Technical Features of adam:ONE (v3) anmgr

This article covers the technical features of the multi-platform binary anmgr, version 3.4.15 and up. See the separate knowledge base article for the (v4) anmuscle binary.

adam:ONE is software that runs on gateways and, in some instances, as a standalone service. It features a web server as well as a fully functional forwarding DNS server designed for use on internal networks. It also interacts directly with the host's firewall environment for the purposes of DTTS (Don't Talk To Strangers), a way of making DNS filtering leak-proof.

usage: ./anmgr [options]

block instead of remove private and non-routable IP addresses in DNS responses, used for DNS rebinding attack protection

override automatic boxid detection, useful for specifying own GUID rather than system-generated one

controller DNS address override, default is

--config-file, -c
configuration file location

--daemon, -d
run in the background

disable automatic restart on error

disable controller communication module

disable CNAME flattening for black-listed / block-listed rulesets/policies

disable CNAME flattening for rainbow-listed / forward-listed rulesets/policies

disable CNAME flattening for white-listed / allow-listed rulesets/policies

disable all features affecting the host operating system

comma separated list of domains which are not subject to IPE/DTTS, useful when enterprise internal routing is preferably managed with manual/custom firewall rules rather than DTTS (recommended use with managed support only)

disable IP enforcement for requests for local FQDNs, used in combination with --disable-ipe-domains

disable IPv4

disable IPv6

disable ARP/NETBIOS/ND device discovery, useful if UDP port 137 on the host is not desired and/or NETBIOS names should not be adopted by the controller dashboard

disable packet monitor module, useful if the feature is not used; disabling it reduces CPU overhead. When enabled, it can report on all IP connections, which is helpful for SIEM environments

disable blocking of private or non-routable IP addresses, used for DNS rebinding attack protection

disable automatic, repeat scheduled DNS resolution of

A record TTL for blocked answers

number of unique queries to be cached

dns history buffer size

--dns-listen-address, -a
comma separated list of IP addresses listening for DNS, e.g.,,

--dns-listen-iface, -i
comma separated list of interfaces listening for DNS

default DNS server listen port

SOA record TTL

request DNSSEC; note that adam:ONE is a DNSSEC-aware DNS forwarder

local network domain name

Don’t Talk To Strangers dump file for persistent storage (deprecated use)

time in seconds before stranger becomes known, 0 = learning mode (deprecated use)

accept EDNS0 subnet information

append EDNS0 subnet information to DNS requests

scramble outbound ports for forwarded DNS queries

enable automatic creation of tuntap interfaces for non-existent redirect-local (HTTP server) and listen-address (DNS server) addresses

semi-colon separated list of paths and parsing engines in the format >path,engine<. Available options:
monitored files are parsed and used to offer friendly names on controller dashboard

force firewall management based on DNS resolution

force WAN access management, used for built-in policy of No Internet access

--help, -h
print this help message

--http-listen-address, -A
comma separated list of IP addresses listening for HTTP, e.g.,,

--http-listen-iface, -I
comma separated list of interfaces listening for HTTP for

fallback interface for providing block-page IP addresses

default HTTP server listen port

IP range for HTTP proxy (e.g.

how long an HTTP proxy tunnel lives, in seconds

poll period for critical IPE firewall entries

IPFW rule number for divert socket

divert socket port number

delay in milliseconds before responding to DNS requests, useful if creating kernel-space DTTS firewall rules takes longer than DNS resolution

type of engine for IPE (BSD: pf/ipfw)

extra time to add to IPE hole TTL in percent (custom use or modification recommended only with managed support)

maximum DNS record time-to-live in seconds for IP enforcement purposes (custom use or modification recommended only with managed support)

minimum DNS record time-to-live in seconds for IP enforcement purposes (custom use or modification recommended only with managed support)

IPE server TCP or UNIX address (IP or IP@port or /path)

IPv4 embedded in IPv6 prefix info as per RFC 6052 (e.g. 64:ff9b::/96)

comma separated list of interfaces used for ARP and NETBIOS scanning (defaults to listen-iface)

lock filename

output log filename

log history buffer size

available levels are 0 through 6; level 4 is optimized to capture DNS queries, forwards, and answers

maximum log file size (in bytes)

--mybox-redirect
full URL redirect location

public NETBIOS listening port

NETBIOS broadcast reply-to port

disable default upstreaming until profiles are retrieved, helpful to eliminate traffic leakage during startup

packet monitor history buffer size

set monitored interfaces to promiscuous mode

file name to store a pid if running as a daemon

comma separated list of private or non-routable subnets, e.g.,::ffff:0:0/96
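The two rebinding-protection behaviours listed above (strip the offending private/non-routable records from a response, or refuse the whole response) as an added Python sketch; this is illustrative code, not anmgr's own, and the prefix list is a constructed default, since the page shows only ::ffff:0:0/96.

```python
import ipaddress

# Constructed default list of private / non-routable prefixes (assumption:
# the page only shows ::ffff:0:0/96, so the rest is filled in from the RFCs).
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def is_non_routable(ip_text, prefixes=NON_ROUTABLE):
    """True if the answer address falls inside any configured prefix.
    IPv4-mapped IPv6 answers are also checked as their embedded IPv4."""
    ip = ipaddress.ip_address(ip_text)
    candidates = [ip]
    if ip.version == 6 and ip.ipv4_mapped is not None:
        candidates.append(ip.ipv4_mapped)
    # Version mismatch (v4 address vs v6 network) evaluates False automatically.
    return any(c in net for net in prefixes for c in candidates)


def filter_answers(answers, mode="remove"):
    """answers: list of (rrtype, rdata) tuples from one DNS response.
    mode 'remove': drop only the offending A/AAAA records (default).
    mode 'block':  refuse the entire response (nothing is returned to the client).
    Returns (action, records_to_serve)."""
    offending = {(t, d) for t, d in answers
                 if t in ("A", "AAAA") and is_non_routable(d)}
    if not offending:
        return "pass", list(answers)
    if mode == "block":
        return "block", []
    return "remove", [(t, d) for t, d in answers if (t, d) not in offending]


if __name__ == "__main__":
    # Constructed response: a CNAME chain ending in one public and one private A record.
    resp = [("CNAME", "cdn.example."), ("A", "93.184.216.34"), ("A", "192.168.1.10")]
    print(filter_answers(resp, "remove"))
    print(filter_answers(resp, "block"))
```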

comma separated list of default DNS upstream servers which also get appended to ISPs

comma separated list of ISP DNS upstream servers; ISP DNS servers can often, but not always, be the fastest

comma separated list of last-resort DNS servers

comma separated list of partner DNS servers, useful in case entire bundles of domain names should be resolved by a partner third party (use only with managed support)

controller DNS address override for reporting purposes

drop root privileges to user

file containing the signature public key

file containing the signature secret key

file containing controller public key

timeout in ms for upstream DNS requests

--version, -v
binary version information

OpenVPN interface for future controller communication

wireless LAN interface usually bridged to wired LAN