Lines Matching +full:per +full:- +full:port +full:- +full:set
13 #include-toplevel: "otherfile.conf"
23 # Set to "" or 0 to disable. Default is disabled.
24 # statistics-interval: 0
27 # statistics-interval, every time it also writes stats to the
28 # shared memory segment keyed with shm-key.
29 # shm-enable: no
32 # shm-key: 11777
35 # statistics-cumulative: no
38 # printed from unbound-control. Default off, because of speed.
39 # extended-statistics: no
42 # rpz-actions) from printing if their value is 0.
44 # statistics-inhibit-zero: yes
47 # num-threads: 1
49 # specify the interfaces to answer queries from by ip-address.
52 # specify every interface[@port] on a new 'interface:' labelled line.
62 # interface-automatic: no
64 # instead of the default port, open additional ports separated by
65 # spaces when interface-automatic is enabled, by listing them here.
66 # interface-automatic-ports: ""
68 # port to answer queries from
69 # port: 53
72 # server from by ip-address. If none, the default (all) interface
73 # is used. Specify every interface on a 'outgoing-interface:' line.
74 # outgoing-interface: 192.0.2.153
75 # outgoing-interface: 2001:DB8::5
76 # outgoing-interface: 2001:DB8::6
80 # outgoing-interface: 2001:DB8::/64
81 # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
82 # And: ip -6 route add local 2001:db8::/64 dev lo
83 # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
84 # Set this to yes to prefer ipv6 upstream servers over ipv4.
85 # prefer-ip6: no
88 # prefer-ip4: no
90 # number of ports to allocate per thread, determines the size of the
91 # port range that can be open simultaneously. About double the
92 # num-queries-per-thread, or, use as many as the OS will allow you.
93 # outgoing-range: 4096
95 # permit Unbound to use this port number or port range for
97 # outgoing-port-permit: 32768
99 # deny Unbound the use of this port number or port range for
101 # Use this to make sure Unbound does not grab a UDP port that some
103 # IANA-assigned port numbers.
104 # If multiple outgoing-port-permit and outgoing-port-avoid options
106 # outgoing-port-avoid: "3200-3208"
108 # number of outgoing simultaneous tcp buffers to hold per thread.
109 # outgoing-num-tcp: 10
111 # number of incoming simultaneous tcp buffers to hold per thread.
112 # incoming-num-tcp: 10
114 # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
116 # so-rcvbuf: 0
118 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
120 # so-sndbuf: 0
124 # so-reuseport: yes
126 # use IP_TRANSPARENT so the interface: addresses can be non-local
127 # and you can config non-existing IPs that are going to work later on
129 # ip-transparent: no
131 # use IP_FREEBIND so the interface: addresses can be non-local
133 # Linux only. On Linux you also have ip-transparent that is similar.
134 # ip-freebind: no
139 # ip-dscp: 0
142 # is set with msg-buffer-size).
143 # edns-buffer-size: 1232
147 # max-udp-size: 1232
150 # stream-wait-size: 4m
154 # msg-buffer-size: 65552
158 # msg-cache-size: 4m
163 # msg-cache-slabs: 4
166 # num-queries-per-thread: 1024
169 # jostle-timeout: 200
171 # msec to wait before close of port on timeout UDP. 0 disables.
172 # delay-close: 0
175 # udp-connect: yes
177 # The number of retries, per upstream nameserver in a delegation, when
179 # outbound-msg-retry: 5
184 # max-sent-count: 32
188 # max-query-restarts: 11
191 # iter-scrub-ns: 20
194 # iter-scrub-cname: 11
197 # max-global-quota: 128
201 # unknown-server-time-limit: 376
204 # discard-timeout: 1900
206 # Max number of replies waiting for recursion per IP address.
207 # wait-limit: 1000
210 # wait-limit-cookie: 10000
212 # Apart from the default, the wait limit can be set for a netblock.
