1unbound-control(8)              unbound 1.17.1              unbound-control(8)
2
3
4

NAME

6       unbound-control,  unbound-control-setup - Unbound remote server control
7       utility.
8

SYNOPSIS

10       unbound-control [-hq] [-c cfgfile] [-s server] command
11

DESCRIPTION

13       Unbound-control performs remote administration on  the  unbound(8)  DNS
14       server.   It  reads the configuration file, contacts the Unbound server
15       over SSL sends the command and displays the result.
16
17       The available options are:
18
19       -h     Show the version and commandline option help.
20
21       -c cfgfile
22              The config file to read with settings.  If not given the default
23              config file /etc/unbound/unbound.conf is used.
24
25       -s server[@port]
26              IPv4  or  IPv6  address of the server to contact.  If not given,
27              the address is read from the config file.
28
29       -q     quiet, if the option is given it does not print anything  if  it
30              works ok.
31

COMMANDS

33       There are several commands that the server understands.
34
35       start  Start  the  server.  Simply  execs unbound(8).  The Unbound exe‐
36              cutable is searched for in the PATH set in the environment.   It
37              is  started  with  the config file specified using -c or the de‐
38              fault config file.
39
40       stop   Stop the server. The server daemon exits.
41
42       reload Reload the server. This flushes the cache and reads  the  config
43              file fresh.
44
45       reload_keep_cache
46              Reload the server but try to keep the RRset and message cache if
47              (re)configuration allows for it.  That means  the  caches  sizes
48              and the number of threads must not change between reloads.
49
50       verbosity number
51              Change  verbosity  value  for  logging. Same values as verbosity
52              keyword in unbound.conf(5).  This new setting  lasts  until  the
53              server is issued a reload (taken from config file again), or the
54              next verbosity control command.
55
56       log_reopen
57              Reopen the logfile, close and open it.  Useful  for  logrotation
58              to  make  the  daemon release the file it is logging to.  If you
59              are using syslog it will attempt to close and  open  the  syslog
60              (which may not work if chrooted).
61
62       stats  Print statistics. Resets the internal counters to zero, this can
63              be controlled using the statistics-cumulative config  statement.
64              Statistics are printed with one [name]: [value] per line.
65
66       stats_noreset
67              Peek at statistics. Prints them like the stats command does, but
68              does not reset the internal counters to zero.
69
70       status Display server status. Exit code 3 if not running  (the  connec‐
71              tion to the port is refused), 1 on error, 0 if running.
72
73       local_zone name type
74              Add  new  local  zone with name and type. Like local-zone config
75              statement.  If the zone already exists, the type is  changed  to
76              the given argument.
77
78       local_zone_remove name
79              Remove  the  local  zone with the given name.  Removes all local
80              data inside it.  If the zone does not exist,  the  command  suc‐
81              ceeds.
82
83       local_data RR data...
84              Add  new  local data, the given resource record. Like local-data
85              config statement, except for when no covering zone  exists.   In
86              that case this remote control command creates a transparent zone
87              with the same name as this record.
88
89       local_data_remove name
90              Remove all RR data from local name.  If the name already has  no
91              items,  nothing happens.  Often results in NXDOMAIN for the name
92              (in a static zone), but if the name has become an empty  nonter‐
93              minal  (there  is  still  data in domain names below the removed
94              name), NOERROR nodata answers are the result for that name.
95
96       local_zones
97              Add local zones read from stdin  of  unbound-control.  Input  is
