KDIG(1) Knot DNS KDIG(1)

NAME
kdig - Advanced DNS lookup utility

SYNOPSIS
kdig [common-settings] [query [settings]]...

kdig -h

DESCRIPTION
This utility sends one or more DNS queries to a nameserver. Each query
can have its own individual settings, or the settings can be specified
globally via common-settings, which must precede the query specification.
17
Parameters
query name | -q name | -x address | -G tapfile

common-settings, settings
[query_class] [query_type] [@server]... [options]

name The domain name to be looked up.

server A domain name or an IPv4 or IPv6 address of the nameserver to
send the query to. An additional port can be specified using the
address:port ([address]:port for an IPv6 address), address@port, or
address#port notation. A value beginning with the '/' character
is treated as an absolute UNIX socket path. If no server is
specified, the servers from /etc/resolv.conf are used.

If no arguments are provided, kdig sends an NS query for the root zone.
34
Query classes
A query_class can be either a DNS class name (IN, CH) or the generic class
specification CLASSXXXXX, where XXXXX is the corresponding decimal class
number. The default query class is IN.

Query types
A query_type can be either a DNS resource record type (A, AAAA, NS,
SOA, DNSKEY, ANY, etc.) or one of the following:

TYPEXXXXX
Generic query type specification, where XXXXX is the corresponding
decimal type number.

AXFR Full zone transfer request.

IXFR=serial
Incremental zone transfer request for the specified SOA serial number
(i.e. all zone updates since the specified zone version are
to be returned).

NOTIFY=serial
Notify message with the specified SOA serial hint.

NOTIFY Notify message without a SOA serial hint.

The default query type is A.
61
Options
-4 Use the IPv4 protocol only.

-6 Use the IPv6 protocol only.

-b address
Set the source IP address of the query to address. The address
must be a valid address of a local interface, or :: or 0.0.0.0. An
optional port can be specified in the same format as the server
value.

-c class
An explicit query_class specification. See the possible values
above.

-d Enable debug messages.

-h, --help
Print the program help.

-k keyfile
Use the TSIG key stored in the file keyfile to authenticate the
request. The file must contain the key in the same format as
accepted by the -y option.

-p port
Set the nameserver port number or service name to send the query
to. The default port is 53.

-q name
Set the query name. An explicit variant of the name specification.
If no name is provided, an empty question section is set.

-t type
An explicit query_type specification. See the possible values above.

-V, --version
Print the program version.

-x address
Send a reverse (PTR) query for the IPv4 or IPv6 address. The correct
name, class and type are set automatically.

-y [alg:]name:key
Use the TSIG key named name to authenticate the request. The alg
part specifies the algorithm (the default is hmac-sha256) and
key specifies the shared secret encoded in Base64.

-E tapfile
Export a dnstap trace of the query and the response messages
received to the file tapfile.

-G tapfile
Generate message output from a previously saved dnstap file
tapfile.
117
+[no]multiline
Wrap long records onto multiple lines to improve human readability.

+[no]short
Show record data only.

+[no]generic
Use the generic representation format when printing resource
record types and data.

+[no]crypto
Display the DNSSEC key and signature values in Base64 instead
of omitting them.

+[no]aaflag
Set the AA flag.

+[no]tcflag
Set the TC flag.

+[no]rdflag
Set the RD flag.

+[no]recurse
Same as +[no]rdflag.

+[no]raflag
Set the RA flag.

+[no]zflag
Set the zero flag bit.

+[no]adflag
Set the AD flag.

+[no]cdflag
Set the CD flag.

+[no]dnssec
Set the DO flag.

+[no]all
Show all packet sections.

+[no]qr
Show the query packet.

+[no]header
Show the packet header.

+[no]comments
Show commented section names.

+[no]opt
Show the EDNS pseudosection.

+[no]opttext
Try to show unknown EDNS options as text.

+[no]optpresent
Show EDNS in presentation format according to the specification
in draft-peltan-edns-presentation-format-01.

+[no]question
Show the question section.

+[no]answer
Show the answer section.

+[no]authority
Show the authority section.

+[no]additional
Show the additional section.

+[no]tsig
Show the TSIG pseudosection.

+[no]stats
Show trailing packet statistics.

+[no]class
Show the DNS class.

+[no]ttl
Show the TTL value.
+[no]tcp
Use the TCP protocol (the default is UDP for a standard query and TCP
for AXFR/IXFR).

+[no]fastopen
Use TCP Fast Open.

+[no]ignore
Don't switch to TCP automatically if a truncated reply is received.

+[no]keepopen
Keep the TCP connection open for the following query if it has the
same connection configuration. This applies to +tcp, +tls, and
+https operations. The connection is considered only in the context
of a single kdig call.

+[no]tls
Use TLS with the Opportunistic privacy profile (RFC 7858, section 4.1).

+[no]tls-ca[=FILE]
Use TLS with certificate validation. Certification authority
certificates are loaded from the specified PEM file (the default is
the system certificate store if no argument is provided). Can be
specified multiple times. If the +tls-hostname option is not
provided, the name of the target server (if specified) is used
for strict authentication.

+[no]tls-pin=BASE64
Use TLS with the Out-of-Band key-pinned privacy profile (RFC
7858, section 4.2). The PIN must be the Base64-encoded SHA-256
hash of the DER-encoded X.509 SubjectPublicKeyInfo. Can be specified
multiple times.

+[no]tls-hostname=STR
Use TLS with a remote server hostname check.

+[no]tls-sni=STR
Use TLS with Server Name Indication.

+[no]tls-keyfile=FILE
Use TLS with a client key file.

+[no]tls-certfile=FILE
Use TLS with a client certificate file.

+[no]tls-ocsp-stapling[=H]
Use TLS and require a valid stapled OCSP response for the server
certificate (the default period, or the specified number of hours H).
OCSP responses older than the specified period are considered invalid.

+[no]https[=URL]
Use HTTPS (DNS-over-HTTPS) in wire format (RFC 1035, section
4.2.1). It is also possible to specify URL=[authority][/path],
to which the request will be sent. Any leading scheme
and authority indicator (i.e. //) are ignored. The authority may
also be specified as the server (using the @ parameter). If
path is specified and the authority is missing, the server is
used as the authority together with the specified path. The
libnghttp2 library is required.
+[no]https-get
Use HTTPS with the HTTP GET method instead of the default HTTP POST
method. The libnghttp2 library is required.

+[no]quic
Use QUIC (DNS-over-QUIC).

+[no]nsid
Request the nameserver identifier (NSID).

+[no]bufsize=B
Set the EDNS buffer size in bytes (the default is 4096 bytes).

+[no]padding[=B]
Use the EDNS(0) padding option to pad queries, optionally to a
specific size. The default is to pad queries with a sensible amount
when using +tls, and not to pad at all when queries are sent
without TLS. With no argument (i.e. just +padding), pad every
query with a sensible amount regardless of the use of TLS. With
+nopadding, never pad.

+[no]alignment[=B]
Align the query to a B-byte block boundary using the EDNS(0) padding
option (disabled by default; 128 if the option is given without an
argument).

+[no]subnet=SUBN
Set the EDNS(0) client subnet option; SUBN has the form addr/prefix.

+[no]edns[=N]
Use EDNS version N (the default is 0).

+[no]timeout=T
Set the wait-for-reply interval in seconds (the default is 5
seconds). This timeout applies to each query attempt. A zero value or
+notimeout is interpreted as infinity.

+[no]retry=N
Set the number (>=0) of UDP retries (the default is 2). This doesn't
apply to AXFR/IXFR.

+[no]expire
Set the EXPIRE EDNS option.

+[no]cookie[=HEX]
Attach an EDNS(0) cookie to the query.

+[no]badcookie
Repeat the query with the correct cookie.

+[no]ednsopt[=CODE[:HEX]]
Send a custom EDNS option. CODE is the EDNS option code in decimal;
HEX is an optional hex-encoded string to use as the EDNS option
value. This argument can be used multiple times. +noednsopt
clears all EDNS options specified by +ednsopt.

+[no]proxy=SRC_ADDR[#SRC_PORT]-DST_ADDR[#DST_PORT]
Add a PROXYv2 header with the specified source and destination
addresses to the query. The default source port is 0 and the default
destination port is 53.

+[no]json
Use JSON for output encoding (RFC 8427).

+noidn Disable the IDN transformation to ASCII and vice versa. IDN
support depends on libidn being available when the project is built.
If used in common-settings, all IDN transformations are disabled.
If used in the individual query settings, the transformation from
ASCII is disabled on output for that particular query. Note that
the IDN transformation does not preserve domain name letter case.
335
NOTES
The options -k and -y cannot be used simultaneously.

The dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.

EXIT STATUS
An exit status of 0 means successful operation. Any other exit status
indicates an error.
344
EXAMPLES
1. Get A records for example.com:

$ kdig example.com A

2. Perform AXFR for the zone example.com from the server 192.0.2.1:

$ kdig example.com -t AXFR @192.0.2.1

3. Get A records for example.com from 192.0.2.1 and a reverse lookup for
the address 2001:DB8::1 from 192.0.2.2, both using the TCP protocol:

$ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

4. Get the SOA record for example.com, use TLS, use system certificates,
check for the specified hostname, check for the certificate pin, and print
additional debug info:

$ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
+tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

5. DNS over HTTPS examples (various DoH implementations):

$ kdig @1.1.1.1 +https example.com.
$ kdig @193.17.47.1 +https=/doh example.com.
$ kdig @8.8.4.4 +https +https-get example.com.
$ kdig @8.8.8.8 +https +tls-hostname=dns.google +fastopen example.com.

6. Several queries share one DoT connection:

$ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA
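Example 4 passes a +tls-pin value. The following added example, which is not part of the kdig man page or of Knot DNS, derives such a pin, base64(SHA-256(DER SubjectPublicKeyInfo)), from a PEM certificate or key with openssl, so an operator can confirm a pin against the resolver's actual key before relying on it. The EC key pair it generates is a constructed throwaway, and the host passed to spki_pin_from_server is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the kdig man page: compute the +tls-pin value,
# i.e. base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), with openssl.
set -eu

# Pin of the public key inside the PEM certificate $1.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Pin derived from the PEM private key $1; it must equal the pin of any
# certificate issued for that key (a sanity check on a resolver you run).
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Pin of the leaf certificate a DoT server presents on port 853.
# $1 is a hostname placeholder; this function needs network access.
spki_pin_from_server() {
    openssl s_client -connect "$1:853" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Offline demonstration on a constructed, throwaway EC key pair: the pin
# computed from the certificate must match the one computed from its key.
demo_pin_roundtrip() {
    dir=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=resolver.example" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
    from_cert=$(spki_pin_from_cert "$dir/cert.pem")
    from_key=$(spki_pin_from_key "$dir/key.pem")
    rm -rf "$dir"
    [ "$from_cert" = "$from_key" ] || return 1
    printf '%s\n' "$from_cert"   # 44-character Base64 value usable as +tls-pin=
}

# Usage against a resolver you trust out of band (placeholder hostname):
#   kdig @resolver.example +tls-ca +tls-pin="$(spki_pin_from_server resolver.example)" soa example.com
```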
376
FILES
/etc/resolv.conf

SEE ALSO
khost(1), knsupdate(1), keymgr(8).

AUTHOR
CZ.NIC Labs <https://www.knot-dns.cz>

COPYRIGHT
Copyright 2010–2023, CZ.NIC, z.s.p.o.

3.3.2 2023-10-20 KDIG(1)