.. highlight:: console

kdig – Advanced DNS lookup utility
==================================

Synopsis
--------

:program:`kdig` [*common-settings*] [*query* [*settings*]]...

:program:`kdig` **-h**

Description
-----------

This utility sends one or more DNS queries to a nameserver. Each query can have
individual *settings*, or it can be specified globally via *common-settings*,
which must precede *query* specification.

Parameters
..........

*query*
  *name* | **-q** *name* | **-x** *address* | **-G** *tapfile*

*common-settings*, *settings*
  [*query_class*] [*query_type*] [**@**\ *server*]... [*options*]

*name*
  Is a domain name that is to be looked up.

*server*
  Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
  to. An additional port can be specified using address:port ([address]:port
  for IPv6 address), address@port, or address#port notation. If no server is
  specified, the servers from :file:`/etc/resolv.conf` are used.

If no arguments are provided, :program:`kdig` sends an NS query for the root
zone.

Query classes
.............

A *query_class* can be either a DNS class name (IN, CH) or generic class
specification **CLASS**\ *XXXXX* where *XXXXX* is a corresponding decimal
class number. The default query class is IN.

Query types
...........

A *query_type* can be either a DNS resource record type
(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following:

**TYPE**\ *XXXXX*
  Generic query type specification where *XXXXX* is a corresponding decimal
  type number.

**AXFR**
  Full zone transfer request.

**IXFR=**\ *serial*
  Incremental zone transfer request for specified SOA serial number
  (i.e. all zone updates since the specified zone version are to be returned).

**NOTIFY=**\ *serial*
  Notify message with a SOA serial hint specified.

**NOTIFY**
  Notify message with a SOA serial hint unspecified.

The default query type is A.

Options
.......

**-4**
  Use the IPv4 protocol only.

**-6**
  Use the IPv6 protocol only.

**-b** *address*
  Set the source IP address of the query to *address*. The address must be a
  valid address for a local interface or :: or 0.0.0.0. An optional port
  can be specified in the same format as the *server* value.

**-c** *class*
  An explicit *query_class* specification. See possible values above.

**-d**
  Enable debug messages.

**-h**, **--help**
  Print the program help.

**-k** *keyfile*
  Use the TSIG key stored in a file *keyfile* to authenticate the request. The
  file must contain the key in the same format as accepted by the
  **-y** option.

**-p** *port*
  Set the nameserver port number or service name to send a query to. The default
  port is 53.

**-q** *name*
  Set the query name. An explicit variant of *name* specification. If no *name*
  is provided, an empty question section is set.

**-t** *type*
  An explicit *query_type* specification. See possible values above.

**-V**, **--version**
  Print the program version.

**-x** *address*
  Send a reverse (PTR) query for IPv4 or IPv6 *address*. The correct name, class
  and type are set automatically.

**-y** [*alg*:]\ *name*:*key*
  Use the TSIG key named *name* to authenticate the request. The *alg*
  part specifies the algorithm (the default is hmac-sha256) and *key* specifies
  the shared secret encoded in Base64.