98              read  per  line,  with name space type on a line. For bulk addi‐
99              tions.
100
101       local_zones_remove
102              Remove local zones read from stdin of unbound-control. Input  is
103              one name per line. For bulk removals.
104
105       local_datas
106              Add  local data RRs read from stdin of unbound-control. Input is
107              one RR per line. For bulk additions.
108
109       local_datas_remove
110              Remove local data RRs read from stdin of unbound-control.  Input
111              is one name per line. For bulk removals.
112
113       dump_cache
114              The contents of the cache is printed in a text format to stdout.
115              You can redirect it to a file to store the cache in a file.
116
117       load_cache
118              The contents of the cache is loaded from stdin.  Uses  the  same
119              format as dump_cache uses.  Loading the cache with old, or wrong
120              data can result in old or wrong data returned to clients.  Load‐
121              ing data into the cache in this way is supported in order to aid
122              with debugging.
123
124       lookup name
125              Print to stdout the name servers that would be used to  look  up
126              the name specified.
127
128       flush name
129              Remove  the  name from the cache. Removes the types A, AAAA, NS,
130              SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS.  Because
131              that  is  fast  to  do.  Other record types can be removed using
132              flush_type or flush_zone.
133
134       flush_type name type
135              Remove the name, type information from the cache.
136
137       flush_zone name
138              Remove all information at or below the name from the cache.  The
139              rrsets  and  key entries are removed so that new lookups will be
140              performed.  This needs to walk and inspect the entire cache, and
141              is  a slow operation.  The entries are set to expired in the im‐
142              plementation of this command (so,  with  serve-expired  enabled,
143              it'll serve that information but schedule a prefetch for new in‐
144              formation).
145
146       flush_bogus
147              Remove all bogus data from the cache.
148
149       flush_negative
150              Remove all negative data from the cache.  This is  nxdomain  an‐
151              swers,  nodata  answers  and servfail answers.  Also removes bad
152              key entries (which could be due  to  failed  lookups)  from  the
153              dnssec  key cache, and iterator last-resort lookup failures from
154              the rrset cache.
155
156       flush_stats
157              Reset statistics to zero.
158
159       flush_requestlist
160              Drop the queries that are  worked  on.   Stops  working  on  the
161              queries  that  the server is working on now.  The cache is unaf‐
162              fected.  No reply is sent for  those  queries,  probably  making
163              those  users  request  again  later.   Useful to make the server
164              restart working on queries with new settings, such as  a  higher
165              verbosity level.
166
167       dump_requestlist
168              Show  what  is worked on.  Prints all queries that the server is
169              currently working on.  Prints the  time  that  users  have  been
170              waiting.   For  internal requests, no time is printed.  And then
171              prints out the module status.  This prints the queries from  the
172              first thread, and not queries that are being serviced from other
173              threads.
174
175       flush_infra all|IP
176              If all then entire infra cache is emptied.  If a specific IP ad‐
177              dress, the entry for that address is removed from the cache.  It
178              contains EDNS, ping and lameness data.
179
180       dump_infra
181              Show the contents of the infra cache.
182
183       set_option opt: val
184              Set the option to the given value without a reload.   The  cache
185              is  therefore  not  flushed.  The option must end with a ':' and
186              whitespace must be between the option and the value.  Some  val‐
