Lines Matching +full:low +full:- +full:leakage
3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
82 .B include\-toplevel:
99 .B statistics\-interval: \fI<seconds>
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B num\-threads: \fI<number>
127 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
132 .B ip\-address: \fI<ip address[@port]>
135 .B interface\-automatic: \fI<yes or no>
138 ip\-transparent, but this option services all interfaces whilst with
139 ip\-transparent you can select which (future) interfaces Unbound provides
143 .B outgoing\-interface: \fI<ip address or ip6 netblock>
150 .B outgoing\-interface:
157 host running Unbound, and requires OS support for unprivileged non-local binds
160 .B outgoing\-interface:
163 .B prefer\-ip6: yes
167 ip \-6 addr add mynetblock/64 dev lo &&
168 ip \-6 route add local mynetblock/64 dev lo
170 .B outgoing\-range: \fI<number>
176 .B outgoing\-port\-permit: \fI<port number or range>
181 Give a port number or a range of the form "low\-high", without spaces.
183 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
189 .B outgoing\-port\-avoid: \fI<port number or range>
194 Give a port number or a range of the form "low\-high", without spaces.
196 .B outgoing\-num\-tcp: \fI<number>
198 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
201 .B incoming\-num\-tcp: \fI<number>
203 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
206 .B edns\-buffer\-size: \fI<number>
209 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
216 .B max\-udp\-size: \fI<number>
221 .B stream\-wait\-size: \fI<number>
231 .B msg\-buffer\-size: \fI<number>
238 .B msg\-cache\-size: \fI<number>
243 .B msg\-cache\-slabs: \fI<number>
248 .B num\-queries\-per\-thread: \fI<number>
251 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
255 .B jostle\-timeout: \fI<msec>
262 The effect is that the qps for long-lasting queries is about
268 .B delay\-close: \fI<msec>
272 closed ports and setting off all sorts of close-port counters, with
277 .B udp\-connect: \fI<yes or no>
278 Perform connect for UDP sockets that mitigates ICMP side channel leakage.
281 .B unknown\-server\-time\-limit: \fI<msec>
284 That would then avoid re\-querying every initial query because it times out.
287 .B so\-rcvbuf: \fI<number>
290 servers do not drop packets (see counter in netstat \-su). Default is
295 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
298 .B so\-sndbuf: \fI<number>
302 can get logged, the buffer overrun is also visible by netstat \-su.
307 to so\-rcvbuf.
309 .B so\-reuseport: \fI<yes or no>
321 .B ip\-transparent: \fI<yes or no>
324 non\-local interfaces. For example for non\-existent IP addresses that
326 a lot like interface\-automatic, but that one services all interfaces
332 .B ip\-freebind: \fI<yes or no>
337 ip\-transparent option is also available.
339 .B ip-dscp: \fI<number>
342 The field replaces the outdated IPv4 Type-Of-Service field and the
345 .B rrset\-cache\-size: \fI<number>
350 .B rrset\-cache\-slabs: \fI<number>
354 .B cache\-max\-ttl: \fI<seconds>
360 .B cache\-min\-ttl: \fI<seconds>
368 .B cache\-max\-negative\-ttl: \fI<seconds>
373 .B infra\-host\-ttl: \fI<seconds>
377 .B infra\-cache\-slabs: \fI<number>
381 .B infra\-cache\-numhosts: \fI<number>
384 .B infra\-cache\-min\-rtt: \fI<msec>
389 .B infra\-keep\-probing: \fI<yes or no>
393 it may take \fBinfra\-host\-ttl\fR time to get probed again.
