This article covers the technical features of the multi-platform binary anmuscle, version 4.5.3 and up. See knowledge base article for (v3) anmgr separately.
adam:ONE is software that runs on gateways, and in some instances as standalone. It features a web server as well as a fully-functional forwarding DNS server, designed for use on internal networks. It also interacts directly with the host’s firewall environment for the purposes of DTTS (Don’t Talk To Strangers) as a way of making DNS filtering leak-proof.
usage = ./adamnetmuscle [options]
–authenticated-clients
semi-colon separated list of client-id,client-pk–block-private
block private IP addresses in DNS responses as per RFC1918–box-id
override automatic box id detection–brain-address
override controller ipaddress@port–brain-fqdn, -b
override controller FQDN–cname-checking
specify a way to check cnames against lists: none, all, allowlistonly,
blocklistonly. This overrides a controller setting.–config-file, -c
file full of config options–critical-fqdns
comma separated list of critical fqdns which should always be accessible–disable-arp
disable ARP discovery (default: false)–disable-autorestart
disable automatic restart on an irrecoverable error–disable-brain
disable brain service–disable-cname-flattening
disable CNAME flattening–disable-default-upstream
disable using of default upstream until profiles are retrieved–disable-environmental-features
disable all features affecting operating system–disable-nd
disable ND discovery (default: false)–disable-netbios
disable Netbios discovery (default: false)–disable-packet-monitor
disable packet monitoring–disable-private-subnets-blocking
disable blocking of private or non-routable IP addresses–disable-reporter
disable reporter service–disable-sd
disable SD (MDNS) discovery (default: false)–disable-test-resolution
disable automatic DNS resolution of the test domain–dns-a-ttl
TTL of A/AAAA records for blocked answers–dns-cache-size, -d
number of unique DNS queries to cache–dns-default-blocks
semi-colon separated list of default DNS blocks in the format
[name,type,additional_data] where type can be subnets of nxdomain–dns-default-endpoints
semi-colon separated list of default DNS endpoints in the format
[%doh_fqdn@port,]ip1@port1+ip2@port2,block_name–dns-default-operation-mode
optimized (default) or harmonized–dns-enable-port-obfuscation
obfuscate ports for outgoing DNS requests–dns-history-size
DNS history buffer size for data logger–dns-listen-port
default listen port for DNS server–dns-listener
comma separated list of either interface names or ipaddress@port pairs for
DNS server–dns-max-fastest-solo-uses
maximum number of times a fastest target will be chosen before others get
re-queried (default: 10)–dns-max-recursions
maximum number of recursions (default: 10)–dns-minimum-reduced-timeout
lowest reduced timeout in milliseconds (default: 20)–dns-query-limit-buckets
number of buckets to enable burst in rate limiter–dns-query-limit-rate
maximum number of queries per second–dns-reduced-timeout
percentage (0-99) to which to reduce a timeout of eachconsecutively dead
upstream endpoint (default: 50)–dns-soa-ttl
TTL of SOA records–dns-upstream-timeout
timeout in milliseconds for upstream DNS requests–dns64-subnets
comma separated list of DNS64 subnets for (un)mapping of IPv4 addresses–dnssec-request
request DNSSEC–doh-listen-port
default listen port for DoH server–doh-listener
comma separated list of either interface names or ipaddress@port pairs for
DoH server, supports HTTP2 (HTTP1.1 not supported)–domain-name
domain name for the local network–dot-listen-port
default listen port for DoT server–dot-listener
comma separated list of either interface names or ipaddress@port pairs for
DoT server–dtts-access-chain-name
chain name for DTTS access rules–dtts-access-dst-set-name
DTTS nftables set name for controller IP addresses lookup–dtts-access-ipset4-name
IPv4 ipset name for DTTS access rules–dtts-access-ipset6-name
IPv6 ipset name for DTTS access rules–dtts-access-src-set-name
DTTS nftables set name for blocked WAN access lookup–dtts-any-source
any source IP address will match for a given destination–dtts-block-chain-name
