unbound-control(8)              unbound 1.16.0              unbound-control(8)

NAME

       unbound-control, unbound-control-setup - Unbound remote server control
       utility.

SYNOPSIS

       unbound-control [-hq] [-c cfgfile] [-s server] command

DESCRIPTION

       Unbound-control performs remote administration on the unbound(8) DNS
       server. It reads the configuration file, contacts the Unbound server
       over SSL, sends the command and displays the result.

       The available options are:

       -h     Show the version and command-line option help.

       -c cfgfile
              The config file to read with settings. If not given, the default
              config file /etc/unbound/unbound.conf is used.

       -s server[@port]
              IPv4 or IPv6 address of the server to contact. If not given,
              the address is read from the config file.

       -q     Quiet. If this option is given, nothing is printed when the
              command works ok.

COMMANDS

       There are several commands that the server understands.

       start  Start the server. Simply execs unbound(8). The Unbound
              executable is searched for in the PATH set in the environment.
              It is started with the config file specified using -c or the
              default config file.

       stop   Stop the server. The server daemon exits.

       reload Reload the server. This flushes the cache and reads the config
              file fresh.

       verbosity number
              Change verbosity value for logging. Same values as the verbosity
              keyword in unbound.conf(5). This new setting lasts until the
              server is issued a reload (taken from config file again), or the
              next verbosity control command.

       log_reopen
              Reopen the logfile, close and open it. Useful for logrotation
              to make the daemon release the file it is logging to. If you
              are using syslog it will attempt to close and open the syslog
              (which may not work if chrooted).

       stats  Print statistics. Resets the internal counters to zero; this can
              be controlled using the statistics-cumulative config statement.
              Statistics are printed with one [name]: [value] per line.

       stats_noreset
              Peek at statistics. Prints them like the stats command does, but
              does not reset the internal counters to zero.

       status Display server status. Exit code 3 if not running (the
              connection to the port is refused), 1 on error, 0 if running.
       local_zone name type
              Add new local zone with name and type. Like the local-zone
              config statement. If the zone already exists, the type is
              changed to the given argument.

       local_zone_remove name
              Remove the local zone with the given name. Removes all local
              data inside it. If the zone does not exist, the command
              succeeds.

       local_data RR data...
              Add new local data, the given resource record. Like the
              local-data config statement, except for when no covering zone
              exists. In that case this remote control command creates a
              transparent zone with the same name as this record.

       local_data_remove name
              Remove all RR data from local name. If the name already has no
              items, nothing happens. Often results in NXDOMAIN for the name
              (in a static zone), but if the name has become an empty
              nonterminal (there is still data in domain names below the
              removed name), NOERROR nodata answers are the result for that
              name.

       local_zones
              Add local zones read from stdin of unbound-control. Input is
              read per line, with name, a space, and type on each line. For
              bulk additions.

       local_zones_remove
              Remove local zones read from stdin of unbound-control. Input is
              one name per line. For bulk removals.

       local_datas
              Add local data RRs read from stdin of unbound-control. Input is
              one RR per line. For bulk additions.

       local_datas_remove
              Remove local data RRs read from stdin of unbound-control. Input
              is one name per line. For bulk removals.
       dump_cache
              The contents of the cache are printed in a text format to
              stdout. You can redirect it to a file to store the cache in a
              file.

       load_cache
              The contents of the cache are loaded from stdin. Uses the same
              format as dump_cache uses. Loading the cache with old, or wrong
              data can result in old or wrong data returned to clients.
              Loading data into the cache in this way is supported in order
              to aid with debugging.

       lookup name
              Print to stdout the name servers that would be used to look up
              the name specified.

       flush name
              Remove the name from the cache. Removes the types A, AAAA, NS,
              SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR, because that is fast
              to do. Other record types can be removed using flush_type or
              flush_zone.

       flush_type name type
              Remove the name, type information from the cache.

       flush_zone name
              Remove all information at or below the name from the cache. The
              rrsets and key entries are removed so that new lookups will be
              performed. This needs to walk and inspect the entire cache, and
              is a slow operation. The entries are set to expired in the
              implementation of this command (so, with serve-expired enabled,
              it'll serve that information but schedule a prefetch for new
              information).

       flush_bogus
              Remove all bogus data from the cache.

       flush_negative
              Remove all negative data from the cache. This is nxdomain
              answers, nodata answers and servfail answers. Also removes bad
              key entries (which could be due to failed lookups) from the
              dnssec key cache, and iterator last-resort lookup failures from
              the rrset cache.

       flush_stats
              Reset statistics to zero.

       flush_requestlist
              Drop the queries that are worked on. Stops working on the
              queries that the server is working on now. The cache is
              unaffected. No reply is sent for those queries, probably making
              those users request again later. Useful to make the server
              restart working on queries with new settings, such as a higher
              verbosity level.

       dump_requestlist
              Show what is worked on. Prints all queries that the server is
              currently working on. Prints the time that users have been
              waiting. For internal requests, no time is printed. And then
              prints out the module status. This prints the queries from the
              first thread, and not queries that are being serviced from other
              threads.
       flush_infra all|IP
              If all is given, the entire infra cache is emptied. If a
              specific IP address is given, the entry for that address is
              removed from the cache. It contains EDNS, ping and lameness
              data.

       dump_infra
              Show the contents of the infra cache.

       set_option opt: val
              Set the option to the given value without a reload. The cache
              is therefore not flushed. The option must end with a ':' and
              whitespace must be between the option and the value. Some
              values may not have an effect if set this way, the new values
              are not written to the config file, and not all options are
              supported. This is different from the set_option call in
              libunbound, where all values work because Unbound has not been
              initialized.

              The values that work are: statistics-interval,
              statistics-cumulative, do-not-query-localhost,
              harden-short-bufsize, harden-large-queries, harden-glue,
              harden-dnssec-stripped, harden-below-nxdomain,
              harden-referral-path, prefetch, prefetch-key, log-queries,
              hide-identity, hide-version, identity, version, val-log-level,
              val-log-squelch, ignore-cd-flag, add-holddown, del-holddown,
              keep-missing, tcp-upstream, ssl-upstream, max-udp-size,
              ratelimit, ip-ratelimit, cache-max-ttl, cache-min-ttl,
              cache-max-negative-ttl.

       get_option opt
              Get the value of the option. Give the option name without a
              trailing ':'. The value is printed. If the value is "", nothing
              is printed and the connection closes. On error 'error ...' is
              printed (it gives a syntax error on unknown option). For some
              options a list of values, one on each line, is printed. The
              options are shown from the config file as modified with
              set_option. For some options an override may have been taken
              that does not show up with this command, for example the
              results of the verbosity and forward control commands. Not all
              options work, see list_stubs, list_forwards, list_local_zones
              and list_local_data for those.
       list_stubs
              List the stub zones in use. These are printed one by one to the
              output. This includes the root hints in use.

       list_forwards
              List the forward zones in use. These are printed zone by zone
              to the output.

       list_insecure
              List the zones with domain-insecure.

       list_local_zones
              List the local zones in use. These are printed one per line
              with zone type.

       list_local_data
              List the local data RRs in use. The resource records are
              printed.

       insecure_add zone
              Add a domain-insecure for the given zone, like the statement in
              unbound.conf. Adds to the running Unbound without affecting the
              cache contents (which may still be bogus, use flush_zone to
              remove it), does not affect the config file.

       insecure_remove zone
              Removes domain-insecure for the given zone.

       forward_add [+i] zone addr ...
              Add a new forward zone to running Unbound. With +i option also
              adds a domain-insecure for the zone (so it can resolve
              insecurely if you have a DNSSEC root trust anchor configured for
              other names). The addr can be IP4, IP6 or nameserver names,
              like forward-zone config in unbound.conf.

       forward_remove [+i] zone
              Remove a forward zone from running Unbound. The +i also removes
              a domain-insecure for the zone.

       stub_add [+ip] zone addr ...
              Add a new stub zone to running Unbound. With +i option also
              adds a domain-insecure for the zone. With +p the stub zone is
              set to prime, without it it is set to notprime. The addr can be
              IP4, IP6 or nameserver names, like the stub-zone config in
              unbound.conf.

       stub_remove [+i] zone
              Remove a stub zone from running Unbound. The +i also removes a
              domain-insecure for the zone.
       forward [off | addr ... ]
              Setup forwarding mode. Configures if the server should ask
              other upstream nameservers, should go to the internet root
              nameservers itself, or show the current config. You could pass
              the nameservers after a DHCP update.

              Without arguments the current list of addresses used to forward
              all queries to is printed. On startup this is from the
              forward-zone "." configuration. Afterwards it shows the status.
              It prints off when no forwarding is used.

              If off is passed, forwarding is disabled and the root
              nameservers are used. This can be used to avoid buggy or
              non-DNSSEC supporting nameservers returned from DHCP. But this
              may not work in hotels or hotspots.

              If one or more IPv4 or IPv6 addresses are given, those are then
              used to forward queries to. The addresses must be separated
              with spaces. With '@port' the port number can be set explicitly
              (default port is 53 (DNS)).

              By default the forwarder information from the config file for
              the root "." is used. The config file is not changed, so after
              a reload these changes are gone. Other forward zones from the
              config file are not affected by this command.

       ratelimit_list [+a]
              List the domains that are ratelimited. Printed one per line
              with current estimated qps and qps limit from config. With +a
              it prints all domains, not just the ratelimited domains, with
              their estimated qps. The ratelimited domains return an error
              for uncached (new) queries, but cached queries work as normal.

       ip_ratelimit_list [+a]
              List the ip addresses that are ratelimited. Printed one per
              line with current estimated qps and qps limit from config. With
              +a it prints all ips, not just the ratelimited ips, with their
              estimated qps. The ratelimited ips are dropped before checking
              the cache.

       list_auth_zones
              List the auth zones that are configured. Printed one per line
              with a status, indicating if the zone is expired and current
              serial number. Configured RPZ zones are included.
       auth_zone_reload zone
              Reload the auth zone (or RPZ zone) from zonefile. The zonefile
              is read in overwriting the current contents of the zone in
              memory. This changes the auth zone contents itself, not the
              cache contents. Such cache contents exist if you set Unbound to
              validate with for-upstream yes and that can be cleared with
              flush_zone zone.

       auth_zone_transfer zone
              Transfer the auth zone (or RPZ zone) from master. The auth zone
              probe sequence is started, where the masters are probed to see
              if they have an updated zone (with the SOA serial check). And
              then the zone is transferred for a newer zone version.

       rpz_enable zone
              Enable the RPZ zone if it had previously been disabled.

       rpz_disable zone
              Disable the RPZ zone.

       view_list_local_zones view
              list_local_zones for given view.

       view_local_zone view name type
              local_zone for given view.

       view_local_zone_remove view name
              local_zone_remove for given view.

       view_list_local_data view
              list_local_data for given view.

       view_local_data view RR data...
              local_data for given view.

       view_local_data_remove view name
              local_data_remove for given view.

       view_local_datas_remove view
              Remove a list of local_data for given view from stdin. Like
              local_datas_remove.

       view_local_datas view
              Add a list of local_data for given view from stdin. Like
              local_datas.
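
       A filter for the local_zones bulk input described above, as an added
       example (not part of the Unbound distribution). The function names, the
       sample feed and the default zone type always_nxdomain are assumptions
       of the example; entries containing whitespace are rejected so that a
       feed line cannot supply its own zone type.

```shell
#!/bin/sh
# Added example: turn an untrusted domain feed into "name type" lines for
# `unbound-control local_zones`. Function and sample names are hypothetical.

# feed_to_local_zones [TYPE]: stdin = one domain per line, stdout = "name TYPE".
# Rejected entries are reported on stderr and never reach the control channel.
feed_to_local_zones() {
    zone_type=${1:-always_nxdomain}     # assumed default for this example
    case $zone_type in
        ''|*[!a-z_]*) echo "bad zone type: $zone_type" >&2; return 2 ;;
    esac
    awk -v ztype="$zone_type" '
        function valid(n,    i, k, lab) {
            if (length(n) > 253) return 0           # whole-name length limit
            k = split(n, lab, ".")
            if (k < 2) return 0                     # refuse bare labels
            for (i = 1; i <= k; i++) {
                if (length(lab[i]) < 1 || length(lab[i]) > 63) return 0
                # Letters, digits, "_" and inner "-" only. No whitespace, so
                # a line can never carry a second field that would be read
                # as the zone type.
                if (lab[i] !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?$/) return 0
            }
            return 1
        }
        {
            raw = $0
            sub(/#.*/, "")                          # strip comments
            gsub(/^[ \t]+|[ \t\r]+$/, "")           # trim, including CR
            if ($0 == "") next
            name = tolower($0)
            sub(/\.$/, "", name)                    # drop trailing root dot
            if (!valid(name)) { print "rejected: " raw | "cat 1>&2"; next }
            if (!(name in seen)) { seen[name] = 1; print name " " ztype }
        }
    '
}

# Constructed sample feed (not real indicators).
sample_feed() {
    cat <<'EOF'
# constructed sample feed
Malware.Example.
ads.example.net   # tracker
ads.example.net
bad.example.org transparent
-broken-.example
localhost
EOF
}

# Live use: feed_to_local_zones < feed.txt | unbound-control local_zones
sample_feed | feed_to_local_zones
```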

EXIT CODE

       The unbound-control program exits with status code 1 on error, 0 on
       success.

SET UP

       The setup requires a self-signed certificate and private keys for both
       the server and client. The script unbound-control-setup generates
       these in the default run directory, or with -d in another directory.
       If you change the access control permissions on the key files you can
       decide who can use unbound-control, by default owner and group but not
       all users. Run the script under the same username as you have
       configured in unbound.conf or as root, so that the daemon is permitted
       to read the files, for example with:
           sudo -u unbound unbound-control-setup
       If you have not configured a username in unbound.conf, the keys need
       read permission for the user credentials under which the daemon is
       started. The script preserves private keys present in the directory.
       After running the script as root, turn on control-enable in
       unbound.conf.
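
       Because file permissions on the keys decide who can use
       unbound-control, the following added example (not part of the Unbound
       distribution) audits them. The key file names are those listed under
       FILES; the function names and finding labels are assumptions of the
       example.

```shell
#!/bin/sh
# Added example: audit the private keys that unbound-control-setup writes.
# Function names and finding labels are hypothetical.

# has_other_access PATH: true when any permission bit for "other" is set.
# -H follows a symlink given on the command line, so the target is judged.
has_other_access() {
    [ -n "$(find -H "$1" -prune \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)" ]
}

# audit_control_keys [DIR]: print one finding per line, return 1 if any.
audit_control_keys() {
    dir=${1:-/etc/unbound}
    findings=0

    # A world-writable directory lets any local user replace the key files.
    if [ -n "$(find -H "$dir" -prune -perm -002 -print 2>/dev/null)" ]; then
        echo "DIR-WORLD-WRITABLE $dir"
        findings=$((findings + 1))
    fi

    # Anyone who can read unbound_control.key can issue control commands;
    # anyone who can read unbound_server.key can impersonate the server.
    for f in unbound_server.key unbound_control.key; do
        path=$dir/$f
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            findings=$((findings + 1))
        elif has_other_access "$path"; then
            echo "WORLD-ACCESSIBLE $path"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Check the default directory when it exists on this host.
if [ -d /etc/unbound ]; then
    audit_control_keys /etc/unbound || echo "review key file permissions"
fi
```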

STATISTIC COUNTERS

       The stats command shows a number of statistic counters.

       threadX.num.queries
              number of queries received by thread

       threadX.num.queries_ip_ratelimited
              number of queries rate limited by thread

       threadX.num.cachehits
              number of queries that were successfully answered using a cache
              lookup

       threadX.num.cachemiss
              number of queries that needed recursive processing

       threadX.num.dnscrypt.crypted
              number of queries that were encrypted and successfully
              decapsulated by dnscrypt.

       threadX.num.dnscrypt.cert
              number of queries that were requesting dnscrypt certificates.

       threadX.num.dnscrypt.cleartext
              number of queries received on dnscrypt port that were cleartext
              and not a request for certificates.

       threadX.num.dnscrypt.malformed
              number of requests that were neither cleartext nor valid
              dnscrypt messages.

       threadX.num.prefetch
              number of cache prefetches performed. This number is included
              in cachehits, as the original query had the unprefetched answer
              from cache, and resulted in recursive processing, taking a slot
              in the requestlist. Not part of the recursivereplies (or the
              histogram thereof) or cachemiss, as a cache response was sent.

       threadX.num.expired
              number of replies that served an expired cache entry.

       threadX.num.recursivereplies
              The number of replies sent to queries that needed recursive
              processing. Could be smaller than threadX.num.cachemiss if due
              to timeouts no replies were sent for some queries.

       threadX.requestlist.avg
              The average number of requests in the internal recursive
              processing request list on insert of a new incoming recursive
              processing query.

       threadX.requestlist.max
              Maximum size attained by the internal recursive processing
              request list.

       threadX.requestlist.overwritten
              Number of requests in the request list that were overwritten by
              newer entries. This happens if there is a flood of queries that
              need recursive processing and the server has a hard time.

       threadX.requestlist.exceeded
              Queries that were dropped because the request list was full.
              This happens if a flood of queries need recursive processing,
              and the server can not keep up.

       threadX.requestlist.current.all
              Current size of the request list, includes internally generated
              queries (such as priming queries and glue lookups).

       threadX.requestlist.current.user
              Current size of the request list, only the requests from client
              queries.

       threadX.recursion.time.avg
              Average time it took to answer queries that needed recursive
              processing. Note that queries that were answered from the cache
              are not in this average.

       threadX.recursion.time.median
              The median of the time it took to answer queries that needed
              recursive processing. The median means that 50% of the user
              queries were answered in less than this time. Because of big
              outliers (usually queries to non responsive servers), the
              average can be bigger than the median. This median has been
              calculated by interpolation from a histogram.

       threadX.tcpusage
              The currently held tcp buffers for incoming connections. A spot
              value on the time of the request. This helps you spot if the
              incoming-num-tcp buffers are full.
       total.num.queries
              summed over threads.

       total.num.cachehits
              summed over threads.

       total.num.cachemiss
              summed over threads.

       total.num.dnscrypt.crypted
              summed over threads.

       total.num.dnscrypt.cert
              summed over threads.

       total.num.dnscrypt.cleartext
              summed over threads.

       total.num.dnscrypt.malformed
              summed over threads.

       total.num.prefetch
              summed over threads.

       total.num.expired
              summed over threads.

       total.num.recursivereplies
              summed over threads.

       total.requestlist.avg
              averaged over threads.

       total.requestlist.max
              the maximum of the thread requestlist.max values.

       total.requestlist.overwritten
              summed over threads.

       total.requestlist.exceeded
              summed over threads.

       total.requestlist.current.all
              summed over threads.

       total.recursion.time.median
              averaged over threads.

       total.tcpusage
              summed over threads.

       time.now
              current time in seconds since 1970.

       time.up
              uptime since server boot in seconds.

       time.elapsed
              time since last statistics printout, in seconds.

EXTENDED STATISTICS

       mem.cache.rrset
              Memory in bytes in use by the RRset cache.

       mem.cache.message
              Memory in bytes in use by the message cache.

       mem.cache.dnscrypt_shared_secret
              Memory in bytes in use by the dnscrypt shared secrets cache.

       mem.cache.dnscrypt_nonce
              Memory in bytes in use by the dnscrypt nonce cache.

       mem.mod.iterator
              Memory in bytes in use by the iterator module.

       mem.mod.validator
              Memory in bytes in use by the validator module. Includes the key
              cache and negative cache.

       mem.streamwait
              Memory in bytes in use by the TCP and TLS stream wait buffers.
              These are answers waiting to be written back to the clients.

       mem.http.query_buffer
              Memory in bytes used by the HTTP/2 query buffers. Containing
              (partial) DNS queries waiting for request stream completion.

       mem.http.response_buffer
              Memory in bytes used by the HTTP/2 response buffers. Containing
              DNS responses waiting to be written back to the clients.

       histogram.<sec>.<usec>.to.<sec>.<usec>
              Shows a histogram, summed over all threads. Every element counts
              the recursive queries whose reply time fit between the lower and
              upper bound. Times larger or equal to the lowerbound, and
              smaller than the upper bound. There are 40 buckets, with bucket
              sizes doubling.

       num.query.type.A
              The total number of queries over all threads with query type A.
              Printed for the other query types as well, but only for the
              types for which queries were received, thus =0 entries are
              omitted for brevity.

       num.query.type.other
              Number of queries with query types 256-65535.

       num.query.class.IN
              The total number of queries over all threads with query class IN
              (internet). Also printed for other classes (such as CH (CHAOS)
              sometimes used for debugging), or NONE, ANY, used by dynamic
              update. num.query.class.other is printed for classes 256-65535.

       num.query.opcode.QUERY
              The total number of queries over all threads with query opcode
              QUERY. Also printed for other opcodes, UPDATE, ...

       num.query.tcp
              Number of queries that were made using TCP towards the Unbound
              server.

       num.query.tcpout
              Number of queries that the Unbound server made using TCP
              outgoing towards other servers.

       num.query.tls
              Number of queries that were made using TLS towards the Unbound
              server. These are also counted in num.query.tcp, because TLS
              uses TCP.

       num.query.tls.resume
              Number of TLS session resumptions, these are queries over TLS
              towards the Unbound server where the client negotiated a TLS
              session resumption key.

       num.query.https
              Number of queries that were made using HTTPS towards the Unbound
              server. These are also counted in num.query.tcp and
              num.query.tls, because HTTPS uses TLS and TCP.

       num.query.ipv6
              Number of queries that were made using IPv6 towards the Unbound
              server.

       num.query.flags.RD
              The number of queries that had the RD flag set in the header.
              Also printed for flags QR, AA, TC, RA, Z, AD, CD. Note that
              queries with flags QR, AA or TC may have been rejected because
              of that.
       num.query.edns.present
              number of queries that had an EDNS OPT record present.

       num.query.edns.DO
              number of queries that had an EDNS OPT record with the DO
              (DNSSEC OK) bit set. These queries are also included in the
              num.query.edns.present number.

       num.query.ratelimited
              The number of queries that are turned away from being sent to
              the nameserver due to ratelimiting.

       num.query.dnscrypt.shared_secret.cachemiss
              The number of dnscrypt queries that did not find a shared secret
              in the cache. This can be used to compute the shared secret
              hit rate.

       num.query.dnscrypt.replay
              The number of dnscrypt queries that found a nonce hit in the
              nonce cache and hence are considered a query replay.

       num.answer.rcode.NXDOMAIN
              The number of answers to queries, from cache or from recursion,
              that had the return code NXDOMAIN. Also printed for the other
              return codes.

       num.answer.rcode.nodata
              The number of answers to queries that had the pseudo return code
              nodata. This means the actual return code was NOERROR, but
              additionally, no data was carried in the answer (making what is
              called a NOERROR/NODATA answer). These queries are also
              included in the num.answer.rcode.NOERROR number. Common for AAAA
              lookups when an A record exists, and no AAAA.

       num.answer.secure
              Number of answers that were secure. The answer validated
              correctly. The AD bit might have been set in some of these
              answers, where the client signalled (with DO or AD bit in the
              query) that they were ready to accept the AD bit in the answer.

       num.answer.bogus
              Number of answers that were bogus. These answers resulted in
              SERVFAIL to the client because the answer failed validation.

       num.rrset.bogus
              The number of rrsets marked bogus by the validator. Increased
              for every RRset inspection that fails.

       unwanted.queries
              Number of queries that were refused or dropped because they
              failed the access control settings.

       unwanted.replies
              Replies that were unwanted or unsolicited. Could have been
              random traffic, delayed duplicates, very late answers, or could
              be spoofing attempts. Some low level of late answers and delayed
              duplicates are to be expected with the UDP protocol. Very high
              values could indicate a threat (spoofing).

       msg.cache.count
              The number of items (DNS replies) in the message cache.

       rrset.cache.count
              The number of RRsets in the rrset cache. This includes rrsets
              used by the messages in the message cache, but also delegation
              information.

       infra.cache.count
              The number of items in the infra cache. These are IP addresses
              with their timing and protocol support information.

       key.cache.count
              The number of items in the key cache. These are DNSSEC keys,
              one item per delegation point, and their validation status.
       dnscrypt_shared_secret.cache.count
              The number of items in the shared secret cache. These are
              precomputed shared secrets for a given client public key/server
              secret key pair. Shared secrets are CPU intensive and this cache
              allows Unbound to avoid recomputing the shared secret when
              multiple dnscrypt queries are sent from the same client.

       dnscrypt_nonce.cache.count
              The number of items in the client nonce cache. This cache is
              used to prevent replay of dnscrypt queries. The client nonce
              must be unique for each client public key/server secret key
              pair. This cache should be able to host QPS * `replay window`
              interval keys to prevent replay of a query during `replay
              window` seconds.

       num.query.authzone.up
              The number of queries answered from auth-zone data, upstream
              queries. These queries would otherwise have been sent (with
              fallback enabled) to the internet, but are now answered from the
              auth zone.

       num.query.authzone.down
              The number of queries for downstream answered from auth-zone
              data. These queries are from downstream clients, and have had
              an answer from the data in the auth zone.

       num.query.aggressive.NOERROR
              The number of queries answered using cached NSEC records with
              NODATA RCODE. These queries would otherwise have been sent to
              the internet, but are now answered using cached data.

       num.query.aggressive.NXDOMAIN
              The number of queries answered using cached NSEC records with
              NXDOMAIN RCODE. These queries would otherwise have been sent to
              the internet, but are now answered using cached data.

       num.query.subnet
              Number of queries that got an answer that contained EDNS client
              subnet data.

       num.query.subnet_cache
              Number of queries answered from the edns client subnet cache.
              These are counted as cachemiss by the main counters, but hit the
              client subnet specific cache, after getting processed by the
              edns client subnet module.

       num.rpz.action.<rpz_action>
              Number of queries answered using configured RPZ policy, per RPZ
              action type. Possible actions are: nxdomain, nodata, passthru,
              drop, tcp-only, local-data, disabled, and cname-override.
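
       A monitoring check over the counters described in STATISTIC COUNTERS
       and EXTENDED STATISTICS, as an added example (not part of the Unbound
       distribution). It assumes statistics lines of the form name=value; the
       thresholds, function names and sample values are constructed for the
       example. Feeding it from stats_noreset keeps the check from zeroing
       counters that other tools read.

```shell
#!/bin/sh
# Added example: flag security-relevant counters in unbound-control statistics.
# Thresholds, function names and sample data are assumptions of this example.

# check_unbound_stats: stdin = name=value statistics lines.
# Prints one "ALERT ..." line per tripped check; returns 1 if any tripped.
check_unbound_stats() {
    awk -F= -v max_unwanted_rate="${MAX_UNWANTED_RATE:-10}" \
            -v max_bogus_pct="${MAX_BOGUS_PCT:-5}" '
        NF == 2 { v[$1] = $2 + 0 }          # remember every counter by name
        END {
            alerts  = 0
            elapsed = v["time.elapsed"]     # seconds covered by the counters
            queries = v["total.num.queries"]

            # Unsolicited replies: a low level is normal over UDP, a high
            # per-second rate can indicate spoofing attempts.
            if (elapsed > 0) {
                rate = v["unwanted.replies"] / elapsed
                if (rate > max_unwanted_rate) {
                    printf "ALERT unwanted.replies %.1f/s (possible spoofing)\n", rate
                    alerts++
                }
            }
            # Answers that failed DNSSEC validation and became SERVFAIL.
            if (queries > 0) {
                pct = 100 * v["num.answer.bogus"] / queries
                if (pct > max_bogus_pct) {
                    printf "ALERT num.answer.bogus %.1f%% of queries\n", pct
                    alerts++
                }
            }
            # Queries dropped because the request list was full (flood).
            if (v["total.requestlist.exceeded"] > 0) {
                printf "ALERT total.requestlist.exceeded %d queries dropped\n", v["total.requestlist.exceeded"]
                alerts++
            }
            # Nonce cache hits are counted as replayed dnscrypt queries.
            if (v["num.query.dnscrypt.replay"] > 0) {
                printf "ALERT num.query.dnscrypt.replay %d replayed queries\n", v["num.query.dnscrypt.replay"]
                alerts++
            }
            exit (alerts > 0)
        }
    '
}

# Constructed sample: a resolver under a reply flood with validation failures.
sample_noisy() {
    cat <<'EOF'
total.num.queries=20000
total.num.cachehits=15000
total.num.cachemiss=5000
total.requestlist.exceeded=42
time.elapsed=60.000000
num.answer.bogus=1500
num.query.dnscrypt.replay=0
unwanted.queries=3
unwanted.replies=1800
EOF
}

# Constructed sample: the same resolver on a quiet interval.
sample_quiet() {
    cat <<'EOF'
total.num.queries=20000
total.requestlist.exceeded=0
time.elapsed=60.000000
num.answer.bogus=12
unwanted.replies=25
EOF
}

# Live use: unbound-control stats_noreset | check_unbound_stats
sample_noisy | check_unbound_stats || true
```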

FILES

       /etc/unbound/unbound.conf
              Unbound configuration file.

       /etc/unbound
              directory with private keys (unbound_server.key and
              unbound_control.key) and self-signed certificates
              (unbound_server.pem and unbound_control.pem).

SEE ALSO

       unbound.conf(5), unbound(8).

NLnet Labs                       Jun  2, 2022               unbound-control(8)