395 .B define\-tag: \fI<"list of tags">
396 Define the tags that can be used with local\-zone and access\-control.
399 .B do\-ip4: \fI<yes or no>
402 .B do\-ip6: \fI<yes or no>
409 .B prefer\-ip4: \fI<yes or no>
416 .B prefer\-ip6: \fI<yes or no>
420 .B do\-udp: \fI<yes or no>
423 .B do\-tcp: \fI<yes or no>
426 .B tcp\-mss: \fI<number>
434 .B outgoing\-tcp\-mss: \fI<number>
442 .B tcp-idle-timeout: \fI<msec>\fR
454 .B tcp-reuse-timeout: \fI<msec>\fR
458 .B max-reuse-tcp-queries: \fI<number>\fR
463 .B tcp-auth-query-timeout: \fI<number>\fR
467 .B edns-tcp-keepalive: \fI<yes or no>\fR
470 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
486 .B tcp\-upstream: \fI<yes or no>
489 TCP transport only for selected forward or stub zones using forward-tcp-upstream
490 or stub-tcp-upstream respectively.
492 .B udp\-upstream\-without\-downstream: \fI<yes or no>
493 Enable udp upstream even if do-udp is no. Default is no, and this does not
497 .B tls\-upstream: \fI<yes or no>
501 \fBtls\-service\-key\fR).
502 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
505 …e TLS specifically for some forward zones with forward\-tls\-upstream. And also with stub\-tls\-u…
507 .B ssl\-upstream: \fI<yes or no>
508 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
511 .B tls\-service\-key: \fI<file>
512 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
513 TCP ports marked implicitly or explicitly for these services with tls\-port or
514 https\-port. The file must contain the private key for the TLS session, the
515 public certificate is in the tls\-service\-pem file and it must also be
516 specified if tls\-service\-key is specified. The default is "", turned off.
519 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
520 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
521 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
523 .B ssl\-service\-key: \fI<file>
524 Alternate syntax for \fBtls\-service\-key\fR.
526 .B tls\-service\-pem: \fI<file>
530 .B ssl\-service\-pem: \fI<file>
531 Alternate syntax for \fBtls\-service\-pem\fR.
533 .B tls\-port: \fI<number>
537 .B ssl\-port: \fI<number>
538 Alternate syntax for \fBtls\-port\fR.
540 .B tls\-cert\-bundle: \fI<file>
542 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
543 for authenticating connections made to outside peers. For example auth\-zone
547 .B ssl\-cert\-bundle: \fI<file>
548 Alternate syntax for \fBtls\-cert\-bundle\fR.
550 .B tls\-win\-cert: \fI<yes or no>
554 the tls\-cert\-bundle option on other systems.
556 .B tls\-additional\-port: \fI<portnr>
557 List portnumbers as tls\-additional\-port, and when interfaces are defined,
561 .B tls-session-ticket-keys: \fI<file>
574 .B tls\-ciphers: \fI<string with cipher list>
578 .B tls\-ciphersuites: \fI<string with ciphersuites list>
582 .B pad\-responses: \fI<yes or no>
585 \fBpad\-responses\-block\-size\fR.
588 .B pad\-responses\-block\-size: \fI<number>
593 .B pad\-queries: \fI<yes or no>
595 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
598 .B pad\-queries\-block\-size: \fI<number>
602 .B tls\-use\-sni: \fI<yes or no>
607 .B https\-port: \fI<number>
608 The port number on which to provide DNS-over-HTTPS service, default 443, only
611 .B http\-endpoint: \fI<endpoint string>
612 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
614 .B http\-max\-streams: \fI<number of streams>
616 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
618 .B http\-query\-buffer\-size: \fI<size in bytes>
625 .B http\-response\-buffer\-size: \fI<size in bytes>
632 .B http\-nodelay: \fI<yes or no>
633 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
636 .B http\-notls\-downstream: \fI<yes or no>
637 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
640 .B use\-systemd: \fI<yes or no>
644 .B do\-daemonize: \fI<yes or no>
649 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
654 .B access\-control: \fI<IP netblock> <action>
660 The order of the access\-control statements therefore does not matter.
672 local\-data that is configured. The reason is that this does not involve
695 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
700 only allowed to query for the authoritative local\-data, they are not
705 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
706 Assign tags to access-control elements. Clients using this access control
708 defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
709 spaces between tags. If access\-control\-tag is configured for a netblock that
710 does not have an access\-control, an access\-control element with action
713 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
716 between access\-control\-tag and local\-zone\-tag where "first" comes from the
717 order of the define-tag values.
