unbound-control(8)              unbound 1.13.2              unbound-control(8)

NAME

       unbound-control, unbound-control-setup - Unbound remote server control
       utility.

SYNOPSIS

       unbound-control [-hq] [-c cfgfile] [-s server] command

DESCRIPTION

       Unbound-control performs remote administration on the unbound(8) DNS
       server. It reads the configuration file, contacts the unbound server
       over SSL, sends the command and displays the result.

       The available options are:

       -h     Show the version and commandline option help.

       -c cfgfile
              The config file to read with settings. If not given, the default
              config file /etc/unbound/unbound.conf is used.

       -s server[@port]
              IPv4 or IPv6 address of the server to contact. If not given,
              the address is read from the config file.

       -q     Quiet: if the option is given, nothing is printed when the
              command works ok.

COMMANDS

       There are several commands that the server understands.

       start  Start the server. Simply execs unbound(8). The unbound
              executable is searched for in the PATH set in the environment.
              It is started with the config file specified using -c or the
              default config file.

       stop   Stop the server. The server daemon exits.

       reload Reload the server. This flushes the cache and reads the config
              file fresh.

       verbosity number
              Change verbosity value for logging. Same values as the verbosity
              keyword in unbound.conf(5). This new setting lasts until the
              server is issued a reload (taken from config file again), or the
              next verbosity control command.

       log_reopen
              Reopen the logfile, close and open it. Useful for logrotation
              to make the daemon release the file it is logging to. If you
              are using syslog it will attempt to close and open the syslog
              (which may not work if chrooted).

       stats  Print statistics. Resets the internal counters to zero; this can
              be controlled using the statistics-cumulative config statement.
              Statistics are printed with one [name]: [value] per line.

       stats_noreset
              Peek at statistics. Prints them like the stats command does, but
              does not reset the internal counters to zero.

       status Display server status. Exit code 3 if not running (the
              connection to the port is refused), 1 on error, 0 if running.

       local_zone name type
              Add new local zone with name and type. Like the local-zone
              config statement. If the zone already exists, the type is
              changed to the given argument.

       local_zone_remove name
              Remove the local zone with the given name. Removes all local
              data inside it. If the zone does not exist, the command
              succeeds.

       local_data RR data...
              Add new local data, the given resource record. Like the
              local-data config statement, except for when no covering zone
              exists. In that case this remote control command creates a
              transparent zone with the same name as this record.

       local_data_remove name
              Remove all RR data from local name. If the name already has no
              items, nothing happens. Often results in NXDOMAIN for the name
              (in a static zone), but if the name has become an empty
              nonterminal (there is still data in domain names below the
              removed name), NOERROR nodata answers are the result for that
              name.

       local_zones
              Add local zones read from stdin of unbound-control. Input is
              read per line, with name space type on a line. For bulk
              additions.

       local_zones_remove
              Remove local zones read from stdin of unbound-control. Input is
              one name per line. For bulk removals.

       local_datas
              Add local data RRs read from stdin of unbound-control. Input is
              one RR per line. For bulk additions.

       local_datas_remove
              Remove local data RRs read from stdin of unbound-control. Input
              is one name per line. For bulk removals.

       dump_cache
              The contents of the cache are printed in a text format to
              stdout. You can redirect it to a file to store the cache in a
              file.

       load_cache
              The contents of the cache are loaded from stdin. Uses the same
              format as dump_cache uses. Loading the cache with old, or wrong
              data can result in old or wrong data returned to clients.
              Loading data into the cache in this way is supported in order
              to aid with debugging.

       lookup name
              Print to stdout the name servers that would be used to look up
              the name specified.

       flush name
              Remove the name from the cache. Removes the types A, AAAA, NS,
              SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR, because that is fast
              to do. Other record types can be removed using flush_type or
              flush_zone.

       flush_type name type
              Remove the name, type information from the cache.

       flush_zone name
              Remove all information at or below the name from the cache. The
              rrsets and key entries are removed so that new lookups will be
              performed. This needs to walk and inspect the entire cache, and
              is a slow operation. The entries are set to expired in the
              implementation of this command (so, with serve-expired enabled,
              it'll serve that information but schedule a prefetch for new
              information).

       flush_bogus
              Remove all bogus data from the cache.

       flush_negative
              Remove all negative data from the cache. This is nxdomain
              answers, nodata answers and servfail answers. Also removes bad
              key entries (which could be due to failed lookups) from the
              dnssec key cache, and iterator last-resort lookup failures from
              the rrset cache.

       flush_stats
              Reset statistics to zero.

       flush_requestlist
              Drop the queries that are worked on. Stops working on the
              queries that the server is working on now. The cache is
              unaffected. No reply is sent for those queries, probably making
              those users request again later. Useful to make the server
              restart working on queries with new settings, such as a higher
              verbosity level.

       dump_requestlist
              Show what is worked on. Prints all queries that the server is
              currently working on. Prints the time that users have been
              waiting. For internal requests, no time is printed. And then
              prints out the module status. This prints the queries from the
              first thread, and not queries that are being serviced from other
              threads.

       flush_infra all|IP
              If all, then the entire infra cache is emptied. If a specific IP
              address, the entry for that address is removed from the cache.
              It contains EDNS, ping and lameness data.

       dump_infra
              Show the contents of the infra cache.

       set_option opt: val
              Set the option to the given value without a reload. The cache
              is therefore not flushed. The option must end with a ':' and
              whitespace must be between the option and the value. Some
              values may not have an effect if set this way; the new values
              are not written to the config file, and not all options are
              supported. This is different from the set_option call in
              libunbound, where all values work because unbound has not been
              initialized.

              The values that work are: statistics-interval,
              statistics-cumulative, do-not-query-localhost,
              harden-short-bufsize, harden-large-queries, harden-glue,
              harden-dnssec-stripped, harden-below-nxdomain,
              harden-referral-path, prefetch, prefetch-key, log-queries,
              hide-identity, hide-version, identity, version, val-log-level,
              val-log-squelch, ignore-cd-flag, add-holddown, del-holddown,
              keep-missing, tcp-upstream, ssl-upstream, max-udp-size,
              ratelimit, ip-ratelimit, cache-max-ttl, cache-min-ttl,
              cache-max-negative-ttl.

       get_option opt
              Get the value of the option. Give the option name without a
              trailing ':'. The value is printed. If the value is "",
              nothing is printed and the connection closes. On error
              'error ...' is printed (it gives a syntax error on unknown
              option). For some options a list of values, one on each line,
              is printed. The options are shown from the config file as
              modified with set_option. For some options an override may have
              been taken that does not show up with this command, nor do
              results from e.g. the verbosity and forward control commands.
              Not all options work, see list_stubs, list_forwards,
              list_local_zones and list_local_data for those.

       list_stubs
              List the stub zones in use. These are printed one by one to the
              output. This includes the root hints in use.

       list_forwards
              List the forward zones in use. These are printed zone by zone
              to the output.

       list_insecure
              List the zones with domain-insecure.

       list_local_zones
              List the local zones in use. These are printed one per line
              with zone type.

       list_local_data
              List the local data RRs in use. The resource records are
              printed.

       insecure_add zone
              Add a domain-insecure for the given zone, like the statement in
              unbound.conf. Adds to the running unbound without affecting the
              cache contents (which may still be bogus, use flush_zone to
              remove it), does not affect the config file.

       insecure_remove zone
              Removes domain-insecure for the given zone.

       forward_add [+i] zone addr ...
              Add a new forward zone to running unbound. With +i option also
              adds a domain-insecure for the zone (so it can resolve
              insecurely if you have a DNSSEC root trust anchor configured
              for other names). The addr can be IP4, IP6 or nameserver names,
              like forward-zone config in unbound.conf.

       forward_remove [+i] zone
              Remove a forward zone from running unbound. The +i also removes
              a domain-insecure for the zone.

       stub_add [+ip] zone addr ...
              Add a new stub zone to running unbound. With +i option also
              adds a domain-insecure for the zone. With +p the stub zone is
              set to prime, without it it is set to notprime. The addr can be
              IP4, IP6 or nameserver names, like the stub-zone config in
              unbound.conf.

       stub_remove [+i] zone
              Remove a stub zone from running unbound. The +i also removes a
              domain-insecure for the zone.

       forward [off | addr ... ]
              Setup forwarding mode. Configures if the server should ask
              other upstream nameservers, should go to the internet root
              nameservers itself, or show the current config. You could pass
              the nameservers after a DHCP update.

              Without arguments the current list of addresses used to forward
              all queries to is printed. On startup this is from the
              forward-zone "." configuration. Afterwards it shows the status.
              It prints off when no forwarding is used.

              If off is passed, forwarding is disabled and the root
              nameservers are used. This can be used to avoid buggy or
              non-DNSSEC supporting nameservers returned from DHCP. But this
              may not work in hotels or hotspots.

              If one or more IPv4 or IPv6 addresses are given, those are then
              used to forward queries to. The addresses must be separated
              with spaces. With '@port' the port number can be set explicitly
              (default port is 53 (DNS)).

              By default the forwarder information from the config file for
              the root "." is used. The config file is not changed, so after
              a reload these changes are gone. Other forward zones from the
              config file are not affected by this command.

       ratelimit_list [+a]
              List the domains that are ratelimited. Printed one per line
              with current estimated qps and qps limit from config. With +a
              it prints all domains, not just the ratelimited domains, with
              their estimated qps. The ratelimited domains return an error
              for uncached (new) queries, but cached queries work as normal.

       ip_ratelimit_list [+a]
              List the ip addresses that are ratelimited. Printed one per
              line with current estimated qps and qps limit from config. With
              +a it prints all ips, not just the ratelimited ips, with their
              estimated qps. The ratelimited ips are dropped before checking
              the cache.

       list_auth_zones
              List the auth zones that are configured. Printed one per line
              with a status, indicating if the zone is expired and current
              serial number.

       auth_zone_reload zone
              Reload the auth zone from zonefile. The zonefile is read in
              overwriting the current contents of the zone in memory. This
              changes the auth zone contents itself, not the cache contents.
              Such cache contents exist if you set unbound to validate with
              for-upstream yes and that can be cleared with flush_zone zone.

       auth_zone_transfer zone
              Transfer the auth zone from master. The auth zone probe
              sequence is started, where the masters are probed to see if
              they have an updated zone (with the SOA serial check). And then
              the zone is transferred for a newer zone version.

       rpz_enable zone
              Enable the RPZ zone if it had previously been disabled.

       rpz_disable zone
              Disable the RPZ zone.

       view_list_local_zones view
              list_local_zones for given view.

       view_local_zone view name type
              local_zone for given view.

       view_local_zone_remove view name
              local_zone_remove for given view.

       view_list_local_data view
              list_local_data for given view.

       view_local_data view RR data...
              local_data for given view.

       view_local_data_remove view name
              local_data_remove for given view.

       view_local_datas_remove view
              Remove a list of local_data for given view from stdin. Like
              local_datas_remove.

       view_local_datas view
              Add a list of local_data for given view from stdin. Like
              local_datas.
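       Added example (not part of the original manual page): preparing the
       "name space type" input that the local_zones command reads from stdin,
       from an untrusted blocklist. The function name, the sample list and the
       allow-list of zone types accepted here are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn a domain blocklist into validated "name type" lines
# suitable for piping into `unbound-control local_zones`.

# Constructed sample blocklist (not real indicator data).
sample_blocklist() {
    cat <<'EOF'
# constructed sample blocklist
Ads.Example.
tracker.example   # inline comment
ads.example
bad name.example refuse
.
EOF
}

# blocklist_to_local_zones [TYPE]
# Reads one domain per line on stdin and writes "name type" lines on stdout.
# Rejected lines are reported on stderr and never reach the server.
blocklist_to_local_zones() {
    ztype=${1:-always_nxdomain}
    # Allow-list of blocking zone types chosen for this example.
    case $ztype in
        static|refuse|deny|always_nxdomain|always_refuse) ;;
        *) echo "unsupported zone type: $ztype" >&2; return 2 ;;
    esac
    LC_ALL=C awk -v t="$ztype" '
    {
        sub(/#.*/, "")                   # drop comments
        gsub(/^[ \t]+|[ \t\r]+$/, "")    # trim surrounding whitespace
        if ($0 == "") next
        name = tolower($0)
        sub(/\.$/, "", name)             # normalise a trailing dot
        # A line with embedded whitespace could smuggle in its own zone
        # type, and "." would cover the whole namespace: both fail here.
        if (!valid(name)) { print "rejected: " $0 > "/dev/stderr"; next }
        if (!(name in seen)) { seen[name] = 1; print name, t }
    }
    function valid(n,    parts, k, i) {
        if (length(n) > 253 || n !~ /^[a-z0-9._-]+$/) return 0
        k = split(n, parts, ".")
        for (i = 1; i <= k; i++)
            if (length(parts[i]) < 1 || length(parts[i]) > 63) return 0
        return 1
    }'
}

# Demonstration on the constructed sample. In production the output would be
# piped on:  blocklist_to_local_zones always_nxdomain < list | unbound-control local_zones
sample_blocklist | blocklist_to_local_zones always_nxdomain
```

       The zones added this way are not written to the config file, so they
       have to be loaded again after the server is restarted.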

EXIT CODE

       The unbound-control program exits with status code 1 on error, 0 on
       success.

SET UP

       The setup requires a self-signed certificate and private keys for both
       the server and client. The script unbound-control-setup generates
       these in the default run directory, or with -d in another directory.
       By changing the access control permissions on the key files you decide
       who can use unbound-control; by default this is owner and group, but
       not all users. Run the script under the same username as you have
       configured in unbound.conf or as root, so that the daemon is permitted
       to read the files, for example with:
           sudo -u unbound unbound-control-setup
       If you have not configured a username in unbound.conf, the keys need
       read permission for the user credentials under which the daemon is
       started. The script preserves private keys present in the directory.
       After running the script as root, turn on control-enable in
       unbound.conf.
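       Added example (not part of the original manual page): an audit of the
       private key permissions that decide who can use unbound-control. The
       key file names are those listed under FILES; the function name is
       hypothetical and the group-writable check is an extra policy assumed
       by this example.

```shell
#!/bin/sh
# Added example: check that the unbound-control private keys are readable
# by owner and group only, as the SET UP section describes.

# audit_control_keys DIR
# Prints one line per key file and returns 0 only if every key passes.
audit_control_keys() {
    dir=$1
    rc=0
    for f in unbound_server.key unbound_control.key; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        # Mode string from ls, e.g. "-rw-r-----": character 1 is the file
        # type, 2-4 owner, 5-7 group, 8-10 other.
        mode=$(ls -ld "$path" | cut -c1-10)
        group_w=$(printf '%s' "$mode" | cut -c6)
        other=$(printf '%s' "$mode" | cut -c8-10)
        if [ "$other" != "---" ]; then
            # Any access for "all users" lets every local account act as a
            # control client, or read the server key.
            echo "WORLD-ACCESSIBLE $path ($mode)"
            rc=1
        elif [ "$group_w" != "-" ]; then
            # Assumption of this example: group members may read the key
            # but should not be able to replace it.
            echo "GROUP-WRITABLE $path ($mode)"
            rc=1
        else
            echo "OK $path ($mode)"
        fi
    done
    return $rc
}

# Run against a directory given on the command line, e.g. /etc/unbound.
if [ "$#" -gt 0 ]; then
    audit_control_keys "$1"
fi
```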

STATISTIC COUNTERS

       The stats command shows a number of statistic counters.

       threadX.num.queries
              number of queries received by thread

       threadX.num.queries_ip_ratelimited
              number of queries rate limited by thread

       threadX.num.cachehits
              number of queries that were successfully answered using a cache
              lookup

       threadX.num.cachemiss
              number of queries that needed recursive processing

       threadX.num.dnscrypt.crypted
              number of queries that were encrypted and successfully
              decapsulated by dnscrypt.

       threadX.num.dnscrypt.cert
              number of queries that were requesting dnscrypt certificates.

       threadX.num.dnscrypt.cleartext
              number of queries received on dnscrypt port that were cleartext
              and not a request for certificates.

       threadX.num.dnscrypt.malformed
              number of requests that were neither cleartext nor valid
              dnscrypt messages.

       threadX.num.prefetch
              number of cache prefetches performed. This number is included
              in cachehits, as the original query had the unprefetched answer
              from cache, and resulted in recursive processing, taking a slot
              in the requestlist. Not part of the recursivereplies (or the
              histogram thereof) or cachemiss, as a cache response was sent.

       threadX.num.expired
              number of replies that served an expired cache entry.

       threadX.num.recursivereplies
              The number of replies sent to queries that needed recursive
              processing. Could be smaller than threadX.num.cachemiss if due
              to timeouts no replies were sent for some queries.

       threadX.requestlist.avg
              The average number of requests in the internal recursive
              processing request list on insert of a new incoming recursive
              processing query.

       threadX.requestlist.max
              Maximum size attained by the internal recursive processing
              request list.

       threadX.requestlist.overwritten
              Number of requests in the request list that were overwritten by
              newer entries. This happens if there is a flood of queries that
              need recursive processing and the server has a hard time.

       threadX.requestlist.exceeded
              Queries that were dropped because the request list was full.
              This happens if a flood of queries need recursive processing,
              and the server can not keep up.

       threadX.requestlist.current.all
              Current size of the request list, includes internally generated
              queries (such as priming queries and glue lookups).

       threadX.requestlist.current.user
              Current size of the request list, only the requests from client
              queries.

       threadX.recursion.time.avg
              Average time it took to answer queries that needed recursive
              processing. Note that queries that were answered from the cache
              are not in this average.

       threadX.recursion.time.median
              The median of the time it took to answer queries that needed
              recursive processing. The median means that 50% of the user
              queries were answered in less than this time. Because of big
              outliers (usually queries to non responsive servers), the
              average can be bigger than the median. This median has been
              calculated by interpolation from a histogram.

       threadX.tcpusage
              The currently held tcp buffers for incoming connections. A spot
              value on the time of the request. This helps you spot if the
              incoming-num-tcp buffers are full.

       total.num.queries
              summed over threads.

       total.num.cachehits
              summed over threads.

       total.num.cachemiss
              summed over threads.

       total.num.dnscrypt.crypted
              summed over threads.

       total.num.dnscrypt.cert
              summed over threads.

       total.num.dnscrypt.cleartext
              summed over threads.

       total.num.dnscrypt.malformed
              summed over threads.

       total.num.prefetch
              summed over threads.

       total.num.expired
              summed over threads.

       total.num.recursivereplies
              summed over threads.

       total.requestlist.avg
              averaged over threads.

       total.requestlist.max
              the maximum of the thread requestlist.max values.

       total.requestlist.overwritten
              summed over threads.

       total.requestlist.exceeded
              summed over threads.

       total.requestlist.current.all
              summed over threads.

       total.recursion.time.median
              averaged over threads.

       total.tcpusage
              summed over threads.

       time.now
              current time in seconds since 1970.

       time.up
              uptime since server boot in seconds.

       time.elapsed
              time since last statistics printout, in seconds.

EXTENDED STATISTICS

       mem.cache.rrset
              Memory in bytes in use by the RRset cache.

       mem.cache.message
              Memory in bytes in use by the message cache.

       mem.cache.dnscrypt_shared_secret
              Memory in bytes in use by the dnscrypt shared secrets cache.

       mem.cache.dnscrypt_nonce
              Memory in bytes in use by the dnscrypt nonce cache.

       mem.mod.iterator
              Memory in bytes in use by the iterator module.

       mem.mod.validator
              Memory in bytes in use by the validator module. Includes the key
              cache and negative cache.

       mem.streamwait
              Memory in bytes in use by the TCP and TLS stream wait buffers.
              These are answers waiting to be written back to the clients.

       mem.http.query_buffer
              Memory in bytes used by the HTTP/2 query buffers. Containing
              (partial) DNS queries waiting for request stream completion.

       mem.http.response_buffer
              Memory in bytes used by the HTTP/2 response buffers. Containing
              DNS responses waiting to be written back to the clients.

       histogram.<sec>.<usec>.to.<sec>.<usec>
              Shows a histogram, summed over all threads. Every element counts
              the recursive queries whose reply time fit between the lower and
              upper bound. Times larger or equal to the lower bound, and
              smaller than the upper bound. There are 40 buckets, with bucket
              sizes doubling.

       num.query.type.A
              The total number of queries over all threads with query type A.
              Printed for the other query types as well, but only for the
              types for which queries were received, thus =0 entries are
              omitted for brevity.

       num.query.type.other
              Number of queries with query types 256-65535.

       num.query.class.IN
              The total number of queries over all threads with query class IN
              (internet). Also printed for other classes (such as CH (CHAOS)
              sometimes used for debugging), or NONE, ANY, used by dynamic
              update. num.query.class.other is printed for classes 256-65535.

       num.query.opcode.QUERY
              The total number of queries over all threads with query opcode
              QUERY. Also printed for other opcodes, UPDATE, ...

       num.query.tcp
              Number of queries that were made using TCP towards the unbound
              server.

       num.query.tcpout
              Number of queries that the unbound server made using TCP
              outgoing towards other servers.

       num.query.tls
              Number of queries that were made using TLS towards the unbound
              server. These are also counted in num.query.tcp, because TLS
              uses TCP.

       num.query.tls.resume
              Number of TLS session resumptions, these are queries over TLS
              towards the unbound server where the client negotiated a TLS
              session resumption key.

       num.query.https
              Number of queries that were made using HTTPS towards the unbound
              server. These are also counted in num.query.tcp and
              num.query.tls, because HTTPS uses TLS and TCP.

       num.query.ipv6
              Number of queries that were made using IPv6 towards the unbound
              server.

       num.query.flags.RD
              The number of queries that had the RD flag set in the header.
              Also printed for flags QR, AA, TC, RA, Z, AD, CD. Note that
              queries with flags QR, AA or TC may have been rejected because
              of that.

       num.query.edns.present
              number of queries that had an EDNS OPT record present.

       num.query.edns.DO
              number of queries that had an EDNS OPT record with the DO
              (DNSSEC OK) bit set. These queries are also included in the
              num.query.edns.present number.

       num.query.ratelimited
              The number of queries that are turned away from being sent to
              nameserver due to ratelimiting.

       num.query.dnscrypt.shared_secret.cachemiss
              The number of dnscrypt queries that did not find a shared secret
              in the cache. This can be used to compute the shared secret
              hitrate.

       num.query.dnscrypt.replay
              The number of dnscrypt queries that found a nonce hit in the
              nonce cache and hence are considered a query replay.

       num.answer.rcode.NXDOMAIN
              The number of answers to queries, from cache or from recursion,
              that had the return code NXDOMAIN. Also printed for the other
              return codes.

       num.answer.rcode.nodata
              The number of answers to queries that had the pseudo return code
              nodata. This means the actual return code was NOERROR, but
              additionally, no data was carried in the answer (making what is
              called a NOERROR/NODATA answer). These queries are also
              included in the num.answer.rcode.NOERROR number. Common for AAAA
              lookups when an A record exists, and no AAAA.

       num.answer.secure
              Number of answers that were secure. The answer validated
              correctly. The AD bit might have been set in some of these
              answers, where the client signalled (with DO or AD bit in the
              query) that they were ready to accept the AD bit in the answer.

       num.answer.bogus
              Number of answers that were bogus. These answers resulted in
              SERVFAIL to the client because the answer failed validation.

       num.rrset.bogus
              The number of rrsets marked bogus by the validator. Increased
              for every RRset inspection that fails.

       unwanted.queries
              Number of queries that were refused or dropped because they
              failed the access control settings.

       unwanted.replies
              Replies that were unwanted or unsolicited. Could have been
              random traffic, delayed duplicates, very late answers, or could
              be spoofing attempts. Some low level of late answers and delayed
              duplicates are to be expected with the UDP protocol. Very high
              values could indicate a threat (spoofing).

       msg.cache.count
              The number of items (DNS replies) in the message cache.

       rrset.cache.count
              The number of RRsets in the rrset cache. This includes rrsets
              used by the messages in the message cache, but also delegation
              information.

       infra.cache.count
              The number of items in the infra cache. These are IP addresses
              with their timing and protocol support information.

       key.cache.count
              The number of items in the key cache. These are DNSSEC keys,
              one item per delegation point, and their validation status.

       dnscrypt_shared_secret.cache.count
              The number of items in the shared secret cache. These are
              precomputed shared secrets for a given client public key/server
              secret key pair. Shared secrets are CPU intensive and this cache
              allows unbound to avoid recomputing the shared secret when
              multiple dnscrypt queries are sent from the same client.

       dnscrypt_nonce.cache.count
              The number of items in the client nonce cache. This cache is
              used to prevent dnscrypt queries replay. The client nonce must
              be unique for each client public key/server secret key pair.
              This cache should be able to host QPS * `replay window` interval
              keys to prevent replay of a query during `replay window`
              seconds.

       num.query.authzone.up
              The number of queries answered from auth-zone data, upstream
              queries. These queries would otherwise have been sent (with
              fallback enabled) to the internet, but are now answered from the
              auth zone.

       num.query.authzone.down
              The number of queries for downstream answered from auth-zone
              data. These queries are from downstream clients, and have had
              an answer from the data in the auth zone.

       num.query.aggressive.NOERROR
              The number of queries answered using cached NSEC records with
              NODATA RCODE. These queries would otherwise have been sent to
              the internet, but are now answered using cached data.

       num.query.aggressive.NXDOMAIN
              The number of queries answered using cached NSEC records with
              NXDOMAIN RCODE. These queries would otherwise have been sent to
              the internet, but are now answered using cached data.

       num.query.subnet
              Number of queries that got an answer that contained EDNS client
              subnet data.

       num.query.subnet_cache
              Number of queries answered from the edns client subnet cache.
              These are counted as cachemiss by the main counters, but hit the
              client subnet specific cache, after getting processed by the
              edns client subnet module.

       num.rpz.action.<rpz_action>
              Number of queries answered using configured RPZ policy, per RPZ
              action type. Possible actions are: nxdomain, nodata, passthru,
              drop, local_data, disabled, and cname_override.
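       Added example (not part of the original manual page): a triage of the
       counters described above for signs of spoofing, validation failures
       and overload. It assumes the name=value line format that
       unbound-control prints; the function names, the sample values and the
       alert threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: read unbound-control statistics on stdin and report the
# counters a defender would look at first.

# Constructed sample input (not captured from a real server).
sample_stats() {
    cat <<'EOF'
total.num.queries=2000
total.num.cachehits=1500
total.num.cachemiss=500
total.num.recursivereplies=480
total.requestlist.exceeded=0
num.answer.bogus=3
num.query.dnscrypt.replay=0
unwanted.queries=12
unwanted.replies=4200
EOF
}

# stats_health [UNWANTED_MAX]
# UNWANTED_MAX is the alert threshold for unwanted.replies (default 1000,
# an assumption: tune it to the baseline of the resolver being watched).
# Returns 1 when at least one finding is reported, 0 otherwise.
stats_health() {
    LC_ALL=C awk -v unwanted_max="${1:-1000}" '
    {
        # Split on the first "=" only; missing counters read as 0 later.
        i = index($0, "=")
        if (i == 0) next
        v[substr($0, 1, i - 1)] = substr($0, i + 1) + 0
    }
    END {
        findings = 0
        q = v["total.num.queries"]
        if (q > 0)
            printf "cache_hit_pct=%.1f\n", 100 * v["total.num.cachehits"] / q
        # recursivereplies can be smaller than cachemiss when timeouts
        # meant no reply was sent for some queries.
        unanswered = v["total.num.cachemiss"] - v["total.num.recursivereplies"]
        if (unanswered > 0)
            printf "unanswered_recursive=%d\n", unanswered
        if (v["unwanted.replies"] > unwanted_max) {
            printf "ALERT unwanted.replies=%d exceeds %d (possible spoofing)\n",
                   v["unwanted.replies"], unwanted_max
            findings++
        }
        if (v["num.answer.bogus"] > 0) {
            printf "WARN num.answer.bogus=%d (answers failed validation)\n",
                   v["num.answer.bogus"]
            findings++
        }
        if (v["num.query.dnscrypt.replay"] > 0) {
            printf "WARN num.query.dnscrypt.replay=%d (replayed nonces)\n",
                   v["num.query.dnscrypt.replay"]
            findings++
        }
        if (v["total.requestlist.exceeded"] > 0) {
            printf "WARN total.requestlist.exceeded=%d (queries dropped)\n",
                   v["total.requestlist.exceeded"]
            findings++
        }
        exit (findings > 0)
    }'
}

# Demonstration on the constructed sample. Against a live server, feed it
# from `unbound-control stats_noreset` so the counters are not reset.
sample_stats | stats_health 1000 || true
```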

FILES

       /etc/unbound/unbound.conf
              unbound configuration file.

       /etc/unbound
              directory with private keys (unbound_server.key and
              unbound_control.key) and self-signed certificates
              (unbound_server.pem and unbound_control.pem).

SEE ALSO

       unbound.conf(5), unbound(8).

NLnet Labs                       Aug 12, 2021               unbound-control(8)