1unbound-control(8)               unbound 1.8.3              unbound-control(8)
2
3
4

NAME

6       unbound-control,  unbound-control-setup - Unbound remote server control
7       utility.
8

SYNOPSIS

10       unbound-control [-hq] [-c cfgfile] [-s server] command
11

DESCRIPTION

13       Unbound-control performs remote administration on  the  unbound(8)  DNS
14       server.   It  reads the configuration file, contacts the unbound server
15       over SSL sends the command and displays the result.
16
17       The available options are:
18
19       -h     Show the version and commandline option help.
20
21       -c cfgfile
22              The config file to read with settings.  If not given the default
23              config file /etc/unbound/unbound.conf is used.
24
25       -s server[@port]
26              IPv4  or  IPv6  address of the server to contact.  If not given,
27              the address is read from the config file.
28
29       -q     quiet, if the option is given it does not print anything  if  it
30              works ok.
31

COMMANDS

33       There are several commands that the server understands.
34
35       start  Start  the  server.  Simply  execs unbound(8).  The unbound exe‐
36              cutable is searched for in the PATH set in the environment.   It
37              is  started  with  the  config  file  specified  using -c or the
38              default config file.
39
40       stop   Stop the server. The server daemon exits.
41
42       reload Reload the server. This flushes the cache and reads  the  config
43              file fresh.
44
45       verbosity number
46              Change  verbosity  value  for  logging. Same values as verbosity
47              keyword in unbound.conf(5).  This new setting  lasts  until  the
48              server is issued a reload (taken from config file again), or the
49              next verbosity control command.
50
51       log_reopen
52              Reopen the logfile, close and open it.  Useful  for  logrotation
53              to  make  the  daemon release the file it is logging to.  If you
54              are using syslog it will attempt to close and  open  the  syslog
55              (which may not work if chrooted).
56
57       stats  Print statistics. Resets the internal counters to zero, this can
58              be controlled using the statistics-cumulative config  statement.
59              Statistics are printed with one [name]: [value] per line.
60
61       stats_noreset
62              Peek at statistics. Prints them like the stats command does, but
63              does not reset the internal counters to zero.
64
65       status Display server status. Exit code 3 if not running  (the  connec‐
66              tion to the port is refused), 1 on error, 0 if running.
67
68       local_zone name type
69              Add  new  local  zone with name and type. Like local-zone config
70              statement.  If the zone already exists, the type is  changed  to
71              the given argument.
72
73       local_zone_remove name
74              Remove  the  local  zone with the given name.  Removes all local
75              data inside it.  If the zone does not exist,  the  command  suc‐
76              ceeds.
77
78       local_data RR data...
79              Add  new  local data, the given resource record. Like local-data
80              config statement, except for when no covering zone  exists.   In
81              that case this remote control command creates a transparent zone
82              with the same name as this record.  This command is not good  at
83              returning detailed syntax errors.
84
85       local_data_remove name
86              Remove  all RR data from local name.  If the name already has no
87              items, nothing happens.  Often results in NXDOMAIN for the  name
88              (in  a static zone), but if the name has become an empty nonter‐
89              minal (there is still data in domain  names  below  the  removed
90              name), NOERROR nodata answers are the result for that name.
91
92       local_zones
93              Add  local  zones  read  from stdin of unbound-control. Input is
94              read per line, with name space type on a line.  For  bulk  addi‐
95              tions.
96
97       local_zones_remove
98              Remove  local zones read from stdin of unbound-control. Input is
99              one name per line. For bulk removals.
100
101       local_datas
102              Add local data RRs read from stdin of unbound-control. Input  is
103              one RR per line. For bulk additions.
104
105       local_datas_remove
106              Remove  local data RRs read from stdin of unbound-control. Input
107              is one name per line. For bulk removals.
108
109       dump_cache
110              The contents of the cache is printed in a text format to stdout.
111              You can redirect it to a file to store the cache in a file.
112
113       load_cache
114              The  contents  of the cache is loaded from stdin.  Uses the same
115              format as dump_cache uses.  Loading the cache with old, or wrong
116              data can result in old or wrong data returned to clients.  Load‐
117              ing data into the cache in this way is supported in order to aid
118              with debugging.
119
120       lookup name
121              Print  to  stdout the name servers that would be used to look up
122              the name specified.
123
124       flush name
125              Remove the name from the cache. Removes the types A,  AAAA,  NS,
