ADNS

From the Homepage:

Advanced, easy to use, asynchronous-capable DNS client library and utilities.

adns is a resolver library for C (and C++) programs, and a collection of useful 

DNS resolver utilities.

I'm (Ian) afraid there is no manual yet. However, competent C programmers should

be able to use the library based on the commented adns.h header file, and

the usage messages for the programs should be sufficient.

adns also comes with a number of utility programs for use from the command

line and in scripts:

    * adnslogres is a much faster version of Apache's logresolv program.

    * adnsresfilter is a filter which copies its input to its output,

      replacing IP addresses by the corresponding names, without unduly

      delaying the output. For example, you can usefully pipe the

      output of netstat -n, tcpdump -ln, and the like, into it.

    * adnshost is a general-purpose DNS lookup utility which can be used easily

      in from the command line and from shell scripts to do simple lookups.

      In a more advanced mode it can be used as a general-purpose DNS helper

      program for scripting languages which can invoke and communicate with

      subprocesses. See the adnshost usage message for a summary of its capabilities.

From the INSTALL file:

    SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

    adns is not a `full-service resolver': it does no caching of responses

    at all, and has no defence against bad nameservers or fake packets

    which appear to come from your real nameservers.  It relies on the

    full-service resolvers listed in resolv.conf to handle these tasks.

    For secure and reasonable operation you MUST run a full-service

    nameserver on the same system as your adns applications, or on the

    same local, fully trusted network.  You MUST only list such

    nameservers in the adns configuration (eg resolv.conf).

    You MUST use a firewall or other means to block packets which appear

    to come from these nameservers, but which were actually sent by other,

    untrusted, entities.

    Furthermore, adns is not DNSSEC-aware in this version; it doesn't

    understand even how to ask a DNSSEC-aware nameserver to perform the

    DNSSEC cryptographic signature checking.

In particular, adns does not randomize the query source port or transaction ID;

relevant advisories are CVE-2008-1447 and CVE-2008-4100.  Since adns is a stub

resolver, the workarounds listed in DSA-1605-1 for glibc also apply to adns.