Lines Matching +full:ports +full:- +full:block +full:- +full:group +full:- +full:count

3 .\" unbound.conf.5 -- unbound.conf manual
12 \- Unbound configuration file.
27 \fIunbound\-checkconf\fR(8)
34 $ unbound \-c /etc/unbound/unbound.conf
53 # mount \-\-bind \-n /dev/urandom /etc/unbound/dev/urandom
54 # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
62 access\-control: 10.0.0.0/8 allow
63 access\-control: 2001:DB8::/64 allow
69 the file (or included files) to group attributes under the same clause.
82 .B include\-toplevel:
99 .B statistics\-interval: \fI<seconds>
106 .B statistics\-cumulative: \fI<yes or no>
110 .B extended\-statistics: \fI<yes or no>
111 If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
113 counters are listed in \fIunbound\-control\fR(8).
115 .B num\-threads: \fI<number>
127 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
132 .B ip\-address: \fI<ip address[@port]>
135 .B interface\-automatic: \fI<yes or no>
138 ip\-transparent, but this option services all interfaces whilst with
139 ip\-transparent you can select which (future) interfaces Unbound provides
143 .B outgoing\-interface: \fI<ip address or ip6 netblock>
150 .B outgoing\-interface:
157 host running Unbound, and requires OS support for unprivileged non-local binds
160 .B outgoing\-interface:
163 .B prefer\-ip6: yes
167 ip \-6 addr add mynetblock/64 dev lo &&
168 ip \-6 route add local mynetblock/64 dev lo
170 .B outgoing\-range: \fI<number>
171 Number of ports to open. This number of file descriptors can be opened per
176 .B outgoing\-port\-permit: \fI<port number or range>
177 Permit Unbound to open this port or range of ports for use to send queries.
178 A larger number of permitted outgoing ports increases resilience against
179 spoofing attempts. Make sure these ports are not needed by other daemons.
180 By default only ports above 1024 that have not been assigned by IANA are used.
181 Give a port number or a range of the form "low\-high", without spaces.
183 The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
184 are processed in the line order of the config file, adding the permitted ports
185 and subtracting the avoided ports from the set of allowed ports. The
186 processing starts with the non IANA allocated ports above 1024 in the set
187 of allowed ports.
189 .B outgoing\-port\-avoid: \fI<port number or range>
190 Do not permit Unbound to open this port or range of ports for use to send
193 By default only ports above 1024 that have not been assigned by IANA are used.
194 Give a port number or a range of the form "low\-high", without spaces.
196 .B outgoing\-num\-tcp: \fI<number>
198 set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers
201 .B incoming\-num\-tcp: \fI<number>
203 10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are
206 .B edns\-buffer\-size: \fI<number>
209 buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
216 .B max\-udp\-size: \fI<number>
221 .B stream\-wait\-size: \fI<number>
231 .B msg\-buffer\-size: \fI<number>
238 .B msg\-cache\-size: \fI<number>
243 .B msg\-cache\-slabs: \fI<number>
248 .B num\-queries\-per\-thread: \fI<number>
251 (see \fIjostle\-timeout\fR), then the queries are dropped. This forces
255 .B jostle\-timeout: \fI<msec>
262 The effect is that the qps for long-lasting queries is about
268 .B delay\-close: \fI<msec>
269 Extra delay for timed-out UDP ports before they are closed, in msec.
272 closed ports and setting off all sort of close-port counters, with
277 .B udp\-connect: \fI<yes or no>
281 .B unknown\-server\-time\-limit: \fI<msec>
284 That would then avoid re\-querying every initial query because it times out.
287 .B so\-rcvbuf: \fI<number>
290 servers do not drop packets (see counter in netstat \-su). Default is
295 On OpenBSD change header and recompile kernel. On Solaris ndd \-set
298 .B so\-sndbuf: \fI<number>
302 can get logged, the buffer overrun is also visible by netstat \-su.
307 to so\-rcvbuf.
309 .B so\-reuseport: \fI<yes or no>
321 .B ip\-transparent: \fI<yes or no>
324 non\-local interfaces. For example for non\-existent IP addresses that
326 a lot like interface\-automatic, but that one services all interfaces
332 .B ip\-freebind: \fI<yes or no>
337 ip\-transparent option is also available.
339 .B ip-dscp: \fI<number>
342 The field replaces the outdated IPv4 Type-Of-Service field and the
345 .B rrset\-cache\-size: \fI<number>
350 .B rrset\-cache\-slabs: \fI<number>
354 .B cache\-max\-ttl: \fI<seconds>
360 .B cache\-min\-ttl: \fI<seconds>
368 .B cache\-max\-negative\-ttl: \fI<seconds>
373 .B infra\-host\-ttl: \fI<seconds>
377 .B infra\-cache\-slabs: \fI<number>
381 .B infra\-cache\-numhosts: \fI<number>
384 .B infra\-cache\-min\-rtt: \fI<msec>
389 .B infra\-keep\-probing: \fI<yes or no>
393 it may take \fBinfra\-host\-ttl\fR time to get probed again.
