6 awl.1
Sam Therapy edited this page 1 week ago


awl - DNS lookup tool


awl [ OPTIONS ] name [ @server ] [ type ], where

name is the query to make (example: froth.zone)
@server is the server to query (example: dns.froth.zone)
type is the DNS resource type (example: AAAA)


awl (awls want licorice) is a simple tool designed to make DNS queries, much like the venerable dig(1). An awl is a tool used to make small holes, typically used in leatherworking.

awl is designed to be a more "modern" version of drill(1) by including some more recent RFCs and output options.

When no arguments are given, awl will perform an NS query on the root ('.').

When a nameserver is not given, awl will query a random system nameserver. If one cannot be found, awl will query localhost.


Anything in [brackets] is optional.

-D, --dnssec, +dnssec

Enable DNSSEC. This needs to be manually enabled.


Set verbosity. Accepted values are as follows:

  • 0: Only log errors.

  • 1: Log warnings. This is the default.

  • 2: Log information. Default when specifying just -v.

  • 3: Log information useful for debugging.

Setting a value lower than 0 disables logging entirely.

By default, specifying just -v sets the verbosity to 2 (info).


Print the version and exit.


Show a "short" help message.

Query Options


Only make query over IPv4.


Only make query over IPv6.

-p, --port port

Sets the port to query. Default ports listed below.

  • 53 for UDP and TCP

  • 853 for TLS and QUIC

  • 443 for HTTPS

-q, --query domain

Domain to query (e.g. example.com).

-c, --class class

DNS class to query (e.g. IN, CH). The default is IN.

-t, --qType type

DNS type to query (e.g. A, AAAA, NS). The default is A.

--no-truncate, +ignore

Ignore UDP truncation (by default, awl retries with TCP).

--no-bad-cookie, +[no]badcookie

[Do not] ignore BADCOOKIE responses.

--tcp, +tcp, +vc

Use TCP for the query (see RFC 7766).

--dnscrypt, +dnscrypt

Use DNSCrypt.

-T, --tls, +tls

Use DNS-over-TLS, implies --tcp (see RFC 7858).

--tls-host string

Set hostname to use for TLS certificate validation. Default is the name of the domain when querying over TLS, and empty for IPs.


Ignore TLS validation when performing a DNS query.

-H, --https, +https

Use DNS-over-HTTPS (see RFC 8484).

-Q, --quic, +quic

Use DNS-over-QUIC (see RFC 9250).

-x, --reverse

Do a reverse lookup. Sets default type to PTR. awl automatically makes an IP or phone number canonical.

--timeout seconds, +timeout=seconds

Set the timeout period. Floating point numbers are accepted. 0.5 seconds is the minimum.

--retries int, +tries=int, +retry=int

Set the number of retries. Retry is one more than tries, dig style.

DNS Flags

--aa[=bool], +[no]aaflag

(Set, Unset) AA (Authoritative Answer) flag.

--ad[=bool], +[no]adflag

(Set, Unset) AD (Authenticated Data) flag.

--tc[=bool], +[no]tcflag

(Set, Unset) TC (TrunCated) flag.

-z[=bool], +[no]zflag

(Set, Unset) Z (Zero) flag.

--cd[=bool], +[no]cdflag

(Set, Unset) CD (Checking Disabled) flag.

--qr[=bool], +[no]qrflag

(Set, Unset) QR (QueRy) flag.

--rd[=bool], +[no]rdflag

(Set, Unset) RD (Recursion Desired) flag.

--ra[=bool], +[no]raflag

(Set, Unset) RA (Recursion Available) flag.


All of these options except disabling EDNS imply +edns.

--no-edns, +noedns

Disable EDNS.

--edns-ver, +edns[=int]

Enable EDNS and set EDNS version. The maximum value is 255, and the minimum (default) value is 0.

--expire, +[no]expire

Send an EDNS Expire.

--nsid, +[no]nsid

Send an EDNS name server ID request.

--no-cookie, +[no]cookie[=string]

Send an EDNS cookie. This is enabled by default with a random string.

--keep-alive, +[no]keepalive, +[no]keepopen

Send an EDNS keep-alive. This does nothing unless using TCP.

--buffer-size int, +bufsize=int

Set the UDP message buffer size, using EDNS. Max is 65535, minimum is zero. The default value is 1232.

--zflag int, +ednsflags=int

Set the must-be-zero EDNS flags. Decimal, hexadecimal and octal are supported. Trying to set DO will be ignored.

--subnet ip[/prefix], +[no]subnet=ip[/prefix]

Send an EDNS Client Subnet option with the specified address.

Like dig(1), setting the IP to, ::/0 or 0 will signal the resolver to not use any client information when returning the query.

Output Display

--no-question, +[no]question

Toggle the display of the Question section.

--no-answer, +[no]answer

Toggle the display of the Answer section.

--no-authority, +[no]authority

Toggle the display of the Authority section.

--no-additional, +[no]additional

Toggle the display of the Additional section.

--no-statistics, +[no]stats

Toggle the display of the Statistics (additional comments) section.

Output Formats

-j, --json, +json

Print the query results as JSON.

-X, --xml, +xml

Print the query results as XML.

-y, --yaml, +yaml

Print the query results as YAML.

-s, --short, +short

Print just the address of the answer.


The exit code is 0 when a query is successfully made and received. This includes SERVFAILs, NOTIMPL among others.
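
Because a SERVFAIL or NOTIMPL response still exits 0, a script cannot use awl's exit status alone to decide whether a name resolved. The wrapper below is an added example, not part of awl or of this man page; resolve_checked and the AWL variable are hypothetical names, and it assumes +short prints nothing when the Answer section is empty.

```shell
#!/bin/sh
# Added example (not from the awl project): do not trust exit status 0 alone.
# AWL names the command to run; it is a hypothetical override so the logic
# can be exercised with a stand-in when awl is not installed.
AWL=${AWL:-awl}

# resolve_checked NAME TYPE [@SERVER]
# Prints the answers, one per line, and returns:
#   0  the query completed and at least one answer came back
#   1  the query completed (awl exited 0) but there was nothing to print,
#      which covers SERVFAIL, NOTIMPL and empty answer sections
#   2  awl itself failed (no response received, bad arguments)
resolve_checked() {
    qname=$1
    qtype=$2
    server=${3:-}

    # +short is documented on this page; argument order follows its examples.
    if [ -n "$server" ]; then
        out=$("$AWL" +short "$qname" "$qtype" "$server") || return 2
    else
        out=$("$AWL" +short "$qname" "$qtype") || return 2
    fi

    # Assumption: +short prints nothing when the Answer section is empty.
    [ -n "$out" ] || return 1

    printf '%s\n' "$out"
}

# Typical use in a script:
#   addrs=$(resolve_checked example.com AAAA) || echo "lookup failed: $?" >&2
```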


awl grumbulon.xyz -j +cd

Run a query of your local resolver for the A records of grumbulon.xyz, print them as JSON and disable DNSSEC verification.

awl +short example.com AAAA @

Query for the AAAA records of example.com, print just the answers.

awl -xT PTR @dns.google

Query dns.google over TLS for the PTR record to the IP address


drill(1), dig(1)


RFC 1034, 1035 (UDP), 7766 (TCP), 7858 (TLS), 8484 (HTTPS), 9250 (QUIC)

Probably more, https://www.statdns.com/rfc


OPT records are only printed when using a standard output, not JSON/XML/YAML.

Full parity with dig(1) is not complete.

This man page is probably not complete.

Likely numerous more, report them either to the tracker https://git.froth.zone/sam/awl/issues or via email ~sammefishe/awl-dev@lists.sr.ht