Lines Matching +full:low +full:- +full:leakage

3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
99 .B statistics\-interval: \fI<seconds>
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B statistics\-inhibit\-zero: \fI<yes or no>
117 printing with \fIunbound\-control\fR(8).
123 .B num\-threads: \fI<number>
135 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
140 .B ip\-address: \fI<ip address or interface name [@port]>
143 .B interface\-automatic: \fI<yes or no>
146 ip\-transparent, but this option services all interfaces whilst with
147 ip\-transparent you can select which (future) interfaces Unbound provides
151 .B interface\-automatic\-ports: \fI<string>
152 List the port numbers that interface-automatic listens on. If empty, the
160 .B outgoing\-interface: \fI<ip address or ip6 netblock>
167 .B outgoing\-interface:
174 host running Unbound, and requires OS support for unprivileged non-local binds
177 .B outgoing\-interface:
180 .B prefer\-ip6: yes
184 ip \-6 addr add mynetblock/64 dev lo &&
185 ip \-6 route add local mynetblock/64 dev lo
187 .B outgoing\-range: \fI<number>
193 .B outgoing\-port\-permit: \fI<port number or range>
198 Give a port number or a range of the form "low\-high", without spaces.
200 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
206 .B outgoing\-port\-avoid: \fI<port number or range>
211 Give a port number or a range of the form "low\-high", without spaces.
213 .B outgoing\-num\-tcp: \fI<number>
215 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
218 .B incoming\-num\-tcp: \fI<number>
220 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
223 .B edns\-buffer\-size: \fI<number>
226 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
233 .B max\-udp\-size: \fI<number>
237 same as the default for edns\-buffer\-size.
239 .B stream\-wait\-size: \fI<number>
249 .B msg\-buffer\-size: \fI<number>
256 .B msg\-cache\-size: \fI<number>
261 .B msg\-cache\-slabs: \fI<number>
266 .B num\-queries\-per\-thread: \fI<number>
269 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
273 .B jostle\-timeout: \fI<msec>
280 The effect is that the qps for long-lasting queries is about
286 .B delay\-close: \fI<msec>
290 closed ports and setting off all sort of close-port counters, with
295 .B udp\-connect: \fI<yes or no>
296 Perform connect for UDP sockets that mitigates ICMP side channel leakage.
299 .B unknown\-server\-time\-limit: \fI<msec>
302 That would then avoid re\-querying every initial query because it times out.
305 .B discard\-timeout: \fI<msec>
309 larger than serve\-expired\-client\-timeout if that is enabled.
313 .B wait\-limit: \fI<number>
319 .B wait\-limit\-cookie: \fI<number>
324 .B wait\-limit\-netblock: \fI<netblock> <number>
325 The wait limit for the netblock. If not given the wait\-limit value is
328 The value -1 disables wait limits for the netblock.
330 .B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
332 If not given, the wait\-limit\-cookie value is used.
333 The value -1 disables wait limits for the netblock.
335 .B so\-rcvbuf: \fI<number>
338 servers do not drop packets (see counter in netstat \-su). Default is
343 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
346 .B so\-sndbuf: \fI<number>
350 can get logged, the buffer overrun is also visible by netstat \-su.
355 to so\-rcvbuf.
357 .B so\-reuseport: \fI<yes or no>
369 .B ip\-transparent: \fI<yes or no>
372 non\-local interfaces. For example for non\-existent IP addresses that
374 a lot like interface\-automatic, but that one services all interfaces
380 .B ip\-freebind: \fI<yes or no>
385 ip\-transparent option is also available.
387 .B ip-dscp: \fI<number>
390 The field replaces the outdated IPv4 Type-Of-Service field and the
393 .B rrset\-cache\-size: \fI<number>
398 .B rrset\-cache\-slabs: \fI<number>
402 .B cache\-max\-ttl: \fI<seconds>
408 .B cache\-min\-ttl: \fI<seconds>
416 .B cache\-max\-negative\-ttl: \fI<seconds>
421 .B cache\-min\-negative\-ttl: \fI<seconds>
425 If this is disabled and \fBcache-min-ttl\fR is configured, it will take effect
430 .B infra\-host\-ttl: \fI<seconds>
434 .B infra\-cache\-slabs: \fI<number>
438 .B infra\-cache\-numhosts: \fI<number>
441 .B infra\-cache\-min\-rtt: \fI<msec>
446 .B infra\-cache\-max\-rtt: \fI<msec>
450 .B infra\-keep\-probing: \fI<yes or no>
454 it may take \fBinfra\-host\-ttl\fR time to get probed again.