395 .B define\-tag: \fI<"list of tags">
396 Define the tags that can be used with local\-zone and access\-control.
399 .B do\-ip4: \fI<yes or no>
402 .B do\-ip6: \fI<yes or no>
409 .B prefer\-ip4: \fI<yes or no>
416 .B prefer\-ip6: \fI<yes or no>
420 .B do\-udp: \fI<yes or no>
423 .B do\-tcp: \fI<yes or no>
426 .B tcp\-mss: \fI<number>
434 .B outgoing\-tcp\-mss: \fI<number>
442 .B tcp-idle-timeout: \fI<msec>\fR
454 .B tcp-reuse-timeout: \fI<msec>\fR
458 .B max-reuse-tcp-queries: \fI<number>\fR
463 .B tcp-auth-query-timeout: \fI<number>\fR
467 .B edns-tcp-keepalive: \fI<yes or no>\fR
470 .B edns-tcp-keepalive-timeout: \fI<msec>\fR
486 .B tcp\-upstream: \fI<yes or no>
489 TCP transport only for selected forward or stub zones using forward-tcp-upstream
490 or stub-tcp-upstream respectively.
492 .B udp\-upstream\-without\-downstream: \fI<yes or no>
493 Enable udp upstream even if do-udp is no. Default is no, and this does not
497 .B tls\-upstream: \fI<yes or no>
501 \fBtls\-service\-key\fR).
502 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
505 …e TLS specifically for some forward zones with forward\-tls\-upstream. And also with stub\-tls\-u…
507 .B ssl\-upstream: \fI<yes or no>
508 Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
511 .B tls\-service\-key: \fI<file>
512 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
513 TCP ports marked implicitly or explicitly for these services with tls\-port or
514 https\-port. The file must contain the private key for the TLS session, the
515 public certificate is in the tls\-service\-pem file and it must also be
516 specified if tls\-service\-key is specified. The default is "", turned off.
519 The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
520 \fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
521 compiled with libnghttp2 in order to provide DNS-over-HTTPS.
523 .B ssl\-service\-key: \fI<file>
524 Alternate syntax for \fBtls\-service\-key\fR.
526 .B tls\-service\-pem: \fI<file>
530 .B ssl\-service\-pem: \fI<file>
531 Alternate syntax for \fBtls\-service\-pem\fR.
533 .B tls\-port: \fI<number>
537 .B ssl\-port: \fI<number>
538 Alternate syntax for \fBtls\-port\fR.
540 .B tls\-cert\-bundle: \fI<file>
542 for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
543 for authenticating connections made to outside peers. For example auth\-zone
547 .B ssl\-cert\-bundle: \fI<file>
548 Alternate syntax for \fBtls\-cert\-bundle\fR.
550 .B tls\-win\-cert: \fI<yes or no>
554 the tls\-cert\-bundle option on other systems.
556 .B tls\-additional\-port: \fI<portnr>
557 List portnumbers as tls\-additional\-port, and when interfaces are defined,
561 .B tls-session-ticket-keys: \fI<file>
570 One way to create the file is dd if=/dev/random bs=1 count=80 of=ticket.dat
574 .B tls\-ciphers: \fI<string with cipher list>
578 .B tls\-ciphersuites: \fI<string with ciphersuites list>
582 .B pad\-responses: \fI<yes or no>
585 \fBpad\-responses\-block\-size\fR.
588 .B pad\-responses\-block\-size: \fI<number>
589 The block size with which to pad responses serviced over TLS. Only responses
593 .B pad\-queries: \fI<yes or no>
595 multiple of the size specified in \fBpad\-queries\-block\-size\fR.
