diff options
Diffstat (limited to '')
-rw-r--r-- | external/unbound/doc/unbound.conf.5.in | 1578 |
1 files changed, 0 insertions, 1578 deletions
diff --git a/external/unbound/doc/unbound.conf.5.in b/external/unbound/doc/unbound.conf.5.in deleted file mode 100644 index b2c76ac95..000000000 --- a/external/unbound/doc/unbound.conf.5.in +++ /dev/null @@ -1,1578 +0,0 @@ -.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3" -.\" -.\" unbound.conf.5 -- unbound.conf manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound.conf -\- Unbound configuration file. -.SH "SYNOPSIS" -.B unbound.conf -.SH "DESCRIPTION" -.B unbound.conf -is used to configure -\fIunbound\fR(8). -The file format has attributes and values. Some attributes have attributes inside them. -The notation is: attribute: value. -.P -Comments start with # and last to the end of line. Empty lines are -ignored as is whitespace at the beginning of a line. -.P -The utility -\fIunbound\-checkconf\fR(8) -can be used to check unbound.conf prior to usage. -.SH "EXAMPLE" -An example config file is shown below. Copy this to /etc/unbound/unbound.conf -and start the server with: -.P -.nf - $ unbound \-c /etc/unbound/unbound.conf -.fi -.P -Most settings are the defaults. Stop the server with: -.P -.nf - $ kill `cat /etc/unbound/unbound.pid` -.fi -.P -Below is a minimal config file. The source distribution contains an extensive -example.conf file with all the options. -.P -.nf -# unbound.conf(5) config file for unbound(8). -server: - directory: "/etc/unbound" - username: unbound - # make sure unbound can access entropy from inside the chroot. - # e.g. on linux the use these commands (on BSD, devfs(8) is used): - # mount \-\-bind \-n /dev/random /etc/unbound/dev/random - # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log - chroot: "/etc/unbound" - # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile. - pidfile: "/etc/unbound/unbound.pid" - # verbosity: 1 # uncomment and increase to get more logging. - # listen on all interfaces, answer queries from the local subnet. - interface: 0.0.0.0 - interface: ::0 - access\-control: 10.0.0.0/8 allow - access\-control: 2001:DB8::/64 allow -.fi -.SH "FILE FORMAT" -There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute -is followed by its containing attributes, or a value. -.P -Files can be included using the -.B include: -directive. It can appear anywhere, it accepts a single file name as argument. -Processing continues as if the text from the included file was copied into -the config file at that point. If also using chroot, using full path names -for the included files works, relative pathnames for the included names work -if the directory where the daemon is started equals its chroot/working -directory or is specified before the include statement with directory: dir. -Wildcards can be used to include multiple files, see \fIglob\fR(7). -.SS "Server Options" -These options are part of the -.B server: -clause. -.TP -.B verbosity: \fI<number> -The verbosity number, level 0 means no verbosity, only errors. Level 1 -gives operational information. Level 2 gives detailed operational -information. Level 3 gives query level information, output per query. -Level 4 gives algorithm level information. Level 5 logs client -identification for cache misses. Default is level 1. -The verbosity can also be increased from the commandline, see \fIunbound\fR(8). -.TP -.B statistics\-interval: \fI<seconds> -The number of seconds between printing statistics to the log for every thread. -Disable with value 0 or "". Default is disabled. The histogram statistics -are only printed if replies were sent during the statistics interval, -requestlist statistics are printed for every interval (but can be 0). -This is because the median calculation requires data to be present. -.TP -.B statistics\-cumulative: \fI<yes or no> -If enabled, statistics are cumulative since starting unbound, without clearing -the statistics counters after logging the statistics. Default is no. -.TP -.B extended\-statistics: \fI<yes or no> -If enabled, extended statistics are printed from \fIunbound\-control\fR(8). -Default is off, because keeping track of more statistics takes time. The -counters are listed in \fIunbound\-control\fR(8). -.TP -.B num\-threads: \fI<number> -The number of threads to create to serve clients. Use 1 for no threading. -.TP -.B port: \fI<port number> -The port number, default 53, on which the server responds to queries. -.TP -.B interface: \fI<ip address[@port]> -Interface to use to connect to the network. This interface is listened to -for queries from clients, and answers to clients are given from it. -Can be given multiple times to work on several interfaces. If none are -given the default is to listen to localhost. -The interfaces are not changed on a reload (kill \-HUP) but only on restart. -A port number can be specified with @port (without spaces between -interface and port number), if not specified the default port (from -\fBport\fR) is used. -.TP -.B ip\-address: \fI<ip address[@port]> -Same as interface: (for easy of compatibility with nsd.conf). -.TP -.B interface\-automatic: \fI<yes or no> -Detect source interface on UDP queries and copy them to replies. This -feature is experimental, and needs support in your OS for particular socket -options. Default value is no. -.TP -.B outgoing\-interface: \fI<ip address or ip6 netblock> -Interface to use to connect to the network. This interface is used to send -queries to authoritative servers and receive their replies. Can be given -multiple times to work on several interfaces. If none are given the -default (all) is used. You can specify the same interfaces in -.B interface: -and -.B outgoing\-interface: -lines, the interfaces are then used for both purposes. Outgoing queries are -sent via a random outgoing interface to counter spoofing. -.IP -If an IPv6 netblock is specified instead of an individual IPv6 address, -outgoing UDP queries will use a randomised source address taken from the -netblock to counter spoofing. Requires the IPv6 netblock to be routed to the -host running unbound, and requires OS support for unprivileged non-local binds -(currently only supported on Linux). Several netblocks may be specified with -multiple -.B outgoing\-interface: -options, but do not specify both an individual IPv6 address and an IPv6 -netblock, or the randomisation will be compromised. Consider combining with -.B prefer\-ip6: yes -to increase the likelihood of IPv6 nameservers being selected for queries. -On Linux you need these two commands to be able to use the freebind socket -option to receive traffic for the ip6 netblock: -ip \-6 addr add mynetblock/64 dev lo && -ip \-6 route add local mynetblock/64 dev lo -.TP -.B outgoing\-range: \fI<number> -Number of ports to open. This number of file descriptors can be opened per -thread. Must be at least 1. Default depends on compile options. Larger -numbers need extra resources from the operating system. For performance a -very large value is best, use libevent to make this possible. -.TP -.B outgoing\-port\-permit: \fI<port number or range> -Permit unbound to open this port or range of ports for use to send queries. -A larger number of permitted outgoing ports increases resilience against -spoofing attempts. Make sure these ports are not needed by other daemons. -By default only ports above 1024 that have not been assigned by IANA are used. -Give a port number or a range of the form "low\-high", without spaces. -.IP -The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements -are processed in the line order of the config file, adding the permitted ports -and subtracting the avoided ports from the set of allowed ports. The -processing starts with the non IANA allocated ports above 1024 in the set -of allowed ports. -.TP -.B outgoing\-port\-avoid: \fI<port number or range> -Do not permit unbound to open this port or range of ports for use to send -queries. Use this to make sure unbound does not grab a port that another -daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. -By default only ports above 1024 that have not been assigned by IANA are used. -Give a port number or a range of the form "low\-high", without spaces. -.TP -.B outgoing\-num\-tcp: \fI<number> -Number of outgoing TCP buffers to allocate per thread. Default is 10. If -set to 0, or if do\-tcp is "no", no TCP queries to authoritative servers -are done. For larger installations increasing this value is a good idea. -.TP -.B incoming\-num\-tcp: \fI<number> -Number of incoming TCP buffers to allocate per thread. Default is -10. If set to 0, or if do\-tcp is "no", no TCP queries from clients are -accepted. For larger installations increasing this value is a good idea. -.TP -.B edns\-buffer\-size: \fI<number> -Number of bytes size to advertise as the EDNS reassembly buffer size. -This is the value put into datagrams over UDP towards peers. The actual -buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do -not set higher than that value. Default is 4096 which is RFC recommended. -If you have fragmentation reassembly problems, usually seen as timeouts, -then a value of 1480 can fix it. Setting to 512 bypasses even the most -stringent path MTU problems, but is seen as extreme, since the amount -of TCP fallback generated is excessive (probably also for this resolver, -consider tuning the outgoing tcp number). -.TP -.B max\-udp\-size: \fI<number> -Maximum UDP response size (not applied to TCP response). 