Packages and Binaries:
bind9
The Berkeley Internet Name Domain (BIND 9) implements an Internet domain name server. BIND 9 is the most widely-used name server software on the Internet, and is supported by the Internet Software Consortium, www.isc.org.
This package provides the server and related configuration files.
Installed size: 1.10 MB
How to install: sudo apt install bind9
Dependencies:
- adduser
- bind9-libs
- bind9-utils
- debconf | debconf-2.0
- dns-root-data
- init-system-helpers
- iproute2
- libc6
- libcap2
- libfstrm0
- libjson-c5
- liblmdb0
- libmaxminddb0
- libnghttp2-14
- libprotobuf-c1
- libssl3
- libuv1
- libxml2
- lsb-base
- netbase
- zlib1g
arpaname
Translate IP addresses to the corresponding ARPA names
[email protected]:~# man arpaname
ARPANAME(1) BIND 9 ARPANAME(1)
NAME
arpaname - translate IP addresses to the corresponding ARPA names
SYNOPSIS
arpaname {ipaddress ...}
DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding
IN-ADDR.ARPA or IP6.ARPA names.
SEE ALSO
BIND 9 Administrator Reference Manual.
AUTHOR
Internet Systems Consortium
COPYRIGHT
2022, Internet Systems Consortium
9.18.8-1-Debian 2022-10-10 ARPANAME(1)
ddns-confgen
Ddns key generation tool
[email protected]:~# ddns-confgen -h
Usage:
ddns-confgen [-a alg] [-k keyname] [-q] [-s name | -z zone]
-a alg: algorithm (default hmac-sha256)
-k keyname: name of the key as it will be used in named.conf
-s name: domain name to be updated using the created key
-z zone: name of the zone as it will be used in named.conf
-q: quiet mode: print the key, with no explanatory text
dnssec-importkey
Import DNSKEY records from external systems so they can be managed
[email protected]:~# dnssec-importkey --help
dnssec-importkey: invalid argument --
Usage:
dnssec-importkey options [-K dir] keyfile
dnssec-importkey options -f file [keyname]
Version: 9.18.8-1-Debian
Options:
-f file: read key from zone file
-K <directory>: directory in which to store the key files
-L ttl: set default key TTL
-v <verbose level>
-V: print version information
-h: print usage and exit
Timing options:
-P date/[+-]offset/none: set/unset key publication date
-P sync date/[+-]offset/none: set/unset CDS and CDNSKEY publication date
-D date/[+-]offset/none: set/unset key deletion date
-D sync date/[+-]offset/none: set/unset CDS and CDNSKEY deletion date
named
Internet domain name server
[email protected]:~# man named
NAMED(8) BIND 9 NAMED(8)
NAME
named - Internet domain name server
SYNOPSIS
named [ [-4] | [-6] ] [-c config-file] [-C] [-d debug-level] [-D
string] [-E engine-name] [-f] [-g] [-L logfile] [-M option] [-m flag]
[-n #cpus] [-p port] [-s] [-t directory] [-U #listeners] [-u user] [-v]
[-V] [-X lock-file]
DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distri-
bution from ISC. For more information on the DNS, see RFC 1033, RFC
1034, and RFC 1035.
When invoked without arguments, named reads the default configuration
file /etc/bind/named.conf, reads any initial data, and listens for
queries.
OPTIONS
-4 This option tells named to use only IPv4, even if the host ma-
chine is capable of IPv6. -4 and -6 are mutually exclusive.
-6 This option tells named to use only IPv6, even if the host ma-
chine is capable of IPv4. -4 and -6 are mutually exclusive.
-c config-file
This option tells named to use config-file as its configuration
file instead of the default, /etc/bind/named.conf. To ensure
that the configuration file can be reloaded after the server has
changed its working directory due to to a possible directory op-
tion in the configuration file, config-file should be an abso-
lute pathname.
-C This option prints out the default built-in configuration and
exits.
NOTE: This is for debugging purposes only and is not an accurate
representation of the actual configuration used by named at run-
time.
-d debug-level
This option sets the daemon's debug level to debug-level. Debug-
ging traces from named become more verbose as the debug level
increases.
-D string
This option specifies a string that is used to identify a in-
stance of named in a process listing. The contents of string are
not examined.
-E engine-name
When applicable, this option specifies the hardware to use for
cryptographic operations, such as a secure key store used for
signing.
When BIND 9 is built with OpenSSL, this needs to be set to the
OpenSSL engine identifier that drives the cryptographic acceler-
ator or hardware service module (usually pkcs11).
-f This option runs the server in the foreground (i.e., do not dae-
monize).
-g This option runs the server in the foreground and forces all
logging to stderr.
-L logfile
This option sets the log to the file logfile by default, instead
of the system log.
-M option
This option sets the default (comma-separated) memory context
options. The possible flags are:
o fill: fill blocks of memory with tag values when they are al-
located or freed, to assist debugging of memory problems; this
is the implicit default if named has been compiled with --en-
able-developer.
o nofill: disable the behavior enabled by fill; this is the im-
plicit default unless named has been compiled with --en-
able-developer.
-m flag
This option turns on memory usage debugging flags. Possible
flags are usage, trace, record, size, and mctx. These correspond
to the ISC_MEM_DEBUGXXXX flags described in <isc/mem.h>.
-n #cpus
This option creates #cpus worker threads to take advantage of
multiple CPUs. If not specified, named tries to determine the
number of CPUs present and creates one thread per CPU. If it is
unable to determine the number of CPUs, a single worker thread
is created.