**-E** *tapfile*
  Export a dnstap trace of the query and response messages received to the
  file *tapfile*.

**-G** *tapfile*
  Generate message output from a previously saved dnstap file *tapfile*.

**+**\ [\ **no**\ ]\ **multiline**
  Wrap long records to more lines and improve human readability.

**+**\ [\ **no**\ ]\ **short**
  Show record data only.

**+**\ [\ **no**\ ]\ **generic**
  Use the generic representation format when printing resource record types
  and data.

**+**\ [\ **no**\ ]\ **crypto**
  Display the DNSSEC keys and signatures values in base64, instead of omitting them.

**+**\ [\ **no**\ ]\ **aaflag**
  Set the AA flag.

**+**\ [\ **no**\ ]\ **tcflag**
  Set the TC flag.

**+**\ [\ **no**\ ]\ **rdflag**
  Set the RD flag.

**+**\ [\ **no**\ ]\ **recurse**
  Same as **+**\ [\ **no**\ ]\ **rdflag**

**+**\ [\ **no**\ ]\ **raflag**
  Set the RA flag.

**+**\ [\ **no**\ ]\ **zflag**
  Set the zero flag bit.

**+**\ [\ **no**\ ]\ **adflag**
  Set the AD flag.

**+**\ [\ **no**\ ]\ **cdflag**
  Set the CD flag.

**+**\ [\ **no**\ ]\ **dnssec**
  Set the DO flag.

**+**\ [\ **no**\ ]\ **all**
  Show all packet sections.

**+**\ [\ **no**\ ]\ **qr**
  Show the query packet.

**+**\ [\ **no**\ ]\ **header**
  Show the packet header.

**+**\ [\ **no**\ ]\ **comments**
  Show commented section names.

**+**\ [\ **no**\ ]\ **opt**
  Show the EDNS pseudosection.

**+**\ [\ **no**\ ]\ **opttext**
  Try to show unknown EDNS options as text.

**+**\ [\ **no**\ ]\ **question**
  Show the question section.

**+**\ [\ **no**\ ]\ **answer**
  Show the answer section.

**+**\ [\ **no**\ ]\ **authority**
  Show the authority section.

**+**\ [\ **no**\ ]\ **additional**
  Show the additional section.

**+**\ [\ **no**\ ]\ **tsig**
  Show the TSIG pseudosection.

**+**\ [\ **no**\ ]\ **stats**
  Show trailing packet statistics.

**+**\ [\ **no**\ ]\ **class**
  Show the DNS class.

**+**\ [\ **no**\ ]\ **ttl**
  Show the TTL value.

**+**\ [\ **no**\ ]\ **tcp**
  Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).

**+**\ [\ **no**\ ]\ **fastopen**
  Use TCP Fast Open.

**+**\ [\ **no**\ ]\ **ignore**
  Don't use TCP automatically if a truncated reply is received.

**+**\ [\ **no**\ ]\ **keepopen**
  Keep TCP connection open for the following query if it has the same connection
  configuration. This applies to +tcp, +tls, and +https operations. The connection
  is considered in the context of a single kdig call only.

**+**\ [\ **no**\ ]\ **tls**
  Use TLS with the Opportunistic privacy profile (:rfc:`7858#section-4.1`).

**+**\ [\ **no**\ ]\ **tls-ca**\[\ =\ *FILE*\]
  Use TLS with certificate validation. Certification authority certificates
  are loaded from the specified PEM file (default is system certificate storage
  if no argument is provided).
  Can be specified multiple times. If the +tls-hostname option is not provided,
  the name of the target server (if specified) is used for strict authentication.

**+**\ [\ **no**\ ]\ **tls-pin**\ =\ *BASE64*
  Use TLS with the Out-of-Band key-pinned privacy profile (:rfc:`7858#section-4.2`).
  The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo.
  Can be specified multiple times.

**+**\ [\ **no**\ ]\ **tls-hostname**\ =\ *STR*
  Use TLS with a remote server hostname check.

**+**\ [\ **no**\ ]\ **tls-sni**\ =\ *STR*
  Use TLS with a Server Name Indication.

**+**\ [\ **no**\ ]\ **tls-keyfile**\ =\ *FILE*
  Use TLS with a client keyfile.

**+**\ [\ **no**\ ]\ **tls-certfile**\ =\ *FILE*
  Use TLS with a client certfile.

**+**\ [\ **no**\ ]\ **tls-ocsp-stapling**\[\ =\ *H*\]
  Use TLS with a valid stapled OCSP response for the server certificate
  (%u or specify hours). OCSP responses older than the specified period are
  considered invalid.

**+**\ [\ **no**\ ]\ **https**\[\ =\ *URL*\]
  Use HTTPS (DNS-over-HTTPS) in wire format (:rfc:`1035#section-4.2.1`).
  It is also possible to specify URL=\[authority\]\[/path\] where the request
  will be sent. Any leading scheme and authority indicator (i.e. //) are ignored.
  Authority might also be specified as the *server* (using the parameter `@`).
  If *path* is specified and *authority* is missing, then the *server*
  is used as authority together with the specified *path*.
  Library *libnghttp2* is required.

