.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "KADNODE" "1" "October 2024" "mwarning" "Kadnode Manual"
.
.SH "NAME"
\fBkadnode\fR \- P2P name resolver daemon
.
.SH "SYNOPSIS"
\fBkadnode\fR [\-\-announce \e\fIdomain\e\fR] [\-\-daemon] [\.\.\.]
.
.P
\fBkadnode\-ctl\fR [\.\.\.]
.
.SH "DESCRIPTION"
\fBKadNode\fR is a small P2P DNS resolver\. It supports authentication based on x509 certificates and public key queries as base32 and hexadecimal strings\.
.
.SH "JOIN THE SWARM"
KadNode needs to know at least one active peer to join / bootstrap into the swarm\. There are three ways to achieve this:
.
.IP "1." 4
Provide one or more peers to the command line arguments\. These could be public BitTorrent trackers, or other KadNode instances: \fBkadnode \-\-peer bttracker\.debian\.org \-\-peer 192\.168\.1\.1\fR
.
.IP "2." 4
Ping a peer using the KadNode console if present: \fBkadnode\-ctl dht\-ping bttracker\.debian\.org\fR
.
.IP "3." 4
Use the local peer discovery feature\. Just start KadNode and it will try to discover other KadNode nodes in the local network\.
.
.IP "" 0
.
.P
Also provide a \fB\-\-peerfile\fR argument to let KadNode load its peerlist on startup and store on every 24h and shutdown\. This ensures successful bootstrapping on next startup\.
.
.SH "AUTHENTICATION"
KadNode provides two authentication schemes\. One works via x509 certificates and TLS\. The other one uses raw secret/public keys and is hence called bob\.
.
.SS "Via TLS"
Typically there are two KadNode instances involved\.
.
.P
One node announces a domain, e\.g\. mynode\.p2p\. The other node looks for the IP address of the announcing node\. Authentication happens via TLS, which in turn uses X509 certificates\.
.
.IP "" 4
.
.nf

kadnode \-\-announce mynode\.p2p \-\-tls\-server\-cert mynode\.crt,mynode\.key
.
.fi
.
.IP "" 0
.
.P
As an alternative, ownership can be proven using an HTTPS server running on the same host\. In this case, KadNode itself does not need certificates, but needs to announce the HTTPS port:
.
.IP "" 4
.
.nf

kadnode \-\-announce mynode\.p2p:443
.
.fi
.
.IP "" 0
.
.P
The other node doing the lookup for mynode\.p2p needs to have access to the root certificate that has been used to sign mynode\.crt\. These can be a common web browsers certificates:
.
.IP "" 4
.
.nf

kadnode \-\-tls\-client\-cert /usr/share/ca\-certificates/mozilla
.
.fi
.
.IP "" 0
.
.P
Own certificates authorities can be created and used, of course\.
.
.P
Note: \fB\-\-announce\fR is optional in many cases as domains from certificate and key files are announced automatically\.
.
.SS "Via BOB"
First create an elliptic curve secret key file:
.
.IP "" 4
.
.nf