456 .B define\-tag: \fI<"list of tags">
457 Define the tags that can be used with local\-zone and access\-control.
460 .B do\-ip4: \fI<yes or no>
463 .B do\-ip6: \fI<yes or no>
470 .B prefer\-ip4: \fI<yes or no>
477 .B prefer\-ip6: \fI<yes or no>
481 .B do\-udp: \fI<yes or no>
484 .B do\-tcp: \fI<yes or no>
487 .B tcp\-mss: \fI<number>
495 .B outgoing\-tcp\-mss: \fI<number>
503 .B tcp-idle-timeout: \fI<msec>\fR
514 It will be overridden by \fBedns\-tcp\-keepalive\-timeout\fR if
515 \fBedns\-tcp\-keepalive\fR is enabled.
517 .B tcp-reuse-timeout: \fI<msec>\fR
521 .B max-reuse-tcp-queries: \fI<number>\fR
526 .B tcp-auth-query-timeout: \fI<number>\fR
530 .B edns-tcp-keepalive: \fI<yes or no>\fR
533 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
534 Overrides \fBtcp\-idle\-timeout\fR when \fBedns\-tcp\-keepalive\fR is enabled.
540 .B sock\-queue\-timeout: \fI<sec>\fR
548 .B tcp\-upstream: \fI<yes or no>
551 TCP transport only for selected forward or stub zones using forward-tcp-upstream
552 or stub-tcp-upstream respectively.
554 .B udp\-upstream\-without\-downstream: \fI<yes or no>
555 Enable udp upstream even if do-udp is no. Default is no, and this does not
559 .B tls\-upstream: \fI<yes or no>
563 \fBtls\-service\-key\fR).
564 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or
565 tls\-system\-cert to load CA certs, otherwise the connections cannot be
568 forward\-tls\-upstream. And also with stub\-tls\-upstream.
569 If the tls\-upstream option is enabled, it is for all the forwards and stubs,
570 where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
573 .B ssl\-upstream: \fI<yes or no>
574 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
577 .B tls\-service\-key: \fI<file>
578 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
579 TCP ports marked implicitly or explicitly for these services with tls\-port or
580 https\-port. The file must contain the private key for the TLS session, the
581 public certificate is in the tls\-service\-pem file and it must also be
582 specified if tls\-service\-key is specified. The default is "", turned off.
585 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
586 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
587 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
589 .B ssl\-service\-key: \fI<file>
590 Alternate syntax for \fBtls\-service\-key\fR.
592 .B tls\-service\-pem: \fI<file>
596 .B ssl\-service\-pem: \fI<file>
597 Alternate syntax for \fBtls\-service\-pem\fR.
599 .B tls\-port: \fI<number>
603 .B ssl\-port: \fI<number>
604 Alternate syntax for \fBtls\-port\fR.
606 .B tls\-cert\-bundle: \fI<file>
608 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
609 for authenticating connections made to outside peers. For example auth\-zone
613 .B ssl\-cert\-bundle: \fI<file>
614 Alternate syntax for \fBtls\-cert\-bundle\fR.
616 .B tls\-win\-cert: \fI<yes or no>
620 the tls\-cert\-bundle option on other systems. On other systems, this option
623 .B tls\-system\-cert: \fI<yes or no>
624 This is the same setting as the tls\-win\-cert setting, under a different name.
627 .B tls\-additional\-port: \fI<portnr>
628 List portnumbers as tls\-additional\-port, and when interfaces are defined,
632 .B tls-session-ticket-keys: \fI<file>
645 .B tls\-ciphers: \fI<string with cipher list>
649 .B tls\-ciphersuites: \fI<string with ciphersuites list>
653 .B pad\-responses: \fI<yes or no>
656 \fBpad\-responses\-block\-size\fR.
659 .B pad\-responses\-block\-size: \fI<number>
664 .B pad\-queries: \fI<yes or no>
666 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
669 .B pad\-queries\-block\-size: \fI<number>
673 .B tls\-use\-sni: \fI<yes or no>
678 .B https\-port: \fI<number>
679 The port number on which to provide DNS-over-HTTPS service, default 443, only
682 .B http\-endpoint: \fI<endpoint string>
683 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
685 .B http\-max\-streams: \fI<number of streams>
687 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
689 .B http\-query\-buffer\-size: \fI<size in bytes>
696 .B http\-response\-buffer\-size: \fI<size in bytes>
703 .B http\-nodelay: \fI<yes or no>
704 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
707 .B http\-notls\-downstream: \fI<yes or no>
708 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
711 .B proxy\-protocol\-port: \fI<portnr>
712 List port numbers as proxy\-protocol\-port, and when interfaces are defined,
722 .B quic\-port: \fI<number>
723 The port number on which to provide DNS-over-QUIC service, default 853, only
727 .B quic\-size: \fI<size in bytes>
734 .B use\-systemd: \fI<yes or no>
738 .B do\-daemonize: \fI<yes or no>
743 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
748 .B access\-control: \fI<IP netblock> <action>
760 The order of the access\-control statements therefore does not matter.
772 local\-data that is configured. The reason is that this does not involve
796 \fBanswer\-cookie\fR option is enabled.