-p value
This option specifies the port(s) on which the server will lis-
ten for queries. If value is of the form <portnum> or dns=<port-
num>, the server will listen for DNS queries on portnum; if not
not specified, the default is port 53. If value is of the form
tls=<portnum>, the server will listen for TLS queries on port-
num; the default is 853. If value is of the form https=<port-
num>, the server will listen for HTTPS queries on portnum; the
default is 443. If value is of the form http=<portnum>, the
server will listen for HTTP queries on portnum; the default is
80.
-s This option writes memory usage statistics to stdout on exit.
NOTE:
This option is mainly of interest to BIND 9 developers and may be
removed or changed in a future release.
-S #max-socks
This option is deprecated and no longer has any function.
WARNING:
This option should be unnecessary for the vast majority of users.
The use of this option could even be harmful, because the specified
value may exceed the limitation of the underlying system API. It is
therefore set only when the default configuration causes exhaustion
of file descriptors and the operational environment is known to sup-
port the specified number of sockets. Note also that the actual max-
imum number is normally slightly fewer than the specified value, be-
cause named reserves some file descriptors for its internal use.
-t directory
This option tells named to chroot to directory after processing
the command-line arguments, but before reading the configuration
file.
WARNING:
This option should be used in conjunction with the -u option, as ch-
rooting a process running as root doesn't enhance security on most
systems; the way chroot is defined allows a process with root privi-
leges to escape a chroot jail.
-U #listeners
This option tells named the number of #listeners worker threads
to listen on, for incoming UDP packets on each address. If not
specified, named calculates a default value based on the number
of detected CPUs: 1 for 1 CPU, and the number of detected CPUs
minus one for machines with more than 1 CPU. This cannot be in-
creased to a value higher than the number of CPUs. If -n has
been set to a higher value than the number of detected CPUs,
then -U may be increased as high as that value, but no higher.
-u user
This option sets the setuid to user after completing privileged
operations, such as creating sockets that listen on privileged
ports.
NOTE:
On Linux, named uses the kernel's capability mechanism to drop all
root privileges except the ability to bind to a privileged port and
set process resource limits. Unfortunately, this means that the -u
option only works when named is run on kernel 2.2.18 or later, or
kernel 2.3.99-pre3 or later, since previous kernels did not allow
privileges to be retained after setuid.
-v This option reports the version number and exits.
-V This option reports the version number, build options, supported
cryptographics algorithms, and exits.
-X lock-file
This option acquires a lock on the specified file at runtime;
this helps to prevent duplicate named instances from running si-
multaneously. Use of this option overrides the lock-file option
in named.conf. If set to none, the lock file check is disabled.
SIGNALS
In routine operation, signals should not be used to control the name-
server; rndc should be used instead.
SIGHUP This signal forces a reload of the server.
SIGINT, SIGTERM
These signals shut down the server.
The result of sending any other signals to the server is undefined.
CONFIGURATION
The named configuration file is too complex to describe in detail here.
A complete description is provided in the BIND 9 Administrator Refer-
ence Manual.
named inherits the umask (file creation mode mask) from the parent
process. If files created by named, such as journal files, need to have
custom permissions, the umask should be set explicitly in the script
used to start the named process.
FILES
/etc/bind/named.conf
The default configuration file.
/run/named.pid
The default process-id file.
SEE ALSO
RFC 1033, RFC 1034, RFC 1035, named-checkconf(8), named-checkzone(8),
rndc(8), named.conf(5), BIND 9 Administrator Reference Manual.
AUTHOR
Internet Systems Consortium
COPYRIGHT
2022, Internet Systems Consortium
9.18.8-1-Debian 2022-10-10 NAMED(8)
named-journalprint
Print zone journal in human-readable form
[email protected]:~# named-journalprint -h
named-journalprint: illegal option -- h
Usage: named-journalprint [-dux] journal
named-nzd2nzf
Convert an NZD database to NZF text format
named-rrchecker
Syntax checker for individual DNS resource records
[email protected]:~# named-rrchecker --help
named-rrchecker: illegal option -- -
usage: named-rrchecker [-o origin] [-hpCPTu]
-h: print this help message
-o origin: set origin to be used when interpreting the record
-p: print the record in canonical format
-C: list the supported class names
-P: list the supported private type names
-T: list the supported standard type names
-u: print the record in unknown record format
nsec3hash
Generate NSEC3 hash
[email protected]:~# nsec3hash -h
nsec3hash: illegal option -- h
Usage: nsec3hash salt algorithm iterations domain
nsec3hash -r algorithm flags iterations salt domain
tsig-keygen
TSIG key generation tool
[email protected]:~# tsig-keygen -h
Usage:
tsig-keygen [-a alg] [keyname]
-a alg: algorithm (default hmac-sha256)
bind9-dev
The Berkeley Internet Name Domain (BIND 9) implements an Internet domain name server. BIND 9 is the most widely-used name server software on the Internet, and is supported by the Internet Software Consortium, www.isc.org.
This package contains a bundle of static libraries and header files used by BIND 9.
Please be aware that the BIND 9 libraries are considered private by upstream developers and the API and ABI might break at any time.
Installed size: 1.75 MB
How to install: sudo apt install bind9-dev
Dependencies:
- bind9-libs
bind9-dnsutils
The Berkeley Internet Name Domain (BIND 9) implements an Internet domain name server. BIND 9 is the most widely-used name server software on the Internet, and is supported by the Internet Software Consortium, www.isc.org.
This package delivers various client programs related to DNS that are derived from the BIND 9 source tree.