598 .B pad\-queries\-block\-size: \fI<number>
599 The block size with which to pad queries sent over TLS upstreams.
602 .B tls\-use\-sni: \fI<yes or no>
607 .B https\-port: \fI<number>
608 The port number on which to provide DNS-over-HTTPS service, default 443, only
611 .B http\-endpoint: \fI<endpoint string>
612 The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
614 .B http\-max\-streams: \fI<number of streams>
616 SETTINGS frame for DNS-over-HTTPS connections. Default 100.
618 .B http\-query\-buffer\-size: \fI<size in bytes>
625 .B http\-response\-buffer\-size: \fI<size in bytes>
632 .B http\-nodelay: \fI<yes or no>
633 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
636 .B http\-notls\-downstream: \fI<yes or no>
637 Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
640 .B use\-systemd: \fI<yes or no>
644 .B do\-daemonize: \fI<yes or no>
649 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
654 .B access\-control: \fI<IP netblock> <action>
656 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
660 The order of the access\-control statements therefore does not matter.
672 local\-data that is configured. The reason is that this does not involve
695 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
700 only allowed to query for the authoritative local\-data, they are not
705 .B access\-control\-tag: \fI<IP netblock> <"list of tags">
706 Assign tags to access-control elements. Clients using this access control
708 defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put
709 spaces between tags. If access\-control\-tag is configured for a netblock that
710 does not have an access\-control, an access\-control element with action
713 .B access\-control\-tag\-action: \fI<IP netblock> <tag> <action>
716 between access\-control\-tag and local\-zone\-tag where "first" comes from the
717 order of the define-tag values.
719 .B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
722 .B access\-control\-view: \fI<IP netblock> <view name>
757 port, reloads (by signal HUP) will still retain the opened ports.
774 If this option is given, the use\-syslog option is set to "no".
778 .B use\-syslog: \fI<yes or no>
782 The logfile setting is overridden when use\-syslog is turned on.
785 .B log\-identity: \fI<string>
792 .B log\-time\-ascii: \fI<yes or no>
797 .B log\-queries: \fI<yes or no>
803 .B log\-replies: \fI<yes or no>
810 .B log\-tag\-queryreply: \fI<yes or no>
811 Prints the word 'query' and 'reply' with log\-queries and log\-replies.
815 .B log\-local\-actions: \fI<yes or no>
817 local\-zone type inform prints out, but they are also printed for the other
820 .B log\-servfail: \fI<yes or no>
829 kill \-HUP `cat @UNBOUND_PIDFILE@`
833 kill \-TERM `cat @UNBOUND_PIDFILE@`
837 .B root\-hints: \fI<filename>
841 when servers change, therefore it is good practice to use a root\-hints file.
843 .B hide\-identity: \fI<yes or no>
850 .B hide\-version: \fI<yes or no>
857 .B hide\-http\-user\-agent: \fI<yes or no>
858 If enabled the HTTP header User-Agent is not set. Use with caution as some
861 .B http\-user\-agent
864 .B http\-user\-agent: \fI<string>
865 Set the HTTP User-Agent header for outgoing HTTP requests. If set to "",
873 .B hide\-trustanchor: \fI<yes or no>
876 .B target\-fetch\-policy: \fI<"list of numbers">
883 A value of \-1 means to fetch all targets opportunistically for that dependency
889 closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
892 .B harden\-short\-bufsize: \fI<yes or no>
896 .B harden\-large\-queries: \fI<yes or no>
901 .B harden\-glue: \fI<yes or no>
904 .B harden\-dnssec\-stripped: \fI<yes or no>
905 Require DNSSEC data for trust\-anchored zones, if such data is absent,
914 .B harden\-below\-nxdomain: \fI<yes or no>
921 this only DNSSEC-secure nxdomains are used, because the old software does not
925 .B harden\-referral\-path: \fI<yes or no>
934 If you enable it consider adding more numbers after the target\-fetch\-policy
937 .B harden\-algo\-downgrade: \fI<yes or no>
944 .B use\-caps\-for\-id: \fI<yes or no>
945 Use 0x20\-encoded random bits in the query to foil spoof attempts.
949 This feature is an experimental implementation of draft dns\-0x20.
951 .B caps\-exempt: \fI<domain>
952 Exempt the domain so that it does not receive caps\-for\-id perturbed
957 .B caps\-whitelist: \fI<yes or no>
958 Alternate syntax for \fBcaps\-exempt\fR.
960 .B qname\-minimisation: \fI<yes or no>
967 .B qname\-minimisation\-strict: \fI<yes or no>
968 QNAME minimisation in strict mode. Do not fall back to sending full QNAME to
971 This option only has effect when qname-minimisation is enabled. Default is no.
973 .B aggressive\-nsec: \fI<yes or no>
979 .B private\-address: \fI<IP address or subnet>
984 answers bogus. This protects against so\-called DNS Rebinding, where
988 \fBlocal\-data\fR that you configured is allowed to, and you can specify
989 additional names using \fBprivate\-domain\fR. No private addresses are
996 stops IPv4-mapped IPv6 addresses from bypassing the filter.