213 # wait-limit-netblock: 192.0.2.0/24 50000
216 # wait-limit-cookie-netblock: 192.0.2.0/24 50000
220 # rrset-cache-size: 4m
225 # rrset-cache-slabs: 4
229 # cache-min-ttl: 0
233 # cache-max-ttl: 86400
236 # cache-max-negative-ttl: 3600
240 # cache-min-ttl applies if configured.
241 # cache-min-negative-ttl: 0
245 # infra-host-ttl: 900
248 # infra-cache-min-rtt: 50
251 # infra-cache-max-rtt: 120000
254 # infra-keep-probing: no
259 # infra-cache-slabs: 4
262 # infra-cache-numhosts: 10000
264 # define a number of tags here, use with local-zone, access-control,
265 # interface-*.
266 # repeat the define-tag statement to add additional tags.
267 # define-tag: "tag1 tag2 tag3"
270 # do-ip4: yes
273 # do-ip6: yes
275 # If running unbound on an IPv6-only host, domains that only have
280 # Consider also enabling prefer-ip6 to prefer native IPv6 connections
282 # do-nat64: no
284 # NAT64 prefix. Defaults to using dns64-prefix value.
285 # nat64-prefix: 64:ff9b::0/96
288 # do-udp: yes
291 # do-tcp: yes
295 # tcp-upstream: no
297 # upstream connections also use UDP (even if do-udp is no).
299 # udp-upstream-without-downstream: no
303 # tcp-mss: 0
307 # outgoing-tcp-mss: 0
310 # tcp-idle-timeout: 30000
313 # edns-tcp-keepalive: no
315 # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
316 # if edns-tcp-keepalive is set.
317 # edns-tcp-keepalive-timeout: 120000
321 # sock-queue-timeout: 0
324 # use-systemd: no
327 # Set the value to "no" when Unbound runs as systemd service.
328 # do-daemonize: yes
337 # deny_non_local (drop queries unless can be answered from local-data)
339 # access-control: 127.0.0.0/8 allow
340 # access-control: ::1 allow
341 # access-control: ::ffff:127.0.0.1 allow
343 # tag access-control with list of tags (in "" with spaces between)
346 # access-control-tag: 192.0.2.0/24 "tag2 tag3"
348 # set action for particular tag for given access control element.
350 # is the first tag match between access-control-tag and local-zone-tag
351 # where "first" comes from the order of the define-tag values.
352 # access-control-tag-action: 192.0.2.0/24 tag3 refuse
354 # set redirect data for particular tag for access control element
355 # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
357 # Set view for access control element
358 # access-control-view: 192.0.2.0/24 viewname
360 # Similar to 'access-control:' but for interfaces.
365 # The actions are the same as 'access-control:' above.
367 # Note: any 'access-control*:' setting overrides all 'interface-*:'
369 # interface-action: 192.0.2.153 allow
370 # interface-action: 192.0.2.154 allow
371 # interface-action: 192.0.2.154@5003 allow
372 # interface-action: 2001:DB8::5 allow
373 # interface-action: eth0@5003 allow
375 # Similar to 'access-control-tag:' but for interfaces.
381 # Note: any 'access-control*:' setting overrides all 'interface-*:'
383 # interface-tag: eth0@5003 "tag2 tag3"
385 # Similar to 'access-control-tag-action:' but for interfaces.
386 # Set action for particular tag for a given interface element.
388 # is the first tag match between interface-tag and local-zone-tag
389 # where "first" comes from the order of the define-tag values.
392 # Note: any 'access-control*:' setting overrides all 'interface-*:'
394 # interface-tag-action: eth0@5003 tag3 refuse
396 # Similar to 'access-control-tag-data:' but for interfaces.
397 # Set redirect data for a particular tag for an interface element.
400 # Note: any 'access-control*:' setting overrides all 'interface-*:'
402 # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
404 # Similar to 'access-control-view:' but for interfaces.
405 # Set view for an interface element.
408 # Note: any 'access-control*:' setting overrides all 'interface-*:'
410 # interface-view: eth0@5003 viewname
437 # if given, user privileges are dropped (after binding port),
450 # Use of this option sets use-syslog to "no".
455 # use-syslog: yes
459 # log-identity: ""
462 # log-time-ascii: no
464 # log timestamp in ISO8601 format if also log-time-ascii is enabled.
