unbound-host(1) unbound 1.18.0 unbound-host(1) #
unbound-host(1) unbound 1.18.0 unbound-host(1)
NNAAMMEE #
uunnbboouunndd--hhoosstt - unbound DNS lookup utility
SSYYNNOOPPSSIISS #
uunnbboouunndd--hhoosstt [--CC _c_o_n_f_i_g_f_i_l_e] [--vvddhhrr4466DD] [--cc _c_l_a_s_s] [--tt _t_y_p_e] [--yy _k_e_y] [--ff
_k_e_y_f_i_l_e] [--FF _n_a_m_e_d_k_e_y_f_i_l_e] _h_o_s_t_n_a_m_e
DDEESSCCRRIIPPTTIIOONN #
UUnnbboouunndd--hhoosstt uses the Unbound validating resolver to query for the
hostname and display results. With the --vv option it displays validation
status: secure, insecure, bogus (security failure).
By default it reads no configuration file whatsoever. It attempts to
reach the internet root servers. With --CC an Unbound config file and with
--rr resolv.conf can be read.
The available options are:
_h_o_s_t_n_a_m_e
This name is resolved (looked up in the DNS). If a IPv4 or IPv6
address is given, a reverse lookup is performed.
--hh Show the version and commandline option help.
--vv Enable verbose output and it shows validation results, on every
line. Secure means that the NXDOMAIN (no such domain name),
nodata (no such data) or positive data response validated
correctly with one of the keys. Insecure means that that domain
name has no security set up for it. Bogus (security failure)
means that the response failed one or more checks, it is likely
wrong, outdated, tampered with, or broken.
--dd Enable debug output to stderr. One -d shows what the resolver and
validator are doing and may tell you what is going on. More times,
-d -d, gives a lot of output, with every packet sent and received.
--cc _c_l_a_s_s
Specify the class to lookup for, the default is IN the internet
class.
--tt _t_y_p_e
Specify the type of data to lookup. The default looks for IPv4,
IPv6 and mail handler data, or domain name pointers for reverse
queries.
--yy _k_e_y Specify a public key to use as trust anchor. This is the base for
a chain of trust that is built up from the trust anchor to the
response, in order to validate the response message. Can be given
as a DS or DNSKEY record. For example -y "example.com DS 31560 5
1 1CFED84787E6E19CCF9372C1187325972FE546CD". #
--DD Enables DNSSEC validation. Reads the root anchor from the default
configured root anchor at the default location,
_/_v_a_r_/_u_n_b_o_u_n_d_/_d_b_/_r_o_o_t_._k_e_y.
--ff _k_e_y_f_i_l_e
Reads keys from a file. Every line has a DS or DNSKEY record, in
the format as for -y. The zone file format, the same as dig and
drill produce.
--FF _n_a_m_e_d_k_e_y_f_i_l_e
Reads keys from a BIND-style named.conf file. Only the trusted-key
{}; entries are read.
--CC _c_o_n_f_i_g_f_i_l_e
Uses the specified unbound.conf to prime _l_i_b_u_n_b_o_u_n_d(3). Pass it
as first argument if you want to override some options from the
config file with further arguments on the commandline.
--rr Read /etc/resolv.conf, and use the forward DNS servers from there
(those could have been set by DHCP). More info in _r_e_s_o_l_v_._c_o_n_f(5).
Breaks validation if those servers do not support DNSSEC.
--44 Use solely the IPv4 network for sending packets.
--66 Use solely the IPv6 network for sending packets.
EEXXAAMMPPLLEESS #
Some examples of use. The keys shown below are fakes, thus a security
failure is encountered.
$ unbound-host www.example.com
$ unbound-host -v -y "example.com DS 31560 5 1
1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
$ unbound-host -v -y "example.com DS 31560 5 1
1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 #
EEXXIITT CCOODDEE #
The unbound-host program exits with status code 1 on error, 0 on no
error. The data may not be available on exit code 0, exit code 1 means
the lookup encountered a fatal error.
SSEEEE AALLSSOO #
_u_n_b_o_u_n_d_._c_o_n_f(5), _u_n_b_o_u_n_d(8).
NLnet Labs August 30, 2023 unbound-host(1)