998 .B private\-domain: \fI<domain name>
1003 .B unwanted\-reply\-threshold: \fI<number>
1010 .B do\-not\-query\-address: \fI<IP address>
1015 .B do\-not\-query\-localhost: \fI<yes or no>
1016 If yes, localhost is added to the do\-not\-query\-address entries, both
1026 .B prefetch\-key: \fI<yes or no>
1031 .B deny\-any: \fI<yes or no>
1037 .B rrset\-roundrobin: \fI<yes or no>
1041 .B minimal-responses: \fI<yes or no>
1051 .B disable-dnssec-lame-check: \fI<yes or no>
1058 .B module\-config: \fI<"module names">
1062 Setting this to just "\fIiterator\fR" will result in a non\-validating
1067 You must also set \fItrust\-anchors\fR for validation to be useful.
1083 .B trust\-anchor\-file: \fI<filename>
1088 .B auto\-trust\-anchor\-file: \fI<filename>
1092 \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
1098 .B trust\-anchor: \fI<"Resource Record">
1100 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
1106 .B trusted\-keys\-file: \fI<filename>
1108 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
1109 but has a different file format. Format is BIND\-9 style format,
1110 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
1114 .B trust\-anchor\-signaling: \fI<yes or no>
1117 .B root\-key\-sentinel: \fI<yes or no>
1120 .B domain\-insecure: \fI<domain name>
1133 .B val\-override\-date: \fI<rrsig\-style date spec>
1137 you are debugging signature inception and expiration. The value \-1 ignores
1140 .B val\-sig\-skew\-min: \fI<seconds>
1142 A value of 10% of the signature lifetime (expiration \- inception) is
1147 .B val\-sig\-skew\-max: \fI<seconds>
1149 A value of 10% of the signature lifetime (expiration \- inception)
1156 .B val\-max\-restart: \fI<number>
1160 .B val\-bogus\-ttl: \fI<number>
1166 .B val\-clean\-additional: \fI<yes or no>
1173 .B val\-log\-level: \fI<number>
1182 .B val\-permissive\-mode: \fI<yes or no>
1190 .B ignore\-cd\-flag: \fI<yes or no>
1198 .B serve\-expired: \fI<yes or no>
1200 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
1204 .B serve\-expired\-ttl: \fI<seconds>
1206 disables the limit. This option only applies when \fBserve\-expired\fR is
1210 .B serve\-expired\-ttl\-reset: \fI<yes or no>
1211 Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
1216 .B serve\-expired\-reply\-ttl: \fI<seconds>
1218 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
1221 .B serve\-expired\-client\-timeout: \fI<msec>
1223 essentially enables the serve-stale behavior as specified in
1229 .B serve\-original\-ttl: \fI<yes or no>
1233 front-end to a hidden authoritative name server. Enabling this feature does
1238 Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are
1242 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
1243 List of keysize and iteration count values, separated by spaces, surrounded
1245 maximum allowed NSEC3 iteration count before a message is simply marked
1251 .B zonemd\-permissive\-mode: \fI<yes or no>
1257 .B add\-holddown: \fI<seconds>
1258 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1262 .B del\-holddown: \fI<seconds>
1263 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1268 .B keep\-missing: \fI<seconds>
1269 Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
1273 mechanism work with zones that perform regular (non\-5011) rollovers.
1277 .B permit\-small\-holddown: \fI<yes or no>
1281 .B key\-cache\-size: \fI<number>
1286 .B key\-cache\-slabs: \fI<number>
1291 .B neg\-cache\-size: \fI<number>
1296 .B unblock\-lan\-zones: \fI<yes or no>
1303 as a (DHCP-) DNS network resolver for a group of machines, where such
1307 .B insecure\-lan\-zones: \fI<yes or no>
1310 \fIunblock\-lan\-zones\fR is used.
1312 .B local\-zone: \fI<zone> <type>
1314 there is no match from local\-data. The types are deny, refuse, static,
1318 local\-data: to enter data into the local zone. Answers for local zones
1322 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1337 as local\-data for the zone apex domain.
1344 If no local\-zone is given local\-data causes a transparent zone
1361 local\-zone: "example.com." redirect and
1362 local\-data: "example.com. A 127.0.0.1"
1369 timestamp, unbound-pid, info: zonename inform IP@port queryname type
1399 some block lists.
1420 can be turned off by specifying your own local\-zone of that name, or
1427 local\-zone: "localhost." redirect
1428 local\-data: "localhost. 10800 IN NS localhost."
1429 local\-data: "localhost. 10800 IN
1431 local\-data: "localhost. 10800 IN A 127.0.0.1"
1432 local\-data: "localhost. 10800 IN AAAA ::1"
1438 local\-zone: "127.in\-addr.arpa." static
1439 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
1440 local\-data: "127.in\-addr.arpa. 10800 IN
1442 local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
1449 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1451 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1454 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1457 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1465 local\-zone: "home.arpa." static
1466 local\-data: "home.arpa. 10800 IN NS localhost."