465 # (y-m-dTh:m:s.msec[+-]tzhours:tzminutes)
466 # log-time-iso: no
469 # log-queries: no
471 # print one line per reply, with time, IP, name, type, class, rcode,
473 # log-replies: no
476 # filtering log-queries and log-replies from the log.
477 # log-tag-queryreply: no
479 # log with destination address, port and type for log-replies.
480 # log-destaddr: no
482 # log the local-zone actions, like local-zone type inform is enabled
484 # log-local-actions: no
487 # log-servfail: no
494 # root-hints: ""
497 # hide-identity: no
500 # hide-version: no
503 # hide-trustanchor: no
505 # enable to not set the User-Agent HTTP header.
506 # hide-http-user-agent: no
517 # User-Agent HTTP header to use. Leave "" or default to use package name
519 # http-user-agent: ""
522 # series of integers describing the policy per dependency depth.
525 # -1 : fetch all targets opportunistically,
529 # target-fetch-policy: "3 2 1 0 0"
532 # harden-short-bufsize: yes
535 # harden-large-queries: no
538 # harden-glue: yes
540 # Harden against unverified (outside-zone, including sibling zone) glue rrsets
541 # harden-unverified-glue: no
543 # Harden against receiving dnssec-stripped data. If you turn it
546 # Default on, which insists on dnssec data for trust-anchored zones.
547 # harden-dnssec-stripped: yes
549 # Harden against queries that fall under dnssec-signed nxdomain names.
550 # harden-below-nxdomain: yes
555 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
556 # harden-referral-path: no
561 # harden-algo-downgrade: no
565 # harden-unknown-additional: no
568 # privacy. Only send minimum required labels of the QNAME and set QTYPE
570 # qname-minimisation: yes
572 # QNAME minimisation in strict mode. Do not fall-back to sending full
575 # This option only has effect when qname-minimisation is enabled.
576 # qname-minimisation-strict: no
580 # aggressive-nsec: yes
582 # Use 0x20-encoded random bits in the query to foil spoof attempts.
583 # This feature is an experimental implementation of draft dns-0x20.
584 # use-caps-for-id: no
586 # Domains (and domains in them) without support for dns-0x20 and
588 # caps-exempt: "licdn.com"
589 # caps-exempt: "senderbase.org"
594 # Only 'private-domain' and 'local-data' names are allowed to have
596 # private-address: 10.0.0.0/8
597 # private-address: 172.16.0.0/12
598 # private-address: 192.168.0.0/16
599 # private-address: 169.254.0.0/16
600 # private-address: fd00::/8
601 # private-address: fe80::/10
602 # private-address: ::ffff:0:0/96
605 # local-data statements are allowed to contain private addresses too.
606 # private-domain: "example.com"
609 # but also a running total is kept per thread. If it reaches the
613 # unwanted-reply-threshold: 0
616 # List one address per entry. List classless netblocks with /size,
617 # do-not-query-address: 127.0.0.1/8
618 # do-not-query-address: ::1
620 # if yes, the above default do-not-query-address entries are present.
622 # do-not-query-localhost: yes
628 # prefetch-key: no
631 # deny-any: no
634 # rrset-roundrobin: yes
638 # minimal-responses: yes
641 # disable-dnssec-lame-check: no
648 # module-config: "validator iterator"
651 # initial file like trust-anchor-file, then it stores metadata.
652 # Use several entries, one per domain name, to track multiple zones.
654 # If you want to perform DNSSEC validation, run unbound-anchor before
656 # And then enable the auto-trust-anchor-file config item.
657 # Please note usage of unbound-anchor root anchor is at your own risk
659 # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
662 # trust-anchor-signaling: yes
664 # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
665 # root-key-sentinel: yes
668 # with several entries, one file per entry.
670 # Note this gets out of date, use auto-trust-anchor-file please.
671 # trust-anchor-file: ""
675 # Note this gets out of date, use auto-trust-anchor-file please.
