
13 #include-toplevel: "otherfile.conf"
23 # Set to "" or 0 to disable. Default is disabled.
24 # statistics-interval: 0
27 # statistics-interval, every time it also writes stats to the
28 # shared memory segment keyed with shm-key.
29 # shm-enable: no
32 # shm-key: 11777
35 # statistics-cumulative: no
38 # printed from unbound-control. default off, because of speed.
39 # extended-statistics: no
42 # num-threads: 1
44 # specify the interfaces to answer queries from by ip-address.
47 # specify every interface[@port] on a new 'interface:' labelled line.
56 # interface-automatic: no
58 # port to answer queries from
59 # port: 53
62 # server from by ip-address. If none, the default (all) interface
63 # is used. Specify every interface on an 'outgoing-interface:' line.
64 # outgoing-interface: 192.0.2.153
65 # outgoing-interface: 2001:DB8::5
66 # outgoing-interface: 2001:DB8::6
70 # outgoing-interface: 2001:DB8::/64
71 # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
72 # And: ip -6 route add local 2001:db8::/64 dev lo
73 # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
74 # Set this to yes to prefer ipv6 upstream servers over ipv4.
75 # prefer-ip6: no
78 # prefer-ip4: no
80 # number of ports to allocate per thread, determines the size of the
81 # port range that can be open simultaneously. About double the
82 # num-queries-per-thread, or, use as many as the OS will allow you.
83 # outgoing-range: 4096
85 # permit Unbound to use this port number or port range for
87 # outgoing-port-permit: 32768
89 # deny Unbound the use of this port number or port range for
91 # Use this to make sure Unbound does not grab a UDP port that some
93 # IANA-assigned port numbers.
94 # If multiple outgoing-port-permit and outgoing-port-avoid options
96 # outgoing-port-avoid: "3200-3208"
98 # number of outgoing simultaneous tcp buffers to hold per thread.
99 # outgoing-num-tcp: 10
101 # number of incoming simultaneous tcp buffers to hold per thread.
102 # incoming-num-tcp: 10
104 # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
106 # so-rcvbuf: 0
108 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
110 # so-sndbuf: 0
114 # so-reuseport: yes
116 # use IP_TRANSPARENT so the interface: addresses can be non-local
117 # and you can config non-existing IPs that are going to work later on
119 # ip-transparent: no
121 # use IP_FREEBIND so the interface: addresses can be non-local
123 # Linux only. On Linux you also have ip-transparent that is similar.
124 # ip-freebind: no
129 # ip-dscp: 0
132 # is set with msg-buffer-size).
133 # edns-buffer-size: 1232
137 # max-udp-size: 4096
140 # stream-wait-size: 4m
144 # msg-buffer-size: 65552
148 # msg-cache-size: 4m
153 # msg-cache-slabs: 4
156 # num-queries-per-thread: 1024
159 # jostle-timeout: 200
161 # msec to wait before close of port on timeout UDP. 0 disables.
162 # delay-close: 0
165 # udp-connect: yes
167 # The number of retries when a non-positive response is received.
168 # outbound-msg-retry: 5
172 # unknown-server-time-limit: 376
176 # rrset-cache-size: 4m
181 # rrset-cache-slabs: 4
185 # cache-min-ttl: 0
189 # cache-max-ttl: 86400
192 # cache-max-negative-ttl: 3600
196 # infra-host-ttl: 900
199 # infra-cache-min-rtt: 50
202 # infra-keep-probing: no
207 # infra-cache-slabs: 4
210 # infra-cache-numhosts: 10000
212 # define a number of tags here, use with local-zone, access-control.
213 # repeat the define-tag statement to add additional tags.
214 # define-tag: "tag1 tag2 tag3"
217 # do-ip4: yes
220 # do-ip6: yes
223 # do-udp: yes
226 # do-tcp: yes
230 # tcp-upstream: no
232 # upstream connections also use UDP (even if do-udp is no).
