ADNS

From the Homepage:

Advanced, easy to use, asynchronous-capable DNS client library and utilities.
adns is a resolver library for C (and C++) programs, and a collection of useful
DNS resolver utilities.

I'm (Ian) afraid there is no manual yet. However, competent C programmers should
be able to use the library based on the commented adns.h header file, and
the usage messages for the programs should be sufficient.

adns also comes with a number of utility programs for use from the command
line and in scripts:

* adnslogres is a much faster version of Apache's logresolv program.

* adnsresfilter is a filter which copies its input to its output,
  replacing IP addresses by the corresponding names, without unduly
  delaying the output. For example, you can usefully pipe the
  output of netstat -n, tcpdump -ln, and the like, into it.

* adnshost is a general-purpose DNS lookup utility which can be used easily
  from the command line and from shell scripts to do simple lookups.
  In a more advanced mode it can be used as a general-purpose DNS helper
  program for scripting languages which can invoke and communicate with
  subprocesses. See the adnshost usage message for a summary of its capabilities.

From the INSTALL file:

SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

adns is not a `full-service resolver': it does no caching of responses
at all, and has no defence against bad nameservers or fake packets
which appear to come from your real nameservers. It relies on the
full-service resolvers listed in resolv.conf to handle these tasks.

For secure and reasonable operation you MUST run a full-service
nameserver on the same system as your adns applications, or on the
same local, fully trusted network. You MUST only list such
nameservers in the adns configuration (eg resolv.conf).

You MUST use a firewall or other means to block packets which appear
to come from these nameservers, but which were actually sent by other,
untrusted, entities.

Furthermore, adns is not DNSSEC-aware in this version; it doesn't
understand even how to ask a DNSSEC-aware nameserver to perform the
DNSSEC cryptographic signature checking.

In particular, adns does not randomize the query source port or transaction ID;
relevant advisories are CVE-2008-1447 and CVE-2008-4100. Since adns is a stub
resolver, the workarounds listed in DSA-1605-1 for glibc also apply to adns.
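
A check for the resolv.conf requirement quoted from the INSTALL file, as an added example (not part of adns or of this README): it classifies each nameserver entry as loopback, candidate local network, or outside both. The address ranges treated as "local network" and the sample file contents are assumptions made for illustration; whether a LAN resolver is fully trusted still has to be confirmed by hand.

```python
import ipaddress

# Assumption: ranges accepted as a candidate "same local network" (RFC 1918,
# IPv6 ULA, link-local). Adjust to the networks you actually operate.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample resolv.conf (documentation addresses, not a real system).
SAMPLE_RESOLV_CONF = """\
# constructed example
search example.test
nameserver 127.0.0.1
nameserver ::1
nameserver 192.168.1.53
nameserver 192.0.2.53
nameserver not-an-ip
options timeout:2
"""

def classify(addr):
    """Return 'local', 'review', 'untrusted' or 'invalid' for one address."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "local"       # resolver on the same system
    if any(ip.version == n.version and ip in n for n in LAN_NETS):
        return "review"      # on a LAN range: trust must be confirmed by hand
    return "untrusted"       # outside both cases the INSTALL note allows

def audit_resolv_conf(text):
    """List (line number, address, verdict) for every nameserver entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            findings.append((lineno, fields[1], classify(fields[1])))
    return findings

def violations(text):
    """Entries that cannot satisfy the requirement under any reading."""
    return [f for f in audit_resolv_conf(text) if f[2] in ("untrusted", "invalid")]

if __name__ == "__main__":
    for lineno, addr, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"line {lineno}: {addr:<15} {verdict}")
```

Pass it the contents of the resolv.conf your adns applications read; any entry returned by `violations` points adns at a resolver that is neither on the same system nor on a local network range.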