KDIG(1)                            Knot DNS                            KDIG(1)

NAME
       kdig - Advanced DNS lookup utility

SYNOPSIS
       kdig [common-settings] [query [settings]]...

       kdig -h

DESCRIPTION
       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or the settings can be specified globally
       via common-settings, which must precede the query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using
              address:port ([address]:port for an IPv6 address), address@port,
              or address#port notation. A value which begins with the '/'
              character is considered an absolute UNIX socket path. If no
              server is specified, the servers from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.
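
       As an added example (not kdig's own code), the bash function below
       applies the server notations listed above to split a server argument
       into a host and a port: address:port, [address]:port, address@port,
       address#port, and a leading '/' for a UNIX socket path. An unbracketed
       value containing two or more ':' is taken as a bare IPv6 address with
       no port, which is why the bracket form exists. It assumes the default
       port 53 when none is given (as documented for -p) and accepts numeric
       ports only; kdig's -p additionally accepts service names.

```bash
#!/usr/bin/env bash
# Added example, not part of kdig: parse a kdig-style server specification.
# Prints "host port" (or "path unix" for a socket path) and returns 1 on a
# malformed port. Assumption: default port 53 when none is given.

parse_server() {
    local spec=$1 host port=53
    case "$spec" in
        /*)                 # absolute UNIX socket path, no port concept
            printf '%s unix\n' "$spec"; return 0 ;;
        \[*\]:*)            # [ipv6]:port
            host=${spec#\[}; host=${host%%\]*}; port=${spec##*\]:} ;;
        \[*\])              # [ipv6] without a port
            host=${spec#\[}; host=${host%\]} ;;
        *@*)                # address@port
            host=${spec%@*}; port=${spec##*@} ;;
        *\#*)               # address#port
            host=${spec%\#*}; port=${spec##*\#} ;;
        *:*:*)              # two or more ':' -> bare IPv6 address, no port
            host=$spec ;;
        *:*)                # exactly one ':' -> hostname-or-IPv4:port
            host=${spec%:*}; port=${spec##*:} ;;
        *)                  # plain name or IPv4 address
            host=$spec ;;
    esac
    # Only numeric ports in 1..65535 are accepted here (kdig's -p also takes
    # service names); anything else is rejected rather than silently defaulted.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port in '$spec'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "port out of range in '$spec'" >&2; return 1; }
    printf '%s %s\n' "$host" "$port"
}

# Constructed sample inputs; the socket path is a placeholder.
for s in 192.0.2.1 '[2001:db8::1]:853' 2001:db8::1 ns1.example.net@8053 \
         192.0.2.2#853 /run/dns/resolver.sock; do
    parse_server "$s"
done
```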
34
35   Query classes
36       A query_class can be either a DNS class name (IN, CH) or generic  class
37       specification  CLASSXXXXX  where XXXXX is a corresponding decimal class
38       number. The default query class is IN.
39
40   Query types
41       A query_type can be either a DNS resource record  type  (A,  AAAA,  NS,
42       SOA, DNSKEY, ANY, etc.) or one of the following:
43
44       TYPEXXXXX
45              Generic  query type specification where XXXXX is a corresponding
46              decimal type number.
47
48       AXFR   Full zone transfer request.
49
50       IXFR=serial
51              Incremental zone transfer request for specified SOA serial  num‐
52              ber  (i.e. all zone updates since the specified zone version are
53              to be returned).
54
55       NOTIFY=serial
56              Notify message with a SOA serial hint specified.
57
58       NOTIFY Notify message with a SOA serial hint unspecified.
59
60       The default query type is A.
61
62   Options
63       -4     Use the IPv4 protocol only.
64
65       -6     Use the IPv6 protocol only.
66
67       -b address
68              Set the source IP address of the query to address.  The  address
69              must be a valid address for local interface or :: or 0.0.0.0. An
70              optional port can be specified in the same format as the  server
71              value.
72
73       -c class
74              An  explicit  query_class  specification.  See  possible  values
75              above.
76
77       -d     Enable debug messages.
78
79       -h, --help
80              Print the program help.
81
82       -k keyfile
83              Use the TSIG key stored in a file keyfile  to  authenticate  the
84              request. The file must contain the key in the same format as ac‐
85              cepted by the -y option.
86
87       -p port
88              Set the nameserver port number or service name to send  a  query
89              to. The default port is 53.
90
91       -q name
92              Set  the  query name. An explicit variant of name specification.
93              If no name is provided, empty question section is set.
94
95       -t type
96              An explicit query_type specification. See possible values above.
97
98       -V, --version
99              Print the program version.
100
101       -x address
102              Send a reverse (PTR) query for IPv4 or IPv6 address. The correct
103              name, class and type is set automatically.
104
105       -y [alg:]name:key
106              Use the TSIG key named name to authenticate the request. The alg
107              part specifies the algorithm (the default  is  hmac-sha256)  and
108              key specifies the shared secret encoded in Base64.
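
       The following added script (not kdig's own code) covers both -k and
       -y: it generates a TSIG shared secret and writes it in the
       [alg:]name:key form that -y takes on the command line and -k reads
       from a file, creating the file with owner-only permissions so the
       secret is not exposed through a world-readable file or the shell
       history. The key name "tsig.example." and the file path are
       placeholders chosen here; the 32-byte secret size is an assumption
       matched to hmac-sha256's output length.

```bash
#!/usr/bin/env bash
# Added example, not part of kdig: create and validate a TSIG key file in
# the "[alg:]name:key" format shared by -k (file) and -y (command line).

make_tsig_keyfile() {
    # $1: output path, $2: key name (placeholder default), $3: algorithm
    local path=$1 name=${2:-tsig.example.} alg=${3:-hmac-sha256} secret
    # 32 random bytes, Base64-encoded, as the key part of -y expects
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    # umask 077 in a subshell so only the owner can read the new file
    ( umask 077 && printf '%s:%s:%s\n' "$alg" "$name" "$secret" > "$path" ) \
        || return 1
}

# Read the file back, require three non-empty colon-separated fields and a
# key part that decodes to 32 bytes; print the key name on success.
check_tsig_keyfile() {
    local path=$1 alg name key
    IFS=: read -r alg name key < "$path" || return 1
    [ -n "$alg" ] && [ -n "$name" ] && [ -n "$key" ] || return 1
    [ "$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')" -eq 32 ] \
        || return 1
    printf '%s\n' "$name"
}

# Demonstration with a constructed temporary path.
DEMO_KEY=$(mktemp -d)/tsig.key
make_tsig_keyfile "$DEMO_KEY" "tsig.example."
printf 'created key %s in %s\n' "$(check_tsig_keyfile "$DEMO_KEY")" "$DEMO_KEY"

# Usage with kdig (not executed here): the file works with -k, its single
# line works with -y. -k and -y cannot be combined in one call.
#   kdig -k "$DEMO_KEY" -t AXFR example.com @192.0.2.1
#   kdig -y "$(cat "$DEMO_KEY")" -t AXFR example.com @192.0.2.1
```

       Prefer -k over -y for anything beyond a one-off test: the -y argument
       is visible to other local users in the process list, while the file
       created above is readable only by its owner.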

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.

       +[no]multiline
              Wrap long records onto more lines to improve human readability.

       +[no]short
              Show record data only.

       +[no]generic
              Use the generic representation format when printing resource
              record types and data.

       +[no]crypto
              Display the DNSSEC key and signature values in Base64 instead of
              omitting them.

       +[no]aaflag
              Set the AA flag.

       +[no]tcflag
              Set the TC flag.

       +[no]rdflag
              Set the RD flag.

       +[no]recurse
              Same as +[no]rdflag.

       +[no]raflag
              Set the RA flag.

       +[no]zflag
              Set the zero flag bit.

       +[no]adflag
              Set the AD flag.

       +[no]cdflag
              Set the CD flag.

       +[no]dnssec
              Set the DO flag.

       +[no]all
              Show all packet sections.

       +[no]qr
              Show the query packet.

       +[no]header
              Show the packet header.

       +[no]comments
              Show commented section names.

       +[no]opt
              Show the EDNS pseudosection.

       +[no]opttext
              Try to show unknown EDNS options as text.

       +[no]optpresent
              Show EDNS in presentation format according to the specification
              in draft-peltan-edns-presentation-format-01.

       +[no]question
              Show the question section.

       +[no]answer
              Show the answer section.

       +[no]authority
              Show the authority section.

       +[no]additional
              Show the additional section.

       +[no]tsig
              Show the TSIG pseudosection.

       +[no]stats
              Show trailing packet statistics.

       +[no]class
              Show the DNS class.

       +[no]ttl
              Show the TTL value.

       +[no]tcp
              Use the TCP protocol (the default is UDP for a standard query and
              TCP for AXFR/IXFR).

       +[no]fastopen
              Use TCP Fast Open.

       +[no]ignore
              Don't fall back to TCP automatically if a truncated reply is
              received.

       +[no]keepopen
              Keep the TCP connection open for the following query if it has
              the same connection configuration. This applies to +tcp, +tls,
              and +https operations. The connection is considered in the
              context of a single kdig call only.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC 7858,
              section 4.1).

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (the default
              is the system certificate store if no argument is provided). Can
              be specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858, section 4.2). The PIN must be a Base64-encoded SHA-256
              hash of the X.509 SubjectPublicKeyInfo. Can be specified
              multiple times.
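
       The following added script (not part of kdig or Knot DNS) shows how
       the +tls-pin value is derived: the DER-encoded SubjectPublicKeyInfo is
       extracted from the certificate, hashed with SHA-256, and the digest is
       Base64-encoded. It relies on openssl and, so that it runs offline,
       generates a throwaway self-signed certificate to compute a pin from;
       the resolver address 192.0.2.1 and the hostname resolver.example in the
       printed kdig command are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of kdig: compute a +tls-pin value (Base64 of the
# SHA-256 digest of the certificate's DER SubjectPublicKeyInfo) with openssl.

spki_pin_from_pem() {
    # $1: PEM certificate file. Each stage is the standard openssl tool:
    # extract the public key, re-encode it as DER SPKI, hash, Base64 on one line.
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Create a constructed self-signed certificate for demonstration only.
make_test_cert() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=resolver.example" \
      -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Print the kdig invocation that would enforce this pin (placeholder server).
print_kdig_command() {
    local pin=$1
    printf 'kdig @192.0.2.1 +tls-pin=%s +tls-hostname=resolver.example example.com SOA\n' \
        "$pin"
}

DEMO_DIR=$(mktemp -d)
make_test_cert "$DEMO_DIR"
PIN=$(spki_pin_from_pem "$DEMO_DIR/cert.pem")
printf 'SPKI pin: %s\n' "$PIN"
print_kdig_command "$PIN"
```

       The pin covers the public key rather than the whole certificate, so it
       survives certificate renewals that keep the same key. A pin for a
       production resolver should be derived from the certificate or key the
       operator publishes; pinning whatever key is observed on the first
       connection only fixes the peer identity from that point on.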

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

       +[no]tls-sni=STR
              Use TLS with a Server Name Indication.

       +[no]tls-keyfile=FILE
              Use TLS with a client key file.

       +[no]tls-certfile=FILE
              Use TLS with a client certificate file.

       +[no]tls-ocsp-stapling[=H]
              Use TLS with a valid stapled OCSP response for the server
              certificate (optionally specify the maximum age H in hours).
              OCSP responses older than the specified period are considered
              invalid.

       +[no]https[=URL]
              Use HTTPS (DNS-over-HTTPS) in wire format (RFC 1035, section
              4.2.1). It is also possible to specify URL=[authority][/path]
              where the request will be sent to. Any leading scheme and
              authority indicator (i.e. //) are ignored. The authority might
              also be specified as the server (using the @ parameter). If
              path is specified and authority is missing, then the server is
              used as the authority together with the specified path. The
              libnghttp2 library is required.

       +[no]https-get
              Use HTTPS with the HTTP GET method instead of the default HTTP
              POST method. The libnghttp2 library is required.

       +[no]quic
              Use QUIC (DNS-over-QUIC).

       +[no]nsid
              Request the nameserver identifier (NSID).

       +[no]bufsize=B
              Set the EDNS buffer size in bytes (the default is 4096 bytes).

       +[no]padding[=B]
              Use the EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e., just +padding), pad
              every query with a sensible amount regardless of the use of
              TLS. With +nopadding, never pad.

       +[no]alignment[=B]
              Align the query to a B-byte block message using the EDNS(0)
              padding option (the default is no alignment, or 128 if no
              argument is specified).

       +[no]subnet=SUBN
              Set the EDNS(0) client subnet SUBN=addr/prefix.

       +[no]edns[=N]
              Use EDNS version N (the default is 0).

       +[no]timeout=T
              Set the wait-for-reply interval in seconds (the default is 5
              seconds). This timeout applies to each query attempt. A zero
              value or +notimeout is interpreted as infinity.

       +[no]retry=N
              Set the number (>=0) of UDP retries (the default is 2). This
              doesn't apply to AXFR/IXFR.

       +[no]expire
              Set the EXPIRE EDNS option.

       +[no]cookie[=HEX]
              Attach an EDNS(0) cookie to the query.

       +[no]badcookie
              Repeat a query with the correct cookie.

       +[no]ednsopt[=CODE[:HEX]]
              Send a custom EDNS option. CODE is the EDNS option code in
              decimal, HEX is an optional hex-encoded string to use as the
              EDNS option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +[no]proxy=SRC_ADDR[#SRC_PORT]-DST_ADDR[#DST_PORT]
              Add a PROXYv2 header with the specified source and destination
              addresses to the query. The default source port is 0 and the
              default destination port is 53.

       +[no]json
              Use JSON for output encoding (RFC 8427).

       +noidn Disable the IDN transformation to ASCII and vice versa. IDN
              support depends on libidn availability when the project is
              built! If used in common-settings, all IDN transformations are
              disabled. If used in the individual query settings, the
              transformation from ASCII is disabled on output for the
              particular query. Note that IDN transformation does not
              preserve domain name letter case.

NOTES
       Options -k and -y cannot be used simultaneously.

       The dnssec-keygen keyfile format is not supported. Use keymgr(8)
       instead.

EXIT VALUES
       Exit status of 0 means successful operation. Any other exit status
       indicates an error.

EXAMPLES
       1. Get A records for example.com:

             $ kdig example.com A

       2. Perform AXFR for zone example.com from the server 192.0.2.1:

             $ kdig example.com -t AXFR @192.0.2.1

       3. Get A records for example.com from 192.0.2.1 and a reverse lookup
          for address 2001:DB8::1 from 192.0.2.2, both using the TCP protocol:

             $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

       4. Get the SOA record for example.com, use TLS, use system certificates,
          check for the specified hostname, check for the certificate pin, and
          print additional debug info:

             $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

       5. DNS over HTTPS examples (various DoH implementations):

             $ kdig @1.1.1.1 +https example.com.
             $ kdig @193.17.47.1 +https=/doh example.com.
             $ kdig @8.8.4.4 +https +https-get example.com.
             $ kdig @8.8.8.8 +https +tls-hostname=dns.google +fastopen example.com.

       6. More queries share one DoT connection:

             $ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA

FILES
       /etc/resolv.conf

SEE ALSO
       khost(1), knsupdate(1), keymgr(8).

AUTHOR
       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2023, CZ.NIC, z.s.p.o.

3.3.2                             2023-10-20                           KDIG(1)