234 # udp-upstream-without-downstream: no
238 # tcp-mss: 0
242 # outgoing-tcp-mss: 0
245 # tcp-idle-timeout: 30000
248 # edns-tcp-keepalive: no
251 # edns-tcp-keepalive-timeout: 120000
254 # use-systemd: no
257 # Set the value to "no" when Unbound runs as systemd service.
258 # do-daemonize: yes
266 # deny_non_local (drop queries unless can be answered from local-data)
268 # access-control: 0.0.0.0/0 refuse
269 # access-control: 127.0.0.0/8 allow
270 # access-control: ::0/0 refuse
271 # access-control: ::1 allow
272 # access-control: ::ffff:127.0.0.1 allow
274 # tag access-control with list of tags (in "" with spaces between)
277 # access-control-tag: 192.0.2.0/24 "tag2 tag3"
279 # set action for particular tag for given access control element
281 # is the first tag match between access-control-tag and local-zone-tag
282 # where "first" comes from the order of the define-tag values.
283 # access-control-tag-action: 192.0.2.0/24 tag3 refuse
285 # set redirect data for particular tag for access control element
286 # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
288 # Set view for access control element
289 # access-control-view: 192.0.2.0/24 viewname
316 # if given, user privileges are dropped (after binding port),
329 # Use of this option sets use-syslog to "no".
334 # use-syslog: yes
338 # log-identity: ""
341 # log-time-ascii: no
344 # log-queries: no
346 # print one line per reply, with time, IP, name, type, class, rcode,
348 # log-replies: no
351 # filtering log-queries and log-replies from the log.
352 # log-tag-queryreply: no
354 # log the local-zone actions, like local-zone type inform is enabled
356 # log-local-actions: no
359 # log-servfail: no
366 # root-hints: ""
369 # hide-identity: no
372 # hide-version: no
375 # hide-trustanchor: no
377 # enable to not set the User-Agent HTTP header.
378 # hide-http-user-agent: no
389 # User-Agent HTTP header to use. Leave "" or default to use package name
391 # http-user-agent: ""
394 # series of integers describing the policy per dependency depth.
397 # -1 : fetch all targets opportunistically,
401 # target-fetch-policy: "3 2 1 0 0"
404 # harden-short-bufsize: yes
407 # harden-large-queries: no
410 # harden-glue: yes
412 # Harden against receiving dnssec-stripped data. If you turn it
415 # Default on, which insists on dnssec data for trust-anchored zones.
416 # harden-dnssec-stripped: yes
418 # Harden against queries that fall under dnssec-signed nxdomain names.
419 # harden-below-nxdomain: yes
424 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
425 # harden-referral-path: no
430 # harden-algo-downgrade: no
433 # privacy. Only send the minimum required labels of the QNAME and set QTYPE
435 # qname-minimisation: yes
437 # QNAME minimisation in strict mode. Do not fall-back to sending full
440 # This option only has effect when qname-minimisation is enabled.
441 # qname-minimisation-strict: no
445 # aggressive-nsec: yes
447 # Use 0x20-encoded random bits in the query to foil spoof attempts.
448 # This feature is an experimental implementation of draft dns-0x20.
449 # use-caps-for-id: no
451 # Domains (and domains in them) without support for dns-0x20 and
453 # caps-exempt: "licdn.com"
454 # caps-exempt: "senderbase.org"
459 # Only 'private-domain' and 'local-data' names are allowed to have
461 # private-address: 10.0.0.0/8
462 # private-address: 172.16.0.0/12
463 # private-address: 192.168.0.0/16
464 # private-address: 169.254.0.0/16
465 # private-address: fd00::/8
466 # private-address: fe80::/10
467 # private-address: ::ffff:0:0/96
470 # local-data statements are allowed to contain private addresses too.
471 # private-domain: "example.com"
474 # but also a running total is kept per thread. If it reaches the
478 # unwanted-reply-threshold: 0
481 # List one address per entry. List classless netblocks with /size,
482 # do-not-query-address: 127.0.0.1/8
483 # do-not-query-address: ::1
485 # if yes, the above default do-not-query-address entries are present.