719 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
722 .B access\-control\-view: \fI<IP netblock> <view name>
774 If this option is given, the use\-syslog option is set to "no".
778 .B use\-syslog: \fI<yes or no>
782 The logfile setting is overridden when use\-syslog is turned on.
785 .B log\-identity: \fI<string>
792 .B log\-time\-ascii: \fI<yes or no>
797 .B log\-queries: \fI<yes or no>
803 .B log\-replies: \fI<yes or no>
810 .B log\-tag\-queryreply: \fI<yes or no>
811 Prints the word 'query' and 'reply' with log\-queries and log\-replies.
815 .B log\-local\-actions: \fI<yes or no>
817 local\-zone type inform prints out, but they are also printed for the other
820 .B log\-servfail: \fI<yes or no>
829 kill \-HUP `cat @UNBOUND_PIDFILE@`
833 kill \-TERM `cat @UNBOUND_PIDFILE@`
837 .B root\-hints: \fI<filename>
841 when servers change, therefore it is good practice to use a root\-hints file.
843 .B hide\-identity: \fI<yes or no>
850 .B hide\-version: \fI<yes or no>
857 .B hide\-http\-user\-agent: \fI<yes or no>
858 If enabled, the HTTP header User-Agent is not set. Use with caution as some
861 .B http\-user\-agent
864 .B http\-user\-agent: \fI<string>
865 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
873 .B hide\-trustanchor: \fI<yes or no>
876 .B target\-fetch\-policy: \fI<"list of numbers">
883 A value of \-1 means to fetch all targets opportunistically for that dependency
889 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
892 .B harden\-short\-bufsize: \fI<yes or no>
896 .B harden\-large\-queries: \fI<yes or no>
901 .B harden\-glue: \fI<yes or no>
904 .B harden\-dnssec\-stripped: \fI<yes or no>
905 Require DNSSEC data for trust\-anchored zones, if such data is absent,
914 .B harden\-below\-nxdomain: \fI<yes or no>
921 this only DNSSEC-secure nxdomains are used, because the old software does not
925 .B harden\-referral\-path: \fI<yes or no>
934 If you enable it consider adding more numbers after the target\-fetch\-policy
937 .B harden\-algo\-downgrade: \fI<yes or no>
944 .B use\-caps\-for\-id: \fI<yes or no>
945 Use 0x20\-encoded random bits in the query to foil spoof attempts.
949 This feature is an experimental implementation of draft dns\-0x20.
951 .B caps\-exempt: \fI<domain>
952 Exempt the domain so that it does not receive caps\-for\-id perturbed
957 .B caps\-whitelist: \fI<yes or no>
958 Alternate syntax for \fBcaps\-exempt\fR.
960 .B qname\-minimisation: \fI<yes or no>
967 .B qname\-minimisation\-strict: \fI<yes or no>
968 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
971 This option only has effect when qname-minimisation is enabled. Default is no.
973 .B aggressive\-nsec: \fI<yes or no>
979 .B private\-address: \fI<IP address or subnet>
984 answers bogus. This protects against so\-called DNS Rebinding, where
988 \fBlocal\-data\fR that you configured is allowed to, and you can specify
989 additional names using \fBprivate\-domain\fR. No private addresses are
996 stops IPv4-mapped IPv6 addresses from bypassing the filter.
