-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathpfresolved.8
140 lines (140 loc) · 4.2 KB
/
pfresolved.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
.\" $OpenBSD$
.\"
.\" Copyright (c) 2024 genua GmbH <[email protected]>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate$
.Dt PFRESOLVED 8
.Os
.Sh NAME
.Nm pfresolved
.Nd resolve hostnames using DNS and update pf tables
.Sh SYNOPSIS
.Nm
.Op Fl dnTv
.Op Fl A Ar trust_anchor_file
.Op Fl C Ar cert_bundle_file
.Op Fl f Ar file
.Op Fl h Ar hints_file
.Op Fl i Ar outbound_ip
.Op Fl M Ar seconds
.Op Fl m Ar seconds
.Op Fl r Ar resolver
.Op Fl S Ar dnssec_level
.Op Fl s Ar socket
.Sh DESCRIPTION
.Nm pfresolved
is a daemon which resolves hostnames using DNS and updates
.Xr pf 4
tables with the result.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl A Ar trust_anchor_file
Path to a file containing the trust anchors used for DNSSEC validation.
The file can contain both DS and DNSKEY entries in the standard DNS
zone file format.
.It Fl C Ar cert_bundle_file
Path to a file containing certificates that are used to authenticate
resolvers if DNS-over-TLS is enabled.
.It Fl d
Do not daemonize and log to
.Em stderr .
.It Fl f Ar file
The config file to use.
Default is
.Pa /etc/pfresolved.conf .
.It Fl h Ar hints_file
Path to a file that is filled with the latest resolve results.
The file is written when
.Nm
receives a
.Dv SIGHUP ,
.Dv SIGUSR1 ,
.Dv SIGINT ,
or
.Dv SIGTERM .
.It Fl i Ar outbound_ip
IP address that is used to connect to resolvers.
.It Fl M Ar seconds
Minimum time in seconds to wait between consecutive successful
resolve requests for a host.
Default is 10 seconds.
.It Fl m Ar seconds
Maximum time in seconds to wait between consecutive successful
resolve requests for a host.
Default is 86400 seconds.
.It Fl n
Only check the configuration file for validity and then exit.
.It Fl r Ar resolver
IP address of the recursive resolver that DNS requests should be
forwarded to.
To use a port other than 53 append '@' and the port number.
If DNS-over-TLS is used a '#' and a name can be appended, then the
certificate will be authenticated with the given name.
Using '#' requires first specifying the port with '@'.
.Pp
This option can be given multiple times to configure multiple
resolvers.
.It Fl S Ar dnssec_level
Used to configure DNSSEC.
Levels above 0 require that a valid trust anchor is
configured with
.Fl A .
.Pp
Possible levels are:
.Bl -tag -width 0
.It 0
DNSSEC is disabled.
.It 1
DNSSEC is enabled but validation failures are only warned about and
otherwise ignored.
.Pp
Note: This option can actually be less restrictive than disabling
DNSSEC if the configured resolvers do DNSSEC validation themselves.
If validation fails on the resolver and DNSSEC is disabled the
queries will be answered with SERVFAIL causing the resolve to just
fail.
If DNSSEC is enabled the queries would be sent again, this time
asking the resolver to disable DNSSEC validation.
This gives
.Nm
the option to do the DNSSEC validation itself and allows ignoring
validation failures.
.It 2
DNSSEC is enabled and validation failures cause the query result
to be discarded.
Results from zones that are not signed with DNSSEC are still allowed.
.It 3
DNSSEC is enabled and required for every zone.
Unsigned query results will be discarded.
.El
.It Fl s Ar socket
The control socket to use.
Default is
.Pa /var/run/pfresolved.sock .
.It Fl T
Enable DNS-over-TLS.
The system certificates will be automatically included and used for
authentication unless a certificate bundle is specified using
.Fl C .
.It Fl v
Produce more verbose output.
Can be specified multiple times to increase the verbosity.
.El
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pfresolved.conf 5
.Sh AUTHORS
.An Carsten Beckmann