1unbound.conf(5) unbound 1.19.0 unbound.conf(5)
2
3
4
6 unbound.conf - Unbound configuration file.
7
9 unbound.conf
10
12 unbound.conf is used to configure unbound(8). The file format has at‐
13 tributes and values. Some attributes have attributes inside them. The
14 notation is: attribute: value.
15
16 Comments start with # and last to the end of line. Empty lines are ig‐
17 nored as is whitespace at the beginning of a line.
18
19 The utility unbound-checkconf(8) can be used to check unbound.conf
20 prior to usage.
21
23 An example config file is shown below. Copy this to /etc/unbound/un‐
24 bound.conf and start the server with:
25
26 $ unbound -c /etc/unbound/unbound.conf
27
28 Most settings are the defaults. Stop the server with:
29
30 $ kill `cat /etc/unbound/unbound.pid`
31
32 Below is a minimal config file. The source distribution contains an ex‐
33 tensive example.conf file with all the options.
34
35 # unbound.conf(5) config file for unbound(8).
36 server:
37 directory: "/etc/unbound"
38 username: unbound
39 # make sure unbound can access entropy from inside the chroot.
40 # e.g. on linux the use these commands (on BSD, devfs(8) is used):
41 # mount --bind -n /dev/urandom /etc/unbound/dev/urandom
42 # and mount --bind -n /dev/log /etc/unbound/dev/log
43 chroot: "/etc/unbound"
44 # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
45 pidfile: "/etc/unbound/unbound.pid"
46 # verbosity: 1 # uncomment and increase to get more logging.
47 # listen on all interfaces, answer queries from the local subnet.
48 interface: 0.0.0.0
49 interface: ::0
50 access-control: 10.0.0.0/8 allow
51 access-control: 2001:DB8::/64 allow
52
54 There must be whitespace between keywords. Attribute keywords end with
55 a colon ':'. An attribute is followed by a value, or its containing
56 attributes in which case it is referred to as a clause. Clauses can be
57 repeated throughout the file (or included files) to group attributes
58 under the same clause.
59
60 Files can be included using the include: directive. It can appear any‐
61 where, it accepts a single file name as argument. Processing continues
62 as if the text from the included file was copied into the config file
63 at that point. If also using chroot, using full path names for the in‐
64 cluded files works, relative pathnames for the included names work if
65 the directory where the daemon is started equals its chroot/working di‐
66 rectory or is specified before the include statement with directory:
67 dir. Wildcards can be used to include multiple files, see glob(7).
68
69 For a more structural include option, the include-toplevel: directive
70 can be used. This closes whatever clause is currently active (if any)
71 and forces the use of clauses in the included files and right after
72 this directive.
73
74 Server Options
75 These options are part of the server: clause.
76
77 verbosity: <number>
78 The verbosity number, level 0 means no verbosity, only errors.
79 Level 1 gives operational information. Level 2 gives detailed
80 operational information including short information per query.
81 Level 3 gives query level information, output per query. Level
82 4 gives algorithm level information. Level 5 logs client iden‐
83 tification for cache misses. Default is level 1. The verbosity
84 can also be increased from the commandline, see unbound(8).
85
86 statistics-interval: <seconds>
87 The number of seconds between printing statistics to the log for
88 every thread. Disable with value 0 or "". Default is disabled.
89 The histogram statistics are only printed if replies were sent
90 during the statistics interval, requestlist statistics are
91 printed for every interval (but can be 0). This is because the
92 median calculation requires data to be present.
93
94 statistics-cumulative: <yes or no>
95 If enabled, statistics are cumulative since starting Unbound,
96 without clearing the statistics counters after logging the sta‐
97 tistics. Default is no.
98
99 extended-statistics: <yes or no>
100 If enabled, extended statistics are printed from unbound-con‐
101 trol(8). Default is off, because keeping track of more statis‐
102 tics takes time. The counters are listed in unbound-control(8).
103
104 statistics-inhibit-zero: <yes or no>
105 If enabled, selected extended statistics with a value of 0 are
106 inhibited from printing with unbound-control(8). These are
107 query types, query classes, query opcodes, answer rcodes (except
108 NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED) and RPZ
109 actions. Default is on.
110
111 num-threads: <number>
112 The number of threads to create to serve clients. Use 1 for no
113 threading.
114
115 port: <port number>
116 The port number, default 53, on which the server responds to
117 queries.
118
119 interface: <ip address or interface name [@port]>
120 Interface to use to connect to the network. This interface is
121 listened to for queries from clients, and answers to clients are
122 given from it. Can be given multiple times to work on several
123 interfaces. If none are given the default is to listen to local‐
124 host. If an interface name is used instead of an ip address,
125 the list of ip addresses on that interface are used. The inter‐
126 faces are not changed on a reload (kill -HUP) but only on
127 restart. A port number can be specified with @port (without
128 spaces between interface and port number), if not specified the
129 default port (from port) is used.
130
131 ip-address: <ip address or interface name [@port]>
132 Same as interface: (for ease of compatibility with nsd.conf).
133
134 interface-automatic: <yes or no>
135 Listen on all addresses on all (current and future) interfaces,
136 detect the source interface on UDP queries and copy them to
137 replies. This is a lot like ip-transparent, but this option
138 services all interfaces whilst with ip-transparent you can se‐
139 lect which (future) interfaces Unbound provides service on.
140 This feature is experimental, and needs support in your OS for
141 particular socket options. Default value is no.
142
143 interface-automatic-ports: <string>
144 List the port numbers that interface-automatic listens on. If
145 empty, the default port is listened on. The port numbers are
146 separated by spaces in the string. Default is "".
147
148 This can be used to have interface automatic to deal with the
149 interface, and listen on the normal port number, by including it
150 in the list, and also https or dns over tls port numbers by
151 putting them in the list as well.
152
153 outgoing-interface: <ip address or ip6 netblock>
154 Interface to use to connect to the network. This interface is
155 used to send queries to authoritative servers and receive their
156 replies. Can be given multiple times to work on several inter‐
157 faces. If none are given the default (all) is used. You can
158 specify the same interfaces in interface: and outgoing-inter‐
159 face: lines, the interfaces are then used for both purposes.
160 Outgoing queries are sent via a random outgoing interface to
161 counter spoofing.
162
163 If an IPv6 netblock is specified instead of an individual IPv6
164 address, outgoing UDP queries will use a randomised source ad‐
165 dress taken from the netblock to counter spoofing. Requires the
166 IPv6 netblock to be routed to the host running Unbound, and re‐
167 quires OS support for unprivileged non-local binds (currently
168 only supported on Linux). Several netblocks may be specified
169 with multiple outgoing-interface: options, but do not specify
170 both an individual IPv6 address and an IPv6 netblock, or the
171 randomisation will be compromised. Consider combining with pre‐
172 fer-ip6: yes to increase the likelihood of IPv6 nameservers be‐
173 ing selected for queries. On Linux you need these two commands
174 to be able to use the freebind socket option to receive traffic
175 for the ip6 netblock: ip -6 addr add mynetblock/64 dev lo && ip
176 -6 route add local mynetblock/64 dev lo
177
178 outgoing-range: <number>
179 Number of ports to open. This number of file descriptors can be
180 opened per thread. Must be at least 1. Default depends on com‐
181 pile options. Larger numbers need extra resources from the oper‐
182 ating system. For performance a very large value is best, use
183 libevent to make this possible.
