The shohei server provides AI-accessible infrastructure diagnostics tools for DNS, TLS, email security, and network analysis:
check_dns: Query DNS records (A, AAAA, MX, TXT, CNAME, NS, etc.) for a domain.check_tls_chain: Inspect TLS certificate chains, including full chain validation, expiry warnings, issuer verification, and optional DANE/TLSA record checking (configurable port, default 443).check_email_security: Validate a domain's email security posture by checking MX records, SPF, DKIM, and DMARC configurations with a 0β100 compliance score.check_propagation_global: Verify DNS consistency for a domain across 6 global resolvers (Google, Cloudflare, Quad9, OpenDNS, 1.1.1.1, 8.8.8.8).benchmark_latency: Measure and compare DNS query latency across multiple transport protocols (System, DoH, DoT, DoQ) for a given domain.
Enables DNS queries via Cloudflare's 1.1.1.1 resolver, supporting DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC.
Provides DNS diagnostics, DNSSEC chain validation, and DANE/TLSA checks using Cloudflare's DNS infrastructure.
Enables DNS queries via Google Public DNS (8.8.8.8), supporting DNS-over-HTTPS and DNS-over-QUIC.
shohei
π Crates.io
π CI
π License: MIT
π MSRV
shohei β Rust infrastructure diagnostics library with MCP server for Claude. Automate DNS, TLS, email security, and DNS propagation checks via AI agents. DNSSEC chain validation, DANE/TLSA, and modern protocols built in. Use in Rust projects or hand to Claude for autonomous diagnosis.
MCP server for Claude β Call shohei diagnostics from Claude Desktop; ask "Check example.com's TLS certificate" and get full chain analysis
TLS certificate inspection β DANE/TLSA validation (RFC 6698), certificate chain analysis, expiry warnings, issuer chain verification
Email security scoring β MX records, SPF, DKIM, DMARC validation with 0β100 compliance score
DNS propagation checker β Verify domain consistency across 6 global resolvers (Google, Cloudflare, Quad9, OpenDNS, 1.1.1.1, 8.8.8.8)
Latency benchmarking β Multi-transport timing: System, DoH, DoT, DoQ across multiple rounds
DNSSEC chain tree β see every DS, DNSKEY, and trust step from
.to your domain; per-zone validation runs in parallel; add-vfor key tags and algorithm namesIterative resolution trace β watch queries travel from root servers to TLD to authoritative NS
N-way server comparison β diff any number of resolvers simultaneously with
--compareDoH, DoT, and DoQ β DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC built in
Zone transfer (AXFR) β dump an entire zone from an authoritative server with
--axfrMultiple record types β
--type a --type aaaa --type mxqueries all types concurrently in a single invocationReverse DNS β
-x 1.2.3.4resolves PTR records for IPv4 and IPv6Stdin and file batch mode β pipe a list of domains or use
-f domains.txtJSON output β pipe-friendly for scripting and automation
Watch mode β auto-refresh at a set interval with
--watchInteractive TUI β browse records, DNSSEC chain, and trace in a single terminal window (
--features tui)
Why shohei?
AI-First Infrastructure Diagnostics
Most infrastructure tools are CLI-only. shohei is built for AI agents:
MCP Server Ready: Expose all diagnostics to Claude, ChatGPT, and custom AI agents without writing integration code
Claude Desktop Integration: Ask Claude "Check example.com's TLS certificate" β get automated diagnosis with full chain analysis
Structured Async APIs: Every function returns serializable types (
DnsCheckResult,TlsCheckResult,EmailSecurityResult) β perfect for agentsNo CLI, No Python: Pure Rust library + MCP server; scales from single checks to automated monitoring
Developer-Friendly
Library-first design: Import into Rust projects, CI/CD pipelines, or automation frameworks
Trust chain validation: The only open-source library that validates DNS β DNSSEC β TLS β DANE/TLSA in one call
Modern protocols: DoH, DoT, DoQ, DNSSEC, DANE/TLSA all built in
Automation-friendly: Concurrent queries, batching, multi-resolver checks, and programmatic APIs
Compared to alternatives (dig, dog, drill): shohei is composableβuse it in tests, monitoring, CI/CD, or hand it to Claude for autonomous diagnosis.
