author | Laurent Bercot <ska-skaware@skarnet.org> | 2023-12-10 11:48:01 +0000
---|---|---
committer | Laurent Bercot <ska@appnovation.com> | 2023-12-10 11:48:01 +0000
commit | b8d0f83e6cea9640a7ee4402c163ad812237355d (patch) |
tree | 57a64ac8aa0e98c40db8c36e96e7379490e44dbf /doc |
download | shibari-b8d0f83e6cea9640a7ee4402c163ad812237355d.tar.xz |
Initial commit
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/index.html | 181
-rw-r--r-- | doc/shibari-server-tcp.html | 213
-rw-r--r-- | doc/shibari-server-udp.html | 163
-rw-r--r-- | doc/upgrade.html | 28
4 files changed, 585 insertions, 0 deletions
diff --git a/doc/index.html b/doc/index.html new file mode 100644 index 0000000..fd59558 --- /dev/null +++ b/doc/index.html 
@@ -0,0 +1,181 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>shibari - a collection of DNS tools </title> + <meta name="Description" content="shibari - a collection of DNS tools" /> + <meta name="Keywords" content="shibari s6-dns DNS resolution server unix linux laurent bercot ska skarnet" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> shibari </h1> + +<h2> What is it ? </h2> + +<p> + shibari is a collection of DNS tools for Unix systems, as an +alternative to BIND, Unbound, djbdns or other similar suites of +programs. +</p> + +<p> + It was previously named s6-dns. The name of the project was changed to +avoid confusion; despite being written by the same author and with the +same mindset, it is not part of the s6 project. +</p> + +<h3> Why "shibari"? </h3> + +<p> + There's a de facto tradition that DNS software has a name related to +binding. shibari aims to be the most pleasant of all DNS software. +</p> + +<hr /> + +<h2> Installation </h2> + +<h3> Requirements </h3> + +<ul> + <li> A POSIX-compliant system with a standard C development environment </li> + <li> GNU make, version 3.81 or later </li> + <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version +2.14.0.1 or later. It's a build-time requirement. It's also a run-time +requirement if you link against the shared version of the skalibs library. </li> + <li> <a href="//skarnet.org/software/s6/">s6</a> version +2.12.0.2 or later. It's a build-time requirement. It's also a run-time +requirement if you link against the shared version of the s6 library. 
That +library is used for the access control and client location features in +<a href="shibari-server-udp.html">shibari-server-udp</a>. </li> + <li> (for now) <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version +2.3.7.0 or later. It's a build-time requirement. It's also a run-time +requirement if you link against the shared version of the s6-dns library. </li> +</ul> + +<h3> Licensing </h3> + +<p> + shibari is free software. It is available under the +<a href="https://opensource.org/licenses/ISC">ISC license</a>. +</p> + +<h3> Download </h3> + +<ul> + <li> The current released version of shibari is <a href="shibari-0.0.1.0.tar.gz">0.0.1.0</a>. +(That is a lie. shibari is currently unreleased, so that link does not work.) </li> + <li> You can checkout a copy of the +<a href="//git.skarnet.org/cgi-bin/cgit.cgi/shibari/">shibari +git repository</a>: +<pre> git clone git://git.skarnet.org/shibari </pre> </li> + <li> There's also a +<a href="https://github.com/skarnet/shibari">GitHub mirror</a> +of the shibari git repository. </li> +</ul> + +<h3> Build and installation </h3> + +<ul> + <li> See the enclosed INSTALL file for build and installation details. </li> +</ul> + +<h3> Upgrade notes </h3> + +<ul> + <li> <a href="upgrade.html">This page</a> lists the differences to be aware of between +the previous versions of shibari and the current one. </li> +</ul> + +<hr /> + +<h2> Reference </h2> + +<h3> Commands </h3> + +<p> + All these commands exit 111 if they encounter a temporary error or +hardware error, and +100 if they encounter a permanent error - such as a misuse. Short-lived +commands exit 0 on success. Other exit codes are documented in the +relevant page. 
+</p> + +<h4> Command-line DNS clients programs </h4> + +<ul> +</ul> + +<h4> Caches </h4> + +<ul> +</ul> + +<h4> Servers </h4> + +<ul> + <li> The <a href="shibari-server-tcp.html">shibari-server-tcp</a> program </li> + <li> The <a href="shibari-server-udp.html">shibari-server-udp</a> program </li> +</ul> + +<h4> Filtering tools </h4> + +<ul> +</ul> + +<h4> Command-line qualification </h4> + +<ul> +</ul> + +<h4> DNS analysis and debug tools </h4> + +<ul> +</ul> + +<h4> Miscellaneous utilities </h4> + +<h3> Libraries </h3> + +<h4> Protocol implementation and synchronous resolution </h4> + +<ul> +</ul> + +<h4> Asynchronous resolution </h4> + +<ul> +</ul> + +<hr /> + +<a name="related"> +<h2> Related resources </h2> +</a> + +<h3> shibari discussion </h3> + +<ul> + <li> <tt>shibari</tt> is discussed on the +<a href="//skarnet.org/lists/#skaware">skaware</a> mailing-list. </li> + <li> It can also be discussed on the +<a href="https://cr.yp.to/lists.html#dns">cr.yp.to dns mailing-list</a>. </li> +</ul> + +<h3> Similar work </h3> + +<ul> + <li> <a href="https://www.isc.org/software/bind">BIND</a> </li> + <li> <a href="https://nlnetlabs.nl/projects/unbound/about/">Unbound</a> </li> + <li> <a href="https://cr.yp.to/djbdns.html">djbdns</a> </li> +</ul> + +</body> +</html> diff --git a/doc/shibari-server-tcp.html b/doc/shibari-server-tcp.html new file mode 100644 index 0000000..5f36087 --- /dev/null +++ b/doc/shibari-server-tcp.html 
@@ -0,0 +1,213 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>shibari: the shibari-server-tcp program</title> + <meta name="Description" content="shibari: the shibari-server-tcp program" /> + <meta name="Keywords" content="shibari DNS s6-dns server database authoritative TCP s6-networking ucspi" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">shibari</a><br /> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> The shibari-server-tcp program </h1> + +<p> + shibari-server-tcp reads DNS queries on its standard input, and answers them +on its standard output. +</p> + +<div id="interface"> +<h2> Interface </h2> +</div> + +<pre> + shibari-server-tcp [ -v <em>verbosity</em> [ -f <em>tdbfile</em> ] [ -r <em>rtimeout</em> ] [ -w <em>wtimeout</em> ] +</pre> + +<ul> + <li> shibari-server-tcp reads a stream of DNS queries on its stdin (encoded +in the TCP DNS way, i.e. 2 bytes of length then the payload), and tries to fulfill them, +sending answers to stdout. It logs its actions to stderr. </li> + <li> It supports normal queries and AXFR queries. </li> + <li> It reads DNS data information from a +<a href="https://en.wikipedia.org/wiki/Cdb_(software)">cdb</a> database; the +database must use the output format from +<a href="https://cr.yp.to/djbdns/tinydns-data.html">tinydns-data</a>. </li> +</ul> + +<div id="commonusage"> +<h2> Common usage </h2> +</div> + +<p> + shibari-server-tcp is intended to be run under a TCP super-server such as +<a href="//skarnet.org/software/s6-networking/s6-tcpserver.html">s6-tcpserver</a>. 
+It delegates to the super-server the job of binding and listening to +the socket, accepting connections, and spawning a separate process to handle a +given connection. +</p> + +<p> + As such, a command line for shibari-server-tcp, running as user <tt>dns</tt>, listening +on address <tt>${ip}</tt>, would typically look like this: +</p> + +<pre> + s6-envuidgid dns s6-tcpserver -U -- ${ip} 53 s6-tcpserver-access -x rules.cdb -- shibari-server-tcp +</pre> + +<p> + Most users will want to run these command lines as <em>services</em>, i.e. daemons +run in the background when the machine starts. The <tt>examples/</tt> subdirectory +of the shibari package provides service templates to help you run shibari-server-tcp under +<a href="https://wiki.gentoo.org/wiki/OpenRC">OpenRC</a>, +<a href="//skarnet.org/software/s6/">s6</a> and +<a href="//skarnet.org/software/s6-rc/">s6-rc</a>. +</p> + +<div id="exitcodes"> +<h2> Exit codes </h2> +</div> + +<dl> + <dt> 0 </dt> <dd> Clean exit. There was a successful series of DNS exchanges +and tipideed received EOF, or timed out while the client was idle. </dd> + <dt> 1 </dt> <dd> Invalid DNS query. The client spoke garbage. </dd> + <dt> 100 </dt> <dd> Bad usage. shibari-server-tcp was run in an incorrect way: bad command +line options, or missing environment variables, etc. </dd> + <dt> 101 </dt> <dd> Cannot happen. This signals a bug in shibari-server-tcp, and comes with an +error message asking you to report the bug. Please do so, on the +<a href="//skarnet.org/lists/#skaware">skaware mailing-list</a>. </dd> + <dt> 102 </dt> <dd> Misconfiguration. shibari-server-tcp found something in its DNS data file +that it does not like. </dd> + <dt> 111 </dt> <dd> System call failed. This usually signals an issue with the +underlying operating system. 
</dd> +</dl> + +<div id="environment"> +<h2> Environment variables </h2> +</div> + +<p> + shibari-server-tcp expects the following variables in its environment, and will exit +with an error message if they are undefined. When run under +<a href="//skarnet.org/software/s6-networking/s6-tcpserver.html">s6-tcpserver</a>, +these variables are automatically set by the super-server. This is the way +shibari-server-tcp gets its network information without having to perform network +operations itself. +</p> + +<dl> + <dt> TCPLOCALIP </dt> + <dd> The local IP address that the super-server is listening on. </dd> + + <dt> TCPLOCALPORT </dt> + <dd> The local port that the super-server is listening on. In normal usage +this will be 53. </dd> + + <dt> TCPREMOTEIP </dt> + <dd> The IP address of the client. </dd> + + <dt> TCPREMOTEPORT </dt> + <dd> The remote port that the client is connecting from. </dd> +</dl> + +<p> + The following variables are optional, but will inform shibari-server-tcp's +behaviour. They are typically set by +<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> +with the <tt>-i</tt> or <tt>-x</tt> option, when the access rules database +defines environment variables depending on client IP ranges. +</p> + +<dl> + <dt> AXFR </dt> + <dd> If this variable is set, it controls what zones the client is allowed +to make AXFR queries for. A value of <tt>*</tt> (star) means the client is +allowed to make AXFR queries for any zone, same as when the variable is not +defined. Else, the value needs to be a space-, comma-, semicolon-, or +slash-separated list of zones; these are the allowed zones. </dd> + + <dt> LOC </dt> + <dd> If this variable is set, it defines a client location that is used to +implement views. 
A client location is at most two charaters; if the value +is <tt>lo</tt>, then the client will be granted access to DNS data guarded +by a <tt>%lo</tt> location indicator in the +<a href="https://cr.yp.to/djbdns/tinydns-data.html">tinydns-data</a> file. +Note that shibari-server-tcp ignores client IP prefix matching compiled in +the database via <tt>%lo:ipprefix</tt> lines: it only takes its location +information from the LOC variable, and will use the contents of LOC to match +lines ending with <tt>:%lo</tt>. The idea is to only have one place centralizing +what clients are authorized to do depending on their IP, and that place is the +<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> +rules database. </dd> +</dl> + +<div id="options"> +<h2> Options </h2> +</div> + +<dl> + <dt> -v <em>verbosity</em> </dt> + <dd> Be more or less verbose. +A <em>verbosity</em> of 0 means no warnings, no logs, only error messages. 1 +means warnings and terse logs. 2 or more means more logs. +Default is <strong>1</strong>. </dd> + + <dt> -f <em>tdbfile</em> </dt> + <dd> Read DNS data from <em>tdbfile</em>. +The default is <strong><tt>data.cdb</tt></strong>, in the current working +directory of the shibari-server-tcp process. </dd> + + <dt> -r <em>rtimeout</em> </dt> + <dd> Read timeout. If <em>rtimeout</em> milliseconds +elapse while shibari-server-tcp is waiting for a DNS query, just exit. +The default is <strong>0</strong>, meaning infinite: shibari-server-tcp +will never close the connection until it receives EOF. </dd> + + <dt> -w <em>wtimeout</em> </dt> + <dd> Write timeout. If shibari-server-tcp is unable +to send its answer in <em>wtimeout</em> milliseconds, which means the network is +congested, give up and close the connection. The default is <strong>0</strong>, which +means infinite: shibari-server-tcp will wait forever until the network decongests in +order to send its answer. 
</dd> +</dl> + +<div id="notes"> +<h2> Notes </h2> +</div> + +<ul> + <li> The DNS database can be changed at any time via an invocation of +<a href="https://cr.yp.to/djbdns/tinydns-data.html">tinydns-data</a>. +shibari-server-tcp will keep using the old data until its current stream +ends and it exits. The next instance of shibari-server-tcp, +spawned by the super-server, will use the new data. </li> + <li> shibari-server-tcp is a drop-in replacement for +<a href="https://cr.yp.to/djbdns/axfrdns.html">axfrdns</a>, with one +caveat: client location information needs to be migrated from the DNS +database to LOC definitions in the TCP access rules database. For instance, +if you have a <tt>%lo:1.2.3</tt> line in your text data file, you need to +add the following entries to your TCP access rules database: + <ul> + <li> <tt>ip4/1.2.3.0_24/allow</tt> (may be empty) </li> + <li> <tt>ip4/1.2.3.0_24/env/LOC</tt> containing <tt>lo</tt> </li> + </ul> </li> + <li> If you are using such an access rules database via a +<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> +invocation, make sure your +<a href="shibari-server-udp.html">shibari-server-udp</a> service is using the +same database via the <tt>-i</tt> or <tt>-x</tt> option. You +don't want to give different permissions, or different location information, +depending on whether a query is made over TCP or UDP. </li> +</ul> + +</body> +</html> diff --git a/doc/shibari-server-udp.html b/doc/shibari-server-udp.html new file mode 100644 index 0000000..c8e46f8 --- /dev/null +++ b/doc/shibari-server-udp.html 
@@ -0,0 +1,163 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>shibari: the shibari-server-udp program</title> + <meta name="Description" content="shibari: the shibari-server-udp program" /> + <meta name="Keywords" content="shibari DNS s6-dns server database authoritative UDP s6-networking tinydns" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">shibari</a><br /> +<a href="//skarnet.org/software/">Software</a><br /> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> The shibari-server-udp program </h1> + +<p> + shibari-server-udp is a long-lived process. It binds to a UDP socket, then +answers DNS queries it receives, until it is killed. +</p> + +<div id="interface"> +<h2> Interface </h2> +</div> + +<pre> + shibari-server-udp [ -v <em>verbosity</em> ] [ -d <em>notif</em> ] [ -f <em>tdbfile</em> ] [ -i <em>rulesdir</em> ] [ -x <em>rulesfile</em> ] [ -p <em>port</em> ] <em>ip</em> +</pre> + +<ul> + <li> shibari-server-udp creates a UDP socket and binds it to address <em>ip</em> +on port 53. <em>ip</em> can be IPv4 or IPv6. </li> + <li> It listens to non-recursive DNS queries, sent by DNS caches, and, if +appropriate, answers with data it reads from its data file. </li> + <li> It reloads its data file on SIGHUP, and exits 0 on SIGTERM. </li> + <li> The data file is a +<a href="https://en.wikipedia.org/wiki/Cdb_(software)">cdb</a> database; it +must use the output format from +<a href="https://cr.yp.to/djbdns/tinydns-data.html">tinydns-data</a>. </li> +</ul> + +<div id="exitcodes"> +<h2> Exit codes </h2> +</div> + +<dl> + <dt> 0 </dt> <dd> Clean exit. shibari-server-udp received a SIGTERM and exited. <dd> + <dt> 100 </dt> <dd> Bad usage. 
shibari-server-udp was run in an incorrect way: +typically bad command line options. </dd> + <dt> 101 </dt> <dd> Cannot happen. This signals a bug in shibari-server-udp, and comes with an +error message asking you to report the bug. Please do so, on the +<a href="//skarnet.org/lists/#skaware">skaware mailing-list</a>. </dd> + <dt> 102 </dt> <dd> Misconfiguration. shibari-server-udp found something in its DNS data file +that it does not like. </dd> + <dt> 111 </dt> <dd> System call failed. This usually signals an issue with the +underlying operating system. </dd> +</dl> + +<div id="options"> +<h2> Options </h2> +</div> + +<dl> + <dt> -v <em>verbosity</em> </dt> + <dd> Be more or less verbose. +A <em>verbosity</em> of 0 means no warnings, no logs, only error messages. 1 +means warnings and terse logs. 2 or more means more logs. +Default is <strong>1</strong>. </dd> + + <dt> -d <em>notif</em> </dt> + <dd> Write a newline to file descriptor <em>notif</em>, then close it, when +shibari-server-udp has bound its socket, opened its file, and is ready to serve. +This is the <a href="https://skarnet.org/software/s6/notifywhenup.html">s6 +readiness notification</a> mechanism. By default, when this option isn't given +no readiness notification is sent. </dd> + + <dt> -f <em>tdbfile</em> </dt> + <dd> Read DNS data from <em>tdbfile</em>. +The default is <strong><tt>data.cdb</tt></strong>, in the current working +directory of the shibari-server-udp process. </dd> + + <dt> -i <em>rulesdir</em> </dt> + <dd> Use <em>rulesdir</em> as a filesystem-based +<a href="//skarnet.org/software/s6/libs6/accessrules.html">access rules +database</a>: ignore any message whose originating IP address isn't +explicitly allowed. The access rules database is also used to get +<a href="#clientlocation">client location information</a>. +If something in <em>rulesdir</em> changes while shibari-server-udp is +running, it will immediately pick up the change. 
</dd> + + <dt> -x <em>rulesfile</em> </dt> + <dd> Use <em>rulesfile</em> as a cdb +<a href="//skarnet.org/software/s6/libs6/accessrules.html">access rules +database</a>, see description of <tt>-i</tt> above. <tt>-i</tt> and +<tt>-x</tt> are equivalent; you can switch between <em>rulesdir</em> +and <em>rulesfile</em> via the +<a href="//skarnet.org/software/s6/s6-accessrules-cdb-from-fs.html">s6-accessrules-cdb-from-fs</a> and +<a href="//skarnet.org/software/s6/s6-accessrules-fs-from-cdb.html">s6-accessrules-fs-from-cdb</a> +programs. The cdb format is more efficient but more static than the +filesystem format. If <em>rulesfile</em> changes while shibari-server-udp +is running, it will continue to use the old data until it receives a SIGHUP. </dd> + + <dt> -p <em>port</em> </dt> + <dd> Binds to port <em>port</em>. Default is <strong>53</strong>. </dd> +</dl> + +<div id="clientlocation"> +<h2> Client location </h2> +</div> + +<p> + shibari-server-udp ignores client location information given as +<tt>%lo:ipprefix</tt> lines in the file created by +<a href="https://cr.yp.to/djbdns/tinydns-data.html">tinydns-data</a>. +Instead, it reads client location information in LOC definitions +present in the <em>rulesdir</em> or <em>rulesfile</em> +access rules database. For instance, +if you have a <tt>%lo:1.2.3</tt> line in your text data file, meaning +that clients whose IP address is in the <tt>1.2.3.0/24</tt> IPv4 +range are identified with the <tt>lo</tt> location and that DNS data +entries ending with <tt>:lo</tt> are visible to them, you need to +translate this information into the accessrules format. 
Your +<em>rulesdir</em> must contain the following files: +</p> + +<ul> + <li> <tt>ip4/1.2.3.0_24/allow</tt> (may be empty) </li> + <li> <tt>ip4/1.2.3.0_24/env/LOC</tt> containing <tt>lo</tt> </li> +</ul> + +<p> + (To use the <tt>-x</tt> option instead, you'd do the same, then run +<tt>s6-accessrules-cdb-from-fs <em>rulesfile</em> <em>rulesdir</em></tt> +to compile the information into <em>rulesfile</em>.) +</p> + +<div id="notes"> +<h2> Notes </h2> +</div> + +<ul> + <li> The DNS database can be changed at any time via an invocation of +<a href="https://cr.yp.to/djbdns/tinydns-data.html">tinydns-data</a>. +shibari-server-udp will keep using the old data until it receives a +SIGHUP, at which point it will reopen its database. </li> + <li> shibari-server-udp is a drop-in replacement for +<a href="https://cr.yp.to/djbdns/tinydns.html">tinydns</a>, with the +caveat of the <a href="#clientlocation">client location mechanism</a>. </li> + <li> If you are using the <tt>-i<tt> or <tt>-x</tt> option, the +access rules database can, and should, be the same one that is used by the +<a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> +program in your +<a href="shibari-server-tcp.html">shibari-server-tcp</a> service. You +don't want to give different permissions, or different location information, +depending on whether a query is made over TCP or UDP. </li> +</ul> + +</body> +</html> diff --git a/doc/upgrade.html b/doc/upgrade.html new file mode 100644 index 0000000..52eeaa5 --- /dev/null +++ b/doc/upgrade.html 
@@ -0,0 +1,28 @@ +<html> + <head> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>shibari: how to upgrade</title> + <meta name="Description" content="shibari: how to upgrade" /> + <meta name="Keywords" content="shibari installation upgrade" /> + <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">shibari</a><br /> +<a href="//skarnet.org/software/">Software</a> <br> +<a href="//skarnet.org/">skarnet.org</a> +</p> + +<h1> What has changed in shibari </h1> + +<h2> in 0.0.1.0 </h2> + +<ul> + <li> Initial release. </li> +</ul> + +</body> +</html> |
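Review bot: in doc/index.html the Download section links to shibari-0.0.1.0.tar.gz and then admits in the next sentence that the link does not work; a documented release that does not exist is worse than no link, so either drop that `<li>` until 0.0.1.0 is actually tagged or keep only the git-clone and GitHub-mirror entries. In the same file, `<a name="related">` wraps the whole `<h2> Related resources </h2>` block, which is not valid HTML (an inline anchor cannot contain a heading); put the id on the heading, or reuse the `<div id="...">` wrapper pattern that the two server pages in this commit already use. The Reference section also ships six empty `<ul> </ul>` lists and an `<h4> Miscellaneous utilities </h4>` with no list under it at all; if those tools are not part of this commit, leave the headings out rather than publishing empty sections.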
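Review bot: the synopsis in doc/shibari-server-tcp.html is missing a closing bracket: `shibari-server-tcp [ -v <em>verbosity</em> [ -f <em>tdbfile</em> ] ...` should read `[ -v <em>verbosity</em> ] [ -f <em>tdbfile</em> ] ...`. In the Exit codes list, code 0 says "and tipideed received EOF", which reads as a leftover from the tipidee documentation and should name shibari-server-tcp. "charaters" in the LOC entry is a typo. The LOC entry also says shibari-server-tcp matches "lines ending with `:%lo`", whereas doc/shibari-server-udp.html says data entries "ending with `:lo`"; the two pages should agree, and the udp wording (no percent sign on the record suffix) is the one consistent with `%lo:ipprefix` being the location definition line described just above. Two defensive points worth a sentence each in Common usage: the AXFR variable is documented as allow-any-zone when unset, and the example command line passes `-x rules.cdb` without mentioning it, so an administrator who copies that line gives every client admitted by the rules database a full zone transfer unless the rules set AXFR explicitly; and the `-r` default of 0 (never time out) means an idle client holds a super-server connection slot indefinitely, so the example should either set a finite `-r` or say why it does not.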
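Review bot: in doc/shibari-server-udp.html the exit-code 0 entry is closed with `<dd>` instead of `</dd>` (`<dd> Clean exit. shibari-server-udp received a SIGTERM and exited. <dd>`), so the definition list is malformed from that point on; and in Notes, `<tt>-i<tt>` needs a closing `</tt>`. The first Interface bullet says the socket is bound "on port 53", but the `-p <em>port</em>` option documented below overrides that; phrase it as "on port <em>port</em> (default 53)" or similar so the bullet and the synopsis agree. The `-i` description states that messages from addresses not explicitly allowed are ignored, but the behaviour with neither `-i` nor `-x` (every source address is answered) is only implied; an explicit sentence about that default would help readers decide whether they need an access rules database at all.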
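Review bot: doc/upgrade.html uses a bare `<br>` after the Software link where every other page in this commit writes `<br />`; the pages otherwise use XHTML-style self-closing tags throughout (`<meta ... />`, `<hr />`), so this one should match.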