802 \fBanswer\-cookie\fR setting.
808 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
813 only allowed to query for the authoritative local\-data, they are not
818 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
819 Assign tags to access-control elements. Clients using this access control
821 defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
822 spaces between tags. If access\-control\-tag is configured for a netblock that
823 does not have an access\-control, an access\-control element with action
826 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
829 between access\-control\-tag and local\-zone\-tag where "first" comes from the
830 order of the define-tag values.
832 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
835 .B access\-control\-view: \fI<IP netblock> <view name>
838 .B interface\-action: \fI<ip address or interface name [@port]> <action>
839 Similar to \fBaccess\-control:\fR but for interfaces.
841 The action is the same as the ones defined under \fBaccess\-control:\fR.
845 \fBaccess\-control:\fR behavior.
846 This also means that any attempt to use the \fBinterface-*:\fR options for the
848 default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option.
851 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
854 .B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
855 Similar to \fBaccess\-control-tag:\fR but for interfaces.
858 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
861 .B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
862 Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
865 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
868 .B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
869 Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
872 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
875 .B interface\-view: \fI<ip address or interface name [@port]> <view name>
876 Similar to \fBaccess\-control-view:\fR but for interfaces.
879 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
931 If this option is given, the use\-syslog option is set to "no".
935 .B use\-syslog: \fI<yes or no>
939 The logfile setting is overridden when use\-syslog is turned on.
942 .B log\-identity: \fI<string>
949 .B log\-time\-ascii: \fI<yes or no>
954 .B log\-time\-iso:\fR <yes or no>
955 Log time in ISO8601 format, if \fBlog\-time\-ascii:\fR yes is also set.
958 .B log\-queries: \fI<yes or no>
964 .B log\-replies: \fI<yes or no>
971 .B log\-tag\-queryreply: \fI<yes or no>
972 Prints the words 'query' and 'reply' with log\-queries and log\-replies.
976 .B log\-destaddr: \fI<yes or no>
977 Prints the destination address, port and type in the log\-replies output.
981 .B log\-local\-actions: \fI<yes or no>
983 local\-zone type inform prints out, but they are also printed for the other
986 .B log\-servfail: \fI<yes or no>
995 kill \-HUP `cat @UNBOUND_PIDFILE@`
999 kill \-TERM `cat @UNBOUND_PIDFILE@`
1003 .B root\-hints: \fI<filename>
1007 when servers change, therefore it is good practice to use a root\-hints file.
1009 .B hide\-identity: \fI<yes or no>
1016 .B hide\-version: \fI<yes or no>
1023 .B hide\-http\-user\-agent: \fI<yes or no>
1024 If enabled the HTTP header User-Agent is not set. Use with caution as some
1027 .B http\-user\-agent
1030 .B http\-user\-agent: \fI<string>
1031 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
1039 .B hide\-trustanchor: \fI<yes or no>
1042 .B target\-fetch\-policy: \fI<"list of numbers">
1049 A value of \-1 means to fetch all targets opportunistically for that dependency
1055 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
1058 .B harden\-short\-bufsize: \fI<yes or no>
1062 .B harden\-large\-queries: \fI<yes or no>
1067 .B harden\-glue: \fI<yes or no>
1070 .B harden\-unverified\-glue: \fI<yes or no>
1071 Will trust only in-zone glue. Will try to resolve all out of zone
1075 .B harden\-dnssec\-stripped: \fI<yes or no>
1076 Require DNSSEC data for trust\-anchored zones, if such data is absent,
1085 .B harden\-below\-nxdomain: \fI<yes or no>
1092 this only DNSSEC-secure nxdomains are used, because the old software does not