187              ues  may  not have an effect if set this way, the new values are
188              not written to the config file, not all options  are  supported.
189              This  is different from the set_option call in libunbound, where
190              all values work because Unbound has not been initialized.
191
192              The values that work are: statistics-interval,  statistics-cumu‐
193              lative,       do-not-query-localhost,      harden-short-bufsize,
194              harden-large-queries,    harden-glue,    harden-dnssec-stripped,
195              harden-below-nxdomain,      harden-referral-path,      prefetch,
196              prefetch-key, log-queries,  hide-identity,  hide-version,  iden‐
197              tity,  version,  val-log-level, val-log-squelch, ignore-cd-flag,
198              add-holddown, del-holddown, keep-missing, tcp-upstream,  ssl-up‐
199              stream,  max-udp-size,  ratelimit,  ip-ratelimit, cache-max-ttl,
200              cache-min-ttl, cache-max-negative-ttl.
201
202       get_option opt
203              Get the value of the option.  Give the  option  name  without  a
204              trailing  ':'.  The value is printed.  If the value is "", noth‐
205              ing is printed and the connection closes.  On error 'error  ...'
206              is  printed  (it  gives  a syntax error on unknown option).  For
207              some options a list of values, one on  each  line,  is  printed.
208              The  options  are  shown  from  the config file as modified with
209              set_option.  For some options an override may  have  been  taken
210              that  does  not show up with this command, not results from e.g.
211              the verbosity and forward control  commands.   Not  all  options
212              work,   see   list_stubs,  list_forwards,  list_local_zones  and
213              list_local_data for those.
214
215       list_stubs
216              List the stub zones in use.  These are printed one by one to the
217              output.  This includes the root hints in use.
218
219       list_forwards
220              List  the  forward zones in use.  These are printed zone by zone
221              to the output.
222
223       list_insecure
224              List the zones with domain-insecure.
225
226       list_local_zones
227              List the local zones in use.  These are  printed  one  per  line
228              with zone type.
229
230       list_local_data
231              List  the  local  data  RRs  in  use.   The resource records are
232              printed.
233
234       insecure_add zone
235              Add a domain-insecure for the given zone, like the statement  in
236              unbound.conf.  Adds to the running Unbound without affecting the
237              cache contents (which may still be bogus, use flush_zone to  re‐
238              move it), does not affect the config file.
239
240       insecure_remove zone
241              Removes domain-insecure for the given zone.
242
243       forward_add [+i] zone addr ...
244              Add  a new forward zone to running Unbound.  With +i option also
245              adds a domain-insecure for the zone (so  it  can  resolve  inse‐
246              curely  if  you  have  a DNSSEC root trust anchor configured for
247              other names).  The addr can be IP4,  IP6  or  nameserver  names,
248              like forward-zone config in unbound.conf.
249
250       forward_remove [+i] zone
251              Remove a forward zone from running Unbound.  The +i also removes
252              a domain-insecure for the zone.
253
254       stub_add [+ip] zone addr ...
255              Add a new stub zone to running Unbound.   With  +i  option  also
256              adds  a  domain-insecure for the zone.  With +p the stub zone is
257              set to prime, without it it is set to notprime.  The addr can be
258              IP4,  IP6  or nameserver names, like the stub-zone config in un‐
259              bound.conf.
260
261       stub_remove [+i] zone
262              Remove a stub zone from running Unbound.  The +i also removes  a
263              domain-insecure for the zone.
264
265       forward [off | addr ... ]
266              Setup  forwarding  mode.   Configures  if  the server should ask