487 # do-not-query-localhost: yes
493 # prefetch-key: no
496 # deny-any: no
499 # rrset-roundrobin: yes
503 # minimal-responses: yes
506 # disable-dnssec-lame-check: no
513 # module-config: "validator iterator"
516 # initial file like trust-anchor-file, then it stores metadata.
517 # Use several entries, one per domain name, to track multiple zones.
519 # If you want to perform DNSSEC validation, run unbound-anchor before
521 # And then enable the auto-trust-anchor-file config item.
522 # Please note usage of unbound-anchor root anchor is at your own risk
524 # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
527 # trust-anchor-signaling: yes
529 # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
530 # root-key-sentinel: yes
533 # with several entries, one file per entry.
535 # Note this gets out of date, use auto-trust-anchor-file please.
536 # trust-anchor-file: ""
540 # Note this gets out of date, use auto-trust-anchor-file please.
542 …# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6…
543 # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
546 # with several entries, one file per entry. Like trust-anchor-file
547 # but has a different file format. Format is BIND-9 style format,
548 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
550 # trusted-keys-file: ""
553 # domain-insecure: "example.com"
556 # Do not set this unless you are debugging signature inception
557 # and expiration. "" or "0" turns the feature off. -1 ignores date.
558 # val-override-date: ""
562 # val-bogus-ttl: 60
565 # by 10% of the signature lifetime (expir-incep) from our local clock.
567 # val-sig-skew-min: 3600
568 # val-sig-skew-max: 86400
572 # val-max-restart: 5
578 # val-clean-additional: yes
585 # val-permissive-mode: no
589 # that set CD but cannot validate themselves.
590 # ignore-cd-flag: no
592 # Serve expired responses from cache, with serve-expired-reply-ttl in
594 # serve-expired: no
598 # serve-expired-ttl: 0
600 # Set the TTL of expired records to the serve-expired-ttl value after a
604 # serve-expired-ttl-reset: no
607 # serve-expired-reply-ttl: 30
610 # This essentially enables the serve-stale behavior as specified in
614 # serve-expired-client-timeout: 0
621 # serve-original-ttl: no
624 # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
625 # val-log-level: 0
627 # It is possible to configure NSEC3 maximum iteration counts per
631 # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
634 # zonemd-permissive-mode: no
636 # instruct the auto-trust-anchor-file probing to add anchors after ttl.
637 # add-holddown: 2592000 # 30 days
639 # instruct the auto-trust-anchor-file probing to del anchors after ttl.
640 # del-holddown: 2592000 # 30 days
642 # auto-trust-anchor-file probing removes missing anchors after ttl.
644 # keep-missing: 31622400 # 366 days
648 # permit-small-holddown: no
652 # key-cache-size: 4m
657 # key-cache-slabs: 4
661 # neg-cache-size: 1m
664 # reply is built-in. Query traffic is thus blocked. If you
667 # You may also have to use domain-insecure: zone to make DNSSEC work,
669 # local-zone: "localhost." nodefault
670 # local-zone: "127.in-addr.arpa." nodefault
671 # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
672 # local-zone: "home.arpa." nodefault
673 # local-zone: "onion." nodefault
674 # local-zone: "test." nodefault
675 # local-zone: "invalid." nodefault
676 # local-zone: "10.in-addr.arpa." nodefault
677 # local-zone: "16.172.in-addr.arpa." nodefault
678 # local-zone: "17.172.in-addr.arpa." nodefault
679 # local-zone: "18.172.in-addr.arpa." nodefault
680 # local-zone: "19.172.in-addr.arpa." nodefault
681 # local-zone: "20.172.in-addr.arpa." nodefault
682 # local-zone: "21.172.in-addr.arpa." nodefault
683 # local-zone: "22.172.in-addr.arpa." nodefault
