FreeBSD Manual Pages

KDIG(1)				   Knot	DNS			       KDIG(1)

NAME
       kdig - Advanced DNS lookup utility

SYNOPSIS
       kdig [common-settings] [query [settings]]...

       kdig -h

DESCRIPTION
       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or they can be specified globally via
       common-settings, which must precede the query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using
              address:port ([address]:port for an IPv6 address), address@port,
              or address#port notation. If no server is specified, the servers
              from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.

   Query classes
       A query_class can be either a DNS class name (IN, CH) or the generic
       class specification CLASSXXXXX, where XXXXX is the corresponding decimal
       class number. The default query class is IN.

   Query types
       A query_type can be either a DNS resource record type (A, AAAA, NS,
       SOA, DNSKEY, ANY, etc.) or one of the following:

       TYPEXXXXX
              Generic query type specification where XXXXX is the corresponding
              decimal type number.

       AXFR   Full zone transfer request.

       IXFR=serial
              Incremental zone transfer request for the specified SOA serial
              number (i.e. all zone updates since the specified zone version
              are to be returned).

       NOTIFY=serial
              Notify message with a SOA serial hint specified.

       NOTIFY Notify message with a SOA serial hint unspecified.

       The default query type is A.

   Options
       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The address
              must be a valid address for a local interface, or :: or 0.0.0.0.
              An optional port can be specified in the same format as the
              server value.

       -c class
              An explicit query_class specification. See possible values
              above.

       -d     Enable debug messages.

       -h, --help
	      Print the	program	help.

       -k keyfile
              Use the TSIG key stored in the file keyfile to authenticate the
              request. The file must contain the key in the same format as
              accepted by the -y option.

       -p port
	      Set  the	nameserver port	number or service name to send a query
	      to. The default port is 53.

       -q name
              Set the query name. An explicit variant of the name specification.
              If no name is provided, an empty question section is set.

       -t type
	      An explicit query_type specification. See	possible values	above.

       -V, --version
	      Print the	program	version.

       -x address
	      Send a reverse (PTR) query for IPv4 or IPv6 address. The correct
	      name, class and type is set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg
              part specifies the algorithm (the default is hmac-sha256) and
              key specifies the shared secret encoded in Base64.

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.
	      Wrap long	records	to more	lines and improve human	readability.

	      Show record data only.

	      Use the generic representation  format  when  printing  resource
	      record types and data.

	      Display the DNSSEC keys and signatures values in base64, instead
	      of omitting them.

	      Set the AA flag.

	      Set the TC flag.

       +[no]rdflag
              Set the RD flag.

              Same as +[no]rdflag

	      Set the RA flag.

	      Set the zero flag	bit.

	      Set the AD flag.

	      Set the CD flag.

	      Set the DO flag.

	      Show all packet sections.

	      Show the query packet.

	      Show the packet header.

	      Show commented section names.

	      Show the EDNS pseudosection.

	      Try to show unknown EDNS options as text.

	      Show the question	section.

	      Show the answer section.

	      Show the authority section.

	      Show the additional section.

	      Show the TSIG pseudosection.

	      Show trailing packet statistics.

	      Show the DNS class.

	      Show the TTL value.

       +[no]tcp
              Use the TCP protocol (default is UDP for a standard query and TCP
              for AXFR/IXFR).

	      Use TCP Fast Open	(default with TCP).

	      Don't use	TCP automatically if a truncated reply is received.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1).

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (default is
              the system certificate store if no argument is provided). Can be
              specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858#section-4.2). The PIN must be a Base64 encoded SHA-256
              hash of the X.509 SubjectPublicKeyInfo. Can be specified
              multiple times.
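              To obtain the value +tls-pin expects, hash the DER-encoded
              SubjectPublicKeyInfo of the server certificate with SHA-256 and
              Base64-encode the digest. The following is an added, self-contained
              example (not kdig's or Knot DNS's own code): a minimal DER walker
              that locates the SPKI in a DER certificate and computes the pin. The
              sample certificate is constructed inline and is not a real one; the
              function names are this example's own.

```python
import base64
import hashlib

SEQ, INT, BITS, CTX0 = 0x30, 0x02, 0x03, 0xA0   # ASN.1 tags used below

def der_read(buf: bytes):
    """Decode the first DER TLV in buf: returns (tag, value, remaining bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]

def der_children(seq_value: bytes):
    """Split a SEQUENCE body into its raw, still-encoded child TLVs."""
    out = []
    while seq_value:
        _, _, rest = der_read(seq_value)
        out.append(seq_value[:len(seq_value) - len(rest)])
        seq_value = rest
    return out

def pin_of_spki(spki_tlv: bytes) -> str:
    """Base64(SHA-256(DER SubjectPublicKeyInfo)): the value kdig +tls-pin takes."""
    return base64.b64encode(hashlib.sha256(spki_tlv).digest()).decode()

def spki_pin(cert_der: bytes) -> str:
    """Extract the SPKI TLV from a DER certificate and return its pin."""
    _, cert_body, _ = der_read(cert_der)                    # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(der_children(cert_body)[0])   # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == CTX0:                                # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return pin_of_spki(fields[5])

def der(tag: int, content: bytes) -> bytes:
    """Short-form DER encoder, enough to build the constructed sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content
# Constructed sample, not a real certificate: only the field layout matters.
SAMPLE_SPKI = der(SEQ, der(SEQ, b"") + der(BITS, b"\x00" + b"\xab" * 16))

def make_sample_cert(spki_tlv: bytes, with_version: bool = True) -> bytes:
    version = der(CTX0, der(INT, b"\x02")) if with_version else b""
    stub = der(SEQ, b"")                                     # stands in for alg/name/validity
    tbs = der(SEQ, version + der(INT, b"\x01") + stub + stub + stub + stub + spki_tlv)
    return der(SEQ, tbs + stub + der(BITS, b"\x00" * 4))
```

              Against a real server, run spki_pin() on the DER bytes of the
              certificate obtained out of band and compare the result with the
              pin you configure; a pin derived from the live connection itself
              proves nothing.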

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

	      Use TLS with a Server Name Indication.

	      Use TLS with a client keyfile.

	      Use TLS with a client certfile.

              Use TLS with a valid stapled OCSP response for the server
              certificate (%u or specify hours). OCSP responses older than the
              specified period are considered invalid.

       +[no]https[=URL]
              Use HTTPS (DNS-over-HTTPS) in wire format (RFC
              1035#section-4.2.1). It is also possible to specify
              URL=[authority][/path] where the request will be sent. The
              authority might also be specified as the server name (parameter
              @). Library libnghttp2 is required.

       +[no]https-get
              Use HTTPS with the HTTP/GET method instead of the default
              HTTP/POST method. Library libnghttp2 is required.

	      Request the nameserver identifier	(NSID).

	      Set EDNS buffer size in bytes (default is	512 bytes).

       +[no]padding[=B]
              Use the EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e., just +padding) pad
              every query with a sensible amount regardless of the use of TLS.
              With +nopadding, never pad.

              Align the query to a B-byte-block message using the EDNS(0)
              padding option (default is no or 128 if no argument is specified).
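              The padding and alignment entries above describe the query side
              of RFC 7830/8467 padding. The following is an added example (not
              kdig's own code) that builds a DNS query with an OPT RR and sizes
              the padding option so the whole message is a multiple of the
              chosen block, including the case where the option header alone
              already completes the block; all names and defaults are this
              example's own.

```python
import struct

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR
EDNS_PADDING = 12    # Padding option code (RFC 7830)

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: int = 1, block: int = 0,
                udp_size: int = 4096, msg_id: int = 0x1234) -> bytes:
    """Build a DNS query carrying an OPT RR. With block > 0, append an EDNS(0)
    Padding option sized so the whole message is a multiple of block bytes
    (the behaviour kdig describes for +alignment=B)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR without options: root name(1) + type(2) + class(2) + ttl(4) + rdlen(2)
    base_len = len(header) + len(question) + 11
    options = b""
    if block > 0:
        # The option itself costs 4 bytes (code + length) before any padding.
        pad = (block - (base_len + 4) % block) % block
        options = struct.pack("!HH", EDNS_PADDING, pad) + b"\x00" * pad
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(options)) + options
    return header + question + opt_rr

def padding_length(msg: bytes):
    """Return the Padding option's payload length found in a query, or None."""
    pos = 12
    while msg[pos] != 0:           # walk the question name (no compression in a query)
        pos += 1 + msg[pos]
    pos += 1 + 4                   # root label, qtype, qclass
    pos += 1                       # OPT owner name (root)
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    if rtype != OPT_TYPE:
        return None
    pos += 10
    end = pos + rdlen
    while pos + 4 <= end:
        code, length = struct.unpack("!HH", msg[pos:pos + 4])
        if code == EDNS_PADDING:
            return length
        pos += 4 + length
    return None
```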

	      Set EDNS(0) client subnet	SUBN=addr/prefix.

	      Use EDNS version (default	is 0).

              Set the wait-for-reply interval in seconds (default is 5
              seconds). This timeout applies to each query attempt. An attempt
              to set T to less than 1 will result in a query timeout of 1
              second being applied.

              Set the number (>=0) of UDP retries (default is 2). This doesn't
              apply to AXFR/IXFR.

	      Attach EDNS(0) cookie to the query.

	      Repeat a query with the correct cookie.

       +[no]ednsopt=CODE[:HEX]
              Send a custom EDNS option. CODE is the EDNS option code in
              decimal, HEX is an optional hex encoded string to use as the
              EDNS option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDN
              support depends on libidn availability during project building!
              If used in common-settings, all IDN transformations are disabled.
              If used in the individual query settings, transformation from
              ASCII is disabled on output for the particular query. Note that
              IDN transformation does not preserve domain name letter case.

NOTES
       Options -k and -y cannot be used simultaneously.

       Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.

EXIT STATUS
       Exit status of 0 means successful operation. Any other exit status
       indicates an error.

EXAMPLES
       1. Get A records for

	     $ kdig	A

       2. Perform AXFR for zone from the server

	     $ kdig	-t AXFR	@

       3. Get A records for from and reverse lookup for
          address 2001:DB8::1 from Both using the TCP protocol:

	     $ kdig +tcp -t	A @ -x	2001:DB8::1 @

       4. Get SOA record for, use TLS, use system certificates,
          check for specified hostname, check for certificate pin, and print
          additional debug info:

	     $ kdig -d @ +tls-ca \
	       +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa

       5. DNS over HTTPS examples (various DoH implementations):

	     $ kdig @ +https
	     $ kdig @ +https=/doh
	     $ kdig @ +https +https-get


SEE ALSO
       khost(1), knsupdate(1), keymgr(8).

AUTHOR
       CZ.NIC Labs <>

COPYRIGHT
       Copyright 2010-2020, CZ.NIC, z.s.p.o.

3.0.3				  2020-12-15			       KDIG(1)