Provided by: knot-dnsutils_2.7.8-1_amd64 
NAME
kdig - Advanced DNS lookup utility
SYNOPSIS
kdig [common-settings] [query [settings]]...
kdig -h
DESCRIPTION
This utility sends one or more DNS queries to a nameserver. Each query can have individual
settings, or it can be specified globally via common-settings, which must precede query
specification.
Parameters
query name | -q name | -x address | -G tapfile
common-settings, settings
[query_class] [query_type] [@server]... [options]
name Is a domain name that is to be looked up.
server Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query to.
An additional port can be specified using address:port ([address]:port for IPv6
address), address@port, or address#port notation. If no server is specified, the
servers from /etc/resolv.conf are used.
If no arguments are provided, kdig sends NS query for the root zone.
Query classes
A query_class can be either a DNS class name (IN, CH) or generic class specification
CLASSXXXXX where XXXXX is a corresponding decimal class number. The default query class is
IN.
Query types
A query_type can be either a DNS resource record type (A, AAAA, NS, SOA, DNSKEY, ANY,
etc.) or one of the following:
TYPEXXXXX
Generic query type specification where XXXXX is a corresponding decimal type
number.
AXFR Full zone transfer request.
IXFR=serial
Incremental zone transfer request for specified starting SOA serial number.
NOTIFY=serial
Notify message with a SOA serial hint specified.
NOTIFY Notify message with a SOA serial hint unspecified.
The default query type is A.
Options
-4 Use the IPv4 protocol only.
-6 Use the IPv6 protocol only.
-b address
Set the source IP address of the query to address. The address must be a valid
address for local interface or :: or 0.0.0.0. An optional port can be specified in
the same format as the server value.
-c class
An explicit query_class specification. See possible values above.
-d Enable debug messages.
-h, --help
Print the program help.
-k keyfile
Use the TSIG key stored in a file keyfile to authenticate the request. The file
must contain the key in the same format as accepted by the -y option.
-p port
Set the nameserver port number or service name to send a query to. The default port
is 53.
-q name
Set the query name. An explicit variant of name specification. If no name is
provided, empty question section is set.
-t type
An explicit query_type specification. See possible values above.
-V, --version
Print the program version.
-x address
Send a reverse (PTR) query for IPv4 or IPv6 address. The correct name, class and
type is set automatically.
-y [alg:]name:key
Use the TSIG key named name to authenticate the request. The alg part specifies the
algorithm (the default is hmac-sha256) and key specifies the shared secret encoded
in Base64.
-E tapfile
Export a dnstap trace of the query and response messages received to the file
tapfile.
-G tapfile
Generate message output from a previously saved dnstap file tapfile.
+[no]multiline
Wrap long records to more lines and improve human readability.
+[no]short
Show record data only.
+[no]generic
Use the generic representation format when printing resource record types and data.
+[no]crypto
Display the DNSSEC keys and signatures values in base64, instead of omitting them.
+[no]aaflag
Set the AA flag.
+[no]tcflag
Set the TC flag.
+[no]rdflag
Set the RD flag.
+[no]recurse
Same as +[no]rdflag
+[no]raflag
Set the RA flag.
+[no]zflag
Set the zero flag bit.
+[no]adflag
Set the AD flag.
+[no]cdflag
Set the CD flag.
+[no]dnssec
Set the DO flag.
+[no]all
Show all packet sections.
+[no]qr
Show the query packet.
+[no]header
Show the packet header.
+[no]comments
Show commented section names.
+[no]opt
Show the EDNS pseudosection.
+[no]question
Show the question section.
+[no]answer
Show the answer section.
+[no]authority
Show the authority section.
+[no]additional
Show the additional section.
+[no]tsig
Show the TSIG pseudosection.
+[no]stats
Show trailing packet statistics.
+[no]class
Show the DNS class.
+[no]ttl
Show the TTL value.
+[no]tcp
Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
+[no]fastopen
Use TCP Fast Open (default with TCP).
+[no]ignore
Don't use TCP automatically if a truncated reply is received.
+[no]tls
Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1).
+[no]tls-ca[=FILE]
Use TLS with a certificate validation. Certification authority certificates are
loaded from the specified PEM file (default is system certificate storage if no
argument is provided). Can be specified multiple times. If the +tls-hostname
option is not provided, the name of the target server (if specified) is used for
strict authentication.
+[no]tls-pin=BASE64
Use TLS with the Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2).
The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo.
Can be specified multiple times.
+[no]tls-hostname=STR
Use TLS with a remote server hostname check.
+[no]tls-sni=STR
Use TLS with a Server Name Indication.
+[no]nsid
Request the nameserver identifier (NSID).
+[no]bufsize=B
Set EDNS buffer size in bytes (default is 512 bytes).
+[no]padding[=B]
Use EDNS(0) padding option to pad queries, optionally to a specific size. The
default is to pad queries with a sensible amount when using +tls, and not to pad at
all when queries are sent without TLS. With no argument (i.e., just +padding) pad
every query with a sensible amount regardless of the use of TLS. With +nopadding,
never pad.
+[no]alignment[=B]
Align the query to B-byte-block message using the EDNS(0) padding option (default
is no or 128 if no argument is specified).
+[no]subnet=SUBN
Set EDNS(0) client subnet SUBN=addr/prefix.
+[no]edns[=N]
Use EDNS version (default is 0).
+[no]timeout=T
Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout
applies to each query attempt.
+[no]retry=N
Set the number (>=0) of UDP retries (default is 2). This doesn't apply to
AXFR/IXFR.
+[no]cookie=HEX
Attach EDNS(0) cookie to the query.
+[no]badcookie
Repeat a query with the correct cookie.
+[no]ednsopt[=CODE[:HEX]]
Send custom EDNS option. The CODE is EDNS option code in decimal, HEX is an
optional hex encoded string to use as EDNS option value. This argument can be used
multiple times. +noednsopt clears all EDNS options specified by +ednsopt.
+noidn Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on
libidn availability during project building!
NOTES
Options -k and -y can not be used simultaneously.
Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.
EXAMPLES
1. Get A records for example.com:
$ kdig example.com A
2. Perform AXFR for zone example.com from the server 192.0.2.1:
$ kdig example.com -t AXFR @192.0.2.1
3. Get A records for example.com from 192.0.2.1 and reverse lookup for address 2001:DB8::1
from 192.0.2.2. Both using the TCP protocol:
$ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2
4. Get SOA record for example.com, use TLS, use system certificates, check for specified
hostname, check for certificate pin, and print additional debug info:
$ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
+tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
FILES
/etc/resolv.conf
SEE ALSO
khost(1), knsupdate(1), keymgr(8).
AUTHOR
CZ.NIC Labs <https://www.knot-dns.cz>
COPYRIGHT
Copyright 2010–2019, CZ.NIC, z.s.p.o.