684 # local-zone: "23.172.in-addr.arpa." nodefault
685 # local-zone: "24.172.in-addr.arpa." nodefault
686 # local-zone: "25.172.in-addr.arpa." nodefault
687 # local-zone: "26.172.in-addr.arpa." nodefault
688 # local-zone: "27.172.in-addr.arpa." nodefault
689 # local-zone: "28.172.in-addr.arpa." nodefault
690 # local-zone: "29.172.in-addr.arpa." nodefault
691 # local-zone: "30.172.in-addr.arpa." nodefault
692 # local-zone: "31.172.in-addr.arpa." nodefault
693 # local-zone: "168.192.in-addr.arpa." nodefault
694 # local-zone: "0.in-addr.arpa." nodefault
695 # local-zone: "254.169.in-addr.arpa." nodefault
696 # local-zone: "2.0.192.in-addr.arpa." nodefault
697 # local-zone: "100.51.198.in-addr.arpa." nodefault
698 # local-zone: "113.0.203.in-addr.arpa." nodefault
699 # local-zone: "255.255.255.255.in-addr.arpa." nodefault
700 # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
701 # local-zone: "d.f.ip6.arpa." nodefault
702 # local-zone: "8.e.f.ip6.arpa." nodefault
703 # local-zone: "9.e.f.ip6.arpa." nodefault
704 # local-zone: "a.e.f.ip6.arpa." nodefault
705 # local-zone: "b.e.f.ip6.arpa." nodefault
706 # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
707 # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
710 # local-zone: "example.com" ipset
713 # to perform lan-wide lookups to the upstream, and unblock the
714 # long list of local-zones above. If this Unbound is a dns server
717 # unblock-lan-zones: no
719 # The insecure-lan-zones option disables validation for
720 # these zones, as if they were all listed as domain-insecure.
721 # insecure-lan-zones: no
724 # local-zone: <zone> <type>
725 # local-data: "<resource record string>"
740 # o noview breaks out of that view towards global local-zones.
746 # If you configure local-data without specifying local-zone, by
747 # default a transparent local-zone is created for the data.
750 # local-zone: "local." static
751 # local-data: "mycomputer.local. IN A 192.0.2.51"
752 # local-data: 'mytext.local TXT "content of text record"'
755 # local-data: "adserver.example.com A 127.0.0.1"
759 # local-zone: "example.com" redirect
760 # local-data: "example.com A 192.0.2.3"
763 # You can also add PTR records using local-data directly, but then
765 # local-data-ptr: "192.0.2.3 www.example.com"
768 # local-zone-tag: "example.com" "tag2 tag3"
771 # local-zone-override: "example.com" 192.0.2.0/24 refuse
777 # tls-service-key: "path/to/privatekeyfile.key"
778 # tls-service-pem: "path/to/publiccertfile.pem"
779 # tls-port: 853
780 # https-port: 443
783 …# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-R…
785 …# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AE…
788 # pad-responses: yes
791 # pad-responses-block-size: 468
795 # tls-use-sni: yes
802 # tls-session-ticket-keys: "path/to/secret_file1"
803 # tls-session-ticket-keys: "path/to/secret_file2"
806 # Default is no. Can be turned on and off with unbound-control.
807 # tls-upstream: no
810 # tls-cert-bundle: ""
813 # tls-win-cert: no
816 # pad-queries: yes
819 # pad-queries-block-size: 128
821 # Also serve tls on these port numbers (eg. 443, ...), by listing
822 # tls-additional-port: portno for each of the port numbers.
824 # HTTP endpoint to provide DNS-over-HTTPS service on.
825 # http-endpoint: "/dns-query"
828 # http-max-streams: 100
831 # http-query-buffer-size: 4m
834 # http-response-buffer-size: 4m
836 # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
838 # http-nodelay: yes
840 # Disable TLS for DNS-over-HTTP downstream service.
841 # http-notls-downstream: no
844 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
845 # dns64-prefix: 64:ff9b::0/96
848 # dns64-ignore-aaaa: "example.com"
852 # if 0(default) it is disabled, otherwise state qps allowed per zone.
