unbound-control(8)              unbound 1.13.1              unbound-control(8)

NAME

       unbound-control, unbound-control-setup - Unbound remote server control
       utility.

SYNOPSIS

       unbound-control [-hq] [-c cfgfile] [-s server] command

DESCRIPTION

       Unbound-control performs remote administration on the unbound(8) DNS
       server.  It reads the configuration file, contacts the unbound server
       over SSL, sends the command and displays the result.

       The available options are:

       -h     Show the version and commandline option help.

       -c cfgfile
              The config file to read with settings.  If not given the default
              config file /etc/unbound/unbound.conf is used.

       -s server[@port]
              IPv4 or IPv6 address of the server to contact.  If not given,
              the address is read from the config file.

       -q     quiet, if the option is given it does not print anything if it
              works ok.

COMMANDS

       There are several commands that the server understands.

       start  Start the server.  Simply execs unbound(8).  The unbound
              executable is searched for in the PATH set in the environment.
              It is started with the config file specified using -c or the
              default config file.

       stop   Stop the server.  The server daemon exits.

       reload Reload the server.  This flushes the cache and reads the config
              file fresh.

       verbosity number
              Change verbosity value for logging.  Same values as verbosity
              keyword in unbound.conf(5).  This new setting lasts until the
              server is issued a reload (taken from config file again), or the
              next verbosity control command.

       log_reopen
              Reopen the logfile, close and open it.  Useful for logrotation
              to make the daemon release the file it is logging to.  If you
              are using syslog it will attempt to close and open the syslog
              (which may not work if chrooted).

       stats  Print statistics.  Resets the internal counters to zero, this
              can be controlled using the statistics-cumulative config
              statement.  Statistics are printed with one [name]: [value] per
              line.

       stats_noreset
              Peek at statistics.  Prints them like the stats command does,
              but does not reset the internal counters to zero.

       status Display server status.  Exit code 3 if not running (the
              connection to the port is refused), 1 on error, 0 if running.

       local_zone name type
              Add new local zone with name and type.  Like local-zone config
              statement.  If the zone already exists, the type is changed to
              the given argument.

       local_zone_remove name
              Remove the local zone with the given name.  Removes all local
              data inside it.  If the zone does not exist, the command
              succeeds.

       local_data RR data...
              Add new local data, the given resource record.  Like local-data
              config statement, except for when no covering zone exists.  In
              that case this remote control command creates a transparent zone
              with the same name as this record.  This command is not good at
              returning detailed syntax errors.

       local_data_remove name
              Remove all RR data from local name.  If the name already has no
              items, nothing happens.  Often results in NXDOMAIN for the name
              (in a static zone), but if the name has become an empty
              nonterminal (there is still data in domain names below the
              removed name), NOERROR nodata answers are the result for that
              name.

       local_zones
              Add local zones read from stdin of unbound-control.  Input is
              read per line, with name space type on a line.  For bulk
              additions.

       local_zones_remove
              Remove local zones read from stdin of unbound-control.  Input is
              one name per line.  For bulk removals.

       local_datas
              Add local data RRs read from stdin of unbound-control.  Input is
              one RR per line.  For bulk additions.

       local_datas_remove
              Remove local data RRs read from stdin of unbound-control.  Input
              is one name per line.  For bulk removals.

       dump_cache
              The contents of the cache are printed in a text format to
              stdout.  You can redirect it to a file to store the cache in a
              file.

       load_cache
              The contents of the cache are loaded from stdin.  Uses the same
              format as dump_cache uses.  Loading the cache with old, or wrong
              data can result in old or wrong data returned to clients.
              Loading data into the cache in this way is supported in order to
              aid with debugging.

       lookup name
              Print to stdout the name servers that would be used to look up
              the name specified.

       flush name
              Remove the name from the cache.  Removes the types A, AAAA, NS,
              SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR, because that is fast
              to do.  Other record types can be removed using flush_type or
              flush_zone.

       flush_type name type
              Remove the name, type information from the cache.

       flush_zone name
              Remove all information at or below the name from the cache.  The
              rrsets and key entries are removed so that new lookups will be
              performed.  This needs to walk and inspect the entire cache, and
              is a slow operation.  The entries are set to expired in the
              implementation of this command (so, with serve-expired enabled,
              it'll serve that information but schedule a prefetch for new
              information).

       flush_bogus
              Remove all bogus data from the cache.

       flush_negative
              Remove all negative data from the cache.  This is nxdomain
              answers, nodata answers and servfail answers.  Also removes bad
              key entries (which could be due to failed lookups) from the
              dnssec key cache, and iterator last-resort lookup failures from
              the rrset cache.

       flush_stats
              Reset statistics to zero.

       flush_requestlist
              Drop the queries that are worked on.  Stops working on the
              queries that the server is working on now.  The cache is
              unaffected.  No reply is sent for those queries, probably making
              those users request again later.  Useful to make the server
              restart working on queries with new settings, such as a higher
              verbosity level.

       dump_requestlist
              Show what is worked on.  Prints all queries that the server is
              currently working on.  Prints the time that users have been
              waiting.  For internal requests, no time is printed.  And then
              prints out the module status.  This prints the queries from the
              first thread, and not queries that are being serviced from other
              threads.

       flush_infra all|IP
              If all then entire infra cache is emptied.  If a specific IP
              address, the entry for that address is removed from the cache.
              It contains EDNS, ping and lameness data.

       dump_infra
              Show the contents of the infra cache.

       set_option opt: val
              Set the option to the given value without a reload.  The cache
              is therefore not flushed.  The option must end with a ':' and
              whitespace must be between the option and the value.  Some
              values may not have an effect if set this way, the new values
              are not written to the config file, not all options are
              supported.  This is different from the set_option call in
              libunbound, where all values work because unbound has not been
              initialized.

              The values that work are: statistics-interval,
              statistics-cumulative, do-not-query-localhost,
              harden-short-bufsize, harden-large-queries, harden-glue,
              harden-dnssec-stripped, harden-below-nxdomain,
              harden-referral-path, prefetch, prefetch-key, log-queries,
              hide-identity, hide-version, identity, version, val-log-level,
              val-log-squelch, ignore-cd-flag, add-holddown, del-holddown,
              keep-missing, tcp-upstream, ssl-upstream, max-udp-size,
              ratelimit, ip-ratelimit, cache-max-ttl, cache-min-ttl,
              cache-max-negative-ttl.

       get_option opt
              Get the value of the option.  Give the option name without a
              trailing ':'.  The value is printed.  If the value is "",
              nothing is printed and the connection closes.  On error
              'error ...' is printed (it gives a syntax error on unknown
              option).  For some options a list of values, one on each line,
              is printed.  The options are shown from the config file as
              modified with set_option.  For some options an override may have
              been taken that does not show up with this command; for example,
              results from the verbosity and forward control commands are not
              shown.  Not all options work, see list_stubs, list_forwards,
              list_local_zones and list_local_data for those.

       list_stubs
              List the stub zones in use.  These are printed one by one to the
              output.  This includes the root hints in use.

       list_forwards
              List the forward zones in use.  These are printed zone by zone
              to the output.

       list_insecure
              List the zones with domain-insecure.

       list_local_zones
              List the local zones in use.  These are printed one per line
              with zone type.

       list_local_data
              List the local data RRs in use.  The resource records are
              printed.

       insecure_add zone
              Add a domain-insecure for the given zone, like the statement in
              unbound.conf.  Adds to the running unbound without affecting the
              cache contents (which may still be bogus, use flush_zone to
              remove it), does not affect the config file.

       insecure_remove zone
              Removes domain-insecure for the given zone.

       forward_add [+i] zone addr ...
              Add a new forward zone to running unbound.  With +i option also
              adds a domain-insecure for the zone (so it can resolve
              insecurely if you have a DNSSEC root trust anchor configured for
              other names).  The addr can be IP4, IP6 or nameserver names,
              like forward-zone config in unbound.conf.

       forward_remove [+i] zone
              Remove a forward zone from running unbound.  The +i also removes
              a domain-insecure for the zone.

       stub_add [+ip] zone addr ...
              Add a new stub zone to running unbound.  With +i option also
              adds a domain-insecure for the zone.  With +p the stub zone is
              set to prime, without it it is set to notprime.  The addr can be
              IP4, IP6 or nameserver names, like the stub-zone config in
              unbound.conf.

       stub_remove [+i] zone
              Remove a stub zone from running unbound.  The +i also removes a
              domain-insecure for the zone.

       forward [off | addr ... ]
              Setup forwarding mode.  Configures if the server should ask
              other upstream nameservers, should go to the internet root
              nameservers itself, or show the current config.  You could pass
              the nameservers after a DHCP update.

              Without arguments the current list of addresses used to forward
              all queries to is printed.  On startup this is from the
              forward-zone "." configuration.  Afterwards it shows the status.
              It prints off when no forwarding is used.

              If off is passed, forwarding is disabled and the root
              nameservers are used.  This can be used to avoid buggy or
              non-DNSSEC supporting nameservers returned from DHCP.  But may
              not work in hotels or hotspots.

              If one or more IPv4 or IPv6 addresses are given, those are then
              used to forward queries to.  The addresses must be separated
              with spaces.  With '@port' the port number can be set explicitly
              (default port is 53 (DNS)).

              By default the forwarder information from the config file for
              the root "." is used.  The config file is not changed, so after
              a reload these changes are gone.  Other forward zones from the
              config file are not affected by this command.

       ratelimit_list [+a]
              List the domains that are ratelimited.  Printed one per line
              with current estimated qps and qps limit from config.  With +a
              it prints all domains, not just the ratelimited domains, with
              their estimated qps.  The ratelimited domains return an error
              for uncached (new) queries, but cached queries work as normal.

       ip_ratelimit_list [+a]
              List the ip addresses that are ratelimited.  Printed one per
              line with current estimated qps and qps limit from config.  With
              +a it prints all ips, not just the ratelimited ips, with their
              estimated qps.  The ratelimited ips are dropped before checking
              the cache.

       list_auth_zones
              List the auth zones that are configured.  Printed one per line
              with a status, indicating if the zone is expired and current
              serial number.

       auth_zone_reload zone
              Reload the auth zone from zonefile.  The zonefile is read in
              overwriting the current contents of the zone in memory.  This
              changes the auth zone contents itself, not the cache contents.
              Such cache contents exist if you set unbound to validate with
              for-upstream yes, and they can be cleared with flush_zone zone.

       auth_zone_transfer zone
              Transfer the auth zone from master.  The auth zone probe
              sequence is started, where the masters are probed to see if they
              have an updated zone (with the SOA serial check).  And then the
              zone is transferred for a newer zone version.

       rpz_enable zone
              Enable the RPZ zone if it had previously been disabled.

       rpz_disable zone
              Disable the RPZ zone.

       view_list_local_zones view
              list_local_zones for given view.

       view_local_zone view name type
              local_zone for given view.

       view_local_zone_remove view name
              local_zone_remove for given view.

       view_list_local_data view
              list_local_data for given view.

       view_local_data view RR data...
              local_data for given view.

       view_local_data_remove view name
              local_data_remove for given view.

       view_local_datas_remove view
              Remove a list of local_data for given view from stdin.  Like
              local_datas_remove.

       view_local_datas view
              Add a list of local_data for given view from stdin.  Like
              local_datas.

EXIT CODE

       The unbound-control program exits with status code 1 on error, 0 on
       success.

SET UP

       The setup requires a self-signed certificate and private keys for both
       the server and client.  The script unbound-control-setup generates
       these in the default run directory, or with -d in another directory.
       If you change the access control permissions on the key files you can
       decide who can use unbound-control, by default owner and group but not
       all users.  Run the script under the same username as you have
       configured in unbound.conf or as root, so that the daemon is permitted
       to read the files, for example with:
           sudo -u unbound unbound-control-setup
       If you have not configured a username in unbound.conf, the keys need
       read permission for the user credentials under which the daemon is
       started.  The script preserves private keys present in the directory.
       After running the script as root, turn on control-enable in
       unbound.conf.
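
       Added example, not part of the original manual page: a shell check that
       the private keys named under FILES carry no permission bits for other
       users, which is the default described above (owner and group, not all
       users).  The function name and the demo directory are constructed for
       illustration.

```shell
#!/bin/sh
# Added example (not shipped with unbound): audit the control-channel keys.
# Anyone who can read unbound_control.key can issue unbound-control commands,
# so the keys should grant nothing to "other".

audit_control_keys() {
    # $1: directory holding the keys (the FILES section names /etc/unbound)
    _dir="${1:-/etc/unbound}"
    _rc=0
    for _f in unbound_server.key unbound_control.key; do
        _p="$_dir/$_f"
        if [ ! -f "$_p" ]; then
            echo "MISSING $_p"
            _rc=1
        # -L follows a symlink so the mode of the real key file is tested.
        elif [ -n "$(find -L "$_p" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
            echo "EXPOSED $_p (permission bits set for other users)"
            _rc=1
        else
            echo "OK $_p"
        fi
    done
    return "$_rc"
}

# Demo on constructed files: one key with mode 640, one left at 644.
demo_dir=$(mktemp -d)
: > "$demo_dir/unbound_server.key";  chmod 640 "$demo_dir/unbound_server.key"
: > "$demo_dir/unbound_control.key"; chmod 644 "$demo_dir/unbound_control.key"
audit_control_keys "$demo_dir" || echo "tighten with: chmod o-rwx <keyfile>"
rm -rf "$demo_dir"
```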

STATISTIC COUNTERS

       The stats command shows a number of statistic counters.

       threadX.num.queries
              number of queries received by thread

       threadX.num.queries_ip_ratelimited
              number of queries rate limited by thread

       threadX.num.cachehits
              number of queries that were successfully answered using a cache
              lookup

       threadX.num.cachemiss
              number of queries that needed recursive processing

       threadX.num.dnscrypt.crypted
              number of queries that were encrypted and successfully
              decapsulated by dnscrypt.

       threadX.num.dnscrypt.cert
              number of queries that were requesting dnscrypt certificates.

       threadX.num.dnscrypt.cleartext
              number of queries received on dnscrypt port that were cleartext
              and not a request for certificates.

       threadX.num.dnscrypt.malformed
              number of requests that were neither cleartext nor valid
              dnscrypt messages.

       threadX.num.prefetch
              number of cache prefetches performed.  This number is included
              in cachehits, as the original query had the unprefetched answer
              from cache, and resulted in recursive processing, taking a slot
              in the requestlist.  Not part of the recursivereplies (or the
              histogram thereof) or cachemiss, as a cache response was sent.

       threadX.num.expired
              number of replies that served an expired cache entry.

       threadX.num.recursivereplies
              The number of replies sent to queries that needed recursive
              processing.  Could be smaller than threadX.num.cachemiss if due
              to timeouts no replies were sent for some queries.

       threadX.requestlist.avg
              The average number of requests in the internal recursive
              processing request list on insert of a new incoming recursive
              processing query.

       threadX.requestlist.max
              Maximum size attained by the internal recursive processing
              request list.

       threadX.requestlist.overwritten
              Number of requests in the request list that were overwritten by
              newer entries.  This happens if there is a flood of queries that
              need recursive processing and the server has a hard time.

       threadX.requestlist.exceeded
              Queries that were dropped because the request list was full.
              This happens if a flood of queries need recursive processing,
              and the server can not keep up.

       threadX.requestlist.current.all
              Current size of the request list, includes internally generated
              queries (such as priming queries and glue lookups).

       threadX.requestlist.current.user
              Current size of the request list, only the requests from client
              queries.

       threadX.recursion.time.avg
              Average time it took to answer queries that needed recursive
              processing.  Note that queries that were answered from the cache
              are not in this average.

       threadX.recursion.time.median
              The median of the time it took to answer queries that needed
              recursive processing.  The median means that 50% of the user
              queries were answered in less than this time.  Because of big
              outliers (usually queries to non responsive servers), the
              average can be bigger than the median.  This median has been
              calculated by interpolation from a histogram.

       threadX.tcpusage
              The currently held tcp buffers for incoming connections.  A spot
              value on the time of the request.  This helps you spot if the
              incoming-num-tcp buffers are full.

       total.num.queries
              summed over threads.

       total.num.cachehits
              summed over threads.

       total.num.cachemiss
              summed over threads.

       total.num.dnscrypt.crypted
              summed over threads.

       total.num.dnscrypt.cert
              summed over threads.

       total.num.dnscrypt.cleartext
              summed over threads.

       total.num.dnscrypt.malformed
              summed over threads.

       total.num.prefetch
              summed over threads.

       total.num.expired
              summed over threads.

       total.num.recursivereplies
              summed over threads.

       total.requestlist.avg
              averaged over threads.

       total.requestlist.max
              the maximum of the thread requestlist.max values.

       total.requestlist.overwritten
              summed over threads.

       total.requestlist.exceeded
              summed over threads.

       total.requestlist.current.all
              summed over threads.

       total.recursion.time.median
              averaged over threads.

       total.tcpusage
              summed over threads.

       time.now
              current time in seconds since 1970.

       time.up
              uptime since server boot in seconds.

       time.elapsed
              time since last statistics printout, in seconds.

EXTENDED STATISTICS

       mem.cache.rrset
              Memory in bytes in use by the RRset cache.

       mem.cache.message
              Memory in bytes in use by the message cache.

       mem.cache.dnscrypt_shared_secret
              Memory in bytes in use by the dnscrypt shared secrets cache.

       mem.cache.dnscrypt_nonce
              Memory in bytes in use by the dnscrypt nonce cache.

       mem.mod.iterator
              Memory in bytes in use by the iterator module.

       mem.mod.validator
              Memory in bytes in use by the validator module.  Includes the
              key cache and negative cache.

       mem.streamwait
              Memory in bytes in use by the TCP and TLS stream wait buffers.
              These are answers waiting to be written back to the clients.

       mem.http.query_buffer
              Memory in bytes used by the HTTP/2 query buffers.  Containing
              (partial) DNS queries waiting for request stream completion.

       mem.http.response_buffer
              Memory in bytes used by the HTTP/2 response buffers.  Containing
              DNS responses waiting to be written back to the clients.

       histogram.<sec>.<usec>.to.<sec>.<usec>
              Shows a histogram, summed over all threads.  Every element
              counts the recursive queries whose reply time fit between the
              lower and upper bound.  Times larger or equal to the lowerbound,
              and smaller than the upper bound.  There are 40 buckets, with
              bucket sizes doubling.

       num.query.type.A
              The total number of queries over all threads with query type A.
              Printed for the other query types as well, but only for the
              types for which queries were received, thus =0 entries are
              omitted for brevity.

       num.query.type.other
              Number of queries with query types 256-65535.

       num.query.class.IN
              The total number of queries over all threads with query class IN
              (internet).  Also printed for other classes (such as CH (CHAOS)
              sometimes used for debugging), or NONE, ANY, used by dynamic
              update.  num.query.class.other is printed for classes 256-65535.

       num.query.opcode.QUERY
              The total number of queries over all threads with query opcode
              QUERY.  Also printed for other opcodes, UPDATE, ...

       num.query.tcp
              Number of queries that were made using TCP towards the unbound
              server.

       num.query.tcpout
              Number of queries that the unbound server made using TCP
              outgoing towards other servers.

       num.query.tls
              Number of queries that were made using TLS towards the unbound
              server.  These are also counted in num.query.tcp, because TLS
              uses TCP.

       num.query.tls.resume
              Number of TLS session resumptions, these are queries over TLS
              towards the unbound server where the client negotiated a TLS
              session resumption key.

       num.query.https
              Number of queries that were made using HTTPS towards the unbound
              server.  These are also counted in num.query.tcp and
              num.query.tls, because HTTPS uses TLS and TCP.

       num.query.ipv6
              Number of queries that were made using IPv6 towards the unbound
              server.

       num.query.flags.RD
              The number of queries that had the RD flag set in the header.
              Also printed for flags QR, AA, TC, RA, Z, AD, CD.  Note that
              queries with flags QR, AA or TC may have been rejected because
              of that.

       num.query.edns.present
              number of queries that had an EDNS OPT record present.

       num.query.edns.DO
              number of queries that had an EDNS OPT record with the DO
              (DNSSEC OK) bit set.  These queries are also included in the
              num.query.edns.present number.

       num.query.ratelimited
              The number of queries that are turned away from being sent to
              the nameserver due to ratelimiting.

       num.query.dnscrypt.shared_secret.cachemiss
              The number of dnscrypt queries that did not find a shared secret
              in the cache.  This can be used to compute the shared secret
              hitrate.

       num.query.dnscrypt.replay
              The number of dnscrypt queries that found a nonce hit in the
              nonce cache and hence are considered a query replay.

       num.answer.rcode.NXDOMAIN
              The number of answers to queries, from cache or from recursion,
              that had the return code NXDOMAIN.  Also printed for the other
              return codes.

       num.answer.rcode.nodata
              The number of answers to queries that had the pseudo return code
              nodata.  This means the actual return code was NOERROR, but
              additionally, no data was carried in the answer (making what is
              called a NOERROR/NODATA answer).  These queries are also
              included in the num.answer.rcode.NOERROR number.  Common for
              AAAA lookups when an A record exists, and no AAAA.

       num.answer.secure
              Number of answers that were secure.  The answer validated
              correctly.  The AD bit might have been set in some of these
              answers, where the client signalled (with DO or AD bit in the
              query) that they were ready to accept the AD bit in the answer.

       num.answer.bogus
              Number of answers that were bogus.  These answers resulted in
              SERVFAIL to the client because the answer failed validation.

       num.rrset.bogus
              The number of rrsets marked bogus by the validator.  Increased
              for every RRset inspection that fails.

       unwanted.queries
              Number of queries that were refused or dropped because they
              failed the access control settings.

       unwanted.replies
              Replies that were unwanted or unsolicited.  Could have been
              random traffic, delayed duplicates, very late answers, or could
              be spoofing attempts.  Some low level of late answers and
              delayed duplicates are to be expected with the UDP protocol.
              Very high values could indicate a threat (spoofing).

       msg.cache.count
              The number of items (DNS replies) in the message cache.

       rrset.cache.count
              The number of RRsets in the rrset cache.  This includes rrsets
              used by the messages in the message cache, but also delegation
              information.

       infra.cache.count
              The number of items in the infra cache.  These are IP addresses
              with their timing and protocol support information.

       key.cache.count
              The number of items in the key cache.  These are DNSSEC keys,
              one item per delegation point, and their validation status.

       dnscrypt_shared_secret.cache.count
              The number of items in the shared secret cache.  These are
              precomputed shared secrets for a given client public key/server
              secret key pair.  Shared secrets are CPU intensive and this
              cache allows unbound to avoid recomputing the shared secret when
              multiple dnscrypt queries are sent from the same client.

       dnscrypt_nonce.cache.count
              The number of items in the client nonce cache.  This cache is
              used to prevent replay of dnscrypt queries.  The client nonce
              must be unique for each client public key/server secret key
              pair.  This cache should be able to host QPS * `replay window`
              interval keys to prevent replay of a query during `replay
              window` seconds.

       num.query.authzone.up
              The number of queries answered from auth-zone data, upstream
              queries.  These queries would otherwise have been sent (with
              fallback enabled) to the internet, but are now answered from the
              auth zone.

       num.query.authzone.down
              The number of queries for downstream answered from auth-zone
              data.  These queries are from downstream clients, and have had
              an answer from the data in the auth zone.

       num.query.aggressive.NOERROR
              The number of queries answered using cached NSEC records with
              NODATA RCODE.  These queries would otherwise have been sent to
              the internet, but are now answered using cached data.

       num.query.aggressive.NXDOMAIN
              The number of queries answered using cached NSEC records with
              NXDOMAIN RCODE.  These queries would otherwise have been sent to
              the internet, but are now answered using cached data.

       num.query.subnet
              Number of queries that got an answer that contained EDNS client
              subnet data.

       num.query.subnet_cache
              Number of queries answered from the edns client subnet cache.
              These are counted as cachemiss by the main counters, but hit the
              client subnet specific cache, after getting processed by the
              edns client subnet module.

       num.rpz.action.<rpz_action>
              Number of queries answered using configured RPZ policy, per RPZ
              action type.  Possible actions are: nxdomain, nodata, passthru,
              drop, local_data, disabled, and cname_override.
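
       Added example, not part of the original manual page: a shell filter for
       stats_noreset output (which, unlike stats, leaves the counters intact)
       that flags the counters this section ties to spoofing, failed
       validation, replay and overload.  The function names, the thresholds
       and the sample counters are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not shipped with unbound): report security-relevant
# counters from statistics lines read on stdin.
# Accepts "name=value" as well as "name: value" lines.
# $1 is a hypothetical threshold: unwanted.replies allowed, as a percentage
# of total.num.queries (default 1).

check_unbound_stats() {
    awk -F'[=:][ \t]*' -v max_pct="${1:-1}" '
        function report(level, name, note) {
            printf "%s %s=%d %s\n", level, name, v[name], note
            bad = 1
        }
        NF == 2 { v[$1] = $2 + 0 }
        END {
            q = v["total.num.queries"] + 0
            u = v["unwanted.replies"] + 0
            # Unsolicited replies out of proportion to the queries received
            # are the spoofing indicator described for unwanted.replies.
            if (u > 0 && u * 100 > max_pct * q) {
                printf "ALERT unwanted.replies=%d pct_of_queries=%.1f\n", \
                       u, (q > 0 ? u * 100 / q : 100)
                bad = 1
            }
            if (v["num.answer.bogus"] + 0 > 0)
                report("WARN", "num.answer.bogus", "answers failed validation")
            if (v["num.query.dnscrypt.replay"] + 0 > 0)
                report("WARN", "num.query.dnscrypt.replay", "nonce seen before")
            if (v["total.requestlist.exceeded"] + 0 > 0)
                report("WARN", "total.requestlist.exceeded", "queries dropped")
            if (v["unwanted.queries"] + 0 > 0)
                report("WARN", "unwanted.queries", "refused by access control")
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample counters, standing in for:
#   unbound-control stats_noreset | check_unbound_stats 1
sample_stats() {
    cat <<EOF
total.num.queries=20000
total.num.cachehits=15000
total.num.cachemiss=5000
total.requestlist.exceeded=0
num.answer.bogus=12
num.query.dnscrypt.replay=0
unwanted.queries=0
unwanted.replies=900
EOF
}

sample_stats | check_unbound_stats 1 || echo "review the counters listed above"
```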

FILES

       /etc/unbound/unbound.conf
              unbound configuration file.

       /etc/unbound
              directory with private keys (unbound_server.key and
              unbound_control.key) and self-signed certificates
              (unbound_server.pem and unbound_control.pem).

SEE ALSO

       unbound.conf(5), unbound(8).

NLnet Labs                       Feb  9, 2021               unbound-control(8)