Feature | shohei | dig | dog | doggo | q | delv | drill |
Colored output | β | β | β | β | |||
DNSSEC chain-of-trust tree | β | ||||||
DNSSEC validation | β | β | β | β | |||
Iterative resolution trace (visual) | β | ||||||
Authority + Additional sections | β | β | β | β | |||
N-way server comparison ( | β | ||||||
Zone transfer (AXFR) | β | β | β | ||||
Watch / auto-refresh ( | β | ||||||
Script-friendly output ( | β | ||||||
Multiple record types ( | β | β | |||||
Reverse DNS shorthand ( | β | β | β | ||||
Force TCP ( | β | β | β | ||||
Disable recursion ( | β | β | β | β | |||
Query latency display | β | β | β | β | |||
DNS-over-HTTPS (DoH) | β | β | β | β | β | ||
DNS-over-TLS (DoT) | β | β | β | β | β | ||
DNS-over-QUIC (DoQ) | β | β | |||||
JSON output | β | β | β | β | β | ||
Interactive TUI | β |
dig = BIND utils 9.16+; q = natesales/q; delv = BIND DNSSEC-validating resolver; drill = ldns-based
Related MCP server: net-mcp
Installation
As a library (Rust projects)
Add to your Cargo.toml:
[dependencies]
shohei = "0.4"Then import and use:
use shohei::resolver::standard::query;
#[tokio::main]
async fn main() {
let result = query("example.com", "A").await;
println!("{:?}", result);
}For full API documentation: cargo doc --open or docs.rs/shohei.
As a CLI (manual diagnosis)
cargo install shoheiOr download a pre-built binary from the releases page.
For the interactive TUI mode:
cargo install shohei --features tuiLibrary Examples
shohei is designed to be imported and composed in Rust projects. See the examples/ directory:
propagation_check.rs β Check if a domain is propagated globally
tls_chain_verify.rs β Validate TLS certificate chains (Phase 2)
email_security.rs β Check email security records (Phase 1)
Run examples:
cargo run --example propagation_check -- example.com
cargo run --example tls_chain_verify -- example.com
cargo run --example email_security -- example.comCLI Usage
The CLI is a convenient wrapper around the library for manual inspection and testing.
DNS record query
shohei google.com # A records (default)
shohei google.com --type AAAA # AAAA records
shohei google.com --type NS # Nameservers
shohei gmail.com --type MX # Mail exchangers
# Multiple record types in one command
shohei google.com --type a --type aaaa --type mx# Security / DNSSEC-related record types
shohei google.com --type caa # Certificate Authority Authorization
shohei github.com --type sshfp # SSH fingerprints
shohei _443._tcp.example.com --type tlsa # DANE TLSAReverse DNS
Resolve the PTR record for an IP address. IPv4 and IPv6 are both supported.
shohei -x 1.1.1.1 # β one.one.one.one
shohei -x 2606:4700:4700::1111 # IPv6 reverse lookupDNSSEC chain of trust
Validate the full DNSSEC chain from the root trust anchor down to the target domain. Each zone's DS and DNSKEY records are checked individually.
shohei cloudflare.com --dnssec
# Verbose: show key tags, algorithm names, and KSK/ZSK roles
shohei cloudflare.com --dnssec --verboseIterative resolution trace
Step through the full resolution path β root servers β TLD nameservers β authoritative nameservers.
shohei google.com --traceModern transports
# DNS-over-HTTPS
shohei google.com --doh https://dns.google/dns-query
# DNS-over-TLS
shohei google.com --dot 1.1.1.1:853
# DNS-over-QUIC
shohei google.com --doq 8.8.8.8
# Custom resolver
shohei google.com --server 8.8.8.8Authority and Additional sections
When querying an authoritative server directly, shohei displays the Authority Section (NS referrals) and Additional Section (glue A/AAAA records) β matching dig's default behavior.
# Query the .com TLD nameserver for google.com β shows NS referral + glue records
shohei google.com -s 192.5.6.30 --no-recurse
# Query an authoritative nameserver directly
shohei example.com -s 199.43.135.53 --no-recurse --type nsForce TCP
Force DNS queries over TCP instead of UDP. Useful for large responses that get truncated (TC bit set) or environments that block UDP/53.
shohei example.com -s 8.8.8.8 --tcpShort output
Strip all decoration and return just the record data β one value per line. Ideal for shell scripting.
shohei gmail.com --type MX --shortCompare resolvers
Query the same domain from multiple DNS servers simultaneously and diff the results. Useful for detecting CDN anycast differences or verifying a new resolver. Repeat --compare for N-way comparison.
# Show that both servers return the same NS records
shohei cloudflare.com --type NS --server 8.8.8.8 --compare 1.1.1.1
# Reveal CDN-induced A record differences
shohei google.com --server 8.8.8.8 --compare 1.1.1.1
# N-way comparison across three resolvers
shohei google.com --server 8.8.8.8 --compare 1.1.1.1 --compare 9.9.9.9Zone transfer (AXFR)
Fetch the complete zone from an authoritative server. Requires -s to specify the authoritative nameserver.
shohei zonetransfer.me --axfr -s 81.4.108.41Batch / stdin mode
Pipe a newline-separated list of domains and shohei queries each one in sequence.