126              SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.  Because that is fast
127              to do. Other record types can be  removed  using  flush_type  or
128              flush_zone.
129
130       flush_type name type
131              Remove the name, type information from the cache.
132
133       flush_zone name
134              Remove all information at or below the name from the cache.  The
135              rrsets and key entries are removed so that new lookups  will  be
136              performed.  This needs to walk and inspect the entire cache, and
137              is a slow operation.  The entries are  set  to  expired  in  the
138              implementation  of this command (so, with serve-expired enabled,
139              it'll serve that information but schedule  a  prefetch  for  new
140              information).
141
142       flush_bogus
143              Remove all bogus data from the cache.
144
145       flush_negative
146              Remove  all  negative  data  from  the  cache.  This is nxdomain
147              answers, nodata answers and servfail answers.  Also removes  bad
148              key  entries  (which  could  be  due to failed lookups) from the
149              dnssec key cache, and iterator last-resort lookup failures  from
150              the rrset cache.
151
152       flush_stats
153              Reset statistics to zero.
154
155       flush_requestlist
156              Drop  the  queries  that  are  worked  on.  Stops working on the
157              queries that the server is working on now.  The cache  is  unaf‐
158              fected.   No  reply  is  sent for those queries, probably making
159              those users request again later.   Useful  to  make  the  server
160              restart  working  on queries with new settings, such as a higher
161              verbosity level.
162
163       dump_requestlist
164              Show what is worked on.  Prints all queries that the  server  is
165              currently  working  on.   Prints  the  time that users have been
166              waiting.  For internal requests, no time is printed.   And  then
167              prints  out the module status.  This prints the queries from the
168              first thread, and not queries that are being serviced from other
169              threads.
170
171       flush_infra all|IP
172              If  all  then  entire  infra cache is emptied.  If a specific IP
173              address, the entry for that address is removed from  the  cache.
174              It contains EDNS, ping and lameness data.
175
176       dump_infra
177              Show the contents of the infra cache.
178
179       set_option opt: val
180              Set  the  option to the given value without a reload.  The cache
181              is therefore not flushed.  The option must end with  a  ':'  and
182              whitespace  must be between the option and the value.  Some val‐
183              ues may not have an effect if set this way, the new  values  are
184              not  written  to the config file, not all options are supported.
185              This is different from the set_option call in libunbound,  where
186              all values work because unbound has not been initialized.
187
188              The  values that work are: statistics-interval, statistics-cumu‐
189              lative,      do-not-query-localhost,       harden-short-bufsize,
190              harden-large-queries,    harden-glue,    harden-dnssec-stripped,
191              harden-below-nxdomain,      harden-referral-path,      prefetch,
192              prefetch-key,  log-queries,  hide-identity,  hide-version, iden‐
193              tity, version, val-log-level,  val-log-squelch,  ignore-cd-flag,
194              add-holddown,    del-holddown,    keep-missing,    tcp-upstream,
195              ssl-upstream,     max-udp-size,     ratelimit,     ip-ratelimit,
196              cache-max-ttl, cache-min-ttl, cache-max-negative-ttl.
197
198       get_option opt
199              Get  the  value  of  the option.  Give the option name without a
200              trailing ':'.  The value is printed.  If the value is "",  noth‐
201              ing  is printed and the connection closes.  On error 'error ...'
202              is printed (it gives a syntax error  on  unknown  option).   For
203              some  options  a  list  of values, one on each line, is printed.
204              The options are shown from the  config  file  as  modified  with
205              set_option.   For  some  options an override may have been taken
206              that does not show up with this command, not results  from  e.g.
207              the  verbosity  and  forward  control commands.  Not all options
208              work,  see  list_stubs,  list_forwards,   list_local_zones   and
209              list_local_data for those.
210
211       list_stubs
212              List the stub zones in use.  These are printed one by one to the
213              output.  This includes the root hints in use.
214
215       list_forwards
216              List the forward zones in use.  These are printed zone  by  zone
217              to the output.
218
219       list_insecure
220              List the zones with domain-insecure.
221
222       list_local_zones
223              List  the  local  zones  in use.  These are printed one per line
224              with zone type.
225
226       list_local_data
227              List the local data  RRs  in  use.   The  resource  records  are
228              printed.
229
230       insecure_add zone
231              Add  a domain-insecure for the given zone, like the statement in
