1KDIG(1) Knot DNS KDIG(1)
2
6 kdig - Advanced DNS lookup utility
7
9 kdig [common-settings] [query [settings]]...
10 kdig -h
12
14 This utility sends one or more DNS queries to a nameserver. Each query
15 can have individual settings, or it can be specified globally via com‐
16 mon-settings, which must precede query specification.
17 Parameters
19 query name | -q name | -x address | -G tapfile
20 common-settings, settings
22 [query_class] [query_type] [@server]... [options]
23 name Is a domain name that is to be looked up.
25 server Is a domain name or an IPv4 or IPv6 address of the nameserver to
27 send a query to. An additional port can be specified using
28 address:port ([address]:port for IPv6 address), address@port, or
29 address#port notation. If no server is specified, the servers
30 from /etc/resolv.conf are used.
31 If no arguments are provided, kdig sends NS query for the root zone.
33 Query classes
35 A query_class can be either a DNS class name (IN, CH) or generic class
36 specification CLASSXXXXX where XXXXX is a corresponding decimal class
37 number. The default query class is IN.
38 Query types
40 A query_type can be either a DNS resource record type (A, AAAA, NS,
41 SOA, DNSKEY, ANY, etc.) or one of the following:
42 TYPEXXXXX
44 Generic query type specification where XXXXX is a corresponding
45 decimal type number.
46 AXFR Full zone transfer request.
48 IXFR=serial
50 Incremental zone transfer request for specified SOA serial num‐
51 ber (i.e. all zone updates since the specified zone version are
52 to be returned).
53 NOTIFY=serial
55 Notify message with a SOA serial hint specified.
56 NOTIFY Notify message with a SOA serial hint unspecified.
58 The default query type is A.
60 Options
62 -4 Use the IPv4 protocol only.
63 -6 Use the IPv6 protocol only.
65 -b address
67 Set the source IP address of the query to address. The address
68 must be a valid address for local interface or :: or 0.0.0.0. An
69 optional port can be specified in the same format as the server
70 value.
71 -c class
73 An explicit query_class specification. See possible values
74 above.
75 -d Enable debug messages.
77 -h, --help
79 Print the program help.
80 -k keyfile
82 Use the TSIG key stored in a file keyfile to authenticate the
83 request. The file must contain the key in the same format as
84 accepted by the -y option.
85 -p port
87 Set the nameserver port number or service name to send a query
88 to. The default port is 53.
89 -q name
91 Set the query name. An explicit variant of name specification.
92 If no name is provided, empty question section is set.
93 -t type
95 An explicit query_type specification. See possible values above.
96 -V, --version
98 Print the program version.
99 -x address
101 Send a reverse (PTR) query for IPv4 or IPv6 address. The correct
102 name, class and type is set automatically.
103 -y [alg:]name:key
105 Use the TSIG key named name to authenticate the request. The alg
106 part specifies the algorithm (the default is hmac-sha256) and
107 key specifies the shared secret encoded in Base64.
108 -E tapfile
110 Export a dnstap trace of the query and response messages
111 received to the file tapfile.
112 -G tapfile
114 Generate message output from a previously saved dnstap file tap‐
115 file.
116 +[no]multiline
118 Wrap long records to more lines and improve human readability.
119 +[no]short
121 Show record data only.
122 +[no]generic
124 Use the generic representation format when printing resource
125 record types and data.
126 +[no]crypto
128 Display the DNSSEC keys and signatures values in base64, instead
129 of omitting them.
130 +[no]aaflag
132 Set the AA flag.
133 +[no]tcflag
135 Set the TC flag.
136 +[no]rdflag
138 Set the RD flag.
139 +[no]recurse
141 Same as +[no]rdflag
142 +[no]raflag
144 Set the RA flag.
145 +[no]zflag
147 Set the zero flag bit.
148 +[no]adflag
150 Set the AD flag.
151 +[no]cdflag
153 Set the CD flag.
154 +[no]dnssec
156 Set the DO flag.
157 +[no]all
159 Show all packet sections.
160 +[no]qr
162 Show the query packet.
163 +[no]header
165 Show the packet header.
166 +[no]comments
168 Show commented section names.
169 +[no]opt
171 Show the EDNS pseudosection.
172 +[no]question
174 Show the question section.
175 +[no]answer
177 Show the answer section.
178 +[no]authority
180 Show the authority section.
181 +[no]additional
183 Show the additional section.
184 +[no]tsig
186 Show the TSIG pseudosection.
187 +[no]stats
189 Show trailing packet statistics.
190 +[no]class
192 Show the DNS class.
193 +[no]ttl
195 Show the TTL value.
196 +[no]tcp
198 Use the TCP protocol (default is UDP for standard query and TCP
199 for AXFR/IXFR).
