shibari
Software
skarnet.org

The shibari-server-udp program

shibari-server-udp is a long-lived process. It binds to a UDP socket, then answers DNS queries it receives, until it is killed.

The goal of shibari-server-udp, at the moment, is to be a drop-in replacement for the tinydns program, while being more maintainable.

Interface 

     shibari-server-udp [ -U ] [ -v verbosity ] [ -d notif ] [ -f tdbfile ] [ -w wtimeout ] [ -i rulesdir ] [ -x rulesfile ] [ -p port ] ip

Exit codes

0
Clean exit. shibari-server-udp received a SIGTERM and exited.
100
Bad usage. shibari-server-udp was run in an incorrect way: typically bad command line options.
101
Cannot happen. This signals a bug in shibari-server-udp, and comes with an error message asking you to report the bug. Please do so, on the skaware mailing-list.
102
Misconfiguration. shibari-server-udp found something in its DNS data file that it does not like.
111
System call failed. This usually signals an issue with the underlying operating system.

Options

-U
Drop privileges. shibari-server-udp will expect the UID and GID environment variables to contain a suitable uid and gid, and will change to this uid and gid after binding its socket.
-v verbosity
Be more or less verbose. A verbosity of 0 means no warnings, no logs, only error messages. 1 means warnings and terse logs. 2 or more means more logs. Default is 1.
-d notif
Write a newline to file descriptor notif, then close it, when shibari-server-udp has bound its socket, opened its file, and is ready to serve. This is the s6 readiness notification mechanism. By default, when this option isn't given no readiness notification is sent.
-f tdbfile
Read DNS data from tdbfile. The default is data.cdb, in the current working directory of the shibari-server-udp process.
-w wtimeout
Write timeout. If shibari-server-udp is unable to send its answer in wtimeout milliseconds, which means the network is congested, give up and go back to listening to other queries. The default is 0, which means infinite: shibari-server-udp will wait forever until the network decongests in order to send its answer (which may prevent it from servicing other queries).
-i rulesdir
Use rulesdir as a filesystem-based access rules database: ignore any message whose originating IP address isn't explicitly allowed. The access rules database is also used to get client location information. If something in rulesdir changes while shibari-server-udp is running, it will immediately pick up the change.
-x rulesfile
Use rulesfile as a cdb access rules database, see description of -i above. -i and -x are equivalent; you can switch between rulesdir and rulesfile via the s6-accessrules-cdb-from-fs and s6-accessrules-fs-from-cdb programs. The cdb format is more efficient but more static than the filesystem format. If rulesfile changes while shibari-server-udp is running, it will continue to use the old data until it receives a SIGHUP.
-p port
Binds to port port. Default is 53.

Client location

shibari-server-udp ignores client location information given as %lo:ipprefix lines in the file created by tinydns-data. Instead, it reads client location information in LOC definitions present in the rulesdir or rulesfile access rules database. For instance, if you have a %lo:1.2.3 line in your text data file, meaning that clients whose IP address is in the 1.2.3.0/24 IPv4 range are identified with the lo location and that DNS data entries ending with :lo are visible to them, you need to translate this information into the accessrules format. Your rulesdir must contain the following files:

(To use the -x option instead, you'd do the same, then run s6-accessrules-cdb-from-fs rulesfile rulesdir to compile the information into rulesfile.)

Notes