184
185 outgoing-port-permit: <port number or range>
186 Permit Unbound to open this port or range of ports for use to
187 send queries. A larger number of permitted outgoing ports in‐
188 creases resilience against spoofing attempts. Make sure these
189 ports are not needed by other daemons. By default only ports
190 above 1024 that have not been assigned by IANA are used. Give a
191 port number or a range of the form "low-high", without spaces.
192
193 The outgoing-port-permit and outgoing-port-avoid statements are
194 processed in the line order of the config file, adding the per‐
195 mitted ports and subtracting the avoided ports from the set of
196 allowed ports. The processing starts with the non IANA allo‐
197 cated ports above 1024 in the set of allowed ports.
198
199 outgoing-port-avoid: <port number or range>
200 Do not permit Unbound to open this port or range of ports for
201 use to send queries. Use this to make sure Unbound does not grab
202 a port that another daemon needs. The port is avoided on all
203 outgoing interfaces, both IP4 and IP6. By default only ports
204 above 1024 that have not been assigned by IANA are used. Give a
205 port number or a range of the form "low-high", without spaces.
206
207 outgoing-num-tcp: <number>
208 Number of outgoing TCP buffers to allocate per thread. Default
209 is 10. If set to 0, or if do-tcp is "no", no TCP queries to au‐
210 thoritative servers are done. For larger installations increas‐
211 ing this value is a good idea.
212
213 incoming-num-tcp: <number>
214 Number of incoming TCP buffers to allocate per thread. Default
215 is 10. If set to 0, or if do-tcp is "no", no TCP queries from
216 clients are accepted. For larger installations increasing this
217 value is a good idea.
218
219 edns-buffer-size: <number>
220 Number of bytes size to advertise as the EDNS reassembly buffer
221 size. This is the value put into datagrams over UDP towards
222 peers. The actual buffer size is determined by msg-buffer-size
223 (both for TCP and UDP). Do not set higher than that value. De‐
224 fault is 1232 which is the DNS Flag Day 2020 recommendation.
225 Setting to 512 bypasses even the most stringent path MTU prob‐
226 lems, but is seen as extreme, since the amount of TCP fallback
227 generated is excessive (probably also for this resolver, con‐
228 sider tuning the outgoing tcp number).
229
230 max-udp-size: <number>
231 Maximum UDP response size (not applied to TCP response). 65536
232 disables the udp response size maximum, and uses the choice from
233 the client, always. Suggested values are 512 to 4096. Default
234 is 1232. The default value is the same as the default for
235 edns-buffer-size.
236
237 stream-wait-size: <number>
238 Number of bytes size maximum to use for waiting stream buffers.
239 Default is 4 megabytes. A plain number is in bytes, append 'k',
240 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024
241 bytes in a megabyte). As TCP and TLS streams queue up multiple
242 results, the amount of memory used for these buffers does not
243 exceed this number, otherwise the responses are dropped. This
244 manages the total memory usage of the server (under heavy use),
245 the number of requests that can be queued up per connection is
246 also limited, with further requests waiting in TCP buffers.
247
248 msg-buffer-size: <number>
249 Number of bytes size of the message buffers. Default is 65552
250 bytes, enough for 64 Kb packets, the maximum DNS message size.
251 No message larger than this can be sent or received. Can be re‐
252 duced to use less memory, but some requests for DNS data, such
253 as for huge resource records, will result in a SERVFAIL reply to
254 the client.
255
256 msg-cache-size: <number>
257 Number of bytes size of the message cache. Default is 4
258 megabytes. A plain number is in bytes, append 'k', 'm' or 'g'
259 for kilobytes, megabytes or gigabytes (1024*1024 bytes in a
260 megabyte).
261
262 msg-cache-slabs: <number>
263 Number of slabs in the message cache. Slabs reduce lock con‐
264 tention by threads. Must be set to a power of 2. Setting
265 (close) to the number of cpus is a reasonable guess.
266
267 num-queries-per-thread: <number>
268 The number of queries that every thread will service simultane‐
269 ously. If more queries arrive that need servicing, and no
270 queries can be jostled out (see jostle-timeout), then the
271 queries are dropped. This forces the client to resend after a
272 timeout; allowing the server time to work on the existing
273 queries. Default depends on compile options, 512 or 1024.
274
275 jostle-timeout: <msec>
276 Timeout used when the server is very busy. Set to a value that
277 usually results in one roundtrip to the authority servers. If
278 too many queries arrive, then 50% of the queries are allowed to
279 run to completion, and the other 50% are replaced with the new
280 incoming query if they have already spent more than their al‐
281 lowed time. This protects against denial of service by slow
282 queries or high query rates. Default 200 milliseconds. The ef‐
283 fect is that the qps for long-lasting queries is about (num‐
284 queriesperthread / 2) / (average time for such long queries)
285 qps. The qps for short queries can be about (numqueries‐
286 perthread / 2) / (jostletimeout in whole seconds) qps per
287 thread, about (1024/2)*5 = 2560 qps by default.
288
289 delay-close: <msec>
290 Extra delay for timeouted UDP ports before they are closed, in
291 msec. Default is 0, and that disables it. This prevents very
292 delayed answer packets from the upstream (recursive) servers
293 from bouncing against closed ports and setting off all sort of
294 close-port counters, with eg. 1500 msec. When timeouts happen
295 you need extra sockets, it checks the ID and remote IP of pack‐
296 ets, and unwanted packets are added to the unwanted packet
297 counter.
298
299 udp-connect: <yes or no>
300 Perform connect for UDP sockets that mitigates ICMP side channel
301 leakage. Default is yes.
302
303 unknown-server-time-limit: <msec>
304 The wait time in msec for waiting for an unknown server to re‐
305 ply. Increase this if you are behind a slow satellite link, to
306 eg. 1128. That would then avoid re-querying every initial query
307 because it times out. Default is 376 msec.
308
309 so-rcvbuf: <number>
310 If not 0, then set the SO_RCVBUF socket option to get more buf‐
311 fer space on UDP port 53 incoming queries. So that short spikes
312 on busy servers do not drop packets (see counter in netstat
313 -su). Default is 0 (use system value). Otherwise, the number
314 of bytes to ask for, try "4m" on a busy server. The OS caps it
315 at a maximum, on linux Unbound needs root permission to bypass
316 the limit, or the admin can use sysctl net.core.rmem_max. On
317 BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD
318 change header and recompile kernel. On Solaris ndd -set /dev/udp
319 udp_max_buf 8388608.
320
321 so-sndbuf: <number>
322 If not 0, then set the SO_SNDBUF socket option to get more buf‐
323 fer space on UDP port 53 outgoing queries. This for very busy
324 servers handles spikes in answer traffic, otherwise 'send: re‐
325 source temporarily unavailable' can get logged, the buffer over‐
326 run is also visible by netstat -su. Default is 0 (use system
327 value). Specify the number of bytes to ask for, try "4m" on a
328 very busy server. The OS caps it at a maximum, on linux Unbound
329 needs root permission to bypass the limit, or the admin can use
330 sysctl net.core.wmem_max. On BSD, Solaris changes are similar
331 to so-rcvbuf.