232              unbound.conf.  Adds to the running unbound without affecting the
233              cache  contents  (which  may  still  be bogus, use flush_zone to
234              remove it), does not affect the config file.
235
236       insecure_remove zone
237              Removes domain-insecure for the given zone.
238
239       forward_add [+i] zone addr ...
240              Add a new forward zone to running unbound.  With +i option  also
241              adds  a  domain-insecure  for  the zone (so it can resolve inse‐
242              curely if you have a DNSSEC root  trust  anchor  configured  for
243              other  names).   The  addr  can be IP4, IP6 or nameserver names,
244              like forward-zone config in unbound.conf.
245
246       forward_remove [+i] zone
247              Remove a forward zone from running unbound.  The +i also removes
248              a domain-insecure for the zone.
249
250       stub_add [+ip] zone addr ...
251              Add  a  new  stub  zone to running unbound.  With +i option also
252              adds a domain-insecure for the zone.  With +p the stub  zone  is
253              set to prime, without it it is set to notprime.  The addr can be
254              IP4, IP6 or nameserver  names,  like  the  stub-zone  config  in
255              unbound.conf.
256
257       stub_remove [+i] zone
258              Remove  a stub zone from running unbound.  The +i also removes a
259              domain-insecure for the zone.
260
261       forward [off | addr ... ]
262              Setup forwarding mode.  Configures  if  the  server  should  ask
263              other upstream nameservers, should go to the internet root name‐
264              servers itself, or show the current config.  You could pass  the
265              nameservers after a DHCP update.
266
267              Without  arguments the current list of addresses used to forward
268              all queries to is printed.  On startup this  is  from  the  for‐
269              ward-zone  "."  configuration.   Afterwards it shows the status.
270              It prints off when no forwarding is used.
271
272              If off is passed, forwarding is  disabled  and  the  root  name‐
273              servers  are  used.  This can be used to avoid to avoid buggy or
274              non-DNSSEC supporting nameservers returned from DHCP.   But  may
275              not work in hotels or hotspots.
276
277              If  one or more IPv4 or IPv6 addresses are given, those are then
278              used to forward queries to.  The  addresses  must  be  separated
279              with spaces.  With '@port' the port number can be set explicitly
280              (default port is 53 (DNS)).
281
282              By default the forwarder information from the  config  file  for
283              the  root "." is used.  The config file is not changed, so after
284              a reload these changes are gone.  Other forward zones  from  the
285              config file are not affected by this command.
286
287       ratelimit_list [+a]
288              List  the  domains  that  are ratelimited.  Printed one per line
289              with current estimated qps and qps limit from config.   With  +a
290              it  prints  all  domains, not just the ratelimited domains, with
291              their estimated qps.  The ratelimited domains  return  an  error
292              for uncached (new) queries, but cached queries work as normal.
293
294       ip_ratelimit_list [+a]
295              List  the  ip  addresses  that are ratelimited.  Printed one per
296              line with current estimated qps and qps limit from config.  With
297              +a  it  prints all ips, not just the ratelimited ips, with their
298              estimated qps.  The ratelimited ips are dropped before  checking
299              the cache.
300
301       list_auth_zones
302              List  the  auth zones that are configured.  Printed one per line
303              with a status, indicating if the zone  is  expired  and  current
304              serial number.
305
306       auth_zone_reload zone
307              Reload  the  auth  zone  from zonefile.  The zonefile is read in
308              overwriting the current contents of the zone  in  memory.   This
309              changes  the  auth zone contents itself, not the cache contents.
310              Such cache contents exists if you set unbound to  validate  with
311              for-upstream yes and that can be cleared with flush_zone zone.
312
313       auth_zone_transfer zone
314              Transfer  the  auth  zone  from  master.   The  auth  zone probe
315              sequence is started, where the masters are probed to see if they
316              have  an updated zone (with the SOA serial check).  And then the
317              zone is transferred for a newer zone version.
318
319       view_list_local_zones view
320              list_local_zones for given view.
321
322       view_local_zone view name type
323              local_zone for given view.
324
325       view_local_zone_remove view name
326              local_zone_remove for given view.
327
328       view_list_local_data view
329              list_local_data for given view.
330
331       view_local_data view RR data...
332              local_data for given view.
333
334       view_local_data_remove view name
335              local_data_remove for given view.
336
337       view_local_datas view
338              Add a list of  local_data  for  given  view  from  stdin.   Like
339              local_datas.
340

