<html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-Language" content="en" />
    <title>dnsfunnel: the dnsfunnel-daemon program</title>
    <meta name="Description" content="dnsfunnel: the dnsfunnel-daemon program" />
    <meta name="Keywords" content="dnsfunnel daemon /etc/resolv.conf local cache resolver 127.0.0.1" />
    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
  </head>
<body>

<p>
<a href="index.html">dnsfunnel</a><br />
<a href="//skarnet.org/software/">Software</a><br />
<a href="//skarnet.org/">skarnet.org</a>
</p>

<h1> The <tt>dnsfunnel-daemon</tt> program </h1>

<p>
<tt>dnsfunnel-daemon</tt> binds to a local UDP socket, drops its
privileges, then executes into <a href="dnsfunneld.html">dnsfunneld</a>.
</p>

<h2> Interface </h2>

<pre>
     dnsfunnel-daemon [ -v verbosity ] [ -d notif ] [ -U | -u uid -g gid ] [ -i ip:port ] [ -R root ] [ -b bufsize ] [ -f cachelist ] [ -T | -t ] [ -N | -n ]
</pre>

<ul>
 <li> dnsfunnel-daemon creates a UDP inet domain socket and binds it
to IPv4 address <em>ip</em> (normally 127.0.0.1) and port <em>port</em>
(normally 53). </li>
 <li> Depending on the options it has been given, it may chroot and drop
privileges by changing its gid and uid. </li>
 <li> It execs into <a href="dnsfunneld.html">dnsfunneld</a> with the
UDP socket as its standard input. </li>
</ul>

<p>
 The point of <tt>dnsfunnel-daemon</tt> is to separate the administrative
operations of starting a daemon from the actual serving part, which is
handled by <a href="dnsfunneld.html">dnsfunneld</a>.
</p>

<h2> Exit codes </h2>

<ul>
 <li> 100: wrong usage </li>
 <li> 111: system call failed </li>
 <li> 126: failed to exec <a href="dnsfunneld.html">dnsfunneld</a> </li>
 <li> 127: could not find the <a href="dnsfunneld.html">dnsfunneld</a> executable </li>
</ul>

<h2> Options </h2>

<ul>
 <li> <tt>-v&nbsp;<em>verbosity</em></tt>&nbsp;: verbosity of the
<a href="dnsfunneld.html">dnsfunneld</a> program. This option is passed as is
to <a href="dnsfunneld.html">dnsfunneld</a>. Default is 1. 0 suppresses warning
messages. Higher values may give more informational messages. </li>
 <li> <tt>-d&nbsp;<em>notif</em></tt>&nbsp;: readiness notification. This option
is passed as is to <a href="dnsfunneld.html">dnsfunneld</a>, which will print a
newline to descriptor <em>notif</em> when it is ready. Default is no readiness
notification. </li>
 <li> <tt>-U</tt>&nbsp;: read a uid from the UID environment variable and a gid
from the GID environment variable, and drop privileges to that uid/gid. </li>
 <li> <tt>-u&nbsp;<em>uid</em></tt>&nbsp;: drop privileges to numerical uid
<em>uid</em>. </li>
 <li> <tt>-g&nbsp;<em>gid</em></tt>&nbsp;: drop privileges to numerical gid
<em>gid</em>. </li>
 <li> <tt>-i&nbsp;<em>ip</em>:<em>port</em></tt>&nbsp;: bind the socket to
IPv4 <em>ip</em> and port <em>port</em>. Default for <em>ip</em> is
<tt>127.0.0.1</tt>; default for <em>port</em> is 53. </li>
 <li> <tt>-R&nbsp;<em>root</em></tt>&nbsp;: chroot to <em>root</em>. Note that
this option only increases security if you also drop privileges. </li>
 <li> <tt>-b&nbsp;<em>bufsize</em></tt>&nbsp;: try to reserve a kernel buffer
size of <em>bufsize</em> bytes for the socket. Default is 131072. If the given
<em>bufsize</em> is 0, then <tt>dnsfunnel-daemon</tt> will use whatever the
default is for your kernel. </li>
 <li> <tt>-f&nbsp;<em>cachelist</em></tt>&nbsp;: Use <em>cachelist</em> as the
file that <a href="dnsfunneld.html">dnsfunneld</a> reads its cache addresses
from. Default is <tt>/run/dnsfunnel-caches</tt>, or <em>file</em>
if the <tt>--with-cachelist=<em>file</em></tt> option has been given to the
configure script at build time. </li>
</ul>
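<p>
 The sequence described in the Interface section (bind, optionally chroot and
drop privileges, exec with the socket as standard input), together with the
<tt>-i</tt>, <tt>-U</tt>/<tt>-u</tt>/<tt>-g</tt>, <tt>-R</tt> and <tt>-b</tt>
options, worked as an added C example. This is not dnsfunnel's own code: it
hardcodes the 131072-byte buffer default, forwards none of the other options,
and assumes an exec target named <tt>dnsfunneld</tt> on PATH. The exit codes
are the ones listed above.
</p>

```c
/* Added example, not dnsfunnel's own code: a launcher that follows the
 * dnsfunnel-daemon sequence (parse ip:port, bind a UDP socket, optionally
 * chroot and drop privileges, exec the serving program with the socket on
 * fd 0). Exit codes: 100 usage, 111 system call failure, 126/127 exec. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
int setgroups(size_t n, const gid_t *groups);  /* <grp.h> hides it under strict feature macros */
#endif

/* -i ip:port with the page's defaults (127.0.0.1 and 53); "ip", ":port" and
 * "ip:port" are all accepted. Returns 0, or -1 on malformed input (exit 100). */
static int parse_ipport(const char *s, struct sockaddr_in *sa)
{
    char buf[64];
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(53);
    inet_pton(AF_INET, "127.0.0.1", &sa->sin_addr);
    if (!s || !*s) return 0;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    char *colon = strchr(buf, ':');
    if (colon) {
        char *end;
        *colon = 0;
        long port = strtol(colon + 1, &end, 10);
        if (colon[1] == 0 || *end || port < 1 || port > 65535) return -1;
        sa->sin_port = htons((unsigned short)port);
    }
    if (buf[0] && inet_pton(AF_INET, buf, &sa->sin_addr) != 1) return -1;
    return 0;
}

/* -U: numeric uid and gid from the UID and GID environment variables.
 * Returns 0 and fills uid/gid, or -1 if either is missing or not a number. */
static int uidgid_from_env(uid_t *uid, gid_t *gid)
{
    const char *u = getenv("UID"), *g = getenv("GID");
    char *end;
    if (!u || !*u || !g || !*g) return -1;
    unsigned long uu = strtoul(u, &end, 10);
    if (*end) return -1;
    unsigned long gg = strtoul(g, &end, 10);
    if (*end) return -1;
    *uid = (uid_t)uu;
    *gid = (gid_t)gg;
    return 0;
}

/* -R root, then -u/-g (0 means "keep"). Order matters: chroot while still
 * root, then set the gid and clear supplementary groups before the uid, since
 * after setuid() to an unprivileged user the gid change would fail. A chroot
 * without the uid/gid change is the weak setup the -R note warns about.
 * Returns 0, or -1 with errno set (exit 111). */
static int drop_privileges(const char *root, uid_t uid, gid_t gid)
{
    if (root && (chroot(root) < 0 || chdir("/") < 0)) return -1;
    if (gid && (setgroups(1, &gid) < 0 || setgid(gid) < 0)) return -1;
    if (uid && setuid(uid) < 0) return -1;
    return 0;
}

/* Create and bind the socket; -b bufsize > 0 requests that receive buffer,
 * 0 keeps the kernel default. Returns the fd, or -1 with errno set. */
static int bind_udp(const struct sockaddr_in *sa, int bufsize)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if ((bufsize > 0 && setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bufsize, sizeof bufsize) < 0)
        || bind(fd, (const struct sockaddr *)sa, sizeof *sa) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/* usage: launcher [ip:port] [root], with UID and GID set in the environment.
 * The exec target "dnsfunneld" is assumed to be on PATH; a real launcher would
 * also forward -v, -d, -f and the feature flags. */
int main(int argc, char **argv)
{
    struct sockaddr_in sa;
    uid_t uid = 0; gid_t gid = 0;
    if (parse_ipport(argc > 1 ? argv[1] : NULL, &sa) < 0 || uidgid_from_env(&uid, &gid) < 0) {
        fprintf(stderr, "usage: launcher [ip:port] [root]  (UID and GID must be set)\n");
        return 100;
    }
    int fd = bind_udp(&sa, 131072);
    if (fd < 0 || drop_privileges(argc > 2 ? argv[2] : NULL, uid, gid) < 0 || dup2(fd, 0) < 0) {
        perror("launcher");
        return 111;
    }
    if (fd != 0) close(fd);
    execlp("dnsfunneld", "dnsfunneld", (char *)0);
    return errno == ENOENT ? 127 : 126;  /* 127: not found; 126: found but exec failed */
}
```

<p>
 The point to take from the ordering in <tt>drop_privileges</tt> is that the
bind to port 53 and the chroot both need root, so they happen first, and the
uid change comes last because it is irreversible: once it has happened the
process can no longer change its gid or leave the chroot. Binding before
dropping privileges is also why the socket, not the port, is what gets handed
to <tt>dnsfunneld</tt> on its standard input.
</p>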

<p>
 The other options control the activation or deactivation of various
<a href="dnsfunneld.html">dnsfunneld</a> features:
</p>

<ul>
 <li> <tt>-T</tt>&nbsp;: Do not activate truncation of responses. This is
the default. </li>
 <li> <tt>-t</tt>&nbsp;: If a DNS response is bigger than 510 bytes,
truncate its last resource records until it fits into 510 bytes and can
be sent in a UDP packet. </li>
 <li> <tt>-N</tt>&nbsp;: Do not activate nxdomain workaround. This is the
default. </li>
 <li> <tt>-n</tt>&nbsp;: Activate nxdomain workaround. When receiving an A
(resp. AAAA) query to forward, also make an AAAA (resp. A) query, and adjust
the response accordingly. Some DNS servers incorrectly answer NXDOMAIN when
they should just answer NODATA, and querying for another, existing, record
type for the same domain allows dnsfunneld to tell the difference between a
real NXDOMAIN (in which case that response is forwarded to the client) and
an incorrect one (in which case NODATA is answered to the client instead). </li>
 <li> Other options may be added in the future. </li>
</ul>
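<p>
 The <tt>-t</tt> behaviour, dropping resource records from the end of a
response until it fits in 510 bytes, worked as an added C example. This is not
dnsfunneld's code: it walks the message far enough to find RR boundaries
(handling compression pointers in names), keeps the longest prefix of RRs that
fits, rewrites the section counts to match, and also sets the TC bit, which
the page does not mention and is this example's choice. The sample response
it parses is constructed inline.
</p>

```c
/* Added example, not dnsfunnel's own code: truncate a DNS response to a byte
 * limit by dropping trailing resource records (additional first, then
 * authority, then answer), keeping the section counts consistent. */
#include <string.h>

#define DNS_UDP_LIMIT 510  /* the limit the page gives for -t */

/* Offset just past the name starting at off, or -1 if malformed. A label
 * whose top two bits are 11 is a compression pointer and ends the name. */
static int skip_name(const unsigned char *m, int len, int off)
{
    while (off < len) {
        unsigned c = m[off];
        if (c == 0) return off + 1;
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : -1;
        if (c & 0xC0) return -1;  /* reserved label types */
        off += 1 + (int)c;
    }
    return -1;
}

/* Offset just past the RR at off: name, 10 fixed bytes, then RDLENGTH bytes. */
static int skip_rr(const unsigned char *m, int len, int off)
{
    off = skip_name(m, len, off);
    if (off < 0 || off + 10 > len) return -1;
    int rdlen = (m[off + 8] << 8) | m[off + 9];
    off += 10 + rdlen;
    return off <= len ? off : -1;
}

static void put16(unsigned char *p, int v)
{
    p[0] = (unsigned char)(v >> 8);
    p[1] = (unsigned char)v;
}

/* Truncate the response in m (len bytes) to at most limit bytes. Returns the
 * new length (len itself if nothing had to go), or -1 if the message is
 * malformed or even the header and question section exceed the limit. */
static int truncate_response(unsigned char *m, int len, int limit)
{
    if (len < 12) return -1;
    int qd = (m[4] << 8) | m[5];
    int count[3] = { (m[6] << 8) | m[7], (m[8] << 8) | m[9], (m[10] << 8) | m[11] };
    int kept[3] = { 0, 0, 0 };
    int end = 12;
    for (int i = 0; i < qd; i++) {
        end = skip_name(m, len, end);
        if (end < 0 || end + 4 > len) return -1;
        end += 4;  /* QTYPE, QCLASS */
    }
    if (end > limit) return -1;
    for (int s = 0; s < 3; s++) {
        for (int i = 0; i < count[s]; i++) {
            int next = skip_rr(m, len, end);
            if (next < 0) return -1;
            if (next > limit) goto cut;  /* this RR and all later ones are dropped */
            end = next;
            kept[s]++;
        }
    }
    return len;
cut:
    m[2] |= 0x02;  /* TC bit, so the client knows to retry over TCP */
    put16(m + 6, kept[0]);
    put16(m + 8, kept[1]);
    put16(m + 10, kept[2]);
    return end;
}

/* Constructed sample: a NOERROR response for the name "a" with three A
 * records, each answer name being a pointer to the question name at offset
 * 12. Header and question are 19 bytes, each answer 16, total 67. */
static int build_sample_response(unsigned char *buf)
{
    static const unsigned char hdr_q[] = {
        0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
        0x01, 'a', 0x00, 0x00, 0x01, 0x00, 0x01 };
    static const unsigned char rr[] = {
        0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
        10, 0, 0, 0 };
    int n = (int)sizeof hdr_q;
    memcpy(buf, hdr_q, n);
    for (int i = 0; i < 3; i++) {
        memcpy(buf + n, rr, sizeof rr);
        buf[n + 15] = (unsigned char)(i + 1);  /* 10.0.0.1, 10.0.0.2, 10.0.0.3 */
        n += (int)sizeof rr;
    }
    return n;
}
```

<p>
 With <tt>DNS_UDP_LIMIT</tt> the sample response (67 bytes) is left alone;
with a limit of 40 bytes only the first answer survives and ANCOUNT becomes 1.
Cutting whole RRs, and from the end, is what keeps the result a valid message:
a response cut at an arbitrary byte would have counts that no longer match
its contents.
</p>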

</body>
</html>