SDIG(1)                PowerDNS Authoritative Server                SDIG(1)

NAME
       sdig - Perform a DNS query and show the results

SYNOPSIS
       sdig IP-ADDRESS-OR-DOH-URL PORT QNAME QTYPE [OPTION]

DESCRIPTION
       sdig sends a DNS query to IP-ADDRESS-OR-DOH-URL on port PORT and
       displays the answer in a formatted way. If the address starts with
       an h, it is assumed to be a DoH endpoint, and PORT is ignored. If
       qname and qtype are both - and tcp is used, multiple lines are read
       from stdin, where each line contains a qname and a type. If the
       address is stdin, a DNS packet is read from stdin instead of from
       the network, and PORT is ignored. All input is literal and case
       sensitive. Queries need option recurse to expect a resource record
       reply if the query target is not known to be the authoritative
       server for that record.

OPTIONS
       These options can be added to the command line in any order.

       class CLASSNUM
              Send the query in the numbered class (like 3 for CHAOS)
              instead of the default 1 (for IN).

       dnssec Set the DO bit to request DNSSEC information.

       ednssubnet SUBNET
              Send SUBNET in the edns-client-subnet option. If this option
              is not set, no edns-client-subnet option is set in the query.

       hidesoadetails
              Don't show the SOA serial in the response.

       hidettl
              Replace TTLs with [ttl] in the response.

       proxy TCP? SRC DST
              Wrap query in PROXYv2 protocol with these parameters. The
              first parameter accepts 0 for UDP and 1 for TCP. The second
              and third take IP addresses and port.

       recurse
              Set the RD bit in the question.

       showflags
              Show the NSEC3 flags in the response (they are hidden by
              default).

       dumpluaraw
              Display record contents in a form suitable for dnsdist's
              SpoofRawAction.

       tcp    Use TCP instead of UDP to send the query.

       dot    Use DoT instead of UDP to send a query. Implies tcp.

       insecure
              When using DoT, do not validate the server certificate.

       fastOpen
              When using TCP or DoT, enable TCP Fast Open.

       subjectName name
              When using DoT, verify the server certificate is issued for
              name. The openssl provider will accept an empty name and
              still make sure the certificate is issued by a trusted CA;
              gnutls will only do the validation if a name is given.
              Default is the empty name. Also, note that older provider
              libraries might not validate at all.

       caStore file
              When using DoT, read the trusted CA certificates from file.
              Default is to use the system provided CA store.

       tlsProvider name
              When using DoT, use TLS provider name. Currently supported
              (if compiled in): openssl and gnutls. Default is openssl if
              available.

       xpf XPFCODE XPFVERSION XPFPROTO XPFSRC XPFDST
              Send an XPF additional with these parameters.

       opcode OPNUM
              Use opcode OPNUM instead of 0 (Query). For example, sdig
              192.0.2.1 53 example.com SOA opcode 4 sends a NOTIFY.

EXAMPLES
       Simple queries to local resolvers
              sdig 127.0.0.1 53 example.com AAAA recurse
              sdig ::1 53 example.com A recurse

       Query to a DNS-over-HTTPS server requesting dnssec and recursion
              sdig https://dns.example.net/dns-query 443 example.com A dnssec recurse
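
       Auditing DoT options (added example, not part of the sdig
       distribution): a shell function that checks the options of one sdig
       command line for the certificate validation pitfalls described
       under insecure and subjectName. The function name sdig_dot_audit
       and its verdict strings are assumptions made for this example; the
       sample invocations are constructed.

```shell
#!/bin/sh
# Added example, not part of sdig: audit the options of one sdig command line.
# Usage:  sdig_dot_audit SERVER PORT QNAME QTYPE [OPTION...]
# Prints: not-dot | insecure | no-subject-name | ok | usage-error
sdig_dot_audit() {
    if [ "$#" -lt 4 ]; then echo "usage-error"; return 2; fi
    shift 4                          # server, port, qname, qtype
    dot=0; insecure=0; subject=""
    while [ "$#" -gt 0 ]; do
        opt=$1; shift; n=0
        case $opt in
            dot)      dot=1 ;;
            insecure) insecure=1 ;;
            subjectName)
                if [ "$#" -lt 1 ]; then echo "usage-error"; return 2; fi
                subject=$1; n=1 ;;
            # Options with arguments (counts from the OPTIONS list): skip the
            # values so that e.g. "caStore insecure" is not read as a flag.
            class|ednssubnet|caStore|tlsProvider|opcode) n=1 ;;
            proxy) n=3 ;;
            xpf)   n=5 ;;
        esac
        if [ "$#" -lt "$n" ]; then echo "usage-error"; return 2; fi
        if [ "$n" -gt 0 ]; then shift "$n"; fi
    done
    if [ "$dot" -eq 0 ]; then echo "not-dot"; return 0; fi
    # insecure: the server certificate is not validated.
    if [ "$insecure" -eq 1 ]; then echo "insecure"; return 1; fi
    # Empty name: openssl checks only the CA chain, gnutls skips validation.
    if [ -z "$subject" ]; then echo "no-subject-name"; return 1; fi
    echo "ok"
}

# Constructed sample invocations (192.0.2.1 is a documentation address).
sdig_dot_audit 192.0.2.1 853 example.com A dot insecure || true
sdig_dot_audit 192.0.2.1 853 example.com A dot subjectName dns.example.net
```

       A verdict of no-subject-name covers both providers: with openssl
       any certificate from a trusted CA is accepted, and with gnutls no
       validation is done.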

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2022, PowerDNS.COM BV

Apr 12, 2022                                                        SDIG(1)