LinuxCommandLibrary

kdig

Query DNS servers

TLDR

Lookup the IP(s) associated with a hostname (A records)
$ kdig [example.com]

Specify a specific DNS server to query (e.g. Google DNS)
$ kdig [example.com] @[8.8.8.8]

Query a specific DNS record type associated with a given domain name
$ kdig [example.com] [A|AAAA|NS|SOA|DNSKEY|ANY]

Lookup the IP(s) associated with a hostname (A records) using DNS over TLS (DoT)
$ kdig -d @[8.8.8.8] +tls-ca +tls-host=[dns.google] [example.com]

Lookup the IP(s) associated with a hostname (A records) using DNS over HTTPS (DoH)
$ kdig -d @[1.1.1.1] +https +tls-hostname=[1dot1dot1dot1.cloudflare-dns.com] [example.com]

SYNOPSIS

kdig [global-options] [@server] [query-options] {name} [qtype] [qclass]

PARAMETERS

-4
    Force IPv4 transport

-6
    Force IPv6 transport

-b address[#port]
    Bind to source address and port

-c class
    DNS query class (default IN)

-d
    Enable debug messages (no argument)

-p port
    Nameserver port number or service name to send the query to (default 53)

-q name
    Specify query name

-t type
    Specify query type (e.g. A, MX, ANY)

-T
    Always use TCP transport

-U
    Always use UDP transport

+[no]aaflag
    Set the AA (authoritative answer) flag in the query

+[no]cdflag
    Set the CD (checking disabled) flag, asking the resolver to skip DNSSEC validation

+[no]dnssec
    Request DNSSEC records

+[no]edns[=version]
    Use EDNS(version)

+[no]ignore
    Do not retry over TCP when a truncated (TC) UDP reply is received

+json
    Print result in JSON format

+multiline
    Print RRs in multiline format

+nocrypto
    Hide DNSSEC key and signature material in the output (does not disable any cryptography)

+noqr
    Omit printing query section

+qr
    Print query section

+short
    Print only short form answer

+stats
    Print statistics at end

+tcp
    Use TCP transport

+tls
    Use TLS (DoT)

+tls-ca=path
    Specify TLS CA file

+tls-hostname=name
    SNI hostname for TLS

+tls-no-verify
    Disable TLS certificate verification

DESCRIPTION

kdig is a powerful command-line DNS lookup utility from the Knot DNS project, developed by CZ.NIC. Designed as a modern alternative to BIND's dig, it supports comprehensive DNS queries for various record types, classes, and protocols including UDP, TCP, TLS (DoT), and HTTP/2 (DoH). Key features include DNSSEC validation, EDNS options, automatic retransmissions, and detailed output formatting.

It is well suited to troubleshooting DNS issues, with options for strict ordering, multi-query support, and scripting-friendly outputs such as +short or JSON. kdig handles internationalized domain names (IDN), chaos queries, and experimental DNS over QUIC (DoQ). It is developed alongside Knot Resolver, so the two behave consistently.

It is intended for network administrators, security analysts, and developers who need precise DNS diagnostics. Install it via the knot-dnsutils package on most Linux distributions.

CAVEATS

Requires knot-dnsutils package; some advanced features like DoQ are experimental. Output can be verbose by default.

BASIC USAGE EXAMPLES

kdig example.com
kdig @8.8.8.8 +short example.com A
kdig @8.8.8.8 +tls-hostname=dns.google +tls-ca=/etc/ssl/certs/ca-certificates.crt example.com
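A scripted use of the options above, added here as an example and not part of kdig or this page: it queries the same name over plaintext DNS and over certificate-verified DoT (+tls-ca with +tls-hostname) and reports A records that appear only on one path, which is what a spoofed or injected plaintext answer looks like. The resolver addresses, hostname and the sample output in the test are constructed; kdig must be installed for the live run.

```python
"""Cross-check kdig +short answers from a plaintext resolver and a DoT resolver.
Constructed example built on the documented kdig options; not kdig's own code."""
import ipaddress
import subprocess


def kdig_argv(name, server, tls_hostname=None, qtype="A"):
    """Build the kdig command line. When tls_hostname is given, +tls-ca enables
    DoT with certificate verification against the system CA store and
    +tls-hostname sets the name the server certificate must match."""
    argv = ["kdig", "+short", "@" + server, name, qtype]
    if tls_hostname:
        argv += ["+tls-ca", "+tls-hostname=" + tls_hostname]
    return argv


def parse_short(output):
    """Parse +short output for an A/AAAA query: one record per line.
    Lines that are not IP addresses (e.g. CNAME targets) are skipped."""
    addrs = set()
    for line in output.splitlines():
        try:
            addrs.add(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue
    return addrs


def compare_answers(plain, encrypted):
    """Return records seen only over plaintext and only over DoT. A difference
    is not proof of tampering (CDNs rotate answers), but plaintext-only
    records deserve a closer look."""
    return {"plain_only": plain - encrypted, "dot_only": encrypted - plain}


def query(argv):
    """Run kdig and return (exit code, stdout). Requires kdig on PATH."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Assumed resolver pair from the examples above: 8.8.8.8 with dns.google as DoT name.
    rc_plain, out_plain = query(kdig_argv("example.com", "8.8.8.8"))
    rc_dot, out_dot = query(kdig_argv("example.com", "8.8.8.8", "dns.google"))
    if rc_plain != 0 or rc_dot != 0:
        raise SystemExit(f"kdig failed: plain={rc_plain} dot={rc_dot}")
    print(compare_answers(parse_short(out_plain), parse_short(out_dot)))
```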

EXIT CODES

0: Success
1: Warning
2: Error
7: No answer
8: No authority
9: No additional

HISTORY

Developed by CZ.NIC starting with Knot DNS 2.0 (2017); kdig introduced in Knot Resolver 2.3 (2018) as a portable dig-like tool. Evolved with DoT/DoH support in later versions (Knot 3.x+). Actively maintained for modern DNS protocols.

SEE ALSO

dig(1), host(1), nslookup(1), drill(1), kresd(8)