Lines starting with # are ignored as comments. You can also read targets from a file with -f.
echo -e "google.com\nexample.com\ncloudflare.com" | shohei
cat domains.txt | shohei --type mx --short
shohei -f domains.txt --type mx --shortWatch mode
Repeat the query every N seconds and auto-refresh the display. Press Ctrl+C to stop.
shohei google.com --watch 5 # refresh every 5 seconds
shohei google.com --type A --watch 10Output formats
shohei google.com --output json # JSON for scripting
shohei google.com --output plain # No colors (CI-friendly)Interactive TUI (requires --features tui)
Pre-loads records, DNSSEC chain, and trace in parallel, then presents all three as navigable views.
shohei google.com --tui shohei β google.com
ββ Records βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Query: google.com (A IN) β
β β
β NAME TTL TYPE DATA β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β google.com. 120 A 142.250.x.x β
β ... β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[r] Records [d] DNSSEC [t] Trace [ββ/jk] Scroll [q] QuitKey | Action |
| Records view |
| DNSSEC chain view |
| Iterative trace view |
| Scroll up |
| Scroll down |
| Quit |
Options
Flag | Short | Description |
|
| Record type (repeatable): |
|
| Reverse DNS β auto-converts IP to PTR query (IPv4 and IPv6) |
|
| Read domains from a file (one per line), like |
|
| DNSSEC chain-of-trust validation tree |
|
| Show verbose detail (key tags, algorithms) in DNSSEC chain |
| Iterative resolution path from root servers | |
| Clear RD bit β query authoritative servers directly; shows Authority + Additional sections | |
| Full zone transfer from the server specified with | |
| Force TCP instead of UDP (requires | |
| DNS query timeout in seconds (default: 5, max: 60) | |
| Output data values only, one per line (script-friendly) | |
| Repeat query every N seconds; Ctrl+C to stop | |
| Query an additional server and diff; repeat for N-way comparison | |
| DNS-over-HTTPS (e.g. | |
| DNS-over-TLS (e.g. | |
| DNS-over-QUIC (e.g. | |
|
| Custom DNS server ( |
| Force queries over IPv4 transport | |
| Force queries over IPv6 transport | |
|
|
|
| Interactive TUI (requires |
Trust States
Badge | Meaning |
| DNSSEC-validated, full chain of trust verified |
| Zone unsigned, but parent has no DS delegation (expected) |
| Validation failed β signature mismatch or broken chain |
| DNSSEC not requested, or result unclear |
MCP Server & Claude Integration
β Live Now (v0.5.1+)
MCP (Model Context Protocol) Server lets Claude Desktop and other AI agents call shohei diagnostics directly:
# 1. Install shohei
cargo install shohei
# 2. Register MCP server in Claude Desktop config:
# ~/.config/Claude/claude_desktop_config.json
{
"mcpServers": {
"shohei": {
"command": "/path/to/shohei-mcp"
}
}
}
# 3. Restart Claude Desktop
# 4. Ask Claude: "Check example.com's TLS certificate"Five Tools Available to Claude:
check_dns β Query DNS records (A, AAAA, MX, TXT, CNAME, NS, etc.)
check_tls_chain β Inspect TLS certificates + DANE/TLSA validation
check_email_security β Validate SPF, DKIM, DMARC, MX records
check_propagation_global β Verify DNS consistency across 6 global resolvers
benchmark_latency β Measure DNS latency across System, DoH, DoT, DoQ
Example: Claude diagnoses a domain autonomously:
"Check if example.com's mail configuration is correct, and verify its TLS certificate chain" β Claude calls check_email_security + check_tls_chain β returns full analysis
π MCP shohei in Claude Desktop
Other Integrations
Rust Library:
use shohei;in your projects β structured async APIsCLI: Manual inspection:
shohei example.com --dnssec --traceJSON output: Scripting and tooling:
shohei example.com --output json
Future (v0.6.0+)
GitHub Actions: Automated DNS/TLS checks in CI/CD
Terraform Module: Infrastructure validation
Ansible Module: Playbook integration
See docs/INTEGRATIONS.md for full details.
Built with
hickory-dns β DNSSEC, DoH, DoT support
clap β CLI argument parsing
ratatui β TUI framework (optional
tuifeature)owo-colors β Terminal colors
comfy-table β Record table rendering
License
MIT β see LICENSE
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/kent-tokyo/shohei'
If you have feedback or need assistance with the MCP directory API, please join our Discord server