功能描述

Alicloud DNS Diagnostic Skill. Diagnose DNS resolution failures, domain unreachable issues, NXDOMAIN errors, DNS record propagation delays, DNS hijacking, an...

使用说明 (SKILL.md)

Alibaba Cloud DNS Resolution Diagnostics (Customer Self-Service)

Name: Alibabacloud Dns Resolve Diagnose
Author: sdk-team

Scenario Description

Diagnose real-time DNS resolution anomalies covering the following products:

Product	Typical Issues
Public Authoritative DNS (Alibaba Cloud DNS)	Resolution failure, incorrect results, changes not propagated, smart routing misconfiguration
Global Traffic Manager (GTM)	GTM scheduling anomaly, CNAME not effective, address pool failover failure
PrivateZone (Internal DNS)	Cannot resolve domain within VPC, zone records not effective
Third-party DNS	Domain registered on Alibaba Cloud but DNS hosted elsewhere, ECS cannot resolve external domains

Architecture: dig + whois + Alibaba Cloud OpenAPI (Alidns/Domain/PrivateZone) + boce nationwide probing

Not applicable: Domain resolves but website unreachable, HTTPS certificate errors, slow page load, 5xx errors, domain registration/transfer, CDN/WAF issues.

Installation

Pre-check: Aliyun CLI >= 3.3.3 required

Run aliyun version to verify >= 3.3.3. If not installed or version too low, run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to install/update, or see references/cli-installation-guide.md for installation instructions.

Pre-check: Aliyun CLI plugin update required

[MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation. [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.

Additional tools:

Tool	Purpose	Installation
`python3` (>= 3.7)	Run diagnostic scripts	macOS: `brew install [email protected]`; Debian/Ubuntu: `sudo apt install python3`
`dig`	DNS queries and tracing	macOS: built-in; Debian/Ubuntu: `sudo apt install dnsutils`
`whois`	Domain registration info	macOS: built-in; Debian/Ubuntu: `sudo apt install whois`
`playwright`	Nationwide probing	`pip install playwright && playwright install chromium`

Authentication

Pre-check: Alibaba Cloud Credentials Required

Security Rules:

NEVER read, echo, or print AK/SK values

NEVER ask the user to input AK/SK directly in the conversation or command line

NEVER use aliyun configure set with literal credential values

ONLY use aliyun configure list to check credential status
aliyun configure list
Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, the skill will skip OpenAPI config check and rely on dig/whois/boce only.

RAM Policy

See references/ram-policies.md for the full permission list.

[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:

Read references/ram-policies.md to get the full list of permissions required by this SKILL

Use ram-permission-diagnose skill to guide the user through requesting the necessary permissions

Pause and wait until the user confirms that the required permissions have been granted

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

Parameter	Required	Description	Default
Domain	Yes	Full domain name (e.g., `www.example.com`)	None
Issue description	Yes	Brief description of the problem	None
Record type	Optional	DNS record type to query	A

Core Workflow

Observability (MUST follow for every aliyun command)

Upon loading this skill, generate a random session ID (32-char lowercase hex string) and store it for the entire session. Example:

SESSION_ID=$(cat /dev/urandom | LC_ALL=C tr -dc 'a-f0-9' | head -c 32)

Every aliyun business API command MUST include the --user-agent parameter using this template:

--user-agent AlibabaCloud-Agent-Skills/alibabacloud-dns-resolve-diagnose/{session-id}

Where {session-id} is replaced with the generated session ID value. For example:

aliyun alidns describe-domain-info --DomainName example.com --read-timeout 30 --connect-timeout 10 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-dns-resolve-diagnose/${SESSION_ID}

Note: Do NOT use --user-agent on system/tool commands (configure, plugin, help, version, etc.) — only on business API commands.

