KDIG(1)                            Knot DNS                            KDIG(1)


NAME

       kdig - Advanced DNS lookup utility

SYNOPSIS

       kdig [common-settings] [query [settings]]...

       kdig -h

DESCRIPTION

       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or settings can be specified globally via
       common-settings, which must precede the query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using
              address:port ([address]:port for an IPv6 address), address@port,
              or address#port notation. If no server is specified, the servers
              from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.
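       The server notation above, as an added example that is not part of the
       kdig man page or of the Knot DNS code: a small Python parser that splits
       a server argument into (address, port) under the four notations listed,
       defaulting to port 53. One rule is my assumption: an unbracketed string
       with two or more colons is taken as a bare IPv6 address with no port,
       since the bracket form exists to remove exactly that ambiguity.

```python
import ipaddress

DEFAULT_PORT = 53  # kdig's default port (see the -p option)


def _port(text):
    """Numeric port in range, or a service name left for the resolver."""
    if text == "":
        raise ValueError("empty port")
    if text.isdigit():
        port = int(text)
        if not 0 < port < 65536:
            raise ValueError("port out of range: %s" % text)
        return port
    return text  # e.g. "domain": -p accepts a service name as well


def parse_server(spec, default_port=DEFAULT_PORT):
    """Split a kdig server spec into (address, port).

    Handles address:port, [address]:port, address@port and address#port.
    """
    if spec.startswith("["):                       # [v6addr] or [v6addr]:port
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated bracket: %r" % spec)
        addr, rest = spec[1:end], spec[end + 1:]
        ipaddress.IPv6Address(addr)                # raises on a bad literal
        if rest == "":
            return addr, default_port
        if not rest.startswith(":"):
            raise ValueError("expected ':port' after ']': %r" % spec)
        return addr, _port(rest[1:])
    for sep in "@#":                               # address@port, address#port
        if sep in spec:
            addr, _, port = spec.rpartition(sep)
            return addr, _port(port)
    colons = spec.count(":")
    if colons == 1:                                # name:port or v4addr:port
        addr, _, port = spec.partition(":")
        return addr, _port(port)
    if colons > 1:
        # Assumption: an unbracketed literal with several colons is a bare
        # IPv6 address; a trailing :port would be ambiguous, so none is read.
        ipaddress.IPv6Address(spec)
    return spec, default_port
```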

   Query classes
       A query_class can be either a DNS class name (IN, CH) or a generic class
       specification CLASSXXXXX, where XXXXX is the corresponding decimal class
       number. The default query class is IN.

   Query types
       A query_type can be either a DNS resource record type (A, AAAA, NS,
       SOA, DNSKEY, ANY, etc.) or one of the following:

       TYPEXXXXX
              Generic query type specification, where XXXXX is the
              corresponding decimal type number.

       AXFR   Full zone transfer request.

       IXFR=serial
              Incremental zone transfer request for the specified SOA serial
              number (i.e. all zone updates since the specified zone version
              are to be returned).

       NOTIFY=serial
              Notify message with a SOA serial hint specified.

       NOTIFY Notify message with a SOA serial hint unspecified.

       The default query type is A.

   Options
       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The address
              must be a valid address for a local interface, or :: or 0.0.0.0.
              An optional port can be specified in the same format as the
              server value.

       -c class
              An explicit query_class specification. See possible values
              above.

       -d     Enable debug messages.

       -h, --help
              Print the program help.

       -k keyfile
              Use the TSIG key stored in the file keyfile to authenticate the
              request. The file must contain the key in the same format as
              accepted by the -y option.

       -p port
              Set the nameserver port number or service name to send a query
              to. The default port is 53.

       -q name
              Set the query name. An explicit variant of the name
              specification. If no name is provided, an empty question section
              is set.

       -t type
              An explicit query_type specification. See possible values above.

       -V, --version
              Print the program version.

       -x address
              Send a reverse (PTR) query for an IPv4 or IPv6 address. The
              correct name, class and type are set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg
              part specifies the algorithm (the default is hmac-sha256) and
              key specifies the shared secret encoded in Base64.

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.

       +[no]multiline
              Wrap long records to more lines and improve human readability.

       +[no]short
              Show record data only.

       +[no]generic
              Use the generic representation format when printing resource
              record types and data.

       +[no]crypto
              Display the DNSSEC key and signature values in base64, instead
              of omitting them.

       +[no]aaflag
              Set the AA flag.

       +[no]tcflag
              Set the TC flag.

       +[no]rdflag
              Set the RD flag.

       +[no]recurse
              Same as +[no]rdflag.

       +[no]raflag
              Set the RA flag.

       +[no]zflag
              Set the zero flag bit.

       +[no]adflag
              Set the AD flag.

       +[no]cdflag
              Set the CD flag.

       +[no]dnssec
              Set the DO flag.

       +[no]all
              Show all packet sections.

       +[no]qr
              Show the query packet.

       +[no]header
              Show the packet header.

       +[no]comments
              Show commented section names.

       +[no]opt
              Show the EDNS pseudosection.

       +[no]opttext
              Try to show unknown EDNS options as text.

       +[no]question
              Show the question section.

       +[no]answer
              Show the answer section.

       +[no]authority
              Show the authority section.

       +[no]additional
              Show the additional section.

       +[no]tsig
              Show the TSIG pseudosection.

       +[no]stats
              Show trailing packet statistics.

       +[no]class
              Show the DNS class.

       +[no]ttl
              Show the TTL value.

       +[no]tcp
              Use the TCP protocol (default is UDP for a standard query and TCP
              for AXFR/IXFR).

       +[no]fastopen
              Use TCP Fast Open.

       +[no]ignore
              Don't use TCP automatically if a truncated reply is received.

       +[no]keepopen
              Keep the TCP connection open for the following query if it has
              the same connection configuration. This applies to +tcp, +tls,
              and +https operations. The connection is considered in the
              context of a single kdig call only.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC 7858,
              section 4.1).

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (default is
              the system certificate storage if no argument is provided). Can
              be specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858, section 4.2). The PIN must be a Base64 encoded SHA-256
              hash of the X.509 SubjectPublicKeyInfo. Can be specified
              multiple times.
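       Computing the value +tls-pin expects, as an added example that is not
       taken from the kdig man page or from Knot DNS: a stdlib-only Python
       routine that extracts the SubjectPublicKeyInfo from a DER certificate
       and returns Base64(SHA-256(SPKI)). The minimal certificates it is run on
       are constructed in the block only to exercise the parser and contain no
       real key; the pin for a real server is computed the same way from its
       DER certificate.

```python
import base64
import hashlib


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der(cert):
    """Return the encoded SubjectPublicKeyInfo from a DER X.509 certificate."""
    _, pos, _ = _read_tlv(cert, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = _read_tlv(cert, pos)      # TBSCertificate ::= SEQUENCE { ... }
    tag, _, end = _read_tlv(cert, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert, pos)
    _, _, end = _read_tlv(cert, pos)      # subjectPublicKeyInfo ::= SEQUENCE
    return cert[pos:end]                  # the whole TLV is what the pin hashes


def tls_pin(cert):
    """Base64(SHA-256(SPKI)): the form +tls-pin takes (RFC 7858 section 4.2)."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert)).digest()).decode()


# Constructed sample data: a syntactically minimal certificate with a dummy
# SPKI, built only to exercise the parser. It is not a real certificate.
def _tlv(tag, value):
    assert len(value) < 128               # short-form lengths suffice for the sample
    return bytes([tag, len(value)]) + value

SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _tlv(0x03, b"\x00\x04" + b"\x11" * 16))

def sample_cert(with_version=True):
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs += _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"")          # serial, signature, issuer
    tbs += _tlv(0x30, _tlv(0x17, b"220101000000Z") + _tlv(0x17, b"230101000000Z"))
    tbs += _tlv(0x30, b"") + SAMPLE_SPKI                          # subject, SPKI
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 9))
```

       A pin derived from a certificate fetched over the same untrusted path it
       is meant to authenticate only restates what that path presented; compare
       the result against a value the operator publishes out of band.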

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

       +[no]tls-sni=STR
              Use TLS with a Server Name Indication.

       +[no]tls-keyfile=FILE
              Use TLS with a client keyfile.

       +[no]tls-certfile=FILE
              Use TLS with a client certfile.

       +[no]tls-ocsp-stapling[=H]
              Use TLS with a valid stapled OCSP response for the server
              certificate (%u or specify hours). OCSP responses older than the
              specified period are considered invalid.

       +[no]https[=URL]
              Use HTTPS (DNS-over-HTTPS) in wire format (RFC 1035, section
              4.2.1). It is also possible to specify URL=[authority][/path]
              to which the request will be sent. Any leading scheme and
              authority indicator (i.e. //) are ignored. The authority might
              also be specified as the server (using the @ parameter). If a
              path is specified and the authority is missing, then the server
              is used as the authority together with the specified path. The
              libnghttp2 library is required.

       +[no]https-get
              Use HTTPS with the HTTP/GET method instead of the default
              HTTP/POST method. The libnghttp2 library is required.

       +[no]nsid
              Request the nameserver identifier (NSID).

       +[no]bufsize=B
              Set the EDNS buffer size in bytes (default is 4096 bytes).

       +[no]padding[=B]
              Use the EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e., just +padding) pad
              every query with a sensible amount regardless of the use of TLS.
              With +nopadding, never pad.

       +[no]alignment[=B]
              Align the query to a B-byte block using the EDNS(0) padding
              option (default is no alignment, or 128 if the option is given
              without an argument).

       +[no]subnet=SUBN
              Set the EDNS(0) client subnet SUBN=addr/prefix.

       +[no]edns[=N]
              Use EDNS version N (default is 0).

       +[no]timeout=T
              Set the wait-for-reply interval in seconds (default is 5
              seconds). This timeout applies to each query attempt. A zero
              value or +notimeout is interpreted as infinity.

       +[no]retry=N
              Set the number (>=0) of UDP retries (default is 2). This doesn't
              apply to AXFR/IXFR.

       +[no]cookie[=HEX]
              Attach an EDNS(0) cookie to the query.

       +[no]badcookie
              Repeat a query with the correct cookie.

       +[no]ednsopt[=CODE[:HEX]]
              Send a custom EDNS option. CODE is the EDNS option code in
              decimal, HEX is an optional hex encoded string to use as the
              EDNS option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDN
              support depends on libidn availability during project building!
              If used in common-settings, all IDN transformations are disabled.
              If used in the individual query settings, transformation from
              ASCII is disabled on output for the particular query. Note that
              IDN transformation does not preserve domain name letter case.


NOTES

       Options -k and -y cannot be used simultaneously.

       The dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.


EXIT VALUES

       Exit status of 0 means successful operation. Any other exit status
       indicates an error.


EXAMPLES

       1. Get A records for example.com:

             $ kdig example.com A

       2. Perform AXFR for zone example.com from the server 192.0.2.1:

             $ kdig example.com -t AXFR @192.0.2.1

       3. Get A records for example.com from 192.0.2.1 and a reverse lookup for
          address 2001:DB8::1 from 192.0.2.2, both using the TCP protocol:

             $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

       4. Get the SOA record for example.com, use TLS, use system certificates,
          check for the specified hostname, check for the certificate pin, and
          print additional debug info:

             $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

       5. DNS over HTTPS examples (various DoH implementations):

             $ kdig @1.1.1.1 +https example.com.
             $ kdig @193.17.47.1 +https=/doh example.com.
             $ kdig @8.8.4.4 +https +https-get example.com.
             $ kdig @8.8.8.8 +https +tls-hostname=dns.google +fastopen example.com.

       6. More queries share one DoT connection:

             $ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA


FILES

       /etc/resolv.conf


SEE ALSO

       khost(1), knsupdate(1), keymgr(8).


AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2022, CZ.NIC, z.s.p.o.



3.1.8                             2022-04-28                           KDIG(1)