998 .B private\-domain: \fI<domain name>
1003 .B unwanted\-reply\-threshold: \fI<number>
1010 .B do\-not\-query\-address: \fI<IP address>
1015 .B do\-not\-query\-localhost: \fI<yes or no>
1016 If yes, localhost is added to the do\-not\-query\-address entries, both
1026 .B prefetch\-key: \fI<yes or no>
1031 .B deny\-any: \fI<yes or no>
1037 .B rrset\-roundrobin: \fI<yes or no>
1041 .B minimal-responses: \fI<yes or no>
1051 .B disable-dnssec-lame-check: \fI<yes or no>
1058 .B module\-config: \fI<"module names">
1062 Setting this to just "\fIiterator\fR" will result in a non\-validating
1067 You must also set \fItrust\-anchors\fR for validation to be useful.
1083 .B trust\-anchor\-file: \fI<filename>
1088 .B auto\-trust\-anchor\-file: \fI<filename>
1092 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1098 .B trust\-anchor: \fI<"Resource Record">
1100 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1106 .B trusted\-keys\-file: \fI<filename>
1108 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1109 but has a different file format. Format is BIND\-9 style format,
1110 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1114 .B trust\-anchor\-signaling: \fI<yes or no>
1117 .B root\-key\-sentinel: \fI<yes or no>
1120 .B domain\-insecure: \fI<domain name>
1133 .B val\-override\-date: \fI<rrsig\-style date spec>
1137 you are debugging signature inception and expiration. The value \-1 ignores
1140 .B val\-sig\-skew\-min: \fI<seconds>
1142 A value of 10% of the signature lifetime (expiration \- inception) is
1147 .B val\-sig\-skew\-max: \fI<seconds>
1149 A value of 10% of the signature lifetime (expiration \- inception)
1152 min and max very low disables the clock skew allowances. Setting both
1156 .B val\-max\-restart: \fI<number>
1160 .B val\-bogus\-ttl: \fI<number>
1166 .B val\-clean\-additional: \fI<yes or no>
1173 .B val\-log\-level: \fI<number>
1182 .B val\-permissive\-mode: \fI<yes or no>
1190 .B ignore\-cd\-flag: \fI<yes or no>
1198 .B serve\-expired: \fI<yes or no>
1200 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
1204 .B serve\-expired\-ttl: \fI<seconds>
1206 disables the limit. This option only applies when \fBserve\-expired\fR is
1210 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1211 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1216 .B serve\-expired\-reply\-ttl: \fI<seconds>
1218 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1221 .B serve\-expired\-client\-timeout: \fI<msec>
1223 essentially enables the serve-stale behavior as specified in
1229 .B serve\-original\-ttl: \fI<yes or no>
1233 front-end to a hidden authoritative name server. Enabling this feature does
1238 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1242 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1251 .B zonemd\-permissive\-mode: \fI<yes or no>
1257 .B add\-holddown: \fI<seconds>
1258 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1262 .B del\-holddown: \fI<seconds>
1263 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1268 .B keep\-missing: \fI<seconds>
1269 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1273 mechanism work with zones that perform regular (non\-5011) rollovers.
1277 .B permit\-small\-holddown: \fI<yes or no>
1281 .B key\-cache\-size: \fI<number>
1286 .B key\-cache\-slabs: \fI<number>
1291 .B neg\-cache\-size: \fI<number>
1296 .B unblock\-lan\-zones: \fI<yes or no>
1303 as a (DHCP-) DNS network resolver for a group of machines, where such
1305 data leakage about the local network to the upstream DNS servers.
1307 .B insecure\-lan\-zones: \fI<yes or no>
1310 \fIunblock\-lan\-zones\fR is used.
1312 .B local\-zone: \fI<zone> <type>
1314 there is no match from local\-data. The types are deny, refuse, static,
1318 local\-data: to enter data into the local zone. Answers for local zones
1322 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1337 as local\-data for the zone apex domain.
1344 If no local\-zone is given local\-data causes a transparent zone
1361 local\-zone: "example.com." redirect and
1362 local\-data: "example.com. A 127.0.0.1"
1369 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1420 can be turned off by specifying your own local\-zone of that name, or
1427 local\-zone: "localhost." redirect
1428 local\-data: "localhost. 10800 IN NS localhost."