1096 .B harden\-referral\-path: \fI<yes or no>
1105 If you enable it consider adding more numbers after the target\-fetch\-policy
1108 .B harden\-algo\-downgrade: \fI<yes or no>
1115 .B harden\-unknown\-additional: \fI<yes or no>
1121 .B use\-caps\-for\-id: \fI<yes or no>
1122 Use 0x20\-encoded random bits in the query to foil spoof attempts.
1126 This feature is an experimental implementation of draft dns\-0x20.
1128 .B caps\-exempt: \fI<domain>
1129 Exempt the domain so that it does not receive caps\-for\-id perturbed
1134 .B caps\-whitelist: \fI<yes or no>
1135 Alternate syntax for \fBcaps\-exempt\fR.
1137 .B qname\-minimisation: \fI<yes or no>
1144 .B qname\-minimisation\-strict: \fI<yes or no>
1145 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
1148 This option only has effect when qname-minimisation is enabled. Default is no.
1150 .B aggressive\-nsec: \fI<yes or no>
1156 .B private\-address: \fI<IP address or subnet>
1161 answers bogus. This protects against so\-called DNS Rebinding, where
1165 \fBlocal\-data\fR that you configured is allowed to, and you can specify
1166 additional names using \fBprivate\-domain\fR. No private addresses are
1173 stops IPv4-mapped IPv6 addresses from bypassing the filter.
1175 .B private\-domain: \fI<domain name>
1180 .B unwanted\-reply\-threshold: \fI<number>
1187 .B do\-not\-query\-address: \fI<IP address>
1192 .B do\-not\-query\-localhost: \fI<yes or no>
1193 If yes, localhost is added to the do\-not\-query\-address entries, both
1204 .B prefetch\-key: \fI<yes or no>
1209 .B deny\-any: \fI<yes or no>
1215 .B rrset\-roundrobin: \fI<yes or no>
1219 .B minimal-responses: \fI<yes or no>
1230 .B disable-dnssec-lame-check: \fI<yes or no>
1237 .B module\-config: \fI<"module names">
1241 Setting this to just "\fIiterator\fR" will result in a non\-validating
1246 You must also set \fItrust\-anchors\fR for validation to be useful.
1262 .B trust\-anchor\-file: \fI<filename>
1267 .B auto\-trust\-anchor\-file: \fI<filename>
1271 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1277 .B trust\-anchor: \fI<"Resource Record">
1279 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1285 .B trusted\-keys\-file: \fI<filename>
1287 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1288 but has a different file format. Format is BIND\-9 style format,
1289 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1293 .B trust\-anchor\-signaling: \fI<yes or no>
1296 .B root\-key\-sentinel: \fI<yes or no>
1299 .B domain\-insecure: \fI<domain name>
1312 .B val\-override\-date: \fI<rrsig\-style date spec>
1316 you are debugging signature inception and expiration. The value \-1 ignores
1319 .B val\-sig\-skew\-min: \fI<seconds>
1321 A value of 10% of the signature lifetime (expiration \- inception) is
1326 .B val\-sig\-skew\-max: \fI<seconds>
1328 A value of 10% of the signature lifetime (expiration \- inception)
1331 min and max very low disables the clock skew allowances. Setting both
1335 .B val\-max\-restart: \fI<number>
1339 .B val\-bogus\-ttl: \fI<number>
1345 .B val\-clean\-additional: \fI<yes or no>
1352 .B val\-log\-level: \fI<number>
1361 .B val\-permissive\-mode: \fI<yes or no>
1369 .B ignore\-cd\-flag: \fI<yes or no>
1377 .B disable\-edns\-do: \fI<yes or no>
1391 .B serve\-expired: \fI<yes or no>
1393 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
1397 .B serve\-expired\-ttl: \fI<seconds>
1399 disables the limit. This option only applies when \fBserve\-expired\fR is
1403 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1404 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1409 .B serve\-expired\-reply\-ttl: \fI<seconds>
1411 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1414 .B serve\-expired\-client\-timeout: \fI<msec>
1416 essentially enables the serve-stale behavior as specified in
1422 .B serve\-original\-ttl: \fI<yes or no>
1426 front-end to a hidden authoritative name server. Enabling this feature does
1431 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1435 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1444 .B zonemd\-permissive\-mode: \fI<yes or no>
1450 .B add\-holddown: \fI<seconds>
1451 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1455 .B del\-holddown: \fI<seconds>
1456 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1461 .B keep\-missing: \fI<seconds>
1462 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1466 mechanism work with zones that perform regular (non\-5011) rollovers.
1470 .B permit\-small\-holddown: \fI<yes or no>
1474 .B key\-cache\-size: \fI<number>
1479 .B key\-cache\-slabs: \fI<number>
1484 .B neg\-cache\-size: \fI<number>
1489 .B unblock\-lan\-zones: \fI<yes or no>
1496 as a (DHCP-) DNS network resolver for a group of machines, where such
1498 data leakage about the local network to the upstream DNS servers.
1500 .B insecure\-lan\-zones: \fI<yes or no>
1503 \fIunblock\-lan\-zones\fR is used.