267              other upstream nameservers, should go to the internet root name‐
268              servers  itself, or show the current config.  You could pass the
269              nameservers after a DHCP update.
270
271              Without arguments the current list of addresses used to  forward
272              all  queries  to  is  printed.  On startup this is from the for‐
273              ward-zone "." configuration.  Afterwards it  shows  the  status.
274              It prints off when no forwarding is used.
275
276              If  off  is  passed,  forwarding  is disabled and the root name‐
277              servers are used.  This can be used to avoid to avoid  buggy  or
278              non-DNSSEC  supporting  nameservers returned from DHCP.  But may
279              not work in hotels or hotspots.
280
281              If one or more IPv4 or IPv6 addresses are given, those are  then
282              used  to  forward  queries  to.  The addresses must be separated
283              with spaces.  With '@port' the port number can be set explicitly
284              (default port is 53 (DNS)).
285
286              By  default  the  forwarder information from the config file for
287              the root "." is used.  The config file is not changed, so  after
288              a  reload  these changes are gone.  Other forward zones from the
289              config file are not affected by this command.
290
291       ratelimit_list [+a]
292              List the domains that are ratelimited.   Printed  one  per  line
293              with  current  estimated qps and qps limit from config.  With +a
294              it prints all domains, not just the  ratelimited  domains,  with
295              their  estimated  qps.   The ratelimited domains return an error
296              for uncached (new) queries, but cached queries work as normal.
297
298       ip_ratelimit_list [+a]
299              List the ip addresses that are  ratelimited.   Printed  one  per
300              line with current estimated qps and qps limit from config.  With
301              +a it prints all ips, not just the ratelimited ips,  with  their
302              estimated  qps.  The ratelimited ips are dropped before checking
303              the cache.
304
305       list_auth_zones
306              List the auth zones that are configured.  Printed one  per  line
307              with a status, indicating if the zone is expired and current se‐
308              rial number.  Configured RPZ zones are included.
309
310       auth_zone_reload zone
311              Reload the auth zone (or RPZ zone) from zonefile.  The  zonefile
312              is  read in overwriting the current contents of the zone in mem‐
313              ory.  This changes the auth zone contents itself, not the  cache
314              contents.  Such cache contents exists if you set Unbound to val‐
315              idate with  for-upstream  yes  and  that  can  be  cleared  with
316              flush_zone zone.
317
318       auth_zone_transfer zone
319              Transfer the auth zone (or RPZ zone) from master.  The auth zone
320              probe sequence is started, where the masters are probed  to  see
321              if  they  have an updated zone (with the SOA serial check).  And
322              then the zone is transferred for a newer zone version.
323
324       rpz_enable zone
325              Enable the RPZ zone if it had previously been disabled.
326
327       rpz_disable zone
328              Disable the RPZ zone.
329
330       view_list_local_zones view
331              list_local_zones for given view.
332
333       view_local_zone view name type
334              local_zone for given view.
335
336       view_local_zone_remove view name
337              local_zone_remove for given view.
338
339       view_list_local_data view
340              list_local_data for given view.
341
342       view_local_data view RR data...
343              local_data for given view.
344
345       view_local_data_remove view name
346              local_data_remove for given view.
347
348       view_local_datas_remove view
349              Remove a list of local_data for given view from stdin. Like  lo‐
350              cal_datas_remove.
351
352       view_local_datas view
353              Add  a  list  of local_data for given view from stdin.  Like lo‐
354              cal_datas.
355