1467 local\-data: "home.arpa. 10800 IN
1474 local\-zone: "onion." static
1475 local\-data: "onion. 10800 IN NS localhost."
1476 local\-data: "onion. 10800 IN
1483 local\-zone: "test." static
1484 local\-data: "test. 10800 IN NS localhost."
1485 local\-data: "test. 10800 IN
1492 local\-zone: "invalid." static
1493 local\-data: "invalid. 10800 IN NS localhost."
1494 local\-data: "invalid. 10800 IN
1499 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
1500 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
1501 The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
1504 \h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
1505 Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
1506 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
1507 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
1508 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
1525 tutorials and examples. You can remove the block on this zone with:
1527 local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1530 transparent with a local\-zone statement.
1532 .\" End of local-zone listing.
1534 .B local\-data: \fI"<resource record string>"
1536 The query has to match exactly unless you configure the local\-zone as
1537 redirect. If not matched exactly, the local\-zone type determines
1538 further processing. If local\-data is configured that is not a subdomain of
1539 a local\-zone, a transparent local\-zone is configured.
1541 local\-data: 'example. TXT "text"'.
1544 CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
1547 .B local\-data\-ptr: \fI"IPaddr name"
1552 .B local\-zone\-tag: \fI<zone> <"list of tags">
1554 used access-control element has a matching tag. Tags must be defined in
1555 \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between
1557 list of tags for the query and local\-zone\-tag is non-empty.
1559 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
1561 Use this localzone type, regardless of the type configured for the local-zone
1563 access\-control\-tag\-action.
1565 .B response\-ip: \fI<IP-netblock> <action>
1572 \fIaccess-control-tag-action\fR, but there are some exceptions.
1574 Actions for \fIresponse-ip\fR are different from those for
1575 \fIlocal-zone\fR in that in case of the former there is no point of
1577 Because of this difference, the semantics of \fIresponse-ip\fR actions
1580 invalid for \fIresponse-ip\fR.
1582 faulty. The \fIdeny\fR action is non-conditional, i.e. it always
1587 .B response-ip-data: \fI<IP-netblock> <"resource record string">
1590 This specifies the action data for \fIresponse-ip\fR with action being
1592 record string" is similar to that of \fIaccess-control-tag-action\fR,
1594 If the IP-netblock is an IPv6/IPV4 prefix, the record
1597 more than one \fIresponse-ip-data\fR for the same IP-netblock.
1599 IP-netblock, following the normal rules for CNAME records.
1604 .B response-ip-tag: \fI<IP-netblock> <"list of tags">
1607 Assign tags to response IP-netblocks. If the IP address in an AAAA or
1609 IP-netblock, the specified tags are assigned to the IP address.
1610 Then, if an \fIaccess-control-tag\fR is defined for the client and it
1612 \fIaccess-control-tag-action\fR will apply.
1613 Tag matching rule is the same as that for \fIaccess-control-tag\fR and
1614 \fIlocal-zones\fR.
1615 Unlike \fIlocal-zone-tag\fR, \fIresponse-ip-tag\fR can be defined for
1616 an IP-netblock even if no \fIresponse-ip\fR is defined for that
1618 If multiple \fIresponse-ip-tag\fR options are specified for the same
1619 IP-netblock in different statements, all but the first will be
1625 \fIaccess-control-tag-action\fR that has a matching tag with
1626 \fIresponse-ip-tag\fR can be those that are "invalid" for
1627 \fIresponse-ip\fR listed above, since \fIaccess-control-tag-action\fRs
1631 \fIresponse-ip-data\fR will generally result in NOERROR/NODATA instead
1632 of NXDOMAIN, since the \fIresponse-ip\fR data are inherently type
1633 specific, and non-existence of data does not indicate anything about
1634 the existence or non-existence of the qname itself.
1636 no data for the corresponding \fIresponse-ip\fR configuration, then
1654 .B ratelimit\-size: \fI<memory size>
1660 .B ratelimit\-slabs: \fI<number>
1665 .B ratelimit\-factor: \fI<number>
1674 .B ratelimit\-backoff: \fI<yes or no>
1678 window. No traffic is allowed, except for ratelimit\-factor, until demand
1683 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
1686 a top\-level\-domain you may want to have a higher limit than other names.
1689 .B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
1694 is not changed, use ratelimit\-for\-domain to set that, you might want
1695 to use different settings for a top\-level\-domain and subdomains.