856 # ratelimit-size: 4m
858 # ratelimit-slabs: 4
861 # ratelimit-factor: 10
865 # ratelimit-backoff: no
869 # ratelimit-for-domain: example.com 1000
872 # ratelimit-below-domain: com 1000
876 # if 0(default) it is disabled, otherwise states qps allowed per ip address
877 # ip-ratelimit: 0
880 # ip-ratelimit-size: 4m
882 # ip-ratelimit-slabs: 4
885 # ip-ratelimit-factor: 10
889 # ip-ratelimit-backoff: no
892 # tcp-connection-limit: 192.0.2.0/24 12
896 # fast-server-permil: 0
898 # fast-server-num: 3
901 # --enable-ipsecmod for these to take effect.
904 # module-config above). Can be used when ipsecmod needs to be
905 # enabled/disabled via remote-control(below).
906 # ipsecmod-enabled: yes
909 # listed in module-config (above).
910 # ipsecmod-hook: "./my_executable"
913 # the ipsecmod-hook is not 0.
914 # ipsecmod-strict: no
917 # ipsecmod-max-ttl: 3600
921 # ipsecmod-ignore-bogus: no
925 # ipsecmod-allow: "example.com"
926 # ipsecmod-allow: "nlnetlabs.nl"
929 # tcp-reuse-timeout: 60000
931 # max-reuse-tcp-queries: 200
933 # tcp-auth-query-timeout: 3000
937 # o use --with-pythonmodule to configure before compiling.
938 # o list python in the module-config string (above) to enable.
941 # o and give a python-script to run.
944 # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
947 # o use --with-dynlibmodule to configure before compiling.
948 # o list dynlib in the module-config string (above) to enable.
951 # o and give a dynlib-file to run. If more than one dynlib entry is listed in
952 # the module-config then you need one dynlib-file per instance.
955 # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
958 remote-control:
959 # Enable remote control with unbound-control(8) here.
960 # set up the keys and certificates with unbound-control-setup.
961 # control-enable: no
965 # set to an absolute path to use a unix local named pipe, certificates
967 # control-interface: 127.0.0.1
968 # control-interface: ::1
970 # port number for remote control operations.
971 # control-port: 8953
975 # control-use-cert: "yes"
978 # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
981 # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
983 # unbound-control key file.
984 # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
986 # unbound-control certificate file.
987 # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
992 # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
994 # With stub-first yes, it attempts without the stub if it fails.
995 # Consider adding domain-insecure: name and local-zone: name nodefault
997 # stub-zone:
999 # stub-addr: 192.0.2.68
1000 # stub-prime: no
1001 # stub-first: no
1002 # stub-tcp-upstream: no
1003 # stub-tls-upstream: no
1004 # stub-no-cache: no
1005 # stub-zone:
1007 # stub-host: ns.example.com.
1014 # If you enable forward-first, it attempts without the forward if it fails.
1015 # forward-zone:
1017 # forward-addr: 192.0.2.68
1018 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
1019 # forward-first: no
1020 # forward-tcp-upstream: no
1021 # forward-tls-upstream: no
1022 # forward-no-cache: no
1023 # forward-zone:
1025 # forward-host: fwd.example.com
1034 # With allow-notify: you can give additional (apart from primaries) sources of
1036 # auth-zone:
1038 # primary: 199.9.14.201 # b.root-servers.net
1039 # primary: 192.33.4.12 # c.root-servers.net
1040 # primary: 199.7.91.13 # d.root-servers.net
1041 # primary: 192.5.5.241 # f.root-servers.net
1042 # primary: 192.112.36.4 # g.root-servers.net
1043 # primary: 193.0.14.129 # k.root-servers.net
1046 # primary: 2001:500:200::b # b.root-servers.net
1047 # primary: 2001:500:2::c # c.root-servers.net
1048 # primary: 2001:500:2d::d # d.root-servers.net
1049 # primary: 2001:500:2f::f # f.root-servers.net
1050 # primary: 2001:500:12::d0d # g.root-servers.net
1051 # primary: 2001:7fd::1 # k.root-servers.net
1054 # fallback-enabled: yes
1055 # for-downstream: no
1056 # for-upstream: yes
1057 # auth-zone:
1059 # for-downstream: yes
1060 # for-upstream: yes
1061 # zonemd-check: no
1062 # zonemd-reject-absence: no
1067 # the access-control-view option. Views can contain zero or more local-zone
1068 # and local-data options. Options from matching views will override global
1070 # With view-first yes, it will try to answer using the global local-zone and
1071 # local-data elements if there is no view specific match.
