1unbound-control(8)              unbound 1.4.20              unbound-control(8)
2
3
4

NAME

6       unbound-control,  unbound-control-setup - Unbound remote server control
7       utility.
8

SYNOPSIS

10       unbound-control [-hq] [-c cfgfile] [-s server] command
11

DESCRIPTION

13       Unbound-control performs remote administration on  the  unbound(8)  DNS
14       server.   It  reads the configuration file, contacts the unbound server
15       over SSL sends the command and displays the result.
16
17       The available options are:
18
19       -h     Show the version and commandline option help.
20
21       -c cfgfile
22              The config file to read with settings.  If not given the default
23              config file /etc/unbound/unbound.conf is used.
24
25       -s server[@port]
26              IPv4  or  IPv6  address of the server to contact.  If not given,
27              the address is read from the config file.
28
29       -q     quiet, if the option is given it does not print anything  if  it
30              works ok.
31

COMMANDS

33       There are several commands that the server understands.
34
35       start  Start  the  server.  Simply  execs unbound(8).  The unbound exe‐
36              cutable is searched for in the PATH set in the environment.   It
37              is  started  with  the  config  file  specified  using -c or the
38              default config file.
39
40       stop   Stop the server. The server daemon exits.
41
42       reload Reload the server. This flushes the cache and reads  the  config
43              file fresh.
44
45       verbosity number
46              Change  verbosity  value  for  logging. Same values as verbosity
47              keyword in unbound.conf(5).  This new setting  lasts  until  the
48              server is issued a reload (taken from config file again), or the
49              next verbosity control command.
50
51       log_reopen
52              Reopen the logfile, close and open it.  Useful  for  logrotation
53              to  make  the  daemon release the file it is logging to.  If you
54              are using syslog it will attempt to close and  open  the  syslog
55              (which may not work if chrooted).
56
57       stats  Print statistics. Resets the internal counters to zero, this can
58              be controlled using the statistics-cumulative config  statement.
59              Statistics are printed with one [name]: [value] per line.
60
61       stats_noreset
62              Peek at statistics. Prints them like the stats command does, but
63              does not reset the internal counters to zero.
64
65       status Display server status. Exit code 3 if not running  (the  connec‐
66              tion to the port is refused), 1 on error, 0 if running.
67
68       local_zone name type
69              Add  new  local  zone with name and type. Like local-zone config
70              statement.  If the zone already exists, the type is  changed  to
71              the given argument.
72
73       local_zone_remove name
74              Remove  the  local  zone with the given name.  Removes all local
75              data inside it.  If the zone does not exist,  the  command  suc‐
76              ceeds.
77
78       local_data RR data...
79              Add  new  local data, the given resource record. Like local-data
80              config statement, except for when no covering zone  exists.   In
81              that case this remote control command creates a transparent zone
82              with the same name as this record.  This command is not good  at
83              returning detailed syntax errors.
84
85       local_data_remove name
86              Remove  all RR data from local name.  If the name already has no
87              items, nothing happens.  Often results in NXDOMAIN for the  name
88              (in  a static zone), but if the name has become an empty nonter‐
89              minal (there is still data in domain  names  below  the  removed
90              name), NOERROR nodata answers are the result for that name.
91
92       dump_cache
93              The contents of the cache is printed in a text format to stdout.
94              You can redirect it to a file to store the cache in a file.
95
96       load_cache
97              The contents of the cache is loaded from stdin.  Uses  the  same
98              format as dump_cache uses.  Loading the cache with old, or wrong
99              data can result in old or wrong data returned to clients.  Load‐
100              ing data into the cache in this way is supported in order to aid
101              with debugging.
102
103       lookup name
104              Print to stdout the name servers that would be used to  look  up
105              the name specified.
106
107       flush name
108              Remove  the  name from the cache. Removes the types A, AAAA, NS,
109              SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.  Because that is fast
110              to  do.  Other  record  types can be removed using flush_type or
111              flush_zone.
112
113       flush_type name type
114              Remove the name, type information from the cache.
115
116       flush_zone name
117              Remove all information at or below the name from the cache.  The
118              rrsets  and  key entries are removed so that new lookups will be
119              performed.  This needs to walk and inspect the entire cache, and
120              is a slow operation.
121
122       flush_bogus
123              Remove all bogus data from the cache.
124
125       flush_stats
126              Reset statistics to zero.
127
128       flush_requestlist
129              Drop  the  queries  that  are  worked  on.  Stops working on the
130              queries that the server is working on now.  The cache  is  unaf‐
131              fected.   No  reply  is  sent for those queries, probably making
132              those users request again later.   Useful  to  make  the  server
133              restart  working  on queries with new settings, such as a higher