65536 disables the -udp response size maximum, and uses the choice from the client, always. -Suggested values are 512 to 4096. Default is 4096. -.TP -.B msg\-buffer\-size: \fI<number> -Number of bytes size of the message buffers. Default is 65552 bytes, enough -for 64 Kb packets, the maximum DNS message size. No message larger than this -can be sent or received. Can be reduced to use less memory, but some requests -for DNS data, such as for huge resource records, will result in a SERVFAIL -reply to the client. -.TP -.B msg\-cache\-size: \fI<number> -Number of bytes size of the message cache. Default is 4 megabytes. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B msg\-cache\-slabs: \fI<number> -Number of slabs in the message cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. Setting (close) to the number of cpus is a -reasonable guess. -.TP -.B num\-queries\-per\-thread: \fI<number> -The number of queries that every thread will service simultaneously. -If more queries arrive that need servicing, and no queries can be jostled out -(see \fIjostle\-timeout\fR), then the queries are dropped. This forces -the client to resend after a timeout; allowing the server time to work on -the existing queries. Default depends on compile options, 512 or 1024. -.TP -.B jostle\-timeout: \fI<msec> -Timeout used when the server is very busy. Set to a value that usually -results in one roundtrip to the authority servers. If too many queries -arrive, then 50% of the queries are allowed to run to completion, and -the other 50% are replaced with the new incoming query if they have already -spent more than their allowed time. This protects against denial of -service by slow queries or high query rates. Default 200 milliseconds. -The effect is that the qps for long-lasting queries is about -(numqueriesperthread / 2) / (average time for such long queries) qps. -The qps for short queries can be about (numqueriesperthread / 2) -/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 -qps by default. -.TP -.B delay\-close: \fI<msec> -Extra delay for timeouted UDP ports before they are closed, in msec. -Default is 0, and that disables it. This prevents very delayed answer -packets from the upstream (recursive) servers from bouncing against -closed ports and setting off all sort of close-port counters, with -eg. 1500 msec. When timeouts happen you need extra sockets, it checks -the ID and remote IP of packets, and unwanted packets are added to the -unwanted packet counter. -.TP -.B so\-rcvbuf: \fI<number> -If not 0, then set the SO_RCVBUF socket option to get more buffer -space on UDP port 53 incoming queries. So that short spikes on busy -servers do not drop packets (see counter in netstat \-su). Default is -0 (use system value). Otherwise, the number of bytes to ask for, try -"4m" on a busy server. The OS caps it at a maximum, on linux unbound -needs root permission to bypass the limit, or the admin can use sysctl -net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. -On OpenBSD change header and recompile kernel. On Solaris ndd \-set -/dev/udp udp_max_buf 8388608. -.TP -.B so\-sndbuf: \fI<number> -If not 0, then set the SO_SNDBUF socket option to get more buffer space on -UDP port 53 outgoing queries. This for very busy servers handles spikes -in answer traffic, otherwise 'send: resource temporarily unavailable' -can get logged, the buffer overrun is also visible by netstat \-su. -Default is 0 (use system value). Specify the number of bytes to ask -for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux unbound needs root permission to bypass the limit, or the admin -can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar -to so\-rcvbuf. -.TP -.B so\-reuseport: \fI<yes or no> -If yes, then open dedicated listening sockets for incoming queries for each -thread and try to set the SO_REUSEPORT socket option on each socket. May -distribute incoming queries to threads more evenly. Default is no. On Linux -it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may -also work. You can enable it (on any platform and kernel), -it then attempts to open the port and passes the option if it was available -at compile time, if that works it is used, if it fails, it continues -silently (unless verbosity 3) without the option. -.TP -.B ip\-transparent: \fI<yes or no> -If yes, then use IP_TRANSPARENT socket option on sockets where unbound -is listening for incoming traffic. Default no. Allows you to bind to -non\-local interfaces. For example for non\-existant IP addresses that -are going to exist later on, with host failover configuration. This is -a lot like interface\-automatic, but that one services all interfaces -and with this option you can select which (future) interfaces unbound -provides service on. This option needs unbound to be started with root -permissions on some systems. The option uses IP_BINDANY on FreeBSD systems. -.TP -.B ip\-freebind: \fI<yes or no> -If yes, then use IP_FREEBIND socket option on sockets where unbound -is listening to incoming traffic. Default no. Allows you to bind to -IP addresses that are nonlocal or do not exist, like when the network -interface or IP address is down. Exists only on Linux, where the similar -ip\-transparent option is also available. -.TP -.B rrset\-cache\-size: \fI<number> -Number of bytes size of the RRset cache. Default is 4 megabytes. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B rrset\-cache\-slabs: \fI<number> -Number of slabs in the RRset cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. -.TP -.B cache\-max\-ttl: \fI<seconds> -Time to live maximum for RRsets and messages in the cache. Default is -86400 seconds (1 day). If the maximum kicks in, responses to clients -still get decrementing TTLs based on the original (larger) values. -When the internal TTL expires, the cache item has expired. -Can be set lower to force the resolver to query for data often, and not -trust (very large) TTL values. -.TP -.B cache\-min\-ttl: \fI<seconds> -Time to live minimum for RRsets and messages in the cache. Default is 0. -If the minimum kicks in, the data is cached for longer than the domain -owner intended, and thus less queries are made to look up the data. -Zero makes sure the data in the cache is as the domain owner intended, -higher values, especially more than an hour or so, can lead to trouble as -the data in the cache does not match up with the actual data any more. -.TP -.B cache\-max\-negative\-ttl: \fI<seconds> -Time to live maximum for negative responses, these have a SOA in the -authority section that is limited in time. Default is 3600. -.TP -.B infra\-host\-ttl: \fI<seconds> -Time to live for entries in the host cache. The host cache contains -roundtrip timing, lameness and EDNS support information. Default is 900. -.TP -.B infra\-cache\-slabs: \fI<number> -Number of slabs in the infrastructure cache. Slabs reduce lock contention -by threads. Must be set to a power of 2. -.TP -.B infra\-cache\-numhosts: \fI<number> -Number of hosts for which information is cached. Default is 10000. -.TP -.B infra\-cache\-min\-rtt: \fI<msec> -Lower limit for dynamic retransmit timeout calculation in infrastructure -cache. Default is 50 milliseconds. Increase this value if using forwarders -needing more time to do recursive name resolution. -.TP -.B define\-tag: \fI<"list of tags"> -Define the tags that can be used with local\-zone and access\-control. -Enclose the list between quotes ("") and put spaces between tags. -.TP -.B do\-ip4: \fI<yes or no> -Enable or disable whether ip4 queries are answered or issued. Default is yes. -.TP -.B do\-ip6: \fI<yes or no> -Enable or disable whether ip6 queries are answered or issued. Default is yes. -If disabled, queries are not answered on IPv6, and queries are not sent on -IPv6 to the internet nameservers. With this option you can disable the -ipv6 transport for sending DNS traffic, it does not impact the contents of -the DNS traffic, which may have ip4 and ip6 addresses in it. -.TP -.B prefer\-ip6: \fI<yes or no> -If enabled, prefer IPv6 transport for sending DNS queries to internet -nameservers. Default is no. -.TP -.B do\-udp: \fI<yes or no> -Enable or disable whether UDP queries are answered or issued. Default is yes. -.TP -.B do\-tcp: \fI<yes or no> -Enable or disable whether TCP queries are answered or issued. Default is yes. -.TP -.B tcp\-mss: \fI<number> -Maximum segment size (MSS) of TCP socket on which the server responds -to queries. Value lower than common MSS on Ethernet -(1220 for example) will address path MTU problem. -Note that not all platform supports socket option to set MSS (TCP_MAXSEG). -Default is system default MSS determined by interface MTU and -negotiation between server and client. -.TP -.B outgoing\-tcp\-mss: \fI<number> -Maximum segment size (MSS) of TCP socket for