1698 .B ip\-ratelimit: \fI<number or 0>
1706 .B ip\-ratelimit\-size: \fI<memory size>
1712 .B ip\-ratelimit\-slabs: \fI<number>
1717 .B ip\-ratelimit\-factor: \fI<number>
1726 .B ip\-ratelimit\-backoff: \fI<yes or no>
1730 window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand
1732 set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
1735 .B outbound\-msg\-retry: \fI<number>
1740 .B fast\-server\-permil: \fI<number>
1744 servers for the remaining time. When prefetch is enabled (or serve\-expired),
1747 \fBfast\-server\-num\fR option can be used to specify the size of the fastest
1748 servers set. The default for fast\-server\-permil is 0.
1750 .B fast\-server\-num: \fI<number>
1752 use the fastest specified number of servers with the fast\-server\-permil
1755 .B edns\-client\-string: \fI<IP netblock> <string>
1760 .B edns\-client\-string\-opcode: \fI<opcode>
1761 EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
1762 A value from the `Reserved for Local/Experimental` range (65001-65534) should
1766 .B remote\-control:
1768 enabled, the \fIunbound\-control\fR(8) utility can be used to send
1771 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
1772 section for options. To setup the correct self\-signed certificates use the
1773 \fIunbound\-control\-setup\fR(8) utility.
1775 .B control\-enable: \fI<yes or no>
1779 .B control\-interface: \fI<ip address or path>
1790 group that is configured, the access bits are set to allow the group members
1792 in that group. To restrict access further, create a directory to put
1795 .B control\-port: \fI<port number>
1801 .B control\-use\-cert: \fI<yes or no>
1802 For localhost control-interface you can disable the use of TLS by setting
1806 .B server\-key\-file: \fI<private key file>
1808 This file is generated by the \fIunbound\-control\-setup\fR utility.
1809 This file is used by the Unbound server, but not by \fIunbound\-control\fR.
1811 .B server\-cert\-file: \fI<certificate file.pem>
1813 This file is generated by the \fIunbound\-control\-setup\fR utility.
1814 This file is used by the Unbound server, and also by \fIunbound\-control\fR.
1816 .B control\-key\-file: \fI<private key file>
1818 This file is generated by the \fIunbound\-control\-setup\fR utility.
1819 This file is used by \fIunbound\-control\fR.
1821 .B control\-cert\-file: \fI<certificate file.pem>
1824 This file is generated by the \fIunbound\-control\-setup\fR utility.
1825 This file is used by \fIunbound\-control\fR.
1829 .B stub\-zone:
1837 This is useful for company\-local data or private zones. Setup an
1840 .B stub\-addr:
1853 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
1854 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
1857 (reverse\-) zone bypass Unbound's filtering of RFC1918 zones.
1862 .B stub\-host: \fI<domain name>
1868 configured tls\-port.
1870 .B stub\-addr: \fI<IP address>
1876 configured tls\-port.
1878 .B stub\-prime: \fI<yes or no>
1884 .B stub\-first: \fI<yes or no>
1890 .B stub\-tls\-upstream: \fI<yes or no>
1894 .B stub\-ssl\-upstream: \fI<yes or no>
1895 Alternate syntax for \fBstub\-tls\-upstream\fR.
1897 .B stub\-tcp\-upstream: \fI<yes or no>
1898 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
1901 .B stub\-no\-cache: \fI<yes or no>
1907 .B forward\-zone:
1910 forward the queries to. The servers listed as \fBforward\-host:\fR and
1911 \fBforward\-addr:\fR have to handle further recursion for the query. Thus,
1918 A forward\-zone entry with name "." and a forward\-addr target will
1925 .B forward\-host: \fI<domain name>
1931 configured tls\-port.
1933 .B forward\-addr: \fI<IP address>
1939 configured tls\-port.
1942 If you leave out the '#' and auth name from the forward\-addr, any
1943 name is accepted. The cert must also match a CA from the tls\-cert\-bundle.
1945 .B forward\-first: \fI<yes or no>
1950 .B forward\-tls\-upstream: \fI<yes or no>
1953 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
1956 .B forward\-ssl\-upstream: \fI<yes or no>
1957 Alternate syntax for \fBforward\-tls\-upstream\fR.
1959 .B forward\-tcp\-upstream: \fI<yes or no>
1960 …t to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream.
1963 .B forward\-no\-cache: \fI<yes or no>
1968 Authority zones are configured with \fBauth\-zone:\fR, and each one must
1969 have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with …
1971 Authority zones are processed after \fBlocal\-zones\fR and before
1972 cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
1975 information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
2017 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2023 "http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
2025 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2026 With allow\-notify you can specify additional sources of notifies.
