Move dig down the row of DNS resolvers

... because there's a higher possibility for the stable branch that people use $HOME/.digrc
2025-01-06 00:39:44 +01:00 · 2021-07-31 15:22:05 +02:00 · 2021-07-31 15:22:05 +02:00 · ac2b43170b
commit ac2b43170b
parent 8d6609f1b9
1 changed files with 15 additions and 15 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -361,7 +361,7 @@ HAS_AES256_GCM=false
 HAS_ZLIB=false
 HAS_DIG=false
 HAS_DIG_R=true
-DIG_R='-r'
+DIG_R="-r"
 HAS_HOST=false
 HAS_DRILL=false
 HAS_NSLOOKUP=false
@ -17910,15 +17910,15 @@ get_a_record() {
               fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
          fi
     fi
-     if [[ -z "$ip4" ]] && "$HAS_DIG"; then
-          ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
-     fi
     if [[ -z "$ip4" ]] && "$HAS_HOST"; then
          ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
     fi
     if [[ -z "$ip4" ]] && "$HAS_DRILL"; then
          ip4=$(filter_ip4_address $(drill a "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
     fi
+     if [[ -z "$ip4" ]] && "$HAS_DIG"; then
+          ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
+     fi
     if [[ -z "$ip4" ]] && "$HAS_NSLOOKUP"; then
          ip4=$(filter_ip4_address $(strip_lf "$(nslookup -querytype=a "$1" 2>/dev/null | awk '/^Name/ { getline; print $NF }')"))
     fi
@ -17953,12 +17953,12 @@ get_aaaa_record() {
               else
                    fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
               fi
-          elif "$HAS_DIG"; then
-               ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
          elif "$HAS_HOST"; then
               ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
          elif "$HAS_DRILL"; then
               ip6=$(filter_ip6_address $(drill aaaa "$1" | awk '/ANSWER SECTION/,/AUTHORITY SECTION/ { print $NF }' | awk '/^[0-9]/'))
+          elif "$HAS_DIG"; then
+               ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
          elif "$HAS_NSLOOKUP"; then
               ip6=$(filter_ip6_address $(strip_lf "$(nslookup -type=aaaa "$1" 2>/dev/null | awk '/'"^${a}"'.*AAAA/ { print $NF }')"))
          fi
@ -17988,16 +17988,16 @@ get_caa_rr_record() {
     # for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep caa_flag, caa_property
     # caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
     OPENSSL_CONF=""
-     if "$HAS_DIG"; then
-          raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
-          # empty if no CAA record
-     elif "$HAS_DRILL"; then
+     if "$HAS_DRILL"; then
          raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
     elif "$HAS_HOST"; then
          raw_caa="$(host -t type257 $1)"
          if grep -Ewvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then
               raw_caa="$(sed -e 's/^.*has CAA record //' -e 's/^.*has TYPE257 record //' <<< "$raw_caa")"
          fi
+     elif "$HAS_DIG"; then
+          raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+          # empty if no CAA record
     elif "$HAS_NSLOOKUP"; then
          raw_caa="$(strip_lf "$(nslookup -type=type257 $1 | grep -w rdata_257)")"
          if [[ -n "$raw_caa" ]]; then
@ -18059,10 +18059,10 @@ get_mx_record() {
     # we need the last two columns here
     if "$HAS_HOST"; then
          mxs="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
-     elif "$HAS_DIG"; then
-          mxs="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
     elif "$HAS_DRILL"; then
          mxs="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
+     elif "$HAS_DIG"; then
+          mxs="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
     elif "$HAS_NSLOOKUP"; then
          mxs="$(strip_lf "$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')")"
     else
@ -18161,13 +18161,13 @@ determine_rdns() {
          elif "$HAS_DIG"; then
               rDNS=$(dig $DIG_R -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
          fi
-     elif "$HAS_DIG"; then
-          # 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
-          rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }')    # +short returns also CNAME, e.g. openssl.org
     elif "$HAS_HOST"; then
          rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
     elif "$HAS_DRILL"; then
          rDNS=$(drill -x ptr $nodeip 2>/dev/null | awk '/ANSWER SECTION/ { getline; print $NF }')
+     elif "$HAS_DIG"; then
+          # 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
+          rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }')    # +short returns also CNAME, e.g. openssl.org
     elif "$HAS_NSLOOKUP"; then
          rDNS=$(strip_lf "$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')")
     fi