outgoing queries -(from Unbound to other servers). Value lower than -common MSS on Ethernet (1220 for example) will address path MTU problem. -Note that not all platform supports socket option to set MSS (TCP_MAXSEG). -Default is system default MSS determined by interface MTU and -negotiation between Unbound and other servers. -.TP -.B tcp\-upstream: \fI<yes or no> -Enable or disable whether the upstream queries use TCP only for transport. -Default is no. Useful in tunneling scenarios. -.TP -.B ssl\-upstream: \fI<yes or no> -Enabled or disable whether the upstream queries use SSL only for transport. -Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in -TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). -.TP -.B ssl\-service-key: \fI<file> -If enabled, the server provider SSL service on its TCP sockets. The clients -have to use ssl\-upstream: yes. The file is the private key for the TLS -session. The public certificate is in the ssl\-service\-pem file. Default -is "", turned off. Requires a restart (a reload is not enough) if changed, -because the private key is read while root permissions are held and before -chroot (if any). Normal DNS TCP service is not provided and gives errors, -this service is best run with a different \fBport:\fR config or \fI@port\fR -suffixes in the \fBinterface\fR config. -.TP -.B ssl\-service\-pem: \fI<file> -The public key certificate pem file for the ssl service. Default is "", -turned off. -.TP -.B ssl\-port: \fI<number> -The port number on which to provide TCP SSL service, default 853, only -interfaces configured with that port number as @number get the SSL service. -.TP -.B use\-systemd: \fI<yes or no> -Enable or disable systemd socket activation. -Default is no. -.TP -.B do\-daemonize: \fI<yes or no> -Enable or disable whether the unbound server forks into the background as -a daemon. Set the value to \fIno\fR when unbound runs as systemd service. -Default is yes. -.TP -.B access\-control: \fI<IP netblock> <action> -The netblock is given as an IP4 or IP6 address with /size appended for a -classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, -\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. -The most specific netblock match is used, if none match \fIdeny\fR is used. -.IP -The action \fIdeny\fR stops queries from hosts from that netblock. -.IP -The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED -error message back. -.IP -The action \fIallow\fR gives access to clients from that netblock. -It gives only access for recursion clients (which is -what almost all clients need). Nonrecursive queries are refused. -.IP -The \fIallow\fR action does allow nonrecursive queries to access the -local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served -in the reply. This supports normal operations where nonrecursive queries -are made for the authoritative data. For nonrecursive queries any replies -from the dynamic cache are refused. -.IP -The action \fIallow_snoop\fR gives nonrecursive access too. This give -both recursive and non recursive access. The name \fIallow_snoop\fR refers -to cache snooping, a technique to use nonrecursive queries to examine -the cache contents (for malicious acts). However, nonrecursive queries can -also be a valuable debugging tool (when you want to examine the cache -contents). In that case use \fIallow_snoop\fR for your administration host. -.IP -By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. -The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS -protocol is not designed to handle dropped packets due to policy, and -dropping may result in (possibly excessive) retried queries. -.IP -The deny_non_local and refuse_non_local settings are for hosts that are -only allowed to query for the authoritative local\-data, they are not -allowed full recursion but only the static data. With deny_non_local, -messages that are disallowed are dropped, with refuse_non_local they -receive error code REFUSED. -.TP -.B access\-control\-tag: \fI<IP netblock> <"list of tags"> -Assign tags to access-control elements. Clients using this access control -element use localzones that are tagged with one of these tags. Tags must be -defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put -spaces between tags. If access\-control\-tag is configured for a netblock that -does not have an access\-control, an access\-control element with action -\fIallow\fR is configured for this netblock. -.TP -.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action> -Set action for particular tag for given access control element. If you have -multiple tag values, the tag used to lookup the action is the first tag match -between access\-control\-tag and local\-zone\-tag where "first" comes from the -order of the define-tag values. -.TP -.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string"> -Set redirect data for particular tag for given access control element. -.TP -.B access\-control\-view: \fI<IP netblock> <view name> -Set view for given access control element. -.TP -.B chroot: \fI<directory> -If chroot is enabled, you should pass the configfile (from the -commandline) as a full path from the original root. After the -chroot has been performed the now defunct portion of the config -file path is removed to be able to reread the config after a reload. -.IP -All other file paths (working dir, logfile, roothints, and -key files) can be specified in several ways: -as an absolute path relative to the new root, -as a relative path to the working directory, or -as an absolute path relative to the original root. -In the last case the path is adjusted to remove the unused portion. -.IP -The pidfile can be either a relative path to the working directory, or -an absolute path relative to the original root. It is written just prior -to chroot and dropping permissions. This allows the pidfile to be -/var/run/unbound.pid and the chroot to be /var/unbound, for example. -.IP -Additionally, unbound may need to access /dev/random (for entropy) -from inside the chroot. -.IP -If given a chroot is done to the given directory. The default is -"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed. -.TP -.B username: \fI<name> -If given, after binding the port the user privileges are dropped. Default is -"@UNBOUND_USERNAME@". If you give username: "" no user change is performed. -.IP -If this user is not capable of binding the -port, reloads (by signal HUP) will still retain the opened ports. -If you change the port number in the config file, and that new port number -requires privileges, then a reload will fail; a restart is needed. -.TP -.B directory: \fI<directory> -Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@". -On Windows the string "%EXECUTABLE%" tries to change to the directory -that unbound.exe resides in. -If you give a server: directory: dir before include: file statements -then those includes can be relative to the working directory. -.TP -.B logfile: \fI<filename> -If "" is given, logging goes to stderr, or nowhere once daemonized. -The logfile is appended to, in the following format: -.nf -[seconds since 1970] unbound[pid:tid]: type: message. -.fi -If this option is given, the use\-syslog is option is set to "no". -The logfile is reopened (for append) when the config file is reread, on -SIGHUP. -.TP -.B use\-syslog: \fI<yes or no> -Sets unbound to send log messages to the syslogd, using -\fIsyslog\fR(3). -The log facility LOG_DAEMON is used, with identity "unbound". -The logfile setting is overridden when use\-syslog is turned on. -The default is to log to syslog. -.TP -.B log\-identity: \fI<string> -If "" is given (default), then the name of the executable, usually "unbound" -is used to report to the log. Enter a string to override it -with that, which is useful on systems that run more than one instance of -unbound, with different configurations, so that the logs can be easily -distinguished against. -.TP -.B log\-time\-ascii: \fI<yes or no> -Sets logfile lines to use a timestamp in UTC ascii. Default is no, which -prints the seconds since 1970 in brackets. No effect if using syslog, in -that case syslog formats the timestamp printed into the log files. -.TP -.B log\-queries: \fI<yes or no> -Prints one line per query to the log, with the log timestamp and IP address, -name, type and class. Default is no. Note that it takes time to print these -lines which makes the server (significantly) slower. Odd (nonprintable) -characters in names are printed as '?'. -.TP -.B log\-replies: \fI<yes or no> -Prints one line per reply to the log, with the log timestamp and IP address, -name, type, class, return code, time to resolve, from cache and response size. -Default is no. Note that it takes time to print these -lines which makes the server (significantly) slower. Odd (nonprintable) -characters in names are printed as '?'