KDIG(1)                            Knot DNS                            KDIG(1)

NAME

       kdig - Advanced DNS lookup utility

SYNOPSIS

       kdig [common-settings] [query [settings]]...

       kdig -h

DESCRIPTION

       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or they can be specified globally via
       common-settings, which must precede the query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using
              address:port ([address]:port for IPv6 address), address@port, or
              address#port notation. If no server is specified, the servers
              from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.

   Query classes
       A query_class can be either a DNS class name (IN, CH) or a generic
       class specification CLASSXXXXX where XXXXX is a corresponding decimal
       class number. The default query class is IN.

   Query types
       A query_type can be either a DNS resource record type (A, AAAA, NS,
       SOA, DNSKEY, ANY, etc.) or one of the following:

       TYPEXXXXX
              Generic query type specification where XXXXX is a corresponding
              decimal type number.

       AXFR   Full zone transfer request.

       IXFR=serial
              Incremental zone transfer request for specified starting SOA
              serial number.

       NOTIFY=serial
              Notify message with a SOA serial hint specified.

       NOTIFY Notify message with a SOA serial hint unspecified.

       The default query type is A.

   Options
       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The address
              must be a valid address for a local interface or :: or 0.0.0.0.
              An optional port can be specified in the same format as the
              server value.

       -c class
              An explicit query_class specification. See possible values
              above.

       -d     Enable debug messages.

       -h, --help
              Print the program help.

       -k keyfile
              Use the TSIG key stored in a file keyfile to authenticate the
              request. The file must contain the key in the same format as
              accepted by the -y option.

       -p port
              Set the nameserver port number or service name to send a query
              to. The default port is 53.

       -q name
              Set the query name. An explicit variant of name specification.
              If no name is provided, an empty question section is set.

       -t type
              An explicit query_type specification. See possible values above.

       -V, --version
              Print the program version.

       -x address
              Send a reverse (PTR) query for IPv4 or IPv6 address. The correct
              name, class and type are set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg
              part specifies the algorithm (the default is hmac-sha256) and
              key specifies the shared secret encoded in Base64.

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.

       +[no]multiline
              Wrap long records to more lines and improve human readability.

       +[no]short
              Show record data only.

       +[no]generic
              Use the generic representation format when printing resource
              record types and data.

       +[no]crypto
              Display DNSSEC key and signature values as a hexdump instead of
              omitting them.

       +[no]aaflag
              Set the AA flag.

       +[no]tcflag
              Set the TC flag.

       +[no]rdflag
              Set the RD flag.

       +[no]recurse
              Same as +[no]rdflag.

       +[no]raflag
              Set the RA flag.

       +[no]zflag
              Set the zero flag bit.

       +[no]adflag
              Set the AD flag.

       +[no]cdflag
              Set the CD flag.

       +[no]dnssec
              Set the DO flag.

       +[no]all
              Show all packet sections.

       +[no]qr
              Show the query packet.

       +[no]header
              Show the packet header.

       +[no]comments
              Show commented section names.

       +[no]opt
              Show the EDNS pseudosection.

       +[no]question
              Show the question section.

       +[no]answer
              Show the answer section.

       +[no]authority
              Show the authority section.

       +[no]additional
              Show the additional section.

       +[no]tsig
              Show the TSIG pseudosection.

       +[no]stats
              Show trailing packet statistics.

       +[no]class
              Show the DNS class.

       +[no]ttl
              Show the TTL value.

       +[no]tcp
              Use the TCP protocol (default is UDP for standard query and TCP
              for AXFR/IXFR).

       +[no]fastopen
              Use TCP Fast Open (default with TCP).

       +[no]ignore
              Don't use TCP automatically if a truncated reply is received.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC
              7858#section-4.1).

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (default is
              system certificate storage if no argument is provided). Can be
              specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858#section-4.2). The PIN must be a Base64 encoded SHA-256
              hash of the X.509 SubjectPublicKeyInfo. Can be specified
              multiple times.

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

       +[no]tls-sni=STR
              Use TLS with a Server Name Indication.

       +[no]nsid
              Request the nameserver identifier (NSID).

       +[no]bufsize=B
              Set EDNS buffer size in bytes (default is 512 bytes).

       +[no]padding[=B]
              Use EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e., just +padding) pad
              every query with a sensible amount regardless of the use of TLS.
              With +nopadding, never pad.

       +[no]alignment[=B]
              Align the query to B-byte-block message using the EDNS(0)
              padding option (default is no or 128 if no argument is
              specified).

       +[no]subnet=SUBN
              Set EDNS(0) client subnet SUBN=addr/prefix.

       +[no]edns[=N]
              Use EDNS version N (default is 0).

       +[no]timeout=T
              Set the wait-for-reply interval in seconds (default is 5
              seconds). This timeout applies to each query attempt.

       +[no]retry=N
              Set the number (>=0) of UDP retries (default is 2). This doesn't
              apply to AXFR/IXFR.

       +[no]cookie=HEX
              Attach EDNS(0) cookie to the query.

       +[no]badcookie
              Repeat a query with the correct cookie.

       +[no]ednsopt[=CODE[:HEX]]
              Send custom EDNS option. The CODE is EDNS option code in
              decimal, HEX is an optional hex encoded string to use as EDNS
              option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDNA2003
              support depends on libidn availability during project building!

NOTES

       Options -k and -y cannot be used simultaneously.

       The dnssec-keygen keyfile format is not supported. Use keymgr(8)
       instead.

EXAMPLES

       1. Get A records for example.com:

             $ kdig example.com A

       2. Perform AXFR for zone example.com from the server 192.0.2.1:

             $ kdig example.com -t AXFR @192.0.2.1

       3. Get A records for example.com from 192.0.2.1 and reverse lookup for
          address 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:

             $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

       4. Get SOA record for example.com, use TLS, use system certificates,
          check for specified hostname, check for certificate pin, and print
          additional debug info:

             $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

FILES

       /etc/resolv.conf

SEE ALSO

       khost(1), knsupdate(1), keymgr(8).

AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2019, CZ.NIC, z.s.p.o.

2.7.6                             2019-01-23                           KDIG(1)