DNS debug tool kdig

Random notes from 三线

kdig - Advanced DNS lookup utility

Description

kdig is a DNS debugging tool similar to dig.

The Knot DNS website describes Knot DNS itself as a high-performance, open-source DNS server.

Here the focus is on what kdig can do.

Unlike dig, kdig ships with more extended functionality, such as conveniently specifying the port of the DNS service with the -p option (although dig can also specify the port with -p),

as well as debugging DoT directly through a command-line option.

It also supports EDNS, TCP Fast Open, plain TCP, DNSSEC and other DNS query behaviours.

-- DoH (DNS over HTTPS) is not supported.


Installation (https://www.knot-dns.cz/download)

  • Knot DNS may already be included in your operating system distribution and therefore can be installed from packages (Linux), ports (BSD), or via Homebrew (macOS). This is always preferred unless you want to test the latest features, contribute to Knot development, or you just know what you are doing.

Latest installation information: https://www.knot-dns.cz/download

Ubuntu

add-apt-repository ppa:cz.nic-labs/knot-dns-latest && apt update
apt install knot-dnsutils

CentOS/Fedora/openSUSE current stable

https://copr.fedorainfracloud.org/coprs/g/cznic/knot-dns-latest/

Simple Examples

DoT == DNS over TLS

root@vm_ubuntu16:/root
➤ kdig -d @223.5.5.5 +tls baidu.com
;; DEBUG: Querying for owner(baidu.com.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com
;; DEBUG:      SHA-256 PIN: +ACy/80ww+XSVtadTogT+4L2XuYk9ZbigM6mnqmbgX8=
;; DEBUG:  #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign RSA OV SSL CA 2018
;; DEBUG:      SHA-256 PIN: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4316
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 86 B

;; QUESTION SECTION:
;; baidu.com.          		IN	A

;; ANSWER SECTION:
baidu.com.          	34	IN	A	39.156.69.79
baidu.com.          	34	IN	A	220.181.38.148

;; Received 178 B
;; Time 2020-07-08 22:41:36 CST
;; From 223.5.5.5@853(TCP) in 18.8 ms
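In the debug output above kdig prints a SHA-256 PIN for each certificate and then reports "skipping certificate PIN check" and "skipping certificate verification": that is the opportunistic +tls profile, which encrypts but does not authenticate the resolver. Moving to the key-pinned profile (+tls-pin=BASE64, described under the options below) requires that pin for the resolver's key. The following Python script, added here and not part of the original post or of Knot DNS, computes it from a DER certificate with a minimal stdlib-only DER walker (Base64 of the SHA-256 of the SubjectPublicKeyInfo, as the +tls-pin option specifies); the embedded sample certificate is constructed, and the names read_tlv, extract_spki, spki_pin and tlv are my own.

```python
import base64
import hashlib
import sys

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos:] -> (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def extract_spki(cert_der):
    """Raw SubjectPublicKeyInfo TLV: TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, SPKI, ... }"""
    tag, cert_body, _, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs_body, _, _ = read_tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields, pos = [], 0
    while pos < len(tbs_body):               # collect the TBSCertificate fields in order
        tag, _, raw, pos = read_tlv(tbs_body, pos)
        fields.append((tag, raw))
    if fields and fields[0][0] == 0xA0:      # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    spki_tag, spki_raw = fields[5]           # sixth field after version is the SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw

def spki_pin(cert_der):
    """Base64(SHA-256(SPKI DER)): what 'kdig -d' prints as SHA-256 PIN and +tls-pin= takes."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def tlv(tag, body):
    """Encode one short-form DER TLV (body < 128 bytes); only used to build the sample below."""
    return bytes([tag, len(body)]) + body

# Constructed sample, NOT a real certificate: empty placeholder fields around an SPKI carrying the ecPublicKey OID and 64 fake key bytes.
SAMPLE_SPKI_DER = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201")))
                      + tlv(0x03, b"\x00\x04" + b"\xab" * 64))
TBS = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI_DER
SAMPLE_CERT_DER = tlv(0x30, tlv(0x30, TBS) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":                   # usage: script.py resolver-cert.der
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CERT_DER
    print("+tls-pin=" + spki_pin(der))
```

Save the resolver's leaf certificate in DER form (openssl x509 -outform DER converts a PEM), run the script on it, and compare the result with the SHA-256 PIN line that kdig -d prints before passing it as +tls-pin, ideally together with +tls-ca and +tls-hostname so that both the key and the chain are checked.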


Supported options (from the manual page)

-4
    Use the IPv4 protocol only.

-6
    Use the IPv6 protocol only.

-b address
    Set the source IP address of the query to address. The address must be a valid address for local interface or :: or 0.0.0.0. An optional port can be specified in the same format as the server value.

-c class
    An explicit query_class specification. See possible values above.

-d
    Enable debug messages.

-h, --help
    Print the program help.

-k keyfile
    Use the TSIG key stored in a file keyfile to authenticate the request. The file must contain the key in the same format as accepted by the -y option.

-p port
    Set the nameserver port number or service name to send a query to. The default port is 53.

-q name
    Set the query name. An explicit variant of name specification.

-t type
    An explicit query_type specification. See possible values above.

-V, --version
    Print the program version.

-x address
    Send a reverse (PTR) query for IPv4 or IPv6 address. The correct name, class and type is set automatically.

-y [alg:]name:key
    Use the TSIG key named name to authenticate the request. The alg part specifies the algorithm (the default is hmac-sha256) and key specifies the shared secret encoded in Base64.

-E tapfile
    Export a dnstap trace of the query and response messages received to the file tapfile.

-G tapfile
    Generate message output from a previously saved dnstap file tapfile.

+[no]multiline
    Wrap long records to more lines and improve human readability.

+[no]short
    Show record data only.

+[no]generic
    Use the generic representation format when printing resource record types and data.

+[no]crypto
    Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.

+[no]aaflag
    Set the AA flag.

+[no]tcflag
    Set the TC flag.

+[no]rdflag
    Set the RD flag.

+[no]recurse
    Same as +[no]rdflag.

+[no]raflag
    Set the RA flag.

+[no]zflag
    Set the zero flag bit.

+[no]adflag
    Set the AD flag.

+[no]cdflag
    Set the CD flag.

+[no]dnssec
    Set the DO flag.

+[no]all
    Show all packet sections.

+[no]qr
    Show the query packet.

+[no]header
    Show the packet header.

+[no]opt
    Show the EDNS pseudosection.

+[no]question
    Show the question section.

+[no]answer
    Show the answer section.

+[no]authority
    Show the authority section.

+[no]additional
    Show the additional section.

+[no]tsig
    Show the TSIG pseudosection.

+[no]stats
    Show trailing packet statistics.

+[no]class
    Show the DNS class.

+[no]ttl
    Show the TTL value.

+[no]tcp
    Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).

+[no]fastopen
    Use TCP Fast Open (default with TCP).

+[no]ignore
    Don’t use TCP automatically if a truncated reply is received.

+[no]tls
    Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1).

+[no]tls-ca[=FILE]
    Use TLS with a certificate validation. Certification authority certificates are loaded from the specified PEM file (default is system certificate storage if no argument is provided). Can be specified multiple times. If the +tls-hostname option is not provided, the name of the target server (if specified) is used for strict authentication.

+[no]tls-pin=BASE64
    Use TLS with the Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.

+[no]tls-hostname=STR
    Use TLS with a remote server hostname check.

+[no]nsid
    Request the nameserver identifier (NSID).

+[no]bufsize=B
    Set EDNS buffer size in bytes (default is 512 bytes).

+[no]padding[=B]
    Use EDNS(0) padding option to pad queries, optionally to a specific size. The default is to pad queries with a sensible amount when using +tls, and not to pad at all when queries are sent without TLS. With no argument (i.e., just +padding) pad every query with a sensible amount regardless of the use of TLS. With +nopadding, never pad.

+[no]alignment[=B]
    Align the query to B-byte-block message using the EDNS(0) padding option (default is no or 128 if no argument is specified).

+[no]subnet=SUBN
    Set EDNS(0) client subnet SUBN=addr/prefix.

+[no]edns[=N]
    Use EDNS version (default is 0).

+[no]time=T
    Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout applies to each query attempt.

+[no]retry=N
    Set the number (>=0) of UDP retries (default is 2). This doesn’t apply to AXFR/IXFR.

+noidn
    Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on libidn availability during project building!


PS

[Repost] DNS servers that support port 5353

208.67.222.222      OpenDNS               Canada
208.67.220.220      OpenDNS               Canada
202.141.162.123     USTC                  China Telecom   (recommended as backup)
202.141.178.13      USTC                  China Telecom   (recommended as backup)
202.38.93.153       USTC                  CERNET
101.6.6.6           Tsinghua University   CERNET
176.103.130.130     AdGuard DNS           ad/phishing blocking      Russia
176.103.130.131     AdGuard DNS           ad/phishing blocking      Russia
176.103.130.132     AdGuard DNS           adult-content blocking    Russia
176.103.130.134     AdGuard DNS           adult-content blocking    Russia
89.233.43.71        UncensoredDNS         Denmark
91.239.100.100      UncensoredDNS         Denmark


AliDNS supports DoH and DoT.

DNS service provided by www.233py.com [repost, for reference only]

GeekDNS overview: https://www.nextrt.com/s/dns

Official site: https://www.233py.com

Currently supports DoT, DoH, DNSCrypt and TCP.

DoH: https://i.233py.com/dns-query

DoT: dns.233py.com


Documentation

Official Manual Page: https://www.knot-dns.cz/docs/2.6/html/man_kdig.html

https://www.knot-dns.cz/docs/2.6/html/index.html