2033 .B fallback\-enabled: \fI<yes or no>
2038 .B for\-downstream: \fI<yes or no>
2043 zone but have a local copy of zone data. If for\-downstream is no and
2044 for\-upstream is yes, then Unbound will DNSSEC validate the contents of the
2048 .B for\-upstream: \fI<yes or no>
2055 .B zonemd\-check: \fI<yes or no>
2061 .B zonemd\-reject\-absence: \fI<yes or no>
2066 failure is controlled by the \fBzonemd\-permissive\-mode\fR option, for
2067 log only or also block the zone. The default is no.
2082 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
2083 \fBlocal\-data\fR elements. Views can also contain view\-first,
2084 response\-ip, response\-ip\-data and local\-data\-ptr elements.
2086 view name in an \fBaccess\-control\-view\fR element. Options from matching
2091 Name of the view. Must be unique. This name is used in access\-control\-view
2094 .B local\-zone: \fI<zone> <type>
2095 View specific local\-zone elements. Has the same types and behaviour as the
2096 global local\-zone elements. When there is at least one local\-zone specified
2097 and view\-first is no, the default local-zones will be added to this view.
2098 Defaults can be disabled using the nodefault type. When view\-first is yes or
2099 when a view does not have a local\-zone, the global local\-zone will be used
2102 .B local\-data: \fI"<resource record string>"
2103 View specific local\-data elements. Has the same behaviour as the global
2104 local\-data elements.
2106 .B local\-data\-ptr: \fI"IPaddr name"
2107 View specific local\-data\-ptr elements. Has the same behaviour as the global
2108 local\-data\-ptr elements.
2110 .B view\-first: \fI<yes or no>
2111 If enabled, it attempts to use the global local\-zone and local\-data if there
2121 and the word "python" has to be put in the \fBmodule\-config:\fR option
2127 \fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an
2131 .B python\-script: \fI<python file>\fR
2133 added to the \fBmodule\-config:\fR option.
2142 \fBmodule\-config:\fR option. Multiple instances of dynamic libraries are
2145 The \fBdynlib\-file:\fR path should be specified as an absolute path relative
2149 .B dynlib\-file: \fI<dynlib file>\fR
2151 instance added to the \fBmodule\-config:\fR option.
2154 The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
2158 .B dns64\-prefix: \fI<IPv6 prefix>\fR
2162 .B dns64\-synthall: \fI<yes or no>\fR
2166 .B dns64\-ignore\-aaaa: \fI<name>\fR
2177 \fB\-\-enable\-dnscrypt\fR.
2179 You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
2180 dnscrypt-wrapper/blob/master/README.md#usage
2182 .B dnscrypt\-enable: \fI<yes or no>\fR
2187 .B dnscrypt\-port: \fI<port number>
2192 .B dnscrypt\-provider: \fI<provider name>\fR
2194 \fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot.
2196 .B dnscrypt\-secret\-key: \fI<path to secret key file>\fR
2200 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
2201 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
2204 .B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
2206 but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
2217 .B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
2223 .B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
2228 .B dnscrypt\-nonce\-cache\-size: \fI<memory size>
2234 .B dnscrypt\-nonce\-cache\-slabs: \fI<number>
2240 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
2252 allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
2254 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
2257 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
2262 .B send\-client\-subnet: \fI<IP address>\fR
2265 be given multiple times. Authorities not listed will not receive edns-subnet
2266 information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
2268 .B client\-subnet\-zone: \fI<domain>\fR
2270 given multiple times. Zones not listed will not receive edns-subnet information,
2271 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
2273 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
2275 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
2282 .B max\-client\-subnet\-ipv6: \fI<number>\fR
2286 .B max\-client\-subnet\-ipv4: \fI<number>\fR
2290 .B min\-client\-subnet\-ipv6: \fI<number>\fR
2295 .B min\-client\-subnet\-ipv4: \fI<number>\fR
2300 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
2304 .B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
2309 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
2311 \fB\-\-enable\-ipsecmod\fR to be enabled.
2335 \fBipsecmod-max-ttl\fR.
2339 \fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
2342 .B ipsecmod-enabled: \fI<yes or no>\fR
2344 needs to be defined in the \fBmodule\-config:\fR directive. This option
2348 .B ipsecmod\-hook: \fI<filename>\fR
2352 must be present when the IPsec module is defined in the \fBmodule\-config:\fR
2355 .B ipsecmod-strict: \fI<yes or no>\fR
2360 .B ipsecmod\-max-ttl: \fI<seconds>\fR
2364 .B ipsecmod-ignore-bogus: \fI<yes or no>\fR
2370 .B ipsecmod\-allow: \fI<domain>\fR
2375 .B ipsecmod\-whitelist: \fI<yes or no>
2376 Alternate syntax for \fBipsecmod\-allow\fR.
2379 The Cache DB module must be configured in the \fBmodule\-config:\fR
2381 with \fB\-\-enable\-cachedb\fR.
