CommonOptions:-v Print version info and exit.
-h Print usage info and exit.
-f Keep running in foreground.
-uuser
Drop privileges and run as user 'user' after setting up tunnel.
-tchrootdir
Chroot to 'chrootdir' after setting up tunnel.
-ddevice
Use the TUN device 'device' instead of the normal one, which is dnsX on Linux and otherwise tunX.
-Ppassword
Use 'password' to authenticate. If not used, stdin will be used as input. Only the first 32
characters will be used.
-zcontext
Apply SELinux 'context' after initialization.
-Fpidfile
Create 'pidfile' and write process id in it.
ClientOptions:-4 Force IPv4 DNS queries
-6 Force IPv6 DNS queries
-r Skip raw UDP mode. If not used, iodine will try getting the public IP address of the iodined host
and test if it is reachable directly. If it is, traffic will be sent to the server instead of the
DNS relay.
-Rrdomain
Use OpenBSD routing domain 'rdomain' for the DNS connection.
-mfragsize
Force maximum downstream fragment size. Not setting this will cause the client to automatically
probe the maximum accepted downstream fragment size.
-Mnamelen
Maximum length of upstream hostnames, default 255. Usable range ca. 100 to 255. Use this option
to scale back upstream bandwidth in favor of downstream bandwidth. Also useful for DNS servers
that perform unreliably when using full-length hostnames, noticeable when fragment size autoprobe
returns very different results each time.
-Tdnstype
DNS request type override. By default, autodetection will probe for working DNS request types,
and will select the request type that is expected to provide the most bandwidth. However, it may
turn out that a DNS relay imposes limits that skew the picture, which may lead to an "unexpected"
DNS request type providing more bandwidth. In that case, use this option to override the
autodetection. In (expected) decreasing bandwidth order, the supported DNS request types are:
NULL, PRIVATE, TXT, SRV, MX, CNAME and A (returning CNAME). Note that SRV, MX and A may/will
cause additional lookups by "smart" caching nameservers to get an actual IP address, which may
either slow down or fail completely. The PRIVATE type uses value 65399 (in the 'private use'
range) and requires servers implementing RFC 3597.
-Odownenc
Force downstream encoding type for all query type responses except NULL. Default is autodetected,
but may not spot all problems for the more advanced codecs. Use this option to override the
autodetection. Base32 is the lowest-grade codec and should always work; this is used when
autodetection fails. Base64 provides more bandwidth, but may not work on all nameservers.
Base64u is equal to Base64 except in using underscore ('_') instead of plus sign ('+'), possibly
working where Base64 does not. Base128 uses high byte values (mostly accented letters in
iso8859-1), which might work with some nameservers. For TXT queries, Raw will provide maximum
performance, but this will only work if the nameserver path is fully 8-bit-clean for responses
that are assumed to be "legible text".
-L0|1 Lazy-mode switch. -L1 (default): Use lazy mode for improved performance and decreased latency. A
very small minority of DNS relays appears to be unable to handle the lazy mode traffic pattern,
resulting in no or very little data coming through. The iodine client will detect this and try to
switch back to legacy mode, but this may not always work. In these situations use -L0 to force
running in legacy mode (implies -I1).
-Iinterval
Maximum interval between requests (pings) so that intermediate DNS servers will not time out.
Default is 4 in lazy mode, which will work fine in most cases. When too many SERVFAIL errors
occur, iodine will automatically reduce this to 1. To get absolute minimum DNS traffic, increase
well above 4, but not so high that SERVFAIL errors start to occur. There are some DNS relays with
very small timeouts, notably dnsadvantage.com (ultradns), that will give SERVFAIL errors even with
-I1; data will still get trough, and these errors can be ignored. Maximum useful value is 59,
since iodined will close a client's connection after 60 seconds of inactivity.
ServerOptions:-c Disable checking the client IP address on all incoming requests. By default, requests originating
from non-matching IP addresses will be rejected, however this will cause problems when requests
are routed via a cluster of DNS servers.
-s Don't try to configure IP address or MTU. This should only be used if you have already configured
the device that will be used.
-D Increase debug level. Level 1 prints info about each RX/TX packet. Implies the -f option. On
level 2 (-DD) or higher, DNS queries will be printed literally. When using Base128 upstream
encoding, this is best viewed as ISO Latin-1 text instead of (illegal) UTF-8. This is easily done
with : "LC_ALL=C luit iodined -DD ..." (see luit(1)).
-mmtu Set 'mtu' as mtu size for the tun device. This will be sent to the client on login, and the
client will use the same mtu for its tun device. Default 1130. Note that the DNS traffic will be
automatically fragmented when needed.
-llisten_ip
Make the server listen only on 'listen_ip' for incoming requests. By default, incoming requests
are accepted from all interfaces.
-pport
Make the server listen on 'port' instead of 53 for traffic. If 'listen_ip' does not include
localhost, this 'port' can be the same as 'dnsport'. Note: You must make sure the dns requests
are forwarded to this port yourself.
-nauto|external_ip
The IP address to return in NS responses. Default is to return the address used as destination in
the query. If external_ip is 'auto', iodined will use externalip.net web service to retrieve the
external IP of the host and use that for NS responses.
-bdnsport
If this port is specified, all incoming requests not inside the tunnel domain will be forwarded to
this port on localhost, to be handled by a real dns. If 'listen_ip' does not include localhost,
this 'dnsport' can be the same as 'port'. Note: The forwarding is not fully transparent, and not
advised for use in production environments.
-imax_idle_time
Make the server stop itself after max_idle_time seconds if no traffic have been received. This
should be combined with systemd or upstart on demand activation for being effective.
ClientArguments:nameserver
The nameserver to use to relay the dns traffic. This can be any relaying nameserver or the server
running iodined if reachable. This field can be given as an IPv4/IPv6 address or as a hostname.
This argument is optional, and if not specified a nameserver will be read from the
/etc/resolv.conf file.
topdomain
The dns traffic will be sent as queries for subdomains under ´topdomain'. This is normally a
subdomain to a domain you own. Use a short domain name to get better throughput. If nameserver is
the iodined server, then the topdomain can be chosen freely. This argument must be the same on
both the client and the server.
ServerArguments:tunnel_ip[/netmask]
This is the server's ip address on the tun interface. The client will be given the next ip number
in the range. It is recommended to use the 10.0.0.0 or 172.16.0.0 ranges. The default netmask is
/27, can be overridden by specifying it here. Using a smaller network will limit the number of
concurrent users.
topdomain
The dns traffic is expected to arrive as queries for subdomains under 'topdomain'. This is
normally a subdomain to a domain you own. Use a short domain name to get better throughput. This
argument must be the same on both the client and the server. Queries for domains other than
'topdomain' will be forwarded when the -b option is given, otherwise they will be dropped.
Install Now
PNG Icons
Emojis