daned
this is a Linux daemon that checks whether a website's TLSA records are valid.
how it works
the OS's DNS queries are captured, passed to the DANE verification function, and, if verification fails, the program shows a warning via notify-send
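as an added illustration of the verification step (this is example code, not daned's own or the huque DANE library's): the core of a DANE check is deriving the association data from the server certificate according to the TLSA record's selector and matching type and comparing it with the record; the names TLSA, tlsaData and selfSignedCert are chosen here, and the certificate is a throwaway self-signed one constructed inline so the example runs offline

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"math/big"
)

// TLSA holds the RDATA of a TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// tlsaData derives the association data for a selector (0 = full DER cert,
// 1 = SubjectPublicKeyInfo) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512).
// ok is false for unknown values, so an unsupported record never matches by accident.
func tlsaData(cert *x509.Certificate, selector, matching uint8) (data []byte, ok bool) {
	var in []byte
	switch selector {
	case 0: in = cert.Raw
	case 1: in = cert.RawSubjectPublicKeyInfo
	default: return nil, false
	}
	switch matching {
	case 0: return in, true
	case 1: sum := sha256.Sum256(in); return sum[:], true
	case 2: sum := sha512.Sum512(in); return sum[:], true
	}
	return nil, false
}

// Matches reports whether cert satisfies r. Usage (0-3) is policy for the
// caller: usages 0 and 1 additionally require normal PKIX chain validation.
func (r TLSA) Matches(cert *x509.Certificate) bool {
	d, ok := tlsaData(cert, r.Selector, r.MatchingType)
	return ok && bytes.Equal(d, r.Data)
}

// selfSignedCert builds a constructed throwaway certificate so the example runs offline.
func selfSignedCert() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

in the daemon the certificate would come from the TLS handshake and the TLSA record from a DNSSEC-validated answer; a record from an unsigned zone proves nothing.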

why?
nothing supported DANE directly, and I wanted to create a toy to play with
installation & dependencies
install Go 1.25.x, libpcap and socat, and possibly notify-send; your DNS resolver must support DNSSEC
git clone https://git.chadpug.org/arthur/daned
make && make install && make install-systemd # don't worry, make uninstall is available; files are installed in /etc/systemd/system and /usr/local/bin
configuration
daned reads its configuration from environment variables. available ones:
mandatory:
USERNAME - user who will receive notifications
INTERFACE - interface on which program should intercept DNS requests
optional:
CACHETTL - cache "time to live"; default 15 mins
you can edit these values in daned.service, or pass them directly to the program
example:
USERNAME=bob INTERFACE=eth0 CACHETTL=5 ./daned
starting the program
systemctl enable --user --now notify-agent-daned # as regular user who will receive notifications
systemctl enable --now daned # as root, though it's possible to use CAP_NET_ADMIN
and you're good to go :)
note: this probably creates new security vulnerabilities instead of fixing existing ones, so please don't consider using it seriously
credits:
- https://www.huque.com/ for his great DANE Go library
- https://github.com/google/gopacket for packet capturing capabilities