2384 When Unbound cannot find an answer to a query in its built-in in-memory
2391 This module interacts with the \fBserve\-expired\-*\fR options and will reply
2393 of \fBserve\-expired\-client\-timeout:\fR and
2394 \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
2399 \fB\-\-with\-libhiredis\fR
2409 preferably with some kind of least-recently-used eviction policy.
2410 Additionally, the \fBredis\-expire\-records\fR option can be used in order to
2434 The default database is the in-memory backend named "testframe", which,
2436 Depending on the build-time configuration, "redis" backend may also be
2439 .B secret-seed: \fI<"secret string">\fR
2452 .B redis-server-host: \fI<server address or name>\fR
2459 .B redis-server-port: \fI<port number>\fR
2463 .B redis-timeout: \fI<msec>\fR
2467 re-establish a new connection later.
2470 .B redis-expire-records: \fI<yes or no>
2473 Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0,
2478 DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled
2482 threading it does not spawn a thread, but connects per-process to the
2485 .B dnstap-enable: \fI<yes or no>
2487 and if any of the dnstap-log-..-messages options is enabled it sends logs
2490 .B dnstap-bidirectional: \fI<yes or no>
2494 .B dnstap-socket-path: \fI<file name>
2498 .B dnstap-ip: \fI<IPaddress[@port]>
2502 .B dnstap-tls: \fI<yes or no>
2503 Set this to use TLS to connect to the server specified in \fBdnstap-ip\fR.
2506 .B dnstap-tls-server-name: \fI<name of TLS authentication>
2507 The TLS server name to authenticate the server with. Used when \fBdnstap-tls\fR is enabled. If ""…
2509 .B dnstap-tls-cert-bundle: \fI<file name of cert bundle>
2514 .B dnstap-tls-client-key-file: \fI<file name>
2518 .B dnstap-tls-client-cert-file: \fI<file name>
2521 .B dnstap-send-identity: \fI<yes or no>
2525 .B dnstap-send-version: \fI<yes or no>
2529 .B dnstap-identity: \fI<string>
2533 .B dnstap-version: \fI<string>
2537 .B dnstap-log-resolver-query-messages: \fI<yes or no>
2541 .B dnstap-log-resolver-response-messages: \fI<yes or no>
2545 .B dnstap-log-client-query-messages: \fI<yes or no>
2549 .B dnstap-log-client-response-messages: \fI<yes or no>
2553 .B dnstap-log-forwarder-query-messages: \fI<yes or no>
2556 .B dnstap-log-forwarder-response-messages: \fI<yes or no>
2563 \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
2564 \fBmodule-config: "respip validator iterator"\fR.
2567 Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only
2568 and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and
2569 before \fBauth\-zones\fR.
2586 netblock.rpz-client-ip client IP address
2587 netblock.rpz-ip response IP address in the answer
2588 name.rpz-nsdname nameserver name
2589 netblock.rpz-nsip nameserver IP address
2593 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and
2594 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2600 CNAME rpz-passthru. do nothing, allow to continue
2601 CNAME rpz-drop. the query is dropped
2602 CNAME rpz-tcp-only. answer over TCP
2605 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to
2608 The RPZ zones can be configured in the config file with these settings in the \fBrpz:\fR block.
2637 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
2640 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
2641 With allow\-notify you can specify additional sources of notifies.
2653 .B rpz\-action\-override: \fI<action>
2657 .B rpz\-cname\-override: \fI<domain>
2659 \fBrpz\-action\-override\fR.
2661 .B rpz\-log: \fI<yes or no>
2664 .B rpz\-log\-name: \fI<name>
2667 .B rpz\-signal\-nxdomain\-ra: \fI<yes or no>
2672 .B for\-downstream: \fI<yes or no>
2680 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
2681 using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
2691 which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
2696 num\-threads: 1
2697 outgoing\-num\-tcp: 1 # this limits TCP service, uses fewer buffers.
2698 incoming\-num\-tcp: 1
2699 outgoing\-range: 60 # uses less memory, but less performance.
2700 msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
2701 msg\-cache\-size: 100k
2702 msg\-cache\-slabs: 1
2703 rrset\-cache\-size: 100k
2704 rrset\-cache\-slabs: 1
2705 infra\-cache\-numhosts: 200
2706 infra\-cache\-slabs: 1
2707 key\-cache\-size: 100k
2708 key\-cache\-slabs: 1
2709 neg\-cache\-size: 10k
2710 num\-queries\-per\-thread: 30
2711 target\-fetch\-policy: "2 1 0 0 0 0"
2712 harden\-large\-queries: "yes"
2713 harden\-short\-bufsize: "yes"
2736 \fIunbound\-checkconf\fR(8).