1429 local\-data: "localhost. 10800 IN
1431 local\-data: "localhost. 10800 IN A 127.0.0.1"
1432 local\-data: "localhost. 10800 IN AAAA ::1"
1438 local\-zone: "127.in\-addr.arpa." static
1439 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1440 local\-data: "127.in\-addr.arpa. 10800 IN
1442 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1449 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1451 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1454 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1457 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1465 local\-zone: "home.arpa." static
1466 local\-data: "home.arpa. 10800 IN NS localhost."
1467 local\-data: "home.arpa. 10800 IN
1474 local\-zone: "onion." static
1475 local\-data: "onion. 10800 IN NS localhost."
1476 local\-data: "onion. 10800 IN
1483 local\-zone: "test." static
1484 local\-data: "test. 10800 IN NS localhost."
1485 local\-data: "test. 10800 IN
1492 local\-zone: "invalid." static
1493 local\-data: "invalid. 10800 IN NS localhost."
1494 local\-data: "invalid. 10800 IN
1499 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1500 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1501 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1504 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1505 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1506 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1507 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1508 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1527 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1530 transparent with a local\-zone statement.
1532 .\" End of local-zone listing.
1534 .B local\-data: \fI"<resource record string>"
1536 The query has to match exactly unless you configure the local\-zone as
1537 redirect. If not matched exactly, the local\-zone type determines
1538 further processing. If local\-data is configured that is not a subdomain of
1539 a local\-zone, a transparent local\-zone is configured.
1541 local\-data: 'example. TXT "text"'.
1544 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1547 .B local\-data\-ptr: \fI"IPaddr name"
1552 .B local\-zone\-tag: \fI<zone> <"list of tags">
1554 used access-control element has a matching tag. Tags must be defined in
1555 \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
1557 list of tags for the query and local\-zone\-tag is non-empty.
1559 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1561 Use this localzone type, regardless of the type configured for the local-zone
1563 access\-control\-tag\-action.
1565 .B response\-ip: \fI<IP-netblock> <action>
1572 \fIaccess-control-tag-action\fR, but there are some exceptions.
1574 Actions for \fIresponse-ip\fR are different from those for
1575 \fIlocal-zone\fR in that in case of the former there is no point of
1577 Because of this difference, the semantics of \fIresponse-ip\fR actions
1580 invalid for \fIresponse-ip\fR.
1582 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1587 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1590 This specifies the action data for \fIresponse-ip\fR with action being
1592 record string" is similar to that of \fIaccess-control-tag-action\fR,
1594 If the IP-netblock is an IPv6/IPV4 prefix, the record
1597 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1599 IP-netblock, following the normal rules for CNAME records.
1604 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1607 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1609 IP-netblock, the specified tags are assigned to the IP address.
1610 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1612 \fIaccess-control-tag-action\fR will apply.
1613 Tag matching rule is the same as that for \fIaccess-control-tag\fR and
1614 \fIlocal-zones\fR.
1615 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1616 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1618 If multiple \fIresponse-ip-tag\fR options are specified for the same
1619 IP-netblock in different statements, all but the first will be
1625 \fIaccess-control-tag-action\fR that has a matching tag with
1626 \fIresponse-ip-tag\fR can be those that are "invalid" for
1627 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1631 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1632 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1633 specific, and non-existence of data does not indicate anything about
1634 the existence or non-existence of the qname itself.
1636 no data for the corresponding \fIresponse-ip\fR configuration, then
1654 .B ratelimit\-size: \fI<memory size>
1660 .B ratelimit\-slabs: \fI<number>
1665 .B ratelimit\-factor: \fI<number>
1674 .B ratelimit\-backoff: \fI<yes or no>
1678 window. No traffic is allowed, except for ratelimit\-factor, until demand
1683 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1686 a top\-level\-domain you may want to have a higher limit than other names.