EXIT CODE

342       The  unbound-control  program  exits  with status code 1 on error, 0 on
343       success.
344

SET UP

346       The setup requires a self-signed certificate and private keys for  both
347       the  server  and  client.   The  script unbound-control-setup generates
348       these in the default run directory, or with -d  in  another  directory.
349       If  you  change the access control permissions on the key files you can
350       decide who can use unbound-control, by default owner and group but  not
351       all  users.  Run the script under the same username as you have config‐
352       ured in unbound.conf or as root, so that the  daemon  is  permitted  to
353       read the files, for example with:
354           sudo -u unbound unbound-control-setup
355       If  you  have  not configured a username in unbound.conf, the keys need
356       read permission for the user credentials  under  which  the  daemon  is
357       started.   The  script preserves private keys present in the directory.
358       After  running  the  script  as  root,  turn   on   control-enable   in
359       unbound.conf.
360

STATISTIC COUNTERS

362       The stats command shows a number of statistic counters.
363
364       threadX.num.queries
365              number of queries received by thread
366
367       threadX.num.queries_ip_ratelimited
368              number of queries rate limited by thread
369
370       threadX.num.cachehits
371              number  of queries that were successfully answered using a cache
372              lookup
373
374       threadX.num.cachemiss
375              number of queries that needed recursive processing
376
377       threadX.num.dnscrypt.crypted
378              number of queries that were encrypted and successfully  decapsu‐
379              lated by dnscrypt.
380
381       threadX.num.dnscrypt.cert
382              number of queries that were requesting dnscrypt certificates.
383
384       threadX.num.dnscrypt.cleartext
385              number  of queries received on dnscrypt port that were cleartext
386              and not a request for certificates.
387
388       threadX.num.dnscrypt.malformed
389              number  of  request  that  were  neither  cleartext,  not  valid
390              dnscrypt messages.
391
392       threadX.num.prefetch
393              number  of  cache prefetches performed.  This number is included
394              in cachehits, as the original query had the unprefetched  answer
395              from  cache, and resulted in recursive processing, taking a slot
396              in the requestlist.  Not part of the  recursivereplies  (or  the
397              histogram thereof) or cachemiss, as a cache response was sent.
398
399       threadX.num.zero_ttl
400              number  of replies with ttl zero, because they served an expired
401              cache entry.
402
403       threadX.num.recursivereplies
404              The number of replies sent to queries that needed recursive pro‐
405              cessing.  Could  be smaller than threadX.num.cachemiss if due to
406              timeouts no replies were sent for some queries.
407
408       threadX.requestlist.avg
409              The average number of requests in the  internal  recursive  pro‐
410              cessing  request list on insert of a new incoming recursive pro‐
411              cessing query.
412
413       threadX.requestlist.max
414              Maximum size  attained  by  the  internal  recursive  processing
415              request list.
416
417       threadX.requestlist.overwritten
418              Number  of requests in the request list that were overwritten by
419              newer entries. This happens if there is a flood of queries  that
420              recursive processing and the server has a hard time.
421
422       threadX.requestlist.exceeded
423              Queries  that  were  dropped  because the request list was full.
424              This happens if a flood of queries  need  recursive  processing,
425              and the server can not keep up.
426
427       threadX.requestlist.current.all
428              Current  size of the request list, includes internally generated
429              queries (such as priming queries and glue lookups).
430
431       threadX.requestlist.current.user
432              Current size of the request list, only the requests from  client
433              queries.
434
435       threadX.recursion.time.avg
436              Average  time  it  took  to answer queries that needed recursive
437              processing. Note that queries that were answered from the  cache
438              are not in this average.
439
440       threadX.recursion.time.median
441              The  median  of  the  time it took to answer queries that needed
442              recursive processing.  The median means that  50%  of  the  user
443              queries  were  answered  in less than this time.  Because of big
444              outliers (usually queries to non responsive servers), the  aver‐
445              age  can be bigger than the median.  This median has been calcu‐
446              lated by interpolation from a histogram.
447
448       threadX.tcpusage
449              The currently held tcp buffers for incoming connections.  A spot
450              value  on  the  time of the request.  This helps you spot if the
451              incoming-num-tcp buffers are full.
452
453       total.num.queries
454              summed over threads.
455
456       total.num.cachehits
457              summed over threads.
458
459       total.num.cachemiss
460              summed over threads.
461
462       total.num.dnscrypt.crypted
463              summed over threads.
464
465       total.num.dnscrypt.cert
466              summed over threads.
467
468       total.num.dnscrypt.cleartext
469              summed over threads.
470
471       total.num.dnscrypt.malformed
472              summed over threads.
473
474       total.num.prefetch
475              summed over threads.
476
477       total.num.zero_ttl
478              summed over threads.
479
480       total.num.recursivereplies
481              summed over threads.
482
483       total.requestlist.avg
484              averaged over threads.
485
486       total.requestlist.max
487              the maximum of the thread requestlist.max values.
488
489       total.requestlist.overwritten
490              summed over threads.
491
492       total.requestlist.exceeded
493              summed over threads.
494
495       total.requestlist.current.all
496              summed over threads.
497
498       total.recursion.time.median
499              averaged over threads.
500
501       total.tcpusage
502              summed over threads.
503
504       time.now
505              current time in seconds since 1970.
506
507       time.up
508              uptime since server boot in seconds.
509
510       time.elapsed
511              time since last statistics printout, in seconds.
512

