Total Pageviews

Thursday, 5 May 2016


dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.
dnsjava provides functionality above and beyond that of the InetAddress class. Since it is written in pure Java, dnsjava is fully threadable, and in many cases is faster than using InetAddress.
dnsjava provides both high and low level access to DNS. The high level functions perform queries for records of a given name, type, and class, and return the answer or reason for failure. There are also functions similar to those in the InetAddress class. A cache is used to reduce the number of DNS queries sent. The low level functions allow direct manipulation of DNS messages and records, as well as allowing additional resolver properties to be set.
A simple tool for doing DNS lookups, a 'dig' clone and a dynamic update client are included, as well as a simple authoritative-only server.
For more information, see the README file in the source distribution.
For information on the sample programs included, see the USAGE file in the source distribution.
For API documentation, see the Javadoc documentation in the source distribution or the examples.html file.
Please read this documentation before asking questions.
dnsjava is under the BSD license.
Other software using dnsjava

Similar software

The dnsjava project is hosted at Sourceforge.
The current version can also be downloaded here, and the current Changelog viewed here. Releases are only published to and Sourceforge.




A DNSSEC validating stub resolver for Java.
Build Status Coverage Status Maven Central

Is this library safe to use?

Maybe. There's been no audit of the code so far, so there are absolutely no guarantees. The rest depends currently on your use case: the proof that a positive response is correct should be safe to use. Most of the NXDOMAIN/NODATA responses are safe too, but there are some corner cases that have no tests yet.
Unit tests are currently covering over 95% of the code, including 123 from the current production Unbound. Also keep in mind that while most of the code paths are covered by unit tests, this does not mean it is performing according to the RFCs or that something that should be checked for is really done.
See the To-Do list for more details.


This project is based on the work of the Unbound Java prototype from 2005/2006. The Unbound prototype was stripped from all unnecessary parts, heavily modified, complemented with more than 300 unit test and found bugs were fixed.

Released versions

  • 1.1: Change logging to slf4j
  • 1.0: Initial release


The project is intended to be used as a Resolver for DNSJAVA. Validated, secure responses contain the DNS AD-flag, while responses that failed validation return the SERVFAIL-RCode. Insecure responses return the actual return code without the AD-flag set. The reason why the validation failed or is insecure is provided as a localized string in the additional section under the record ./65280/TXT (a TXT record for the owner name of the root zone in the private query class ValidatingResolver.VALIDATION_REASON_QCLASS).



import org.jitsi.dnssec.validator.ValidatingResolver;
import org.xbill.DNS.*;

public class ResolveExample {
    static String ROOT = ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5";

    public static void main(String[] args) throws Exception {
        // Send two sample queries using a standard DNSJAVA resolver
        SimpleResolver sr = new SimpleResolver("");
        System.out.println("Standard resolver:");
        sendAndPrint(sr, "");
        sendAndPrint(sr, "");

        // Send the same queries using the validating resolver with the
        // trust anchor of the root zone
        ValidatingResolver vr = new ValidatingResolver(sr);
        vr.loadTrustAnchors(new ByteArrayInputStream(ROOT.getBytes("ASCII")));
        System.out.println("\n\nValidating resolver:");
        sendAndPrint(vr, "");
        sendAndPrint(vr, "");

    private static void sendAndPrint(Resolver vr, String name) throws IOException {
        System.out.println("\n---" + name);
        Record qr = Record.newRecord(Name.fromConstantString(name), Type.A, DClass.IN);
        Message response = vr.send(Message.newQuery(qr));
        System.out.println("AD-Flag: " + response.getHeader().getFlag(Flags.AD));
        System.out.println("RCode:   " + Rcode.string(response.getRcode()));
        for (RRset set : response.getSectionRRsets(Section.ADDITIONAL)) {
            if (set.getName().equals(Name.root) && set.getType() == Type.TXT
                    && set.getDClass() == ValidatingResolver.VALIDATION_REASON_QCLASS) {
                System.out.println("Reason:  " + ((TXTRecord) set.first()).getStrings().get(0));
This should result in an output like
Standard resolver:
AD-Flag: false
AD-Flag: false

Validating resolver:
AD-Flag: false
Reason:  Could not establish a chain of trust to keys for []. Reason: Did not match a DS to a DNSKEY.
AD-Flag: true


Run mvn package


Fork of the project purely to integrate more easily with maven central, GitHub, etc.