1689 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1694 is not changed, use ratelimit\-for\-domain to set that, you might want
1695 to use different settings for a top\-level\-domain and subdomains.
1698 .B ip\-ratelimit: \fI<number or 0>
1706 .B ip\-ratelimit\-size: \fI<memory size>
1712 .B ip\-ratelimit\-slabs: \fI<number>
1717 .B ip\-ratelimit\-factor: \fI<number>
1726 .B ip\-ratelimit\-backoff: \fI<yes or no>
1730 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1732 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1735 .B outbound\-msg\-retry: \fI<number>
1740 .B fast\-server\-permil: \fI<number>
1744 servers for the remaining time. When prefetch is enabled (or serve\-expired),
1747 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
1748 servers set. The default for fast\-server\-permil is 0.
1750 .B fast\-server\-num: \fI<number>
1752 use the fastest specified number of servers with the fast\-server\-permil
1755 .B edns\-client\-string: \fI<IP netblock> <string>
1760 .B edns\-client\-string\-opcode: \fI<opcode>
1761 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
1762 A value from the `Reserved for Local/Experimental` range (65001-65534) should
1766 .B remote\-control:
1768 enabled, the \fIunbound\-control\fR(8) utility can be used to send
1771 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
1772 section for options. To setup the correct self\-signed certificates use the
1773 \fIunbound\-control\-setup\fR(8) utility.
1775 .B control\-enable: \fI<yes or no>
1779 .B control\-interface: \fI<ip address or path>
1795 .B control\-port: \fI<port number>
1801 .B control\-use\-cert: \fI<yes or no>
1802 For localhost control-interface you can disable the use of TLS by setting
1806 .B server\-key\-file: \fI<private key file>
1808 This file is generated by the \fIunbound\-control\-setup\fR utility.
1809 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
1811 .B server\-cert\-file: \fI<certificate file.pem>
1813 This file is generated by the \fIunbound\-control\-setup\fR utility.
1814 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
1816 .B control\-key\-file: \fI<private key file>
1818 This file is generated by the \fIunbound\-control\-setup\fR utility.
1819 This file is used by \fIunbound\-control\fR.
1821 .B control\-cert\-file: \fI<certificate file.pem>
1824 This file is generated by the \fIunbound\-control\-setup\fR utility.
1825 This file is used by \fIunbound\-control\fR.
1829 .B stub\-zone:
1837 This is useful for company\-local data or private zones. Setup an
1840 .B stub\-addr:
1853 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
1854 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
1857 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
1862 .B stub\-host: \fI<domain name>
1868 configured tls\-port.
1870 .B stub\-addr: \fI<IP address>
1876 configured tls\-port.
1878 .B stub\-prime: \fI<yes or no>
1884 .B stub\-first: \fI<yes or no>
1890 .B stub\-tls\-upstream: \fI<yes or no>
1894 .B stub\-ssl\-upstream: \fI<yes or no>
1895 Alternate syntax for \fBstub\-tls\-upstream\fR.
1897 .B stub\-tcp\-upstream: \fI<yes or no>
1898 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
1901 .B stub\-no\-cache: \fI<yes or no>
1907 .B forward\-zone:
1910 forward the queries to. The servers listed as \fBforward\-host:\fR and
1911 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1918 A forward\-zone entry with name "." and a forward\-addr target will
1925 .B forward\-host: \fI<domain name>
1931 configured tls\-port.
1933 .B forward\-addr: \fI<IP address>
1939 configured tls\-port.
1942 If you leave out the '#' and auth name from the forward\-addr, any
1943 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
1945 .B forward\-first: \fI<yes or no>
1950 .B forward\-tls\-upstream: \fI<yes or no>
1953 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
1956 .B forward\-ssl\-upstream: \fI<yes or no>
1957 Alternate syntax for \fBforward\-tls\-upstream\fR.
1959 .B forward\-tcp\-upstream: \fI<yes or no>
1960 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
1963 .B forward\-no\-cache: \fI<yes or no>
1968 Authority zones are configured with \fBauth\-zone:\fR, and each one must
1969 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with …
1971 Authority zones are processed after \fBlocal\-zones\fR and before
1972 cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
1975 information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
2017 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2023 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2025 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2026 With allow\-notify you can specify additional sources of notifies.
