Overview
cboxdk/dns
cboxdk/dns is a zero-runtime-dependency DNS toolkit for PHP 8.4+. It speaks the
DNS wire protocol over raw sockets, which lets it read a zone's answer from the
zone's own authoritative nameservers rather than from a recursive resolver's
cache. That single capability is the foundation for everything else: reliable
domain-ownership verification, honest propagation checking, DNSSEC chain
validation, and a full diagnostics engine.
Mental model
Everything is built on one contract — Cbox\Dns\Contracts\Resolver:
public function query(
string $host,
RecordType $type,
?string $nameserver = null, // target a specific server...
bool $recursion = true, // ...with recursion off, to read a zone directly
bool $dnssec = false, // set the EDNS0 DO bit to fetch RRSIG/DNSKEY/DS
): DnsResponse;
Three implementations ship: SocketResolver (raw UDP/TCP, the default),
HttpsResolver (DNS-over-HTTPS), and FakeResolver (in-memory, for tests). Every
higher-level capability composes a Resolver, so the whole library is drivable
offline by swapping in the fake.
The facade Cbox\Dns\Dns wires the common tasks together so each is a single call:
use Cbox\Dns\Dns;
use Cbox\Dns\Enums\RecordType;
$dns = new Dns; // default socket resolver
$dns->lookup('example.com', RecordType::MX); // DnsResponse
$dns->verifyDomain('example.com', $token); // bool (authoritative)
$dns->checkPropagation('www.example.com', RecordType::A, 'example.com');
$dns->dnssec()->validate('cloudflare.com'); // ValidationResult
$dns->diagnose('example.com'); // Report
Everything the facade composes is public, so you can reach past it —
$dns->resolver(), $dns->authoritative() — whenever you need finer control.
Sections
- Quickstart — zero to working in one read.
- Requirements — PHP and extension versions.
- Getting started — installation and testing with
the
FakeResolver. - Core concepts — the resolvers, authoritative reads, domain verification, propagation, and the overall architecture.
- DNSSEC — chain validation, supported algorithms, and the deny-by-default threat model.
- Diagnostics — the check catalog and the propagation provider registry.
- Cookbook — task-oriented recipes.
- Security — threat model and honest scope.
Scope
This is a DNS-only library. Live SMTP diagnostics, RBL/blacklist lookups, and geo-distributed propagation vantage points are deliberately out of v1 — see Diagnostics and Propagation for the honest boundaries.