EXIT CODE

357       The unbound-control program exits with status code 1  on  error,  0  on
358       success.
359

SET UP

361       The  setup requires a self-signed certificate and private keys for both
362       the server and  client.   The  script  unbound-control-setup  generates
363       these  in  the  default run directory, or with -d in another directory.
364       If you change the access control permissions on the key files  you  can
365       decide  who can use unbound-control, by default owner and group but not
366       all users.  Run the script under the same username as you have  config‐
367       ured  in  unbound.conf  or  as root, so that the daemon is permitted to
368       read the files, for example with:
369           sudo -u unbound unbound-control-setup
370       If you have not configured a username in unbound.conf,  the  keys  need
371       read  permission  for  the  user  credentials under which the daemon is
372       started.  The script preserves private keys present in  the  directory.
373       After  running  the  script  as  root,  turn  on  control-enable in un‐
374       bound.conf.
375

STATISTIC COUNTERS

377       The stats command shows a number of statistic counters.
378
379       threadX.num.queries
380              number of queries received by thread
381
382       threadX.num.queries_ip_ratelimited
383              number of queries rate limited by thread
384
385       threadX.num.cachehits
386              number of queries that were successfully answered using a  cache
387              lookup
388
389       threadX.num.cachemiss
390              number of queries that needed recursive processing
391
392       threadX.num.dnscrypt.crypted
393              number  of queries that were encrypted and successfully decapsu‐
394              lated by dnscrypt.
395
396       threadX.num.dnscrypt.cert
397              number of queries that were requesting dnscrypt certificates.
398
399       threadX.num.dnscrypt.cleartext
400              number of queries received on dnscrypt port that were  cleartext
401              and not a request for certificates.
402
403       threadX.num.dnscrypt.malformed
404              number  of  request  that  were  neither  cleartext,  not  valid
405              dnscrypt messages.
406
407       threadX.num.prefetch
408              number of cache prefetches performed.  This number  is  included
409              in  cachehits, as the original query had the unprefetched answer
410              from cache, and resulted in recursive processing, taking a  slot
411              in  the  requestlist.   Not part of the recursivereplies (or the
412              histogram thereof) or cachemiss, as a cache response was sent.
413
414       threadX.num.expired
415              number of replies that served an expired cache entry.
416
417       threadX.num.recursivereplies
418              The number of replies sent to queries that needed recursive pro‐
419              cessing.  Could  be smaller than threadX.num.cachemiss if due to
420              timeouts no replies were sent for some queries.
421
422       threadX.requestlist.avg
423              The average number of requests in the  internal  recursive  pro‐
424              cessing  request list on insert of a new incoming recursive pro‐
425              cessing query.
426
427       threadX.requestlist.max
428              Maximum size attained by the internal recursive  processing  re‐
429              quest list.
430
431       threadX.requestlist.overwritten
432              Number  of requests in the request list that were overwritten by
433              newer entries. This happens if there is a flood of queries  that
434              recursive processing and the server has a hard time.
435
436       threadX.requestlist.exceeded
437              Queries  that  were  dropped  because the request list was full.
438              This happens if a flood of queries  need  recursive  processing,
439              and the server can not keep up.
440
441       threadX.requestlist.current.all
442              Current  size of the request list, includes internally generated
443              queries (such as priming queries and glue lookups).
444
445       threadX.requestlist.current.user
446              Current size of the request list, only the requests from  client
447              queries.
448
449       threadX.recursion.time.avg
450              Average  time  it  took  to answer queries that needed recursive
451              processing. Note that queries that were answered from the  cache
452              are not in this average.
453
454       threadX.recursion.time.median
455              The median of the time it took to answer queries that needed re‐
456              cursive processing.  The median  means  that  50%  of  the  user
457              queries  were  answered  in less than this time.  Because of big
458              outliers (usually queries to non responsive servers), the  aver‐
459              age  can be bigger than the median.  This median has been calcu‐
460              lated by interpolation from a histogram.
461
462       threadX.tcpusage
463              The currently held tcp buffers for incoming connections.  A spot
464              value  on  the  time of the request.  This helps you spot if the
465              incoming-num-tcp buffers are full.
466
467       total.num.queries
468              summed over threads.
469
470       total.num.cachehits
471              summed over threads.
472
473       total.num.cachemiss
474              summed over threads.
475
476       total.num.dnscrypt.crypted
477              summed over threads.
478
479       total.num.dnscrypt.cert
480              summed over threads.
481
482       total.num.dnscrypt.cleartext
483              summed over threads.
484
485       total.num.dnscrypt.malformed
486              summed over threads.
487
488       total.num.prefetch
489              summed over threads.
490
491       total.num.expired
492              summed over threads.
493
494       total.num.recursivereplies
495              summed over threads.
496
497       total.requestlist.avg
498              averaged over threads.
499
500       total.requestlist.max
501              the maximum of the thread requestlist.max values.
502
503       total.requestlist.overwritten
504              summed over threads.
505
506       total.requestlist.exceeded
507              summed over threads.
508
509       total.requestlist.current.all
510              summed over threads.
511
512       total.recursion.time.median
513              averaged over threads.
514
515       total.tcpusage
516              summed over threads.
517
518       time.now
519              current time in seconds since 1970.
520
521       time.up
522              uptime since server boot in seconds.
523
524       time.elapsed
525              time since last statistics printout, in seconds.
526