2033 .B fallback\-enabled: \fI<yes or no>
2038 .B for\-downstream: \fI<yes or no>
2043 zone but have a local copy of zone data. If for\-downstream is no and
2044 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2048 .B for\-upstream: \fI<yes or no>
2055 .B zonemd\-check: \fI<yes or no>
2061 .B zonemd\-reject\-absence: \fI<yes or no>
2066 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2082 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2083 \fBlocal\-data\fR elements. Views can also contain view\-first,
2084 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2086 view name in an \fBaccess\-control\-view\fR element. Options from matching
2091 Name of the view. Must be unique. This name is used in access\-control\-view
2094 .B local\-zone: \fI<zone> <type>
2095 View specific local\-zone elements. Has the same types and behaviour as the
2096 global local\-zone elements. When there is at least one local\-zone specified
2097 and view\-first is no, the default local-zones will be added to this view.
2098 Defaults can be disabled using the nodefault type. When view\-first is yes or
2099 when a view does not have a local\-zone, the global local\-zone will be used
2102 .B local\-data: \fI"<resource record string>"
2103 View specific local\-data elements. Has the same behaviour as the global
2104 local\-data elements.
2106 .B local\-data\-ptr: \fI"IPaddr name"
2107 View specific local\-data\-ptr elements. Has the same behaviour as the global
2108 local\-data\-ptr elements.
2110 .B view\-first: \fI<yes or no>
2111 If enabled, it attempts to use the global local\-zone and local\-data if there
2121 and the word "python" has to be put in the \fBmodule\-config:\fR option
2127 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2131 .B python\-script: \fI<python file>\fR
2133 added to the \fBmodule\-config:\fR option.
2142 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2145 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2149 .B dynlib\-file: \fI<dynlib file>\fR
2151 instance added to the \fBmodule\-config:\fR option.
2154 The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
2158 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2162 .B dns64\-synthall: \fI<yes or no>\fR
2166 .B dns64\-ignore\-aaaa: \fI<name>\fR
2177 \fB\-\-enable\-dnscrypt\fR.
2179 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2180 dnscrypt-wrapper/blob/master/README.md#usage
2182 .B dnscrypt\-enable: \fI<yes or no>\fR
2187 .B dnscrypt\-port: \fI<port number>
2192 .B dnscrypt\-provider: \fI<provider name>\fR
2194 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2196 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2200 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2201 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2204 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2206 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2217 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2223 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2228 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2234 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2240 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
2252 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2254 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2257 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2262 .B send\-client\-subnet: \fI<IP address>\fR
2265 be given multiple times. Authorities not listed will not receive edns-subnet
2266 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2268 .B client\-subnet\-zone: \fI<domain>\fR
2270 given multiple times. Zones not listed will not receive edns-subnet information,
2271 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2273 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2275 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2282 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2286 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2290 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2295 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2300 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2304 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2309 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
2311 \fB\-\-enable\-ipsecmod\fR to be enabled.
2335 \fBipsecmod-max-ttl\fR.
2339 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2342 .B ipsecmod-enabled: \fI<yes or no>\fR
2344 needs to be defined in the \fBmodule\-config:\fR directive. This option
2348 .B ipsecmod\-hook: \fI<filename>\fR
2352 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2355 .B ipsecmod-strict: \fI<yes or no>\fR
2360 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2364 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2370 .B ipsecmod\-allow: \fI<domain>\fR
2375 .B ipsecmod\-whitelist: \fI<yes or no>
2376 Alternate syntax for \fBipsecmod\-allow\fR.
2379 The Cache DB module must be configured in the \fBmodule\-config:\fR
2381 with \fB\-\-enable\-cachedb\fR.