. -.TP -.B pidfile: \fI<filename> -The process id is written to the file. Default is "@UNBOUND_PIDFILE@". -So, -.nf -kill \-HUP `cat @UNBOUND_PIDFILE@` -.fi -triggers a reload, -.nf -kill \-TERM `cat @UNBOUND_PIDFILE@` -.fi -gracefully terminates. -.TP -.B root\-hints: \fI<filename> -Read the root hints from this file. Default is nothing, using builtin hints -for the IN class. The file has the format of zone files, with root -nameserver names and addresses only. The default may become outdated, -when servers change, therefore it is good practice to use a root\-hints file. -.TP -.B hide\-identity: \fI<yes or no> -If enabled id.server and hostname.bind queries are refused. -.TP -.B identity: \fI<string> -Set the identity to report. If set to "", the default, then the hostname -of the server is returned. -.TP -.B hide\-version: \fI<yes or no> -If enabled version.server and version.bind queries are refused. -.TP -.B version: \fI<string> -Set the version to report. If set to "", the default, then the package -version is returned. -.TP -.B hide\-trustanchor: \fI<yes or no> -If enabled trustanchor.unbound queries are refused. -.TP -.B target\-fetch\-policy: \fI<"list of numbers"> -Set the target fetch policy used by unbound to determine if it should fetch -nameserver target addresses opportunistically. The policy is described per -dependency depth. -.IP -The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. -A value of \-1 means to fetch all targets opportunistically for that dependency -depth. A value of 0 means to fetch on demand only. A positive value fetches -that many targets opportunistically. -.IP -Enclose the list between quotes ("") and put spaces between numbers. -The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour -closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour -rumoured to be closer to that of BIND 8. -.TP -.B harden\-short\-bufsize: \fI<yes or no> -Very small EDNS buffer sizes from queries are ignored. Default is off, since -it is legal protocol wise to send these, and unbound tries to give very -small answers to these queries, where possible. -.TP -.B harden\-large\-queries: \fI<yes or no> -Very large queries are ignored. Default is off, since it is legal protocol -wise to send these, and could be necessary for operation if TSIG or EDNS -payload is very large. -.TP -.B harden\-glue: \fI<yes or no> -Will trust glue only if it is within the servers authority. Default is on. -.TP -.B harden\-dnssec\-stripped: \fI<yes or no> -Require DNSSEC data for trust\-anchored zones, if such data is absent, -the zone becomes bogus. If turned off, and no DNSSEC data is received -(or the DNSKEY data fails to validate), then the zone is made insecure, -this behaves like there is no trust anchor. You could turn this off if -you are sometimes behind an intrusive firewall (of some sort) that -removes DNSSEC data from packets, or a zone changes from signed to -unsigned to badly signed often. If turned off you run the risk of a -downgrade attack that disables security for a zone. Default is on. -.TP -.B harden\-below\-nxdomain: \fI<yes or no> -From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"), -returns nxdomain to queries for a name -below another name that is already known to be nxdomain. DNSSEC mandates -noerror for empty nonterminals, hence this is possible. Very old software -might return nxdomain for empty nonterminals (that usually happen for reverse -IP address lookups), and thus may be incompatible with this. To try to avoid -this only DNSSEC-secure nxdomains are used, because the old software does not -have DNSSEC. Default is off. -The nxdomain must be secure, this means nsec3 with optout is insufficient. -.TP -.B harden\-referral\-path: \fI<yes or no> -Harden the referral path by performing additional queries for -infrastructure data. Validates the replies if trust anchors are configured -and the zones are signed. This enforces DNSSEC validation on nameserver -NS sets and the nameserver addresses that are encountered on the referral -path to the answer. -Default off, because it burdens the authority servers, and it is -not RFC standard, and could lead to performance problems because of the -extra query load that is generated. Experimental option. -If you enable it consider adding more numbers after the target\-fetch\-policy -to increase the max depth that is checked to. -.TP -.B harden\-algo\-downgrade: \fI<yes or no> -Harden against algorithm downgrade when multiple algorithms are -advertised in the DS record. If no, allows the weakest algorithm to -validate the zone. Default is no. Zone signers must produce zones -that allow this feature to work, but sometimes they do not, and turning -this option off avoids that validation failure. -.TP -.B use\-caps\-for\-id: \fI<yes or no> -Use 0x20\-encoded random bits in the query to foil spoof attempts. -This perturbs the lowercase and uppercase of query names sent to -authority servers and checks if the reply still has the correct casing. -Disabled by default. -This feature is an experimental implementation of draft dns\-0x20. -.TP -.B caps\-whitelist: \fI<domain> -Whitelist the domain so that it does not receive caps\-for\-id perturbed -queries. For domains that do not support 0x20 and also fail with fallback -because they keep sending different answers, like some load balancers. -Can be given multiple times, for different domains. -.TP -.B qname\-minimisation: \fI<yes or no> -Send minimum amount of information to upstream servers to enhance privacy. -Only sent minimum required labels of the QNAME and set QTYPE to NS when -possible. Best effort approach; full QNAME and original QTYPE will be sent when -upstream replies with a RCODE other than NOERROR, except when receiving -NXDOMAIN from a DNSSEC signed zone. Default is off. -.TP -.B qname\-minimisation\-strict: \fI<yes or no> -QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to -potentially broken nameservers. A lot of domains will not be resolvable when -this option in enabled. Only use if you know what you are doing. -This option only has effect when qname-minimisation is enabled. Default is off. -.TP -.B private\-address: \fI<IP address or subnet> -Give IPv4 of IPv6 addresses or classless subnets. These are addresses -on your private network, and are not allowed to be returned for -public internet names. Any occurrence of such addresses are removed -from DNS answers. Additionally, the DNSSEC validator may mark the -answers bogus. This protects against so\-called DNS Rebinding, where -a user browser is turned into a network proxy, allowing remote access -through the browser to other parts of your private network. Some names -can be allowed to contain your private addresses, by default all the -\fBlocal\-data\fR that you configured is allowed to, and you can specify -additional names using \fBprivate\-domain\fR. No private addresses are -enabled by default. We consider to enable this for the RFC1918 private -IP address space by default in later releases. That would enable private -addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 -fd00::/8 and fe80::/10, since the RFC standards say these addresses -should not be visible on the public internet. Turning on 127.0.0.0/8 -would hinder many spamblocklists as they use that. Adding ::ffff:0:0/96 -stops IPv4-mapped IPv6 addresses from bypassing the filter. -.TP -.B private\-domain: \fI<domain name> -Allow this domain, and all its subdomains to contain private addresses. -Give multiple times to allow multiple domain names to contain private -addresses. Default is none. -.TP -.B unwanted\-reply\-threshold: \fI<number> -If set, a total number of unwanted replies is kept track of in every thread. -When it reaches the threshold, a defensive action is taken and a warning -is printed to the log. The defensive action is to clear the rrset and -message caches, hopefully flushing away any poison. A value of 10 million -is suggested. Default is 0 (turned off). -.TP -.B do\-not\-query\-address: \fI<IP address> -Do not query the given IP address. Can be IP4 or IP6. Append /num to -indicate a classless delegation netblock, for example like -10.2.3.4/24 or 2001::11/64. -.TP -.B do\-not\-query\-localhost: \fI<yes or no> -If yes, localhost is added to the do\-not\-query\-address entries, both -IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send -queries to. Default is yes. -.TP -.B prefetch: \fI<yes or no> -If yes, message cache elements are prefetched before they expire to -keep the cache up to date. Default is no. Turning it on gives about -10 percent more traffic and load on the machine, but popular items do -not expire from the cache. -.TP -.B prefetch-key: \fI<yes or no> -If yes, fetch the DNSKEYs earlier in the validation process, when a DS -record is encountered. This lowers the latency of requests. It does use -a little more CPU. Also if the cache is set to 0, it is no use. Default is no. -.TP -.B rrset-roundrobin: \fI<yes or no> -If yes, Unbound rotates RRSet order in response (the random number is taken -from the query ID, for speed and thread safety). Default is no. -.TP -.B minimal-responses: \fI<yes or no> -If yes, Unbound doesn't insert authority/additional sections into response -messages when those sections are not required. This reduces response -size significantly, and may avoid TCP fallback for some responses. -This may cause a slight speedup. The default is no, because the DNS -protocol RFCs mandate these sections, and the