1505 .B local\-zone: \fI<zone> <type>
1507 there is no match from local\-data. The types are deny, refuse, static,
1511 are listed. Use local\-data: to enter data into the local zone. Answers for
1515 CNAME/DNAME support, or DNSSEC authoritative service, set up a stub\-zone for
1516 it as detailed in the stub zone section below. A stub\-zone can be used to
1518 fetch the information. With a forward\-zone, unbound sends queries to a server
1519 that is a recursive server to fetch the information. With an auth\-zone a
1520 zone can be loaded from file and used, it can be used like a local\-zone
1521 for users downstream, or the auth\-zone information can be used to fetch
1523 forward\-zone and auth\-zone options are described in their sections below.
1525 the local\-zone and local\-data statements allow for this, but also the
1540 as local\-data for the zone apex domain.
1547 If no local\-zone is given local\-data causes a transparent zone
1564 local\-zone: "example.com." redirect and
1565 local\-data: "example.com. A 127.0.0.1"
1572 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1629 can be turned off by specifying your own local\-zone of that name, or
1636 local\-zone: "localhost." redirect
1637 local\-data: "localhost. 10800 IN NS localhost."
1638 local\-data: "localhost. 10800 IN
1640 local\-data: "localhost. 10800 IN A 127.0.0.1"
1641 local\-data: "localhost. 10800 IN AAAA ::1"
1647 local\-zone: "127.in\-addr.arpa." static
1648 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1649 local\-data: "127.in\-addr.arpa. 10800 IN
1651 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1658 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1660 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1663 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1666 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1674 local\-zone: "home.arpa." static
1675 local\-data: "home.arpa. 10800 IN NS localhost."
1676 local\-data: "home.arpa. 10800 IN
1683 local\-zone: "onion." static
1684 local\-data: "onion. 10800 IN NS localhost."
1685 local\-data: "onion. 10800 IN
1692 local\-zone: "test." static
1693 local\-data: "test. 10800 IN NS localhost."
1694 local\-data: "test. 10800 IN
1701 local\-zone: "invalid." static
1702 local\-data: "invalid. 10800 IN NS localhost."
1703 local\-data: "invalid. 10800 IN
1708 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1709 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1710 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1713 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1714 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1715 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1716 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1717 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1736 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1739 transparent with a local\-zone statement.
1741 .\" End of local-zone listing.
1743 .B local\-data: \fI"<resource record string>"
1745 The query has to match exactly unless you configure the local\-zone as
1746 redirect. If not matched exactly, the local\-zone type determines
1747 further processing. If local\-data is configured that is not a subdomain of
1748 a local\-zone, a transparent local\-zone is configured.
1750 local\-data: 'example. TXT "text"'.
1753 CNAME/DNAME support, or DNSSEC authoritative service, set up a stub\-zone for
1756 .B local\-data\-ptr: \fI"IPaddr name"
1761 .B local\-zone\-tag: \fI<zone> <"list of tags">
1763 used access-control element has a matching tag. Tags must be defined in
1764 \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
1766 list of tags for the query and local\-zone\-tag is non-empty.
1768 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1770 Use this localzone type, regardless of the type configured for the local-zone
1772 access\-control\-tag\-action.
1774 .B response\-ip: \fI<IP-netblock> <action>
1781 \fIaccess-control-tag-action\fR, but there are some exceptions.
1783 Actions for \fIresponse-ip\fR are different from those for
1784 \fIlocal-zone\fR in that in case of the former there is no point of
1786 Because of this difference, the semantics of \fIresponse-ip\fR actions
1789 invalid for \fIresponse-ip\fR.
1791 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1796 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1799 This specifies the action data for \fIresponse-ip\fR with action being
1801 record string" is similar to that of \fIaccess-control-tag-action\fR,
1803 If the IP-netblock is an IPv6/IPv4 prefix, the record
1806 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1808 IP-netblock, following the normal rules for CNAME records.
1813 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1816 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1818 IP-netblock, the specified tags are assigned to the IP address.
1819 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1821 \fIaccess-control-tag-action\fR will apply.
1822 Tag matching rule is the same as that for \fIaccess-control-tag\fR and
1823 \fIlocal-zones\fR.
1824 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1825 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1827 If multiple \fIresponse-ip-tag\fR options are specified for the same
1828 IP-netblock in different statements, all but the first will be
1834 \fIaccess-control-tag-action\fR that has a matching tag with
1835 \fIresponse-ip-tag\fR can be those that are "invalid" for
1836 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1840 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1841 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1842 specific, and non-existence of data does not indicate anything about
1843 the existence or non-existence of the qname itself.
1845 no data for the corresponding \fIresponse-ip\fR configuration, then
1863 .B ratelimit\-size: \fI<memory size>
1869 .B ratelimit\-slabs: \fI<number>
1874 .B ratelimit\-factor: \fI<number>
1883 .B ratelimit\-backoff: \fI<yes or no>
1887 window. No traffic is allowed, except for ratelimit\-factor, until demand
1892 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1895 a top\-level\-domain you may want to have a higher limit than other names.
