This article covers the technical features of the multi-platform binary adamnetmuscle, version 4.5.3 and up.
adam:ONE is software that runs on gateways, and in some instances as standalone. It features a web server as well as a fully-functional forwarding DNS server, designed for use on internal networks. It also interacts directly with the host’s firewall environment for the purposes of DTTS (Don’t Talk To Strangers) as a way of making DNS filtering leak-proof.
usage = ./adamnetmuscle [options]

--acme-account-private-key-file
    the private key file (in PEM format) registered with the ACME service provider
--acme-external-renewal
    an external service is responsible for renewing the certificate
--acme-service-fqdn
    the ACME service provider FQDN
--acme-service-port
    the ACME service provider port (default: 443)
--acme-version
    the ACME client version
--admin-pk
    base64 encoded public key for access to admin REST API
--append-domain-name-to-arpa-answers
    ARPA answers will be suffixed by a domain name
--authenticated-clients
    semi-colon separated list of client-id,client-pk
--block-private
    block private IP addresses in DNS responses as per RFC1918
--box-id
    override automatic box id detection
--brain-address
    override controller ipaddress@port
--brain-fqdn, -b
    override controller FQDN
--brain-messages-file
    file to store brain messages for when it cannot connect to the controller
--brain-messages-max-filesize
    maximum brain messages file size in bytes (default: 10485760, set to 0 to disable this limit)
--brain-port
    override controller port
--brain-read-timeout
    override default brain read timeout (in seconds)
--cerebrum-address
    override cerebrum ipaddress@port
--cerebrum-fqdn
    override controller FQDN
--cerebrum-port
    override cerebrum port
--cname-checking
    specify a way to check cnames against lists: none, all, allowlistonly, blocklistonly. This overrides a controller setting.
--config-file, -c
    file full of config options
--critical-fqdns
    comma separated list of critical fqdns which should always be accessible
--disable-arp
    disable ARP discovery (default: false)
--disable-autorestart
    disable automatic restart on an irrecoverable error
--disable-brain
    disable brain service
--disable-captive-portal-handling
    disable responding to some captive portal HTTP requests
--disable-cerebrum
    disable cerebrum service
--disable-cname-flattening
    disable CNAME flattening
--disable-default-upstream
    disable use of the default upstream until profiles are retrieved
--disable-environmental-features
    disable all features affecting the operating system
--disable-nd
    disable ND discovery (default: false)
--disable-netbios
    disable Netbios discovery (default: false)
--disable-packet-monitor
    disable packet monitoring
--disable-private-subnets-blocking
    disable blocking of private or non-routable IP addresses
--disable-reporter
    DEPRECATED: disable reporter service
--disable-sd
    disable SD (MDNS) discovery (default: false)
--disable-strict-cname-flattening
    DEPRECATED: not used at all
--disable-test-resolution
    DEPRECATED: disable automatic DNS resolution of the test domain
--dns-a-ttl
    TTL of A/AAAA records for blocked answers
--dns-blocked-record-types
    block resolution of enumerated record types (comma separated, uppercase string or numerical value)
--dns-cache-size, -d
    number of unique DNS queries to cache
--dns-default-blocks
    semi-colon separated list of default DNS blocks in the format [name,type,additional_data] where type can be subnet or nxdomain
--dns-default-endpoints
    semi-colon separated list of default DNS endpoints in the format [%doh_fqdn@port,]ip1@port1+ip2@port2,block_name
--dns-default-operation-mode
    optimized (default) or harmonized
--dns-enable-port-obfuscation
    obfuscate ports for outgoing DNS requests
--dns-history-size
    DNS history buffer size for data logger
--dns-listen-port
    default listen port for DNS server
--dns-listener
    comma separated list of either interface names or ipaddress@port/prefix groups (separated by a plus sign) for DNS server
--dns-max-fastest-solo-uses
    maximum number of times the fastest target will be chosen before others get re-queried (default: 10)
--dns-max-recursions
    maximum number of recursions (default: 32)
--dns-minimum-reduced-timeout
    lowest reduced timeout in milliseconds (default: 200)
--dns-query-limit-burst-factor
    rate multiple for burst limiting (a measure of how many packets are allowed through before limiting kicks in; default: 10)
--dns-query-limit-forced
    force query limit on all entities regardless of their configuration
--dns-query-limit-max-rate
    maximum number of queries per second (upper bound guarantee on how quickly packets can arrive)
--dns-query-limit-rate
    average number of queries per second
--dns-reduced-timeout
    percentage (0-99) to which to reduce the timeout of each consecutively dead upstream endpoint (default: 50)
--dns-soa-ttl
    TTL of SOA records
--dns-upstream-dead-threshold
    a threshold of how many consecutively dead upstream endpoints are allowed before they get reported
--dns-upstream-timeout
    timeout in milliseconds for upstream DNS requests
--dns64-subnets
    comma separated list of DNS64 subnets for (un)mapping of IPv4 addresses
--dnssec-request
    request DNSSEC
--domain-name
    domain name for the local network
--dot-listen-port
    default listen port for DoT server
--dot-listener
    comma separated list of either interface names or ipaddress@port/prefix groups (separated by a plus sign) for DoT server
--dtts-access-anchor-name
    DEPRECATED: anchor name for DTTS WAN access rules
--dtts-any-source
    any source IP address will match for a given destination
--dtts-base-anchor-name
    base anchor name for all DTTS related rules
--dtts-bypass-anchor-name
    DEPRECATED: anchor name for DTTS permanent bypass rules
--dtts-check-period
    poll period in seconds to ensure critical DTTS firewall entries are in place
--dtts-default-block-traffic
    block all traffic until authoritative information is received
--dtts-dns-response-delay
    delay in milliseconds before responding to a DNS request after the hole has been created
--dtts-enabler-lookup-type
    enabler lookup type for DTTS (0…slow, 1…medium, 2…fast, default: 0)
--dtts-enablers-anchor-name
    anchor name for where DTTS enablers are stored
--dtts-engine
    engine to power DTTS (default: pftables)
--dtts-extra-ttl
    extra DTTS hole TTL (as percentage by default)
--dtts-extra-ttl-absolute
    makes the extra DTTS hole TTL value absolute in seconds
--dtts-keep-holes-around
    number of seconds to keep DTTS holes around after they expire (holes stay closed)
--dtts-max-ttl
    maximum DNS record TTL in seconds for DTTS purposes
--dtts-min-ttl
    minimum DNS record TTL in seconds for DTTS purposes
--dtts-pseudo-external-subnets
    comma separated list of subnets to be treated as external by DTTS
--dtts-route-advice
    comma separated list of route failover information to be appended to every hole rule in the format: <ip_address>@<interface_name>,…
--dtts-rules-anchor-name
    anchor name for where DTTS rules are stored
--dtts-tag-name
    tag name to append to DTTS rules
--edns0-subnet-accept
    accept EDNS0 subnet information
--edns0-subnet-append
    append EDNS0 subnet information to DNS requests
--enable-dns64
    enable DNS64 handling of DNS requests/responses
--enable-tuntap
    enable automatic creation of tuntap interfaces for non-existent redirect-local (HTTP server) and listen-address (DNS server) addresses
--files-to-monitor
    semi-colon separated list of paths and parsing engines in the format [path,engine]. Available engines: dhcpd_leases,dnsmasq_leases,hosts,resolv,unbound_leases,unbound_entries
--help, -h
    print help message
--http-fallback-always-match
    match against fallback interface even if IP address does not fall under any of its subnets (default: true)
--http-fallback-interface
    fallback interface for providing block page IP addresses
--http-listen-port
    listen port for HTTP server (default: 80)
--http-listener
    comma separated list of either interface names or ipaddress@port/prefix groups (separated by a plus sign) for HTTP server
--http-proxy-subnet
    subnet range for HTTP proxy (10.0.0.0/24)
--http-proxy-tunnel-lifetime
    lifetime of HTTP proxy tunnel in seconds
--https-listen-port
    listen port for HTTPS server (default: 443)
--https-listener
    DEPRECATED: use --http-listener instead
--in-band-mac
    pair this MAC address with IP address in DNS resolution for the purpose of device tracking
--ip4-purge-lifetime
    how many seconds IPv4 addresses attached to a device are considered active
--ip4-purge-recent-keep
    number of most recently active IPv4 addresses to exclude from purging
--ip6-purge-lifetime
    how many seconds IPv6 addresses attached to a device are considered active
--ip6-purge-recent-keep
    number of most recently active IPv6 addresses to exclude from purging
--lan-interfaces
    comma separated list of interfaces used by neighbour discovery
--lock-file
    one instance check lock file name
--log-file
    logging sink file name
--log-files-rotate
    number of log files to rotate, each with the same max file size
--log-level
    available logging levels range from 0 to 6
--log-max-filesize
    maximum log file size in bytes
--mybox-redirect
    your router’s full URL redirect location (https://mybox.management:8080)
--netbios-listen-port
    public NETBIOS listening port
--netbios-reply-port
    NETBIOS broadcast reply-to port
--packet-always-monitor-subnets
    comma separated list of subnets to always packet monitor
--packet-monitor-buffer-size
    set the size of the zerocopy buffer in bytes
--packet-monitor-excluded-discovery-subnets
    comma separated list of subnets excluded from consideration for device discovery
--packet-monitor-history-size
    packet monitor history buffer size for reporting purposes
--packet-monitor-promiscuous
    set monitored interfaces to promiscuous mode
--packet-monitor-subnets
    comma separated list of extra LAN subnets for packet monitoring
--pid-file, -p
    file name to store a process id if running as a service
--prefer-ipv6
    prefer IPv6 in certain scenarios
--private-subnets
    comma separated list of private or non-routable subnets (10.0.0.0/8,::ffff:0:0/96)
--profile-id-doh-path-map
    comma separated list of profile ID to DoH path mappings (ID1:<doh_path1>,ID2:<doh_path2>,…)
--report-period
    send a packet or query report at regular intervals (in seconds, default: 15)
--report-when-history-full
    send a packet or query report when the history is full
--reporter-fqdn, -r
    DEPRECATED: override controller FQDN for reporting purposes
--run-as-user
    name of local user to drop privileges to
--service, -s
    run as a service in the background
--signature-pk-file
    file containing the signature public key
--signature-sk-file
    file containing the signature secret key
--ssl-ca-file
    file containing brain public key in PEM format
--ssl-cert-file
    file containing certificate for relevant SSL/TLS operations in PEM format
--ssl-dh-file
    file containing DH for relevant SSL/TLS operations in PEM format
--ssl-fqdn-file
    file containing fqdn for relevant SSL/TLS operations
--ssl-key-file
    file containing private key for relevant SSL/TLS operations in PEM format
--ssl-key-password-file
    file containing password for supplied private key for relevant SSL/TLS operations
--ssl-system-ca-file
    file containing system certificates in PEM format
--syslog-level
    available syslog levels range from 0 to 6
--tools-fqdns
    tools page FQDNs
--version, -v
    print version information
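As an added example, not part of the original help text or of the adam:ONE project, here is a small Python parser for the --dns-default-endpoints syntax listed above, the kind of check an operator would run over a config before handing it to the binary so that a malformed upstream list fails loudly instead of silently leaving a resolver unreachable. It assumes that @port is mandatory on every target (the documented format shows it on each one) and that DNS targets are IP literals; the class and field names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

HostPort = Tuple[str, int]


@dataclass
class Endpoint:
    targets: List[HostPort]          # the ip1@port1+ip2@port2 part
    block_name: str                  # the trailing ,block_name part
    doh: Optional[HostPort] = None   # the optional leading %doh_fqdn@port,


def _host_port(item: str, what: str) -> HostPort:
    # "@port" appears on every target in the documented format, so it is
    # required here (assumption); rpartition keeps IPv6 colons intact.
    host, sep, port = item.rpartition("@")
    if not sep or not host:
        raise ValueError(f"{what} {item!r} must be written as host@port")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{what} {item!r} has an invalid port")
    return host, int(port)


def parse_dns_default_endpoints(value: str) -> List[Endpoint]:
    """Parse a --dns-default-endpoints value; raise ValueError if malformed."""
    endpoints: List[Endpoint] = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue                 # tolerate a trailing ';'
        parts = entry.split(",")
        doh = None
        if parts[0].startswith("%"):
            doh = _host_port(parts.pop(0)[1:], "DoH endpoint")
        if len(parts) != 2 or not parts[1]:
            raise ValueError(f"expected 'targets,block_name' in {entry!r}")
        targets_raw, block_name = parts
        targets: List[HostPort] = []
        for target in targets_raw.split("+"):
            host, port = _host_port(target, "DNS target")
            ipaddress.ip_address(host)   # targets are IPs; ValueError if not
            targets.append((host, port))
        endpoints.append(Endpoint(targets, block_name, doh))
    return endpoints


# Constructed sample value using documentation addresses, not real resolvers.
SAMPLE = ("%doh.example.net@443,192.0.2.1@53+2001:db8::1@53,upstream-a;"
          "198.51.100.7@5353,upstream-b")
```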