Lines Matching +full:per +full:- +full:port +full:- +full:set
3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
94 information including short information per query. Level 3 gives query level
95 information, output per query. Level 4 gives algorithm level information.
99 .B statistics\-interval: \fI<seconds>
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B statistics\-inhibit\-zero: \fI<yes or no>
117 printing with \fIunbound\-control\fR(8).
123 .B num\-threads: \fI<number>
126 .B port: \fI<port number>
127 The port number, default 53, on which the server responds to queries.
129 .B interface: \fI<ip address or interface name [@port]>
135 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
136 A port number can be specified with @port (without spaces between
137 interface and port number); if not specified, the default port (from
138 \fBport\fR) is used.
140 .B ip\-address: \fI<ip address or interface name [@port]>
143 .B interface\-automatic: \fI<yes or no>
146 ip\-transparent, but this option services all interfaces whilst with
147 ip\-transparent you can select which (future) interfaces Unbound provides
151 .B interface\-automatic\-ports: \fI<string>
152 List the port numbers that interface-automatic listens on. If empty, the
153 default port is listened on. The port numbers are separated by spaces in the
157 and listen on the normal port number, by including it in the list, and
158 also https or dns over tls port numbers by putting them in the list as well.
160 .B outgoing\-interface: \fI<ip address or ip6 netblock>
167 .B outgoing\-interface:
174 host running Unbound, and requires OS support for unprivileged non-local binds
177 .B outgoing\-interface:
180 .B prefer\-ip6: yes
184 ip \-6 addr add mynetblock/64 dev lo &&
185 ip \-6 route add local mynetblock/64 dev lo
187 .B outgoing\-range: \fI<number>
188 Number of ports to open. This number of file descriptors can be opened per
193 .B outgoing\-port\-permit: \fI<port number or range>
194 Permit Unbound to open this port or range of ports for use to send queries.
198 Give a port number or a range of the form "low\-high", without spaces.
200 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
202 and subtracting the avoided ports from the set of allowed ports. The
203 processing starts with the non IANA allocated ports above 1024 in the set
206 .B outgoing\-port\-avoid: \fI<port number or range>
207 Do not permit Unbound to open this port or range of ports for use to send
208 queries. Use this to make sure Unbound does not grab a port that another
209 daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
211 Give a port number or a range of the form "low\-high", without spaces.
213 .B outgoing\-num\-tcp: \fI<number>
214 Number of outgoing TCP buffers to allocate per thread. Default is 10. If
215 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
218 .B incoming\-num\-tcp: \fI<number>
219 Number of incoming TCP buffers to allocate per thread. Default is
220 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
223 .B edns\-buffer\-size: \fI<number>
226 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
227 not set higher than that value. Default is 1232 which is the DNS Flag Day 2020
233 .B max\-udp\-size: \fI<number>
237 same as the default for edns\-buffer\-size.
239 .B stream\-wait\-size: \fI<number>
246 that can be queued up per connection is also limited, with further requests
249 .B msg\-buffer\-size: \fI<number>
256 .B msg\-cache\-size: \fI<number>
261 .B msg\-cache\-slabs: \fI<number>
263 Must be set to a power of 2. Setting (close) to the number of cpus is a
266 .B num\-queries\-per\-thread: \fI<number>
269 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
273 .B jostle\-timeout: \fI<msec>
274 Timeout used when the server is very busy. Set to a value that usually
280 The effect is that the qps for long-lasting queries is about
283 / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
286 .B delay\-close: \fI<msec>
290 closed ports and setting off all sorts of close-port counters, with
295 .B udp\-connect: \fI<yes or no>
299 .B unknown\-server\-time\-limit: \fI<msec>
302 That would then avoid re\-querying every initial query because it times out.
305 .B discard\-timeout: \fI<msec>
309 larger than serve\-expired\-client\-timeout if that is enabled.
313 .B wait\-limit: \fI<number>
315 This makes a ratelimit per IP address of waiting replies for recursion.
319 .B wait\-limit\-cookie: \fI<number>
324 .B wait\-limit\-netblock: \fI<netblock> <number>
325 The wait limit for the netblock. If not given the wait\-limit value is
328 The value -1 disables wait limits for the netblock.
330 .B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
332 If not given, the wait\-limit\-cookie value is used.
333 The value -1 disables wait limits for the netblock.
335 .B so\-rcvbuf: \fI<number>
336 If not 0, then set the SO_RCVBUF socket option to get more buffer
337 space on UDP port 53 incoming queries, so that short spikes on busy
338 servers do not drop packets (see counter in netstat \-su). Default is
343 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
346 .B so\-sndbuf: \fI<number>
347 If not 0, then set the SO_SNDBUF socket option to get more buffer space on
348 UDP port 53 outgoing queries. For very busy servers, this handles spikes
350 can get logged, the buffer overrun is also visible by netstat \-su.
355 to so\-rcvbuf.
357 .B so\-reuseport: \fI<yes or no>
359 thread and try to set the SO_REUSEPORT socket option on each socket. May
363 it then attempts to open the port and passes the option if it was available
369 .B ip\-transparent: \fI<yes or no>
372 non\-local interfaces. For example for non\-existent IP addresses that
374 a lot like interface\-automatic, but that one services all interfaces
380 .B ip\-freebind: \fI<yes or no>
385 ip\-transparent option is also available.
