n./dnsping.py -c 3 --ecs 203.0.113.0/24 -s 94.140.14.14 google.com\n```\n\n```\ndnsping.py DNS: 94.140.14.14:53, hostname: google.com, proto: UDP, class: IN, type: A, flags: [RD]\n66 bytes from 94.140.14.14: seq=1 time=31.407 ms NOERROR [ECS:203.0.113.0/24/24]\n66 bytes from 94.140.14.14: seq=2 time=29.156 ms NOERROR [ECS:203.0.113.0/24/24]\n66 bytes from 94.140.14.14: seq=3 time=30.892 ms NOERROR [ECS:203.0.113.0/24/24]\n\n--- 94.140.14.14 dnsping statistics ---\n3 requests transmitted, 3 responses received, 0% lost\nmin=29.156 ms, avg=30.485 ms, max=31.407 ms, stddev=1.176 ms\n```\n\n- Identifying DNS servers using the NSID option:\n\n```shell\n./dnsping.py -c 2 --nsid -s 8.8.8.8 google.com\n```\n\n```\ndnsping.py DNS: 8.8.8.8:53, hostname: google.com, proto: UDP, class: IN, type: A, flags: [RD]\n68 bytes from 8.8.8.8: seq=1 time=36.399 ms NOERROR [NSID:gpdns-ams]\n68 bytes from 8.8.8.8: seq=2 time=32.156 ms NOERROR [NSID:gpdns-ams]\n\n--- 8.8.8.8 dnsping statistics ---\n2 requests transmitted, 2 responses received, 0% lost\nmin=32.156 ms, avg=34.278 ms, max=36.399 ms, stddev=2.122 ms\n```\n\n- Testing DNS cookies for enhanced security and cache optimization:\n\n```shell\n./dnsping.py -c 2 --cookie -s anyns.pch.net quad9.net\n```\n\n```\ndnsping.py DNS: anyns.pch.net:53, hostname: quad9.net, proto: UDP, class: IN, type: A, flags: [RD]\n82 bytes from anyns.pch.net: seq=1 time=30.552 ms NOERROR [COOKIE:27f609c017bb2ec4ea70de5c68eec3fc39f6a53ee49c55f8]\n82 bytes from anyns.pch.net: seq=2 time=24.794 ms NOERROR [COOKIE:719631dd9fcce722d3ac859b68eec3fd2e5430b5c8a7f8cf]\n\n--- anyns.pch.net dnsping statistics ---\n2 requests transmitted, 2 responses received, 0% lost\nmin=24.794 ms, avg=27.673 ms, max=30.552 ms, stddev=4.072 ms\n```\n\n\n# dnstraceroute\n\n`dnstraceroute` is a utility that traces the path of your DNS requests to their\ndestination. You may want to compare this with your actual network traceroute to\nensure that your DNS traffic is not being routed through any unwanted paths.\n\n`dnstraceroute` supports multiple transport protocols:\n- UDP (default) - Traditional DNS queries\n- TCP (`--tcp`) - DNS over TCP\n- DoQ (`--quic`) - DNS over QUIC (supported by AdGuard DNS)\n- DoH3 (`--http3`) - DNS over HTTP/3 (supported by Google DNS and Cloudflare)\n\n```shell\n./dnstraceroute.py --expert --asn -C -t A -s 8.8.4.4 facebook.com\n```\n\nYou can also test modern DNS protocols:\n\n```shell\n# Test DNS over QUIC with AdGuard DNS\n./dnstraceroute.py --quic -s 94.140.14.14 -c 3 google.com\n\n# Test DNS over HTTP/3 with Google DNS\n./dnstraceroute.py --http3 -s 8.8.8.8 -c 3 google.com\n```\n\n```\ndnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A\n1\t192.168.0.1 (192.168.0.1) 1 ms\n2\t192.168.28.177 (192.168.28.177) 4 ms\n3\t192.168.0.1 (192.168.0.1) 693 ms\n4\t172.19.4.17 (172.19.4.17) 3 ms\n5\tdns.google (8.8.4.4) [AS15169 GOOGLE, US] 8 ms\n\n=== Expert Hints ===\n [*] public DNS server is next to a private IP address (possible hijacking)\n```\n\nUsing the `--expert` flag with `dnstraceroute` will enable the display of expert\nhints, including warnings about potential DNS traffic hijacking.