ADNS

From the Homepage:

Advanced, easy to use, asynchronous-capable DNS client library and utilities.
adns is a resolver library for C (and C++) programs, and a collection of useful
DNS resolver utilities.

I'm (Ian) afraid there is no manual yet. However, competent C programmers should
be able to use the library based on the commented adns.h header file, and
the usage messages for the programs should be sufficient.

adns also comes with a number of utility programs for use from the command
line and in scripts:

* adnslogres is a much faster version of Apache's logresolv program.

* adnsresfilter is a filter which copies its input to its output,
  replacing IP addresses by the corresponding names, without unduly
  delaying the output. For example, you can usefully pipe the
  output of netstat -n, tcpdump -ln, and the like, into it.

* adnshost is a general-purpose DNS lookup utility which can be used easily
  from the command line and from shell scripts to do simple lookups.
  In a more advanced mode it can be used as a general-purpose DNS helper
  program for scripting languages which can invoke and communicate with
  subprocesses. See the adnshost usage message for a summary of its capabilities.

From the INSTALL file:

SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

adns is not a `full-service resolver': it does no caching of responses
at all, and has no defence against bad nameservers or fake packets
which appear to come from your real nameservers. It relies on the
full-service resolvers listed in resolv.conf to handle these tasks.

For secure and reasonable operation you MUST run a full-service
nameserver on the same system as your adns applications, or on the
same local, fully trusted network. You MUST only list such
nameservers in the adns configuration (eg resolv.conf).

You MUST use a firewall or other means to block packets which appear
to come from these nameservers, but which were actually sent by other,
untrusted, entities.

Furthermore, adns is not DNSSEC-aware in this version; it doesn't
understand even how to ask a DNSSEC-aware nameserver to perform the
DNSSEC cryptographic signature checking.

In particular, adns does not randomize the query source port or transaction ID;
relevant advisories are CVE-2008-1447 and CVE-2008-4100. Since adns is a stub
resolver, the workarounds listed in DSA-1605-1 for glibc also apply to adns.
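
One way to check the requirement above that only local or fully trusted nameservers are listed in resolv.conf. This is an added example, not part of adns or of the original page; the function name, the trusted network and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample resolv.conf content (not taken from any real host).
SAMPLE_RESOLV_CONF = """\
# local full-service resolver
nameserver 127.0.0.1
nameserver ::1
; resolver on the trusted LAN
nameserver 192.168.10.53
nameserver 203.0.113.7
nameserver not-an-ip
search example.test
"""

def audit_nameservers(conf_text, trusted_networks=()):
    """Return (address, reason) for every nameserver entry that is neither
    loopback nor inside one of the operator-declared trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] != "nameserver":        # search, options, etc.
            continue
        if len(fields) < 2:
            findings.append(("", "nameserver line without an address"))
            continue
        text = fields[1]
        try:
            # Drop any IPv6 zone id ("%eth0") before parsing.
            addr = ipaddress.ip_address(text.split("%", 1)[0])
        except ValueError:
            findings.append((text, "not an IP address"))
            continue
        if addr.is_loopback:                 # resolver on the same system
            continue
        if any(addr.version == net.version and addr in net for net in trusted):
            continue                         # resolver on the trusted network
        findings.append((text, "outside loopback and trusted networks"))
    return findings

if __name__ == "__main__":
    for address, reason in audit_nameservers(SAMPLE_RESOLV_CONF, ["192.168.10.0/24"]):
        print(f"{address or '<missing>'}: {reason}")
```

An empty result means every listed nameserver is on the same system or in a network you declared trusted; it says nothing about whether spoofed packets claiming those source addresses are blocked, which is still the firewall's job.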