- dig - query the DNS in various ways
- nslookup - the older way to do it
- nsupdate - perform dynamic updates (See RFC2136)
Installed size: 718 KB
How to install: sudo apt install bind9-dnsutils
Dependencies:
- bind9-host | host
- bind9-libs
- libc6
- libedit2
- libidn2-0
- libkrb5-3
- libprotobuf-c1
delv
DNS lookup and validation utility
[email protected]:~# delv --help
Invalid option: --help
Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
q-opt is one of:
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
-a anchor-file (specify root trust anchor)
-b address[#port] (bind to source address/port)
-c class (option included for compatibility;
-d level (set debugging level)
-h (print help and exit)
-i (disable DNSSEC validation)
-m (enable memory usage debugging)
-p port (specify port number)
-q name (specify query name)
-t type (specify query type)
only IN is supported)
-v (print version and exit)
-x dot-notation (shortcut for reverse lookups)
d-opt is of the form +keyword[=value], where keyword is:
+[no]all (Set or clear all display flags)
+[no]class (Control display of class)
+[no]comments (Control display of comment lines)
+[no]crypto (Control display of cryptographic
fields in records)
+[no]dlv (Obsolete)
+[no]dnssec (Display DNSSEC records)
+[no]mtrace (Trace messages received)
+[no]multiline (Print records in an expanded format)
+[no]root (DNSSEC validation trust anchor)
+[no]rrcomments (Control display of per-record comments)
+[no]rtrace (Trace resolver fetches)
+[no]short (Short form answer)
+[no]split=## (Split hex/base64 fields into chunks)
+[no]tcp (TCP mode)
+[no]ttl (Control display of ttls in records)
+[no]trust (Control display of trust level)
+[no]unknownformat (Print RDATA in RFC 3597 "unknown" format)
+[no]vtrace (Trace validation process)
+[no]yaml (Present the results as YAML)
dig
DNS lookup utility
[email protected]:~# dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
-b address[#port] (bind to source address/port)
-c class (specify query class)
-f filename (batch mode)
-k keyfile (specify tsig key file)
-m (enable memory usage debugging)
-p port (specify port number)
-q name (specify query name)
-r (do not read ~/.digrc)
-t type (specify query type)
-u (display times in usec instead of msec)
-x dot-notation (shortcut for reverse lookups)
-y [hmac:]name:key (specify named base64 tsig key)
d-opt is of the form +keyword[=value], where keyword is:
+[no]aaflag (Set AA flag in query (+[no]aaflag))
+[no]aaonly (Set AA flag in query (+[no]aaflag))
+[no]additional (Control display of additional section)
+[no]adflag (Set AD flag in query (default on))
+[no]all (Set or clear all display flags)
+[no]answer (Control display of answer section)
+[no]authority (Control display of authority section)
+[no]badcookie (Retry BADCOOKIE responses)
+[no]besteffort (Try to parse even illegal messages)
+bufsize[=###] (Set EDNS0 Max UDP packet size)
+[no]cdflag (Set checking disabled flag in query)
+[no]class (Control display of class in records)
+[no]cmd (Control display of command line -
global option)
+[no]comments (Control display of packet header
and section name comments)
+[no]cookie (Add a COOKIE option to the request)
+[no]crypto (Control display of cryptographic
fields in records)
+[no]defname (Use search list (+[no]search))
+[no]dns64prefix (Get the DNS64 prefixes from ipv4only.arpa)
+[no]dnssec (Request DNSSEC records)
+domain=### (Set default domainname)
+[no]dscp[=###] (Set the DSCP value to ### [0..63])
+[no]edns[=###] (Set EDNS version) [0]
+ednsflags=### (Set EDNS flag bits)
+[no]ednsnegotiation (Set EDNS version negotiation)
+ednsopt=###[:value] (Send specified EDNS option)
+noednsopt (Clear list of +ednsopt options)
+[no]expandaaaa (Expand AAAA records)
+[no]expire (Request time to expire)
+[no]fail (Don't try next server on SERVFAIL)
+[no]header-only (Send query without a question section)
+[no]https[=###] (DNS-over-HTTPS mode) [/]
+[no]https-get (Use GET instead of default POST method while using HTTPS)
+[no]http-plain[=###] (DNS over plain HTTP mode) [/]
+[no]https-plain-get (Use GET instead of default POST method while using plain HTTP)
+[no]identify (ID responders in short answers)
+[no]idnin (Parse IDN names [default=on on tty])
+[no]idnout (Convert IDN response [default=on on tty])
+[no]ignore (Don't revert to TCP for TC responses.)
+[no]keepalive (Request EDNS TCP keepalive)
+[no]keepopen (Keep the TCP socket open between queries)
+[no]multiline (Print records in an expanded format)
+ndots=### (Set search NDOTS value)
+[no]nsid (Request Name Server ID)
+[no]nssearch (Search all authoritative nameservers)
+[no]onesoa (AXFR prints only one soa record)
+[no]opcode=### (Set the opcode of the request)
+padding=### (Set padding block size [0])
+qid=### (Specify the query ID to use when sending queries)
+[no]qr (Print question before sending)
+[no]question (Control display of question section)
+[no]raflag (Set RA flag in query (+[no]raflag))
+[no]rdflag (Recursive mode (+[no]recurse))
+[no]recurse (Recursive mode (+[no]rdflag))
+retry=### (Set number of UDP retries) [2]
+[no]rrcomments (Control display of per-record comments)
+[no]search (Set whether to use searchlist)
+[no]short (Display nothing except short
form of answers - global option)
+[no]showbadcookie (Show BADCOOKIE message)
+[no]showsearch (Search with intermediate results)
+[no]split=## (Split hex/base64 fields into chunks)
+[no]stats (Control display of statistics)
+subnet=addr (Set edns-client-subnet option)
+[no]tcflag (Set TC flag in query (+[no]tcflag))
+[no]tcp (TCP mode (+[no]vc))
+timeout=### (Set query timeout) [5]
+[no]tls (DNS-over-TLS mode)
+[no]tls-ca[=file] (Enable remote server's TLS certificate validation)
+[no]tls-hostname=hostname (Explicitly set the expected TLS hostname)
+[no]tls-certfile=file (Load client TLS certificate chain from file)
+[no]tls-keyfile=file (Load client TLS private key from file)
+[no]trace (Trace delegation down from root [+dnssec])
+tries=### (Set number of UDP attempts) [3]
+[no]ttlid (Control display of ttls in records)
+[no]ttlunits (Display TTLs in human-readable units)
+[no]unknownformat (Print RDATA in RFC 3597 "unknown" format)
+[no]vc (TCP mode (+[no]tcp))
+[no]yaml (Present the results as YAML)
+[no]zflag (Set Z flag in query)
global d-opts and servers (before host name) affect all queries.