134              verbosity level.
135
136       dump_requestlist
137              Show what is worked on.  Prints all queries that the  server  is
138              currently  working  on.   Prints  the  time that users have been
139              waiting.  For internal requests, no time is printed.   And  then
140              prints out the module status.
141
142       flush_infra all|IP
143              If  all  then  entire  infra cache is emptied.  If a specific IP
144              address, the entry for that address is removed from  the  cache.
145              It contains EDNS, ping and lameness data.
146
147       dump_infra
148              Show the contents of the infra cache.
149
150       set_option opt: val
151              Set  the  option to the given value without a reload.  The cache
152              is therefore not flushed.  The option must end with  a  ':'  and
153              whitespace  must be between the option and the value.  Some val‐
154              ues may not have an effect if set this way, the new  values  are
155              not  written  to the config file, not all options are supported.
156              This is different from the set_option call in libunbound,  where
157              all values work because unbound has not been inited.
158
159              The  values that work are: statistics-interval, statistics-cumu‐
160              lative,      do-not-query-localhost,       harden-short-bufsize,
161              harden-large-queries,    harden-glue,    harden-dnssec-stripped,
162              harden-below-nxdomain,      harden-referral-path,      prefetch,
163              prefetch-key,  log-queries,  hide-identity,  hide-version, iden‐
164              tity, version, val-log-level,  val-log-squelch,  ignore-cd-flag,
165              add-holddown,    del-holddown,    keep-missing,    tcp-upstream,
166              ssl-upstream.
167
168       get_option opt
169              Get the value of the option.  Give the  option  name  without  a
170              trailing  ':'.  The value is printed.  If the value is "", noth‐
171              ing is printed and the connection closes.  On error 'error  ...'
172              is  printed  (it  gives  a syntax error on unknown option).  For
173              some options a list of values, one on  each  line,  is  printed.
174              The  options  are  shown  from  the config file as modified with
175              set_option.  For some options an override may  have  been  taken
176              that  does  not show up with this command, not results from e.g.
177              the verbosity and forward control  commands.   Not  all  options
178              work,   see   list_stubs,  list_forwards,  list_local_zones  and
179              list_local_data for those.
180
181       list_stubs
182              List the stub zones in use.  These are printed one by one to the
183              output.  This includes the root hints in use.
184
185       list_forwards
186              List  the  forward zones in use.  These are printed zone by zone
187              to the output.
188
189       list_local_zones
190              List the local zones in use.  These are  printed  one  per  line
191              with zone type.
192
193       list_local_data
194              List  the  local  data  RRs  in  use.   The resource records are
195              printed.
196
197       forward_add [+i] zone addr ...
198              Add a new forward zone to running unbound.  With +i option  also
199              adds  a  domain-insecure  for  the zone (so it can resolve inse‐
200              curely if you have a DNSSEC root  trust  anchor  configured  for
201              other  names).   The  addr  can be IP4, IP6 or nameserver names,
202              like forward-zone config in unbound.conf.
203
204       forward_remove [+i] zone
205              Remove a forward zone from running unbound.  The +i also removes
206              a domain-insecure for the zone.
207
208       stub_add [+ip] zone addr ...
209              Add  a  new  stub  zone to running unbound.  With +i option also
210              adds a domain-insecure for the zone.  With +p the stub  zone  is
211              set to prime, without it it is set to notprime.  The addr can be
212              IP4, IP6 or nameserver  names,  like  the  stub-zone  config  in
213              unbound.conf.
214
215       stub_remove [+i] zone
216              Remove  a stub zone from running unbound.  The +i also removes a
217              domain-insecure for the zone.
218
219       forward [off | addr ... ]
220              Setup forwarding mode.  Configures  if  the  server  should  ask
221              other upstream nameservers, should go to the internet root name‐
222              servers itself, or show the current config.  You could pass  the
223              nameservers after a DHCP update.
224
225              Without  arguments the current list of addresses used to forward
226              all queries to is printed.  On startup this  is  from  the  for‐
227              ward-zone  "."  configuration.   Afterwards it shows the status.
228              It prints off when no forwarding is used.
229
230              If off is passed, forwarding is  disabled  and  the  root  name‐
231              servers  are  used.  This can be used to avoid to avoid buggy or
232              non-DNSSEC supporting nameservers returned from DHCP.   But  may
233              not work in hotels or hotspots.
234
235              If  one or more IPv4 or IPv6 addresses are given, those are then
236              used to forward queries to.  The  addresses  must  be  separated
237              with spaces.  With '@port' the port number can be set explicitly
238              (default port is 53 (DNS)).
239
240              By default the forwarder information from the  config  file  for
241              the  root "." is used.  The config file is not changed, so after
242              a reload these changes are gone.  Other forward zones  from  the
243              config file are not affected by this command.
244