387 .B ip-dscp: \fI<number>
390 The field replaces the outdated IPv4 Type-Of-Service field and the
393 .B rrset\-cache\-size: \fI<number>
398 .B rrset\-cache\-slabs: \fI<number>
400 Must be set to a power of 2.
402 .B cache\-max\-ttl: \fI<seconds>
405 Can be set lower to force the resolver to query for data often, and not
408 .B cache\-min\-ttl: \fI<seconds>
416 .B cache\-max\-negative\-ttl: \fI<seconds>
421 .B cache\-min\-negative\-ttl: \fI<seconds>
425 If this is disabled and \fBcache-min-ttl\fR is configured, it will take effect
427 In that case you can set this to 1 to honor the upstream TTL.
430 .B infra\-host\-ttl: \fI<seconds>
434 .B infra\-cache\-slabs: \fI<number>
436 by threads. Must be set to a power of 2.
438 .B infra\-cache\-numhosts: \fI<number>
441 .B infra\-cache\-min\-rtt: \fI<msec>
446 .B infra\-cache\-max\-rtt: \fI<msec>
450 .B infra\-keep\-probing: \fI<yes or no>
454 it may take \fBinfra\-host\-ttl\fR time to get probed again.
456 .B define\-tag: \fI<"list of tags">
457 Define the tags that can be used with local\-zone and access\-control.
460 .B do\-ip4: \fI<yes or no>
463 .B do\-ip6: \fI<yes or no>
470 .B prefer\-ip4: \fI<yes or no>
477 .B prefer\-ip6: \fI<yes or no>
481 .B do\-udp: \fI<yes or no>
484 .B do\-tcp: \fI<yes or no>
487 .B tcp\-mss: \fI<number>
491 Note that not all platforms support the socket option to set MSS (TCP_MAXSEG).
495 .B outgoing\-tcp\-mss: \fI<number>
499 Note that not all platforms support the socket option to set MSS (TCP_MAXSEG).
503 .B tcp-idle-timeout: \fI<msec>\fR
514 It will be overridden by \fBedns\-tcp\-keepalive\-timeout\fR if
515 \fBedns\-tcp\-keepalive\fR is enabled.
517 .B tcp-reuse-timeout: \fI<msec>\fR
521 .B max-reuse-tcp-queries: \fI<number>\fR
526 .B tcp-auth-query-timeout: \fI<number>\fR
530 .B edns-tcp-keepalive: \fI<yes or no>\fR
533 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
534 Overrides \fBtcp\-idle\-timeout\fR when \fBedns\-tcp\-keepalive\fR is enabled.
540 .B sock\-queue\-timeout: \fI<sec>\fR
542 dropped. Default is 0, disabled. The time is set in seconds, 3 could be a
548 .B tcp\-upstream: \fI<yes or no>
550 Default is no. Useful in tunneling scenarios. If set to no, you can specify
551 TCP transport only for selected forward or stub zones using forward-tcp-upstream
552 or stub-tcp-upstream respectively.
554 .B udp\-upstream\-without\-downstream: \fI<yes or no>
555 Enable udp upstream even if do-udp is no. Default is no, and this does not
559 .B tls\-upstream: \fI<yes or no>
563 \fBtls\-service\-key\fR).
564 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or
565 tls\-system\-cert to load CA certs, otherwise the connections cannot be
566 authenticated. This option enables TLS for all of them, but if you do not set
568 forward\-tls\-upstream. And also with stub\-tls\-upstream.
569 If the tls\-upstream option is enabled, it is for all the forwards and stubs,
570 where the forward\-tls\-upstream and stub\-tls\-upstream options are ignored,
571 as if they had been set to yes.
573 .B ssl\-upstream: \fI<yes or no>
574 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
577 .B tls\-service\-key: \fI<file>
578 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
579 TCP ports marked implicitly or explicitly for these services with tls\-port or
580 https\-port. The file must contain the private key for the TLS session, the
581 public certificate is in the tls\-service\-pem file and it must also be
582 specified if tls\-service\-key is specified. The default is "", turned off.
585 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
586 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
587 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
589 .B ssl\-service\-key: \fI<file>
590 Alternate syntax for \fBtls\-service\-key\fR.
592 .B tls\-service\-pem: \fI<file>
596 .B ssl\-service\-pem: \fI<file>
597 Alternate syntax for \fBtls\-service\-pem\fR.
599 .B tls\-port: \fI<number>
600 The port number on which to provide TCP TLS service, default 853, only
601 interfaces configured with that port number as @number get the TLS service.
603 .B ssl\-port: \fI<number>
604 Alternate syntax for \fBtls\-port\fR.
606 .B tls\-cert\-bundle: \fI<file>
607 If null or "", no file is used. Set it to the certificate bundle file,
608 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
609 for authenticating connections made to outside peers. For example auth\-zone
613 .B ssl\-cert\-bundle: \fI<file>
614 Alternate syntax for \fBtls\-cert\-bundle\fR.
616 .B tls\-win\-cert: \fI<yes or no>
620 the tls\-cert\-bundle option on other systems. On other systems, this option
623 .B tls\-system\-cert: \fI<yes or no>
624 This is the same setting as the tls\-win\-cert setting, under a different name.
627 .B tls\-additional\-port: \fI<portnr>
628 List port numbers as tls\-additional\-port, and when interfaces are defined,
629 e.g. with the @port suffix, as this port number, they provide dns over TLS
632 .B tls-session-ticket-keys: \fI<file>
645 .B tls\-ciphers: \fI<string with cipher list>
649 .B tls\-ciphersuites: \fI<string with ciphersuites list>
653 .B pad\-responses: \fI<yes or no>
656 \fBpad\-responses\-block\-size\fR.
659 .B pad\-responses\-block\-size: \fI<number>
664 .B pad\-queries: \fI<yes or no>
666 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
669 .B pad\-queries\-block\-size: \fI<number>
673 .B tls\-use\-sni: \fI<yes or no>
678 .B https\-port: \fI<number>
679 The port number on which to provide DNS-over-HTTPS service, default 443, only
680 interfaces configured with that port number as @number get the HTTPS service.