EXTENDED STATISTICS

514       mem.cache.rrset
515              Memory in bytes in use by the RRset cache.
516
517       mem.cache.message
518              Memory in bytes in use by the message cache.
519
520       mem.cache.dnscrypt_shared_secret
521              Memory in bytes in use by the dnscrypt shared secrets cache.
522
523       mem.cache.dnscrypt_nonce
524              Memory in bytes in use by the dnscrypt nonce cache.
525
526       mem.mod.iterator
527              Memory in bytes in use by the iterator module.
528
529       mem.mod.validator
530              Memory in bytes in use by the validator module. Includes the key
531              cache and negative cache.
532
533       histogram.<sec>.<usec>.to.<sec>.<usec>
534              Shows a histogram, summed over all threads. Every element counts
535              the recursive queries whose reply time fit between the lower and
536              upper  bound.   Times  larger  or  equal  to the lowerbound, and
537              smaller than the upper bound.  There are 40 buckets, with bucket
538              sizes doubling.
539
540       num.query.type.A
541              The  total number of queries over all threads with query type A.
542              Printed for the other query types as  well,  but  only  for  the
543              types for which queries were received, thus =0 entries are omit‐
544              ted for brevity.
545
546       num.query.type.other
547              Number of queries with query types 256-65535.
548
549       num.query.class.IN
550              The total number of queries over all threads with query class IN
551              (internet).   Also printed for other classes (such as CH (CHAOS)
552              sometimes used for debugging), or NONE,  ANY,  used  by  dynamic
553              update.  num.query.class.other is printed for classes 256-65535.
554
555       num.query.opcode.QUERY
556              The  total  number of queries over all threads with query opcode
557              QUERY.  Also printed for other opcodes, UPDATE, ...
558
559       num.query.tcp
560              Number of queries that were made using TCP towards  the  unbound
561              server.
562
563       num.query.tcpout
564              Number  of queries that the unbound server made using TCP outgo‐
565              ing towards other servers.
566
567       num.query.tls
568              Number of queries that were made using TLS towards  the  unbound
569              server.   These  are  also counted in num.query.tcp, because TLS
570              uses TCP.
571
572       num.query.ipv6
573              Number of queries that were made using IPv6 towards the  unbound
574              server.
575
576       num.query.flags.RD
577              The  number  of  queries that had the RD flag set in the header.
578              Also printed for flags QR, AA, TC, RA, Z,  AD,  CD.   Note  that
579              queries  with  flags QR, AA or TC may have been rejected because
580              of that.
581
582       num.query.edns.present
583              number of queries that had an EDNS OPT record present.
584
585       num.query.edns.DO
586              number of queries that had  an  EDNS  OPT  record  with  the  DO
587              (DNSSEC  OK)  bit  set.   These queries are also included in the
588              num.query.edns.present number.
589
590       num.query.ratelimited
591              The number of queries that are turned away from  being  send  to
592              nameserver due to ratelimiting.
593
594       num.query.dnscrypt.shared_secret.cachemiss
595              The number of dnscrypt queries that did not find a shared secret
596              in the cache.  The can be  use  to  compute  the  shared  secret
597              hitrate.
598
599       num.query.dnscrypt.replay
600              The  number  of  dnscrypt  queries that found a nonce hit in the
601              nonce cache and hence are considered a query replay.
602
603       num.answer.rcode.NXDOMAIN
604              The number of answers to queries, from cache or from  recursion,
605              that  had  the  return code NXDOMAIN. Also printed for the other
606              return codes.
607
608       num.answer.rcode.nodata
609              The number of answers to queries that had the pseudo return code
610              nodata.   This  means  the  actual  return code was NOERROR, but
611              additionally, no data was carried in the answer (making what  is
612              called   a  NOERROR/NODATA  answer).   These  queries  are  also
613              included in the  num.answer.rcode.NOERROR  number.   Common  for
614              AAAA lookups when an A record exists, and no AAAA.
615
616       num.answer.secure
617              Number  of  answers that were secure.  The answer validated cor‐
