This article covers the technical features of the multi-platform binary anmgr, version 3.4.15 and up. See the separate knowledge base article for anmuscle (v4).
adam:ONE is software that runs on gateways, and in some instances as standalone. It features a web server as well as a fully-functional forwarding DNS server, designed for use on internal networks. It also interacts directly with the host’s firewall environment for the purposes of DTTS (Don’t Talk To Strangers) as a way of making DNS filtering leak-proof.
usage = ./anmgr [options]
options:
--block-private-addresses
    block instead of remove private and non-routable IP addresses in DNS responses, used for DNS rebinding attack protection
--boxid
    override automatic boxid detection, useful for specifying your own GUID rather than the system-generated one
--brain-fqdn
    controller DNS address override, default is controller.adamnet.works
--config-file, -c
    configuration file location
--daemon, -d
    run in the background
--disable-autorestart
    disable automatic restart on error
--disable-brain-module
    disable controller communication module
--disable-cname-flattening-on-blacklist
    disable CNAME flattening for black-listed / block-listed rulesets/policies
--disable-cname-flattening-on-rainbowlist
    disable CNAME flattening for rainbow-listed / forward-listed rulesets/policies
--disable-cname-flattening-on-whitelist
    disable CNAME flattening for white-listed / allow-listed rulesets/policies
--disable-environmental-features
    disable all features affecting the host operating system
--disable-ipe-domains
    comma separated list of domains which are not subject to IPE/DTTS, useful when enterprise internal routing is preferably managed with manual/custom firewall rules rather than DTTS (recommended use with managed support only)
--disable-ipe-for-local-domain
    disable IP enforcement for requests for local FQDNs, used in combination with --disable-ipe-domains
--disable-ipv4
    disable IPv4
--disable-ipv6
    disable IPv6
--disable-neighbour-discovery
    disable ARP/NETBIOS/ND device discovery, useful if UDP port 137 on the host is not desired and/or NETBIOS naming should not be adopted on the controller dashboard
--disable-packet-monitor-module
    disable the packet monitor module, useful if the feature is not used, and can reduce CPU overhead; when enabled, it can report on all IP connections, helpful for SIEM environments
--disable-private-subnets
    disable blocking of private or non-routable IP addresses (the blocking is used for DNS rebinding attack protection)
--disable-test-resolution
    disable automatic, repeat scheduled DNS resolution of test.dnsthingy.com
--dns-a-ttl
    A record TTL for blocked answers
--dns-cache-size
    number of unique queries to be cached
--dns-history-size
    DNS history buffer size
--dns-listen-address, -a
    comma separated list of IP addresses listening for DNS, e.g. 192.168.0.1@53053,192.168.0.1@5353,0.0.0.0
--dns-listen-iface, -i
    comma separated list of interfaces listening for DNS
--dns-listen-port
    default DNS server listen port
--dns-soa-ttl
    SOA record TTL
--dnssec
    request DNSSEC; note that adam:ONE is a DNSSEC-aware DNS forwarder
--domain-name
    local network domain name
--dtts-dumpfile
    Don’t Talk To Strangers dump file for persistent storage (deprecated use)
--dtts-minage
    time in seconds before a stranger becomes known, 0 = learning mode (deprecated use)
--edns0-accept
    accept EDNS0 subnet information
--edns0-append
    append EDNS0 subnet information to DNS requests
--enable-port-obfuscation
    scramble outbound ports for forwarded DNS queries
--enable-tuntap
    enable automatic creation of tuntap interfaces for non-existent redirect-local (HTTP server) and listen-address (DNS server) addresses
--files-to-monitor
    semi-colon separated list of paths and parsing engines in the format >path,engine<. Available engines: dnsmasq_leases, hosts, resolv, unbound_leases, unbound_entries. Monitored files are parsed and used to offer friendly names on the controller dashboard
--force-ipe
    force firewall management based on DNS resolution
--force-wa
    force WAN access management, used for the built-in policy of No Internet access
--help, -h
    print this help message
--http-listen-address, -A
    comma separated list of IP addresses listening for HTTP, e.g. 192.168.0.1@53053,192.168.0.1@5353,0.0.0.0
--http-listen-iface, -I
    comma separated list of interfaces listening for HTTP for mytools.management
--http-listen-iface-fallback
    fallback interface for providing block-page IP addresses
--http-listen-port
    default HTTP server listen port
--http-proxy-subnet
    IP range for HTTP proxy (e.g. 10.0.0.0/24)
--http-proxy-tunnel-lifetime
    how long an HTTP proxy tunnel lives for, in seconds
--ipe-check-period
    poll period for critical IPE firewall entries
--ipe-divert-ifpw-rule-number
    IPFW rule number for the divert socket
--ipe-divert-port
    divert socket port number
--ipe-dns-response-delay
    delay in milliseconds before responding to DNS requests, useful if kernel-space DTTS firewall rule creation takes longer than DNS resolution
--ipe-engine
    type of engine for IPE (BSD: pf/ipfw)
--ipe-extra-ttl
    extra time to add to the IPE hole TTL, in percent (custom use or modification recommended only with managed support)
--ipe-max-ttl
    maximum DNS record time-to-live in seconds for IP enforcement purposes (custom use or modification recommended only with managed support)
--ipe-min-ttl
    minimum DNS record time-to-live in seconds for IP enforcement purposes (custom use or modification recommended only with managed support)
--ipe-server-address
    IPE server TCP or UNIX address (IP, IP@port or /path)
--ipv6-embedded-prefix
    IPv4-embedded IPv6 prefix info as per RFC 6052 (e.g. 64:ff9b::/96)
--lan-iface
    comma separated list of interfaces used for ARP and NETBIOS scanning (defaults to listen-iface)
--lock-file
    lock filename
--log-file
    output log filename
--log-history-size
    log history buffer size
--log-level
    available levels are 0 through 6; level 4 is optimized to be most useful for capturing DNS queries, forwards, and answers
--log-max-filesize
    maximum log file size (in bytes)
--mybox-redirect
    mybox.management full URL redirect location
--netbios-listen-port
    public NETBIOS listening port
--netbios-reply-port
    NETBIOS broadcast reply-to port
--no-default-redirect
    disable default upstreaming until profiles are retrieved, helpful to eliminate traffic leakage during startup
--packet-monitor-history-size
    packet monitor history buffer size
--packet-monitor-promiscuous
    set monitored interfaces to promiscuous mode
--pid-file
    file name to store a PID in if running as a daemon
--private-subnets
    comma separated list of private or non-routable subnets, e.g. 10.0.0.0/8,::ffff:0:0/96
--redirect-default
    comma separated list of default DNS upstream servers, which are also appended to the ISP servers
--redirect-isp
    comma separated list of ISP DNS upstream servers; ISP DNS servers can often, but not always, be the fastest
--redirect-lastresort
    comma separated list of last-resort DNS servers
--redirect-partner
    comma separated list of partner DNS servers, useful in case entire bundles of domain names should be resolved by a partner third party (use only with managed support)
--reporter-fqdn
    controller DNS address override for reporting purposes
--run-as-user
    drop root privileges to the given user
--signature-pk-file
    file containing the signature public key
--signature-sk-file
    file containing the signature secret key
--ssl-ca-file
    file containing the controller public key
--upstream-timeout-ms
    timeout in ms for upstream DNS requests
--version, -v
    binary version information
--vpn-iface
    OpenVPN interface for future controller communication
--wlan-iface
    wireless LAN interface usually bridged to wired LAN
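Several of the options above (--private-subnets, --block-private-addresses, --disable-private-subnets, --dns-a-ttl and --ipv6-embedded-prefix) together describe the DNS rebinding protection: answers that point into private or non-routable ranges are stripped, or the whole answer is blocked. The following Python is an added example of that filter written for this article, not code from adam:ONE or anmgr. It uses the subnet list and RFC 6052 prefix the article gives as examples (anmgr's real built-in defaults are not on the page), treats "block" as replacing the whole answer with a blocked A record carrying the --dns-a-ttl TTL (an interpretation, not documented behaviour), and additionally unwraps RFC 6052 addresses so a NAT64-style answer is judged by its embedded IPv4 (an assumption going beyond what the page states). The `Answer`/`FilterResult` types, the `block_address` parameter and the sample response are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Values modelled on the examples this article gives for --private-subnets and
# --ipv6-embedded-prefix; anmgr's real built-in defaults are not on the page.
PRIVATE_SUBNETS_EXAMPLE = "10.0.0.0/8,::ffff:0:0/96"
EMBEDDED_PREFIX_EXAMPLE = "64:ff9b::/96"


@dataclass(frozen=True)
class Answer:
    """One record of a DNS answer section (constructed, simplified model)."""
    name: str
    rtype: str   # only "A" and "AAAA" records are inspected
    data: str    # address in text form
    ttl: int


@dataclass
class FilterResult:
    action: str                  # "pass", "remove" or "block"
    answers: List[Answer]        # what the client would receive
    offending: List[Answer] = field(default_factory=list)


def parse_subnet_list(spec: str) -> List[IPNetwork]:
    """Parse the comma separated --private-subnets syntax."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def embedded_ipv4(addr: IPAddress, prefix: IPNetwork) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in the low 32 bits of an RFC 6052
    IPv4-embedded IPv6 address, or None if addr is not inside that /96."""
    if (isinstance(addr, ipaddress.IPv6Address) and prefix.version == 6
            and prefix.prefixlen == 96 and addr in prefix):
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def is_private(addr: IPAddress, subnets: Sequence[IPNetwork],
               embedded_prefix: IPNetwork) -> bool:
    """True if addr falls in a configured private/non-routable subnet.
    A membership test across address families is simply False in ipaddress.
    Unwrapping the RFC 6052 prefix (so 64:ff9b::10.0.0.2 is judged by its
    inner 10.0.0.2) is an assumption of this example, not documented behaviour."""
    if any(addr in net for net in subnets):
        return True
    inner = embedded_ipv4(addr, embedded_prefix)
    return inner is not None and any(inner in net for net in subnets if net.version == 4)


def filter_response(answers: Sequence[Answer], mode: str = "remove",
                    private_subnets: str = PRIVATE_SUBNETS_EXAMPLE,
                    embedded_prefix: str = EMBEDDED_PREFIX_EXAMPLE,
                    block_address: Optional[str] = None,
                    dns_a_ttl: int = 60) -> FilterResult:
    """Apply DNS rebinding protection to an answer section.

    "remove": default described for --private-subnets, strip offending records
    "block" : --block-private-addresses, replace the whole answer with a blocked
              A record for block_address using the --dns-a-ttl TTL (assumed
              semantics; empty answer if no block_address is configured)
    "off"   : --disable-private-subnets, pass everything through
    """
    if mode == "off":
        return FilterResult("pass", list(answers))
    subnets = parse_subnet_list(private_subnets)
    prefix = ipaddress.ip_network(embedded_prefix, strict=False)
    offending = [a for a in answers if a.rtype in ("A", "AAAA")
                 and is_private(ipaddress.ip_address(a.data), subnets, prefix)]
    if not offending:
        return FilterResult("pass", list(answers))
    if mode == "block":
        blocked = ([Answer(answers[0].name, "A", block_address, dns_a_ttl)]
                   if block_address else [])
        return FilterResult("block", blocked, offending)
    return FilterResult("remove", [a for a in answers if a not in offending], offending)


# Constructed sample: one public address mixed with three private ones that
# are disguised in different address families.
SAMPLE_RESPONSE = [
    Answer("evil.example", "A", "203.0.113.5", 300),            # public (TEST-NET-3)
    Answer("evil.example", "A", "10.0.0.1", 300),               # RFC 1918
    Answer("evil.example", "AAAA", "::ffff:192.168.1.1", 300),  # IPv4-mapped IPv6
    Answer("evil.example", "AAAA", "64:ff9b::10.0.0.2", 300),   # RFC 6052 embedded
]

if __name__ == "__main__":
    for mode in ("remove", "block", "off"):
        r = filter_response(SAMPLE_RESPONSE, mode, block_address="192.0.2.10")
        print(mode, r.action, [a.data for a in r.answers])
```

The example subnet list from the article is deliberately short; a production --private-subnets value should also cover loopback, link-local, the other RFC 1918 ranges and ULA space, otherwise an answer such as 127.0.0.1 or fe80::1 passes the filter unchanged, and --disable-private-subnets should be treated as removing the rebinding defence entirely.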