Provided by: knot-dnsutils_2.7.6-2_amd64 bug


       kdig - Advanced DNS lookup utility


       kdig [common-settings] [query [settings]]...

       kdig -h


       This utility sends one or more DNS queries to a nameserver. Each query can have individual
       settings, or it can be specified globally via common-settings, which  must  precede  query

       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is  a  domain name or an IPv4 or IPv6 address of the nameserver to send a query to.
              An additional port can be specified using  address:port  ([address]:port  for  IPv6
              address),  address@port,  or  address#port notation. If no server is specified, the
              servers from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends NS query for the root zone.

   Query classes
       A query_class can be either a DNS class name  (IN,  CH)  or  generic  class  specification
       CLASSXXXXX where XXXXX is a corresponding decimal class number. The default query class is

   Query types
       A query_type can be either a DNS resource record type (A,  AAAA,  NS,  SOA,  DNSKEY,  ANY,
       etc.) or one of the following:

              Generic  query  type  specification  where  XXXXX  is  a corresponding decimal type

       AXFR   Full zone transfer request.

              Incremental zone transfer request for specified starting SOA serial number.

              Notify message with a SOA serial hint specified.

       NOTIFY Notify message with a SOA serial hint unspecified.

       The default query type is A.

       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The  address  must  be  a  valid
              address  for local interface or :: or An optional port can be specified in
              the same format as the server value.

       -c class
              An explicit query_class specification. See possible values above.

       -d     Enable debug messages.

       -h, --help
              Print the program help.

       -k keyfile
              Use the TSIG key stored in a file keyfile to authenticate  the  request.  The  file
              must contain the key in the same format as accepted by the -y option.

       -p port
              Set the nameserver port number or service name to send a query to. The default port
              is 53.

       -q name
              Set the query name. An explicit variant  of  name  specification.  If  no  name  is
              provided, empty question section is set.

       -t type
              An explicit query_type specification. See possible values above.

       -V, --version
              Print the program version.

       -x address
              Send  a  reverse  (PTR) query for IPv4 or IPv6 address. The correct name, class and
              type is set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg part specifies the
              algorithm  (the default is hmac-sha256) and key specifies the shared secret encoded
              in Base64.

       -E tapfile
              Export a dnstap trace of the query and  response  messages  received  to  the  file

       -G tapfile
              Generate message output from a previously saved dnstap file tapfile.

              Wrap long records to more lines and improve human readability.

              Show record data only.

              Use the generic representation format when printing resource record types and data.

              Display the DNSSEC keys and signatures values in base64, instead of omitting them.

              Set the AA flag.

              Set the TC flag.

              Set the RD flag.

              Same as +[no]rdflag

              Set the RA flag.

              Set the zero flag bit.

              Set the AD flag.

              Set the CD flag.

              Set the DO flag.

              Show all packet sections.

              Show the query packet.

              Show the packet header.

              Show commented section names.

              Show the EDNS pseudosection.

              Show the question section.

              Show the answer section.

              Show the authority section.

              Show the additional section.

              Show the TSIG pseudosection.

              Show trailing packet statistics.

              Show the DNS class.

              Show the TTL value.

              Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).

              Use TCP Fast Open (default with TCP).

              Don't use TCP automatically if a truncated reply is received.

              Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1).

              Use  TLS  with  a  certificate validation. Certification authority certificates are
              loaded from the specified PEM file (default is system  certificate  storage  if  no
              argument  is  provided).   Can  be  specified  multiple times. If the +tls-hostname
              option is not provided, the name of the target server (if specified)  is  used  for
              strict authentication.

              Use  TLS  with  the  Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2).
              The PIN must be a Base64 encoded SHA-256 hash of  the  X.509  SubjectPublicKeyInfo.
              Can be specified multiple times.

              Use TLS with a remote server hostname check.

              Use TLS with a Server Name Indication.

              Request the nameserver identifier (NSID).

              Set EDNS buffer size in bytes (default is 512 bytes).

              Use  EDNS(0)  padding  option  to  pad  queries, optionally to a specific size. The
              default is to pad queries with a sensible amount when using +tls, and not to pad at
              all  when queries are sent without TLS.  With no argument (i.e., just +padding) pad
              every query with a sensible amount regardless of the use of TLS.  With  +nopadding,
              never pad.

              Align  the  query to B-byte-block message using the EDNS(0) padding option (default
              is no or 128 if no argument is specified).

              Set EDNS(0) client subnet SUBN=addr/prefix.

              Use EDNS version (default is 0).

              Set the wait-for-reply interval in seconds (default is  5  seconds).  This  timeout
              applies to each query attempt.

              Set  the  number  (>=0)  of  UDP  retries  (default  is  2).  This doesn't apply to

              Attach EDNS(0) cookie to the query.

              Repeat a query with the correct cookie.

              Send custom EDNS option. The CODE is  EDNS  option  code  in  decimal,  HEX  is  an
              optional  hex encoded string to use as EDNS option value. This argument can be used
              multiple times. +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on
              libidn availability during project building!


       Options -k and -y can not be used simultaneously.

       Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.


       1. Get A records for

             $ kdig A

       2. Perform AXFR for zone from the server

             $ kdig -t AXFR @

       3. Get A records for from and reverse lookup for address 2001:DB8::1
          from Both using the TCP protocol:

             $ kdig +tcp -t A @ -x 2001:DB8::1 @

       4. Get SOA record for, use TLS, use system certificates, check  for  specified
          hostname, check for certificate pin, and print additional debug info:

             $ kdig -d @ +tls-ca \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa




       khost(1), knsupdate(1), keymgr(8).


       CZ.NIC Labs <>


       Copyright 2010–2019, CZ.NIC, z.s.p.o.