332
333 so-reuseport: <yes or no>
334 If yes, then open dedicated listening sockets for incoming
335 queries for each thread and try to set the SO_REUSEPORT socket
336 option on each socket. May distribute incoming queries to
337 threads more evenly. Default is yes. On Linux it is supported
338 in kernels >= 3.9. On other systems, FreeBSD, OSX it may also
339 work. You can enable it (on any platform and kernel), it then
340 attempts to open the port and passes the option if it was avail‐
341 able at compile time, if that works it is used, if it fails, it
342 continues silently (unless verbosity 3) without the option. At
343 extreme load it could be better to turn it off to distribute the
344 queries evenly, reported for Linux systems (4.4.x).
345
346 ip-transparent: <yes or no>
347 If yes, then use IP_TRANSPARENT socket option on sockets where
348 Unbound is listening for incoming traffic. Default no. Allows
349 you to bind to non-local interfaces. For example for non-exis‐
350 tent IP addresses that are going to exist later on, with host
351 failover configuration. This is a lot like interface-automatic,
352 but that one services all interfaces and with this option you
353 can select which (future) interfaces Unbound provides service
354 on. This option needs Unbound to be started with root permis‐
355 sions on some systems. The option uses IP_BINDANY on FreeBSD
356 systems and SO_BINDANY on OpenBSD systems.
357
358 ip-freebind: <yes or no>
359 If yes, then use IP_FREEBIND socket option on sockets where Un‐
360 bound is listening to incoming traffic. Default no. Allows you
361 to bind to IP addresses that are nonlocal or do not exist, like
362 when the network interface or IP address is down. Exists only
363 on Linux, where the similar ip-transparent option is also avail‐
364 able.
365
366 ip-dscp: <number>
367 The value of the Differentiated Services Codepoint (DSCP) in the
368 differentiated services field (DS) of the outgoing IP packet
369 headers. The field replaces the outdated IPv4 Type-Of-Service
370 field and the IPv6 traffic class field.
371
372 rrset-cache-size: <number>
373 Number of bytes size of the RRset cache. Default is 4 megabytes.
374 A plain number is in bytes, append 'k', 'm' or 'g' for kilo‐
375 bytes, megabytes or gigabytes (1024*1024 bytes in a megabyte).
376
377 rrset-cache-slabs: <number>
378 Number of slabs in the RRset cache. Slabs reduce lock contention
379 by threads. Must be set to a power of 2.
380
381 cache-max-ttl: <seconds>
382 Time to live maximum for RRsets and messages in the cache. De‐
383 fault is 86400 seconds (1 day). When the TTL expires, the cache
384 item has expired. Can be set lower to force the resolver to
385 query for data often, and not trust (very large) TTL values.
386 Downstream clients also see the lower TTL.
387
388 cache-min-ttl: <seconds>
389 Time to live minimum for RRsets and messages in the cache. De‐
390 fault is 0. If the minimum kicks in, the data is cached for
391 longer than the domain owner intended, and thus less queries are
392 made to look up the data. Zero makes sure the data in the cache
393 is as the domain owner intended, higher values, especially more
394 than an hour or so, can lead to trouble as the data in the cache
395 does not match up with the actual data any more.
396
397 cache-max-negative-ttl: <seconds>
398 Time to live maximum for negative responses, these have a SOA in
399 the authority section that is limited in time. Default is 3600.
400 This applies to nxdomain and nodata answers.
401
402 infra-host-ttl: <seconds>
403 Time to live for entries in the host cache. The host cache con‐
404 tains roundtrip timing, lameness and EDNS support information.
405 Default is 900.
406
407 infra-cache-slabs: <number>
408 Number of slabs in the infrastructure cache. Slabs reduce lock
409 contention by threads. Must be set to a power of 2.
410
411 infra-cache-numhosts: <number>
412 Number of hosts for which information is cached. Default is
413 10000.
414
415 infra-cache-min-rtt: <msec>
416 Lower limit for dynamic retransmit timeout calculation in infra‐
417 structure cache. Default is 50 milliseconds. Increase this value
418 if using forwarders needing more time to do recursive name reso‐
419 lution.
420
421 infra-cache-max-rtt: <msec>
422 Upper limit for dynamic retransmit timeout calculation in infra‐
423 structure cache. Default is 2 minutes.
424
425 infra-keep-probing: <yes or no>
426 If enabled the server keeps probing hosts that are down, in the
427 one probe at a time regime. Default is no. Hosts that are
428 down, eg. they did not respond during the one probe at a time
429 period, are marked as down and it may take infra-host-ttl time
430 to get probed again.
431
432 define-tag: <"list of tags">
433 Define the tags that can be used with local-zone and access-con‐
434 trol. Enclose the list between quotes ("") and put spaces be‐
435 tween tags.
436
437 do-ip4: <yes or no>
438 Enable or disable whether ip4 queries are answered or issued.
439 Default is yes.
440
441 do-ip6: <yes or no>
442 Enable or disable whether ip6 queries are answered or issued.
443 Default is yes. If disabled, queries are not answered on IPv6,
444 and queries are not sent on IPv6 to the internet nameservers.
445 With this option you can disable the IPv6 transport for sending
446 DNS traffic, it does not impact the contents of the DNS traffic,
447 which may have ip4 and ip6 addresses in it.
448
449 prefer-ip4: <yes or no>
450 If enabled, prefer IPv4 transport for sending DNS queries to in‐
451 ternet nameservers. Default is no. Useful if the IPv6 netblock
452 the server has, the entire /64 of that is not owned by one oper‐
453 ator and the reputation of the netblock /64 is an issue, using
454 IPv4 then uses the IPv4 filters that the upstream servers have.
455
456 prefer-ip6: <yes or no>
457 If enabled, prefer IPv6 transport for sending DNS queries to in‐
458 ternet nameservers. Default is no.
459
460 do-udp: <yes or no>
461 Enable or disable whether UDP queries are answered or issued.
462 Default is yes.
463
464 do-tcp: <yes or no>
465 Enable or disable whether TCP queries are answered or issued.
466 Default is yes.
467
468 tcp-mss: <number>
469 Maximum segment size (MSS) of TCP socket on which the server re‐
470 sponds to queries. Value lower than common MSS on Ethernet (1220
471 for example) will address path MTU problem. Note that not all
472 platform supports socket option to set MSS (TCP_MAXSEG). De‐
473 fault is system default MSS determined by interface MTU and ne‐
474 gotiation between server and client.
475
476 outgoing-tcp-mss: <number>
477 Maximum segment size (MSS) of TCP socket for outgoing queries
478 (from Unbound to other servers). Value lower than common MSS on
479 Ethernet (1220 for example) will address path MTU problem. Note
480 that not all platform supports socket option to set MSS
481 (TCP_MAXSEG). Default is system default MSS determined by in‐
482 terface MTU and negotiation between Unbound and other servers.
483
484 tcp-idle-timeout: <msec>
485 The period Unbound will wait for a query on a TCP connection.
486 If this timeout expires Unbound closes the connection. This op‐
487 tion defaults to 30000 milliseconds. When the number of free
488 incoming TCP buffers falls below 50% of the total number config‐
489 ured, the option value used is progressively reduced, first to
490 1% of the configured value, then to 0.2% of the configured value
491 if the number of free buffers falls below 35% of the total num‐
492 ber configured, and finally to 0 if the number of free buffers
493 falls below 20% of the total number configured. A minimum time‐
494 out of 200 milliseconds is observed regardless of the option
495 value used.