1898 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1903 is not changed, use ratelimit\-for\-domain to set that, you might want
1904 to use different settings for a top\-level\-domain and subdomains.
1907 .B ip\-ratelimit: \fI<number or 0>
1915 If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
1919 .B ip\-ratelimit\-cookie: \fI<number or 0>
1930 If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
1934 .B ip\-ratelimit\-size: \fI<memory size>
1940 .B ip\-ratelimit\-slabs: \fI<number>
1945 .B ip\-ratelimit\-factor: \fI<number>
1954 .B ip\-ratelimit\-backoff: \fI<yes or no>
1958 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1960 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1963 .B outbound\-msg\-retry: \fI<number>
1971 .B max\-sent\-count: \fI<number>
1978 .B max\-query\-restarts: \fI<number>
1986 .B iter\-scrub\-ns: \fI<number>
1991 .B iter\-scrub\-cname: \fI<number>
1997 .B max\-global\-quota: \fI<number>
2003 .B fast\-server\-permil: \fI<number>
2007 servers for the remaining time. When prefetch is enabled (or serve\-expired),
2010 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
2011 servers set. The default for fast\-server\-permil is 0.
2013 .B fast\-server\-num: \fI<number>
2015 use the fastest specified number of servers with the fast\-server\-permil
2018 .B answer\-cookie: \fI<yes or no>
2023 .B cookie\-secret: \fI<128 bit hex string>
2029 This option is ignored if a \fBcookie\-secret\-file\fR is
2033 .B cookie\-secret\-file: \fI<filename>
2036 \fBcookie-secret\fR option is ignored.
2040 \fIunbound\-control\fR(8) tool. Please see that manpage on how to perform a
2044 .B edns\-client\-string: \fI<IP netblock> <string>
2049 .B edns\-client\-string\-opcode: \fI<opcode>
2050 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
2051 A value from the `Reserved for Local/Experimental` range (65001-65534) should
2059 When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
2063 .B ede\-serve\-expired: \fI<yes or no>
2064 If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
2070 .B remote\-control:
2072 enabled, the \fIunbound\-control\fR(8) utility can be used to send
2075 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
2076 section for options. To set up the correct self\-signed certificates use the
2077 \fIunbound\-control\-setup\fR(8) utility.
2079 .B control\-enable: \fI<yes or no>
2083 .B control\-interface: \fI<ip address or interface name or path>
2101 .B control\-port: \fI<port number>
2107 .B control\-use\-cert: \fI<yes or no>
2108 For localhost control-interface you can disable the use of TLS by setting
2112 .B server\-key\-file: \fI<private key file>
2114 This file is generated by the \fIunbound\-control\-setup\fR utility.
2115 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
2117 .B server\-cert\-file: \fI<certificate file.pem>
2119 This file is generated by the \fIunbound\-control\-setup\fR utility.
2120 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
2122 .B control\-key\-file: \fI<private key file>
2124 This file is generated by the \fIunbound\-control\-setup\fR utility.
2125 This file is used by \fIunbound\-control\fR.
2127 .B control\-cert\-file: \fI<certificate file.pem>
2130 This file is generated by the \fIunbound\-control\-setup\fR utility.
2131 This file is used by \fIunbound\-control\fR.
2135 .B stub\-zone:
2143 This is useful for company\-local data or private zones. Set up an
2146 .B stub\-addr:
2159 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
2160 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
2163 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
2168 .B stub\-host: \fI<domain name>
2174 configured tls\-port.
2176 .B stub\-addr: \fI<IP address>
2182 configured tls\-port.
2184 .B stub\-prime: \fI<yes or no>
2190 .B stub\-first: \fI<yes or no>
2196 .B stub\-tls\-upstream: \fI<yes or no>
2200 .B stub\-ssl\-upstream: \fI<yes or no>
2201 Alternate syntax for \fBstub\-tls\-upstream\fR.
2203 .B stub\-tcp\-upstream: \fI<yes or no>
2204 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
2207 .B stub\-no\-cache: \fI<yes or no>
2213 .B forward\-zone:
2216 forward the queries to. The servers listed as \fBforward\-host:\fR and
2217 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
2224 A forward\-zone entry with name "." and a forward\-addr target will
2231 .B forward\-host: \fI<domain name>
2237 configured tls\-port.
2239 .B forward\-addr: \fI<IP address>
2245 configured tls\-port.