Core Principles

Mandatory constraint — MUST use scripts for diagnosis, manual troubleshooting is FORBIDDEN:

NEVER use curl, ping, telnet, nc, nslookup, traceroute, wget to troubleshoot directly

ALL diagnostic steps must be executed through the Python scripts provided by this skill

If a script fails, fix the dependency and retry — do NOT fall back to raw commands

Agent's role: execute scripts -> read analysis results -> format output for user

Python Version Detection

PYTHON=""
for cmd in python3.13 python3.12 python3.11 python3.10 python3.9 python3.8 python3; do
  if command -v $cmd &>/dev/null; then
    ver=$($cmd -c "import sys; print(sys.version_info >= (3,7))" 2>/dev/null)
    if [ "$ver" = "True" ]; then PYTHON=$cmd; break; fi
  fi
done
echo "Using Python: $PYTHON ($($PYTHON --version))"

Use $PYTHON instead of python3 in all subsequent commands.

Quick Mode (Recommended, 5 seconds)

$PYTHON scripts/dns_quick_check.py --domain \x3Cdomain>

Suitable for: DNS resolution failure, quick confirmation. Not suitable for: nationwide probing, OpenAPI config comparison, complex issues (GTM/PrivateZone).

Full Mode (Detailed diagnosis, 30-60 seconds)

Execute steps in order. Output results to user immediately after each step.

Step 0: Quick Pre-check

mkdir -p /tmp/dns_diag_\x3Cdomain>
$PYTHON scripts/dns_quick_check.py --domain \x3Cdomain> > /tmp/dns_diag_\x3Cdomain>/quick.json
$PYTHON scripts/dns_analyze.py quick --file /tmp/dns_diag_\x3Cdomain>/quick.json

Product type determination: NS contains *.alidns.com / *.hichina.com -> Alibaba Cloud DNS; otherwise -> third-party DNS.

Step 1: Config Check (requires credentials)

Skip this step if credentials are not configured.

# Check if domain is in current account
$PYTHON scripts/dns_openapi.py check --domain \x3Croot_domain>
# Query DNS records
$PYTHON scripts/dns_openapi.py records --domain \x3Czone> --rr \x3Chost_record>
# Query domain config details
$PYTHON scripts/dns_openapi.py domain-info --domain \x3Czone>

Short-circuit rule: If Step 1 identifies a definitive root cause at config level (incorrect record value, missing record, suspended record), skip Step 2 and proceed to Step 3.

Step 2: Nationwide Probing

If not short-circuited by Step 1, this step MUST NOT be skipped.

$PYTHON scripts/dns_boce.py both --domain \x3Cdomain> > /tmp/dns_diag_\x3Cdomain>/both.json
$PYTHON scripts/dns_analyze.py probe \
    --dns /tmp/dns_diag_\x3Cdomain>/dns_probe.json \
    --http /tmp/dns_diag_\x3Cdomain>/http_probe.json

Step 3: Comprehensive Analysis and Report

$PYTHON scripts/dns_analyze.py all \
    --quick /tmp/dns_diag_\x3Cdomain>/quick.json \
    --dns /tmp/dns_diag_\x3Cdomain>/dns_probe.json \
    --http /tmp/dns_diag_\x3Cdomain>/http_probe.json

Root cause priority: P0 Domain expired/locked -> P1 DNS provider/recursive interruption -> P2 ICP block/partial route failure/config anomaly.

Verification

See references/verification-method.md

Degradation Strategy

Unavailable Tool	Fallback
Playwright	Attempt install first (`$PYTHON -m pip install playwright && $PYTHON -m playwright install chromium`); only if install fails, degrade to multi-server dig comparison
OpenAPI	Skip authoritative record query, compare dig results with probing results only
dig	Use nslookup as substitute (limited, no trace)
All unavailable	WHOIS basic check only

Command Reference

See references/related-commands.md

Best Practices

Quick mode first — resolve simple issues in 5 seconds without running full flow
Immediate output per step — do not wait for all steps to complete
Save data — all raw data saved to /tmp/dns_diag_\x3Cdomain>/
Trust analysis scripts — core conclusions from analysis scripts; agent only formats and supplements
No manual troubleshooting — never use curl/ping/telnet for direct investigation