EXIT CODE

246       The  unbound-control  program  exits  with status code 1 on error, 0 on
247       success.
248

SET UP

250       The setup requires a self-signed certificate and private keys for  both
251       the  server  and  client.   The  script unbound-control-setup generates
252       these in the default run directory, or with -d  in  another  directory.
253       If  you  change the access control permissions on the key files you can
254       decide who can use unbound-control, by default owner and group but  not
255       all  users.  Run the script under the same username as you have config‐
256       ured in unbound.conf or as root, so that the  daemon  is  permitted  to
257       read the files, for example with:
258           sudo -u unbound unbound-control-setup
259       If  you  have  not configured a username in unbound.conf, the keys need
260       read permission for the user credentials  under  which  the  daemon  is
261       started.   The  script preserves private keys present in the directory.
262       After  running  the  script  as  root,  turn   on   control-enable   in
263       unbound.conf.
264

STATISTIC COUNTERS

266       The stats command shows a number of statistic counters.
267
268       threadX.num.queries
269              number of queries received by thread
270
271       threadX.num.cachehits
272              number  of queries that were successfully answered using a cache
273              lookup
274
275       threadX.num.cachemiss
276              number of queries that needed recursive processing
277
278       threadX.num.prefetch
279              number of cache prefetches performed.  This number  is  included
280              in  cachehits, as the original query had the unprefetched answer
281              from cache, and resulted in recursive processing, taking a  slot
282              in  the  requestlist.   Not part of the recursivereplies (or the
283              histogram thereof) or cachemiss, as a cache response was sent.
284
285       threadX.num.recursivereplies
286              The number of replies sent to queries that needed recursive pro‐
287              cessing.  Could  be smaller than threadX.num.cachemiss if due to
288              timeouts no replies were sent for some queries.
289
290       threadX.requestlist.avg
291              The average number of requests in the  internal  recursive  pro‐
292              cessing  request list on insert of a new incoming recursive pro‐
293              cessing query.
294
295       threadX.requestlist.max
296              Maximum size  attained  by  the  internal  recursive  processing
297              request list.
298
299       threadX.requestlist.overwritten
300              Number  of requests in the request list that were overwritten by
301              newer entries. This happens if there is a flood of queries  that
302              recursive processing and the server has a hard time.
303
304       threadX.requestlist.exceeded
305              Queries  that  were  dropped  because the request list was full.
306              This happens if a flood of queries  need  recursive  processing,
307              and the server can not keep up.
308
309       threadX.requestlist.current.all
310              Current  size of the request list, includes internally generated
311              queries (such as priming queries and glue lookups).
312
313       threadX.requestlist.current.user
314              Current size of the request list, only the requests from  client
315              queries.
316
317       threadX.recursion.time.avg
318              Average  time  it  took  to answer queries that needed recursive
319              processing. Note that queries that were answered from the  cache
320              are not in this average.
321
322       threadX.recursion.time.median
323              The  median  of  the  time it took to answer queries that needed
324              recursive processing.  The median means that  50%  of  the  user
325              queries  were  answered  in less than this time.  Because of big
326              outliers (usually queries to non responsive servers), the  aver‐
327              age  can be bigger than the median.  This median has been calcu‐
328              lated by interpolation from a histogram.
329
330       total.num.queries
331              summed over threads.
332
333       total.num.cachehits
334              summed over threads.
335
336       total.num.cachemiss
337              summed over threads.
338
339       total.num.prefetch
340              summed over threads.
341
342       total.num.recursivereplies
343              summed over threads.
344
345       total.requestlist.avg
346              averaged over threads.
347
348       total.requestlist.max
349              the maximum of the thread requestlist.max values.
350
351       total.requestlist.overwritten
352              summed over threads.
353
354       total.requestlist.exceeded
355              summed over threads.
356
357       total.requestlist.current.all
358              summed over threads.
359
360       total.recursion.time.median
361              averaged over threads.
362
363       time.now
364              current time in seconds since 1970.
365
366       time.up
367              uptime since server boot in seconds.
368
369       time.elapsed
370              time since last statistics printout, in seconds.
371