kadnode \-\-bob\-create\-key mysecretkey\.pem
Generating secp256r1 key pair\.\.\.
Public key: c492192ac20144ed2a43d57e7239f5ef5f6bb418a51600980e55ff565cc916a4
Wrote secret key to mysecretkey\.pem
.
.fi
.
.IP "" 0
.
.P
Now make the secret key load on KadNode startup: \fBkadnode \-\-bob\-load\-key mysecretkey\.pem\fR
.
.P
Any reachable node can now resolve \fBc492192ac20144ed2a43d57e7239f5ef5f6bb418a51600980e55ff565cc916a4\.p2p\fR to the IP address of the announcing host\. There is no need to share any additional information beforehand\.
.
.SH "No Authentication"
KadNode also allows to just lookup a hexadecimal string and to get IP addresses as return\. This is the plain use of the DHT\. The hexadecimal string will be cut down or filled up with zeros internally to fit the size the DHT uses (currently 20 bytes)\.
.
.SH "OPTIONS"
.
.IP "\(bu" 4
\fB\-\-announce\fR \fIdomain[:port]\fR
.
.br
Announce a domain and an optional port via the DHT\.
.
.br
This option may occur multiple times\.
.
.IP "\(bu" 4
\fB\-\-peerfile\fR \fIfile\fR
.
.br
Import peers for bootstrapping and write good peers
.
.br
to this file every 24 hours and on shutdown\.
.
.IP "\(bu" 4
\fB\-\-user\fR \fIname\fR
.
.br
Change the UUID after start\.
.
.IP "\(bu" 4
\fB\-\-port\fR \fIport\fR
.
.br
Bind the DHT to this port\.
.
.br
Default: \fB6881\fR
.
.IP "\(bu" 4
\fB\-\-config\fR \fIfile\fR
.
.br
Provide a configuration file with one command line
.
.br
option on each line\. Comments start after \'#\'\.
.
.IP "\(bu" 4
\fB\-\-ifname\fR \fIinterface\fR
.
.br
Bind to this specific interface\.
.
.IP "\(bu" 4
\fB\-\-dht\-isolation\-prefix\fR \fIprefix\fR
.
.br
Only peer with nodes that use the same prefix (base16)\.
.
.br
This allows an isolated swarm of selected nodes\.
.
.IP "\(bu" 4
\fB\-\-fwd\-disable\fR
.
.br
Disable UPnP/NAT\-PMP to forward router ports\.
.
.IP "\(bu" 4
\fB\-\-daemon\fR
.
.br
Run in background\.
.
.IP "\(bu" 4
\fB\-\-query\-tld\fR \fIdomain\fR
.
.br
Top level domain used to filter queries to be resolved by KadNode\.
.
.br
Default: \fBp2p\fR
.
.IP "\(bu" 4
\fB\-\-verbosity\fR \fIlevel\fR
.
.br
Verbosity level quiet, verbose or debug\.
.
.br
Default: \fBverbose\fR
.
.IP "\(bu" 4
\fB\-\-pidfile\fR \fIfile\-path\fR
.
.br
Write process pid to a file\.
.
.IP "\(bu" 4
\fB\-\-lpd\-disable\fR
.
.br
Disable Local Peer Discovery (LPD)\.
.
.IP "\(bu" 4
\fB\-\-cmd\-disable\-stdin\fR
.
.br
Disable the local control interface\.
.
.IP "\(bu" 4
\fB\-\-cmd\-path\fR \fIpath\fR
.
.br
Bind the remote control interface to a unix socket\.
.
.br
Default: \fB/tmp/kadnode/kadnode_cmd\.sock\fR
.
.IP "\(bu" 4
\fB\-\-dns\-port\fR \fIport\fR
.
.br
Bind the DNS server interface to this local port\.
.
.br
Default: \fB3535\fR
.
.IP "\(bu" 4
\fB\-\-dns\-server\fR \fIaddress\fR
.
.br
IP address of an external DNS server\. Enables DNS proxy mode\.
.
.br
Default: disabled
.
.IP "\(bu" 4
\fB\-\-dns\-proxy\-enable\fR
.
.br
Enable DNS proxy mode\. Uses /etc/resolv\.conf by default\.
.
.IP "\(bu" 4
\fB\-\-dns\-proxy\-server\fR \fIip\-address\fR
.
.br
Use IP address of an external DNS server instead of /etc/resolv\.conf\.
.
.IP "\(bu" 4
\fB\-\-nss\-path\fR \fIpath\fR
.
.br
Bind the "Name Service Switch" to a unix socket\.
.
.br
Default: \fB/tmp/kadnode/kadnode_nss\.sock\fR
.
.IP "\(bu" 4
\fB\-\-tls\-client\-cert\fR \fIpath\fR
.
.br
Path to file or folder of CA root certificates\.
.
.br
This option may occur multiple times\.
.
.IP "\(bu" 4
\fB\-\-tls\-server\-cert\fR \fIpath\fR,\fIpath\fR
.
.br
Add a comma separated server certificate file path and key file path\.
.
.br
This option may occur multiple times\.
.
.br
Example: \fBkadnode\.crt,kadnode\.key\fR
.
.IP "\(bu" 4
\fB\-\-bob\-create\-key\fR \fIfile\fR
.
.br
Write a new secp256r1 secret key in PEM format to the file\.
.
.br
The public key will be printed to the terminal before exit\.
.
.IP "\(bu" 4
\fB\-\-bob\-load\-key\fR \fIfile\fR
.
.br
Read a secret key in PEM format and announce the public key\.
.
.br
This option may occur multiple times\.