EXTENDED STATISTICS

528       mem.cache.rrset
529              Memory in bytes in use by the RRset cache.
530
531       mem.cache.message
532              Memory in bytes in use by the message cache.
533
534       mem.cache.dnscrypt_shared_secret
535              Memory in bytes in use by the dnscrypt shared secrets cache.
536
537       mem.cache.dnscrypt_nonce
538              Memory in bytes in use by the dnscrypt nonce cache.
539
540       mem.mod.iterator
541              Memory in bytes in use by the iterator module.
542
543       mem.mod.validator
544              Memory in bytes in use by the validator module. Includes the key
545              cache and negative cache.
546
547       mem.streamwait
548              Memory  in bytes in used by the TCP and TLS stream wait buffers.
549              These are answers waiting to be written back to the clients.
550
551       mem.http.query_buffer
552              Memory in bytes used by the  HTTP/2  query  buffers.  Containing
553              (partial) DNS queries waiting for request stream completion.
554
555       mem.http.response_buffer
556              Memory  in bytes used by the HTTP/2 response buffers. Containing
557              DNS responses waiting to be written back to the clients.
558
559       histogram.<sec>.<usec>.to.<sec>.<usec>
560              Shows a histogram, summed over all threads. Every element counts
561              the recursive queries whose reply time fit between the lower and
562              upper bound.  Times larger  or  equal  to  the  lowerbound,  and
563              smaller than the upper bound.  There are 40 buckets, with bucket
564              sizes doubling.
565
566       num.query.type.A
567              The total number of queries over all threads with query type  A.
568              Printed  for  the  other  query  types as well, but only for the
569              types for which queries were received, thus =0 entries are omit‐
570              ted for brevity.
571
572       num.query.type.other
573              Number of queries with query types 256-65535.
574
575       num.query.class.IN
576              The total number of queries over all threads with query class IN
577              (internet).  Also printed for other classes (such as CH  (CHAOS)
578              sometimes used for debugging), or NONE, ANY, used by dynamic up‐
579              date.  num.query.class.other is printed for classes 256-65535.
580
581       num.query.opcode.QUERY
582              The total number of queries over all threads with  query  opcode
583              QUERY.  Also printed for other opcodes, UPDATE, ...
584
585       num.query.tcp
586              Number  of  queries that were made using TCP towards the Unbound
587              server.
588
589       num.query.tcpout
590              Number of queries that the Unbound server made using TCP  outgo‐
591              ing towards other servers.
592
593       num.query.udpout
594              Number  of queries that the Unbound server made using UDP outgo‐
595              ing towards other servers.
596
597       num.query.tls
598              Number of queries that were made using TLS towards  the  Unbound
599              server.   These  are  also counted in num.query.tcp, because TLS
600              uses TCP.
601
602       num.query.tls.resume
603              Number of TLS session resumptions, these are  queries  over  TLS
604              towards  the  Unbound  server  where the client negotiated a TLS
605              session resumption key.
606
607       num.query.https
608              Number of queries that were made using HTTPS towards the Unbound
609              server.    These   are   also   counted   in  num.query.tcp  and
610              num.query.tls, because HTTPS uses TLS and TCP.
611
612       num.query.ipv6
613              Number of queries that were made using IPv6 towards the  Unbound
614              server.
615
616       num.query.flags.RD
617              The  number  of  queries that had the RD flag set in the header.
618              Also printed for flags QR, AA, TC, RA, Z,  AD,  CD.   Note  that
619              queries  with  flags QR, AA or TC may have been rejected because
620              of that.
621
622       num.query.edns.present
623              number of queries that had an EDNS OPT record present.
624
625       num.query.edns.DO
626              number of queries that had  an  EDNS  OPT  record  with  the  DO
627              (DNSSEC  OK)  bit  set.   These queries are also included in the
628              num.query.edns.present number.
629
630       num.query.ratelimited
631              The number of queries that are turned away from  being  send  to
632              nameserver due to ratelimiting.
633
634       num.query.dnscrypt.shared_secret.cachemiss
635              The number of dnscrypt queries that did not find a shared secret
636              in the cache.  The can be use to compute the shared  secret  hi‐
637              trate.
638
639       num.query.dnscrypt.replay
640              The  number  of  dnscrypt  queries that found a nonce hit in the
641              nonce cache and hence are considered a query replay.
642
643       num.answer.rcode.NXDOMAIN
644              The number of answers to queries, from cache or from  recursion,
645              that  had  the  return code NXDOMAIN. Also printed for the other
646              return codes.
647
648       num.answer.rcode.nodata
649              The number of answers to queries that had the pseudo return code
650              nodata.   This means the actual return code was NOERROR, but ad‐
