1KDIG(1) Knot DNS KDIG(1)
2
3
4
6 kdig - Advanced DNS lookup utility
7
9 kdig [common-settings] [query [settings]]...
10
11 kdig -h
12
14 This utility sends one or more DNS queries to a nameserver. Each query
15 can have individual settings, or it can be specified globally via com‐
16 mon-settings, which must precede query specification.
17
18 Parameters
19 query name | -q name | -x address | -G tapfile
20
21 common-settings, settings
22 [query_class] [query_type] [@server]... [options]
23
24 name Is a domain name that is to be looked up.
25
26 server Is a domain name or an IPv4 or IPv6 address of the nameserver to
27 send a query to. An additional port can be specified using ad‐
28 dress:port ([address]:port for IPv6 address), address@port, or
29 address#port notation. If no server is specified, the servers
30 from /etc/resolv.conf are used.
31
32 If no arguments are provided, kdig sends NS query for the root zone.
33
34 Query classes
35 A query_class can be either a DNS class name (IN, CH) or generic class
36 specification CLASSXXXXX where XXXXX is a corresponding decimal class
37 number. The default query class is IN.
38
39 Query types
40 A query_type can be either a DNS resource record type (A, AAAA, NS,
41 SOA, DNSKEY, ANY, etc.) or one of the following:
42
43 TYPEXXXXX
44 Generic query type specification where XXXXX is a corresponding
45 decimal type number.
46
47 AXFR Full zone transfer request.
48
49 IXFR=serial
50 Incremental zone transfer request for specified SOA serial num‐
51 ber (i.e. all zone updates since the specified zone version are
52 to be returned).
53
54 NOTIFY=serial
55 Notify message with a SOA serial hint specified.
56
57 NOTIFY Notify message with a SOA serial hint unspecified.
58
59 The default query type is A.
60
61 Options
62 -4 Use the IPv4 protocol only.
63
64 -6 Use the IPv6 protocol only.
65
66 -b address
67 Set the source IP address of the query to address. The address
68 must be a valid address for local interface or :: or 0.0.0.0. An
69 optional port can be specified in the same format as the server
70 value.
71
72 -c class
73 An explicit query_class specification. See possible values
74 above.
75
76 -d Enable debug messages.
77
78 -h, --help
79 Print the program help.
80
81 -k keyfile
82 Use the TSIG key stored in a file keyfile to authenticate the
83 request. The file must contain the key in the same format as ac‐
84 cepted by the -y option.
85
86 -p port
87 Set the nameserver port number or service name to send a query
88 to. The default port is 53.
89
90 -q name
91 Set the query name. An explicit variant of name specification.
92 If no name is provided, empty question section is set.
93
94 -t type
95 An explicit query_type specification. See possible values above.
96
97 -V, --version
98 Print the program version.
99
100 -x address
101 Send a reverse (PTR) query for IPv4 or IPv6 address. The correct
102 name, class and type is set automatically.
103
104 -y [alg:]name:key
105 Use the TSIG key named name to authenticate the request. The alg
106 part specifies the algorithm (the default is hmac-sha256) and
107 key specifies the shared secret encoded in Base64.
108
109 -E tapfile
110 Export a dnstap trace of the query and response messages re‐
111 ceived to the file tapfile.
112
113 -G tapfile
114 Generate message output from a previously saved dnstap file tap‐
115 file.
116
117 +[no]multiline
118 Wrap long records to more lines and improve human readability.
119
120 +[no]short
121 Show record data only.
122
123 +[no]generic
124 Use the generic representation format when printing resource
125 record types and data.
126
127 +[no]crypto
128 Display the DNSSEC keys and signatures values in base64, instead
129 of omitting them.
130
131 +[no]aaflag
132 Set the AA flag.
133
134 +[no]tcflag
135 Set the TC flag.
136
137 +[no]rdflag
138 Set the RD flag.
139
140 +[no]recurse
141 Same as +[no]rdflag
142
143 +[no]raflag
144 Set the RA flag.
145
146 +[no]zflag
147 Set the zero flag bit.
148
149 +[no]adflag
150 Set the AD flag.
151
152 +[no]cdflag
153 Set the CD flag.
154
155 +[no]dnssec
156 Set the DO flag.
157
158 +[no]all
159 Show all packet sections.
160
161 +[no]qr
162 Show the query packet.
163
164 +[no]header
165 Show the packet header.
166
167 +[no]comments
168 Show commented section names.
169
170 +[no]opt
171 Show the EDNS pseudosection.
172
173 +[no]opttext
174 Try to show unknown EDNS options as text.
175
176 +[no]question
177 Show the question section.
178
179 +[no]answer
180 Show the answer section.
181
182 +[no]authority
183 Show the authority section.
184
185 +[no]additional
186 Show the additional section.
187
188 +[no]tsig
189 Show the TSIG pseudosection.
190
191 +[no]stats
192 Show trailing packet statistics.
193
194 +[no]class
195 Show the DNS class.
196
197 +[no]ttl
198 Show the TTL value.
199
200 +[no]tcp
201 Use the TCP protocol (default is UDP for standard query and TCP
202 for AXFR/IXFR).
203
204 +[no]fastopen
205 Use TCP Fast Open.
206
207 +[no]ignore
208 Don't use TCP automatically if a truncated reply is received.
209
210 +[no]keepopen
211 Keep TCP connection open for the following query if it has the
212 same connection configuration. This applies to +tcp, +tls, and
213 +https operations. The connection is considered in the context
214 of a single kdig call only.