496
497 tcp-reuse-timeout: <msec>
498 The period Unbound will keep TCP persistent connections open to
499 authority servers. This option defaults to 60000 milliseconds.
500
501 max-reuse-tcp-queries: <number>
502 The maximum number of queries that can be sent on a persistent
503 TCP connection. This option defaults to 200 queries.
504
505 tcp-auth-query-timeout: <number>
506 Timeout in milliseconds for TCP queries to auth servers. This
507 option defaults to 3000 milliseconds.
508
509 edns-tcp-keepalive: <yes or no>
510 Enable or disable EDNS TCP Keepalive. Default is no.
511
512 edns-tcp-keepalive-timeout: <msec>
513 The period Unbound will wait for a query on a TCP connection
514 when EDNS TCP Keepalive is active. If this timeout expires Un‐
515 bound closes the connection. If the client supports the EDNS TCP
516 Keepalive option, Unbound sends the timeout value to the client
517 to encourage it to close the connection before the server times
518 out. This option defaults to 120000 milliseconds. When the
519 number of free incoming TCP buffers falls below 50% of the total
520 number configured, the advertised timeout is progressively re‐
521 duced to 1% of the configured value, then to 0.2% of the config‐
522 ured value if the number of free buffers falls below 35% of the
523 total number configured, and finally to 0 if the number of free
524 buffers falls below 20% of the total number configured. A mini‐
525 mum actual timeout of 200 milliseconds is observed regardless of
526 the advertised timeout.
527
528 sock-queue-timeout: <sec>
529 UDP queries that have waited in the socket buffer for a long
530 time can be dropped. Default is 0, disabled. The time is set in
531 seconds, 3 could be a good value to ignore old queries that
532 likely the client does not need a reply for any more. This could
533 happen if the host has not been able to service the queries for
534 a while, i.e. Unbound is not running, and then is enabled again.
535 It uses timestamp socket options.
536
537 tcp-upstream: <yes or no>
538 Enable or disable whether the upstream queries use TCP only for
539 transport. Default is no. Useful in tunneling scenarios. If
540 set to no you can specify TCP transport only for selected for‐
541 ward or stub zones using forward-tcp-upstream or stub-tcp-up‐
542 stream respectively.
543
544 udp-upstream-without-downstream: <yes or no>
545 Enable udp upstream even if do-udp is no. Default is no, and
546 this does not change anything. Useful for TLS service
547 providers, that want no udp downstream but use udp to fetch data
548 upstream.
549
550 tls-upstream: <yes or no>
551 Enabled or disable whether the upstream queries use TLS only for
552 transport. Default is no. Useful in tunneling scenarios. The
553 TLS contains plain DNS in TCP wireformat. The other server must
554 support this (see tls-service-key). If you enable this, also
555 configure a tls-cert-bundle or use tls-win-cert or tls-sys‐
556 tem-cert to load CA certs, otherwise the connections cannot be
557 authenticated. This option enables TLS for all of them, but if
558 you do not set this you can configure TLS specifically for some
559 forward zones with forward-tls-upstream. And also with
560 stub-tls-upstream.
561
562 ssl-upstream: <yes or no>
563 Alternate syntax for tls-upstream. If both are present in the
564 config file the last is used.
565
566 tls-service-key: <file>
567 If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS
568 service on the TCP ports marked implicitly or explicitly for
569 these services with tls-port or https-port. The file must con‐
570 tain the private key for the TLS session, the public certificate
571 is in the tls-service-pem file and it must also be specified if
572 tls-service-key is specified. The default is "", turned off.
573 Enabling or disabling this service requires a restart (a reload
574 is not enough), because the key is read while root permissions
575 are held and before chroot (if any). The ports enabled implic‐
576 itly or explicitly via tls-port: and https-port: do not provide
577 normal DNS TCP service. Unbound needs to be compiled with lib‐
578 nghttp2 in order to provide DNS-over-HTTPS.
579
580 ssl-service-key: <file>
581 Alternate syntax for tls-service-key.
582
583 tls-service-pem: <file>
584 The public key certificate pem file for the tls service. De‐
585 fault is "", turned off.
586
587 ssl-service-pem: <file>
588 Alternate syntax for tls-service-pem.
589
590 tls-port: <number>
591 The port number on which to provide TCP TLS service, default
592 853, only interfaces configured with that port number as @number
593 get the TLS service.
594
595 ssl-port: <number>
596 Alternate syntax for tls-port.
597
598 tls-cert-bundle: <file>
599 If null or "", no file is used. Set it to the certificate bun‐
600 dle file, for example "/etc/pki/tls/certs/ca-bundle.crt". These
601 certificates are used for authenticating connections made to
602 outside peers. For example auth-zone urls, and also DNS over
603 TLS connections. It is read at start up before permission drop
604 and chroot.
605
606 ssl-cert-bundle: <file>
607 Alternate syntax for tls-cert-bundle.
608
609 tls-win-cert: <yes or no>
610 Add the system certificates to the cert bundle certificates for
611 authentication. If no cert bundle, it uses only these certifi‐
612 cates. Default is no. On windows this option uses the certifi‐
613 cates from the cert store. Use the tls-cert-bundle option on
614 other systems. On other systems, this option enables the system
615 certificates.
616
617 tls-system-cert: <yes or no>
618 This the same setting as the tls-win-cert setting, under a dif‐
619 ferent name. Because it is not windows specific.
620
621 tls-additional-port: <portnr>
622 List portnumbers as tls-additional-port, and when interfaces are
623 defined, eg. with the @port suffix, as this port number, they
624 provide dns over TLS service. Can list multiple, each on a new
625 statement.
626
627 tls-session-ticket-keys: <file>
628 If not "", lists files with 80 bytes of random contents that are
629 used to perform TLS session resumption for clients using the Un‐
630 bound server. These files contain the secret key for the TLS
631 session tickets. First key use to encrypt and decrypt TLS ses‐
632 sion tickets. Other keys use to decrypt only. With this you
633 can roll over to new keys, by generating a new first file and
634 allowing decrypt of the old file by listing it after the first
635 file for some time, after the wait clients are not using the old
636 key any more and the old key can be removed. One way to create
637 the file is dd if=/dev/random bs=1 count=80 of=ticket.dat The
638 first 16 bytes should be different from the old one if you cre‐
639 ate a second key, that is the name used to identify the key.
640 Then there is 32 bytes random data for an AES key and then 32
641 bytes random data for the HMAC key.
642
643 tls-ciphers: <string with cipher list>
644 Set the list of ciphers to allow when serving TLS. Use "" for
645 defaults, and that is the default.
646
647 tls-ciphersuites: <string with ciphersuites list>
648 Set the list of ciphersuites to allow when serving TLS. This is
649 for newer TLS 1.3 connections. Use "" for defaults, and that is
650 the default.
651
652 pad-responses: <yes or no>
653 If enabled, TLS serviced queries that contained an EDNS Padding
654 option will cause responses padded to the closest multiple of
655 the size specified in pad-responses-block-size. Default is yes.
656
657 pad-responses-block-size: <number>
658 The block size with which to pad responses serviced over TLS.
659 Only responses to padded queries will be padded. Default is
660 468.
661
662 pad-queries: <yes or no>
663 If enabled, all queries sent over TLS upstreams will be padded
664 to the closest multiple of the size specified in
665 pad-queries-block-size. Default is yes.