.
.IP "\(bu" 4
\fB\-\-ipv4, \-4\fR
.
.br
Enable IPv4 only mode for the DHT\.
.
.IP "\(bu" 4
\fB\-\-ipv6, \-6\fR
.
.br
Enable IPv6 only mode for the DHT\.
.
.IP "\(bu" 4
\fB\-h\fR, \fB\-\-help\fR
.
.br
Print the list of accepted options\.
.
.IP "\(bu" 4
\fB\-v\fR, \fB\-\-version\fR
.
.br
Print program version and included features\.
.
.IP "" 0
.
.SS "KadNode Console Commands"
When not started in background, KadNode accepts a variety of commands from standard input\.
.
.IP "\(bu" 4
\fBstatus\fR
.
.br
Print various status information\. This includes DHT identifier,
.
.br
uptime, traffic, number of searches and announcements\.
.
.IP "\(bu" 4
\fBlookup\fR \fIquery\fR
.
.br
Lookup a domain, base16 or base32 string\.
.
.br
The \.p2p TLD is optional\.
.
.IP "\(bu" 4
\fBannounce\-start\fR \fIquery\fR[\fI:\fIport\fR\fR]
.
.br
Start to announce a query\.
.
.IP "\(bu" 4
\fBannounce\-stop\fR \fIquery\fR
.
.br
Remove an announcement\.
.
.IP "\(bu" 4
\fBannouncements\fR
.
.br
List all announcements\.
.
.IP "\(bu" 4
\fBsearches\fR
.
.br
List all searches\.
.
.IP "\(bu" 4
\fBbob\-keys\fR
.
.br
List bob keys\.
.
.IP "\(bu" 4
\fBhelp\fR
.
.br
Print detailed help\.
.
.IP "" 0
.
.P
Internal commands:
.
.IP "\(bu" 4
\fBport\-forwardings\fR
.
.br
List the port forwardings
.
.IP "\(bu" 4
\fBconstants\fR
.
.br
List internal constants\.
.
.IP "" 0
.
.P
DHT specific commands:
.
.IP "\(bu" 4
\fBdht\-ping\fR \fIip\-address\fR[\fI:\fIport\fR\fR]
.
.br
Ping another DHT peer\. Can be used to bootstrap\.
.
.IP "\(bu" 4
\fBdht\-blocklist\fR
.
.br
List blocked IP addresses\.
.
.IP "\(bu" 4
\fBdht\-peers\fR
.
.br
Print IP addresses of all peers\.
.
.IP "\(bu" 4
\fBdht\-buckets\fR|\fBdht\-searches\fR|\fBdht\-storage\fR
.
.br
Print various DHT internal data structures\.
.
.IP "" 0
.
.SH "KadNode External Console"
KadNode allows a limited set of commands to be sent from any user from other consoles\.
.
.P
\fBkadnode\-ctl\fR [\-p path] [status|lookup|\.\.\.]
.
.IP "\(bu" 4
\fB\-p\fR \fIpath\fR
.
.br
Unix socket used to connect to the command shell of a local KadNode instance (Default: /tmp/kadnode\.sock)\.
.
.IP "\(bu" 4
\fB\-h\fR
.
.br
Print this help\.
.
.IP "" 0
.
.SH "Name Service Switch (NSS)"
Kadnode can intercept system\-wide DNS lookups via NSS\. This is need to be able to use kadnode links in the web browser or for command line tools like ssh\. For this, \fB/etc/nsswitch\.conf\fR need to be configured:
.
.IP "\(bu" 4
Copy libnss_kadnode\.so\.2 to /lib/\. Other libnss_*\.so files are likely to be there as well\.
.
.IP "\(bu" 4
Edit \fB/etc/nsswitch\.conf\fR to include \fBkadnode\fR in the \fBhosts:\fR line before entry \fBdns\fR: \fBhosts: kadnode dns\fR
.
.IP "" 0
.
.SH "Automatic Port Forwarding"
If KadNode runs on a computer in a private network, it will try to establish a port forwarding for the DHT port and ports used for announcements\. Port forwarding only works if UPnP/NAT\-PMP is compiled into KadNode (features "natpmp" and "upnp") and it is enabled by the gateway/router\. This is useful to make a local service (e\.g\. a web server) reachable from the Internet without the need to configure port forwardings manually\.
.
.SH "Compile Time Features"
The KadNode version is followed by a list of the features that were compiled in\. E\.g\.:
.
.IP "" 4
.
.nf

$ kadnode \-v
kadnode 2\.4\.0 ( bob cmd debug dns lpd nss tls )
.
.fi
.
.IP "" 0
.
.IP "\(bu" 4
\fBbob\fR: Support for simple public key authentication (secp256r1)\.
.
.IP "\(bu" 4
\fBcmd\fR: Remote command line support (\fBkadnode\-ctl\fR)\.
.
.IP "\(bu" 4
\fBdebug\fR: Enable debug support\. For development only\.
.
.IP "\(bu" 4
\fBdns\fR: KadNode offers a local DNS server interfaces\.
.
.IP "\(bu" 4
\fBlpd\fR: Local Peer Discovery\. Find DHT clients on the local network\.
.
.IP "\(bu" 4
\fBnss\fR: Name Service Switch\. Needed to intercept queries on the system level\.
.
.IP "\(bu" 4
\fBtls\fR: Transport Layer Security support\. Authenticate via HTTPS\.
.
.IP "" 0
.
.SH "LICENSE"
MIT/X11