1074 # local-zone: "example.com" redirect
1075 # local-data: "example.com A 192.0.2.3"
1076 # local-data-ptr: "192.0.2.3 www.example.com"
1077 # view-first: no
1080 # local-zone: "example.com" refuse
1083 # To enable, use --enable-dnscrypt to configure before compiling.
1085 # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
1086 # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
1087 # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
1088 # listen on `dnscrypt-port` with the following snippet:
1095 # dnscrypt-enable: yes
1096 # dnscrypt-port: 443
1097 # dnscrypt-provider: 2.dnscrypt-cert.example.com.
1098 # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
1099 # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
1100 # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
1101 # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
1105 # To enable, use --enable-cachedb to configure before compiling.
1108 # testing) and backend-specific options. The 'cachedb' module must be
1109 # included in module-config, just before the iterator module.
1113 # secret-seed: "default"
1116 # # (to enable, use --with-libhiredis to configure before compiling)
1118 # redis-server-host: 127.0.0.1
1119 # # redis server's TCP port
1120 # redis-server-port: 6379
1122 # redis-timeout: 100
1123 # # set timeout on redis records based on DNS response TTL
1124 # redis-expire-records: no
1127 # Add specified domains into a set via ipset.
1129 # o use --enable-ipset to configure before compiling;
1132 # # set name for ip v4 addresses
1133 # name-v4: "list-v4"
1134 # # set name for ip v6 addresses
1135 # name-v6: "list-v6"
1138 # Dnstap logging support, if compiled in by using --enable-dnstap to configure.
1139 # To enable, set the dnstap-enable to yes and also some of
1140 # dnstap-log-..-messages to yes. And select an upstream log destination, by
1143 # dnstap-enable: no
1144 # # if set to yes frame streams will be used in bidirectional mode
1145 # dnstap-bidirectional: yes
1146 # dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
1147 # # if "" use the unix socket in dnstap-socket-path, otherwise,
1148 # # set it to "IPaddress[@port]" of the destination.
1149 # dnstap-ip: ""
1150 # # set to yes if you want to use TLS to dnstap-ip, no for TCP.
1151 # dnstap-tls: yes
1153 # dnstap-tls-server-name: ""
1155 # dnstap-tls-cert-bundle: ""
1157 # dnstap-tls-client-key-file: ""
1159 # dnstap-tls-client-cert-file: ""
1160 # dnstap-send-identity: no
1161 # dnstap-send-version: no
1163 # dnstap-identity: ""
1165 # dnstap-version: ""
1166 # dnstap-log-resolver-query-messages: no
1167 # dnstap-log-resolver-response-messages: no
1168 # dnstap-log-client-query-messages: no
1169 # dnstap-log-client-response-messages: no
1170 # dnstap-log-forwarder-query-messages: no
1171 # dnstap-log-forwarder-response-messages: no
1176 # actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
1179 # to the module-config, e.g.: module-config: "respip validator iterator".
1184 # allow-notify: 192.0.2.0/32
1186 # rpz-action-override: cname
1187 # rpz-cname-override: www.example.org
1188 # rpz-log: yes
1189 # rpz-log-name: "example policy"
1190 # rpz-signal-nxdomain-ra: no
1191 # for-downstream: no