KDIG(1)                            Knot DNS                            KDIG(1)

NAME

       kdig - Advanced DNS lookup utility


SYNOPSIS

       kdig [common-settings] [query [settings]]...

       kdig -h


DESCRIPTION

       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or settings can be given globally via
       common-settings, which must precede the first query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using the
              address:port ([address]:port for an IPv6 address), address@port,
              or address#port notation. If no server is specified, the servers
              from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.

34   Query classes
       A query_class can be either a DNS class name (IN, CH) or a generic class
       specification CLASSXXXXX, where XXXXX is the corresponding decimal class
       number. The default query class is IN.

39   Query types
       A query_type can be either a DNS resource record type (A, AAAA, NS, SOA,
       DNSKEY, ANY, etc.) or one of the following:

       TYPEXXXXX
              Generic query type specification, where XXXXX is the
              corresponding decimal type number.

       AXFR   Full zone transfer request.

       IXFR=serial
              Incremental zone transfer request for the specified SOA serial
              number (i.e. all zone updates since the specified zone version
              are to be returned).

       NOTIFY=serial
              Notify message with the specified SOA serial hint.

       NOTIFY Notify message without a SOA serial hint.

       The default query type is A.

61   Options
       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The address
              must be a valid address of a local interface, or :: or 0.0.0.0.
              An optional port can be specified in the same format as the
              server value.

       -c class
              An explicit query_class specification. See the possible values
              above.

       -d     Enable debug messages.

       -h, --help
              Print the program help.

       -k keyfile
              Use the TSIG key stored in the file keyfile to authenticate the
              request. The file must contain the key in the same format as
              accepted by the -y option. This is the preferred way to pass a
              key, because the secret then never appears on the command line.

       -p port
              Set the nameserver port number or service name to send the query
              to. The default port is 53.

       -q name
              Set the query name. An explicit variant of the name
              specification. If no name is provided, an empty question section
              is set.

       -t type
              An explicit query_type specification. See the possible values
              above.

       -V, --version
              Print the program version.

       -x address
              Send a reverse (PTR) query for an IPv4 or IPv6 address. The
              correct name, class and type are set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg
              part specifies the algorithm (the default is hmac-sha256) and
              key specifies the shared secret encoded in Base64. A secret
              given this way is visible to other users of the host in the
              process list and may be recorded in the shell history; use -k
              for anything but throwaway keys.

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.

       +[no]multiline
              Wrap long records onto more lines to improve human readability.

       +[no]short
              Show record data only.

       +[no]generic
              Use the generic representation format when printing resource
              record types and data.

       +[no]crypto
              Display the DNSSEC key and signature values in Base64 instead
              of omitting them.

       +[no]aaflag
              Set the AA flag.

       +[no]tcflag
              Set the TC flag.

       +[no]rdflag
              Set the RD flag.

       +[no]recurse
              Same as +[no]rdflag.

       +[no]raflag
              Set the RA flag.

       +[no]zflag
              Set the zero flag bit.

       +[no]adflag
              Set the AD flag.

       +[no]cdflag
              Set the CD flag.

       +[no]dnssec
              Set the DO flag (request DNSSEC records in the answer).

       +[no]all
              Show all packet sections.

       +[no]qr
              Show the query packet.

       +[no]header
              Show the packet header.

       +[no]comments
              Show commented section names.

       +[no]opt
              Show the EDNS pseudosection.

       +[no]opttext
              Try to show unknown EDNS options as text.

       +[no]question
              Show the question section.

       +[no]answer
              Show the answer section.

       +[no]authority
              Show the authority section.

       +[no]additional
              Show the additional section.

       +[no]tsig
              Show the TSIG pseudosection.

       +[no]stats
              Show trailing packet statistics.

       +[no]class
              Show the DNS class.

       +[no]ttl
              Show the TTL value.

       +[no]tcp
              Use the TCP protocol (the default is UDP for a standard query
              and TCP for AXFR/IXFR).

       +[no]fastopen
              Use TCP Fast Open (default with TCP).

       +[no]ignore
              Don't switch to TCP automatically if a truncated reply is
              received.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC 7858,
              section 4.1). This profile encrypts the channel but does not
              authenticate the server, because the server certificate is not
              validated; add +tls-ca (with +tls-hostname) or +tls-pin when
              the server identity matters.

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (or from
              the system certificate store if no argument is provided). Can
              be specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858, section 4.2). The PIN must be the Base64-encoded SHA-256
              hash of the DER-encoded X.509 SubjectPublicKeyInfo of the
              server certificate (the value obtained by extracting the public
              key from the certificate, converting it to DER, hashing it with
              SHA-256 and Base64-encoding the digest). Can be specified
              multiple times.

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

       +[no]tls-sni=STR
              Use TLS with a Server Name Indication.

       +[no]tls-keyfile=FILE
              Use TLS with a client key file.

       +[no]tls-certfile=FILE
              Use TLS with a client certificate file.

       +[no]tls-ocsp-stapling[=H]
              Use TLS with a valid stapled OCSP response for the server
              certificate. OCSP responses older than H hours (or than the
              built-in default period if no argument is given) are considered
              invalid.

       +[no]https[=URL]
              Use HTTPS (DNS-over-HTTPS, RFC 8484) with the query in DNS wire
              format. It is also possible to specify URL=[authority][/path]
              to which the request will be sent. The authority may also be
              specified as the server name (the @ parameter). The libnghttp2
              library is required.

       +[no]https-get
              Use HTTPS with the HTTP GET method instead of the default HTTP
              POST method. The libnghttp2 library is required.

       +[no]nsid
              Request the nameserver identifier (NSID).

       +[no]bufsize=B
              Set the EDNS buffer size in bytes (the default is 512 bytes).

       +[no]padding[=B]
              Use the EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e. just +padding), pad
              every query with a sensible amount regardless of the use of
              TLS. With +nopadding, never pad.

       +[no]alignment[=B]
              Pad the query with the EDNS(0) padding option so that the
              message length is a multiple of B bytes (no alignment by
              default; 128 if the option is given without an argument).

       +[no]subnet=SUBN
              Set the EDNS(0) client subnet option, SUBN=addr/prefix.

       +[no]edns[=N]
              Use EDNS version N (the default is 0).

       +[no]timeout=T
              Set the wait-for-reply interval in seconds (the default is 5
              seconds). This timeout applies to each query attempt. An
              attempt to set T to less than 1 results in a query timeout of 1
              second being applied.

       +[no]retry=N
              Set the number (>=0) of UDP retries (the default is 2). This
              doesn't apply to AXFR/IXFR.

       +[no]cookie=HEX
              Attach an EDNS(0) cookie to the query.

       +[no]badcookie
              Repeat the query with the correct cookie when the server
              answers with BADCOOKIE.

       +[no]ednsopt[=CODE[:HEX]]
              Send a custom EDNS option. CODE is the EDNS option code in
              decimal and HEX is an optional hex-encoded string to use as the
              EDNS option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDN
              support depends on libidn being available when the project was
              built. If used in common-settings, all IDN transformations are
              disabled. If used in the individual query settings, the
              transformation from ASCII is disabled on output for the
              particular query. Note that the IDN transformation does not
              preserve the letter case of domain names.

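       The EDNS(0) options above (+bufsize, +dnssec, +nsid, +cookie, +ednsopt
       and +padding/+alignment) all travel in one OPT pseudo-RR in the query,
       and the GET form used by +https-get is that same wire message encoded
       as unpadded base64url in the dns= parameter (RFC 8484). The script
       below builds such a query, applies block-aligned padding as RFC 8467
       describes it, and decodes the OPT RR back so the result can be
       checked. It is an added example written for this page, not kdig code;
       the private-use option code 65001, the client cookie bytes and the
       base URL https://dns.example/dns-query are constructed placeholders.

```python
"""Build the wire-format DNS query that kdig's EDNS(0) options describe and
decode it back. Added example for this page, not Knot DNS / kdig code."""
import base64
import struct

TYPE_OPT = 41
OPT_NSID, OPT_COOKIE, OPT_PADDING = 3, 10, 12      # RFC 5001, RFC 7873, RFC 7830
DO_FLAG = 0x8000                                   # top bit of the OPT "TTL" flags word
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ANY": 255}


def wire_name(name):
    """Encode a presentation-format name as uncompressed wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer ends the name
            return off + 2
        off += 1 + length


def opt_rr(udp_size, do, options):
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    rdata = b"".join(struct.pack("!HH", code, len(val)) + val for code, val in options)
    flags = DO_FLAG if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, flags, len(rdata)) + rdata


def build_query(qname, qtype="A", *, msg_id=0x2A2A, udp_size=1232, do=True,
                nsid=False, cookie=None, extra=(), block=None):
    """Single-question query with RD set and one OPT RR.

    nsid   -> +nsid (empty option 3)
    cookie -> +cookie=HEX (option 10, 8-byte client cookie)
    extra  -> +ednsopt=CODE:HEX entries as (code, bytes) pairs
    block  -> +alignment=B: pad with option 12 to a multiple of B bytes
    """
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)   # RD=1, ARCOUNT=1 (OPT)
    question = wire_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    options = []
    if nsid:
        options.append((OPT_NSID, b""))
    if cookie is not None:
        options.append((OPT_COOKIE, cookie))
    options.extend(extra)
    msg = header + question + opt_rr(udp_size, do, options)
    if block:
        # RFC 8467 block-length padding: the padding option itself costs 4 bytes
        # of code+length, so account for them before choosing the pad length.
        pad = (-(len(msg) + 4)) % block
        options.append((OPT_PADDING, bytes(pad)))
        msg = header + question + opt_rr(udp_size, do, options)
    return msg


def parse_opt(msg):
    """Return (udp_size, do, version, [(code, value), ...]) from the first OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            opts, p = [], off
            while p < off + rdlen:
                code, ln = struct.unpack("!HH", msg[p:p + 4])
                opts.append((code, msg[p + 4:p + 4 + ln]))
                p += 4 + ln
            return rclass, bool(ttl & DO_FLAG), (ttl >> 16) & 0xFF, opts
        off += rdlen
    return None


def doh_get_url(msg, base="https://dns.example/dns-query"):
    """RFC 8484 GET form (kdig +https-get): message ID zeroed so caches can
    match it, body as unpadded base64url in dns=. The base URL is a placeholder."""
    msg = b"\x00\x00" + msg[2:]
    return base + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    q = build_query("example.com.", "SOA", nsid=True,
                    cookie=bytes.fromhex("0102030405060708"),   # constructed client cookie
                    extra=[(65001, bytes.fromhex("cafe"))],     # constructed private-use option
                    block=128)
    print(len(q), parse_opt(q))
    print(doh_get_url(q))
```

       With block=128 the 62-byte query grows to exactly 128 bytes, which is
       the point of +alignment on a TLS channel: an observer sees only
       block-sized records rather than a length that leaks the query name.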

NOTES

       Options -k and -y cannot be used simultaneously.

       The dnssec-keygen key file format is not supported. Use keymgr(8)
       instead.

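       What -k and -y actually add to a request is a TSIG RR (RFC 8945) at
       the end of the additional section, whose MAC is an HMAC with the
       shared secret over the whole message plus the TSIG variables; the
       server recomputes it and answers BADKEY, BADSIG or BADTIME when the
       key name, MAC or timestamp does not check out. The script below parses
       the [alg:]name:key form, signs a query and performs the server-side
       verification including those failure cases. It is an added example
       written for this page, not Knot DNS code; the key name
       axfr-key.example, the sample secret (bytes 0x00..0x1f) and the fixed
       timestamps are constructed.

```python
"""TSIG (RFC 8945) signing and verification with the [alg:]name:key form used by
kdig -y and the -k key file. Added example for this page, not Knot DNS code."""
import base64
import hashlib
import hmac
import struct
import time

TYPE_TSIG, CLASS_ANY = 250, 255
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha384": hashlib.sha384,
              "hmac-sha512": hashlib.sha512, "hmac-sha1": hashlib.sha1}
# Constructed sample key (32 bytes 0x00..0x1f); a real secret must be random.
SAMPLE_KEY = "hmac-sha256:axfr-key.example.:" + base64.b64encode(bytes(range(32))).decode()


def parse_key(spec):
    """Parse '[alg:]name:key' (kdig -y, and the contents of a -k file)."""
    parts = spec.strip().split(":")
    if len(parts) == 2:
        alg, name, secret = "hmac-sha256", parts[0], parts[1]
    elif len(parts) == 3:
        alg, name, secret = parts
    else:
        raise ValueError("expected [alg:]name:key")
    alg = alg.lower()
    if alg not in ALGORITHMS:
        raise ValueError("unsupported TSIG algorithm: " + alg)
    return alg, name.rstrip(".").lower(), base64.b64decode(secret, validate=True)


def wire_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Read an uncompressed name (TSIG and algorithm names must not be compressed)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels).lower(), off + 1


def skip_name(buf, off):
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1


def build_query(qname, qtype=1, msg_id=0x1234):
    """Minimal query: RD set, one question, no EDNS."""
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_mac(msg, key, alg, keyname, time_signed, fudge):
    """HMAC over the message without the TSIG RR, then the TSIG variables (error 0, no other data)."""
    variables = (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))
    return hmac.new(key, msg + variables, ALGORITHMS[alg]).digest()


def sign(msg, keyspec, time_signed=None, fudge=300):
    """Append a TSIG RR to msg, as kdig does before sending a -y/-k request."""
    alg, keyname, key = parse_key(keyspec)
    ts = int(time.time()) if time_signed is None else time_signed
    mac = tsig_mac(msg, key, alg, keyname, ts, fudge)
    rdata = (wire_name(alg) + ts.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify(signed, keyspec, now=None):
    """Server-side check; returns (ok, reason) with reason in ok/FORMERR/BADKEY/BADSIG/BADTIME."""
    alg, keyname, key = parse_key(keyspec)
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off, last = 12, None
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar):                  # the TSIG RR must be the last RR
        last = off
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if last is None or off != len(signed):
        return False, "FORMERR"                    # no RRs, or trailing bytes after the TSIG
    name, p = read_name(signed, last)
    rtype, rclass = struct.unpack("!HH", signed[p:p + 4])
    p += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "FORMERR"
    ralg, p = read_name(signed, p)
    if name != keyname or ralg != alg:
        return False, "BADKEY"
    ts = int.from_bytes(signed[p:p + 6], "big")
    fudge, maclen = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + maclen]
    if signed[p + 10 + maclen:p + 12 + maclen] != signed[:2]:
        return False, "FORMERR"                    # original ID must match the header ID
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:last]
    if not hmac.compare_digest(mac, tsig_mac(unsigned, key, alg, name, ts, fudge)):
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - ts) > fudge:
        return False, "BADTIME"                    # time is checked only after the MAC (RFC 8945)
    return True, "ok"
```

       Note the order in verify: the MAC is checked before the timestamp, so
       an unsigned attacker cannot probe clock skew with forged time values,
       and the comparison uses hmac.compare_digest to avoid a timing leak.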

EXIT VALUES

       An exit status of 0 means successful operation. Any other exit status
       indicates an error.


EXAMPLES

       1. Get A records for example.com:

             $ kdig example.com A

       2. Perform an AXFR for the zone example.com from the server 192.0.2.1:

             $ kdig example.com -t AXFR @192.0.2.1

       3. Get A records for example.com from 192.0.2.1 and a reverse lookup
          for the address 2001:DB8::1 from 192.0.2.2, both over TCP:

             $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

       4. Get the SOA record for example.com over TLS, using the system
          certificates, checking the given hostname and the certificate pin,
          and print additional debug info:

             $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

       5. DNS over HTTPS examples (various DoH implementations):

             $ kdig @1.1.1.1 +https example.com.
             $ kdig @193.17.47.1 +https=/doh example.com.
             $ kdig @8.8.4.4 +https +https-get example.com.


FILES

       /etc/resolv.conf


SEE ALSO

       khost(1), knsupdate(1), keymgr(8).


AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2021, CZ.NIC, z.s.p.o.

3.0.6                             2021-05-12                           KDIG(1)