682 .B http\-endpoint: \fI<endpoint string>
683 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
685 .B http\-max\-streams: \fI<number of streams>
687 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
689 .B http\-query\-buffer\-size: \fI<size in bytes>
696 .B http\-response\-buffer\-size: \fI<size in bytes>
703 .B http\-nodelay: \fI<yes or no>
704 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
707 .B http\-notls\-downstream: \fI<yes or no>
708 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
711 .B proxy\-protocol\-port: \fI<portnr>
712 List port numbers as proxy\-protocol\-port, and when interfaces are defined,
713 e.g. with the @port suffix, as this port number, they support and expect PROXYv2.
722 .B quic\-port: \fI<number>
723 The port number on which to provide DNS-over-QUIC service, default 853, only
724 interfaces configured with that port number as @number get the QUIC service.
725 The interface uses QUIC for the UDP traffic on that port number.
727 .B quic\-size: \fI<size in bytes>
734 .B use\-systemd: \fI<yes or no>
738 .B do\-daemonize: \fI<yes or no>
740 a daemon. Set the value to \fIno\fR when Unbound runs as systemd service.
743 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
748 .B access\-control: \fI<IP netblock> <action>
760 The order of the access\-control statements therefore does not matter.
772 local\-data that is configured. The reason is that this does not involve
779 treats all requests as if the recursion desired bit is set. Note that this
796 \fBanswer\-cookie\fR option is enabled.
802 \fBanswer\-cookie\fR setting.
803 UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
808 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
813 only allowed to query for the authoritative local\-data, they are not
818 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
819 Assign tags to access-control elements. Clients using this access control
821 defined in \fIdefine\-tags\fR. Enclose the list of tags in quotes ("") and put
822 spaces between tags. If access\-control\-tag is configured for a netblock that
823 does not have an access\-control, an access\-control element with action
826 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
829 between access\-control\-tag and local\-zone\-tag where "first" comes from the
830 order of the define-tag values.
832 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
835 .B access\-control\-view: \fI<IP netblock> <view name>
838 .B interface\-action: \fI<ip address or interface name [@port]> <action>
839 Similar to \fBaccess\-control:\fR but for interfaces.
841 The action is the same as the ones defined under \fBaccess\-control:\fR.
845 \fBaccess\-control:\fR behavior.
846 This also means that any attempt to use the \fBinterface-*:\fR options for the
848 default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option.
851 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
854 .B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
855 Similar to \fBaccess\-control-tag:\fR but for interfaces.
858 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
861 .B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
862 Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
865 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
868 .B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
869 Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
872 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
875 .B interface\-view: \fI<ip address or interface name [@port]> <view name>
876 Similar to \fBaccess\-control-view:\fR but for interfaces.
879 and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
910 If given, after binding the port the user privileges are dropped. Default is
914 port, reloads (by signal HUP) will still retain the opened ports.
915 If you change the port number in the config file, and that new port number
931 If this option is given, the use\-syslog option is set to "no".
935 .B use\-syslog: \fI<yes or no>
939 The logfile setting is overridden when use\-syslog is turned on.
942 .B log\-identity: \fI<string>
949 .B log\-time\-ascii: \fI<yes or no>
954 .B log\-time\-iso:\fR <yes or no>
955 Log time in ISO8601 format, if \fBlog\-time\-ascii:\fR yes is also set.
958 .B log\-queries: \fI<yes or no>
959 Prints one line per query to the log, with the log timestamp and IP address,
964 .B log\-replies: \fI<yes or no>
965 Prints one line per reply to the log, with the log timestamp and IP address,
971 .B log\-tag\-queryreply: \fI<yes or no>
972 Prints the words 'query' and 'reply' with log\-queries and log\-replies.
976 .B log\-destaddr: \fI<yes or no>
977 Prints the destination address, port and type in the log\-replies output.
979 port the traffic was sent to.
981 .B log\-local\-actions: \fI<yes or no>
983 local\-zone type inform prints out, but they are also printed for the other
986 .B log\-servfail: \fI<yes or no>
995 kill \-HUP `cat @UNBOUND_PIDFILE@`
999 kill \-TERM `cat @UNBOUND_PIDFILE@`
1003 .B root\-hints: \fI<filename>
1007 when servers change, therefore it is good practice to use a root\-hints file.
1009 .B hide\-identity: \fI<yes or no>
1013 Set the identity to report. If set to "", the default, then the hostname
1016 .B hide\-version: \fI<yes or no>
1020 Set the version to report. If set to "", the default, then the package
1023 .B hide\-http\-user\-agent: \fI<yes or no>
1024 If enabled, the HTTP header User-Agent is not set. Use with caution as some
1026 If needed, it is better to explicitly set the
1027 .B http\-user\-agent
1030 .B http\-user\-agent: \fI<string>
1031 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
1039 .B hide\-trustanchor: \fI<yes or no>
1042 .B target\-fetch\-policy: \fI<"list of numbers">
1044 nameserver target addresses opportunistically. The policy is described per
1049 A value of \-1 means to fetch all targets opportunistically for that dependency
1055 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
1058 .B harden\-short\-bufsize: \fI<yes or no>
1062 .B harden\-large\-queries: \fI<yes or no>
1067 .B harden\-glue: \fI<yes or no>
1070 .B harden\-unverified\-glue: \fI<yes or no>
1071 Will trust only in-zone glue. Will try to resolve all out of zone
1075 .B harden\-dnssec\-stripped: \fI<yes or no>
1076 Require DNSSEC data for trust\-anchored zones, if such data is absent,
1085 .B harden\-below\-nxdomain: \fI<yes or no>
1092 this only DNSSEC-secure nxdomains are used, because the old software does not