additional content could -be of use and save roundtrips for clients. -.TP -.B disable-dnssec-lame-check: \fI<yes or no> -If true, disables the DNSSEC lameness check in the iterator. This check -sees if RRSIGs are present in the answer, when dnssec is expected, -and retries another authority if RRSIGs are unexpectedly missing. -The validator will insist in RRSIGs for DNSSEC signed domains regardless -of this setting, if a trust anchor is loaded. -.TP -.B module\-config: \fI<"module names"> -Module configuration, a list of module names separated by spaces, surround -the string with quotes (""). The modules can be validator, iterator. -Setting this to "iterator" will result in a non\-validating server. -Setting this to "validator iterator" will turn on DNSSEC validation. -The ordering of the modules is important. -You must also set trust\-anchors for validation to be useful. -.TP -.B trust\-anchor\-file: \fI<filename> -File with trusted keys for validation. Both DS and DNSKEY entries can appear -in the file. The format of the file is the standard DNS Zone file format. -Default is "", or no trust anchor file. -.TP -.B auto\-trust\-anchor\-file: \fI<filename> -File with trust anchor for one zone, which is tracked with RFC5011 probes. -The probes are several times per month, thus the machine must be online -frequently. The initial file can be one with contents as described in -\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. Write permission to the file, -but also to the directory it is in (to create a temporary file, which is -necessary to deal with filesystem full events), it must also be inside the -chroot (if that is used). -.TP -.B trust\-anchor: \fI<"Resource Record"> -A DS or DNSKEY RR for a key to use for validation. Multiple entries can be -given to specify multiple trusted keys, in addition to the trust\-anchor\-files. -The resource record is entered in the same format as 'dig' or 'drill' prints -them, the same format as in the zone file. Has to be on a single line, with -"" around it. A TTL can be specified for ease of cut and paste, but is ignored. -A class can be specified, but class IN is default. -.TP -.B trusted\-keys\-file: \fI<filename> -File with trusted keys for validation. Specify more than one file -with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR -but has a different file format. Format is BIND\-9 style format, -the trusted\-keys { name flag proto algo "key"; }; clauses are read. -It is possible to use wildcards with this statement, the wildcard is -expanded on start and on reload. -.TP -.B dlv\-anchor\-file: \fI<filename> -This option was used during early days DNSSEC deployment when no parent-side -DS record registrations were easily available. Nowadays, it is best to have -DS records registered with the parent zone (many top level zones are signed). -File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and -DNSKEY entries can be used in the file, in the same format as for -\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more -would be slow. The DLV configured is used as a root trusted DLV, this -means that it is a lookaside for the root. Default is "", or no dlv anchor file. -DLV is going to be decommissioned. Please do not use it any more. -.TP -.B dlv\-anchor: \fI<"Resource Record"> -Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. -DLV is going to be decommissioned. Please do not use it any more. -.TP -.B domain\-insecure: \fI<domain name> -Sets domain name to be insecure, DNSSEC chain of trust is ignored towards -the domain name. So a trust anchor above the domain name can not make the -domain secure with a DS record, such a DS record is then ignored. -Also keys from DLV are ignored for the domain. Can be given multiple times -to specify multiple domains that are treated as if unsigned. If you set -trust anchors for the domain they override this setting (and the domain -is secured). -.IP -This can be useful if you want to make sure a trust anchor for external -lookups does not affect an (unsigned) internal domain. A DS record -externally can create validation failures for that internal domain. -.TP -.B val\-override\-date: \fI<rrsig\-style date spec> -Default is "" or "0", which disables this debugging feature. If enabled by -giving a RRSIG style date, that date is used for verifying RRSIG inception -and expiration dates, instead of the current date. Do not set this unless -you are debugging signature inception and expiration. The value \-1 ignores -the date altogether, useful for some special applications. -.TP -.B val\-sig\-skew\-min: \fI<seconds> -Minimum number of seconds of clock skew to apply to validated signatures. -A value of 10% of the signature lifetime (expiration \- inception) is -used, capped by this setting. Default is 3600 (1 hour) which allows for -daylight savings differences. Lower this value for more strict checking -of short lived signatures. -.TP -.B val\-sig\-skew\-max: \fI<seconds> -Maximum number of seconds of clock skew to apply to validated signatures. -A value of 10% of the signature lifetime (expiration \- inception) -is used, capped by this setting. Default is 86400 (24 hours) which -allows for timezone setting problems in stable domains. Setting both -min and max very low disables the clock skew allowances. Setting both -min and max very high makes the validator check the signature timestamps -less strictly. -.TP -.B val\-bogus\-ttl: \fI<number> -The time to live for bogus data. This is data that has failed validation; -due to invalid signatures or other checks. The TTL from that data cannot be -trusted, and this value is used instead. The value is in seconds, default 60. -The time interval prevents repeated revalidation of bogus data. -.TP -.B val\-clean\-additional: \fI<yes or no> -Instruct the validator to remove data from the additional section of secure -messages that are not signed properly. Messages that are insecure, bogus, -indeterminate or unchecked are not affected. Default is yes. Use this setting -to protect the users that rely on this validator for authentication from -potentially bad data in the additional section. -.TP -.B val\-log\-level: \fI<number> -Have the validator print validation failures to the log. Regardless of -the verbosity setting. Default is 0, off. At 1, for every user query -that fails a line is printed to the logs. This way you can monitor what -happens with validation. Use a diagnosis tool, such as dig or drill, -to find out why validation is failing for these queries. At 2, not only -the query that failed is printed but also the reason why unbound thought -it was wrong and which server sent the faulty data. -.TP -.B val\-permissive\-mode: \fI<yes or no> -Instruct the validator to mark bogus messages as indeterminate. The security -checks are performed, but if the result is bogus (failed security), the -reply is not withheld from the client with SERVFAIL as usual. The client -receives the bogus data. For messages that are found to be secure the AD bit -is set in replies. Also logging is performed as for full validation. -The default value is "no". -.TP -.B ignore\-cd\-flag: \fI<yes or no> -Instruct unbound to ignore the CD flag from clients and refuse to -return bogus answers to them. Thus, the CD (Checking Disabled) flag -does not disable checking any more. This is useful if legacy (w2008) -servers that set the CD flag but cannot validate DNSSEC themselves are -the clients, and then unbound provides them with DNSSEC protection. -The default value is "no". -.TP -.B serve\-expired: \fI<yes or no> -If enabled, unbound attempts to serve old responses from cache with a -TTL of 0 in the response without waiting for the actual resolution to finish. -The actual resolution answer ends up in the cache later on. Default is "no". -.TP -.B val\-nsec3\-keysize\-iterations: \fI<"list of values"> -List of keysize and iteration count values, separated by spaces, surrounded -by quotes. Default is "1024 150 2048 500 4096 2500". This determines the -maximum allowed NSEC3 iteration count before a message is simply marked -insecure instead of performing the many hashing iterations. The list must -be in ascending order and have at least one entry. If you set it to -"1024 65535" there is no restriction to NSEC3 iteration values. -This table must be kept short; a very long list could cause slower operation. -.TP -.B add\-holddown: \fI<seconds> -Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 -autotrust updates to add new trust anchors only after they have been -visible for this time. Default is 30 days as per the RFC. -.TP -.B del\-holddown: \fI<seconds> -Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 -autotrust updates to remove revoked trust anchors after they have been -kept in the revoked list for this long. Default is 30 days as per -the RFC. -.TP -.B keep\-missing: \fI<seconds> -Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011 -autotrust updates to remove missing trust anchors after they have been -unseen for this long. This cleans up the state file if the target zone -does not perform trust anchor revocation, so this makes the auto probe -mechanism work with zones that perform regular (non\-5011) rollovers. -The default is 366 days. The value 0 does not remove missing anchors, -as per the RFC. -.TP -.B permit\-small\-holddown: \fI<yes or no> -Debug option that allows the autotrust 5011 rollover timers to assume -very small values. Default is no. -.TP -.B key\-cache\-size: \fI<number> -Number of bytes size of the key cache. Default is 4 megabytes. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B key\-cache\-slabs: \fI<number> -Number of slabs in the key cache. Slabs reduce lock contention by threads. -Must be set to a power of 2. Setting (close) to the number of cpus is a -reasonable guess. -.TP -.B neg\-cache\-size: \fI<number> -Number of bytes size of the aggressive negative cache. Default is 1 megabyte. -A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes -or gigabytes (1024*1024 bytes in a megabyte). -.TP -.B unblock\-lan\-zones: \fI<yesno> -Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when -running as dns service on a host where it provides service for that host, -to put out all of the queries for the 'lan' upstream. When enabled, -only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running -as a (DHCP-) DNS network resolver for a group of machines, where such -lookups should be filtered (RFC compliance), this also stops potential -data leakage about the local network to the upstream DNS servers. -.TP -.B insecure\-lan\-zones: \fI<yesno> -Default is disabled. If enabled, then reverse lookups in private -address space are not validated. This is usually required whenever -\fIunblock\-lan\-zones\fR is used. -.TP -.B local\-zone: \fI<zone> <type> -Configure a local zone. The type determines the answer to give if -there is no match from local\-data. The types are deny, refuse, static, -transparent, redirect, nodefault, typetransparent, inform, inform_deny, -always_transparent, always_refuse, always_nxdomain, -and are explained below. After that the default settings are listed. Use -local\-data: to enter data into the local zone. Answers for local zones -are authoritative DNS answers. By default the zones are class IN. -.IP -If you need more complicated authoritative data, with referrals, wildcards, -CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for -it as detailed in the stub zone section below. -.TP 10 -\h'5'\fIdeny\fR -Do not send an answer, drop the query. -If there is a match from local data, the query is answered. -.TP 10 -\h'5'\fIrefuse\fR -Send an error message reply, with rcode REFUSED. -If there is a match from local data, the query is answered. -.TP 10 -\h'5'\fIstatic\fR -If there is a match from local data, the query is answered. -Otherwise, the query is answered with nodata or nxdomain. -For a negative answer a SOA is included in the answer if present -as local\-data for the zone apex domain. -.TP 10 -\h'5'\fItransparent\fR -If there is a match from local data, the query is answered. -Otherwise if the query has a different name, the query is resolved normally. -If the query is for a name given in localdata but no such type of data is -given in localdata, then a noerror nodata answer is returned. -If no local\-zone is given local\-data causes a transparent zone -to be created by default. -.TP 10 -\h'5'\fItypetransparent\fR -If there is a match from local data, the query is answered. If the query -is for a different name, or for the same name but for a different type, -the query is resolved normally. So, similar to transparent but types -that are not listed in local data are resolved normally, so if an A record -is in the local data that does not cause a nodata reply for AAAA queries. -.TP 10 -\h'5'\fIredirect\fR -The query is answered from the local data for the zone name. -There may be no local data beneath the zone name. -This answers queries for the zone, and all subdomains of the zone -with the local data for the zone. -It can be used to redirect a domain to return a different address record -to the end user, with -local\-zone: "example.com." redirect and -local\-data: "example.com. A 127.0.0.1" -queries for www.example.com and www.foo.example.com are redirected, so -that users with web browsers cannot access sites with suffix example.com. -.TP 10 -\h'5'\fIinform\fR -The query is answered normally, same as transparent. The client IP -address (@portnumber) is printed to the logfile. The log message is: -timestamp, unbound-pid, info: zonename inform IP@port queryname type -class. This option can be used for normal resolution, but machines -looking up infected names are logged, eg. to run antivirus on them. -.TP 10 -\h'5'\fIinform_deny\fR -The query is dropped, like 'deny', and logged, like 'inform'. Ie. find -infected machines without answering the queries. -.TP 10 -\h'5'\fIalways_transparent\fR -Like transparent, but ignores local data and resolves normally. -.TP 10 -\h'5'\fIalways_refuse\fR -Like refuse, but ignores local data and refuses the query. -.TP 10 -\h'5'\fIalways_nxdomain\fR -Like static, but ignores local data and returns nxdomain for the query. -.TP 10 -\h'5'\fInodefault\fR -Used to turn off default contents for AS112 zones. The other types -also turn off default contents for the zone. The 'nodefault' option -has no other effect than turning off default contents for the -given zone. Use \fInodefault\fR if you use exactly that zone, if you want to -use a subzone, use \fItransparent\fR. -.P -The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and -the AS112 zones. The AS112 zones are reverse DNS zones for private use and -reserved IP addresses for which the servers on the internet cannot provide -correct answers. They are configured by default to give nxdomain (no reverse -information) answers. The defaults can be turned off by specifying your -own local\-zone of that name, or using the 'nodefault' type. Below is a -list of the default zone contents. -.TP 10 -\h'5'\fIlocalhost\fR -The IP4 and IP6 localhost information is given. NS and SOA records are provided -for completeness and to satisfy some DNS update tools. Default content: -.nf -local\-zone: "localhost." static -local\-data: "localhost. 10800 IN NS localhost." -local\-data: "localhost. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "localhost. 10800 IN A 127.0.0.1" -local\-data: "localhost. 10800 IN AAAA ::1" -.fi -.TP 10 -\h'5'\fIreverse IPv4 loopback\fR -Default content: -.nf -local\-zone: "127.in\-addr.arpa." static -local\-data: "127.in\-addr.arpa. 10800 IN NS localhost." -local\-data: "127.in\-addr.arpa. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN - PTR localhost." -.fi -.TP 10 -\h'5'\fIreverse IPv6 loopback\fR -Default content: -.nf -local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static -local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN - NS localhost." -local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN - PTR localhost." -.fi -.TP 10 -\h'5'\fIonion (RFC 7686)\fR -Default content: -.nf -local\-zone: "onion." static -local\-data: "onion. 10800 IN NS localhost." -local\-data: "onion. 10800 IN - SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" -.fi -.TP 10 -\h'5'\fIreverse RFC1918 local use zones\fR -Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to -31.172.in\-addr.arpa, 168.192.in\-addr.arpa. -The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS -records are provided. -.TP 10 -\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR -Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, -2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), -113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. -And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space). -.TP 10 -\h'5'\fIreverse RFC4291 IP6 unspecified\fR -Reverse data for zone -.nf -0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. -0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. -.fi -.TP 10 -\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR -Reverse data for zone D.F.ip6.arpa. -.TP 10 -\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR -Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa. -.TP 10 -\h'5'\fIreverse IPv6 Example Prefix\fR -Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for -tutorials and examples. You can remove the block on this zone with: -.nf - local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault -.fi -You can also selectively unblock a part of the zone by making that part -transparent with a local\-zone statement. -This also works with the other default zones. -.