jmarya/knowledge
jmarya/knowledge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
knowledge/technology/applications/cli/mhost.md
JMARyA ee55a0b016
update
2025-01-30 16:17:23 +01:00

10 KiB
Raw Blame History

obj repo website rev
application https://github.com/lukaspustina/mhost https://mhost.pustina.de 2025-01-30

mhost

A modern take on the classic host DNS lookup utility including an easy to use and very fast Rust lookup library.

Use Cases

Just lookup an IP address

$ mhost l github.com

Just lookup an IP address, using even more than just your local name servers

$ mhost server-lists public-dns -o servers.txt
$ mhost --limit 6000 --max-concurrent-servers 1000 --timeout 1 -f servers.txt l www.github.com

The first command downloads a list of public available name servers that are maintained by the Public DNS community. Usually only a subset of these are reachable, but it still a large set of active name servers.

The second command uses the name servers list from before and queries all of them concurrently. These settings are very aggressive and highly stresses your internet connection. mhost default settings are set much more cautiously.

Just lookup an IP address, using UDP, TCP, DoT, and DoH

$ mhost -s 1.1.1.1 -s tcp:1.1.1.1 -s tls:1.1.1.1:853,tls_auth_name=cloudflare-dns.com -s https:1.1.1.1:443,tls_auth_name=cloudflare-dns.com,name=Cloudflare -p l github.com

As already mentioned before, mhost supports DNS queries over UDP, TCP, DNS over TLS (DoT), as well as DNS over HTTPS (DoH). In the above example, mhost uses all four protocols to query Cloudflares name servers.

This command also shows the syntax for name server specification, which in general is protocol:<host name | ip address>:port,tls_auth_name=hostname,name=human-readable-name.

Discover a domain

Sometimes you want to know which host names and subdomains a domain has. mhost offers a simple command to help you find these. Please mind, that mhost only uses DNS specific discovery methods. If you want even deeper discoveries using Google, Shodan etc. there are other tools available.

$ mhost -p d github.com -p

This command uses the predefined name servers to discover the GitHub domain. The -s reduces all discovered names to real subdomains of github.com..

You can go one more step and explore the autonomous systems GitHub uses. In order to discover those, you can use the following commands:

$ mhost -p l --all -w github.com
$ mhost -p l --all 140.82.121.0/24

Check your name server configuration

$ mhost -p c github.com -p

Usage

mhost has three main commands: lookup, discover, and check. lookup lookups up arbitrary DNS records of a domain name. discover tries various methods to discover host names and subdomains of a domain. check uses lints to check if all records of a domain name adhere to the DNS RFC.

General Options

Option Description
-use-system-resolv-opt Uses options set in /etc/resolv.conf
-no-system-nameservers Ignores nameservers from /etc/resolv.conf
-S, --no-system-lookups Ignores system nameservers for lookups
--resolv-conf <FILE> Uses alternative resolv.conf file
--ndots <NUMBER> Sets number of dots to qualify domain name as FQDN [default: 1]
--search-domain <DOMAIN> Sets the search domain to append if HOSTNAME has less than ndots dots
--system-nameserver <IP ADDR>... Adds system nameserver for system lookups; only IP addresses allowed
-s, --nameserver <HOSTNAME / IP ADDR>... Adds nameserver for lookups
-p, --predefined Adds predefined nameservers for lookups
--predefined-filter <PROTOCOL> Filters predefined nameservers by protocol [default: udp] [possible values: udp, tcp, https, tls]
--list-predefined Lists all predefined nameservers
-f, --nameservers-from-file <FILE> Adds nameservers from file
--limit <NUMBER> Sets max. number of nameservers to query [default: 100]
--max-concurrent-servers <NUMBER> Sets max. concurrent nameservers [default: 10]
--max-concurrent-requests <NUMBER> Sets max. concurrent requests per nameserver [default: 5]
--retries <NUMBER> Sets number of retries if first lookup to nameserver fails [default: 0]
--timeout <TIMEOUT> Sets timeout in seconds for responses [default: 5]
-m, --resolvers-mode <MODE> Sets resolvers lookup mode [default: multi] [possible values: multi, uni]
--wait-multiple-responses Waits until timeout for additional responses from nameservers
--no-abort-on-error Sets do-not-ignore errors from nameservers
--no-abort-on-timeout Sets do-not-ignore timeouts from nameservers
--no-aborts Sets do-not-ignore errors and timeouts from nameservers
-o, --output <FORMAT> Sets the output format for result presentation [default: summary] [possible values: json, summary]
--output-options <OPTIONS> Sets output options
--show-errors Shows error counts
-q, --quiet Does not print anything but results
--no-color Disables colorful output
--ascii Uses only ASCII compatible characters for output

Lookup Options

Option Description
--all Enables lookups for all record types
-s, --service Parses ARG as service spec and set record type to SRV
-w, --whois Retrieves Whois information about A, AAAA, and PTR records
-h, --help Prints help information
-t, --record-type <RECORD TYPE>... Sets record type to lookup, will be ignored in case of IP address lookup [default: A,AAAA,CNAME,MX] [possible values: A, AAAA, ANAME, ANY, CNAME, MX, NULL, NS, PTR, SOA, SRV, TXT]

Discover Options

| Option                              | Description                                                                                |
| ----------------------------------- | ------------------------------------------------------------------------------------------ |
| `-p`, `--show-partial-results`      | Shows results after each lookup step                                                       |
| `-w`, `--wordlist-from-file <FILE>` | Uses wordlist from file                                                                    |
| `--rnd-names-number <NUMBER>`       | Sets number of random domain names to generate for wildcard resolution check [default: 3]  |
| `--rnd-names-len <LEN>`             | Sets length of random domain names to generate for wildcard resolution check [default: 32] |
| `-s`, `--subdomains-only`           | Shows subdomains only omitting all other discovered names                                  |

### Check Options

| Option                        | Description                                 |
| ----------------------------- | ------------------------------------------- |
| `--show-partial-results`      | Shows results after each check step         |
| `--show-intermediate-lookups` | Shows all lookups made during by all checks |
| `--no-cnames`                 | Does not run cname lints                    |
| `--no-soa`                    | Does not run SOA check                      |
| `--no-spf`                    | Does not run SPF check                      |