Make the dig command more efficient with scripts!

Introduction
Hello, I'm Kita, a third-year engineer.
The dig (Domain Information Groper) command is often used to check domain settings, but how do you use it on a daily basis?
Today, I'd like to introduce some tips on how to use scripts to make the dig command more efficient!
dig command
To reiterate, the dig (Domain Information Groper) command is a handy tool that is essential for infrastructure engineers, as it sends queries to DNS servers such as "What is the IP address of this domain?" and "Where is the mail server?"
We have already introduced the dig command on our blog.
Although the dig command is useful, it has the following two drawbacks:
1. Limitations of type specification:
dig can only query one record type per execution, so even if you list them like "dig domain A MX", only the last specified MX record will actually be queried.
Therefore, if you want to check multiple types, you need to run each type separately.
2. ANY queries have become a mere formality:
Previously, you could retrieve multiple records for a domain by specifying something like "dig beyondjapan.com ANY", but since RFC8482, which was established by the Internet Engineering Task Force, it is now common for implementations to return only a minimal response to ANY queries.
[Examples of ANY failures]
beyondjapan.com. 3600 IN HINFO "RFC8482" ""
* HINFO "RFC8482" is a rejection response from the server saying "We do not provide a bulk response, so please make individual requests."
Automatic continuous queries with scripts
If the dig command cannot retrieve all records at once, you would normally have to manually enter the command multiple times.
However, this becomes more time-consuming as the number of records to be searched increases, and it is also more likely to result in mistakes such as missing a check.
So, this time, we will introduce a way to keep the "survey items (txt)" and the "executable program (script)" in separate files, which saves you the trouble of manually re-entering commands over and over again and lets you accurately retrieve multiple records all at once!
How to execute the script
① Create a list of records you want to investigate.
First, in your local environment (Ubuntu / WSL, etc.), create a text file (records.txt) in which the record types you want to investigate for the target domain are listed on one line each. Move to the directory and prepare it as follows:
vi records.txt
■ Contents of records.txt
A
MX
TXT
NS
② Create an execution script
Next, create a script (dig-check.sh) that automatically reads the list above (records.txt) and runs dig continuously.
*Since the script refers to records.txt by file name only, please create records.txt and dig-check.sh in the same directory to prevent read errors (file not found)!
vi dig-check.sh
■ Contents of dig-check.sh
#!/bin/bash
DOMAIN=$1

# Display an error if no domain name is specified
if [ -z "$DOMAIN" ]; then
    echo "Usage: ./dig-check.sh [Domain name]"
    exit 1
fi

echo "--- Domain: $DOMAIN ---"

# Read and execute records.txt line by line
while IFS= read -r type; do
    # Skip if there is an empty line
    [ -z "$type" ] && continue
    echo "[$type Record]"
    # Quote both values so each reaches dig as a single argument
    dig "$DOMAIN" "$type" +short
    echo ""
done < records.txt
③ Give the script permission to run
The script (dig-check.sh) created in ② is not yet recognized as a file that can be executed.
■ Permission status of the script (dig-check.sh) after creation
-rw-r--r-- 1 root root 453 Feb 26 17:59 dig-check.sh
Type the following command to grant permissions:
chmod +x dig-check.sh
■ Permission status of the script (dig-check.sh) after adjustment
-rwxr-xr-x 1 root root 453 Feb 26 17:59 dig-check.sh
*Since records.txt is a text file, this operation is not necessary
Text file (records.txt): The script only "reads" the contents, so it can run with standard permissions (-rw-r--r--).
Script file (dig-check.sh): Permissions must be set because the OS needs to be given permission (+x: execution permission) to run the script as a program.
④ Specify the domain and execute.
This time, let's execute it using "example.com" as an example.
Now, the items written in records.txt will be output all at once by the script, so you can check the settings in a shorter time!
* ./ means "execute the file in the current directory," so if you are in a different directory, please move to the target directory before executing it.
./dig-check.sh example.com
■ Output results
--- Domain: example.com ---
[A Record]
104.18.27.120
104.18.26.120

[MX Record]
0 .

[TXT Record]
"v=spf1 -all"
"_k2n1y4vw3qtb4skdx9e7dxt97qrmmq9"

[NS Record]
elliott.ns.cloudflare.com.
hera.ns.cloudflare.com.
Notes on script execution
The bulk acquisition script introduced here is merely a tool that checks the items listed in records.txt in order. Therefore, while it is convenient, please be aware of the following two points!
■ Unknown records cannot be found:
For example, if you only list "A/MX" in records.txt, TXT records will not be displayed even if they are set for the target domain.
■ It is not possible to check "everything that is registered":
Due to the structure of DNS, it is difficult to obtain a complete "list of configured records" from the server side.
Therefore, this method is not intended to "obtain all settings when you do not know what is registered," but rather to check multiple pre-specified records more quickly and accurately than manually.
Conclusion
Checking multiple settings with the dig command used to mean typing commands one by one. With a little ingenuity, namely separating the txt file from the script, you can prevent human errors such as missed checks during manual execution, and save a lot of time!
This time we have introduced an example of checking multiple settings for one domain, but in practice there may be situations where you want to check all 10 domains you manage.
In that case, you can prepare an additional domain list (domains.txt) and run the script in a double loop.
I hope to provide a more detailed introduction at a later date!
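A sketch of that double loop, as an added example and not the author's script. It goes one step beyond the article by checking every line of both lists before it reaches dig, so a stray entry beginning with "-", "+" or "@" is skipped instead of being read as a dig option or server. domains.txt and records.txt are the article's file names; DIG_CMD, valid_name, valid_type and check_all are names assumed here.

```sh
#!/bin/sh
# Added example: domains.txt x records.txt double loop with input checks.
# DIG_CMD, valid_name, valid_type and check_all are assumed names.
DIG_CMD=${DIG_CMD:-dig}

# Accept only hostname characters; reject a leading "-", "+", "@" or ".",
# which dig would treat as an option or a server rather than a name.
valid_name() {
    case $1 in
        ''|[-+@.]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Record types are alphanumeric mnemonics (A, MX, TXT, TYPE65, ...).
valid_type() {
    case $1 in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# check_all DOMAINS_FILE RECORDS_FILE
# Prints the results; returns 1 if any line was skipped as invalid.
check_all() {
    rc=0
    while IFS= read -r domain || [ -n "$domain" ]; do
        [ -z "$domain" ] && continue
        if ! valid_name "$domain"; then
            echo "skip invalid domain: $domain" >&2; rc=1; continue
        fi
        echo "--- Domain: $domain ---"
        while IFS= read -r type || [ -n "$type" ]; do
            [ -z "$type" ] && continue
            if ! valid_type "$type"; then
                echo "skip invalid type: $type" >&2; rc=1; continue
            fi
            echo "[$type Record]"
            # -q and -t bind each value to its role; stdin is detached
            # so the command cannot consume the list being read.
            "$DIG_CMD" +short -q "$domain" -t "$type" </dev/null
            echo ""
        done < "$2"
    done < "$1"
    return $rc
}

# Run only when given both lists: ./dig-multi.sh domains.txt records.txt
if [ $# -eq 2 ]; then check_all "$1" "$2"; fi
```

A non-zero exit status means at least one line was skipped, so a missed check shows up instead of passing silently.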
I hope this article was helpful to you.
Thank you for reading to the end.