2248 If you leave out the '#' and auth name from the forward\-addr, any
2249 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
2251 .B forward\-first: \fI<yes or no>
2256 .B forward\-tls\-upstream: \fI<yes or no>
2259 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
2262 .B forward\-ssl\-upstream: \fI<yes or no>
2263 Alternate syntax for \fBforward\-tls\-upstream\fR.
2265 .B forward\-tcp\-upstream: \fI<yes or no>
2266 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
2269 .B forward\-no\-cache: \fI<yes or no>
2274 Authority zones are configured with \fBauth\-zone:\fR, and each one must
2275 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with …
2277 Authority zones can be processed on two distinct, non-exclusive, configurable
2280 With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
2281 after \fBlocal\-zones\fR and before cache.
2287 With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
2298 An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
2299 \fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
2342 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2348 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2350 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2351 With allow\-notify you can specify additional sources of notifies.
2358 .B fallback\-enabled: \fI<yes or no>
2363 .B for\-downstream: \fI<yes or no>
2368 zone but have a local copy of zone data. If for\-downstream is no and
2369 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2373 .B for\-upstream: \fI<yes or no>
2380 .B zonemd\-check: \fI<yes or no>
2386 .B zonemd\-reject\-absence: \fI<yes or no>
2391 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2407 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2408 \fBlocal\-data\fR elements. Views can also contain view\-first,
2409 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2411 view name in an \fBaccess\-control\-view\fR element. Options from matching
2416 Name of the view. Must be unique. This name is used in access\-control\-view
2419 .B local\-zone: \fI<zone> <type>
2420 View specific local\-zone elements. Has the same types and behaviour as the
2421 global local\-zone elements. When there is at least one local\-zone specified
2422 and view\-first is no, the default local-zones will be added to this view.
2423 Defaults can be disabled using the nodefault type. When view\-first is yes or
2424 when a view does not have a local\-zone, the global local\-zone will be used
2427 .B local\-data: \fI"<resource record string>"
2428 View specific local\-data elements. Has the same behaviour as the global
2429 local\-data elements.
2431 .B local\-data\-ptr: \fI"IPaddr name"
2432 View specific local\-data\-ptr elements. Has the same behaviour as the global
2433 local\-data\-ptr elements.
2435 .B view\-first: \fI<yes or no>
2436 If enabled, it attempts to use the global local\-zone and local\-data if there
2446 and the word "python" has to be put in the \fBmodule\-config:\fR option
2452 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2456 .B python\-script: \fI<python file>\fR
2458 added to the \fBmodule\-config:\fR option.
2467 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2470 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2474 .B dynlib\-file: \fI<dynlib file>\fR
2476 instance added to the \fBmodule\-config:\fR option.
2479 The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
2483 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2487 .B dns64\-synthall: \fI<yes or no>\fR
2491 .B dns64\-ignore\-aaaa: \fI<name>\fR
2498 NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
2501 .B do\-nat64: \fI<yes or no>\fR
2502 Use NAT64 to reach IPv4-only servers.
2503 Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
2507 .B nat64\-prefix: \fI<IPv6 prefix>\fR
2508 Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
2509 the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
2517 \fB\-\-enable\-dnscrypt\fR.
2519 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2520 dnscrypt-wrapper/blob/master/README.md#usage
2522 .B dnscrypt\-enable: \fI<yes or no>\fR
2527 .B dnscrypt\-port: \fI<port number>
2532 .B dnscrypt\-provider: \fI<provider name>\fR
2534 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2536 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2540 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2541 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2544 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2546 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2557 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2563 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2568 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2574 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2580 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
2592 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2594 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2597 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2602 This module does not interact with the \fBserve\-expired*\fR and
2605 .B send\-client\-subnet: \fI<IP address>\fR
2608 be given multiple times. Authorities not listed will not receive edns-subnet
2609 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2611 .B client\-subnet\-zone: \fI<domain>\fR
2613 given multiple times. Zones not listed will not receive edns-subnet information,
2614 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2616 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2618 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2625 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2629 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2633 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2638 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2643 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2647 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2652 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
2654 \fB\-\-enable\-ipsecmod\fR to be enabled.
2678 \fBipsecmod-max-ttl\fR.
2682 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2685 .B ipsecmod-enabled: \fI<yes or no>\fR
2687 needs to be defined in the \fBmodule\-config:\fR directive. This option
2691 .B ipsecmod\-hook: \fI<filename>\fR
2695 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2698 .B ipsecmod-strict: \fI<yes or no>\fR
2703 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2707 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2713 .B ipsecmod\-allow: \fI<domain>\fR
2718 .B ipsecmod\-whitelist: \fI<yes or no>
2719 Alternate syntax for \fBipsecmod\-allow\fR.
2722 The Cache DB module must be configured in the \fBmodule\-config:\fR
2724 with \fB\-\-enable\-cachedb\fR.