200 +[no]fastopen
202 Use TCP Fast Open (default with TCP).
203 +[no]ignore
205 Don't use TCP automatically if a truncated reply is received.
206 +[no]tls
208 Use TLS with the Opportunistic privacy profile (RFC 7858#sec‐
209 tion-4.1).
210 +[no]tls-ca[=FILE]
212 Use TLS with a certificate validation. Certification authority
213 certificates are loaded from the specified PEM file (default is
214 system certificate storage if no argument is provided). Can be
215 specified multiple times. If the +tls-hostname option is not
216 provided, the name of the target server (if specified) is used
217 for strict authentication.
218 +[no]tls-pin=BASE64
220 Use TLS with the Out-of-Band key-pinned privacy profile (RFC
221 7858#section-4.2). The PIN must be a Base64 encoded SHA-256
222 hash of the X.509 SubjectPublicKeyInfo. Can be specified multi‐
223 ple times.
224 +[no]tls-hostname=STR
226 Use TLS with a remote server hostname check.
227 +[no]tls-sni=STR
229 Use TLS with a Server Name Indication.
230 +[no]tls-keyfile=FILE
232 Use TLS with a client keyfile.
233 +[no]tls-certfile=FILE
235 Use TLS with a client certfile.
236 +[no]tls-ocsp-stapling[=H]
238 Use TLS with a valid stapled OCSP response for the server cer‐
239 tificate (%u or specify hours). OCSP responses older than the
240 specified period are considered invalid.
241 +[no]nsid
243 Request the nameserver identifier (NSID).
244 +[no]bufsize=B
246 Set EDNS buffer size in bytes (default is 512 bytes).
247 +[no]padding[=B]
249 Use EDNS(0) padding option to pad queries, optionally to a spe‐
250 cific size. The default is to pad queries with a sensible amount
251 when using +tls, and not to pad at all when queries are sent
252 without TLS. With no argument (i.e., just +padding) pad every
253 query with a sensible amount regardless of the use of TLS. With
254 +nopadding, never pad.
255 +[no]alignment[=B]
257 Align the query to B-byte-block message using the EDNS(0) pad‐
258 ding option (default is no or 128 if no argument is specified).
259 +[no]subnet=SUBN
261 Set EDNS(0) client subnet SUBN=addr/prefix.
262 +[no]edns[=N]
264 Use EDNS version (default is 0).
265 +[no]timeout=T
267 Set the wait-for-reply interval in seconds (default is 5 sec‐
268 onds). This timeout applies to each query attempt. An attempt to
269 set T to less than 1 will result in a query timeout of 1 second
270 being applied.
271 +[no]retry=N
273 Set the number (>=0) of UDP retries (default is 2). This doesn't
274 apply to AXFR/IXFR.
275 +[no]cookie=HEX
277 Attach EDNS(0) cookie to the query.
278 +[no]badcookie
280 Repeat a query with the correct cookie.
281 +[no]ednsopt[=CODE[:HEX]]
283 Send custom EDNS option. The CODE is EDNS option code in deci‐
284 mal, HEX is an optional hex encoded string to use as EDNS option
285 value. This argument can be used multiple times. +noednsopt
286 clears all EDNS options specified by +ednsopt.
287 +noidn Disable the IDN transformation to ASCII and vice versa. IDN sup‐
289 port depends on libidn availability during project building! If
290 used in common-settings, all IDN transformations are disabled.
291 If used in the individual query settings, transformation from
292 ASCII is disabled on output for the particular query. Note that
293 IDN transformation does not preserve domain name letter case.
294
296 Options -k and -y can not be used simultaneously.
297 Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.
299
301 Exit status of 0 means successful operation. Any other exit status
302 indicates an error.
303
305 1. Get A records for example.com:
306 $ kdig example.com A
308 2. Perform AXFR for zone example.com from the server 192.0.2.1:
310 $ kdig example.com -t AXFR @192.0.2.1
312 3. Get A records for example.com from 192.0.2.1 and reverse lookup for
314 address 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:
315 $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
317 4. Get SOA record for example.com, use TLS, use system certificates,
319 check for specified hostname, check for certificate pin, and print
320 additional debug info:
321 $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
323 +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
324
326 /etc/resolv.conf
327
329 khost(1), knsupdate(1), keymgr(8).
330
332 CZ.NIC Labs <https://www.knot-dns.cz>
333
335 Copyright 2010–2020, CZ.NIC, z.s.p.o.
3362.9.3 2020-03-03 KDIG(1)