666
667 pad-queries-block-size: <number>
668 The block size with which to pad queries sent over TLS up‐
669 streams. Default is 128.
670
671 tls-use-sni: <yes or no>
672 Enable or disable sending the SNI extension on TLS connections.
673 Default is yes. Changing the value requires a reload.
674
675 https-port: <number>
676 The port number on which to provide DNS-over-HTTPS service, de‐
677 fault 443, only interfaces configured with that port number as
678 @number get the HTTPS service.
679
680 http-endpoint: <endpoint string>
681 The HTTP endpoint to provide DNS-over-HTTPS service on. Default
682 "/dns-query".
683
684 http-max-streams: <number of streams>
685 Number used in the SETTINGS_MAX_CONCURRENT_STREAMS parameter in
686 the HTTP/2 SETTINGS frame for DNS-over-HTTPS connections. De‐
687 fault 100.
688
689 http-query-buffer-size: <size in bytes>
690 Maximum number of bytes used for all HTTP/2 query buffers com‐
691 bined. These buffers contain (partial) DNS queries waiting for
692 request stream completion. An RST_STREAM frame will be send to
693 streams exceeding this limit. Default is 4 megabytes. A plain
694 number is in bytes, append 'k', 'm' or 'g' for kilobytes,
695 megabytes or gigabytes (1024*1024 bytes in a megabyte).
696
697 http-response-buffer-size: <size in bytes>
698 Maximum number of bytes used for all HTTP/2 response buffers
699 combined. These buffers contain DNS responses waiting to be
700 written back to the clients. An RST_STREAM frame will be send
701 to streams exceeding this limit. Default is 4 megabytes. A plain
702 number is in bytes, append 'k', 'm' or 'g' for kilobytes,
703 megabytes or gigabytes (1024*1024 bytes in a megabyte).
704
705 http-nodelay: <yes or no>
706 Set TCP_NODELAY socket option on sockets used to provide DNS-
707 over-HTTPS service. Ignored if the option is not available. De‐
708 fault is yes.
709
710 http-notls-downstream: <yes or no>
711 Disable use of TLS for the downstream DNS-over-HTTP connections.
712 Useful for local back end servers. Default is no.
713
714 proxy-protocol-port: <portnr>
715 List port numbers as proxy-protocol-port, and when interfaces
716 are defined, eg. with the @port suffix, as this port number,
717 they support and expect PROXYv2. In this case the proxy address
718 will only be used for the network communication and initial ACL
719 (check if the proxy itself is denied/refused by configuration).
720 The proxied address (if any) will then be used as the true
721 client address and will be used where applicable for logging,
722 ACL, DNSTAP, RPZ and IP ratelimiting. PROXYv2 is supported for
723 UDP and TCP/TLS listening interfaces. There is no support for
724 PROXYv2 on a DoH or DNSCrypt listening interface. Can list mul‐
725 tiple, each on a new statement.
726
727 use-systemd: <yes or no>
728 Enable or disable systemd socket activation. Default is no.
729
730 do-daemonize: <yes or no>
731 Enable or disable whether the Unbound server forks into the
732 background as a daemon. Set the value to no when Unbound runs
733 as systemd service. Default is yes.
734
735 tcp-connection-limit: <IP netblock> <limit>
736 Allow up to limit simultaneous TCP connections from the given
737 netblock. When at the limit, further connections are accepted
738 but closed immediately. This option is experimental at this
739 time.
740
741 access-control: <IP netblock> <action>
742 The netblock is given as an IP4 or IP6 address with /size ap‐
743 pended for a classless network block. The action can be deny,
744 refuse, allow, allow_setrd, allow_snoop, allow_cookie,
745 deny_non_local or refuse_non_local. The most specific netblock
746 match is used, if none match refuse is used. The order of the
747 access-control statements therefore does not matter.
748
749 The deny action stops queries from hosts from that netblock.
750
751 The refuse action stops queries too, but sends a DNS rcode RE‐
752 FUSED error message back.
753
754 The allow action gives access to clients from that netblock. It
755 gives only access for recursion clients (which is what almost
756 all clients need). Nonrecursive queries are refused.
757
758 The allow action does allow nonrecursive queries to access the
759 local-data that is configured. The reason is that this does not
760 involve the Unbound server recursive lookup algorithm, and
761 static data is served in the reply. This supports normal opera‐
762 tions where nonrecursive queries are made for the authoritative
763 data. For nonrecursive queries any replies from the dynamic
764 cache are refused.
765
766 The allow_setrd action ignores the recursion desired (RD) bit
767 and treats all requests as if the recursion desired bit is set.
768 Note that this behavior violates RFC 1034 which states that a
769 name server should never perform recursive service unless asked
770 via the RD bit since this interferes with trouble shooting of
771 name servers and their databases. This prohibited behavior may
772 be useful if another DNS server must forward requests for spe‐
773 cific zones to a resolver DNS server, but only supports stub do‐
774 mains and sends queries to the resolver DNS server with the RD
775 bit cleared.
776
777 The allow_snoop action gives nonrecursive access too. This give
778 both recursive and non recursive access. The name allow_snoop
779 refers to cache snooping, a technique to use nonrecursive
780 queries to examine the cache contents (for malicious acts).
781 However, nonrecursive queries can also be a valuable debugging
782 tool (when you want to examine the cache contents). In that case
783 use allow_snoop for your administration host.
784
785 The allow_cookie action allows access to UDP queries that con‐
786 tain a valid DNS Cookie as specified in RFC 7873 and RFC 9018,
787 when the answer-cookie option is enabled. UDP queries contain‐
788 ing only a DNS Client Cookie and no Server Cookie, or an invalid
789 DNS Cookie, will receive a BADCOOKIE response including a newly
790 generated DNS Cookie, allowing clients to retry with that DNS
791 Cookie. The allow_cookie action will also accept requests over
792 stateful transports, regardless of the presence of an DNS Cookie
793 and regardless of the answer-cookie setting. If ip-ratelimit is
794 used, clients with a valid DNS Cookie will bypass the ratelimit.
795 If a ratelimit for such clients is still needed, ip-rate‐
796 limit-cookie can be used instead.
797
798 By default only localhost is allowed, the rest is refused. The
799 default is refused, because that is protocol-friendly. The DNS
800 protocol is not designed to handle dropped packets due to pol‐
801 icy, and dropping may result in (possibly excessive) retried
802 queries.
803
804 The deny_non_local and refuse_non_local settings are for hosts
805 that are only allowed to query for the authoritative local-data,
806 they are not allowed full recursion but only the static data.
807 With deny_non_local, messages that are disallowed are dropped,
808 with refuse_non_local they receive error code REFUSED.
809
810 access-control-tag: <IP netblock> <"list of tags">
811 Assign tags to access-control elements. Clients using this ac‐
812 cess control element use localzones that are tagged with one of
813 these tags. Tags must be defined in define-tags. Enclose list
814 of tags in quotes ("") and put spaces between tags. If ac‐
815 cess-control-tag is configured for a netblock that does not have
816 an access-control, an access-control element with action allow
817 is configured for this netblock.
818
819 access-control-tag-action: <IP netblock> <tag> <action>
820 Set action for particular tag for given access control element.
821 If you have multiple tag values, the tag used to lookup the ac‐
822 tion is the first tag match between access-control-tag and lo‐
823 cal-zone-tag where "first" comes from the order of the define-
824 tag values.
