The name drill is a pun on dig. With drill you should be able get even more information than with dig.

The arguments to drill may be placed in any order. If no arguments are given class defaults to 'IN' and type to 'A'. The server(s) specified in /etc/resolv.conf are used to query against.

@server Send to query to this server. If not specified use the nameservers from /etc/resolv.conf.

type Ask for this RR type. If type is not given on the command line it defaults to 'A'. Except when doing to reverse lookup there is defaults to 'PTR'.

name Ask for this name.

class Use this class when querying.

drill -S jelte.nlnetlabs.nl

Chase any signatures a the jelte.nlnetlab.nl domain.

drill -TD

Do a DNSSEC (-D) trace (-T) from the rootservers down to www.example.com.

drill -s dnskey jelte.nlnetlabs.nl

Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each found DNSKEY record also print the DS record.

-D

Enable DNSSEC in the query. When querying for DNSSEC types (DNSKEY, RRSIG, DS and NSEC) this is automaticly enabled.

-S

Chase the signature(s) of 'name' to a known key or as high up in the tree as possible.

-T

Trace name from the root down. When using this option the @server and the type arguments are not used.

-V

Be more verbose. Enable once for more messages on the screen. Enable twice for a hexdump of the packets sent.

-4

Stay on ip4. Only send queries to ip4 enabled nameservers.

-6

Stay on ip6. Only send queries to ip6 enabled nameservers.

-a

Don't try the next nameserver on SERVFAIL. The default is to do this.

-b size

-c

Use TCP/IP when querying a server.

-f file

Read the query from a file. The query must be dumped with -w.

-i file

read the answer from the file instead from the network. This aids in debugging and can be used to check if a query on disk is valid. If the file contains binary data it is assumed to be a query in network order.

-k keyfile

Use this file to read a (trusted) key from. When this options is given drill tries to validate the current answer with this key. No chasing is done.

-p port

Use this port instead of the DNS default of 53.

-r

Don't set the RD bit in the query - the default is yes.

-s

When encountering a DNSKEY print the DS also.

-u

Use UDP when querying a server. This is the default.

-v

-w file

write the answer to a file. The file will contain a hexadecimal dump of the query. This can be used in conjunction with -f.

-x

Do a reverse loopup. The type argument is not used, it is preset to PTR.

With -TD (trace + DNSSEC) drill will securely trace from the root down. If the optional -k argument is given a genuine chain of trust can be established. [bla bla, Miek please add more]