677 …# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6…
678 # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
681 # with several entries, one file per entry. Like trust-anchor-file
682 # but has a different file format. Format is BIND-9 style format,
683 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
685 # trusted-keys-file: ""
688 # domain-insecure: "example.com"
691 # Do not set this unless you are debugging signature inception
692 # and expiration. "" or "0" turns the feature off. -1 ignores date.
693 # val-override-date: ""
697 # val-bogus-ttl: 60
700 # by 10% of the signature lifetime (expir-incep) from our local clock.
702 # val-sig-skew-min: 3600
703 # val-sig-skew-max: 86400
707 # val-max-restart: 5
713 # val-clean-additional: yes
720 # val-permissive-mode: no
724 # that set CD but cannot validate themselves.
725 # ignore-cd-flag: no
730 # disable-edns-do: no
732 # Serve expired responses from cache, with serve-expired-reply-ttl in
734 # serve-expired: no
738 # serve-expired-ttl: 0
740 # Set the TTL of expired records to the serve-expired-ttl value after a
744 # serve-expired-ttl-reset: no
747 # serve-expired-reply-ttl: 30
750 # This essentially enables the serve-stale behavior as specified in
754 # serve-expired-client-timeout: 0
761 # serve-original-ttl: no
764 # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
765 # val-log-level: 0
767 # It is possible to configure NSEC3 maximum iteration counts per
771 # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
774 # zonemd-permissive-mode: no
776 # instruct the auto-trust-anchor-file probing to add anchors after ttl.
777 # add-holddown: 2592000 # 30 days
779 # instruct the auto-trust-anchor-file probing to del anchors after ttl.
780 # del-holddown: 2592000 # 30 days
782 # auto-trust-anchor-file probing removes missing anchors after ttl.
784 # keep-missing: 31622400 # 366 days
788 # permit-small-holddown: no
792 # key-cache-size: 4m
797 # key-cache-slabs: 4
801 # neg-cache-size: 1m
804 # reply is built-in. Query traffic is thus blocked. If you
807 # You may also have to use domain-insecure: zone to make DNSSEC work,
809 # local-zone: "localhost." nodefault
810 # local-zone: "127.in-addr.arpa." nodefault
811 # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
812 # local-zone: "home.arpa." nodefault
813 # local-zone: "onion." nodefault
814 # local-zone: "test." nodefault
815 # local-zone: "invalid." nodefault
816 # local-zone: "10.in-addr.arpa." nodefault
817 # local-zone: "16.172.in-addr.arpa." nodefault
818 # local-zone: "17.172.in-addr.arpa." nodefault
819 # local-zone: "18.172.in-addr.arpa." nodefault
820 # local-zone: "19.172.in-addr.arpa." nodefault
821 # local-zone: "20.172.in-addr.arpa." nodefault
822 # local-zone: "21.172.in-addr.arpa." nodefault
823 # local-zone: "22.172.in-addr.arpa." nodefault
824 # local-zone: "23.172.in-addr.arpa." nodefault
825 # local-zone: "24.172.in-addr.arpa." nodefault
826 # local-zone: "25.172.in-addr.arpa." nodefault
827 # local-zone: "26.172.in-addr.arpa." nodefault
828 # local-zone: "27.172.in-addr.arpa." nodefault
829 # local-zone: "28.172.in-addr.arpa." nodefault
830 # local-zone: "29.172.in-addr.arpa." nodefault
831 # local-zone: "30.172.in-addr.arpa." nodefault
832 # local-zone: "31.172.in-addr.arpa." nodefault
833 # local-zone: "168.192.in-addr.arpa." nodefault
834 # local-zone: "0.in-addr.arpa." nodefault
835 # local-zone: "254.169.in-addr.arpa." nodefault
836 # local-zone: "2.0.192.in-addr.arpa." nodefault
837 # local-zone: "100.51.198.in-addr.arpa." nodefault
838 # local-zone: "113.0.203.in-addr.arpa." nodefault
839 # local-zone: "255.255.255.255.in-addr.arpa." nodefault
840 # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
841 # local-zone: "d.f.ip6.arpa." nodefault
842 # local-zone: "8.e.f.ip6.arpa." nodefault
843 # local-zone: "9.e.f.ip6.arpa." nodefault
844 # local-zone: "a.e.f.ip6.arpa." nodefault
845 # local-zone: "b.e.f.ip6.arpa." nodefault
846 # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
847 # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
850 # local-zone: "example.com" ipset
853 # to perform lan-wide lookups to the upstream, and unblock the
854 # long list of local-zones above. If this Unbound is a dns server
857 # unblock-lan-zones: no
859 # The insecure-lan-zones option disables validation for
860 # these zones, as if they were all listed as domain-insecure.