825
826 access-control-tag-data: <IP netblock> <tag> <"resource record string">
827 Set redirect data for particular tag for given access control
828 element.
829
830 access-control-view: <IP netblock> <view name>
831 Set view for given access control element.
832
833 interface-action: <ip address or interface name [@port]> <action>
834 Similar to access-control: but for interfaces.
835
836 The action is the same as the ones defined under access-con‐
837 trol:. Interfaces are refused by default. By default only lo‐
838 calhost (the IP netblock, not the loopback interface) is allowed
839 through the default access-control: behavior.
840
841 Note that the interface needs to be already specified with in‐
842 terface: and that any access-control*: setting overrides all in‐
843 terface-*: settings for targeted clients.
844
845 interface-tag: <ip address or interface name [@port]> <"list of tags">
846 Similar to access-control-tag: but for interfaces.
847
848 Note that the interface needs to be already specified with in‐
849 terface: and that any access-control*: setting overrides all in‐
850 terface-*: settings for targeted clients.
851
852 interface-tag-action: <ip address or interface name [@port]> <tag> <ac‐
853 tion>
854 Similar to access-control-tag-action: but for interfaces.
855
856 Note that the interface needs to be already specified with in‐
857 terface: and that any access-control*: setting overrides all in‐
858 terface-*: settings for targeted clients.
859
860 interface-tag-data: <ip address or interface name [@port]> <tag> <"re‐
861 source record string">
862 Similar to access-control-tag-data: but for interfaces.
863
864 Note that the interface needs to be already specified with in‐
865 terface: and that any access-control*: setting overrides all in‐
866 terface-*: settings for targeted clients.
867
868 interface-view: <ip address or interface name [@port]> <view name>
869 Similar to access-control-view: but for interfaces.
870
871 Note that the interface needs to be already specified with in‐
872 terface: and that any access-control*: setting overrides all in‐
873 terface-*: settings for targeted clients.
874
875 chroot: <directory>
876 If chroot is enabled, you should pass the configfile (from the
877 commandline) as a full path from the original root. After the
878 chroot has been performed the now defunct portion of the config
879 file path is removed to be able to reread the config after a
880 reload.
881
882 All other file paths (working dir, logfile, roothints, and key
883 files) can be specified in several ways: as an absolute path
884 relative to the new root, as a relative path to the working di‐
885 rectory, or as an absolute path relative to the original root.
886 In the last case the path is adjusted to remove the unused por‐
887 tion.
888
889 The pidfile can be either a relative path to the working direc‐
890 tory, or an absolute path relative to the original root. It is
891 written just prior to chroot and dropping permissions. This al‐
892 lows the pidfile to be /var/run/unbound.pid and the chroot to be
893 /var/unbound, for example. Note that Unbound is not able to re‐
894 move the pidfile after termination when it is located outside of
895 the chroot directory.
896
897 Additionally, Unbound may need to access /dev/urandom (for en‐
898 tropy) from inside the chroot.
899
900 If given a chroot is done to the given directory. By default ch‐
901 root is enabled and the default is "/etc/unbound". If you give
902 "" no chroot is performed.
903
904 username: <name>
905 If given, after binding the port the user privileges are
906 dropped. Default is "unbound". If you give username: "" no user
907 change is performed.
908
909 If this user is not capable of binding the port, reloads (by
910 signal HUP) will still retain the opened ports. If you change
911 the port number in the config file, and that new port number re‐
912 quires privileges, then a reload will fail; a restart is needed.
913
914 directory: <directory>
915 Sets the working directory for the program. Default is "/etc/un‐
916 bound". On Windows the string "%EXECUTABLE%" tries to change to
917 the directory that unbound.exe resides in. If you give a
918 server: directory: dir before include: file statements then
919 those includes can be relative to the working directory.
920
921 logfile: <filename>
922 If "" is given, logging goes to stderr, or nowhere once daemo‐
923 nized. The logfile is appended to, in the following format:
924 [seconds since 1970] unbound[pid:tid]: type: message.
925 If this option is given, the use-syslog is option is set to
926 "no". The logfile is reopened (for append) when the config file
927 is reread, on SIGHUP.
928
929 use-syslog: <yes or no>
930 Sets Unbound to send log messages to the syslogd, using sys‐
931 log(3). The log facility LOG_DAEMON is used, with identity "un‐
932 bound". The logfile setting is overridden when use-syslog is
933 turned on. The default is to log to syslog.
934
935 log-identity: <string>
936 If "" is given (default), then the name of the executable, usu‐
937 ally "unbound" is used to report to the log. Enter a string to
938 override it with that, which is useful on systems that run more
939 than one instance of Unbound, with different configurations, so
940 that the logs can be easily distinguished against.
941
942 log-time-ascii: <yes or no>
943 Sets logfile lines to use a timestamp in UTC ascii. Default is
944 no, which prints the seconds since 1970 in brackets. No effect
945 if using syslog, in that case syslog formats the timestamp
946 printed into the log files.
947
948 log-queries: <yes or no>
949 Prints one line per query to the log, with the log timestamp and
950 IP address, name, type and class. Default is no. Note that it
951 takes time to print these lines which makes the server (signifi‐
952 cantly) slower. Odd (nonprintable) characters in names are
953 printed as '?'.
954
955 log-replies: <yes or no>
956 Prints one line per reply to the log, with the log timestamp and
957 IP address, name, type, class, return code, time to resolve,
958 from cache and response size. Default is no. Note that it
959 takes time to print these lines which makes the server (signifi‐
960 cantly) slower. Odd (nonprintable) characters in names are
961 printed as '?'.
962
963 log-tag-queryreply: <yes or no>
964 Prints the word 'query' and 'reply' with log-queries and
965 log-replies. This makes filtering logs easier. The default is
966 off (for backwards compatibility).
967
968 log-local-actions: <yes or no>
969 Print log lines to inform about local zone actions. These lines
970 are like the local-zone type inform prints out, but they are
971 also printed for the other types of local zones.
972
973 log-servfail: <yes or no>
974 Print log lines that say why queries return SERVFAIL to clients.
975 This is separate from the verbosity debug logs, much smaller,
976 and printed at the error level, not the info level of debug info
977 from verbosity.
978
979 pidfile: <filename>
980 The process id is written to the file. Default is "/run/un‐
981 bound/unbound.pid". So,
982 kill -HUP `cat /run/unbound/unbound.pid`
983 triggers a reload,
984 kill -TERM `cat /run/unbound/unbound.pid`
985 gracefully terminates.
986
987 root-hints: <filename>
988 Read the root hints from this file. Default is nothing, using
989 builtin hints for the IN class. The file has the format of zone
990 files, with root nameserver names and addresses only. The de‐
991 fault may become outdated, when servers change, therefore it is
992 good practice to use a root-hints file.
993
994 hide-identity: <yes or no>
995 If enabled id.server and hostname.bind queries are refused.
996
997 identity: <string>
998 Set the identity to report. If set to "", the default, then the
999 hostname of the server is returned.
1000
1001 hide-version: <yes or no>
1002 If enabled version.server and version.bind queries are refused.
1003
1004 version: <string>
1005 Set the version to report. If set to "", the default, then the
1006 package version is returned.
1007
1008 hide-http-user-agent: <yes or no>
1009 If enabled the HTTP header User-Agent is not set. Use with cau‐
1010 tion as some webserver configurations may reject HTTP requests
1011 lacking this header. If needed, it is better to explicitly set
1012 the http-user-agent below.