**+**\ [\ **no**\ ]\ **https-get**
  Use HTTPS with HTTP/GET method instead of the default HTTP/POST method.
  Library *libnghttp2* is required.

**+**\ [\ **no**\ ]\ **nsid**
  Request the nameserver identifier (NSID).

**+**\ [\ **no**\ ]\ **bufsize**\ =\ *B*
  Set EDNS buffer size in bytes (default is 4096 bytes).

**+**\ [\ **no**\ ]\ **padding**\[\ =\ *B*\]
  Use EDNS(0) padding option to pad queries, optionally to a specific
  size. The default is to pad queries with a sensible amount when using
  +tls, and not to pad at all when queries are sent without TLS. With
  no argument (i.e., just +padding) pad every query with a sensible
  amount regardless of the use of TLS. With +nopadding, never pad.

**+**\ [\ **no**\ ]\ **alignment**\[\ =\ *B*\]
  Align the query to B\-byte-block message using the EDNS(0) padding option
  (default is no or 128 if no argument is specified).

**+**\ [\ **no**\ ]\ **subnet**\ =\ *SUBN*
  Set EDNS(0) client subnet SUBN=addr/prefix.

**+**\ [\ **no**\ ]\ **edns**\[\ =\ *N*\]
  Use EDNS version (default is 0).

**+**\ [\ **no**\ ]\ **timeout**\ =\ *T*
  Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout
  applies to each query attempt. Zero value or *notimeout* is interpreted as
  infinity.

**+**\ [\ **no**\ ]\ **retry**\ =\ *N*
  Set the number (>=0) of UDP retries (default is 2). This doesn't apply to
  AXFR/IXFR.

**+**\ [\ **no**\ ]\ **cookie**\ =\ *HEX*
  Attach EDNS(0) cookie to the query.

**+**\ [\ **no**\ ]\ **badcookie**
  Repeat a query with the correct cookie.

**+**\ [\ **no**\ ]\ **ednsopt**\[\ =\ *CODE*\[:*HEX*\]\]
  Send custom EDNS option. The *CODE* is EDNS option code in decimal, *HEX*
  is an optional hex encoded string to use as EDNS option value. This argument
  can be used multiple times. +noednsopt clears all EDNS options specified by
  +ednsopt.

**+noidn**
  Disable the IDN transformation to ASCII and vice versa. IDN support depends
  on libidn availability during project building! If used in *common-settings*,
  all IDN transformations are disabled. If used in the individual query *settings*,
  transformation from ASCII is disabled on output for the particular query. Note
  that IDN transformation does not preserve domain name letter case.

Notes
-----

Options **-k** and **-y** cannot be used simultaneously.

Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.

Exit values
-----------

Exit status of 0 means successful operation. Any other exit status indicates
an error.

Examples
--------

1. Get A records for example.com::

     $ kdig example.com A

2. Perform AXFR for zone example.com from the server 192.0.2.1::

     $ kdig example.com -t AXFR @192.0.2.1

3. Get A records for example.com from 192.0.2.1 and reverse lookup for address
   2001:DB8::1 from 192.0.2.2. Both using the TCP protocol::

     $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

4. Get SOA record for example.com, use TLS, use system certificates, check
   for specified hostname, check for certificate pin, and print additional
   debug info::

     $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
       +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

5. DNS over HTTPS examples (various DoH implementations)::

     $ kdig @1.1.1.1 +https example.com.
     $ kdig @193.17.47.1 +https=/doh example.com.
     $ kdig @8.8.4.4 +https +https-get example.com.
     $ kdig @8.8.8.8 +https +tls-hostname=dns.google +fastopen example.com.

6. Multiple queries sharing one DoT connection::

     $ kdig @1.1.1.1 +tls +keepopen abc.example.com A mail.example.com AAAA

Files
-----

:file:`/etc/resolv.conf`

See Also
--------

:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`keymgr(8)`.