861 # insecure-lan-zones: no
864 # local-zone: <zone> <type>
865 # local-data: "<resource record string>"
882 # o noview breaks out of that view towards global local-zones.
888 # If you configure local-data without specifying local-zone, by
889 # default a transparent local-zone is created for the data.
892 # local-zone: "local." static
893 # local-data: "mycomputer.local. IN A 192.0.2.51"
894 # local-data: 'mytext.local TXT "content of text record"'
897 # local-data: "adserver.example.com A 127.0.0.1"
901 # local-zone: "example.com" redirect
902 # local-data: "example.com A 192.0.2.3"
905 # You can also add PTR records using local-data directly, but then
907 # local-data-ptr: "192.0.2.3 www.example.com"
910 # local-zone-tag: "example.com" "tag2 tag3"
913 # local-zone-override: "example.com" 192.0.2.0/24 refuse
919 # tls-service-key: "path/to/privatekeyfile.key"
920 # tls-service-pem: "path/to/publiccertfile.pem"
921 # tls-port: 853
922 # https-port: 443
923 # quic-port: 853
926 …-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-R…
928 …# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AE…
931 # pad-responses: yes
934 # pad-responses-block-size: 468
938 # tls-use-sni: yes
945 # tls-session-ticket-keys: "path/to/secret_file1"
946 # tls-session-ticket-keys: "path/to/secret_file2"
949 # Default is no. Can be turned on and off with unbound-control.
950 # tls-upstream: no
953 # tls-cert-bundle: ""
956 # tls-win-cert: no
958 # tls-system-cert: no
961 # pad-queries: yes
964 # pad-queries-block-size: 128
966 # Also serve tls on these port numbers (eg. 443, ...), by listing
967 # tls-additional-port: portno for each of the port numbers.
969 # HTTP endpoint to provide DNS-over-HTTPS service on.
970 # http-endpoint: "/dns-query"
973 # http-max-streams: 100
976 # http-query-buffer-size: 4m
979 # http-response-buffer-size: 4m
981 # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
983 # http-nodelay: yes
985 # Disable TLS for DNS-over-HTTP downstream service.
986 # http-notls-downstream: no
989 # quic-size: 8m
991 # The interfaces that use these listed port numbers will support and
993 # proxy-protocol-port: portno for each of the port numbers.
996 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
997 # dns64-prefix: 64:ff9b::0/96
1000 # dns64-ignore-aaaa: "example.com"
1004 # if 0(default) it is disabled, otherwise state qps allowed per zone.
1008 # ratelimit-size: 4m
1010 # ratelimit-slabs: 4
1013 # ratelimit-factor: 10
1017 # ratelimit-backoff: no
1021 # ratelimit-for-domain: example.com 1000
1024 # ratelimit-below-domain: com 1000
1028 # if 0(default) it is disabled, otherwise states qps allowed per ip address
1029 # ip-ratelimit: 0
1033 # if 0(default) it is disabled, otherwise states qps allowed per ip address
1035 # If used, suggested to be higher than ip-ratelimit, tenfold.
1036 # ip-ratelimit-cookie: 0
1039 # ip-ratelimit-size: 4m
1041 # ip-ratelimit-slabs: 4
1044 # ip-ratelimit-factor: 10
1048 # ip-ratelimit-backoff: no
1051 # tcp-connection-limit: 192.0.2.0/24 12
1055 # fast-server-permil: 0
1057 # fast-server-num: 3
1060 # answer-cookie: no
1065 # cookie-secret: <128 bit random hex string>
1067 # File with cookie secrets, the 'cookie-secret:' option is ignored
1070 # cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt"
1075 # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
1078 # ede-serve-expired: no
1081 # --enable-ipsecmod for these to take effect.