1013
1014 http-user-agent: <string>
1015 Set the HTTP User-Agent header for outgoing HTTP requests. If
1016 set to "", the default, then the package name and version are
1017 used.
1018
1019 nsid: <string>
1020 Add the specified nsid to the EDNS section of the answer when
1021 queried with an NSID EDNS enabled packet. As a sequence of hex
1022 characters or with ascii_ prefix and then an ascii string.
1023
1024 hide-trustanchor: <yes or no>
1025 If enabled trustanchor.unbound queries are refused.
1026
1027 target-fetch-policy: <"list of numbers">
1028 Set the target fetch policy used by Unbound to determine if it
1029 should fetch nameserver target addresses opportunistically. The
1030 policy is described per dependency depth.
1031
1032 The number of values determines the maximum dependency depth
1033 that Unbound will pursue in answering a query. A value of -1
1034 means to fetch all targets opportunistically for that dependency
1035 depth. A value of 0 means to fetch on demand only. A positive
1036 value fetches that many targets opportunistically.
1037
1038 Enclose the list between quotes ("") and put spaces between num‐
1039 bers. The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0
1040 0" gives behaviour closer to that of BIND 9, while setting "-1
1041 -1 -1 -1 -1" gives behaviour rumoured to be closer to that of
1042 BIND 8.
1043
1044 harden-short-bufsize: <yes or no>
1045 Very small EDNS buffer sizes from queries are ignored. Default
1046 is on, as described in the standard.
1047
1048 harden-large-queries: <yes or no>
1049 Very large queries are ignored. Default is off, since it is le‐
1050 gal protocol wise to send these, and could be necessary for op‐
1051 eration if TSIG or EDNS payload is very large.
1052
1053 harden-glue: <yes or no>
1054 Will trust glue only if it is within the servers authority. De‐
1055 fault is yes.
1056
1057 harden-dnssec-stripped: <yes or no>
1058 Require DNSSEC data for trust-anchored zones, if such data is
1059 absent, the zone becomes bogus. If turned off, and no DNSSEC
1060 data is received (or the DNSKEY data fails to validate), then
1061 the zone is made insecure, this behaves like there is no trust
1062 anchor. You could turn this off if you are sometimes behind an
1063 intrusive firewall (of some sort) that removes DNSSEC data from
1064 packets, or a zone changes from signed to unsigned to badly
1065 signed often. If turned off you run the risk of a downgrade at‐
1066 tack that disables security for a zone. Default is yes.
1067
1068 harden-below-nxdomain: <yes or no>
1069 From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Un‐
1070 derneath"), returns nxdomain to queries for a name below another
1071 name that is already known to be nxdomain. DNSSEC mandates no‐
1072 error for empty nonterminals, hence this is possible. Very old
1073 software might return nxdomain for empty nonterminals (that usu‐
1074 ally happen for reverse IP address lookups), and thus may be in‐
1075 compatible with this. To try to avoid this only DNSSEC-secure
1076 nxdomains are used, because the old software does not have
1077 DNSSEC. Default is yes. The nxdomain must be secure, this
1078 means nsec3 with optout is insufficient.
1079
1080 harden-referral-path: <yes or no>
1081 Harden the referral path by performing additional queries for
1082 infrastructure data. Validates the replies if trust anchors are
1083 configured and the zones are signed. This enforces DNSSEC vali‐
1084 dation on nameserver NS sets and the nameserver addresses that
1085 are encountered on the referral path to the answer. Default no,
1086 because it burdens the authority servers, and it is not RFC
1087 standard, and could lead to performance problems because of the
1088 extra query load that is generated. Experimental option. If
1089 you enable it consider adding more numbers after the tar‐
1090 get-fetch-policy to increase the max depth that is checked to.
1091
1092 harden-algo-downgrade: <yes or no>
1093 Harden against algorithm downgrade when multiple algorithms are
1094 advertised in the DS record. If no, allows the weakest algo‐
1095 rithm to validate the zone. Default is no. Zone signers must
1096 produce zones that allow this feature to work, but sometimes
1097 they do not, and turning this option off avoids that validation
1098 failure.
1099
1100 harden-unknown-additional: <yes or no>
1101 Harden against unknown records in the authority section and ad‐
1102 ditional section. Default is no. If no, such records are copied
1103 from the upstream and presented to the client together with the
1104 answer. If yes, it could hamper future protocol developments
1105 that want to add records.
1106
1107 use-caps-for-id: <yes or no>
1108 Use 0x20-encoded random bits in the query to foil spoof at‐
1109 tempts. This perturbs the lowercase and uppercase of query
1110 names sent to authority servers and checks if the reply still
1111 has the correct casing. Disabled by default. This feature is
1112 an experimental implementation of draft dns-0x20.
1113
1114 caps-exempt: <domain>
1115 Exempt the domain so that it does not receive caps-for-id per‐
1116 turbed queries. For domains that do not support 0x20 and also
1117 fail with fallback because they keep sending different answers,
1118 like some load balancers. Can be given multiple times, for dif‐
1119 ferent domains.
1120
1121 caps-whitelist: <yes or no>
1122 Alternate syntax for caps-exempt.
1123
1124 qname-minimisation: <yes or no>
1125 Send minimum amount of information to upstream servers to en‐
1126 hance privacy. Only send minimum required labels of the QNAME
1127 and set QTYPE to A when possible. Best effort approach; full
1128 QNAME and original QTYPE will be sent when upstream replies with
1129 a RCODE other than NOERROR, except when receiving NXDOMAIN from
1130 a DNSSEC signed zone. Default is yes.
1131
1132 qname-minimisation-strict: <yes or no>
1133 QNAME minimisation in strict mode. Do not fall-back to sending
1134 full QNAME to potentially broken nameservers. A lot of domains
1135 will not be resolvable when this option in enabled. Only use if
1136 you know what you are doing. This option only has effect when
1137 qname-minimisation is enabled. Default is no.
1138
1139 aggressive-nsec: <yes or no>
1140 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDO‐
1141 MAIN and other denials, using information from previous NXDO‐
1142 MAINs answers. Default is yes. It helps to reduce the query
1143 rate towards targets that get a very high nonexistent name
1144 lookup rate.
1145
1146 private-address: <IP address or subnet>
1147 Give IPv4 of IPv6 addresses or classless subnets. These are ad‐
1148 dresses on your private network, and are not allowed to be re‐
1149 turned for public internet names. Any occurrence of such ad‐
1150 dresses are removed from DNS answers. Additionally, the DNSSEC
1151 validator may mark the answers bogus. This protects against
1152 so-called DNS Rebinding, where a user browser is turned into a
1153 network proxy, allowing remote access through the browser to
1154 other parts of your private network. Some names can be allowed
1155 to contain your private addresses, by default all the local-data
1156 that you configured is allowed to, and you can specify addi‐
1157 tional names using private-domain. No private addresses are en‐
1158 abled by default. We consider to enable this for the RFC1918
1159 private IP address space by default in later releases. That
1160 would enable private addresses for 10.0.0.0/8 172.16.0.0/12
1161 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the
1162 RFC standards say these addresses should not be visible on the
1163 public internet. Turning on 127.0.0.0/8 would hinder many spam‐
1164 blocklists as they use that. Adding ::ffff:0:0/96 stops
1165 IPv4-mapped IPv6 addresses from bypassing the filter.
1166
1167 private-domain: <domain name>
1168 Allow this domain, and all its subdomains to contain private ad‐
1169 dresses. Give multiple times to allow multiple domain names to
1170 contain private addresses. Default is none.