\" End of local-zone listing. -.TP 5 -.B local\-data: \fI"<resource record string>" -Configure local data, which is served in reply to queries for it. -The query has to match exactly unless you configure the local\-zone as -redirect. If not matched exactly, the local\-zone type determines -further processing. If local\-data is configured that is not a subdomain of -a local\-zone, a transparent local\-zone is configured. -For record types such as TXT, use single quotes, as in -local\-data: 'example. TXT "text"'. -.IP -If you need more complicated authoritative data, with referrals, wildcards, -CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for -it as detailed in the stub zone section below. -.TP 5 -.B local\-data\-ptr: \fI"IPaddr name" -Configure local data shorthand for a PTR record with the reversed IPv4 or -IPv6 address and the host name. For example "192.0.2.4 www.example.com". -TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" -.TP 5 -.B local\-zone\-tag: \fI<zone> <"list of tags"> -Assign tags to localzones. Tagged localzones will only be applied when the -used access-control element has a matching tag. Tags must be defined in -\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between -tags. -.TP 5 -.B local\-zone\-override: \fI<zone> <IP netblock> <type> -Override the localzone type for queries from addresses matching netblock. -Use this localzone type, regardless the type configured for the local-zone -(both tagged and untagged) and regardless the type configured using -access\-control\-tag\-action. -.TP 5 -.B ratelimit: \fI<number or 0> -Enable ratelimiting of queries sent to nameserver for performing recursion. -If 0, the default, it is disabled. This option is experimental at this time. -The ratelimit is in queries per second that are allowed. More queries are -turned away with an error (servfail). This stops recursive floods, eg. random -query names, but not spoofed reflection floods. Cached responses are not -ratelimited by this setting. The zone of the query is determined by examining -the nameservers for it, the zone name is used to keep track of the rate. -For example, 1000 may be a suitable value to stop the server from being -overloaded with random names, and keeps unbound from sending traffic to the -nameservers for those zones. -.TP 5 -.B ratelimit\-size: \fI<memory size> -Give the size of the data structure in which the current ongoing rates are -kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). -The ratelimit structure is small, so this data structure likely does -not need to be large. -.TP 5 -.B ratelimit\-slabs: \fI<number> -Give power of 2 number of slabs, this is used to reduce lock contention -in the ratelimit tracking data structure. Close to the number of cpus is -a fairly good setting. -.TP 5 -.B ratelimit\-factor: \fI<number> -Set the amount of queries to rate limit when the limit is exceeded. -If set to 0, all queries are dropped for domains where the limit is -exceeded. If set to another value, 1 in that number is allowed through -to complete. Default is 10, allowing 1/10 traffic to flow normally. -This can make ordinary queries complete (if repeatedly queried for), -and enter the cache, whilst also mitigating the traffic flow by the -factor given. -.TP 5 -.B ratelimit\-for\-domain: \fI<domain> <number qps> -Override the global ratelimit for an exact match domain name with the listed -number. You can give this for any number of names. For example, for -a top\-level\-domain you may want to have a higher limit than other names. -.TP 5 -.B ratelimit\-below\-domain: \fI<domain> <number qps> -Override the global ratelimit for a domain name that ends in this name. -You can give this multiple times, it then describes different settings -in different parts of the namespace. The closest matching suffix is used -to determine the qps limit. The rate for the exact matching domain name -is not changed, use ratelimit\-for\-domain to set that, you might want -to use different settings for a top\-level\-domain and subdomains. -.TP 5 -.B ip\-ratelimit: \fI<number or 0> -Enable global ratelimiting of queries accepted per ip address. -If 0, the default, it is disabled. This option is experimental at this time. -The ratelimit is in queries per second that are allowed. More queries are -completely dropped and will not receive a reply, SERVFAIL or otherwise. -IP ratelimiting happens before looking in the cache. This may be useful for -mitigating amplification attacks. -.TP 5 -.B ip\-ratelimit\-size: \fI<memory size> -Give the size of the data structure in which the current ongoing rates are -kept track in. Default 4m. In bytes or use m(mega), k(kilo), g(giga). -The ip ratelimit structure is small, so this data structure likely does -not need to be large. -.TP 5 -.B ip\-ratelimit\-slabs: \fI<number> -Give power of 2 number of slabs, this is used to reduce lock contention -in the ip ratelimit tracking data structure. Close to the number of cpus is -a fairly good setting. -.TP 5 -.B ip\-ratelimit\-factor: \fI<number> -Set the amount of queries to rate limit when the limit is exceeded. -If set to 0, all queries are dropped for addresses where the limit is -exceeded. If set to another value, 1 in that number is allowed through -to complete. Default is 10, allowing 1/10 traffic to flow normally. -This can make ordinary queries complete (if repeatedly queried for), -and enter the cache, whilst also mitigating the traffic flow by the -factor given. -.SS "Remote Control Options" -In the -.B remote\-control: -clause are the declarations for the remote control facility. If this is -enabled, the \fIunbound\-control\fR(8) utility can be used to send -commands to the running unbound server. The server uses these clauses -to setup SSLv3 / TLSv1 security for the connection. The -\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR -section for options. To setup the correct self\-signed certificates use the -\fIunbound\-control\-setup\fR(8) utility. -.TP 5 -.B control\-enable: \fI<yes or no> -The option is used to enable remote control, default is "no". -If turned off, the server does not listen for control commands. -.TP 5 -.B control\-interface: \fI<ip address or path> -Give IPv4 or IPv6 addresses or local socket path to listen on for -control commands. -By default localhost (127.0.0.1 and ::1) is listened to. -Use 0.0.0.0 and ::0 to listen to all interfaces. -If you change this and permissions have been dropped, you must restart -the server for the change to take effect. -.TP 5 -.B control\-port: \fI<port number> -The port number to listen on for IPv4 or IPv6 control interfaces, -default is 8953. -If you change this and permissions have been dropped, you must restart -the server for the change to take effect. -.TP 5 -.B control\-use\-cert: \fI<yes or no> -Whether to require certificate authentication of control connections. -The default is "yes". -This should not be changed unless there are other mechanisms in place -to prevent untrusted users from accessing the remote control -interface. -.TP 5 -.B server\-key\-file: \fI<private key file> -Path to the server private key, by default unbound_server.key. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, but not by \fIunbound\-control\fR. -.TP 5 -.B server\-cert\-file: \fI<certificate file.pem> -Path to the server self signed certificate, by default unbound_server.pem. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, and also by \fIunbound\-control\fR. -.TP 5 -.B control\-key\-file: \fI<private key file> -Path to the control client private key, by default unbound_control.key. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by \fIunbound\-control\fR. -.TP 5 -.B control\-cert\-file: \fI<certificate file.pem> -Path to the control client certificate, by default unbound_control.pem. -This certificate has to be signed with the server certificate. -This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by \fIunbound\-control\fR. -.SS "Stub Zone Options" -.LP -There may be multiple -.B stub\-zone: -clauses. Each with a name: and zero or more hostnames or IP addresses. -For the stub zone this list of nameservers is used. Class IN is assumed. -The servers should be authority servers, not recursors; unbound performs -the recursive processing itself for stub zones. -.P -The stub zone can be used to configure authoritative data to be used -by the resolver that cannot be accessed using the public internet servers. -This is useful for company\-local data or private zones. Setup an -authoritative server on a different host (or different port). Enter a config -entry for unbound with -.B stub\-addr: -<ip address of host[@port]>. -The unbound resolver can then access the data, without referring to the -public internet for it. -.P -This setup allows DNSSEC signed zones to be served by that -authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD -bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the -private zone, and can even set the AD bit ('authentic'), but the AA -('authoritative') bit is not set on these replies. -.P -Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and -for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally -served zone. The insecure clause stops DNSSEC from invalidating the -zone. The local zone nodefault (or \fItransparent\fR) clause makes the -(reverse\-) zone bypass unbound's filtering of RFC1918 zones. -.TP -.B name: \fI<domain name> -Name of the stub zone. -.TP -.B stub\-host: \fI<domain name> -Name of stub zone nameserver. Is itself resolved before it is used. -.TP -.B stub\-addr: \fI<IP address> -IP address of stub zone nameserver. Can be IP 4 or IP 6. -To use a nondefault port for DNS communication append '@' with the port number. -.TP -.B stub\-prime: \fI<yes or no> -This option is by default off. If enabled it performs NS set priming, -which is similar to root hints, where it starts