dnslarp
Author: v3ga
dnslarp is a portable Go CLI for DNS and network diagnostics with authorized assessment workflows. It is built for operators who need terminal-first visibility into DNS records, resolver behavior, DNSSEC posture, authoritative delegation, propagation, IP ownership, TCP reachability, TLS certificates, HTTP endpoint behavior, health findings, and report output.
dnslarp is intended only for domains, resolvers, and infrastructure that you own, administer, or are explicitly authorized to test.
Capabilities
- Record lookup over UDP, TCP, DNS-over-TLS, and DNS-over-HTTPS
- IP address and hostname inspection with scope classification, PTR lookup, and optional RDAP ownership lookup
- Authorized bounded TCP port reachability checks with CIDR expansion limits, port-count limits, rate limits, and concurrency limits
- TLS certificate and negotiated connection inspection
- HTTP status, redirect, header, latency, body-size, and TLS metadata inspection
- A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA, PTR, DS, DNSKEY, RRSIG, NSEC, NSEC3, TLSA, SVCB, and HTTPS queries
- EDNS0 buffer sizing and DNSSEC DO-bit support
- IDNA and punycode normalization
- Iterative delegation trace from root nameservers
- Resolver benchmarking with warmup, rate limiting, concurrency limits, percentiles, success rate, timeout rate, SERVFAIL rate, NXDOMAIN consistency, and ranking
- Propagation checks across resolver sets with expected answer matching
- DNSSEC material inspection and validation-state reporting through resolver-authenticated data and DNSSEC RR evidence
- Domain health audit with scored findings, authoritative reachability probes, lame delegation detection, recursion exposure checks, SOA serial spread detection, TTL analytics, mail posture checks, DNSSEC, CAA, SPF, DMARC, DKIM selector checks, wildcard detection, address leakage checks, and remediation text
- Terminal pulse dashboard across multiple domains and resolvers
- Explicitly gated AXFR testing for authorized zones
- Streaming monitor mode with Ctrl-C summary
- Terminal, JSON, YAML, Markdown, and self-contained HTML reporting
- XDG/platform-aware configuration
- Runtime doctor checks for configuration and resolver reachability
- Shell completion generation for bash, zsh, and fish
Safety Model
dnslarp fails closed for sensitive assessment actions. AXFR requires both --axfr and --i-am-authorized. TCP port reachability checks require --i-am-authorized. The tool validates timeout, retry, rate, concurrency, transport, resolver, record type, EDNS0 size, port list, CIDR expansion, and domain input before network operations.
dnslarp does not attempt to bypass access controls. It does not hide resolver, authoritative, transport, or timeout failures. Failed checks are reported as evidence.
Install
git clone https://git.nadeko.net/legs/dnslarp
cd dnslarp
make build
sudo make install
Direct build:
make build
Release builds:
make release
make checksums
Quickstart
dnslarp lookup example.com -t A -t AAAA --resolver 1.1.1.1
dnslarp lookup example.com -t A --transport doh --resolver https://cloudflare-dns.com/dns-query
dnslarp trace example.com -t A
dnslarp health example.com --transport doh --resolver https://cloudflare-dns.com/dns-query
dnslarp pulse example.com cloudflare.com --transport doh
dnslarp bench --domain example.com --domain cloudflare.com --transport doh
dnslarp report example.com --format html --output dnslarp-report.html --transport doh
dnslarp doctor --transport doh
dnslarp ip 1.1.1.1 --rdap
dnslarp tls example.com:443
dnslarp http https://example.com
dnslarp ports 192.0.2.10 --ports web --i-am-authorized
Commands
lookup
dnslarp lookup DOMAIN [DOMAIN...] -t TYPE [--resolver RESOLVER]
Queries one or more record types for one or more domains. Output includes resolver, transport, latency, RCODE, flags, answer, authority, additional records, canonical name, and DNSSEC signals.
trace
dnslarp trace DOMAIN -t A
Performs iterative resolution from root servers through referrals. Reports delegation steps, NS records, glue, CNAME hops, response timing, and failure points.
bench
dnslarp bench --domain example.com --domain cloudflare.com --runs 5 --rate 20 --concurrency 8
Benchmarks resolvers with safe defaults. Ranking uses reliability, latency, and SERVFAIL behavior. Output includes min, median, average, p95, p99, max, success rate, timeout rate, SERVFAIL count, NXDOMAIN count, and score.
propagation
dnslarp propagation example.com -t A --expect 93.184.216.34
dnslarp propagation example.com -t A --until-consistent --interval 30s --max-duration 10m
Checks answers across resolver sets. Reports divergence, expected-value mismatches, NXDOMAIN variance, SERVFAIL variance, and consistency state.
dnssec
dnslarp dnssec cloudflare.com --transport doh
Inspects DS, DNSKEY, RRSIG, NSEC, and NSEC3 evidence where available. Reports secure, insecure, bogus, or indeterminate state with reasons.
health
dnslarp health example.com --dkim-selector default
Runs a scored domain health audit. Findings include severity, check name, evidence, and remediation. High or critical findings return exit code 3.
pulse
dnslarp pulse example.com cloudflare.com --transport doh
Runs a terminal operations dashboard across domains and resolvers. It combines health grade, score, severity counts, DNSSEC state, DMARC and CAA posture, authoritative availability, TTL range, resolver telemetry, and record consistency.
records
dnslarp records example.com
dnslarp records example.com --deep
Dumps common DNS record types and groups the result by response data. Deep mode includes extended DNSSEC and reverse-oriented record types.
compare
dnslarp compare example.com -t A --resolver 1.1.1.1 --resolver 8.8.8.8
Compares answers between resolvers. Reports differences by RCODE and normalized answer set.
axfr
dnslarp axfr example.com --server ns1.example.com --axfr --i-am-authorized --output zone.txt
Attempts a zone transfer only when both explicit AXFR and authorization flags are present. If AXFR succeeds, output must be written with --output.
monitor
dnslarp monitor example.com --mode health --interval 1m --max-duration 30m
dnslarp monitor example.com --mode lookup -t A --jsonl
Runs lookup, health, or propagation repeatedly and prints a final summary when interrupted or when the max duration expires.
report
dnslarp report example.com --format markdown --output report.md
dnslarp report example.com --format html --output report.html
Generates terminal, JSON, YAML, Markdown, or self-contained HTML reports with posture score, authoritative probe evidence, record inventory, health findings, DNSSEC state, propagation results, and benchmark summaries.
ip
dnslarp ip 1.1.1.1 --rdap
dnslarp ip example.com
Inspects IP addresses and hostnames. Output includes resolved IP, IP version, address scope, PTR names, and optional RDAP ownership data for public addresses.
ports
dnslarp ports example.com --ports web --i-am-authorized
dnslarp ports 192.0.2.0/30 --ports 22,80,443 --i-am-authorized
Runs bounded TCP reachability checks. This is not a stealth scanner and does not attempt bypass behavior. CIDR expansion is capped at 1024 addresses, port lists are capped at 1000 ports, and global rate/concurrency limits apply.
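A fail-closed input gate of the kind the Safety Model and this ports section describe, written as an added illustration rather than dnslarp's own code: authorization is checked first, then port bounds, then the CIDR size, and nothing is enumerated until every check passes. The ValidatePorts and expandTarget names, the ErrNotAuthorized value and the function shape are assumptions; the 1024-address and 1000-port caps come from the README.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Caps stated in the README: CIDR expansion <= 1024 addresses (2^10), port lists <= 1000 ports.
const maxCIDRHostBits, maxPorts = 10, 1000

// ErrNotAuthorized (hypothetical name) is returned whenever --i-am-authorized is absent.
var ErrNotAuthorized = errors.New("refusing ports check: --i-am-authorized not set")

// ValidatePorts (hypothetical) fails closed: authorization, port bounds and CIDR size
// are all checked before any address is enumerated or any socket is opened.
func ValidatePorts(target string, ports []int, authorized bool) ([]netip.Addr, error) {
	if !authorized {
		return nil, ErrNotAuthorized
	}
	if n := len(ports); n == 0 || n > maxPorts {
		return nil, fmt.Errorf("port count %d outside 1..%d", n, maxPorts)
	}
	for _, p := range ports {
		if p < 1 || p > 65535 {
			return nil, fmt.Errorf("invalid port %d", p)
		}
	}
	return expandTarget(target)
}

// expandTarget accepts one IP or a CIDR prefix. The cap is decided from the prefix
// length, so an oversized range is rejected without ever building a large slice.
func expandTarget(target string) ([]netip.Addr, error) {
	if addr, err := netip.ParseAddr(target); err == nil {
		return []netip.Addr{addr}, nil
	}
	prefix, err := netip.ParsePrefix(target)
	if err != nil {
		return nil, fmt.Errorf("target %q is neither an IP nor a CIDR", target)
	}
	if prefix.Addr().BitLen()-prefix.Bits() > maxCIDRHostBits {
		return nil, fmt.Errorf("%s expands past the %d-address cap", target, 1<<maxCIDRHostBits)
	}
	var out []netip.Addr
	for a := prefix.Masked().Addr(); prefix.Contains(a); a = a.Next() {
		out = append(out, a)
	}
	return out, nil
}
```

A /22 is the largest IPv4 prefix that passes (exactly 1024 addresses); a /21 is refused before any address is generated.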
tls
dnslarp tls example.com:443
dnslarp tls 203.0.113.10:443 --sni example.com
Inspects TLS negotiation and leaf certificate metadata, including protocol version, cipher suite, verification state, validity window, subject, issuer, and SANs.
http
dnslarp http https://example.com
dnslarp http example.com --method GET --body
Inspects HTTP status, redirect final URL, headers, latency, optional body byte count, and TLS metadata for HTTPS endpoints.
doctor
dnslarp doctor --transport doh
Checks runtime readiness. It validates config path handling, safety limits, resolver syntax, transport behavior, and live resolver reachability against example.com.
config
dnslarp config path
dnslarp config show
dnslarp config set timeout 3s
dnslarp config set resolvers 1.1.1.1,8.8.8.8,9.9.9.9
dnslarp config reset
Configuration is stored through the platform config directory. On Unix-like systems this normally resolves to ~/.config/dnslarp/config.yaml. Set DNSLARP_CONFIG to override the path.
Global Flags
| Flag | Purpose |
|---|---|
| --json | Write JSON output |
| --yaml | Write YAML output |
| --table | Write terminal table output |
| --no-color | Disable color output |
| --timeout | Per-query timeout |
| --retries | Query retries |
| --concurrency | Concurrent operation limit |
| --rate | Query rate limit per second |
| --resolver | Resolver address or DoH endpoint |
| --resolver-file | File containing resolvers |
| --transport | udp, tcp, dot, or doh |
| --i-am-authorized | Authorization affirmation for assessment actions |
| --output | Output file path |
| --verbose | Verbose diagnostics |
| --quiet | Suppress non-result output |
| --edns-size | EDNS0 UDP buffer size |
| --dnssec-do | Set DNSSEC DO bit |
Resolver Presets
dnslarp includes public resolver presets for Cloudflare, Google, Quad9, OpenDNS, AdGuard, Control D, and NextDNS public endpoints where the selected transport is technically supported. For DoH and DoT, defaults are selected from transport-appropriate endpoints.
Output Formats
Terminal output is the default. Use machine-readable output for automation:
dnslarp health example.com --json
dnslarp pulse example.com cloudflare.com --yaml
dnslarp report example.com --format json --output report.json
Completions and Manpage
dnslarp completion bash > completions/dnslarp.bash
dnslarp completion zsh > completions/_dnslarp
dnslarp completion fish > completions/dnslarp.fish
dnslarp manpage > man/dnslarp.1
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success or no serious findings |
| 1 | Operational error |
| 2 | Invalid usage |
| 3 | High or critical health findings |
| 4 | DNSSEC bogus |
| 5 | Timeout threshold exceeded |
Development and Verification
make fmt
make test
make verify
make build
The CI workflow runs tests and a static-ish binary build. Release builds are produced with make release; checksums are produced with make checksums.
Release binaries embed the version, git commit, and UTC build timestamp. Override VERSION, COMMIT, or DATE when reproducing a release build.
Operational Notes
- UDP DNS may be blocked by some networks. Use --transport doh when direct UDP/TCP DNS is unavailable.
- DNSSEC status depends partly on the selected resolver returning authenticated data. dnslarp also reports DNSSEC record evidence so the reason for indeterminate states is visible.
- Authoritative probes require direct access to authoritative nameserver addresses over UDP/53.
- Health findings are diagnostic evidence, not a substitute for change review or zone-owner policy.