dnsfunnel
Software
skarnet.org
The dnsfunnel-daemon program
dnsfunnel-daemon binds to a local UDP socket, drops its
privileges, then executes into dnsfunneld.
It is the high-level entry point to invoke in scripts that want to launch
dnsfunneld.
Interface
dnsfunnel-daemon [ -v verbosity ] [ -d notif ] [ -U | -u uid -g gid ] [ -i ip:port ] [ -R root ] [ -b bufsize ] [ -f cachelist ] [ -T | -t ] [ -N | -n ]
- dnsfunnel-daemon creates a UDP inet domain socket and binds it
to IPv4 address ip (normally 127.0.0.1) and port port
(normally 53). This happens first, while the process still has the
privileges needed to bind a port below 1024.
- Depending on the options it has been given, it may then chroot and
drop its privileges to the given gid and uid.
- It execs into dnsfunneld with the
UDP socket as its standard input.
The point of dnsfunnel-daemon is to separate the administrative
operations of starting a daemon from the actual serving part, which is
handled by dnsfunneld.
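The three steps above, written out as an added example that is not dnsfunnel's own code, so the ordering of the security-relevant operations is explicit: bind while privileged, chroot while still root, drop groups and ids in an order that cannot be reversed, verify the drop stuck, then hand the socket over on descriptor 0 and exec. The exit codes follow the table below. Assumptions, not stated on this page: dnsfunneld is on PATH; only -v and -d are passed through by name (anything else goes in `extra`); supplementary groups are cleared as part of the drop; the chroot directory /var/empty in the usage line is a placeholder.

```python
import os
import socket
import sys

DEFAULT_BUFSIZE = 131072


def bind_udp(ip="127.0.0.1", port=53, bufsize=DEFAULT_BUFSIZE):
    """Step 1: create and bind the IPv4 UDP socket while still privileged
    (port 53 needs root or CAP_NET_BIND_SERVICE). bufsize 0 keeps the kernel
    default, like -b 0. The kernel may clamp the request, so callers should
    read the effective size back (effective_rcvbuf) rather than assume it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if bufsize:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, bufsize)
    s.bind((ip, port))
    return s


def effective_rcvbuf(s):
    return s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


def uid_gid_from_env():
    """-U: take the target ids from the UID and GID environment variables."""
    return int(os.environ["UID"]), int(os.environ["GID"])


def isolation_problems(root, uid, gid):
    """Usage checks, including the one the -R option warns about: a process that
    keeps uid 0 inside a chroot can leave it again, so -R without a real
    privilege drop confines nothing. Returns a list of problems; empty is OK."""
    problems = []
    if (uid is None) != (gid is None):
        problems.append("-u and -g must be given together")
    if uid == 0 or gid == 0:
        problems.append("uid/gid 0 is not a privilege drop")
    if root is not None and uid in (None, 0):
        problems.append("-R without dropping to a non-root uid does not confine the process")
    return problems


def drop_privileges(root, uid, gid):
    """Step 2: chroot first (it needs root), then groups, gid and finally uid:
    once setuid() has run, the process can no longer change its groups.
    Clearing supplementary groups is this example's choice (assumption)."""
    if root is not None:
        os.chroot(root)
        os.chdir("/")          # do not keep a cwd outside the new root
    if uid is not None:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
        try:
            os.setuid(0)       # must fail: the drop has to be irreversible
        except PermissionError:
            return
        raise SystemExit("privilege drop did not stick")


def dnsfunneld_argv(verbosity=1, notif=None, extra=()):
    """argv for step 3. -v and -d are the options this page says are passed
    through as is; the form of any other dnsfunneld option is not specified
    here, so callers supply those in `extra`."""
    argv = ["dnsfunneld", "-v", str(verbosity)]
    if notif is not None:
        argv += ["-d", str(notif)]
    return argv + list(extra)


def launch(ip="127.0.0.1", port=53, bufsize=DEFAULT_BUFSIZE, root=None,
           uid=None, gid=None, verbosity=1, notif=None, extra=()):
    problems = isolation_problems(root, uid, gid)
    if problems:
        sys.stderr.write("usage: " + "; ".join(problems) + "\n")
        sys.exit(100)                          # wrong usage
    try:
        sock = bind_udp(ip, port, bufsize)
        drop_privileges(root, uid, gid)
    except OSError as e:
        sys.stderr.write("fatal: %s\n" % e)
        sys.exit(111)                          # system call failed
    os.dup2(sock.fileno(), 0)                  # dnsfunneld reads the socket on stdin;
    if notif is not None:                      # the original fd is close-on-exec
        os.set_inheritable(notif, True)        # the readiness fd must survive the exec
    argv = dnsfunneld_argv(verbosity, notif, extra)
    try:
        os.execvp(argv[0], argv)
    except FileNotFoundError:
        sys.exit(127)                          # dnsfunneld not found
    except OSError:
        sys.exit(126)                          # exec failed for another reason


if __name__ == "__main__":
    env_uid, env_gid = uid_gid_from_env()      # like -U
    launch(root="/var/empty", uid=env_uid, gid=env_gid, notif=3)
```

Run as root with UID and GID set in the environment; the chroot is refused up front if it would not be combined with a real privilege drop, which is the mistake the -R option's note is about.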
Exit codes
- 100: wrong usage
- 111: system call failed
- 126: failed to exec dnsfunneld
- 127: could not find the dnsfunneld executable
Options
- -v verbosity : verbosity of the
dnsfunneld program. This option is passed as is
to dnsfunneld. Default is 1. 0 suppresses warning
messages. Higher values may give more informational messages.
- -d notif : readiness notification. This option
is passed as is to dnsfunneld, which will print a
newline to descriptor notif when it is ready. Default is no readiness
notification.
- -U : read a uid in the UID environment variable and a gid
in the GID environment variable, and drop privileges to that uid/gid.
- -u uid : drop privileges to numerical uid
uid.
- -g gid : drop privileges to numerical gid
gid.
- -i ip:port : bind the socket to
IPv4 ip and port port. Default for ip is
127.0.0.1; default for port is 53.
- -R root : chroot to root. Note that
this option only increases security if you also drop privileges: a process
that keeps root inside a chroot can still break out of it.
- -b bufsize : try to reserve a kernel buffer
size of bufsize bytes for the socket. Default is 131072. If the given
bufsize is 0, then dnsfunnel-daemon will use whatever the
default is for your kernel.
- -f cachelist : Use cachelist as the
file that dnsfunneld reads its cache addresses
from. Default is /run/dnsfunnel-caches, or file
if the --with-cachelist=file option has been given to the
configure script at build time.
The other options control the activation or deactivation of various
dnsfunneld features:
- -T : Do not activate truncation of responses. This is
the default.
- -t : If a DNS response is bigger than 510 bytes,
truncate its last resource records until it fits into 510 bytes and can
be sent in a UDP packet.
- -N : Do not activate the nxdomain workaround. This is the
default.
- -n : Activate the nxdomain workaround. When receiving an A
(resp. AAAA) query to forward, also make an AAAA (resp. A) query, and adjust
the response accordingly. Some DNS servers incorrectly answer NXDOMAIN when
they should just answer NODATA, and querying for another, existing, record
type for the same domain allows dnsfunneld to tell the difference between a
real NXDOMAIN (in which case that response is forwarded to the client) and
an incorrect one (in which case NODATA is answered to the client instead).
Other options may be added in the future.