1084 # module-config above). Can be used when ipsecmod needs to be
1085 # enabled/disabled via remote-control(below).
1086 # ipsecmod-enabled: yes
1089 # listed in module-config (above).
1090 # ipsecmod-hook: "./my_executable"
1093 # the ipsecmod-hook is not 0.
1094 # ipsecmod-strict: no
1097 # ipsecmod-max-ttl: 3600
1101 # ipsecmod-ignore-bogus: no
1105 # ipsecmod-allow: "example.com"
1106 # ipsecmod-allow: "nlnetlabs.nl"
1109 # tcp-reuse-timeout: 60000
1111 # max-reuse-tcp-queries: 200
1113 # tcp-auth-query-timeout: 3000
1117 # o use --with-pythonmodule to configure before compiling.
1118 # o list python in the module-config string (above) to enable.
1121 # o and give a python-script to run.
1124 # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
1127 # o use --with-dynlibmodule to configure before compiling.
1128 # o list dynlib in the module-config string (above) to enable.
1131 # o and give a dynlib-file to run. If more than one dynlib entry is listed in
1132 # the module-config then you need one dynlib-file per instance.
1135 # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
1138 remote-control:
1139 # Enable remote control with unbound-control(8) here.
1140 # set up the keys and certificates with unbound-control-setup.
1141 # control-enable: no
1145 # set to an absolute path to use a unix local named pipe, certificates
1147 # control-interface: 127.0.0.1
1148 # control-interface: ::1
1150 # port number for remote control operations.
1151 # control-port: 8953
1155 # control-use-cert: "yes"
1158 # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
1161 # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
1163 # unbound-control key file.
1164 # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
1166 # unbound-control certificate file.
1167 # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
1172 # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
1174 # With stub-first yes, it attempts without the stub if it fails.
1175 # Consider adding domain-insecure: name and local-zone: name nodefault
1177 # stub-zone:
1179 # stub-addr: 192.0.2.68
1180 # stub-prime: no
1181 # stub-first: no
1182 # stub-tcp-upstream: no
1183 # stub-tls-upstream: no
1184 # stub-no-cache: no
1185 # stub-zone:
1187 # stub-host: ns.example.com.
1194 # If you enable forward-first, it attempts without the forward if it fails.
1195 # forward-zone:
1197 # forward-addr: 192.0.2.68
1198 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
1199 # forward-first: no
1200 # forward-tcp-upstream: no
1201 # forward-tls-upstream: no
1202 # forward-no-cache: no
1203 # forward-zone:
1205 # forward-host: fwd.example.com
1214 # With allow-notify: you can give additional (apart from primaries and urls)
1216 # auth-zone:
1218 # primary: 170.247.170.2 # b.root-servers.net
1219 # primary: 192.33.4.12 # c.root-servers.net
1220 # primary: 199.7.91.13 # d.root-servers.net
1221 # primary: 192.5.5.241 # f.root-servers.net
1222 # primary: 192.112.36.4 # g.root-servers.net
1223 # primary: 193.0.14.129 # k.root-servers.net
1226 # primary: 2801:1b8:10::b # b.root-servers.net
1227 # primary: 2001:500:2::c # c.root-servers.net
1228 # primary: 2001:500:2d::d # d.root-servers.net
1229 # primary: 2001:500:2f::f # f.root-servers.net
1230 # primary: 2001:500:12::d0d # g.root-servers.net
1231 # primary: 2001:7fd::1 # k.root-servers.net
1234 # fallback-enabled: yes
1235 # for-downstream: no
1236 # for-upstream: yes
1237 # auth-zone:
1239 # for-downstream: yes
1240 # for-upstream: yes
1241 # zonemd-check: no
1242 # zonemd-reject-absence: no
1247 # the access-control-view option. Views can contain zero or more local-zone
1248 # and local-data options. Options from matching views will override global
1250 # With view-first yes, it will try to answer using the global local-zone and
1251 # local-data elements if there is no view specific match.