1096 .B harden\-referral\-path: \fI<yes or no>
1105 If you enable it, consider adding more numbers after the target\-fetch\-policy
1108 .B harden\-algo\-downgrade: \fI<yes or no>
1115 .B harden\-unknown\-additional: \fI<yes or no>
1121 .B use\-caps\-for\-id: \fI<yes or no>
1122 Use 0x20\-encoded random bits in the query to foil spoof attempts.
1126 This feature is an experimental implementation of draft dns\-0x20.
1128 .B caps\-exempt: \fI<domain>
1129 Exempt the domain so that it does not receive caps\-for\-id perturbed
1134 .B caps\-whitelist: \fI<yes or no>
1135 Alternate syntax for \fBcaps\-exempt\fR.
1137 .B qname\-minimisation: \fI<yes or no>
1139 Only send minimum required labels of the QNAME and set QTYPE to A when
1144 .B qname\-minimisation\-strict: \fI<yes or no>
1145 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
1148 This option only has effect when qname-minimisation is enabled. Default is no.
1150 .B aggressive\-nsec: \fI<yes or no>
1156 .B private\-address: \fI<IP address or subnet>
1161 answers bogus. This protects against so\-called DNS Rebinding, where
1165 \fBlocal\-data\fR that you configured is allowed to, and you can specify
1166 additional names using \fBprivate\-domain\fR. No private addresses are
1173 stops IPv4-mapped IPv6 addresses from bypassing the filter.
1175 .B private\-domain: \fI<domain name>
1180 .B unwanted\-reply\-threshold: \fI<number>
1181 If set, a total number of unwanted replies is kept track of in every thread.
1187 .B do\-not\-query\-address: \fI<IP address>
1192 .B do\-not\-query\-localhost: \fI<yes or no>
1193 If yes, localhost is added to the do\-not\-query\-address entries, both
1204 .B prefetch\-key: \fI<yes or no>
1207 a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
1209 .B deny\-any: \fI<yes or no>
1215 .B rrset\-roundrobin: \fI<yes or no>
1219 .B minimal-responses: \fI<yes or no>
1230 .B disable-dnssec-lame-check: \fI<yes or no>
1237 .B module\-config: \fI<"module names">
1241 Setting this to just "\fIiterator\fR" will result in a non\-validating
1246 You must also set \fItrust\-anchors\fR for validation to be useful.
1262 .B trust\-anchor\-file: \fI<filename>
1267 .B auto\-trust\-anchor\-file: \fI<filename>
1269 The probes are run several times per month, thus the machine must be online
1271 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1277 .B trust\-anchor: \fI<"Resource Record">
1279 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1285 .B trusted\-keys\-file: \fI<filename>
1287 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1288 but with a different file format. The format is BIND\-9 style;
1289 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1293 .B trust\-anchor\-signaling: \fI<yes or no>
1296 .B root\-key\-sentinel: \fI<yes or no>
1299 .B domain\-insecure: \fI<domain name>
1304 to specify multiple domains that are treated as if unsigned. If you set
1312 .B val\-override\-date: \fI<rrsig\-style date spec>
1315 and expiration dates, instead of the current date. Do not set this unless
1316 you are debugging signature inception and expiration. The value \-1 ignores
1319 .B val\-sig\-skew\-min: \fI<seconds>
1321 A value of 10% of the signature lifetime (expiration \- inception) is
1326 .B val\-sig\-skew\-max: \fI<seconds>
1328 A value of 10% of the signature lifetime (expiration \- inception)
1335 .B val\-max\-restart: \fI<number>
1339 .B val\-bogus\-ttl: \fI<number>
1345 .B val\-clean\-additional: \fI<yes or no>
1352 .B val\-log\-level: \fI<number>
1361 .B val\-permissive\-mode: \fI<yes or no>
1366 is set in replies. Also logging is performed as for full validation.
1369 .B ignore\-cd\-flag: \fI<yes or no>
1373 servers that set the CD flag but cannot validate DNSSEC themselves are
1377 .B disable\-edns\-do: \fI<yes or no>
1383 When the option is enabled, clients that set the DO flag receive no EDNS
1391 .B serve\-expired: \fI<yes or no>
1393 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
1397 .B serve\-expired\-ttl: \fI<seconds>
1399 disables the limit. This option only applies when \fBserve\-expired\fR is
1400 enabled. A suggested value per RFC 8767 is between
1403 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1404 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1409 .B serve\-expired\-reply\-ttl: \fI<seconds>
1411 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1414 .B serve\-expired\-client\-timeout: \fI<msec>
1416 essentially enables the serve-stale behavior as specified in
1418 responding with expired data. A recommended value per
1422 .B serve\-original\-ttl: \fI<yes or no>
1426 front-end to a hidden authoritative name server. Enabling this feature does
1431 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1435 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1440 be in ascending order and have at least one entry. If you set it to
1444 .B zonemd\-permissive\-mode: \fI<yes or no>
1450 .B add\-holddown: \fI<seconds>
1451 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1453 visible for this time. Default is 30 days as per the RFC.
1455 .B del\-holddown: \fI<seconds>
1456 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1458 kept in the revoked list for this long. Default is 30 days as per
1461 .B keep\-missing: \fI<seconds>
1462 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1466 mechanism work with zones that perform regular (non\-5011) rollovers.
1468 as per the RFC.