local d-opts and servers (after host name) affect only that lookup.
-h (print help and exit)
-v (print version and exit)
dnstap-read
Print dnstap data in human-readable form
[email protected]:~# man dnstap-read
DNSTAP-READ(1) BIND 9 DNSTAP-READ(1)
NAME
dnstap-read - print dnstap data in human-readable form
SYNOPSIS
dnstap-read [-m] [-p] [-x] [-y] {file}
DESCRIPTION
dnstap-read reads dnstap data from a specified file and prints it in a
human-readable format. By default, dnstap data is printed in a short
summary format, but if the -y option is specified, a longer and more
detailed YAML format is used.
OPTIONS
-m This option indicates trace memory allocations, and is used for
debugging memory leaks.
-p This option prints the text form of the DNS message that was en-
capsulated in the dnstap frame, after printing the dnstap data.
-x This option prints a hex dump of the wire form of the DNS mes-
sage that was encapsulated in the dnstap frame, after printing
the dnstap data.
-y This option prints dnstap data in a detailed YAML format.
SEE ALSO
named(8), rndc(8), BIND 9 Administrator Reference Manual.
AUTHOR
Internet Systems Consortium
COPYRIGHT
2022, Internet Systems Consortium
9.18.8-1-Debian 2022-10-10 DNSTAP-READ(1)
mdig
DNS pipelined lookup utility
[email protected]:~# mdig -h
Usage: mdig @server {global-opt} host
{local-opt} [ host {local-opt} [...]]
Where:
anywhere opt is one of:
-f filename (batch mode)
-h (print help and exit)
-v (print version and exit)
global opt is one of:
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
-b address[#port] (bind to source address/port)
-p port (specify port number)
-m (enable memory usage debugging)
+[no]dscp[=###] (Set the DSCP value to ### [0..63])
+[no]vc (TCP mode)
+[no]tcp (TCP mode, alternate syntax)
+[no]besteffort (Try to parse even illegal messages)
+[no]cl (Control display of class in records)
+[no]comments (Control display of comment lines)
+[no]rrcomments (Control display of per-record comments)
+[no]crypto (Control display of cryptographic fields in records)
+[no]question (Control display of question)
+[no]answer (Control display of answer)
+[no]authority (Control display of authority)
+[no]additional (Control display of additional)
+[no]short (Disable everything except short
form of answer)
+[no]ttlid (Control display of ttls in records)
+[no]ttlunits (Display TTLs in human-readable units)
+[no]unknownformat (Print RDATA in RFC 3597 "unknown" format)
+[no]all (Set or clear all display flags)
+[no]multiline (Print records in an expanded format)
+[no]split=## (Split hex/base64 fields into chunks)
local opt is one of:
-c class (specify query class)
-t type (specify query type)
-x dot-notation (shortcut for reverse lookups)
+timeout=### (Set query timeout) [UDP=5,TCP=10]
+udptimeout=### (Set timeout before UDP retry)
+tries=### (Set number of UDP attempts) [3]
+retry=### (Set number of UDP retries) [2]
+bufsize=### (Set EDNS0 Max UDP packet size)
+subnet=addr (Set edns-client-subnet option)
+[no]edns[=###] (Set EDNS version) [0]
+ednsflags=### (Set EDNS flag bits)
+ednsopt=###[:value] (Send specified EDNS option)
+noednsopt (Clear list of +ednsopt options)
+[no]recurse (Recursive mode)
+[no]aaonly (Set AA flag in query (+[no]aaflag))
+[no]adflag (Set AD flag in query)
+[no]cdflag (Set CD flag in query)
+[no]zflag (Set Z flag in query)
+[no]dnssec (Request DNSSEC records)
+[no]expire (Request time to expire)
+[no]cookie[=###] (Send a COOKIE option)
+[no]nsid (Request Name Server ID)
nslookup
Query Internet name servers interactively
[email protected]:~# man nslookup
NSLOOKUP(1) BIND 9 NSLOOKUP(1)
NAME
nslookup - query Internet name servers interactively
SYNOPSIS
nslookup [-option] [name | -] [server]
DESCRIPTION
nslookup is a program to query Internet domain name servers. nslookup
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
prints just the name and requested information for a host or domain.
ARGUMENTS
Interactive mode is entered in the following cases:
a. when no arguments are given (the default name server is used);
b. when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional sec-
ond argument specifies the host name or address of a name server.
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to change the
default query type to host information, with an initial timeout of 10
seconds, type:
nslookup -query=hinfo -timeout=10
The -version option causes nslookup to print the version number and im-
mediately exit.