618              rectly.  The AD bit  might  have  been  set  in  some  of  these
619              answers,  where  the  client signalled (with DO or AD bit in the
620              query) that they were ready to accept the AD bit in the answer.
621
622       num.answer.bogus
623              Number of answers that were bogus.  These  answers  resulted  in
624              SERVFAIL to the client because the answer failed validation.
625
626       num.rrset.bogus
627              The  number  of rrsets marked bogus by the validator.  Increased
628              for every RRset inspection that fails.
629
630       unwanted.queries
631              Number of queries that were  refused  or  dropped  because  they
632              failed the access control settings.
633
634       unwanted.replies
635              Replies that were unwanted or unsolicited.  Could have been ran‐
636              dom traffic, delayed duplicates, very late answers, or could  be
637              spoofing  attempts.   Some low level of late answers and delayed
638              duplicates are to be expected with the UDP protocol.  Very  high
639              values could indicate a threat (spoofing).
640
641       msg.cache.count
642              The number of items (DNS replies) in the message cache.
643
644       rrset.cache.count
645              The  number  of RRsets in the rrset cache.  This includes rrsets
646              used by the messages in the message cache, but  also  delegation
647              information.
648
649       infra.cache.count
650              The  number of items in the infra cache.  These are IP addresses
651              with their timing and protocol support information.
652
653       key.cache.count
654              The number of items in the key cache.  These  are  DNSSEC  keys,
655              one item per delegation point, and their validation status.
656
657       dnscrypt_shared_secret.cache.count
658              The  number  of items in the shared secret cache. These are pre‐
659              computed shared secrets for a  given  client  public  key/server
660              secret key pair. Shared secrets are CPU intensive and this cache
661              allows unbound to avoid recomputing the shared secret when  mul‐
662              tiple dnscrypt queries are sent from the same client.
663
664       dnscrypt_nonce.cache.count
665              The  number  of  items  in the client nonce cache. This cache is
666              used to prevent dnscrypt queries replay. The client  nonce  must
667              be  unique  for  each  client public key/server secret key pair.
668              This cache should be able to host QPS * `replay window` interval
669              keys  to  prevent  replay of a query during `replay window` sec‐
670              onds.
671
672       num.query.authzone.up
673              The number of queries answered  from  auth-zone  data,  upstream
674              queries.   These  queries  would  otherwise have been sent (with
675              fallback enabled) to the internet, but are now answered from the
676              auth zone.
677
678       num.query.authzone.down
679              The  number  of  queries  for downstream answered from auth-zone
680              data.  These queries are from downstream clients, and  have  had
681              an answer from the data in the auth zone.
682
683       num.query.aggressive.NOERROR
684              The  number  of  queries answered using cached NSEC records with
685              NODATA RCODE.  These queries would otherwise have been  sent  to
686              the internet, but are now answered using cached data.
687
688       num.query.aggressive.NXDOMAIN
689              The  number  of  queries answered using cached NSEC records with
690              NXDOMAIN RCODE.  These queries would otherwise have been sent to
691              the internet, but are now answered using cached data.
692
693       num.query.subnet
694              Number  of queries that got an answer that contained EDNS client
695              subnet data.
696
697       num.query.subnet_cache
698              Number of queries answered from the edns  client  subnet  cache.
699              These are counted as cachemiss by the main counters, but hit the
700              client subnet specific cache, after  getting  processed  by  the
701              edns client subnet module.
702

FILES

704       /etc/unbound/unbound.conf
705              unbound configuration file.
706
707       /etc/unbound
708              directory with private keys (unbound_server.key and unbound_con‐
709              trol.key) and self-signed certificates  (unbound_server.pem  and
710              unbound_control.pem).
711

SEE ALSO

713       unbound.conf(5), unbound(8).
714
715
716
717NLnet Labs                       Dec 11, 2018               unbound-control(8)
Impressum