kdig man page

kdig — Advanced DNS lookup utility


kdig [common-settings] [query [settings]]...

kdig -h


This utility sends one or more DNS queries to a nameserver. Each query can have individual settings, or it can be specified globally via common-settings, which must precede query specification.


name | -q name | -x address | -G tapfile
common-settings, settings
[class] [type] [@server]... [options]
Is a domain name that is to be looked up.
Is a domain name or an IPv4 or IPv6 address of the nameserver to send a query to. An additional port can be specified using address:port ([address]:port for IPv6 address), address@port, or address#port notation. If no server is specified, the servers from /etc/resolv.conf are used.

If no arguments are provided, kdig sends NS query for the root zone.


Use the IPv4 protocol only.
Use the IPv6 protocol only.
-b address
Set the source IP address of the query to address. The address must be a valid address for local interface or :: or An optional port can be specified in the same format as the server value.
-c class
Set the query class (e.g. CH, CLASS4). An explicit variant of class specification. The default class is IN.
Enable debug messages.
-h, --help
Print the program help.
-k keyfile
Use the TSIG key stored in a file keyfile to authenticate the request. The file must contain the key in the same format as accepted by the -y option.
-p port
Set the nameserver port number or service name to send a query to. The default port is 53.
-q name
Set the query name. An explicit variant of name specification.
-t type
Set the query type (e.g. NS, IXFR=12345, TYPE65535, NOTIFY). An explicit variant of type specification. The default type is A. IXFR type requires SOA serial parameter. NOTIFY type without SOA serial parameter causes pure NOTIFY message without any SOA hint.
-V, --version
Print the program version.
-x address
Send a reverse (PTR) query for IPv4 or IPv6 address. The correct name, class and type is set automatically.
-y [alg:]name:key
Use the TSIG key named name to authenticate the request. The alg part specifies the algorithm (the default is hmac-md5) and key specifies the shared secret encoded in Base64.
-E tapfile
Export a dnstap trace of the query and response messages received to the file tapfile.
-G tapfile
Generate message output from a previously saved dnstap file tapfile.
Wrap long records to more lines and improve human readability.
Show record data only.
Use the generic representation format when printing resource record types and data.
Set the AA flag.
Set the TC flag.
Set the RD flag.
Same as +[no]rdflag
Set the RA flag.
Set the zero flag bit.
Set the AD flag.
Set the CD flag.
Set the DO flag.
Show all packet sections.
Show the query packet.
Show the packet header.
Show the EDNS pseudosection.
Show the question section.
Show the answer section.
Show the authority section.
Show the additional section.
Show the TSIG pseudosection.
Show trailing packet statistics.
Show the DNS class.
Show the TTL value.
Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).
Don't use TCP automatically if a truncated reply is received.
Use TLS with the Opportunistic privacy profile.
Use TLS with the Out-Of-Band privacy profile, use a specified PEM file (default is system certificate storage if no argument is provided). Can be specified multiple times.
Use TLS with a pinned certificate check. The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.
Use TLS with a remote server hostname check.
Request the nameserver identifier (NSID).
Set the EDNS buffer size in bytes (default is 512 bytes).
Set EDNS(0) padding option data length (default is no).
Align the query to B-byte-block message using the EDNS(0) padding option (default is no or 128 if no argument is specified).
Set the EDNS client subnet SUBN=IP/prefix.
Use EDNS version (default is 0).
Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout applies to each query attempt.
Set the number (>=0) of UDP retries (default is 2). This doesn't apply to AXFR/IXFR.
Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on libidn availability during project building!


Options -k and -y can not be used simultaneously.

Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.



Get A records for example.com:

$ kdig example.com A

Perform AXFR for zone example.com from the server

$ kdig example.com -t AXFR @

Get A records for example.com from and reverse lookup for address 2001:DB8::1 from Both using the TCP protocol:

$ kdig +tcp example.com -t A @ -x 2001:DB8::1 @

Get SOA record for example.com, use TLS, use system certificates, check for specified hostname, check for certificate pin, and print additional debug info:

$ kdig -d @ +tls-ca +tls-host=getdnsapi.net \
  +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com



See Also

khost(1), knsupdate(1), keymgr(8).


CZ.NIC Labs <http://www.knot-dns.cz>

Referenced By

khost(1), knsupdate(1).

Explore man page connections for kdig(1).

Knot DNS 2.3.0 2016-08-09