1470 .B permit\-small\-holddown: \fI<yes or no>
1474 .B key\-cache\-size: \fI<number>
1479 .B key\-cache\-slabs: \fI<number>
1481 Must be set to a power of 2. Setting (close) to the number of cpus is a
1484 .B neg\-cache\-size: \fI<number>
1489 .B unblock\-lan\-zones: \fI<yes or no>
1496 as a (DHCP-) DNS network resolver for a group of machines, where such
1500 .B insecure\-lan\-zones: \fI<yes or no>
1503 \fIunblock\-lan\-zones\fR is used.
1505 .B local\-zone: \fI<zone> <type>
1507 there is no match from local\-data. The types are deny, refuse, static,
1511 are listed. Use local\-data: to enter data into the local zone. Answers for
1515 CNAME/DNAME support, or DNSSEC authoritative service, set up a stub\-zone for
1516 it as detailed in the stub zone section below. A stub\-zone can be used to
1518 fetch the information. With a forward\-zone, unbound sends queries to a server
1519 that is a recursive server to fetch the information. With an auth\-zone a
1520 zone can be loaded from file and used, it can be used like a local\-zone
1521 for users downstream, or the auth\-zone information can be used to fetch
1523 forward\-zone and auth\-zone options are described in their sections below.
1525 the local\-zone and local\-data statements allow for this, but also the
1540 as local\-data for the zone apex domain.
1547 If no local\-zone is given local\-data causes a transparent zone
1564 local\-zone: "example.com." redirect and
1565 local\-data: "example.com. A 127.0.0.1"
1572 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1629 can be turned off by specifying your own local\-zone of that name, or
1636 local\-zone: "localhost." redirect
1637 local\-data: "localhost. 10800 IN NS localhost."
1638 local\-data: "localhost. 10800 IN
1640 local\-data: "localhost. 10800 IN A 127.0.0.1"
1641 local\-data: "localhost. 10800 IN AAAA ::1"
1647 local\-zone: "127.in\-addr.arpa." static
1648 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1649 local\-data: "127.in\-addr.arpa. 10800 IN
1651 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1658 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1660 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1663 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1666 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1674 local\-zone: "home.arpa." static
1675 local\-data: "home.arpa. 10800 IN NS localhost."
1676 local\-data: "home.arpa. 10800 IN
1683 local\-zone: "onion." static
1684 local\-data: "onion. 10800 IN NS localhost."
1685 local\-data: "onion. 10800 IN
1692 local\-zone: "test." static
1693 local\-data: "test. 10800 IN NS localhost."
1694 local\-data: "test. 10800 IN
1701 local\-zone: "invalid." static
1702 local\-data: "invalid. 10800 IN NS localhost."
1703 local\-data: "invalid. 10800 IN
1708 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1709 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1710 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1713 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1714 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1715 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1716 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1717 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1736 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1739 transparent with a local\-zone statement.
1741 .\" End of local-zone listing.
1743 .B local\-data: \fI"<resource record string>"
1745 The query has to match exactly unless you configure the local\-zone as
1746 redirect. If not matched exactly, the local\-zone type determines
1747 further processing. If local\-data is configured that is not a subdomain of
1748 a local\-zone, a transparent local\-zone is configured.
1750 local\-data: 'example. TXT "text"'.
1753 CNAME/DNAME support, or DNSSEC authoritative service, set up a stub\-zone for
1756 .B local\-data\-ptr: \fI"IPaddr name"
1761 .B local\-zone\-tag: \fI<zone> <"list of tags">
1763 used access-control element has a matching tag. Tags must be defined in
1764 \fIdefine\-tags\fR. Enclose the list of tags in quotes ("") and put spaces between
1766 list of tags for the query and local\-zone\-tag is non-empty.
1768 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1770 Use this localzone type, regardless of the type configured for the local-zone
1772 access\-control\-tag\-action.
1774 .B response\-ip: \fI<IP-netblock> <action>
1781 \fIaccess-control-tag-action\fR, but there are some exceptions.
1783 Actions for \fIresponse-ip\fR are different from those for
1784 \fIlocal-zone\fR in that in case of the former there is no point of
1786 Because of this difference, the semantics of \fIresponse-ip\fR actions
1789 invalid for \fIresponse-ip\fR.
1791 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1796 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1799 This specifies the action data for \fIresponse-ip\fR with action being
1801 record string" is similar to that of \fIaccess-control-tag-action\fR,
1803 If the IP-netblock is an IPv6/IPv4 prefix, the record
1806 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1808 IP-netblock, following the normal rules for CNAME records.
1813 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1816 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1818 IP-netblock, the specified tags are assigned to the IP address.
1819 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1821 \fIaccess-control-tag-action\fR will apply.
1822 The tag matching rule is the same as that for \fIaccess-control-tag\fR and
1823 \fIlocal-zones\fR.
1824 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1825 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1827 If multiple \fIresponse-ip-tag\fR options are specified for the same
1828 IP-netblock in different statements, all but the first will be
1834 \fIaccess-control-tag-action\fR that has a matching tag with
1835 \fIresponse-ip-tag\fR can be those that are "invalid" for
1836 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1840 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1841 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1842 specific, and non-existence of data does not indicate anything about
1843 the existence or non-existence of the qname itself.
1845 no data for the corresponding \fIresponse-ip\fR configuration, then
1853 The ratelimit is in queries per second that are allowed. More queries are
1863 .B ratelimit\-size: \fI<memory size>
1869 .B ratelimit\-slabs: \fI<number>
1874 .B ratelimit\-factor: \fI<number>
1876 If set to 0, all queries are dropped for domains where the limit is
1877 exceeded. If set to another value, 1 in that number is allowed through
1883 .B ratelimit\-backoff: \fI<yes or no>
1887 window. No traffic is allowed, except for ratelimit\-factor, until demand
1892 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1895 a top\-level\-domain you may want to have a higher limit than other names.