INTERACTIVE COMMANDS
host [server]
This command looks up information for host using the current de-
fault server or using server, if specified. If host is an Inter-
net address and the query type is A or PTR, the name of the host
is returned. If host is a name and does not have a trailing pe-
riod (.), the search list is used to qualify the name.
To look up a host not in the current domain, append a period to
the name.
server domain | lserver domain
These commands change the default server to domain; lserver uses
the initial server to look up information about domain, while
server uses the current default server. If an authoritative an-
swer cannot be found, the names of servers that might have the
answer are returned.
root This command is not implemented.
finger This command is not implemented.
ls This command is not implemented.
view This command is not implemented.
help This command is not implemented.
? This command is not implemented.
exit This command exits the program.
set keyword[=value]
This command is used to change state information that affects
the lookups. Valid keywords are:
all This keyword prints the current values of the frequently
used options to set. Information about the current de-
fault server and host is also printed.
class=value
This keyword changes the query class to one of:
IN the Internet class
CH the Chaos class
HS the Hesiod class
ANY wildcard
The class specifies the protocol group of the informa-
tion. The default is IN; the abbreviation for this key-
word is cl.
nodebug
This keyword turns on or off the display of the full re-
sponse packet, and any intermediate response packets,
when searching. The default for this keyword is nodebug;
the abbreviation for this keyword is [no]deb.
nod2 This keyword turns debugging mode on or off. This dis-
plays more about what nslookup is doing. The default is
nod2.
domain=name
This keyword sets the search list to name.
nosearch
If the lookup request contains at least one period, but
does not end with a trailing period, this keyword appends
the domain names in the domain search list to the request
until an answer is received. The default is search.
port=value
This keyword changes the default TCP/UDP name server port
to value from its default, port 53. The abbreviation for
this keyword is po.
querytype=value | type=value
This keyword changes the type of the information query to
value. The defaults are A and then AAAA; the abbrevia-
tions for these keywords are q and ty.
Please note that it is only possible to specify one query
type. Only the default behavior looks up both when an al-
ternative is not specified.
norecurse
This keyword tells the name server to query other servers
if it does not have the information. The default is re-
curse; the abbreviation for this keyword is [no]rec.
ndots=number
This keyword sets the number of dots (label separators)
in a domain that disables searching. Absolute names al-
ways stop searching.
retry=number
This keyword sets the number of retries to number.
timeout=number
This keyword changes the initial timeout interval to wait
for a reply to number, in seconds.
novc This keyword indicates that a virtual circuit should al-
ways be used when sending requests to the server. novc
is the default.
nofail This keyword tries the next nameserver if a nameserver
responds with SERVFAIL or a referral (nofail), or termi-
nates the query (fail) on such a response. The default is
nofail.
RETURN VALUES
nslookup returns with an exit status of 1 if any query failed, and 0
otherwise.
IDN SUPPORT
If nslookup has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. nslookup ap-
propriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server. To
turn off IDN support, define the IDN_DISABLE environment variable. IDN
support is disabled if the variable is set when nslookup runs, or when
the standard output is not a tty.
FILES
/etc/resolv.conf
SEE ALSO
dig(1), host(1), named(8).
AUTHOR
Internet Systems Consortium
COPYRIGHT
2022, Internet Systems Consortium
9.18.8-1-Debian 2022-10-10 NSLOOKUP(1)
nsupdate
Dynamic DNS update utility
[email protected]:~# nsupdate --help
nsupdate: illegal option -- -
nsupdate: invalid argument --
usage: nsupdate [-CdDi] [-L level] [-l] [-g | -o | -y keyname:secret | -k keyfile] [-p port] [-v] [-V] [-P] [-T] [-4 | -6] [filename]
bind9-doc
This package provides various documents that are useful for maintaining a working BIND 9 installation.
Installed size: 7.30 MB
How to install: sudo apt install bind9-doc
bind9-host
This package provides the ‘host’ DNS lookup utility in the form that is bundled with the BIND 9 sources.
Installed size: 374 KB
How to install: sudo apt install bind9-host
Dependencies:
- bind9-libs
- libc6
- libidn2-0
host
DNS lookup utility
[email protected]:~# host -h
host: illegal option -- h
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-m flag] [-p port] hostname [server]
-a is equivalent to -v -t ANY
-A is like -a but omits RRSIG, NSEC, NSEC3
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-m set memory debugging flag (trace|record|usage)
-N changes the number of dots allowed before root lookup is done
-p specifies the port on the server to query
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-U enables UDP mode
-v enables verbose output
-V print version number and exit
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
bind9-libs
The Berkeley Internet Name Domain (BIND 9) implements an Internet domain name server. BIND 9 is the most widely-used name server software on the Internet, and is supported by the Internet Software Consortium, www.isc.org.
This package contains a bundle of shared libraries used by BIND 9.
Installed size: 8.51 MB
How to install: sudo apt install bind9-libs
Dependencies:
- libc6
- libfstrm0
- libgssapi-krb5-2
- libjemalloc2
- libjson-c5
- libkrb5-3
- liblmdb0
- libmaxminddb0
- libnghttp2-14
- libprotobuf-c1
- libssl3
- libuv1
- libxml2
- zlib1g
bind9-utils
This package provides various utilities that are useful for maintaining a working BIND 9 installation.