2727 When Unbound cannot find an answer to a query in its built-in in-memory
2734 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2738 \fB\-\-with\-libhiredis\fR
2748 preferably with some kind of least-recently-used eviction policy.
2749 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2773 The default database is the in-memory backend named "testframe", which,
2775 Depending on the build-time configuration, "redis" backend may also be
2778 .B secret-seed: \fI<"secret string">\fR
2787 .B cachedb-no-store: \fI<yes or no>\fR
2792 .B cachedb-check-when-serve-expired: \fI<yes or no>\fR
2794 When \fBserve\-expired\fR is enabled, without \fBserve\-expired\-client\-timeout\fR, it then
2798 If also \fBserve\-expired\-client\-timeout\fR is enabled, the expired response
2806 .B redis-server-host: \fI<server address or name>\fR
2813 .B redis-server-port: \fI<port number>\fR
2817 .B redis-server-path: \fI<unix socket path>\fR
2822 .B redis-server-password: \fI"<password>"\fR
2827 .B redis-timeout: \fI<msec>\fR
2831 re-establish a new connection later.
2834 .B redis-command-timeout: \fI<msec>\fR
2836 redis\-timeout value. The default is 0.
2838 .B redis-connect-timeout: \fI<msec>\fR
2840 uses the redis\-timeout value. The default is 0.
2842 .B redis-expire-records: \fI<yes or no>
2845 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2850 .B redis-logical-db: \fI<logical database index>
2861 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2865 threading it does not spawn a thread, but connects per-process to the
2868 .B dnstap-enable: \fI<yes or no>
2870 and if any of the dnstap-log-..-messages options is enabled it sends logs
2873 .B dnstap-bidirectional: \fI<yes or no>
2877 .B dnstap-socket-path: \fI<file name>
2881 .B dnstap-ip: \fI<IPaddress[@port]>
2885 .B dnstap-tls: \fI<yes or no>
2886 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2889 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2890 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If ""…
2892 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
2897 .B dnstap-tls-client-key-file: \fI<file name>
2901 .B dnstap-tls-client-cert-file: \fI<file name>
2904 .B dnstap-send-identity: \fI<yes or no>
2908 .B dnstap-send-version: \fI<yes or no>
2912 .B dnstap-identity: \fI<string>
2916 .B dnstap-version: \fI<string>
2920 .B dnstap-sample-rate: \fI<number>
2927 .B dnstap-log-resolver-query-messages: \fI<yes or no>
2931 .B dnstap-log-resolver-response-messages: \fI<yes or no>
2935 .B dnstap-log-client-query-messages: \fI<yes or no>
2939 .B dnstap-log-client-response-messages: \fI<yes or no>
2943 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
2946 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
2955 The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
2956 \fBmodule-config: "respip validator iterator"\fR.
2959 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
2960 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
2961 before \fBauth\-zones\fR.
2979 netblock.rpz-client-ip client IP address
2980 netblock.rpz-ip response IP address in the answer
2981 name.rpz-nsdname nameserver name
2982 netblock.rpz-nsip nameserver IP address
2986 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
2987 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2993 CNAME rpz-passthru. do nothing, allow to continue
2994 CNAME rpz-drop. the query is dropped
2995 CNAME rpz-tcp-only. answer over TCP
2998 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
3030 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
3033 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
3034 With allow\-notify you can specify additional sources of notifies.
3046 .B rpz\-action\-override: \fI<action>
3050 .B rpz\-cname\-override: \fI<domain>
3052 \fBrpz\-action\-override\fR.
3054 .B rpz\-log: \fI<yes or no>
3057 .B rpz\-log\-name: \fI<name>
3060 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
3065 .B for\-downstream: \fI<yes or no>
3073 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
3074 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
3084 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
3089 num\-threads: 1
3090 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
3091 incoming\-num\-tcp: 1
3092 outgoing\-range: 60 # uses less memory, but less performance.
3093 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
3094 msg\-cache\-size: 100k
3095 msg\-cache\-slabs: 1
3096 rrset\-cache\-size: 100k
3097 rrset\-cache\-slabs: 1
3098 infra\-cache\-numhosts: 200
3099 infra\-cache\-slabs: 1
3100 key\-cache\-size: 100k
3101 key\-cache\-slabs: 1
3102 neg\-cache\-size: 10k
3103 num\-queries\-per\-thread: 30
3104 target\-fetch\-policy: "2 1 0 0 0 0"
3105 harden\-large\-queries: "yes"
3106 harden\-short\-bufsize: "yes"
3129 \fIunbound\-checkconf\fR(8).