Lines Matching +full:default +full:- +full:on
3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
52 # e.g. on linux use these commands (on BSD, devfs(8) is used):
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
59 # listen on all interfaces, answer queries from the local subnet.
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
96 Level 5 logs client identification for cache misses. Default is level 1.
99 .B statistics\-interval: \fI<seconds>
101 Disable with value 0 or "". Default is disabled. The histogram statistics
106 .B statistics\-cumulative: \fI<yes or no>
108 the statistics counters after logging the statistics. Default is no.
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
112 Default is off, because keeping track of more statistics takes time. The
113 counters are listed in \fIunbound\-control\fR(8).
115 .B num\-threads: \fI<number>
119 The port number, default 53, on which the server responds to queries.
124 Can be given multiple times to work on several interfaces. If none are
125 given the default is to listen to localhost. If an interface name is used
126 instead of an ip address, the list of ip addresses on that interface are used.
127 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
129 interface and port number), if not specified the default port (from
132 .B ip\-address: \fI<ip address[@port]>
135 .B interface\-automatic: \fI<yes or no>
136 Listen on all addresses on all (current and future) interfaces, detect the
137 source interface on UDP queries and copy them to replies. This is a lot like
138 ip\-transparent, but this option services all interfaces whilst with
139 ip\-transparent you can select which (future) interfaces Unbound provides
140 service on. This feature is experimental, and needs support in your OS for
141 particular socket options. Default value is no.
143 .B outgoing\-interface: \fI<ip address or ip6 netblock>
146 multiple times to work on several interfaces. If none are given the
147 default (all) is used. You can specify the same interfaces in
150 .B outgoing\-interface:
157 host running Unbound, and requires OS support for unprivileged non-local binds
158 (currently only supported on Linux). Several netblocks may be specified with
160 .B outgoing\-interface:
163 .B prefer\-ip6: yes
167 ip \-6 addr add mynetblock/64 dev lo &&
168 ip \-6 route add local mynetblock/64 dev lo
170 .B outgoing\-range: \fI<number>
172 thread. Must be at least 1. Default depends on compile options. Larger
176 .B outgoing\-port\-permit: \fI<port number or range>
180 By default only ports above 1024 that have not been assigned by IANA are used.
181 Give a port number or a range of the form "low\-high", without spaces.
183 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
189 .B outgoing\-port\-avoid: \fI<port number or range>
192 daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
193 By default only ports above 1024 that have not been assigned by IANA are used.
194 Give a port number or a range of the form "low\-high", without spaces.
196 .B outgoing\-num\-tcp: \fI<number>
197 Number of outgoing TCP buffers to allocate per thread. Default is 10. If
198 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
201 .B incoming\-num\-tcp: \fI<number>
202 Number of incoming TCP buffers to allocate per thread. Default is
203 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
206 .B edns\-buffer\-size: \fI<number>
209 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
210 not set higher than that value. Default is 1232 which is the DNS Flag Day 2020
216 .B max\-udp\-size: \fI<number>
219 Suggested values are 512 to 4096. Default is 4096.
221 .B stream\-wait\-size: \fI<number>
222 Number of bytes size maximum to use for waiting stream buffers. Default is
231 .B msg\-buffer\-size: \fI<number>
232 Number of bytes size of the message buffers. Default is 65552 bytes, enough
238 .B msg\-cache\-size: \fI<number>
239 Number of bytes size of the message cache. Default is 4 megabytes.
243 .B msg\-cache\-slabs: \fI<number>
248 .B num\-queries\-per\-thread: \fI<number>
251 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
252 the client to resend after a timeout; allowing the server time to work on
253 the existing queries. Default depends on compile options, 512 or 1024.
255 .B jostle\-timeout: \fI<msec>
261 service by slow queries or high query rates. Default 200 milliseconds.
262 The effect is that the qps for long-lasting queries is about
266 qps by default.
268 .B delay\-close: \fI<msec>
270 Default is 0, and that disables it. This prevents very delayed answer
272 closed ports and setting off all sort of close-port counters, with
277 .B udp\-connect: \fI<yes or no>
279 Default is yes.
281 .B unknown\-server\-time\-limit: \fI<msec>
284 That would then avoid re\-querying every initial query because it times out.
285 Default is 376 msec.
287 .B so\-rcvbuf: \fI<number>
289 space on UDP port 53 incoming queries. So that short spikes on busy
290 servers do not drop packets (see counter in netstat \-su). Default is
292 "4m" on a busy server. The OS caps it at a maximum, on linux Unbound
294 net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
295 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
298 .B so\-sndbuf: \fI<number>
299 If not 0, then set the SO_SNDBUF socket option to get more buffer space on
302 can get logged, the buffer overrun is also visible by netstat \-su.
303 Default is 0 (use system value). Specify the number of bytes to ask
304 for, try "4m" on a very busy server. The OS caps it at a maximum, on
306 can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
307 to so\-rcvbuf.
309 .B so\-reuseport: \fI<yes or no>
311 thread and try to set the SO_REUSEPORT socket option on each socket. May
312 distribute incoming queries to threads more evenly. Default is yes.
313 On Linux it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX
314 it may also work. You can enable it (on any platform and kernel),
321 .B ip\-transparent: \fI<yes or no>
322 If yes, then use IP_TRANSPARENT socket option on sockets where Unbound
323 is listening for incoming traffic. Default no. Allows you to bind to
324 non\-local interfaces. For example for non\-existent IP addresses that
325 are going to exist later on, with host failover configuration. This is
326 a lot like interface\-automatic, but that one services all interfaces
328 provides service on. This option needs Unbound to be started with root
329 permissions on some systems. The option uses IP_BINDANY on FreeBSD systems
330 and SO_BINDANY on OpenBSD systems.
332 .B ip\-freebind: \fI<yes or no>
333 If yes, then use IP_FREEBIND socket option on sockets where Unbound
334 is listening to incoming traffic. Default no. Allows you to bind to
336 interface or IP address is down. Exists only on Linux, where the similar
337 ip\-transparent option is also available.
339 .B ip-dscp: \fI<number>
342 The field replaces the outdated IPv4 Type-Of-Service field and the
345 .B rrset\-cache\-size: \fI<number>
346 Number of bytes size of the RRset cache. Default is 4 megabytes.
350 .B rrset\-cache\-slabs: \fI<number>
354 .B cache\-max\-ttl: \fI<seconds>
355 Time to live maximum for RRsets and messages in the cache. Default is
360 .B cache\-min\-ttl: \fI<seconds>
361 Time to live minimum for RRsets and messages in the cache. Default is 0.
368 .B cache\-max\-negative\-ttl: \fI<seconds>
370 authority section that is limited in time. Default is 3600.
373 .B infra\-host\-ttl: \fI<seconds>
375 roundtrip timing, lameness and EDNS support information. Default is 900.
377 .B infra\-cache\-slabs: \fI<number>
381 .B infra\-cache\-numhosts: \fI<number>
382 Number of hosts for which information is cached. Default is 10000.
384 .B infra\-cache\-min\-rtt: \fI<msec>
386 cache. Default is 50 milliseconds. Increase this value if using forwarders
389 .B infra\-keep\-probing: \fI<yes or no>
391 at a time regime. Default is no. Hosts that are down, eg. they did
393 it may take \fBinfra\-host\-ttl\fR time to get probed again.
395 .B define\-tag: \fI<"list of tags">
396 Define the tags that can be used with local\-zone and access\-control.
399 .B do\-ip4: \fI<yes or no>
400 Enable or disable whether ip4 queries are answered or issued. Default is yes.
402 .B do\-ip6: \fI<yes or no>
403 Enable or disable whether ip6 queries are answered or issued. Default is yes.
404 If disabled, queries are not answered on IPv6, and queries are not sent on
409 .B prefer\-ip4: \fI<yes or no>
411 nameservers. Default is no. Useful if the IPv6 netblock the server has,
416 .B prefer\-ip6: \fI<yes or no>
418 nameservers. Default is no.
420 .B do\-udp: \fI<yes or no>
421 Enable or disable whether UDP queries are answered or issued. Default is yes.
423 .B do\-tcp: \fI<yes or no>
424 Enable or disable whether TCP queries are answered or issued. Default is yes.
426 .B tcp\-mss: \fI<number>
427 Maximum segment size (MSS) of TCP socket on which the server responds
428 to queries. Value lower than common MSS on Ethernet
431 Default is system default MSS determined by interface MTU and
434 .B outgoing\-tcp\-mss: \fI<number>
437 common MSS on Ethernet (1220 for example) will address path MTU problem.
439 Default is system default MSS determined by interface MTU and
442 .B tcp-idle-timeout: \fI<msec>\fR
443 The period Unbound will wait for a query on a TCP connection.
454 .B tcp-reuse-timeout: \fI<msec>\fR
458 .B max-reuse-tcp-queries: \fI<number>\fR
459 The maximum number of queries that can be sent on a persistent TCP
463 .B tcp-auth-query-timeout: \fI<number>\fR
467 .B edns-tcp-keepalive: \fI<yes or no>\fR
468 Enable or disable EDNS TCP Keepalive. Default is no.
470 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
471 The period Unbound will wait for a query on a TCP connection when
486 .B tcp\-upstream: \fI<yes or no>
488 Default is no. Useful in tunneling scenarios. If set to no you can specify
489 TCP transport only for selected forward or stub zones using forward-tcp-upstream
490 or stub-tcp-upstream respectively.
492 .B udp\-upstream\-without\-downstream: \fI<yes or no>
493 Enable udp upstream even if do-udp is no. Default is no, and this does not
497 .B tls\-upstream: \fI<yes or no>
499 Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in
501 \fBtls\-service\-key\fR).
502 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
505 …e TLS specifically for some forward zones with forward\-tls\-upstream. And also with stub\-tls\-u…
507 .B ssl\-upstream: \fI<yes or no>
508 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
511 .B tls\-service\-key: \fI<file>
512 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
513 TCP ports marked implicitly or explicitly for these services with tls\-port or
514 https\-port. The file must contain the private key for the TLS session, the
515 public certificate is in the tls\-service\-pem file and it must also be
516 specified if tls\-service\-key is specified. The default is "", turned off.
519 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
520 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
521 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
523 .B ssl\-service\-key: \fI<file>
524 Alternate syntax for \fBtls\-service\-key\fR.
526 .B tls\-service\-pem: \fI<file>
527 The public key certificate pem file for the tls service. Default is "",
530 .B ssl\-service\-pem: \fI<file>
531 Alternate syntax for \fBtls\-service\-pem\fR.
533 .B tls\-port: \fI<number>
534 The port number on which to provide TCP TLS service, default 853, only
537 .B ssl\-port: \fI<number>
538 Alternate syntax for \fBtls\-port\fR.
540 .B tls\-cert\-bundle: \fI<file>
542 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
543 for authenticating connections made to outside peers. For example auth\-zone
547 .B ssl\-cert\-bundle: \fI<file>
548 Alternate syntax for \fBtls\-cert\-bundle\fR.
550 .B tls\-win\-cert: \fI<yes or no>
552 If no cert bundle, it uses only these certificates. Default is no.
554 the tls\-cert\-bundle option on other systems.
556 .B tls\-additional\-port: \fI<portnr>
557 List portnumbers as tls\-additional\-port, and when interfaces are defined,
559 service. Can list multiple, each on a new statement.
561 .B tls-session-ticket-keys: \fI<file>
574 .B tls\-ciphers: \fI<string with cipher list>
576 and that is the default.
578 .B tls\-ciphersuites: \fI<string with ciphersuites list>
580 TLS 1.3 connections. Use "" for defaults, and that is the default.
582 .B pad\-responses: \fI<yes or no>
585 \fBpad\-responses\-block\-size\fR.
586 Default is yes.
588 .B pad\-responses\-block\-size: \fI<number>
591 Default is 468.
593 .B pad\-queries: \fI<yes or no>
595 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
596 Default is yes.
598 .B pad\-queries\-block\-size: \fI<number>
600 Default is 128.
602 .B tls\-use\-sni: \fI<yes or no>
603 Enable or disable sending the SNI extension on TLS connections.
604 Default is yes.
607 .B https\-port: \fI<number>
608 The port number on which to provide DNS-over-HTTPS service, default 443, only
611 .B http\-endpoint: \fI<endpoint string>
612 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
614 .B http\-max\-streams: \fI<number of streams>
616 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
618 .B http\-query\-buffer\-size: \fI<size in bytes>
621 An RST_STREAM frame will be sent to streams exceeding this limit. Default is 4
625 .B http\-response\-buffer\-size: \fI<size in bytes>
628 An RST_STREAM frame will be sent to streams exceeding this limit. Default is 4
632 .B http\-nodelay: \fI<yes or no>
633 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
634 Ignored if the option is not available. Default is yes.
636 .B http\-notls\-downstream: \fI<yes or no>
637 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
638 local back end servers. Default is no.
640 .B use\-systemd: \fI<yes or no>
642 Default is no.
644 .B do\-daemonize: \fI<yes or no>
647 Default is yes.
649 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
654 .B access\-control: \fI<IP netblock> <action>
660 The order of the access\-control statements therefore does not matter.
672 local\-data that is configured. The reason is that this does not involve
694 By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
695 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
700 only allowed to query for the authoritative local\-data, they are not
705 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
706 Assign tags to access-control elements. Clients using this access control
708 defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
709 spaces between tags. If access\-control\-tag is configured for a netblock that
710 does not have an access\-control, an access\-control element with action
713 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
716 between access\-control\-tag and local\-zone\-tag where "first" comes from the
717 order of the define-tag values.
719 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
722 .B access\-control\-view: \fI<IP netblock> <view name>
748 If given a chroot is done to the given directory. By default chroot is
749 enabled and the default is "@UNBOUND_CHROOT_DIR@". If you give "" no
753 If given, after binding the port the user privileges are dropped. Default is
762 Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
774 If this option is given, the use\-syslog option is set to "no".
775 The logfile is reopened (for append) when the config file is reread, on
778 .B use\-syslog: \fI<yes or no>
782 The logfile setting is overridden when use\-syslog is turned on.
783 The default is to log to syslog.
785 .B log\-identity: \fI<string>
786 If "" is given (default), then the name of the executable, usually "unbound"
788 with that, which is useful on systems that run more than one instance of
792 .B log\-time\-ascii: \fI<yes or no>
793 Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
797 .B log\-queries: \fI<yes or no>
799 name, type and class. Default is no. Note that it takes time to print these
803 .B log\-replies: \fI<yes or no>
806 Default is no. Note that it takes time to print these
810 .B log\-tag\-queryreply: \fI<yes or no>
811 Prints the word 'query' and 'reply' with log\-queries and log\-replies.
812 This makes filtering logs easier. The default is off (for backwards
815 .B log\-local\-actions: \fI<yes or no>
817 local\-zone type inform prints out, but they are also printed for the other
820 .B log\-servfail: \fI<yes or no>
826 The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
829 kill \-HUP `cat @UNBOUND_PIDFILE@`
833 kill \-TERM `cat @UNBOUND_PIDFILE@`
837 .B root\-hints: \fI<filename>
838 Read the root hints from this file. Default is nothing, using builtin hints
840 nameserver names and addresses only. The default may become outdated,
841 when servers change, therefore it is good practice to use a root\-hints file.
843 .B hide\-identity: \fI<yes or no>
847 Set the identity to report. If set to "", the default, then the hostname
850 .B hide\-version: \fI<yes or no>
854 Set the version to report. If set to "", the default, then the package
857 .B hide\-http\-user\-agent: \fI<yes or no>
858 If enabled the HTTP header User-Agent is not set. Use with caution as some
861 .B http\-user\-agent
864 .B http\-user\-agent: \fI<string>
865 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
866 the default, then the package name and version are used.
873 .B hide\-trustanchor: \fI<yes or no>
876 .B target\-fetch\-policy: \fI<"list of numbers">
883 A value of \-1 means to fetch all targets opportunistically for that dependency
884 depth. A value of 0 means to fetch on demand only. A positive value fetches
888 The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
889 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
892 .B harden\-short\-bufsize: \fI<yes or no>
893 Very small EDNS buffer sizes from queries are ignored. Default is on, as
896 .B harden\-large\-queries: \fI<yes or no>
897 Very large queries are ignored. Default is off, since it is legal protocol
901 .B harden\-glue: \fI<yes or no>
902 Will trust glue only if it is within the server's authority. Default is yes.
904 .B harden\-dnssec\-stripped: \fI<yes or no>
905 Require DNSSEC data for trust\-anchored zones, if such data is absent,
912 downgrade attack that disables security for a zone. Default is yes.
914 .B harden\-below\-nxdomain: \fI<yes or no>
921 this only DNSSEC-secure nxdomains are used, because the old software does not
922 have DNSSEC. Default is yes.
925 .B harden\-referral\-path: \fI<yes or no>
928 and the zones are signed. This enforces DNSSEC validation on nameserver
929 NS sets and the nameserver addresses that are encountered on the referral
931 Default no, because it burdens the authority servers, and it is
934 If you enable it consider adding more numbers after the target\-fetch\-policy
937 .B harden\-algo\-downgrade: \fI<yes or no>
940 validate the zone. Default is no. Zone signers must produce zones
944 .B use\-caps\-for\-id: \fI<yes or no>
945 Use 0x20\-encoded random bits in the query to foil spoof attempts.
948 Disabled by default.
949 This feature is an experimental implementation of draft dns\-0x20.
951 .B caps\-exempt: \fI<domain>
952 Exempt the domain so that it does not receive caps\-for\-id perturbed
957 .B caps\-whitelist: \fI<yes or no>
958 Alternate syntax for \fBcaps\-exempt\fR.
960 .B qname\-minimisation: \fI<yes or no>
965 NXDOMAIN from a DNSSEC signed zone. Default is yes.
967 .B qname\-minimisation\-strict: \fI<yes or no>
968 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
971 This option only has effect when qname-minimisation is enabled. Default is no.
973 .B aggressive\-nsec: \fI<yes or no>
976 Default is yes. It helps to reduce the query rate towards targets that get
979 .B private\-address: \fI<IP address or subnet>
984 answers bogus. This protects against so\-called DNS Rebinding, where
987 can be allowed to contain your private addresses, by default all the
988 \fBlocal\-data\fR that you configured is allowed to, and you can specify
989 additional names using \fBprivate\-domain\fR. No private addresses are
990 enabled by default. We are considering enabling this for the RFC1918 private
991 IP address space by default in later releases. That would enable private
994 should not be visible on the public internet. Turning on 127.0.0.0/8
996 stops IPv4-mapped IPv6 addresses from bypassing the filter.
998 .B private\-domain: \fI<domain name>
1001 addresses. Default is none.
1003 .B unwanted\-reply\-threshold: \fI<number>
1008 is suggested. Default is 0 (turned off).
1010 .B do\-not\-query\-address: \fI<IP address>
1015 .B do\-not\-query\-localhost: \fI<yes or no>
1016 If yes, localhost is added to the do\-not\-query\-address entries, both
1018 queries to. Default is yes.
1022 keep the cache up to date. Default is no. Turning it on gives about
1023 10 percent more traffic and load on the machine, but popular items do
1026 .B prefetch\-key: \fI<yes or no>
1029 a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
1031 .B deny\-any: \fI<yes or no>
1032 If yes, deny queries of type ANY with an empty response. Default is no.
1037 .B rrset\-roundrobin: \fI<yes or no>
1039 from the query ID, for speed and thread safety). Default is yes.
1041 .B minimal-responses: \fI<yes or no>
1045 This may cause a slight speedup. The default is yes, even though the DNS
1051 .B disable-dnssec-lame-check: \fI<yes or no>
1058 .B module\-config: \fI<"module names">
1062 Setting this to just "\fIiterator\fR" will result in a non\-validating
1064 Setting this to "\fIvalidator iterator\fR" will turn on DNSSEC validation.
1067 You must also set \fItrust\-anchors\fR for validation to be useful.
1068 Adding \fIrespip\fR to the front will cause RPZ processing to be done on
1070 The default is "\fIvalidator iterator\fR".
1073 EDNS client subnet support the default is "\fIsubnetcache validator
1083 .B trust\-anchor\-file: \fI<filename>
1086 Default is "", or no trust anchor file.
1088 .B auto\-trust\-anchor\-file: \fI<filename>
1092 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1098 .B trust\-anchor: \fI<"Resource Record">
1100 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1102 them, the same format as in the zone file. Has to be on a single line, with
1104 A class can be specified, but class IN is default.
1106 .B trusted\-keys\-file: \fI<filename>
1108 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1109 but has a different file format. Format is BIND\-9 style format,
1110 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1112 expanded on start and on reload.
1114 .B trust\-anchor\-signaling: \fI<yes or no>
1115 Send RFC8145 key tag query after trust anchor priming. Default is yes.
1117 .B root\-key\-sentinel: \fI<yes or no>
1118 Root key trust anchor sentinel. Default is yes.
1120 .B domain\-insecure: \fI<domain name>
1133 .B val\-override\-date: \fI<rrsig\-style date spec>
1134 Default is "" or "0", which disables this debugging feature. If enabled by
1137 you are debugging signature inception and expiration. The value \-1 ignores
1140 .B val\-sig\-skew\-min: \fI<seconds>
1142 A value of 10% of the signature lifetime (expiration \- inception) is
1143 used, capped by this setting. Default is 3600 (1 hour) which allows for
1147 .B val\-sig\-skew\-max: \fI<seconds>
1149 A value of 10% of the signature lifetime (expiration \- inception)
1150 is used, capped by this setting. Default is 86400 (24 hours) which
1156 .B val\-max\-restart: \fI<number>
1158 another authority in case of failed validation. Default is 5.
1160 .B val\-bogus\-ttl: \fI<number>
1163 trusted, and this value is used instead. The value is in seconds, default 60.
1166 .B val\-clean\-additional: \fI<yes or no>
1169 indeterminate or unchecked are not affected. Default is yes. Use this setting
1170 to protect the users that rely on this validator for authentication from
1173 .B val\-log\-level: \fI<number>
1175 the verbosity setting. Default is 0, off. At 1, for every user query
1182 .B val\-permissive\-mode: \fI<yes or no>
1188 The default value is "no".
1190 .B ignore\-cd\-flag: \fI<yes or no>
1196 The default value is "no".
1198 .B serve\-expired: \fI<yes or no>
1200 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
1202 later on. Default is "no".
1204 .B serve\-expired\-ttl: \fI<seconds>
1206 disables the limit. This option only applies when \fBserve\-expired\fR is
1208 86400 (1 day) and 259200 (3 days). The default is 0.
1210 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1211 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1213 expired records will be served as long as there are queries for it. Default is
1216 .B serve\-expired\-reply\-ttl: \fI<seconds>
1218 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1219 use 30 as the value (RFC 8767). The default is 30.
1221 .B serve\-expired\-client\-timeout: \fI<msec>
1223 essentially enables the serve-stale behavior as specified in
1227 behavior. Default is 0.
1229 .B serve\-original\-ttl: \fI<yes or no>
1233 front-end to a hidden authoritative name server. Enabling this feature does
1238 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1240 Default is "no".
1242 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1244 by quotes. Default is "1024 150 2048 150 4096 150". This determines the
1251 .B zonemd\-permissive\-mode: \fI<yes or no>
1255 disrupting service. Default is no.
1257 .B add\-holddown: \fI<seconds>
1258 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1260 visible for this time. Default is 30 days as per the RFC.
1262 .B del\-holddown: \fI<seconds>
1263 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1265 kept in the revoked list for this long. Default is 30 days as per
1268 .B keep\-missing: \fI<seconds>
1269 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1273 mechanism work with zones that perform regular (non\-5011) rollovers.
1274 The default is 366 days. The value 0 does not remove missing anchors,
1277 .B permit\-small\-holddown: \fI<yes or no>
1279 very small values. Default is no.
1281 .B key\-cache\-size: \fI<number>
1282 Number of bytes size of the key cache. Default is 4 megabytes.
1286 .B key\-cache\-slabs: \fI<number>
1291 .B neg\-cache\-size: \fI<number>
1292 Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
1296 .B unblock\-lan\-zones: \fI<yes or no>
1297 Default is disabled. If enabled, then for private address space,
1299 running as dns service on a host where it provides service for that host,
1302 with default local zones. Disable the option when Unbound is running
1303 as a (DHCP-) DNS network resolver for a group of machines, where such
1307 .B insecure\-lan\-zones: \fI<yes or no>
1308 Default is disabled. If enabled, then reverse lookups in private
1310 \fIunblock\-lan\-zones\fR is used.
1312 .B local\-zone: \fI<zone> <type>
1314 there is no match from local\-data. The types are deny, refuse, static,
1317 and are explained below. After that the default settings are listed. Use
1318 local\-data: to enter data into the local zone. Answers for local zones
1319 are authoritative DNS answers. By default the zones are class IN.
1322 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1337 as local\-data for the zone apex domain.
1344 If no local\-zone is given local\-data causes a transparent zone
1345 to be created by default.
1361 local\-zone: "example.com." redirect and
1362 local\-data: "example.com. A 127.0.0.1"
1369 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1371 looking up infected names are logged, eg. to run antivirus on them.
1409 Used to turn off default contents for AS112 zones. The other types
1410 also turn off default contents for the zone. The 'nodefault' option
1411 has no other effect than turning off default contents for the
1415 The default zones are localhost, reverse 127.0.0.1 and ::1, the home.arpa,
1419 default to give nxdomain (no reverse information) answers. The defaults
1420 can be turned off by specifying your own local\-zone of that name, or
1421 using the 'nodefault' type. Below is a list of the default zone contents.
1425 for completeness and to satisfy some DNS update tools. Default content:
1427 local\-zone: "localhost." redirect
1428 local\-data: "localhost. 10800 IN NS localhost."
1429 local\-data: "localhost. 10800 IN
1431 local\-data: "localhost. 10800 IN A 127.0.0.1"
1432 local\-data: "localhost. 10800 IN AAAA ::1"
1436 Default content:
1438 local\-zone: "127.in\-addr.arpa." static
1439 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1440 local\-data: "127.in\-addr.arpa. 10800 IN
1442 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1447 Default content:
1449 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1451 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1454 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1457 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1463 Default content:
1465 local\-zone: "home.arpa." static
1466 local\-data: "home.arpa. 10800 IN NS localhost."
1467 local\-data: "home.arpa. 10800 IN
1472 Default content:
1474 local\-zone: "onion." static
1475 local\-data: "onion. 10800 IN NS localhost."
1476 local\-data: "onion. 10800 IN
1481 Default content:
1483 local\-zone: "test." static
1484 local\-data: "test. 10800 IN NS localhost."
1485 local\-data: "test. 10800 IN
1490 Default content:
1492 local\-zone: "invalid." static
1493 local\-data: "invalid. 10800 IN NS localhost."
1494 local\-data: "invalid. 10800 IN
1499 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1500 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1501 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1504 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1505 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1506 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1507 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1508 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1525 tutorials and examples. You can remove the block on this zone with:
1527 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1530 transparent with a local\-zone statement.
1531 This also works with the other default zones.
1532 .\" End of local-zone listing.
1534 .B local\-data: \fI"<resource record string>"
1536 The query has to match exactly unless you configure the local\-zone as
1537 redirect. If not matched exactly, the local\-zone type determines
1538 further processing. If local\-data is configured that is not a subdomain of
1539 a local\-zone, a transparent local\-zone is configured.
1541 local\-data: 'example. TXT "text"'.
1544 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1547 .B local\-data\-ptr: \fI"IPaddr name"
1552 .B local\-zone\-tag: \fI<zone> <"list of tags">
1554 used access-control element has a matching tag. Tags must be defined in
1555 \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
1557 list of tags for the query and local\-zone\-tag is non-empty.
1559 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1561 Use this localzone type, regardless of the type configured for the local-zone
1563 access\-control\-tag\-action.
1565 .B response\-ip: \fI<IP-netblock> <action>
1572 \fIaccess-control-tag-action\fR, but there are some exceptions.
1574 Actions for \fIresponse-ip\fR are different from those for
1575 \fIlocal-zone\fR in that in case of the former there is no point of
1577 Because of this difference, the semantics of \fIresponse-ip\fR actions
1580 invalid for \fIresponse-ip\fR.
1582 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1587 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1590 This specifies the action data for \fIresponse-ip\fR with action being
1592 record string" is similar to that of \fIaccess-control-tag-action\fR,
1594 If the IP-netblock is an IPv6/IPv4 prefix, the record
1597 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1599 IP-netblock, following the normal rules for CNAME records.
1604 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1607 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1609 IP-netblock, the specified tags are assigned to the IP address.
1610 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1612 \fIaccess-control-tag-action\fR will apply.
1613 The tag matching rule is the same as that for \fIaccess-control-tag\fR and
1614 \fIlocal-zones\fR.
1615 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1616 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1618 If multiple \fIresponse-ip-tag\fR options are specified for the same
1619 IP-netblock in different statements, all but the first will be
1625 \fIaccess-control-tag-action\fR that has a matching tag with
1626 \fIresponse-ip-tag\fR can be those that are "invalid" for
1627 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1629 For these actions, if they behave differently depending on whether
1631 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1632 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1633 specific, and non-existence of data does not indicate anything about
1634 the existence or non-existence of the qname itself.
1636 no data for the corresponding \fIresponse-ip\fR configuration, then
1643 If 0, the default, it is disabled. This option is experimental at this time.
1654 .B ratelimit\-size: \fI<memory size>
1656 kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
1660 .B ratelimit\-slabs: \fI<number>
1665 .B ratelimit\-factor: \fI<number>
1669 to complete. Default is 10, allowing 1/10 traffic to flow normally.
1674 .B ratelimit\-backoff: \fI<yes or no>
1675 If enabled, the ratelimit is treated as a hard failure instead of the default
1678 window. No traffic is allowed, except for ratelimit\-factor, until demand
1681 traffic. Default is off.
1683 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1686 a top\-level\-domain you may want to have a higher limit than other names.
1689 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1694 is not changed, use ratelimit\-for\-domain to set that, you might want
1695 to use different settings for a top\-level\-domain and subdomains.
1698 .B ip\-ratelimit: \fI<number or 0>
1700 If 0, the default, it is disabled. This option is experimental at this time.
1706 .B ip\-ratelimit\-size: \fI<memory size>
1708 kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
1712 .B ip\-ratelimit\-slabs: \fI<number>
1717 .B ip\-ratelimit\-factor: \fI<number>
1721 to complete. Default is 10, allowing 1/10 traffic to flow normally.
1726 .B ip\-ratelimit\-backoff: \fI<yes or no>
1727 If enabled, the ratelimit is treated as a hard failure instead of the default
1730 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1732 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1733 traffic. Default is off.
1735 .B outbound\-msg\-retry: \fI<number>
1740 .B fast\-server\-permil: \fI<number>
1744 servers for the remaining time. When prefetch is enabled (or serve\-expired),
1747 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
1748 servers set. The default for fast\-server\-permil is 0.
1750 .B fast\-server\-num: \fI<number>
1752 use the fastest specified number of servers with the fast\-server\-permil
1753 option, which turns this on or off. The default is to use the fastest 3 servers.
1755 .B edns\-client\-string: \fI<IP netblock> <string>
1760 .B edns\-client\-string\-opcode: \fI<opcode>
1761 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
1762 A value from the `Reserved for Local/Experimental` range (65001-65534) should
1763 be used. Default is 65001.
1766 .B remote\-control:
1768 enabled, the \fIunbound\-control\fR(8) utility can be used to send
1771 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
1772 section for options. To set up the correct self\-signed certificates use the
1773 \fIunbound\-control\-setup\fR(8) utility.
1775 .B control\-enable: \fI<yes or no>
1776 The option is used to enable remote control, default is "no".
1779 .B control\-interface: \fI<ip address or path>
1780 Give IPv4 or IPv6 addresses or local socket path to listen on for
1782 By default localhost (127.0.0.1 and ::1) is listened to.
1789 To restrict access, Unbound sets permissions on the file to the user and
1795 .B control\-port: \fI<port number>
1796 The port number to listen on for IPv4 or IPv6 control interfaces,
1797 default is 8953.
1801 .B control\-use\-cert: \fI<yes or no>
1802 For localhost control-interface you can disable the use of TLS by setting
1803 this option to "no", default is "yes". For local sockets, TLS is disabled
1806 .B server\-key\-file: \fI<private key file>
1807 Path to the server private key, by default unbound_server.key.
1808 This file is generated by the \fIunbound\-control\-setup\fR utility.
1809 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
1811 .B server\-cert\-file: \fI<certificate file.pem>
1812 Path to the server self\-signed certificate, by default unbound_server.pem.
1813 This file is generated by the \fIunbound\-control\-setup\fR utility.
1814 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
1816 .B control\-key\-file: \fI<private key file>
1817 Path to the control client private key, by default unbound_control.key.
1818 This file is generated by the \fIunbound\-control\-setup\fR utility.
1819 This file is used by \fIunbound\-control\fR.
1821 .B control\-cert\-file: \fI<certificate file.pem>
1822 Path to the control client certificate, by default unbound_control.pem.
1824 This file is generated by the \fIunbound\-control\-setup\fR utility.
1825 This file is used by \fIunbound\-control\fR.
1829 .B stub\-zone:
1837 This is useful for company\-local data or private zones. Set up an
1838 authoritative server on a different host (or different port). Enter a config
1840 .B stub\-addr:
1848 bit on replies for the private zone (authoritative servers do not set the
1851 ('authoritative') bit is not set on these replies.
1853 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
1854 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
1857 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
1862 .B stub\-host: \fI<domain name>
1867 and '#', the '@' comes first. If only '#' is used the default port is the
1868 configured tls\-port.
1870 .B stub\-addr: \fI<IP address>
1875 and '#', the '@' comes first. If only '#' is used the default port is the
1876 configured tls\-port.
1878 .B stub\-prime: \fI<yes or no>
1879 This option is by default no. If enabled it performs NS set priming,
1884 .B stub\-first: \fI<yes or no>
1888 The default is no.
1890 .B stub\-tls\-upstream: \fI<yes or no>
1892 Default is no.
1894 .B stub\-ssl\-upstream: \fI<yes or no>
1895 Alternate syntax for \fBstub\-tls\-upstream\fR.
1897 .B stub\-tcp\-upstream: \fI<yes or no>
1898 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
1899 Default is no.
1901 .B stub\-no\-cache: \fI<yes or no>
1902 Default is no. If enabled, data inside the stub is not cached. This is
1907 .B forward\-zone:
1910 forward the queries to. The servers listed as \fBforward\-host:\fR and
1911 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1918 A forward\-zone entry with name "." and a forward\-addr target will
1925 .B forward\-host: \fI<domain name>
1930 and '#', the '@' comes first. If only '#' is used the default port is the
1931 configured tls\-port.
1933 .B forward\-addr: \fI<IP address>
1938 and '#', the '@' comes first. If only '#' is used the default port is the
1939 configured tls\-port.
1942 If you leave out the '#' and auth name from the forward\-addr, any
1943 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
1945 .B forward\-first: \fI<yes or no>
1948 query as if no query forwarding had been specified. The default is "no".
1950 .B forward\-tls\-upstream: \fI<yes or no>
1952 Default is no.
1953 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
1956 .B forward\-ssl\-upstream: \fI<yes or no>
1957 Alternate syntax for \fBforward\-tls\-upstream\fR.
1959 .B forward\-tcp\-upstream: \fI<yes or no>
1960 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
1961 Default is no.
1963 .B forward\-no\-cache: \fI<yes or no>
1964 Default is no. If enabled, data inside the forward is not cached. This is
1968 Authority zones are configured with \fBauth\-zone:\fR, and each one must
1969 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with …
1971 Authority zones are processed after \fBlocal\-zones\fR and before
1972 cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
1975 information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
2004 IP address to avoid a circular dependency on retrieving that IP address.
2017 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2021 use a plain IP address to avoid a circular dependency on retrieving that IP
2022 address. Avoid dependencies on name lookups by using a notation like
2023 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2025 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2026 With allow\-notify you can specify additional sources of notifies.
2031 allowed notify by default.
2033 .B fallback\-enabled: \fI<yes or no>
2034 Default no. If enabled, Unbound falls back to querying the internet as
2038 .B for\-downstream: \fI<yes or no>
2039 Default yes. If enabled, Unbound serves authority responses to
2043 zone but have a local copy of zone data. If for\-downstream is no and
2044 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2048 .B for\-upstream: \fI<yes or no>
2049 Default yes. If enabled, Unbound fetches data from this data collection
2052 the zone data. Turn it on when you want Unbound to provide recursion for
2055 .B zonemd\-check: \fI<yes or no>
2056 Enable this option to check ZONEMD records in the zone. Default is disabled.
2061 .B zonemd\-reject\-absence: \fI<yes or no>
2066 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2067 log only or also block the zone. The default is no.
2082 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2083 \fBlocal\-data\fR elements. Views can also contain view\-first,
2084 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2086 view name in an \fBaccess\-control\-view\fR element. Options from matching
2091 Name of the view. Must be unique. This name is used in access\-control\-view
2094 .B local\-zone: \fI<zone> <type>
2095 View specific local\-zone elements. Has the same types and behaviour as the
2096 global local\-zone elements. When there is at least one local\-zone specified
2097 and view\-first is no, the default local-zones will be added to this view.
2098 Defaults can be disabled using the nodefault type. When view\-first is yes or
2099 when a view does not have a local\-zone, the global local\-zone will be used
2100 including its default zones.
2102 .B local\-data: \fI"<resource record string>"
2103 View specific local\-data elements. Has the same behaviour as the global
2104 local\-data elements.
2106 .B local\-data\-ptr: \fI"IPaddr name"
2107 View specific local\-data\-ptr elements. Has the same behaviour as the global
2108 local\-data\-ptr elements.
2110 .B view\-first: \fI<yes or no>
2111 If enabled, it attempts to use the global local\-zone and local\-data if there
2113 The default is no.
2119 acts like the iterator and validator modules do, on queries and answers.
2121 and the word "python" has to be put in the \fBmodule\-config:\fR option
2127 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2131 .B python\-script: \fI<python file>\fR
2133 added to the \fBmodule\-config:\fR option.
2139 a very small wrapper that allows dynamic modules to be loaded on runtime
2142 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2145 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2149 .B dynlib\-file: \fI<dynlib file>\fR
2151 instance added to the \fBmodule\-config:\fR option.
2154 The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
2158 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2160 It must be /96 or shorter. The default prefix is 64:ff9b::/96.
2162 .B dns64\-synthall: \fI<yes or no>\fR
2163 Debug option, default no. If enabled, synthesize all AAAA records
2166 .B dns64\-ignore\-aaaa: \fI<name>\fR
2177 \fB\-\-enable\-dnscrypt\fR.
2179 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2180 dnscrypt-wrapper/blob/master/README.md#usage
2182 .B dnscrypt\-enable: \fI<yes or no>\fR
2185 The default is no.
2187 .B dnscrypt\-port: \fI<port number>
2192 .B dnscrypt\-provider: \fI<provider name>\fR
2194 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2196 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2200 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2201 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2204 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2206 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2212 servers using anycast and on which the configuration may not get updated at the
2217 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2219 in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
2223 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2228 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2230 Default 4m. In bytes or use m(mega), k(kilo), g(giga).
2234 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2240 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
2252 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2254 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2257 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2258 configuration file. On top of that, for each query only 100 different subnets
2262 .B send\-client\-subnet: \fI<IP address>\fR
2265 be given multiple times. Authorities not listed will not receive edns-subnet
2266 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2268 .B client\-subnet\-zone: \fI<domain>\fR
2270 given multiple times. Zones not listed will not receive edns-subnet information,
2271 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2273 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2275 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2280 Default is no.
2282 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2286 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2290 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2293 of 0 is always accepted. Default is 0.
2295 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2298 of 0 is always accepted. Default is 0.
2300 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2304 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2309 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
2311 \fB\-\-enable\-ipsecmod\fR to be enabled.
2335 \fBipsecmod-max-ttl\fR.
2339 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2342 .B ipsecmod-enabled: \fI<yes or no>\fR
2344 needs to be defined in the \fBmodule\-config:\fR directive. This option
2345 facilitates turning on/off the module without restarting/reloading Unbound.
2348 .B ipsecmod\-hook: \fI<filename>\fR
2352 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2355 .B ipsecmod-strict: \fI<yes or no>\fR
2360 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2364 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2370 .B ipsecmod\-allow: \fI<domain>\fR
2373 not specified, all domains are treated as being allowed (default).
2375 .B ipsecmod\-whitelist: \fI<yes or no>
2376 Alternate syntax for \fBipsecmod\-allow\fR.
2379 The Cache DB module must be configured in the \fBmodule\-config:\fR
2381 with \fB\-\-enable\-cachedb\fR.
2384 When Unbound cannot find an answer to a query in its built-in in-memory
2391 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2393 of \fBserve\-expired\-client\-timeout:\fR and
2394 \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
2399 \fB\-\-with\-libhiredis\fR
2409 preferably with some kind of least-recently-used eviction policy.
2410 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2416 based on the assumption that the communication is stable and sufficiently
2434 The default database is the in-memory backend named "testframe", which,
2436 Depending on the build-time configuration, "redis" backend may also be
2439 .B secret-seed: \fI<"secret string">\fR
2446 This option defaults to "default".
2452 .B redis-server-host: \fI<server address or name>\fR
2459 .B redis-server-port: \fI<port number>\fR
2463 .B redis-timeout: \fI<msec>\fR
2467 re-establish a new connection later.
2470 .B redis-expire-records: \fI<yes or no>
2473 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2478 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2482 threading it does not spawn a thread, but connects per-process to the
2485 .B dnstap-enable: \fI<yes or no>
2486 If dnstap is enabled. Default no. If yes, it connects to the dnstap server
2487 and if any of the dnstap-log-..-messages options is enabled it sends logs
2490 .B dnstap-bidirectional: \fI<yes or no>
2491 Use frame streams in bidirectional mode to transfer DNSTAP messages. Default is
2494 .B dnstap-socket-path: \fI<file name>
2496 listening on that socket. Default is "@DNSTAP_SOCKET_PATH@".
2498 .B dnstap-ip: \fI<IPaddress[@port]>
2502 .B dnstap-tls: \fI<yes or no>
2503 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2504 The default is yes. If set to no, TCP is used to connect to the server.
2506 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2507 …o authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If "" it is ignored, defa…
2509 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
2511 server default cert bundle is used, or the windows cert bundle on windows.
2512 Default is "".
2514 .B dnstap-tls-client-key-file: \fI<file name>
2516 authentication is not used. Default is "".
2518 .B dnstap-tls-client-cert-file: \fI<file name>
2519 The client cert file for TLS client authentication. Default is "".
2521 .B dnstap-send-identity: \fI<yes or no>
2523 Default is no.
2525 .B dnstap-send-version: \fI<yes or no>
2527 Default is no.
2529 .B dnstap-identity: \fI<string>
2531 Default is "".
2533 .B dnstap-version: \fI<string>
2535 Default is "".
2537 .B dnstap-log-resolver-query-messages: \fI<yes or no>
2538 Enable to log resolver query messages. Default is no.
2541 .B dnstap-log-resolver-response-messages: \fI<yes or no>
2542 Enable to log resolver response messages. Default is no.
2545 .B dnstap-log-client-query-messages: \fI<yes or no>
2546 Enable to log client query messages. Default is no.
2549 .B dnstap-log-client-response-messages: \fI<yes or no>
2550 Enable to log client response messages. Default is no.
2553 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
2554 Enable to log forwarder query messages. Default is no.
2556 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
2557 Enable to log forwarder response messages. Default is no.
2563 \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
2564 \fBmodule-config: "respip validator iterator"\fR.
2567 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
2568 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
2569 before \fBauth\-zones\fR.
2572 the zone are entries, that specify what to act on (the trigger) and what to
2573 do (the action). The trigger to act on is recorded in the name, the action
2583 The triggers are encoded in the name on the left
2586 netblock.rpz-client-ip client IP address
2587 netblock.rpz-ip response IP address in the answer
2588 name.rpz-nsdname nameserver name
2589 netblock.rpz-nsip nameserver IP address
2593 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
2594 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2596 The actions are specified with the record on the right
2600 CNAME rpz-passthru. do nothing, allow to continue
2601 CNAME rpz-drop. the query is dropped
2602 CNAME rpz-tcp-only. answer over TCP
2605 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
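As an added example (not code from the Unbound manual or the Unbound project), the following decodes the netblock triggers and record-side actions described above and applies the rpz-ip triggers to a response address, longest prefix first. The zone name rpz.example. and the record list are constructed for the demonstration; the "CNAME ." to NXDOMAIN and "CNAME *." to NODATA mappings are the standard RPZ convention and are assumed here rather than taken from the lines shown.

```python
import ipaddress

# Trigger suffixes from the manual that carry a netblock encoded in the
# owner name as <prefix>.<reversed address labels>.<trigger>
NETBLOCK_TRIGGERS = ("rpz-client-ip", "rpz-ip", "rpz-nsip")

# Record-side actions. rpz-passthru/rpz-drop/rpz-tcp-only are the CNAME
# targets listed in the manual; "." -> NXDOMAIN and "*." -> NODATA are the
# standard RPZ convention (assumed, not shown in the excerpt above).
CNAME_ACTIONS = {
    "": "nxdomain",
    "*": "nodata",
    "rpz-passthru": "passthru",
    "rpz-drop": "drop",
    "rpz-tcp-only": "tcp-only",
}


def decode_rpz_netblock(owner, zone):
    """24.10.100.51.198.rpz-ip.<zone> -> ("rpz-ip", 198.51.100.10/24).
    IPv4 labels are reversed octets; IPv6 labels are reversed hex words
    with "zz" standing in for "::"."""
    owner = owner.rstrip(".").lower()
    zone = zone.strip(".").lower()
    if zone:
        if not owner.endswith("." + zone):
            raise ValueError(f"{owner} is not inside zone {zone}")
        owner = owner[: -len(zone) - 1]
    labels = owner.split(".")
    if len(labels) < 3 or labels[-1] not in NETBLOCK_TRIGGERS:
        raise ValueError(f"{owner} is not a netblock trigger")
    trigger = labels[-1]
    prefix = int(labels[0])
    parts = labels[1:-1][::-1]  # undo the reversed label order
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        addr = ".".join(parts)  # IPv4: four decimal octets
    else:
        words = ["" if w == "zz" else w for w in parts]
        addr = ":".join(words)
        if words[0] == "":  # "zz" at either end needs one more ":"
            addr = ":" + addr  # so the result spells out "::"
        if words[-1] == "":
            addr += ":"
    return trigger, ipaddress.ip_interface(f"{addr}/{prefix}")


def decode_rpz_action(rdata):
    """Map the record on the right ("CNAME rpz-drop.", "A 127.0.0.1", ...)
    to its action name."""
    rtype, _, target = rdata.strip().partition(" ")
    if rtype.upper() != "CNAME":
        return "localdata"  # A/AAAA/TXT/... data substituted into the answer
    return CNAME_ACTIONS.get(target.lower().rstrip("."), "localdata")


def rpz_ip_action(response_ip, records, zone):
    """Action of the most specific rpz-ip trigger covering response_ip,
    or None when no trigger matches (the answer passes unchanged)."""
    ip = ipaddress.ip_address(response_ip)
    best = None
    for owner, rdata in records:
        try:
            trigger, iface = decode_rpz_netblock(owner, zone)
        except ValueError:
            continue  # QNAME/NSDNAME triggers and other records: skip
        net = iface.network
        if trigger != "rpz-ip" or ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, decode_rpz_action(rdata))
    return None if best is None else best[1]


# Constructed sample zone; the two encoded names are the manual's examples.
RPZ_ZONE = "rpz.example."
RPZ_RECORDS = [
    ("24.10.100.51.198.rpz-ip.rpz.example.", "CNAME rpz-drop."),
    ("32.99.100.51.198.rpz-ip.rpz.example.", "CNAME rpz-passthru."),
    ("32.10.zz.db8.2001.rpz-ip.rpz.example.", "CNAME ."),
    ("bad.example.rpz.example.", "CNAME ."),  # QNAME trigger, not rpz-ip
]
```

With these records, 198.51.100.10 is dropped, 198.51.100.99 passes because the /32 entry is more specific than the /24, and any 2001:db8::/32 answer becomes NXDOMAIN.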
2624 IP address to avoid a circular dependency on retrieving that IP address.
2637 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2640 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2641 With allow\-notify you can specify additional sources of notifies.
2646 allowed notify by default.
2653 .B rpz\-action\-override: \fI<action>
2657 .B rpz\-cname\-override: \fI<domain>
2659 \fBrpz\-action\-override\fR.
2661 .B rpz\-log: \fI<yes or no>
2662 Log all applied RPZ actions for this RPZ zone. Default is no.
2664 .B rpz\-log\-name: \fI<name>
2667 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
2670 externally blocked. Default is no.
2672 .B for\-downstream: \fI<yes or no>
2676 the rpz information is up to date. Default is no.
2680 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
2681 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
2691 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
2696 num\-threads: 1
2697 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
2698 incoming\-num\-tcp: 1
2699 outgoing\-range: 60 # uses less memory, but less performance.
2700 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
2701 msg\-cache\-size: 100k
2702 msg\-cache\-slabs: 1
2703 rrset\-cache\-size: 100k
2704 rrset\-cache\-slabs: 1
2705 infra\-cache\-numhosts: 200
2706 infra\-cache\-slabs: 1
2707 key\-cache\-size: 100k
2708 key\-cache\-slabs: 1
2709 neg\-cache\-size: 10k
2710 num\-queries\-per\-thread: 30
2711 target\-fetch\-policy: "2 1 0 0 0 0"
2712 harden\-large\-queries: "yes"
2713 harden\-short\-bufsize: "yes"
2718 default Unbound working directory.
2721 default
2729 default Unbound pidfile with process ID of the running daemon.
2732 Unbound log file. default is to log to
2736 \fIunbound\-checkconf\fR(8).