651              ditionally, no data was carried in the answer  (making  what  is
652              called  a  NOERROR/NODATA  answer).   These queries are also in‐
653              cluded in the num.answer.rcode.NOERROR number.  Common for  AAAA
654              lookups when an A record exists, and no AAAA.
655
656       num.answer.secure
657              Number  of  answers that were secure.  The answer validated cor‐
658              rectly.  The AD bit might have been set in  some  of  these  an‐
659              swers,  where  the  client  signalled  (with DO or AD bit in the
660              query) that they were ready to accept the AD bit in the answer.
661
662       num.answer.bogus
663              Number of answers that were bogus.  These  answers  resulted  in
664              SERVFAIL to the client because the answer failed validation.
665
666       num.rrset.bogus
667              The  number  of rrsets marked bogus by the validator.  Increased
668              for every RRset inspection that fails.
669
670       unwanted.queries
671              Number of queries that were  refused  or  dropped  because  they
672              failed the access control settings.
673
674       unwanted.replies
675              Replies that were unwanted or unsolicited.  Could have been ran‐
676              dom traffic, delayed duplicates, very late answers, or could  be
677              spoofing  attempts.   Some low level of late answers and delayed
678              duplicates are to be expected with the UDP protocol.  Very  high
679              values could indicate a threat (spoofing).
680
681       msg.cache.count
682              The number of items (DNS replies) in the message cache.
683
684       rrset.cache.count
685              The  number  of RRsets in the rrset cache.  This includes rrsets
686              used by the messages in the message cache, but  also  delegation
687              information.
688
689       infra.cache.count
690              The  number of items in the infra cache.  These are IP addresses
691              with their timing and protocol support information.
692
693       key.cache.count
694              The number of items in the key cache.  These  are  DNSSEC  keys,
695              one item per delegation point, and their validation status.
696
697       dnscrypt_shared_secret.cache.count
698              The  number  of items in the shared secret cache. These are pre‐
699              computed shared secrets for a given client public key/server se‐
700              cret  key  pair. Shared secrets are CPU intensive and this cache
701              allows Unbound to avoid recomputing the shared secret when  mul‐
702              tiple dnscrypt queries are sent from the same client.
703
704       dnscrypt_nonce.cache.count
705              The  number  of  items  in the client nonce cache. This cache is
706              used to prevent dnscrypt queries replay. The client  nonce  must
707              be  unique  for  each  client public key/server secret key pair.
708              This cache should be able to host QPS * `replay window` interval
709              keys  to  prevent  replay of a query during `replay window` sec‐
710              onds.
711
712       num.query.authzone.up
713              The number of queries answered  from  auth-zone  data,  upstream
714              queries.   These  queries  would  otherwise have been sent (with
715              fallback enabled) to the internet, but are now answered from the
716              auth zone.
717
718       num.query.authzone.down
719              The  number  of  queries  for downstream answered from auth-zone
720              data.  These queries are from downstream clients, and  have  had
721              an answer from the data in the auth zone.
722
723       num.query.aggressive.NOERROR
724              The  number  of  queries answered using cached NSEC records with
725              NODATA RCODE.  These queries would otherwise have been  sent  to
726              the internet, but are now answered using cached data.
727
728       num.query.aggressive.NXDOMAIN
729              The  number  of  queries answered using cached NSEC records with
730              NXDOMAIN RCODE.  These queries would otherwise have been sent to
731              the internet, but are now answered using cached data.
732
733       num.query.subnet
734              Number  of queries that got an answer that contained EDNS client
735              subnet data.
736
737       num.query.subnet_cache
738              Number of queries answered from the edns  client  subnet  cache.
739              These are counted as cachemiss by the main counters, but hit the
740              client subnet specific cache, after  getting  processed  by  the
741              edns client subnet module.
742
743       num.rpz.action.<rpz_action>
744              Number  of queries answered using configured RPZ policy, per RPZ
745              action type.  Possible actions are: nxdomain, nodata,  passthru,
746              drop, tcp-only, local-data, disabled, and cname-override.
747

FILES

749       /etc/unbound/unbound.conf
750              Unbound configuration file.
751
752       /etc/unbound
753              directory with private keys (unbound_server.key and unbound_con‐
754              trol.key) and self-signed certificates  (unbound_server.pem  and
755              unbound_control.pem).
756

SEE ALSO

758       unbound.conf(5), unbound(8).
759
760
761
762NLnet Labs                       Jan 12, 2023               unbound-control(8)
Impressum