chain name for DTTS block rules–dtts-check-period
poll period in seconds to ensure critical DTTS firewall entries are in place–dtts-dns-response-delay
delay in milliseconds before responding to DNS request after hole has been
created–dtts-engine
engine to power DTTS (default: iptables)–dtts-establish-chain-name
chain name for DTTS establish rules–dtts-extra-ttl
extra DTTS hole TTL in percents–dtts-max-ttl
maximum DNS record TTL in seconds for DTTS purposes–dtts-min-ttl
minimum DNS record TTL in seconds for DTTS purposes–dtts-nfqueue-id
DTTS NFQUEUE id–dtts-reject-chain-name
chain name for DTTS reject rules–dtts-server-address
ipaddress@port (TCP) or path (UNIX) of DTTS server–dtts-table-name
table name for DTTS nftables–dtts-use-inet-table
use nftables inet table type, if enabled, access set names will be postfixed
with _v4 and _v6 respectively–edns0-subnet-accept
accept EDNS0 subnet information–edns0-subnet-append
append EDNS0 subnet information to DNS requests–enable-dns64
enable DNS64 handling of DNS requests/responses–enable-tuntap
enable automatic creation of tuntap interfaces for non-existent
redirect-local (HTTP server) and listen-address (DNS server) addresses–files-to-monitor
semi-colon separated list of paths and parsing engines in the format
[path,engine]. Available options:
dhcpd_leases,dnsmasq_leases,hosts,resolv,unbound_leases,unbound_entries–help, -h
print help message–http-fallback-always-match
match against fallback interface even if IP address does not fall under any
of its subnets–http-fallback-interface
fallback interface for providing block page IP addresses–http-listen-port
default listen port for HTTP server–http-listener
comma separated list of either interface names or ipaddress@port pairs for
HTTP server–http-proxy-subnet
subnet range for HTTP proxy (10.0.0.0/24)–http-proxy-tunnel-lifetime
lifetime of HTTP proxy tunnel in seconds–in-band-mac
pair this MAC address with IP address in DNS resolution for the purpose of
device tracking–ip4-purge-lifetime
how many seconds are IPv4 addresses attached to a device considered active–ip4-purge-recent-keep
number of most recently active IPv4 addresses to exclude from purging–ip6-purge-lifetime
how many seconds are IPv6 addresses attached to a device considered active–ip6-purge-recent-keep
number of most recently active IPv6 addresses to exclude from purging–lan-interfaces
comma separated list of interfaces used by neighbour discovery–lock-file
one instance check lock file name–log-file
logging sink file name–log-files-rotate
number of log files to rotate each with same max file size–log-level
available logging levels range from 0 to 6–log-max-filesize
maximum log file size in bytes–mybox-redirect
your router’s full URL redirect location (https://mybox.management:8080)–netbios-listen-port
public NETBIOS listening port–netbios-reply-port
NETBIOS broadcast reply-to port–packet-monitor-history-size
packet monitor history buffer size for reporting purposes–packet-monitor-promiscuous
set monitored interfaces to promiscuous mode–pid-file, -p
file name to store a process id if running as a service–prefer-ipv6
prefer IPv6 in certain scenarios–private-subnets
comma separated list of private or non-routable subnets
(10.0.0.0/8,::ffff:0:0/96)–reporter-fqdn, -r
override controller FQDN for reporting purposes–run-as-user
name of local user to drop privileges to–service, -s
run as a service in the background–signature-pk-file
file containing the signature public key–signature-sk-file
file containing the signature secret key–ssl-ca-file
file containing brain public key in PEM format–ssl-cert-file
file containing certificate for relevant SSL/TLS operations in PEM format–ssl-dh-file
file containing DH for relevant SSL/TLS operations in PEM format–ssl-domain-name
domain name for relevant SSL/TLS operations in PEM format–ssl-key-file
file containing private key for relevant SSL/TLS operations in PEM format–ssl-key-password
password for supplied private key for relevant SSL/TLS operations–ssl-system-ca-file
file containing system certificates in PEM format–tools-fqdn
tools page FQDN–version, -v
print version information–vpn-interface
VPN interface for some controller communication