EXTENDED STATISTICS

373       mem.total.sbrk
374              If sbrk(2) is available, an estimate of the  heap  size  of  the
375              program  in  number  of bytes. Close to the total memory used by
376              the program, as reported by top and ps.  Could be wrong  if  the
377              OS allocates memory non-contiguously.
378
379       mem.cache.rrset
380              Memory in bytes in use by the RRset cache.
381
382       mem.cache.message
383              Memory in bytes in use by the message cache.
384
385       mem.mod.iterator
386              Memory in bytes in use by the iterator module.
387
388       mem.mod.validator
389              Memory in bytes in use by the validator module. Includes the key
390              cache and negative cache.
391
392       histogram.<sec>.<usec>.to.<sec>.<usec>
393              Shows a histogram, summed over all threads. Every element counts
394              the recursive queries whose reply time fit between the lower and
395              upper bound.  Times larger  or  equal  to  the  lowerbound,  and
396              smaller than the upper bound.  There are 40 buckets, with bucket
397              sizes doubling.
398
399       num.query.type.A
400              The total number of queries over all threads with query type  A.
401              Printed  for  the  other  query  types as well, but only for the
402              types for which queries were received, thus =0 entries are omit‐
403              ted for brevity.
404
405       num.query.type.other
406              Number of queries with query types 256-65535.
407
408       num.query.class.IN
409              The total number of queries over all threads with query class IN
410              (internet).  Also printed for other classes (such as CH  (CHAOS)
411              sometimes  used  for  debugging),  or NONE, ANY, used by dynamic
412              update.  num.query.class.other is printed for classes 256-65535.
413
414       num.query.opcode.QUERY
415              The total number of queries over all threads with  query  opcode
416              QUERY.  Also printed for other opcodes, UPDATE, ...
417
418       num.query.tcp
419              Number  of  queries that were made using TCP towards the unbound
420              server.
421
422       num.query.ipv6
423              Number of queries that were made using IPv6 towards the  unbound
424              server.
425
426       num.query.flags.RD
427              The  number  of  queries that had the RD flag set in the header.
428              Also printed for flags QR, AA, TC, RA, Z,  AD,  CD.   Note  that
429              queries  with  flags QR, AA or TC may have been rejected because
430              of that.
431
432       num.query.edns.present
433              number of queries that had an EDNS OPT record present.
434
435       num.query.edns.DO
436              number of queries that had  an  EDNS  OPT  record  with  the  DO
437              (DNSSEC  OK)  bit  set.   These queries are also included in the
438              num.query.edns.present number.
439
440       num.answer.rcode.NXDOMAIN
441              The number of answers to queries, from cache or from  recursion,
442              that  had  the  return code NXDOMAIN. Also printed for the other
443              return codes.
444
445       num.answer.rcode.nodata
446              The number of answers to queries that had the pseudo return code
447              nodata.   This  means  the  actual  return code was NOERROR, but
448              additionally, no data was carried in the answer (making what  is
449              called   a  NOERROR/NODATA  answer).   These  queries  are  also
450              included in the  num.answer.rcode.NOERROR  number.   Common  for
451              AAAA lookups when an A record exists, and no AAAA.
452
453       num.answer.secure
454              Number  of  answers that were secure.  The answer validated cor‐
455              rectly.  The AD bit  might  have  been  set  in  some  of  these
456              answers,  where  the  client signalled (with DO or AD bit in the
457              query) that they were ready to accept the AD bit in the answer.
458
459       num.answer.bogus
460              Number of answers that were bogus.  These  answers  resulted  in
461              SERVFAIL to the client because the answer failed validation.
462
463       num.rrset.bogus
464              The  number  of rrsets marked bogus by the validator.  Increased
465              for every RRset inspection that fails.
466
467       unwanted.queries
468              Number of queries that were  refused  or  dropped  because  they
469              failed the access control settings.
470
471       unwanted.replies
472              Replies that were unwanted or unsolicited.  Could have been ran‐
473              dom traffic, delayed duplicates, very late answers, or could  be
474              spoofing  attempts.   Some low level of late answers and delayed
475              duplicates are to be expected with the UDP protocol.  Very  high
476              values could indicate a threat (spoofing).
477

FILES

479       /etc/unbound/unbound.conf
480              unbound configuration file.
481
482       /etc/unbound
483              directory with private keys (unbound_server.key and unbound_con‐
484              trol.key) and self-signed certificates  (unbound_server.pem  and
485              unbound_control.pem).
486

SEE ALSO

488       unbound.conf(5), unbound(8).
489
490
491
492NLnet Labs                       Mar 21, 2013               unbound-control(8)
Impressum