1898 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1903 is not changed, use ratelimit\-for\-domain to set that, you might want
1904 to use different settings for a top\-level\-domain and subdomains.
1907 .B ip\-ratelimit: \fI<number or 0>
1908 Enable global ratelimiting of queries accepted per IP address.
1910 The ratelimit is in queries per second that are allowed. More queries are
1915 If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
1919 .B ip\-ratelimit\-cookie: \fI<number or 0>
1920 Enable global ratelimiting of queries accepted per IP address with a valid DNS
1923 The ratelimit is in queries per second that are allowed.
1930 If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
1934 .B ip\-ratelimit\-size: \fI<memory size>
1940 .B ip\-ratelimit\-slabs: \fI<number>
1945 .B ip\-ratelimit\-factor: \fI<number>
1947 If set to 0, all queries are dropped for addresses where the limit is
1948 exceeded. If set to another value, 1 in that number is allowed through
1954 .B ip\-ratelimit\-backoff: \fI<yes or no>
1958 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1960 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1963 .B outbound\-msg\-retry: \fI<number>
1964 The number of retries, per upstream nameserver in a delegation, that Unbound
1967 If a forward/stub zone is used, this is the number of retries per nameserver in
1971 .B max\-sent\-count: \fI<number>
1978 .B max\-query\-restarts: \fI<number>
1986 .B iter\-scrub\-ns: \fI<number>
1991 .B iter\-scrub\-cname: \fI<number>
1997 .B max\-global\-quota: \fI<number>
2003 .B fast\-server\-permil: \fI<number>
2004 Specify how many times out of 1000 to pick from the set of fastest servers.
2007 servers for the remaining time. When prefetch is enabled (or serve\-expired),
2010 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
2011 servers set. The default for fast\-server\-permil is 0.
2013 .B fast\-server\-num: \fI<number>
2015 use the fastest specified number of servers with the fast\-server\-permil
2018 .B answer\-cookie: \fI<yes or no>
2023 .B cookie\-secret: \fI<128 bit hex string>
2025 Useful to explicitly set for servers in an anycast deployment that need to
2029 This option is ignored if a \fBcookie\-secret\-file\fR is
2033 .B cookie\-secret\-file: \fI<filename>
2036 \fBcookie-secret\fR option is ignored.
2040 \fIunbound\-control\fR(8) tool. Please see that manpage on how to perform a
2044 .B edns\-client\-string: \fI<IP netblock> <string>
2049 .B edns\-client\-string\-opcode: \fI<opcode>
2050 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
2051 A value from the `Reserved for Local/Experimental` range (65001-65534) should
2059 When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
2063 .B ede\-serve\-expired: \fI<yes or no>
2064 If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
2070 .B remote\-control:
2072 enabled, the \fIunbound\-control\fR(8) utility can be used to send
2075 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
2076 section for options. To setup the correct self\-signed certificates use the
2077 \fIunbound\-control\-setup\fR(8) utility.
2079 .B control\-enable: \fI<yes or no>
2083 .B control\-interface: \fI<ip address or interface name or path>
2093 If you set it to an absolute path, a unix domain socket is used. This socket
2096 group that is configured, the access bits are set to allow the group members
2101 .B control\-port: \fI<port number>
2102 The port number to listen on for IPv4 or IPv6 control interfaces,
2107 .B control\-use\-cert: \fI<yes or no>
2108 For localhost control-interface you can disable the use of TLS by setting
2112 .B server\-key\-file: \fI<private key file>
2114 This file is generated by the \fIunbound\-control\-setup\fR utility.
2115 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
2117 .B server\-cert\-file: \fI<certificate file.pem>
2119 This file is generated by the \fIunbound\-control\-setup\fR utility.
2120 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
2122 .B control\-key\-file: \fI<private key file>
2124 This file is generated by the \fIunbound\-control\-setup\fR utility.
2125 This file is used by \fIunbound\-control\fR.
2127 .B control\-cert\-file: \fI<certificate file.pem>
2130 This file is generated by the \fIunbound\-control\-setup\fR utility.
2131 This file is used by \fIunbound\-control\fR.
2135 .B stub\-zone:
2143 This is useful for company\-local data or private zones. Setup an
2144 authoritative server on a different host (or different port). Enter a config
2146 .B stub\-addr:
2147 <ip address of host[@port]>.
2153 can be put in config, so that Unbound can validate the data and set the AD
2154 bit on replies for the private zone (authoritative servers do not set the
2156 private zone, and can even set the AD bit ('authentic'), but the AA
2157 ('authoritative') bit is not set on these replies.
2159 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
2160 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
2163 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
2168 .B stub\-host: \fI<domain name>
2170 To use a nondefault port for DNS communication append '@' with the port number.
2173 and '#', the '@' comes first. If only '#' is used the default port is the
2174 configured tls\-port.
2176 .B stub\-addr: \fI<IP address>
2178 To use a nondefault port for DNS communication append '@' with the port number.
2181 and '#', the '@' comes first. If only '#' is used the default port is the
2182 configured tls\-port.
2184 .B stub\-prime: \fI<yes or no>
2185 This option is by default no. If enabled it performs NS set priming,
2190 .B stub\-first: \fI<yes or no>
2196 .B stub\-tls\-upstream: \fI<yes or no>
2200 .B stub\-ssl\-upstream: \fI<yes or no>
2201 Alternate syntax for \fBstub\-tls\-upstream\fR.
2203 .B stub\-tcp\-upstream: \fI<yes or no>
2204 If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tc…
2207 .B stub\-no\-cache: \fI<yes or no>
2213 .B forward\-zone:
2216 forward the queries to. The servers listed as \fBforward\-host:\fR and
2217 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
2224 A forward\-zone entry with name "." and a forward\-addr target will
2231 .B forward\-host: \fI<domain name>
2233 To use a nondefault port for DNS communication append '@' with the port number.
2236 and '#', the '@' comes first. If only '#' is used the default port is the
2237 configured tls\-port.
