Dns debug tool kdig
kdig - Advanced DNS lookup utility
kdig - 高级DNS查询工具
Desc
kdig是一款类似于dig的dns调试工具
而 knot-dns 官网描述其为高性能的开源性DNS server
这里着重看看kdig的功能
不同于dig,kdig自带了更多扩展性功能,如便捷地通过-p 选项指定DNS服务的端口(虽然dig也可以通过-p指定端口)
以及方便地通过选项直接调试DoT
更是支持edns \ TCP Fast Open \ TCP protocol \ dnssec 等DNS查询行为
-- 不支持DoH噢 (DNS over Https)
Installation (https://www.knot-dns.cz/download)
- Knot DNS may already be included in your operating system distribution and therefore can be installed from packages (Linux), ports (BSD), or via Homebrew (macOS). This is always preferred unless you want to test the latest features, contribute to Knot development, or you just know what you are doing.
Latest installation information: https://www.knot-dns.cz/download
Ubuntu
add-apt-repository ppa:cz.nic-labs/knot-dns-latest && apt update
apt install knot-dnsutils
CentOS/Fedora/openSUSE current stable
https://copr.fedorainfracloud.org/coprs/g/cznic/knot-dns-latest/
Simple Examples
DOT == DNS Over Tls
root@vm_ubuntu16:/root ➤ kdig -d @223.5.5.5 +tls baidu.com ;; DEBUG: Querying for owner(baidu.com.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP) ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com ;; DEBUG: SHA-256 PIN: +ACy/80ww+XSVtadTogT+4L2XuYk9ZbigM6mnqmbgX8= ;; DEBUG: #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign RSA OV SSL CA 2018 ;; DEBUG: SHA-256 PIN: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, skipping certificate verification ;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4316 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR ;; PADDING: 86 B ;; QUESTION SECTION: ;; baidu.com. IN A ;; ANSWER SECTION: baidu.com. 34 IN A 39.156.69.79 baidu.com. 34 IN A 220.181.38.148 ;; Received 178 B ;; Time 2020-07-08 22:41:36 CST ;; From 223.5.5.5@853(TCP) in 18.8 ms
Supports Options in manual page
-4 Use the IPv4 protocol only. -6 Use the IPv6 protocol only. -b address Set the source IP address of the query to address. The address must be a valid address for local interface or :: or 0.0.0.0. An optional port can be specified in the same format as the server value. -c class An explicit query_class specification. See possible values above. -d Enable debug messages. -h, –help Print the program help. -k keyfile Use the TSIG key stored in a file keyfile to authenticate the request. The file must contain the key in the same format as accepted by the -y option. -p port Set the nameserver port number or service name to send a query to. The default port is 53. -q name Set the query name. An explicit variant of name specification. -t type An explicit query_type specification. See possible values above. -V, –version Print the program version. -x address Send a reverse (PTR) query for IPv4 or IPv6 address. The correct name, class and type is set automatically. -y [alg:]name:key Use the TSIG key named name to authenticate the request. The alg part specifies the algorithm (the default is hmac-sha256) and key specifies the shared secret encoded in Base64. -E tapfile Export a dnstap trace of the query and response messages received to the file tapfile. -G tapfile Generate message output from a previously saved dnstap file tapfile. +[no]multiline Wrap long records to more lines and improve human readability. +[no]short Show record data only. +[no]generic Use the generic representation format when printing resource record types and data. +[no]crypto Display the DNSSEC keys and signatures values in hexdump, instead of omitting them. +[no]aaflag Set the AA flag. +[no]tcflag Set the TC flag. +[no]rdflag Set the RD flag. +[no]recurse Same as +[no]rdflag +[no]raflag Set the RA flag. +[no]zflag Set the zero flag bit. +[no]adflag Set the AD flag. +[no]cdflag Set the CD flag. +[no]dnssec Set the DO flag. +[no]all Show all packet sections. +[no]qr Show the query packet. +[no]header Show the packet header. +[no]opt Show the EDNS pseudosection. +[no]question Show the question section. +[no]answer Show the answer section. +[no]authority Show the authority section. +[no]additional Show the additional section. +[no]tsig Show the TSIG pseudosection. +[no]stats Show trailing packet statistics. +[no]class Show the DNS class. +[no]ttl Show the TTL value. +[no]tcp Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR). +[no]fastopen Use TCP Fast Open (default with TCP). +[no]ignore Don’t use TCP automatically if a truncated reply is received. +[no]tls Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1). +[no]tls-ca[=FILE] Use TLS with a certificate validation. Certification authority certificates are loaded from the specified PEM file (default is system certificate storage if no argument is provided). Can be specified multiple times. If the +tls-hostname option is not provided, the name of the target server (if specified) is used for strict authentication. +[no]tls-pin=BASE64 Use TLS with the Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times. +[no]tls-hostname=STR Use TLS with a remote server hostname check. +[no]nsid Request the nameserver identifier (NSID). +[no]bufsize=B Set EDNS buffer size in bytes (default is 512 bytes). +[no]padding[=B] Use EDNS(0) padding option to pad queries, optionally to a specific size. The default is to pad queries with a sensible amount when using +tls, and not to pad at all when queries are sent without TLS. With no argument (i.e., just +padding) pad every query with a sensible amount regardless of the use of TLS. With +nopadding, never pad. +[no]alignment[=B] Align the query to B-byte-block message using the EDNS(0) padding option (default is no or 128 if no argument is specified). +[no]subnet=SUBN Set EDNS(0) client subnet SUBN=addr/prefix. +[no]edns[=N] Use EDNS version (default is 0). +[no]time=T Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout applies to each query attempt. +[no]retry=N Set the number (>=0) of UDP retries (default is 2). This doesn’t apply to AXFR/IXFR. +noidn Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on libidn availability during project building!
PS
【转】支持5353端口的DNS服务器
208.67.222.222 OpenDNS 加拿大
208.67.220.220 OpenDNS 加拿大
202.141.162.123 中科大 电信 (推荐备用)
202.141.178.13 中科大 电信 (推荐备用)
202.38.93.153 中科大 教育网
101.6.6.6 清华大学 教育网
176.103.130.130 AdGuard DNS 广告钓鱼拦截 俄罗斯
176.103.130.131 AdGuard DNS 广告钓鱼拦截 俄罗斯
176.103.130.132 AdGuard DNS 色情拦截 俄罗斯
176.103.130.134 AdGuard DNS 色情拦截 俄罗斯
89.233.43.71 Uncensored DNS 丹麦
91.239.100.100 Uncensored DNS 丹麦
阿里DNS支持DoH和DoT
www.233py.com提供的DNS服务[转,仅供参考]
GeekDNS 相关简述 https://www.nextrt.com/s/dns
目前支持 DOT,DOH,DnsCrypt,TCP
DOH https://i.233py.com/dns-query
DOT dns.233py.com