Installed size: 837 KB
How to install: sudo apt install bind9-utils
Dependencies:
- bind9-libs
- libc6
dnssec-cds
Change DS records for a child zone based on CDS/CDNSKEY
[email protected]:~# dnssec-cds -h
Usage:
dnssec-cds options [options] -f <file> -d <path> <domain>
Version: 9.18.8-1-Debian
Options:
-a <algorithm> digest algorithm (SHA-1 / SHA-256 / SHA-384)
-c <class> of domain (default IN)
-D prefer CDNSKEY records instead of CDS
-d <file|dir> where to find parent dsset- file
-f <file> child DNSKEY+CDNSKEY+CDS+RRSIG records
-i[extension] update dsset- file in place
-s <start-time> oldest permitted child signatures
-u emit nsupdate script
-T <ttl> TTL of DS records
-V print version
-v <verbosity>
dnssec-dsfromkey
DNSSEC DS RR generation tool
[email protected]:~# dnssec-dsfromkey --help
dnssec-dsfromkey: invalid argument --
Usage:
dnssec-dsfromkey [options] keyfile
dnssec-dsfromkey [options] -f zonefile [zonename]
dnssec-dsfromkey [options] -s dnsname
dnssec-dsfromkey [-h|-V]
Version: 9.18.8-1-Debian
Options:
-1: digest algorithm SHA-1
-2: digest algorithm SHA-256
-a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)
-A: include all keys in DS set, not just KSKs (-f only)
-c class: rdata class for DS set (default IN) (-f or -s only)
-C: print CDS records
-f zonefile: read keys from a zone file
-h: print help information
-K directory: where to find key or keyset files
-s: read keys from keyset-<dnsname> file
-T: TTL of output records (omitted by default)
-v level: verbosity
-V: print version information
Output: DS or CDS RRs
dnssec-keyfromlabel
DNSSEC key generation tool
[email protected]:~# dnssec-keyfromlabel --help
dnssec-keyfromlabel: invalid argument --
Usage:
dnssec-keyfromlabel -l label [options] name
Version: 9.18.8-1-Debian
Required options:
-l label: label of the key pair
name: owner of the key
Other options:
-a algorithm:
DH | RSASHA1 |
NSEC3RSASHA1 |
RSASHA256 | RSASHA512 |
ECDSAP256SHA256 | ECDSAP384SHA384 |
ED25519 | ED448
-3: use NSEC3-capable algorithm
-c class (default: IN)
-E <engine>:
name of an OpenSSL engine to use
-f keyflag: KSK | REVOKE
-K directory: directory in which to place key files
-k: generate a TYPE=KEY key
-L ttl: default key TTL
-n nametype: ZONE | HOST | ENTITY | USER | OTHER
(DNSKEY generation defaults to ZONE
-p protocol: default: 3 [dnssec]
-t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
-y: permit keys that might collide
-v verbose level
-V: print version information
Date options:
-P date/[+-]offset: set key publication date
-P sync date/[+-]offset: set CDS and CDNSKEY publication date
-A date/[+-]offset: set key activation date
-R date/[+-]offset: set key revocation date
-I date/[+-]offset: set key inactivation date
-D date/[+-]offset: set key deletion date
-D sync date/[+-]offset: set CDS and CDNSKEY deletion date
-G: generate key only; do not set -P or -A
-C: generate a backward-compatible key, omitting all dates
-S <key>: generate a successor to an existing key
-i <interval>: prepublication interval for successor key (default: 30 days)
Output:
K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private
dnssec-keygen
DNSSEC key generation tool
[email protected]:~# dnssec-keygen --help
dnssec-keygen: invalid argument --
Usage:
dnssec-keygen [options] name
Version: 9.18.8-1-Debian
name: owner of the key
Options:
-K <directory>: write keys into directory
-k <policy>: generate keys for dnssec-policy
-l <file>: configuration file with dnssec-policy statement
-a <algorithm>:
RSASHA1 | NSEC3RSASHA1 |
RSASHA256 | RSASHA512 |
ECDSAP256SHA256 | ECDSAP384SHA384 |
ED25519 | ED448 | DH
-3: use NSEC3-capable algorithm
-b <key size in bits>:
RSASHA1: [1024..4096]
NSEC3RSASHA1: [1024..4096]
RSASHA256: [1024..4096]
RSASHA512: [1024..4096]
DH: [128..4096]
ECDSAP256SHA256: ignored
ECDSAP384SHA384: ignored
ED25519: ignored
ED448: ignored
(key size defaults are set according to
algorithm and usage (ZSK or KSK)
-n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
(DNSKEY generation defaults to ZONE)
-c <class>: (default: IN)
-d <digest bits> (0 => max, default)
-E <engine>:
name of an OpenSSL engine to use
-f <keyflag>: KSK | REVOKE
-g <generator>: use specified generator (DH only)
-L <ttl>: default key TTL
-p <protocol>: (default: 3 [dnssec])
-s <strength>: strength value this key signs DNS records with (default: 0)
-T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
-t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
-h: print usage and exit
-m <memory debugging mode>:
usage | trace | record | size | mctx
-v <level>: set verbosity level (0 - 10)
-V: print version information
Timing options:
-P date/[+-]offset/none: set key publication date (default: now)
-P sync date/[+-]offset/none: set CDS and CDNSKEY publication date
-A date/[+-]offset/none: set key activation date (default: now)
-R date/[+-]offset/none: set key revocation date
-I date/[+-]offset/none: set key inactivation date
-D date/[+-]offset/none: set key deletion date
-D sync date/[+-]offset/none: set CDS and CDNSKEY deletion date
-G: generate key only; do not set -P or -A
-C: generate a backward-compatible key, omitting all dates
-S <key>: generate a successor to an existing key
-i <interval>: prepublication interval for successor key (default: 30 days)
Output:
K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private
dnssec-revoke
Set the REVOKED bit on a DNSSEC key
[email protected]:~# dnssec-revoke --help
dnssec-revoke: invalid argument --
Usage:
dnssec-revoke [options] keyfile
Version: 9.18.8-1-Debian
-E engine: specify OpenSSL engine
-f: force overwrite
-h: help
-K directory: use directory for key files
-r: remove old keyfiles after creating revoked version
-v level: set level of verbosity
-V: print version information
Output:
K<name>+<alg>+<new id>.key, K<name>+<alg>+<new id>.private
dnssec-settime
Set the key timing metadata for a DNSSEC key
[email protected]:~# dnssec-settime --help
dnssec-settime: invalid argument --
Usage:
dnssec-settime [options] keyfile
Version: 9.18.8-1-Debian
General options:
-E engine: specify OpenSSL engine
-f: force update of old-style keys
-K directory: set key file location
-L ttl: set default key TTL
-v level: set level of verbosity
-V: print version information
-h: help
Timing options:
-P date/[+-]offset/none: set/unset key publication date
-P ds date/[+-]offset/none: set/unset DS publication date
-P sync date/[+-]offset/none: set/unset CDS and CDNSKEY publication date
-A date/[+-]offset/none: set/unset key activation date
-R date/[+-]offset/none: set/unset key revocation date
-I date/[+-]offset/none: set/unset key inactivation date
-D date/[+-]offset/none: set/unset key deletion date
-D ds date/[+-]offset/none: set/unset DS deletion date
-D sync date/[+-]offset/none: set/unset CDS and CDNSKEY deletion date
-S <key>: generate a successor to an existing key
-i <interval>: prepublication interval for successor key (default: 30 days)
Key state options:
-s: update key state file (default no)
-g state: set the goal state for this key
-d state date/[+-]offset: set the DS state
-k state date/[+-]offset: set the DNSKEY state
-r state date/[+-]offset: set the RRSIG (KSK) state
-z state date/[+-]offset: set the RRSIG (ZSK) state
Printing options:
-p C/P/Psync/A/R/I/D/Dsync/all: print a particular time value or values
-u: print times in unix epoch format
Output:
K<name>+<alg>+<new id>.key, K<name>+<alg>+<new id>.private
dnssec-signzone
DNSSEC zone signing tool
[email protected]:~# dnssec-signzone --help
dnssec-signzone: illegal option -- -
dnssec-signzone: invalid argument --
Usage:
dnssec-signzone [options] zonefile [keys]
Version: 9.18.8-1-Debian
Options: (default value in parenthesis)
-S: smart signing: automatically finds key files
for the zone and determines how they are to be used
-K directory:
directory to find key files (.)
-d directory:
directory to find dsset-* files (.)
-g: update DS records based on child zones' dsset-* files
-s [YYYYMMDDHHMMSS|+offset]:
RRSIG start time - absolute|offset (now - 1 hour)
-e [YYYYMMDDHHMMSS|+offset|"now"+offset]:
RRSIG end time - absolute|from start|from now (now + 30 days)
-X [YYYYMMDDHHMMSS|+offset|"now"+offset]:
DNSKEY RRSIG end - absolute|from start|from now (matches -e)
-i interval:
cycle interval - resign if < interval from end ( (end-start)/4 )
-j jitter:
randomize signature end time up to jitter seconds
-v debuglevel (0)
-q quiet
-V: print version information
-o origin:
zone origin (name of zonefile)
-f outfile:
file the signed zone is written in (zonefile + .signed)
-I format:
file format of input zonefile (text)
-O format:
file format of signed zone file (text)
-N format:
soa serial format of signed zone file (keep)
-D:
output only DNSSEC-related records
-a: verify generated signatures
-c class (IN)
-E engine:
name of an OpenSSL engine to use
-P: disable post-sign verification
-Q: remove signatures from keys that are no longer active
-R: remove signatures from keys that no longer exist
-T TTL: TTL for newly added DNSKEYs
-t: print statistics
-u: update or replace an existing NSEC/NSEC3 chain
-x: sign DNSKEY record with KSKs only, not ZSKs
-z: sign all records with KSKs
-C: generate a keyset file, for compatibility
with older versions of dnssec-signzone -g
-n ncpus (number of cpus present)
-k key_signing_key
-3 NSEC3 salt
-H NSEC3 iterations (10)
-A NSEC3 optout
Signing Keys: (default: all zone keys that have private keys)
keyfile (Kname+alg+tag)
dnssec-verify
DNSSEC zone verification tool
[email protected]:~# dnssec-verify --help
dnssec-verify: illegal option -- -
dnssec-verify: illegal option -- e
dnssec-verify: illegal option -- l
dnssec-verify: illegal option -- p
dnssec-verify: invalid argument --
Usage:
dnssec-verify [options] zonefile [keys]
Version: 9.18.8-1-Debian
Options: (default value in parenthesis)
-v debuglevel (0)
-q quiet
-V: print version information
-o origin:
zone origin (name of zonefile)
-I format:
file format of input zonefile (text)
-c class (IN)
-E engine:
name of an OpenSSL engine to use
-x: DNSKEY record signed with KSKs only, not ZSKs
-z: All records signed with KSKs
named-checkconf
Named configuration file syntax checking tool
[email protected]:~# named-checkconf --help
named-checkconf: invalid argument --
usage: named-checkconf [-chijlvz] [-p [-x]] [-t directory] [named.conf]
named-checkzone
Zone file validity checking or converting tool
[email protected]:~# named-checkzone --help
named-checkzone: invalid argument --
usage: named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-J filename] [-s (full|relative)] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-m (ignore|warn|fail)] [-n (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M (ignore|warn|fail)] [-S (ignore|warn|fail)] [-W (ignore|warn)] [-o filename] zonename [ (filename|-) ]
named-compilezone
Zone file validity checking or converting tool
[email protected]:~# named-compilezone --help
named-compilezone: invalid argument --
usage: named-compilezone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-J filename] [-s (full|relative)] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-m (ignore|warn|fail)] [-n (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M (ignore|warn|fail)] [-S (ignore|warn|fail)] [-W (ignore|warn)] -o filename zonename [ (filename|-) ]
rndc
Name server control utility
[email protected]:~# rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-r] [-V] [-4 | -6] command
command is one of the following:
addzone zone [class [view]] { zone-options }
Add zone to given view. Requires allow-new-zones option.