2239 .B forward\-addr: \fI<IP address>
2241 To use a nondefault port for DNS communication append '@' with the port number.
2244 and '#', the '@' comes first. If only '#' is used the default port is the
2245 configured tls\-port.
2248 If you leave out the '#' and auth name from the forward\-addr, any
2249 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
2251 .B forward\-first: \fI<yes or no>
2256 .B forward\-tls\-upstream: \fI<yes or no>
2259 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
2262 .B forward\-ssl\-upstream: \fI<yes or no>
2263 Alternate syntax for \fBforward\-tls\-upstream\fR.
2265 .B forward\-tcp\-upstream: \fI<yes or no>
2266 If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tc…
2269 .B forward\-no\-cache: \fI<yes or no>
2274 Authority zones are configured with \fBauth\-zone:\fR, and each one must
2275 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with …
2277 Authority zones can be processed on two distinct, non-exclusive, configurable
2280 With \fBfor\-downstream:\fR \fIyes\fR (default), authority zones are processed
2281 after \fBlocal\-zones\fR and before cache.
2287 With \fBfor\-upstream:\fR \fIyes\fR (default), authority zones are processed
2298 An interesting configuration is \fBfor\-downstream:\fR \fIno\fR,
2299 \fBfor\-upstream:\fR \fIyes\fR that allows for hyperlocal behavior where both
2321 To use a nondefault port for DNS communication append '@' with the port number.
2342 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2348 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2350 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2351 With allow\-notify you can specify additional sources of notifies.
2358 .B fallback\-enabled: \fI<yes or no>
2363 .B for\-downstream: \fI<yes or no>
2368 zone but have a local copy of zone data. If for\-downstream is no and
2369 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2373 .B for\-upstream: \fI<yes or no>
2380 .B zonemd\-check: \fI<yes or no>
2386 .B zonemd\-reject\-absence: \fI<yes or no>
2391 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2407 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2408 \fBlocal\-data\fR elements. Views can also contain view\-first,
2409 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2411 view name in an \fBaccess\-control\-view\fR element. Options from matching
2416 Name of the view. Must be unique. This name is used in access\-control\-view
2419 .B local\-zone: \fI<zone> <type>
2420 View specific local\-zone elements. Has the same types and behaviour as the
2421 global local\-zone elements. When there is at least one local\-zone specified
2422 and view\-first is no, the default local-zones will be added to this view.
2423 Defaults can be disabled using the nodefault type. When view\-first is yes or
2424 when a view does not have a local\-zone, the global local\-zone will be used
2427 .B local\-data: \fI"<resource record string>"
2428 View specific local\-data elements. Has the same behaviour as the global
2429 local\-data elements.
2431 .B local\-data\-ptr: \fI"IPaddr name"
2432 View specific local\-data\-ptr elements. Has the same behaviour as the global
2433 local\-data\-ptr elements.
2435 .B view\-first: \fI<yes or no>
2436 If enabled, it attempts to use the global local\-zone and local\-data if there
2446 and the word "python" has to be put in the \fBmodule\-config:\fR option
2452 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2456 .B python\-script: \fI<python file>\fR
2458 added to the \fBmodule\-config:\fR option.
2467 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2470 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2471 to the new path set by \fBchroot:\fR option, or as a relative path to the
2474 .B dynlib\-file: \fI<dynlib file>\fR
2476 instance added to the \fBmodule\-config:\fR option.
2479 The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
2483 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2487 .B dns64\-synthall: \fI<yes or no>\fR
2491 .B dns64\-ignore\-aaaa: \fI<name>\fR
2494 new domain for which it applies, one per line. Applies also to names
2498 NAT64 operation allows using a NAT64 prefix for outbound requests to IPv4-only
2501 .B do\-nat64: \fI<yes or no>\fR
2502 Use NAT64 to reach IPv4-only servers.
2503 Consider also enabling \fBprefer\-ip6\fR to prefer native IPv6 connections to
2507 .B nat64\-prefix: \fI<IPv6 prefix>\fR
2508 Use a specific NAT64 prefix to reach IPv4-only servers. Defaults to using
2509 the prefix configured in \fBdns64\-prefix\fR, which in turn defaults to
2517 \fB\-\-enable\-dnscrypt\fR.
2519 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2520 dnscrypt-wrapper/blob/master/README.md#usage
2522 .B dnscrypt\-enable: \fI<yes or no>\fR
2527 .B dnscrypt\-port: \fI<port number>
2528 On which port \fBdnscrypt\fR should be activated. Note that you should
2530 this port.
2532 .B dnscrypt\-provider: \fI<provider name>\fR
2534 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2536 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2540 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2541 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2544 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2546 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2557 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2563 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2568 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2574 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2580 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
2592 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2594 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2597 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2602 This module does not interact with the \fBserve\-expired*\fR and
2605 .B send\-client\-subnet: \fI<IP address>\fR
2608 be given multiple times. Authorities not listed will not receive edns-subnet
2609 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2611 .B client\-subnet\-zone: \fI<domain>\fR
2613 given multiple times. Zones not listed will not receive edns-subnet information,
2614 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2616 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2618 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2625 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2629 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2633 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2638 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2643 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2647 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2652 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
2654 \fB\-\-enable\-ipsecmod\fR to be enabled.
2678 \fBipsecmod-max-ttl\fR.
