kdig
Query DNS servers
TLDR
Lookup the IP(s) associated with a hostname (A records)
Specify the DNS server to query (e.g. Google DNS)
Query a specific DNS record type associated with a given domain name
Lookup the IP(s) associated with a hostname (A records) using DNS over TLS (DoT)
Lookup the IP(s) associated with a hostname (A records) using DNS over HTTPS (DoH)
SYNOPSIS
kdig [@server] [name] [type] [class] [+options]
PARAMETERS
@server
Specifies the IP address or hostname of the DNS server to query instead of the default configured server.
name
The domain name, hostname, or IP address for which to perform the DNS lookup (e.g., example.com, _kerberos._tcp.example.com).
type
The type of resource record to query (e.g., A for IPv4 address, AAAA for IPv6, MX for mail exchanger, SRV for service records, DNSKEY for DNSSEC keys, PTR for reverse lookups). Defaults to A if not specified.
class
The query class (e.g., IN for Internet, CH for Chaosnet, HS for Hesiod). Defaults to IN.
+dnssec
Enables DNSSEC processing, requesting DNSSEC records and validating responses if supported by the server. This is a key option for kdig's intended use in secure environments.
+trace
Traces the delegation path from the root servers for the query, showing the full chain of DNS servers involved.
+short
Provides a concise output, showing only the answer section. Useful for scripting or quick checks.
+tcp or +vc
Forces queries to use TCP instead of UDP. Essential for larger responses (like DNSSEC records) or zone transfers.
+multi
Allows multiple queries to be specified on the command line, processing each one sequentially.
-x
Performs a reverse DNS lookup (PTR query) for the specified IP address, resolving it to a hostname.
DESCRIPTION
kdig is not a standalone command in the same vein as dig or host. Instead, it is frequently provided as a symlink or wrapper script around the dig utility, specifically within environments heavily utilizing Kerberos authentication or DNSSEC. Its primary purpose is to simplify or pre-configure DNS lookups pertinent to Kerberos operations, such as resolving SRV records for KDCs (Key Distribution Centers) or validating DNSSEC records. While dig is a general-purpose DNS lookup utility, kdig often implies a context where DNS security (DNSSEC) and service discovery for Kerberos are critical. Users might find kdig bundled with MIT Kerberos packages or bind-utils, acting as a convenient alias for dig commands often invoked with specific options like +dnssec or when querying _kerberos._tcp SRV records. It leverages dig's powerful querying capabilities while subtly hinting at its intended use in secure, authenticated network environments.
CAVEATS
kdig is commonly a symbolic link or a shell script wrapper for the dig command. As such, it generally does not possess unique command-line options beyond what dig provides. Its specific behavior and availability are often tied to the installation of Kerberos clients or bind-utils packages, where it serves as a convenient alias for dig invocations relevant to Kerberos-related DNS lookups and DNSSEC validation. Users should consult the dig(1) man page for a comprehensive list of available options and functionalities.
COMMON USE CASES
kdig is frequently used for:
- DNSSEC Validation: Verifying the authenticity and integrity of DNS responses by requesting and checking DNSSEC records (e.g., kdig +dnssec example.com DNSKEY).
- Kerberos Service Discovery: Locating Kerberos Key Distribution Centers (KDCs) and other services by querying SRV records (e.g., kdig _kerberos._tcp.example.com SRV).
- Troubleshooting DNS Issues in Secure Environments: Diagnosing DNS resolution problems where DNSSEC or Kerberos service location might be a factor.
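An added example for the Kerberos service-discovery use case above (not part of the original page, and not code shipped with kdig or dig): it orders the SRV answers for _kerberos._tcp by priority and flags records that are malformed, use a port other than the standard Kerberos port 88, or point outside the realm's DNS domain. It assumes the input is one SRV rdata per line, the form `kdig +short _kerberos._tcp.example.com SRV` is expected to print; the function name audit_kdc_srv, the sample records and the in-domain policy are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SRV answers for _kerberos._tcp.<domain>.
# Input on stdin: "priority weight port target" per line (SRV rdata).

# Constructed sample answers, not real data.
SAMPLE_SRV='10 50 88 kdc2.example.com.
0 100 88 kdc1.example.com.
0 50 88 kdc.notexample.com.
20 0 8888 kdc3.example.com.'

# audit_kdc_srv DOMAIN [EXPECTED_PORT]
# Prints "STATUS priority weight port target", lowest priority first and,
# within a priority, highest weight first.
# STATUS is one of OK, BAD-PORT, OUT-OF-DOMAIN, MALFORMED.
audit_kdc_srv() {
    domain=$1
    port=${2:-88}   # 88 is the standard Kerberos port
    LC_ALL=C sort -k1,1n -k2,2nr | awk -v dom="$domain" -v port="$port" '
        # True when target t equals dom or ends in ".dom"; the leading dot
        # keeps "notexample.com" from matching "example.com".
        function in_domain(t,   suf, d) {
            sub(/\.$/, "", t)          # drop the trailing root dot
            t = tolower(t); d = tolower(dom); suf = "." d
            if (t == d) return 1
            if (length(t) <= length(suf)) return 0
            return substr(t, length(t) - length(suf) + 1) == suf
        }
        NF == 0 { next }
        NF != 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "MALFORMED", $0; next
        }
        $3 != port      { print "BAD-PORT", $0; next }
        !in_domain($4)  { print "OUT-OF-DOMAIN", $0; next }
                        { print "OK", $0 }
    '
}

# Offline run over the constructed sample. Against a live resolver the
# input would instead come from:
#   kdig +short _kerberos._tcp.example.com SRV | audit_kdc_srv example.com
printf '%s\n' "$SAMPLE_SRV" | audit_kdc_srv example.com
```

Any line not marked OK is a record to investigate before a client is allowed to rely on it for KDC location.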
HISTORY
kdig does not have an independent development history. Its existence is primarily as a specialized invocation or alias of the dig command, which has been a staple DNS lookup utility provided by the Internet Systems Consortium (ISC) as part of the BIND (Berkeley Internet Name Domain) tools since the early 1990s. The kdig alias gained prominence with the increased adoption of DNSSEC for secure DNS lookups and the reliance of Kerberos authentication systems on DNS SRV records for service discovery. Its role is to streamline the execution of dig commands pertinent to these security-critical functionalities, often pre-configuring dig for DNSSEC validation or specific SRV record queries relevant to Kerberos.