2384 When Unbound cannot find an answer to a query in its built-in in-memory
2391 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2393 of \fBserve\-expired\-client\-timeout:\fR and
2394 \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
2399 \fB\-\-with\-libhiredis\fR
2409 preferably with some kind of least-recently-used eviction policy.
2410 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2434 The default database is the in-memory backend named "testframe", which,
2436 Depending on the build-time configuration, "redis" backend may also be
2439 .B secret-seed: \fI<"secret string">\fR
2452 .B redis-server-host: \fI<server address or name>\fR
2459 .B redis-server-port: \fI<port number>\fR
2463 .B redis-timeout: \fI<msec>\fR
2467 re-establish a new connection later.
2470 .B redis-expire-records: \fI<yes or no>
2473 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2478 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2482 threading it does not spawn a thread, but connects per-process to the
2485 .B dnstap-enable: \fI<yes or no>
2487 and if any of the dnstap-log-..-messages options is enabled it sends logs
2490 .B dnstap-bidirectional: \fI<yes or no>
2494 .B dnstap-socket-path: \fI<file name>
2498 .B dnstap-ip: \fI<IPaddress[@port]>
2502 .B dnstap-tls: \fI<yes or no>
2503 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2506 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2507 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If ""…
2509 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
2514 .B dnstap-tls-client-key-file: \fI<file name>
2518 .B dnstap-tls-client-cert-file: \fI<file name>
2521 .B dnstap-send-identity: \fI<yes or no>
2525 .B dnstap-send-version: \fI<yes or no>
2529 .B dnstap-identity: \fI<string>
2533 .B dnstap-version: \fI<string>
2537 .B dnstap-log-resolver-query-messages: \fI<yes or no>
2541 .B dnstap-log-resolver-response-messages: \fI<yes or no>
2545 .B dnstap-log-client-query-messages: \fI<yes or no>
2549 .B dnstap-log-client-response-messages: \fI<yes or no>
2553 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
2556 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
2563 \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
2564 \fBmodule-config: "respip validator iterator"\fR.
2567 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
2568 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
2569 before \fBauth\-zones\fR.
2586 netblock.rpz-client-ip client IP address
2587 netblock.rpz-ip response IP address in the answer
2588 name.rpz-nsdname nameserver name
2589 netblock.rpz-nsip nameserver IP address
2593 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
2594 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2600 CNAME rpz-passthru. do nothing, allow to continue
2601 CNAME rpz-drop. the query is dropped
2602 CNAME rpz-tcp-only. answer over TCP
2605 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
2637 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2640 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2641 With allow\-notify you can specify additional sources of notifies.
2653 .B rpz\-action\-override: \fI<action>
2657 .B rpz\-cname\-override: \fI<domain>
2659 \fBrpz\-action\-override\fR.
2661 .B rpz\-log: \fI<yes or no>
2664 .B rpz\-log\-name: \fI<name>
2667 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
2672 .B for\-downstream: \fI<yes or no>
2680 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
2681 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
2691 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
2696 num\-threads: 1
2697 outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
2698 incoming\-num\-tcp: 1
2699 outgoing\-range: 60 # uses less memory, but less performance.
2700 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
2701 msg\-cache\-size: 100k
2702 msg\-cache\-slabs: 1
2703 rrset\-cache\-size: 100k
2704 rrset\-cache\-slabs: 1
2705 infra\-cache\-numhosts: 200
2706 infra\-cache\-slabs: 1
2707 key\-cache\-size: 100k
2708 key\-cache\-slabs: 1
2709 neg\-cache\-size: 10k
2710 num\-queries\-per\-thread: 30
2711 target\-fetch\-policy: "2 1 0 0 0 0"
2712 harden\-large\-queries: "yes"
2713 harden\-short\-bufsize: "yes"
2736 \fIunbound\-checkconf\fR(8).