2682 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2685 .B ipsecmod-enabled: \fI<yes or no>\fR
2687 needs to be defined in the \fBmodule\-config:\fR directive. This option
2691 .B ipsecmod\-hook: \fI<filename>\fR
2695 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2698 .B ipsecmod-strict: \fI<yes or no>\fR
2703 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2707 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2708 Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set
2710 client. If set to no, the hook will not be called and the answer to the
2713 .B ipsecmod\-allow: \fI<domain>\fR
2718 .B ipsecmod\-whitelist: \fI<yes or no>
2719 Alternate syntax for \fBipsecmod\-allow\fR.
2722 The Cache DB module must be configured in the \fBmodule\-config:\fR
2724 with \fB\-\-enable\-cachedb\fR.
2727 When Unbound cannot find an answer to a query in its built-in in-memory
2734 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2738 \fB\-\-with\-libhiredis\fR
2748 preferably with some kind of least-recently-used eviction policy.
2749 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2751 in mind that some additional memory is used per key and that the expire
2773 The default database is the in-memory backend named "testframe", which,
2775 Depending on the build-time configuration, "redis" backend may also be
2778 .B secret-seed: \fI<"secret string">\fR
2787 .B cachedb-no-store: \fI<yes or no>\fR
2792 .B cachedb-check-when-serve-expired: \fI<yes or no>\fR
2794 When \fBserve\-expired\fR is enabled, without \fBserve\-expired\-client\-timeout\fR, it then
2798 If also \fBserve\-expired\-client\-timeout\fR is enabled, the expired response
2806 .B redis-server-host: \fI<server address or name>\fR
2813 .B redis-server-port: \fI<port number>\fR
2814 The TCP port number of the Redis server.
2817 .B redis-server-path: \fI<unix socket path>\fR
2819 can be set to "" to turn this off. Unix sockets may have better throughput
2822 .B redis-server-password: \fI"<password>"\fR
2825 Off by default, and it can be set to "" to turn this off.
2827 .B redis-timeout: \fI<msec>\fR
2831 re-establish a new connection later.
2834 .B redis-command-timeout: \fI<msec>\fR
2836 redis\-timeout value. The default is 0.
2838 .B redis-connect-timeout: \fI<msec>\fR
2839 The timeout to use for redis connection set up, in milliseconds. If 0, it
2840 uses the redis\-timeout value. The default is 0.
2842 .B redis-expire-records: \fI<yes or no>
2845 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2850 .B redis-logical-db: \fI<logical database index>
2861 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2865 threading it does not spawn a thread, but connects per-process to the
2868 .B dnstap-enable: \fI<yes or no>
2870 and if any of the dnstap-log-..-messages options is enabled it sends logs
2873 .B dnstap-bidirectional: \fI<yes or no>
2877 .B dnstap-socket-path: \fI<file name>
2881 .B dnstap-ip: \fI<IPaddress[@port]>
2882 If "", the unix socket is used, if set with an IP address (IPv4 or IPv6)
2885 .B dnstap-tls: \fI<yes or no>
2886 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2887 The default is yes. If set to no, TCP is used to connect to the server.
2889 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2890 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If ""…
2892 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
2897 .B dnstap-tls-client-key-file: \fI<file name>
2901 .B dnstap-tls-client-cert-file: \fI<file name>
2904 .B dnstap-send-identity: \fI<yes or no>
2908 .B dnstap-send-version: \fI<yes or no>
2912 .B dnstap-identity: \fI<string>
2916 .B dnstap-version: \fI<string>
2920 .B dnstap-sample-rate: \fI<number>
2927 .B dnstap-log-resolver-query-messages: \fI<yes or no>
2931 .B dnstap-log-resolver-response-messages: \fI<yes or no>
2935 .B dnstap-log-client-query-messages: \fI<yes or no>
2939 .B dnstap-log-client-response-messages: \fI<yes or no>
2943 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
2946 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
2955 The \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
2956 \fBmodule-config: "respip validator iterator"\fR.
2959 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
2960 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
2961 before \fBauth\-zones\fR.
2979 netblock.rpz-client-ip client IP address
2980 netblock.rpz-ip response IP address in the answer
2981 name.rpz-nsdname nameserver name
2982 netblock.rpz-nsip nameserver IP address
2986 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
2987 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2993 CNAME rpz-passthru. do nothing, allow to continue
2994 CNAME rpz-drop. the query is dropped
2995 CNAME rpz-tcp-only. answer over TCP
2998 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
3009 To use a nondefault port for DNS communication append '@' with the port number.
3030 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
3033 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
3034 With allow\-notify you can specify additional sources of notifies.
3046 .B rpz\-action\-override: \fI<action>
3050 .B rpz\-cname\-override: \fI<domain>
3052 \fBrpz\-action\-override\fR.
3054 .B rpz\-log: \fI<yes or no>
3057 .B rpz\-log\-name: \fI<name>
3060 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
3065 .B for\-downstream: \fI<yes or no>
3073 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
3074 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
3084 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
3089 num\-threads: 1
3090 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
3091 incoming\-num\-tcp: 1
3092 outgoing\-range: 60 # uses less memory, but less performance.
3093 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
3094 msg\-cache\-size: 100k
3095 msg\-cache\-slabs: 1
3096 rrset\-cache\-size: 100k
3097 rrset\-cache\-slabs: 1
3098 infra\-cache\-numhosts: 200
3099 infra\-cache\-slabs: 1
3100 key\-cache\-size: 100k
3101 key\-cache\-slabs: 1
3102 neg\-cache\-size: 10k
3103 num\-queries\-per\-thread: 30
3104 target\-fetch\-policy: "2 1 0 0 0 0"
3105 harden\-large\-queries: "yes"
3106 harden\-short\-bufsize: "yes"
3129 \fIunbound\-checkconf\fR(8).