References

File	Content
references/ram-policies.md	RAM permission policies
references/api-reference.md	OpenAPI parameter reference
references/examples.md	Diagnostic case studies
references/related-commands.md	CLI command table
references/verification-method.md	Verification methods
references/cli-installation-guide.md	CLI installation guide
references/acceptance-criteria.md	Acceptance criteria

Notes

All operations are read-only queries; no configuration will be modified
OpenAPI calls require read permissions for the corresponding products
PrivateZone only works within VPC; public dig queries returning nothing is normal behavior

安全使用建议

Install only after reviewing the setup commands. Avoid running the curl-to-bash installer blindly, do not let the agent update/install Aliyun plugins automatically, use a least-privilege read-only DNS RAM role, avoid entering secrets on command lines, and do not submit internal or sensitive domains/URLs to boce or public DNS/WHOIS services unless that disclosure is acceptable.

能力标签

requires-walletrequires-oauth-tokenrequires-sensitive-credentials

能力评估

⚠ Purpose & Capability

The main purpose, DNS diagnosis, is coherent with dig, WHOIS, Alibaba Cloud read APIs, and boce probing, but the artifacts also include STS role assumption, credential/profile setup guidance, broad CLI administration examples, and external probing that go beyond a tightly scoped DNS-only helper.

⚠ Instruction Scope

The skill requires parameter confirmation and says not to read or print AK/SK values, which is good, but it also uses broad triggers, mandates script execution, and normalizes automatic CLI plugin installation/update behavior without enough user control.

⚠ Install Mechanism

Installation guidance includes curl-piped-to-bash, pip/Playwright browser installation, global Aliyun CLI plugin updates, and an import-time script path that sets auto-plugin-install and installs plugins if the CLI exists.

⚠ Credentials

DNS/WHOIS/network probing is expected for this purpose, but the skill may send user domains or URLs to boce.aliyun.com and query local Alibaba Cloud credential/profile state, including role ARN and region, without a clear opt-in boundary for sensitive/internal targets.

⚠ Persistence & Privilege

The skill’s notes claim operations are read-only, yet it changes Aliyun CLI configuration, installs/updates plugins, and provides persistent credential configuration examples; this creates a mismatch between stated impact and actual setup behavior.

版本历史

v0.0.1-beta.1

alibabacloud-dns-resolve-diagnose 0.0.1-beta.1 - Initial beta release of the Alibaba Cloud DNS Diagnostic Skill - Diagnoses DNS resolution failures, domain unreachable issues, NXDOMAIN errors, record propagation delays, and DNS hijacking across Alibaba Cloud DNS, GTM, PrivateZone, and third-party DNS - Automates WHOIS, recursive tracing, OpenAPI config verification, and nationwide probing via boce - Detailed installation, authentication, and security pre-checks included - Enforces script-based diagnostics—disallows manual troubleshooting with system/network tools - Introduces both quick and full mode workflows for issue detection and reporting

元数据

Slug alibabacloud-dns-resolve-diagnose

版本 0.0.1-beta.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Alibabacloud Dns Resolve Diagnose 是什么？

Alicloud DNS Diagnostic Skill. Diagnose DNS resolution failures, domain unreachable issues, NXDOMAIN errors, DNS record propagation delays, DNS hijacking, an... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 35 次。

如何安装 Alibabacloud Dns Resolve Diagnose？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install alibabacloud-dns-resolve-diagnose」即可一键安装，无需额外配置。

Alibabacloud Dns Resolve Diagnose 是免费的吗？

是的，Alibabacloud Dns Resolve Diagnose 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Alibabacloud Dns Resolve Diagnose 支持哪些平台？

Alibabacloud Dns Resolve Diagnose 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Alibabacloud Dns Resolve Diagnose？

由 alibabacloud-skills-team（@sdk-team）开发并维护，当前版本 v0.0.1-beta.1。

Alibabacloud Dns Resolve Diagnose