\n\n# dnseval\n`dnseval` is a bulk ping utility that sends arbitrary DNS queries to a specified\nlist of DNS servers, allowing you to compare their response times\nsimultaneously.\n\nYou can use `dnseval` to evaluate response times across different transport\nprotocols, including UDP (default), TCP, DoT (DNS over TLS), DoH (DNS over\nHTTPS), DoQ (DNS over QUIC), and DoH3 (DNS over HTTP/3) by using the `--tcp`,\n`--tls`, `--doh`, `--quic`, and `--http3` flags, respectively.\n\n## Protocol Support Summary\n\n| Tool | UDP | TCP | TLS (DoT) | DoH | DoQ | DoH3 |\n|------|-----|-----|-----------|-----|-----|------|\n| `dnsping` | \u2713 | \u2713 | \u2713 | \u2713 | \u2713 | \u2713 |\n| `dnstraceroute` | \u2713 | \u2713 | - | - | \u2713 | \u2713 |\n| `dnseval` | \u2713 | \u2713 | \u2713 | \u2713 | \u2713 | \u2713 |\n\n*DoQ: DNS over QUIC, DoH3: DNS over HTTP/3*\n\n```shell\n./dnseval.py --skip-warmup --dnssec -c10 -f public-servers.txt ripe.net\n```\n\n```\nserver avg(ms) min(ms) max(ms) stddev(ms) lost(%) ttl flags response\n---------------------------------------------------------------------------------------------------------------------\n1.0.0.1 29.01 14.15 45.36 8.60 %0 300 QR -- -- RD RA AD -- DO NOERROR\n1.1.1.1 23.90 18.14 42.07 7.83 %0 300 QR -- -- RD RA AD -- DO NOERROR\n1.0.0.2 25.90 21.36 31.58 4.26 %0 300 QR -- -- RD RA AD -- DO NOERROR\n1.1.1.2 22.68 18.36 32.15 3.96 %0 300 QR -- -- RD RA AD -- DO NOERROR\n1.0.0.3 22.53 18.98 32.52 3.94 %0 300 QR -- -- RD RA AD -- DO NOERROR\n1.1.1.3 21.70 20.25 22.97 0.77 %0 299 QR -- -- RD RA AD -- DO NOERROR\n2606:4700:4700::1001 21.70 19.13 27.50 2.28 %0 299 QR -- -- RD RA AD -- DO NOERROR\n2606:4700:4700::1111 22.63 20.42 30.18 3.13 %0 299 QR -- -- RD RA AD -- DO NOERROR\n2606:4700:4700::1002 24.97 20.89 44.63 7.16 %0 299 QR -- -- RD RA AD -- DO NOERROR\n2606:4700:4700::1112 23.24 21.37 25.87 1.48 %0 298 QR -- -- RD RA AD -- DO NOERROR\n2606:4700:4700::1003 21.68 19.28 24.88 1.65 %0 298 QR -- -- RD RA AD -- DO NOERROR\n2606:4700:4700::1113 22.61 19.86 26.09 1.73 %0 299 QR -- -- RD RA AD -- DO NOERROR\n195.46.39.39 25.56 16.42 55.37 15.37 %0 300 QR -- -- RD RA -- -- -- NOERROR\n195.46.39.40 19.08 16.51 23.86 2.24 %0 300 QR -- -- RD RA -- -- -- NOERROR\n2a05:d014:939:3300::39 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response\n2a05:d014:939:3300::40 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response\n208.67.220.220 30.60 14.54 120.64 31.88 %0 300 QR -- -- RD RA AD -- DO NOERROR\n208.67.222.222 21.78 17.42 36.45 6.06 %0 50 QR -- -- RD RA AD -- DO NOERROR\n2620:0:ccc::2 29.48 19.23 98.29 24.22 %0 299 QR -- -- RD RA AD -- DO NOERROR\n2620:0:ccd::2 22.36 17.90 30.18 3.98 %0 299 QR -- -- RD RA AD -- DO NOERROR\n216.146.35.35 172.53 114.46 360.87 71.47 %0 299 QR -- -- RD RA AD -- DO NOERROR\n216.146.36.36 187.36 118.21 324.32 59.08 %0 110 QR -- -- RD RA AD -- DO NOERROR\n209.244.0.3 46.49 25.23 115.86 28.19 %0 300 QR -- -- RD RA -- -- DO NOERROR\n209.244.0.4 58.33 28.09 109.18 29.20 %0 299 QR -- -- RD RA -- -- DO NOERROR\n4.2.2.1 64.58 30.21 86.79 30.19 %25 299 QR -- -- RD RA -- -- DO NOERROR\n4.2.2.2 40.54 22.69 74.80 20.76 %0 70 QR -- -- RD RA -- -- DO NOERROR\n4.2.2.3 90.62 90.62 90.62 0.00 %50 70 QR -- -- RD RA -- -- DO NOERROR\n4.2.2.4 31.53 23.80 70.93 14.51 %0 294 QR -- -- RD RA -- -- DO NOERROR\n4.2.2.5 24.11 24.05 24.18 0.09 %33 294 QR -- -- RD RA -- -- DO NOERROR\n80.80.80.80 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response\n80.80.81.81 0.00 0.00 0.00 0.00 %100 N/A -- -- -- -- -- -- -- -- No Response\n8.8.4.4 28.35 20.85 39.14 7.24 %0 300 QR -- -- RD RA AD -- DO NOERROR\n8.8.8.8 21.22 16.22 24.93 2.39 %0 299 QR -- -- RD RA AD -- DO NOERROR\n```\n\n### Author\n\nBabak Farrokhi \n\n- github: [github.com/farrokhi](https://github.com/farrokhi/)\n- website: [farrokhi.net](https://farrokhi.net/)\n- mastodon: [@farrokhi@unix.family](https://unix.family/@farrokhi)\n- twitter: [@farrokhi](https://twitter.com/farrokhi)\n\n\n### License\n\ndnsdiag is released under a 2 clause BSD license.\n",
"bugtrack_url": null,
"license": null,
"summary": "DNS Measurement, Troubleshooting and Security Auditing Toolset (ping, traceroute)",
"version": "2.9.0",
"project_urls": {
"Homepage": "https://dnsdiag.org/",
"Issues": "https://github.com/farrokhi/dnsdiag/issues",
"Repository": "https://github.com/farrokhi/dnsdiag"
},
"split_keywords": [
"dns",
" traceroute",
" ping",
" performance"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "cad978cfc5408dff2807f7408179a8e15f7640501bf017dcdd63e04d8a8195a0",
"md5": "ce002dceef2e5dabc676c0ec2e2e9517",
"sha256": "b4fab5db2f8880cac82124f69c12238d537a6de1a58f47ea679a400991c8504c"
},
"downloads": -1,
"filename": "dnsdiag-2.9.0.tar.gz",
"has_sig": false,
"md5_digest": "ce002dceef2e5dabc676c0ec2e2e9517",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 43737,
"upload_time": "2025-10-26T09:32:01",
"upload_time_iso_8601": "2025-10-26T09:32:01.595794Z",
"url": "https://files.pythonhosted.org/packages/ca/d9/78cfc5408dff2807f7408179a8e15f7640501bf017dcdd63e04d8a8195a0/dnsdiag-2.9.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-26 09:32:01",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "farrokhi",
"github_project": "dnsdiag",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "aioquic",
"specs": [
[
">=",
"1.2.0"
]
]
},
{
"name": "cryptography",
"specs": [
[
">=",
"42.0.5"
]
]
},
{
"name": "cymruwhois",
"specs": [
[
">=",
"1.6"
]
]
},
{
"name": "dnspython",
"specs": [
[
">=",
"2.8.0"
]
]
},
{
"name": "h2",
"specs": [
[
">=",
"4.1.0"
]
]
},
{
"name": "httpx",
"specs": [
[
">=",
"0.27.0"
]
]
}
],
"lcname": "dnsdiag"
}
JSON