1254 # local-zone: "example.com" redirect
1255 # local-data: "example.com A 192.0.2.3"
1256 # local-data-ptr: "192.0.2.3 www.example.com"
1257 # view-first: no
1260 # local-zone: "example.com" refuse
1263 # To enable, use --enable-dnscrypt to configure before compiling.
1265 # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
1266 # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
1267 # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
1268 # listen on `dnscrypt-port` with the following snippet:
1275 # dnscrypt-enable: yes
1276 # dnscrypt-port: 443
1277 # dnscrypt-provider: 2.dnscrypt-cert.example.com.
1278 # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
1279 # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
1280 # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
1281 # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
1285 # To enable, use --enable-cachedb to configure before compiling.
1288 # testing) and backend-specific options. The 'cachedb' module must be
1289 # included in module-config, just before the iterator module.
1293 # secret-seed: "default"
1295 # cachedb-no-store: no
1296 # # if the cachedb should be checked before a serve-expired response is
1297 # # given, when serve-expired is enabled.
1298 # cachedb-check-when-serve-expired: yes
1301 # # (to enable, use --with-libhiredis to configure before compiling)
1303 # redis-server-host: 127.0.0.1
1304 # # redis server's TCP port
1305 # redis-server-port: 6379
1306 # # if the server uses a unix socket, set its path, or "" when not used.
1307 # # redis-server-path: "/var/lib/redis/redis-server.sock"
1309 # # redis-server-password: ""
1311 # redis-timeout: 100
1312 # # timeout (in ms) for commands, if 0, uses redis-timeout.
1313 # redis-command-timeout: 0
1314 # # timeout (in ms) for connection set up, if 0, uses redis-timeout.
1315 # redis-connect-timeout: 0
1316 # # set timeout on redis records based on DNS response TTL
1317 # redis-expire-records: no
1319 # redis-logical-db: 0
1322 # Add specified domains into a set via ipset.
1324 # o use --enable-ipset to configure before compiling;
1327 # # set name for ip v4 addresses
1328 # name-v4: "list-v4"
1329 # # set name for ip v6 addresses
1330 # name-v6: "list-v6"
1333 # Dnstap logging support, if compiled in by using --enable-dnstap to configure.
1334 # To enable, set the dnstap-enable to yes and also some of
1335 # dnstap-log-..-messages to yes. And select an upstream log destination, by
1338 # dnstap-enable: no
1339 # # if set to yes frame streams will be used in bidirectional mode
1340 # dnstap-bidirectional: yes
1341 # dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
1342 # # if "" use the unix socket in dnstap-socket-path, otherwise,
1343 # # set it to "IPaddress[@port]" of the destination.
1344 # dnstap-ip: ""
1345 # # set to yes if you want to use TLS to dnstap-ip, no for TCP.
1346 # dnstap-tls: yes
1348 # dnstap-tls-server-name: ""
1350 # dnstap-tls-cert-bundle: ""
1352 # dnstap-tls-client-key-file: ""
1354 # dnstap-tls-client-cert-file: ""
1355 # dnstap-send-identity: no
1356 # dnstap-send-version: no
1358 # dnstap-identity: ""
1360 # dnstap-version: ""
1362 # dnstap-sample-rate: 0
1363 # dnstap-log-resolver-query-messages: no
1364 # dnstap-log-resolver-response-messages: no
1365 # dnstap-log-client-query-messages: no
1366 # dnstap-log-client-response-messages: no
1367 # dnstap-log-forwarder-query-messages: no
1368 # dnstap-log-forwarder-response-messages: no
1374 # actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
1377 # to the module-config, e.g.: module-config: "respip validator iterator".
1382 # allow-notify: 192.0.2.0/32
1384 # rpz-action-override: cname
1385 # rpz-cname-override: www.example.org
1386 # rpz-log: yes
1387 # rpz-log-name: "example policy"
1388 # rpz-signal-nxdomain-ra: no
1389 # for-downstream: no