Ubuntu Kylin Technical Forum

kdig - Advanced DNS lookup utility

Desc
kdig is a DNS debugging tool similar to dig.
The knot-dns website describes Knot DNS itself as a high-performance open-source DNS server;
here we focus on what kdig can do.
Unlike dig, kdig comes with more extended functionality, such as conveniently specifying the DNS service port with the -p option (although dig can also specify the port with -p),
and debugging DoT directly through a single option.
It also supports EDNS, TCP Fast Open, the TCP protocol, DNSSEC and other DNS query behaviours.
#Ubuntu

  add-apt-repository ppa:cz.nic-labs/knot-dns-latest && apt update

  apt install knot-dnsutils

Simple Examples (DoT == DNS over TLS)
  root@l:~# kdig -d @223.5.5.5 +tls-ca ubuntukylin.com
  ;; DEBUG: Querying for owner(ubuntukylin.com.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
  ;; DEBUG: TLS, imported 127 system certificates
  ;; DEBUG: TLS, received certificate hierarchy:
  ;; DEBUG:  #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com
  ;; DEBUG:      SHA-256 PIN: +ACy/80ww+XSVtadTogT+4L2XuYk9ZbigM6mnqmbgX8=
  ;; DEBUG:  #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign RSA OV SSL CA 2018
  ;; DEBUG:      SHA-256 PIN: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU=
  ;; DEBUG: TLS, skipping certificate PIN check
  ;; DEBUG: TLS, The certificate is trusted.
  ;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
  ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 30326
  ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

  ;; EDNS PSEUDOSECTION:
  ;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
  ;; PADDING: 80 B

  ;; QUESTION SECTION:
  ;; ubuntukylin.com.                    IN        A

  ;; ANSWER SECTION:
  ubuntukylin.com.            600        IN        A        120.79.211.60

  ;; Received 159 B
  ;; Time 2020-10-21 20:01:27 CST
  ;; From 223.5.5.5@853(TCP) in 86.4 ms

# It can also be done like this
  root@l:~# kdig -d @223.5.5.5 +tls-ca +tls-host=dns.alidns.com ubuntukylin.com
  ;; DEBUG: Querying for owner(ubuntukylin.com.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
  ;; DEBUG: TLS, imported 127 system certificates
  ;; DEBUG: TLS, received certificate hierarchy:
  ;; DEBUG:  #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com
  ;; DEBUG:      SHA-256 PIN: +ACy/80ww+XSVtadTogT+4L2XuYk9ZbigM6mnqmbgX8=
  ;; DEBUG:  #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign RSA OV SSL CA 2018
  ;; DEBUG:      SHA-256 PIN: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU=
  ;; DEBUG: TLS, skipping certificate PIN check
  ;; DEBUG: TLS, The certificate is trusted.
  ;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
  ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54217
  ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

  ;; EDNS PSEUDOSECTION:
  ;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
  ;; PADDING: 80 B

  ;; QUESTION SECTION:
  ;; ubuntukylin.com.                    IN        A

  ;; ANSWER SECTION:
  ubuntukylin.com.            489        IN        A        120.79.211.60

  ;; Received 159 B
  ;; Time 2020-10-21 20:03:18 CST
  ;; From 223.5.5.5@853(TCP) in 24.8 ms
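The two transcripts above show what a -d run with +tls-ca actually proves: the resolver was reached over TCP/853, the chain validated against the system CA store, but the "skipping certificate PIN check" line means no key was pinned. As an added example (my own code, not part of kdig, Knot DNS or the original post), the following Python parses that debug output into a structured record, checks that the printed PINs are well-formed SHA-256 pins, and turns the leaf pin into the +tls-pin argument for the key-pinned profile. SAMPLE_OUTPUT is copied from the first run above; the function names, the findings wording and the assumption that the printed PIN is the same SPKI-hash form that +tls-pin accepts are mine.

```python
"""Parse kdig -d DoT output and summarise what the TLS transcript proves.

Added example, not kdig code. Regexes target the output format shown above.
"""
import base64
import re

# Copied from the first kdig run in the post (the lines the parser reads).
SAMPLE_OUTPUT = """\
;; DEBUG: Querying for owner(ubuntukylin.com.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
;; DEBUG: TLS, imported 127 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com
;; DEBUG:      SHA-256 PIN: +ACy/80ww+XSVtadTogT+4L2XuYk9ZbigM6mnqmbgX8=
;; DEBUG:  #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign RSA OV SSL CA 2018
;; DEBUG:      SHA-256 PIN: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 30326
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 80 B

;; QUESTION SECTION:
;; ubuntukylin.com.                    IN        A

;; ANSWER SECTION:
ubuntukylin.com.            600        IN        A        120.79.211.60

;; Received 159 B
;; Time 2020-10-21 20:01:27 CST
;; From 223.5.5.5@853(TCP) in 86.4 ms
"""

QUERY_RE = re.compile(r"server\((?P<server>[^)]+)\), port\((?P<port>\d+)\), protocol\((?P<proto>\w+)\)")
CERT_RE = re.compile(r"^;; DEBUG:\s+#(?P<idx>\d+), (?P<subject>.+)$")
PIN_RE = re.compile(r"SHA-256 PIN: (?P<pin>[A-Za-z0-9+/=]+)$")
SESSION_RE = re.compile(r"^;; TLS session \((?P<version>[^)]+)\)-\((?P<kx>[^)]+)\)-\((?P<cipher>[^)]+)\)")
STATUS_RE = re.compile(r"status: (?P<status>\w+);")
SECTION_RE = re.compile(r"^;; (?P<name>\w+) (?:PSEUDO)?SECTION:$")
PADDING_RE = re.compile(r"^;; PADDING: (?P<bytes>\d+) B$")
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<data>.+)$")


def valid_pin(pin):
    """A +tls-pin value must be the Base64 form of a 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def parse_kdig(text):
    """Turn the transcript into a dict: endpoint, cert chain with pins, TLS facts, answers."""
    info = {"server": None, "port": None, "protocol": None, "chain": [],
            "pin_check_skipped": False, "trusted": False, "tls_version": None,
            "cipher": None, "status": None, "padding": None, "answers": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"].lower()
            continue
        if line.startswith(";;"):          # comment/debug line, never a resource record
            section = None
            if m := QUERY_RE.search(line):
                info.update(server=m["server"], port=int(m["port"]), protocol=m["proto"])
            elif m := CERT_RE.match(line):
                info["chain"].append({"subject": m["subject"], "pin": None})
            elif (m := PIN_RE.search(line)) and info["chain"]:
                info["chain"][-1]["pin"] = m["pin"]   # pin belongs to the last listed cert
            elif "skipping certificate PIN check" in line:
                info["pin_check_skipped"] = True
            elif "The certificate is trusted" in line:
                info["trusted"] = True
            elif m := SESSION_RE.match(line):
                info["tls_version"], info["cipher"] = m["version"], m["cipher"]
            elif m := STATUS_RE.search(line):
                info["status"] = m["status"]
            elif m := PADDING_RE.match(line):
                info["padding"] = int(m["bytes"])
            continue
        if section == "answer" and (m := RR_RE.match(line)):
            info["answers"].append((m["name"], int(m["ttl"]), m["type"], m["data"]))
    return info


def pin_option(info):
    """Build the +tls-pin argument from the leaf (#1) certificate's printed pin."""
    return "+tls-pin=" + info["chain"][0]["pin"]


def dot_findings(info):
    """Defender-facing summary: what the transcript proves and what it does not."""
    out = []
    if info["protocol"] == "TCP" and info["port"] == 853 and info["tls_version"]:
        out.append(f"DoT session: {info['tls_version']} ({info['cipher']}) to {info['server']}:{info['port']}")
    else:
        out.append("No DoT session: query was not carried over TLS on port 853")
    if info["trusted"]:
        out.append("Certificate chain accepted against the CA store (+tls-ca)")
    for cert in info["chain"]:
        if not valid_pin(cert["pin"]):
            out.append(f"Malformed PIN for {cert['subject']}: {cert['pin']!r}")
    if info["pin_check_skipped"] and info["chain"]:
        out.append("PIN check skipped: chain validated but key not pinned; to pin this resolver re-run with "
                   + pin_option(info))
    if info["padding"]:
        out.append(f"EDNS padding in use: {info['padding']} B")
    if info["status"] and info["status"] != "NOERROR":
        out.append(f"Query status: {info['status']}")
    return out


if __name__ == "__main__":
    for finding in dot_findings(parse_kdig(SAMPLE_OUTPUT)):
        print(finding)
```

Pipe a real run through it with `kdig -d @resolver +tls-ca name | python3 this_file.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the point of the findings list is that "trusted" and "pinned" are different guarantees, and the transcript tells you which one you got.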
# Supported options, from the manual page

  -4
      Use the IPv4 protocol only.

  -6
      Use the IPv6 protocol only.

  -b address
      Set the source IP address of the query to address. The address must be a valid address for local interface or :: or 0.0.0.0. An optional port can be specified in the same format as the server value.

  -c class
      An explicit query_class specification. See possible values above.

  -d
      Enable debug messages.

  -h, --help
      Print the program help.

  -k keyfile
      Use the TSIG key stored in a file keyfile to authenticate the request. The file must contain the key in the same format as accepted by the -y option.

  -p port
      Set the nameserver port number or service name to send a query to. The default port is 53.

  -q name
      Set the query name. An explicit variant of name specification.

  -t type
      An explicit query_type specification. See possible values above.

  -V, --version
      Print the program version.

  -x address
      Send a reverse (PTR) query for IPv4 or IPv6 address. The correct name, class and type are set automatically.

  -y [alg:]name:key
      Use the TSIG key named name to authenticate the request. The alg part specifies the algorithm (the default is hmac-sha256) and key specifies the shared secret encoded in Base64.

  -E tapfile
      Export a dnstap trace of the query and response messages received to the file tapfile.

  -G tapfile
      Generate message output from a previously saved dnstap file tapfile.

  +[no]multiline
      Wrap long records to more lines and improve human readability.

  +[no]short
      Show record data only.

  +[no]generic
      Use the generic representation format when printing resource record types and data.

  +[no]crypto
      Display the DNSSEC keys and signatures values in hexdump, instead of omitting them.

  +[no]aaflag
      Set the AA flag.

  +[no]tcflag
      Set the TC flag.

  +[no]rdflag
      Set the RD flag.

  +[no]recurse
      Same as +[no]rdflag.

  +[no]raflag
      Set the RA flag.

  +[no]zflag
      Set the zero flag bit.

  +[no]adflag
      Set the AD flag.

  +[no]cdflag
      Set the CD flag.

  +[no]dnssec
      Set the DO flag.

  +[no]all
      Show all packet sections.

  +[no]qr
      Show the query packet.

  +[no]header
      Show the packet header.

  +[no]opt
      Show the EDNS pseudosection.

  +[no]question
      Show the question section.

  +[no]answer
      Show the answer section.

  +[no]authority
      Show the authority section.

  +[no]additional
      Show the additional section.

  +[no]tsig
      Show the TSIG pseudosection.

  +[no]stats
      Show trailing packet statistics.

  +[no]class
      Show the DNS class.

  +[no]ttl
      Show the TTL value.

  +[no]tcp
      Use the TCP protocol (default is UDP for standard query and TCP for AXFR/IXFR).

  +[no]fastopen
      Use TCP Fast Open (default with TCP).

  +[no]ignore
      Don't use TCP automatically if a truncated reply is received.

  +[no]tls
      Use TLS with the Opportunistic privacy profile (RFC 7858#section-4.1).

  +[no]tls-ca[=FILE]
      Use TLS with a certificate validation. Certification authority certificates are loaded from the specified PEM file (default is system certificate storage if no argument is provided). Can be specified multiple times. If the +tls-hostname option is not provided, the name of the target server (if specified) is used for strict authentication.

  +[no]tls-pin=BASE64
      Use TLS with the Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.

  +[no]tls-hostname=STR
      Use TLS with a remote server hostname check.

  +[no]nsid
      Request the nameserver identifier (NSID).

  +[no]bufsize=B
      Set EDNS buffer size in bytes (default is 512 bytes).

  +[no]padding[=B]
      Use EDNS(0) padding option to pad queries, optionally to a specific size. The default is to pad queries with a sensible amount when using +tls, and not to pad at all when queries are sent without TLS. With no argument (i.e., just +padding) pad every query with a sensible amount regardless of the use of TLS. With +nopadding, never pad.

  +[no]alignment[=B]
      Align the query to B-byte-block message using the EDNS(0) padding option (default is no or 128 if no argument is specified).

  +[no]subnet=SUBN
      Set EDNS(0) client subnet SUBN=addr/prefix.

  +[no]edns[=N]
      Use EDNS version (default is 0).

  +[no]time=T
      Set the wait-for-reply interval in seconds (default is 5 seconds). This timeout applies to each query attempt.

  +[no]retry=N
      Set the number (>=0) of UDP retries (default is 2). This doesn't apply to AXFR/IXFR.

  +noidn
      Disable the IDN transformation to ASCII and vice versa. IDNA2003 support depends on libidn availability during project building!
Posted on 2020-10-21 20:09:16