215
216 +[no]tls
217 Use TLS with the Opportunistic privacy profile (RFC 7858#sec‐
218 tion-4.1).
219
220 +[no]tls-ca[=FILE]
221 Use TLS with a certificate validation. Certification authority
222 certificates are loaded from the specified PEM file (default is
223 system certificate storage if no argument is provided). Can be
224 specified multiple times. If the +tls-hostname option is not
225 provided, the name of the target server (if specified) is used
226 for strict authentication.
227
228 +[no]tls-pin=BASE64
229 Use TLS with the Out-of-Band key-pinned privacy profile (RFC
230 7858#section-4.2). The PIN must be a Base64 encoded SHA-256
231 hash of the X.509 SubjectPublicKeyInfo. Can be specified multi‐
232 ple times.
233
234 +[no]tls-hostname=STR
235 Use TLS with a remote server hostname check.
236
237 +[no]tls-sni=STR
238 Use TLS with a Server Name Indication.
239
240 +[no]tls-keyfile=FILE
241 Use TLS with a client keyfile.
242
243 +[no]tls-certfile=FILE
244 Use TLS with a client certfile.
245
246 +[no]tls-ocsp-stapling[=H]
247 Use TLS with a valid stapled OCSP response for the server cer‐
248 tificate (%u or specify hours). OCSP responses older than the
249 specified period are considered invalid.
250
251 +[no]https[=URL]
252 Use HTTPS (DNS-over-HTTPS) in wire format (RFC 1035#sec‐
253 tion-4.2.1). It is also possible to specify URL=[author‐
254 ity][/path] where request will be sent to. Any leading scheme
255 and authority indicator (i.e. //) are ignored. Authority might
256 also be specified as the server (using the parameter @). If
257 path is specified and authority is missing, then the server is
258 used as authority together with the specified path. Library
259 libnghttp2 is required.
260
261 +[no]https-get
262 Use HTTPS with HTTP/GET method instead of the default HTTP/POST
263 method. Library libnghttp2 is required.
264
265 +[no]nsid
266 Request the nameserver identifier (NSID).
267
268 +[no]bufsize=B
269 Set EDNS buffer size in bytes (default is 512 bytes).
270
271 +[no]padding[=B]
272 Use EDNS(0) padding option to pad queries, optionally to a spe‐
273 cific size. The default is to pad queries with a sensible amount
274 when using +tls, and not to pad at all when queries are sent
275 without TLS. With no argument (i.e., just +padding) pad every
276 query with a sensible amount regardless of the use of TLS. With
277 +nopadding, never pad.
278
279 +[no]alignment[=B]
280 Align the query to B-byte-block message using the EDNS(0) pad‐
281 ding option (default is no or 128 if no argument is specified).
282
283 +[no]subnet=SUBN
284 Set EDNS(0) client subnet SUBN=addr/prefix.
285
286 +[no]edns[=N]
287 Use EDNS version (default is 0).
288
289 +[no]timeout=T
290 Set the wait-for-reply interval in seconds (default is 5 sec‐
291 onds). This timeout applies to each query attempt. An attempt to
292 set T to less than 1 will result in a query timeout of 1 second
293 being applied.
294
295 +[no]retry=N
296 Set the number (>=0) of UDP retries (default is 2). This doesn't
297 apply to AXFR/IXFR.
298
299 +[no]cookie=HEX
300 Attach EDNS(0) cookie to the query.
301
302 +[no]badcookie
303 Repeat a query with the correct cookie.
304
305 +[no]ednsopt[=CODE[:HEX]]
306 Send custom EDNS option. The CODE is EDNS option code in deci‐
307 mal, HEX is an optional hex encoded string to use as EDNS option
308 value. This argument can be used multiple times. +noednsopt
309 clears all EDNS options specified by +ednsopt.
310
311 +noidn Disable the IDN transformation to ASCII and vice versa. IDN sup‐
312 port depends on libidn availability during project building! If
313 used in common-settings, all IDN transformations are disabled.
314 If used in the individual query settings, transformation from
315 ASCII is disabled on output for the particular query. Note that
316 IDN transformation does not preserve domain name letter case.
317
319 Options -k and -y can not be used simultaneously.
320
321 Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.
322
324 Exit status of 0 means successful operation. Any other exit status in‐
325 dicates an error.
326
328 1. Get A records for example.com:
329
330 $ kdig example.com A
331
332 2. Perform AXFR for zone example.com from the server 192.0.2.1:
333
334 $ kdig example.com -t AXFR @192.0.2.1
335
336 3. Get A records for example.com from 192.0.2.1 and reverse lookup for
337 address 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:
338
339 $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
340
341 4. Get SOA record for example.com, use TLS, use system certificates,
342 check for specified hostname, check for certificate pin, and print
343 additional debug info:
344
345 $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
346 +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
347
348 5. DNS over HTTPS examples (various DoH implementations):
349
350 $ kdig @1.1.1.1 +https example.com.
351 $ kdig @193.17.47.1 +https=/doh example.com.
352 $ kdig @8.8.4.4 +https +https-get example.com.
353 $ kdig @8.8.8.8 +https +tls-hostname=dns.google +fastopen example.com.
354
355 6. More queries share one DoT connection:
356
357 $ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA
358
360 /etc/resolv.conf
361
363 khost(1), knsupdate(1), keymgr(8).
364
366 CZ.NIC Labs <https://www.knot-dns.cz>
367
369 Copyright 2010–2021, CZ.NIC, z.s.p.o.
370
371
372
373
3743.1.4 2021-11-04 KDIG(1)