using the list of nameservers -currently published by the zone. Thus, if the hint list is slightly outdated, -the resolver picks up a correct list online. -.TP -.B stub\-first: \fI<yes or no> -If enabled, a query is attempted without the stub clause if it fails. -The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. -.TP -.B stub\-ssl\-upstream: \fI<yes or no> -Enabled or disable whether the queries to this stub use SSL for transport. -Default is no. -.SS "Forward Zone Options" -.LP -There may be multiple -.B forward\-zone: -clauses. Each with a \fBname:\fR and zero or more hostnames or IP -addresses. For the forward zone this list of nameservers is used to -forward the queries to. The servers listed as \fBforward\-host:\fR and -\fBforward\-addr:\fR have to handle further recursion for the query. Thus, -those servers are not authority servers, but are (just like unbound is) -recursive servers too; unbound does not perform recursion itself for the -forward zone, it lets the remote server do it. Class IN is assumed. -A forward\-zone entry with name "." and a forward\-addr target will -forward all queries to that other server (unless it can answer from -the cache). -.TP -.B name: \fI<domain name> -Name of the forward zone. -.TP -.B forward\-host: \fI<domain name> -Name of server to forward to. Is itself resolved before it is used. -.TP -.B forward\-addr: \fI<IP address> -IP address of server to forward to. Can be IP 4 or IP 6. -To use a nondefault port for DNS communication append '@' with the port number. -.TP -.B forward\-first: \fI<yes or no> -If enabled, a query is attempted without the forward clause if it fails. -The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. -.TP -.B forward\-ssl\-upstream: \fI<yes or no> -Enabled or disable whether the queries to this forwarder use SSL for transport. -Default is no. -.SS "View Options" -.LP -There may be multiple -.B view: -clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view -name in an \fBaccess\-control\-view\fR element. Options from matching views will -override global options. Global options will be used if no matching view -is found. -.TP -.B name: \fI<view name> -Name of the view. Must be unique. This name is used in access\-control\-view -elements. -.TP -.B local\-zone: \fI<zone> <type> -View specific local\-zone elements. Has the same types and behaviour as the -global local\-zone elements. -.TP -.B local\-data: \fI"<resource record string>" -View specific local\-data elements. Has the same behaviour as the global -local\-data elements. -.TP -.B local\-data\-ptr: \fI"IPaddr name" -View specific local\-data\-ptr elements. Has the same behaviour as the global -local\-data\-ptr elements. -.TP -.B view\-first: \fI<yes or no> -If enabled, it attempts to use the global local\-zone and local\-data if there -is no match in the view specific options. -The default is no. -.SS "Python Module Options" -.LP -The -.B python: -clause gives the settings for the \fIpython\fR(1) script module. This module -acts like the iterator and validator modules do, on queries and answers. -To enable the script module it has to be compiled into the daemon, -and the word "python" has to be put in the \fBmodule\-config:\fR option -(usually first, or between the validator and iterator). -.LP -If the \fBchroot:\fR option is enabled, you should make sure Python's -library directory structure is bind mounted in the new root environment, see -\fImount\fR(8). Also the \fBpython\-script:\fR path should be specified as an -absolute path relative to the new root, or as a relative path to the working -directory. -.TP -.B python\-script: \fI<python file>\fR -The script file to load. -.SS "DNS64 Module Options" -.LP -The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. -.TP -.B dns64\-prefix: \fI<IPv6 prefix>\fR -This sets the DNS64 prefix to use to synthesize AAAA records with. -It must be /96 or shorter. The default prefix is 64:ff9b::/96. -.TP -.B dns64\-synthall: \fI<yes or no>\fR -Debug option, default no. If enabled, synthesize all AAAA records -despite the presence of actual AAAA records. -.SS "DNSCrypt Options" -.LP -The -.B dnscrypt: -clause give the settings of the dnscrypt channel. While those options are -available, they are only meaningful if unbound was compiled with -\fB\-\-enable\-dnscrypt\fR. -Currently certificate and secret/public keys cannot be generated by unbound. -You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage -.TP -.B dnscrypt\-enable: \fI<yes or no>\fR -Whether or not the \fBdnscrypt\fR config should be enabled. You may define -configuration but not activate it. -The default is no. -.TP -.B dnscrypt\-port: \fI<port number> -On which port should \fBdnscrypt\fR should be activated. Note that you should -have a matching \fBinterface\fR option defined in the \fBserver\fR section for -this port. -.TP -.B dnscrypt\-provider: \fI<provider name>\fR -The provider name to use to distribute certificates. This is of the form: -\fB2.dnscrypt-cert.example.com.\fR. The name \fIMUST\fR end with a dot. -.TP -.B dnscrypt\-secret\-key: \fI<path to secret key file>\fR -Path to the time limited secret key file. This option may be specified multiple -times. -.TP -.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR -Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option -may be specified multiple times. -.SS "EDNS Client Subnet Module Options" -.LP -The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. -.LP -If the destination address is whitelisted with Unbound will add the EDNS0 option -to the query containing the relevant part of the client's address. When an -answer contains the ECS option the response and the option are placed in a -specialized cache. If the authority indicated no support, the response is stored -in the regular cache. -.LP -Additionally, when a client includes the option in its queries, Unbound will -forward the option to the authority regardless of the authorities presence in -the whitelist. In this case the lookup in the regular cache is skipped. -.LP -The maximum size of the ECS cache is controlled by 'msg-cache-size' in the -configuration file. On top of that, for each query only 100 different subnets -are allowed to be stored for each address family. Exceeding that number, older -entries will be purged from cache. -.TP -.B send\-client\-subnet: \fI<IP address>\fR -Send client source address to this authority. Append /num to indicate a -classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can -be given multiple times. Authorities not listed will not receive edns-subnet -information. -.TP -.B client\-subnet\-always\-forward: \fI<yes or no>\fR -Specify whether the ECS whitelist check (configured using -\fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering -query contains an ECS record, or only for queries for which the ECS record is -generated using the querier address (and therefore did not contain ECS data in -the client query). If enabled, the whitelist check is skipped when the client -query contains an ECS record. Default is no. -.TP -.B max\-client\-subnet\-ipv6: \fI<number>\fR -Specifies the maximum prefix length of the client source address we are willing -to expose to third parties for IPv6. Defaults to 56. -.TP -.B max\-client\-subnet\-ipv4: \fI<number>\fR -Specifies the maximum prefix length of the client source address we are willing -to expose to third parties for IPv4. Defaults to 24. -.SH "MEMORY CONTROL EXAMPLE" -In the example config settings below memory usage is reduced. Some service -levels are lower, notable very large data and a high TCP load are no longer -supported. Very large data and high TCP loads are exceptional for the DNS. -DNSSEC validation is enabled, just add trust anchors. -If you do not have to worry about programs using more than 3 Mb of memory, -the below example is not for you. Use the defaults to receive full service, -which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. -.P -.nf -# example settings that reduce memory usage -server: - num\-threads: 1 - outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers. - incoming\-num\-tcp: 1 - outgoing\-range: 60 # uses less memory, but less performance. - msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'. - msg\-cache\-size: 100k - msg\-cache\-slabs: 1 - rrset\-cache\-size: 100k - rrset\-cache\-slabs: 1 - infra\-cache\-numhosts: 200 - infra\-cache\-slabs: 1 - key\-cache\-size: 100k - key\-cache\-slabs: 1 - neg\-cache\-size: 10k - num\-queries\-per\-thread: 30 - target\-fetch\-policy: "2 1 0 0 0 0" - harden\-large\-queries: "yes" - harden\-short\-bufsize: "yes" -.fi -.SH "FILES" -.TP -.I @UNBOUND_RUN_DIR@ -default unbound working directory. -.TP -.I @UNBOUND_CHROOT_DIR@ -default -\fIchroot\fR(2) -location. -.TP -.I @ub_conf_file@ -unbound configuration file. -.TP -.I @UNBOUND_PIDFILE@ -default unbound pidfile with process ID of the running daemon. -.TP -.I unbound.log -unbound log file. default is to log to -\fIsyslog\fR(3). -.SH "SEE ALSO" -\fIunbound\fR(8), -\fIunbound\-checkconf\fR(8). -.SH "AUTHORS" -.B Unbound -was written by NLnet Labs. Please see CREDITS file -in the distribution for further details. |