File README.SUSE of Package adns.15332

ADNS

From the Homepage:

Advanced, easy to use, asynchronous-capable DNS client library and utilities.
adns is a resolver library for C (and C++) programs, and a collection of useful 
DNS resolver utilities.

I'm (Ian) afraid there is no manual yet. However, competent C programmers should
be able to use the library based on the commented adns.h header file, and
the usage messages for the programs should be sufficient.

adns also comes with a number of utility programs for use from the command
line and in scripts:

    * adnslogres is a much faster version of Apache's logresolv program.

    * adnsresfilter is a filter which copies its input to its output,
      replacing IP addresses by the corresponding names, without unduly
      delaying the output. For example, you can usefully pipe the
      output of netstat -n, tcpdump -ln, and the like, into it.

    * adnshost is a general-purpose DNS lookup utility which can be used easily
      in from the command line and from shell scripts to do simple lookups.
      In a more advanced mode it can be used as a general-purpose DNS helper
      program for scripting languages which can invoke and communicate with
      subprocesses. See the adnshost usage message for a summary of its capabilities.

From the INSTALL file:

    SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

    adns is not a `full-service resolver': it does no caching of responses
    at all, and has no defence against bad nameservers or fake packets
    which appear to come from your real nameservers.  It relies on the
    full-service resolvers listed in resolv.conf to handle these tasks.

    For secure and reasonable operation you MUST run a full-service
    nameserver on the same system as your adns applications, or on the
    same local, fully trusted network.  You MUST only list such
    nameservers in the adns configuration (eg resolv.conf).

    You MUST use a firewall or other means to block packets which appear
    to come from these nameservers, but which were actually sent by other,
    untrusted, entities.

    Furthermore, adns is not DNSSEC-aware in this version; it doesn't
    understand even how to ask a DNSSEC-aware nameserver to perform the
    DNSSEC cryptographic signature checking.

In particular, adns does not randomize the query source port or transaction ID;
relevant advisories are CVE-2008-1447 and CVE-2008-4100.  Since adns is a stub
resolver, the workarounds listed in DSA-1605-1 for glibc also apply to adns.
openSUSE Build Service is sponsored by