delzone [-clean] zone [class [view]]
Removes zone from given view.
dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]
Mark the DS record for the KSK of the given zone as seen
in the parent. If the zone has multiple KSKs, select a
specific key by providing the keytag with -key id and
optionally the key's algorithm with -alg algorithm.
Requires the zone to have a dnssec-policy.
dnssec -rollover -key id [-alg algorithm] [-when time] zone [class [view]]
Rollover key with id of the given zone. Requires the zone
to have a dnssec-policy.
dnssec -status zone [class [view]]
Show the DNSSEC signing state for the specified zone.
Requires the zone to have a dnssec-policy.
dnstap -reopen
Close, truncate and re-open the DNSTAP output file.
dnstap -roll count
Close, rename and re-open the DNSTAP output file(s).
dumpdb [-all|-cache|-zones|-adb|-bad|-expired|-fail] [view ...]
Dump cache(s) to the dump file (named_dump.db).
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
flushtree name [view]
Flush all names under the given name from the server's cache(s)
freeze Suspend updates to all dynamic zones.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
loadkeys zone [class [view]]
Update keys without signing immediately.
managed-keys refresh [class [view]]
Check trust anchor for RFC 5011 key changes
managed-keys status [class [view]]
Display RFC 5011 managed keys information
managed-keys sync [class [view]]
Write RFC 5011 managed keys to disk
modzone zone [class [view]] { zone-options }
Modify a zone's configuration.
Requires allow-new-zones option.
notify zone [class [view]]
Resend NOTIFY messages for the zone.
notrace Set debugging level to 0.
nta -dump
List all negative trust anchors.
nta [-lifetime duration] [-force] domain [view]
Set a negative trust anchor, disabling DNSSEC validation
for the given domain.
Using -lifetime specifies the duration of the NTA, up
to one week.
Using -force prevents the NTA from expiring before its
full lifetime, even if the domain can validate sooner.
nta -remove domain [view]
Remove a negative trust anchor, re-enabling validation
for the given domain.
querylog [ on | off ]
Enable / disable query logging.
reconfig Reload configuration file and new zones only.
recursing Dump the queries that are currently recursing (named.recursing)
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
scan Scan available network interfaces for changes.
secroots [view ...]
Write security roots to the secroots file.
serve-stale [ on | off | reset | status ] [class [view]]
Control whether stale answers are returned
showzone zone [class [view]]
Print a zone's configuration.
sign zone [class [view]]
Update zone keys, and sign as needed.
signing -clear all zone [class [view]]
Remove the private records for all keys that have
finished signing the given zone.
signing -clear <keyid>/<algorithm> zone [class [view]]
Remove the private record that indicating the given key
has finished signing the given zone.
signing -list zone [class [view]]
List the private records showing the state of DNSSEC
signing in the given zone.
signing -nsec3param hash flags iterations salt zone [class [view]]
Add NSEC3 chain to zone if already signed.
Prime zone with NSEC3 chain if not yet signed.
signing -nsec3param none zone [class [view]]
Remove NSEC3 chains from zone.
signing -serial <value> zone [class [view]]
Set the zones's serial to <value>.
stats Write server statistics to the statistics file.
status Display status of the server.
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
sync [-clean] Dump changes to all dynamic zones to disk, and optionally
remove their journal files.
sync [-clean] zone [class [view]]
Dump a single zone's changes to disk, and optionally
remove its journal file.
tcp-timeouts Display the tcp-*-timeout option values
tcp-timeouts initial idle keepalive advertised
Update the tcp-*-timeout option values
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
trace Increment debugging level by one.
trace level Change the debugging level.
tsig-delete keyname [view]
Delete a TKEY-negotiated TSIG key.
tsig-list List all currently active TSIG keys, including both statically
configured and TKEY-negotiated keys.
validation [ on | off | status ] [view]
Enable / disable DNSSEC validation.
zonestatus zone [class [view]]
Display the current status of a zone.
Version: 9.18.8-1-Debian
rndc-confgen
Rndc key generation tool
[email protected]:~# rndc-confgen -h
Usage:
rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-s addr] [-t chrootdir] [-u user]
-a: generate just the key clause and write it to keyfile (/etc/bind/rndc.key)
-A alg: algorithm (default hmac-sha256)
-b bits: from 1 through 512, default 256; total length of the secret
-c keyfile: specify an alternate key file (requires -a)
-k keyname: the name as it will be used in named.conf and rndc.conf
-p port: the port named will listen on and rndc will connect to
-q: suppress printing written key path
-s addr: the address to which rndc should connect
-t chrootdir: write a keyfile in chrootdir as well (requires -a)
-u user: set the keyfile owner to "user" (requires -a)
bind9utils
This is a transitional package. It can safely be removed.
Installed size: 257 KB
How to install: sudo apt install bind9utils
Dependencies:
- bind9-utils
dnsutils
This is a transitional package. It can safely be removed.
Installed size: 257 KB
How to install: sudo apt install dnsutils
Dependencies:
- bind9-dnsutils
Updated on: 2022-Nov-28