.. highlight:: console

kdig – Advanced DNS lookup utility
==================================

Synopsis
--------

:program:`kdig` [*common-settings*] [*query* [*settings*]]...

:program:`kdig` **-h**

Description
-----------

This utility sends one or more DNS queries to a nameserver. Each query can have
its own *settings*, or settings can be given globally via *common-settings*,
which must precede the *query* specification.

Parameters
..........

*query*
  *name* | **-q** *name* | **-x** *address* | **-G** *tapfile*

*common-settings*, *settings*
  [*query_class*] [*query_type*] [**@**\ *server*]... [*options*]

*name*
  Is a domain name that is to be looked up.

*server*
  Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query
  to. An additional port can be specified using address:port ([address]:port
  for IPv6 address), address@port, or address#port notation. If no server is
  specified, the servers from :file:`/etc/resolv.conf` are used.

If no arguments are provided, :program:`kdig` sends an NS query for the root
zone.
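
As an added illustration (not code from the kdig man page or from Knot DNS), the following Python splits the *server* notations listed above into a host and an optional port; the function name ``parse_server`` and the port-range check are this example's own choices. A bare IPv6 address without brackets is returned without a port, because its colons cannot be distinguished from a port separator.

```python
import re

# Bracketed IPv6 form: [addr] optionally followed by :port, @port or #port.
_BRACKETED = re.compile(r"^\[([^\]]+)\](?:[:@#](.*))?$")


def parse_server(spec):
    """Split a kdig server argument into (host, port).

    Handles the notations the man page lists: address:port, [address]:port
    for IPv6, address@port and address#port. A bare IPv6 address (two or
    more colons, no brackets) is returned without a port. Numeric ports are
    returned as int and checked against 1..65535; a service name is returned
    unchanged. Raises ValueError on malformed input.
    """
    if spec.startswith("@"):          # kdig prefixes the server with '@'
        spec = spec[1:]
    if not spec:
        raise ValueError("empty server specification")
    m = _BRACKETED.match(spec)
    if m:
        host, port = m.group(1), m.group(2)
    else:
        host, port = spec, None
        for sep in "@#":
            if sep in spec:
                host, port = spec.split(sep, 1)
                break
        else:
            # Exactly one colon: host:port. Zero or 2+ colons: no port.
            if spec.count(":") == 1:
                host, port = spec.split(":", 1)
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    if port is not None:
        if port == "":
            raise ValueError(f"missing port after separator in {spec!r}")
        if port.isdigit():
            port = int(port)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in {spec!r}")
    return host, port
```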

Query classes
.............

A *query_class* can be either a DNS class name (IN, CH) or generic class
specification **CLASS**\ *XXXXX* where *XXXXX* is a corresponding decimal
class number. The default query class is IN.

Query types
...........

A *query_type* can be either a DNS resource record type
(A, AAAA, NS, SOA, DNSKEY, ANY, etc.) or one of the following:

**TYPE**\ *XXXXX*
  Generic query type specification where *XXXXX* is a corresponding decimal
  type number.

**AXFR**
  Full zone transfer request.

**IXFR=**\ *serial*
  Incremental zone transfer request for specified starting SOA serial number.

**NOTIFY=**\ *serial*
  Notify message with a SOA serial hint specified.

**NOTIFY**
  Notify message with a SOA serial hint unspecified.

The default query type is A.

Options
.......

**-4**
  Use the IPv4 protocol only.

**-6**
  Use the IPv6 protocol only.

**-b** *address*
  Set the source IP address of the query to *address*. The address must be a
  valid address for local interface or :: or 0.0.0.0. An optional port
  can be specified in the same format as the *server* value.

**-c** *class*
  An explicit *query_class* specification. See possible values above.

**-d**
  Enable debug messages.

**-h**, **--help**
  Print the program help.

**-k** *keyfile*
  Use the TSIG key stored in a file *keyfile* to authenticate the request. The
  file must contain the key in the same format as accepted by the
  **-y** option.

**-p** *port*
  Set the nameserver port number or service name to send a query to. The default
  port is 53.

**-q** *name*
  Set the query name. An explicit variant of *name* specification.

**-t** *type*
  An explicit *query_type* specification. See possible values above.

**-V**, **--version**
  Print the program version.

**-x** *address*
  Send a reverse (PTR) query for IPv4 or IPv6 *address*. The correct name, class
  and type are set automatically.

**-y** [*alg*:]\ *name*:*key*
  Use the TSIG key named *name* to authenticate the request. The *alg*
  part specifies the algorithm (the default is hmac-sha256) and *key* specifies
  the shared secret encoded in Base64.

**-E** *tapfile*
  Export a dnstap trace of the query and response messages received to the
  file *tapfile*.

**-G** *tapfile*
  Generate message output from a previously saved dnstap file *tapfile*.

**+**\ [\ **no**\ ]\ **multiline**
  Wrap long records over multiple lines to improve human readability.

**+**\ [\ **no**\ ]\ **short**
  Show record data only.

**+**\ [\ **no**\ ]\ **generic**
  Use the generic representation format when printing resource record types
  and data.

**+**\ [\ **no**\ ]\ **crypto**
  Display the DNSSEC key and signature values in hexdump, instead of omitting them.

**+**\ [\ **no**\ ]\ **aaflag**
  Set the AA flag.

**+**\ [\ **no**\ ]\ **tcflag**
  Set the TC flag.

**+**\ [\ **no**\ ]\ **rdflag**
  Set the RD flag.

**+**\ [\ **no**\ ]\ **recurse**
  Same as **+**\ [\ **no**\ ]\ **rdflag**.

**+**\ [\ **no**\ ]\ **raflag**
  Set the RA flag.

**+**\ [\ **no**\ ]\ **zflag**
  Set the zero flag bit.

**+**\ [\ **no**\ ]\ **adflag**
  Set the AD flag.

**+**\ [\ **no**\ ]\ **cdflag**
  Set the CD flag.

**+**\ [\ **no**\ ]\ **dnssec**
  Set the DO flag.

**+**\ [\ **no**\ ]\ **all**
  Show all packet sections.

**+**\ [\ **no**\ ]\ **qr**
  Show the query packet.

**+**\ [\ **no**\ ]\ **header**
  Show the packet header.

**+**\ [\ **no**\ ]\ **opt**
  Show the EDNS pseudosection.

**+**\ [\ **no**\ ]\ **question**
  Show the question section.

**+**\ [\ **no**\ ]\ **answer**
  Show the answer section.

**+**\ [\ **no**\ ]\ **authority**
  Show the authority section.

**+**\ [\ **no**\ ]\ **additional**
  Show the additional section.

**+**\ [\ **no**\ ]\ **tsig**
  Show the TSIG pseudosection.

**+**\ [\ **no**\ ]\ **stats**
  Show trailing packet statistics.

**+**\ [\ **no**\ ]\ **class**
  Show the DNS class.

**+**\ [\ **no**\ ]\ **ttl**
  Show the TTL value.

**+**\ [\ **no**\ ]\ **tcp**
  Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).

**+**\ [\ **no**\ ]\ **fastopen**
  Use TCP Fast Open (default with TCP).

**+**\ [\ **no**\ ]\ **ignore**
  Don't use TCP automatically if a truncated reply is received.

**+**\ [\ **no**\ ]\ **tls**
  Use TLS with the Opportunistic privacy profile (:rfc:`7858#section-4.1`).

**+**\ [\ **no**\ ]\ **tls-ca**\[\ =\ *FILE*\]
  Use TLS with certificate validation. Certificate authority (CA) certificates
  are loaded from the specified PEM file (default is the system certificate
  store if no argument is provided). Can be specified multiple times. If the
  +tls-hostname option is not provided, the name of the target server (if
  specified) is used for strict authentication.

**+**\ [\ **no**\ ]\ **tls-pin**\ =\ *BASE64*
  Use TLS with the Out-of-Band key-pinned privacy profile (:rfc:`7858#section-4.2`).
  The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo.
  Can be specified multiple times.

**+**\ [\ **no**\ ]\ **tls-hostname**\ =\ *STR*
  Use TLS with a remote server hostname check.

**+**\ [\ **no**\ ]\ **nsid**
  Request the nameserver identifier (NSID).

**+**\ [\ **no**\ ]\ **bufsize**\ =\ *B*
  Set EDNS buffer size in bytes (default is 512 bytes).

**+**\ [\ **no**\ ]\ **padding**\[\ =\ *B*\]
  Use EDNS(0) padding option to pad queries, optionally to a specific
  size. The default is to pad queries with a sensible amount when using
  +tls, and not to pad at all when queries are sent without TLS. With
  no argument (i.e., just +padding) pad every query with a sensible
  amount regardless of the use of TLS. With +nopadding, never pad.

**+**\ [\ **no**\ ]\ **alignment**\[\ =\ *B*\]
  Pad the query message to a multiple of *B* bytes using the EDNS(0) padding
  option (default is no alignment, or 128 if the option is given without an
  argument).

**+**\ [\ **no**\ ]\ **subnet**\ =\ *SUBN*
  Set EDNS(0) client subnet SUBN=addr/prefix.

**+**\ [\ **no**\ ]\ **edns**\[\ =\ *N*\]
  Use EDNS version *N* (default is 0).

**+**\ [\ **no**\ ]\ **time**\ =\ *T*
  Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout
  applies to each query attempt.

**+**\ [\ **no**\ ]\ **retry**\ =\ *N*
  Set the number (>=0) of UDP retries (default is 2). This doesn't apply to
  AXFR/IXFR.

**+noidn**
  Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends
  on libidn being available when the project is built.

Notes
-----

Options **-k** and **-y** cannot be used simultaneously.

Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.

Examples
--------

1. Get A records for example.com::

     $ kdig example.com A

2. Perform AXFR for zone example.com from the server 192.0.2.1::

     $ kdig example.com -t AXFR @192.0.2.1

3. Get A records for example.com from 192.0.2.1 and reverse lookup for address
   2001:DB8::1 from 192.0.2.2, both using the TCP protocol::

     $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

4. Get SOA record for example.com, use TLS, use system certificates, check
   for specified hostname, check for certificate pin, and print additional
   debug info::

     $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
       +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

Files
-----

:file:`/etc/resolv.conf`

See Also
--------

:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`keymgr(8)`.