1171
1172 unwanted-reply-threshold: <number>
1173 If set, a total number of unwanted replies is kept track of in
1174 every thread. When it reaches the threshold, a defensive action
1175 is taken and a warning is printed to the log. The defensive ac‐
1176 tion is to clear the rrset and message caches, hopefully flush‐
1177 ing away any poison. A value of 10 million is suggested. De‐
1178 fault is 0 (turned off).
1179
1180 do-not-query-address: <IP address>
1181 Do not query the given IP address. Can be IP4 or IP6. Append
1182 /num to indicate a classless delegation netblock, for example
1183 like 10.2.3.4/24 or 2001::11/64.
1184
1185 do-not-query-localhost: <yes or no>
1186 If yes, localhost is added to the do-not-query-address entries,
1187 both IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be
1188 used to send queries to. Default is yes.
1189
1190 prefetch: <yes or no>
1191 If yes, message cache elements are prefetched before they expire
1192 to keep the cache up to date. Default is no. Turning it on
1193 gives about 10 percent more traffic and load on the machine, but
1194 popular items do not expire from the cache.
1195
1196 prefetch-key: <yes or no>
1197 If yes, fetch the DNSKEYs earlier in the validation process,
1198 when a DS record is encountered. This lowers the latency of re‐
1199 quests. It does use a little more CPU. Also if the cache is
1200 set to 0, it is no use. Default is no.
1201
1202 deny-any: <yes or no>
1203 If yes, deny queries of type ANY with an empty response. De‐
1204 fault is no. If disabled, Unbound responds with a short list of
1205 resource records if some can be found in the cache and makes the
1206 upstream type ANY query if there are none.
1207
1208 rrset-roundrobin: <yes or no>
1209 If yes, Unbound rotates RRSet order in response (the random num‐
1210 ber is taken from the query ID, for speed and thread safety).
1211 Default is yes.
1212
1213 minimal-responses: <yes or no>
1214 If yes, Unbound does not insert authority/additional sections
1215 into response messages when those sections are not required.
1216 This reduces response size significantly, and may avoid TCP
1217 fallback for some responses. This may cause a slight speedup.
1218 The default is yes, even though the DNS protocol RFCs mandate
1219 these sections, and the additional content could be of use and
1220 save roundtrips for clients. Because they are not used, and the
1221 saved roundtrips are easier saved with prefetch, whilst this is
1222 faster.
1223
1224 disable-dnssec-lame-check: <yes or no>
1225 If true, disables the DNSSEC lameness check in the iterator.
1226 This check sees if RRSIGs are present in the answer, when dnssec
1227 is expected, and retries another authority if RRSIGs are unex‐
1228 pectedly missing. The validator will insist in RRSIGs for
1229 DNSSEC signed domains regardless of this setting, if a trust an‐
1230 chor is loaded.
1231
1232 module-config: <"module names">
1233 Module configuration, a list of module names separated by spa‐
1234 ces, surround the string with quotes (""). The modules can be
1235 respip, validator, or iterator (and possibly more, see below).
1236 Setting this to just "iterator" will result in a non-validating
1237 server. Setting this to "validator iterator" will turn on
1238 DNSSEC validation. The ordering of the modules is significant,
1239 the order decides the order of processing. You must also set
1240 trust-anchors for validation to be useful. Adding respip to the
1241 front will cause RPZ processing to be done on all queries. The
1242 default is "validator iterator".
1243
1244 When the server is built with EDNS client subnet support the de‐
1245 fault is "subnetcache validator iterator". Most modules that
1246 need to be listed here have to be listed at the beginning of the
1247 line. The subnetcachedb module has to be listed just before the
1248 iterator. The python module can be listed in different places,
1249 it then processes the output of the module it is just before.
1250 The dynlib module can be listed pretty much anywhere, it is only
1251 a very thin wrapper that allows dynamic libraries to run in its
1252 place.
1253
1254 trust-anchor-file: <filename>
1255 File with trusted keys for validation. Both DS and DNSKEY en‐
1256 tries can appear in the file. The format of the file is the
1257 standard DNS Zone file format. Default is "", or no trust an‐
1258 chor file.
1259
1260 auto-trust-anchor-file: <filename>
1261 File with trust anchor for one zone, which is tracked with
1262 RFC5011 probes. The probes are run several times per month,
1263 thus the machine must be online frequently. The initial file
1264 can be one with contents as described in trust-anchor-file. The
1265 file is written to when the anchor is updated, so the Unbound
1266 user must have write permission. Write permission to the file,
1267 but also to the directory it is in (to create a temporary file,
1268 which is necessary to deal with filesystem full events), it must
1269 also be inside the chroot (if that is used).
1270
1271 trust-anchor: <"Resource Record">
1272 A DS or DNSKEY RR for a key to use for validation. Multiple en‐
1273 tries can be given to specify multiple trusted keys, in addition
1274 to the trust-anchor-files. The resource record is entered in
1275 the same format as 'dig' or 'drill' prints them, the same format
1276 as in the zone file. Has to be on a single line, with "" around
1277 it. A TTL can be specified for ease of cut and paste, but is ig‐
1278 nored. A class can be specified, but class IN is default.
1279
1280 trusted-keys-file: <filename>
1281 File with trusted keys for validation. Specify more than one
1282 file with several entries, one file per entry. Like trust-an‐
1283 chor-file but has a different file format. Format is BIND-9
1284 style format, the trusted-keys { name flag proto algo "key"; };
1285 clauses are read. It is possible to use wildcards with this
1286 statement, the wildcard is expanded on start and on reload.
1287
1288 trust-anchor-signaling: <yes or no>
1289 Send RFC8145 key tag query after trust anchor priming. Default
1290 is yes.
1291
1292 root-key-sentinel: <yes or no>
1293 Root key trust anchor sentinel. Default is yes.
1294
1295 domain-insecure: <domain name>
1296 Sets domain name to be insecure, DNSSEC chain of trust is ig‐
1297 nored towards the domain name. So a trust anchor above the do‐
1298 main name can not make the domain secure with a DS record, such
1299 a DS record is then ignored. Can be given multiple times to
1300 specify multiple domains that are treated as if unsigned. If
1301 you set trust anchors for the domain they override this setting
1302 (and the domain is secured).
1303
1304 This can be useful if you want to make sure a trust anchor for
1305 external lookups does not affect an (unsigned) internal domain.
1306 A DS record externally can create validation failures for that
1307 internal domain.
1308
1309 val-override-date: <rrsig-style date spec>
1310 Default is "" or "0", which disables this debugging feature. If
1311 enabled by giving a RRSIG style date, that date is used for ver‐
1312 ifying RRSIG inception and expiration dates, instead of the cur‐
1313 rent date. Do not set this unless you are debugging signature
1314 inception and expiration. The value -1 ignores the date alto‐
1315 gether, useful for some special applications.
1316
1317 val-sig-skew-min: <seconds>
1318 Minimum number of seconds of clock skew to apply to validated
1319 signatures. A value of 10% of the signature lifetime (expira‐
1320 tion - inception) is used, capped by this setting. Default is
1321 3600 (1 hour) which allows for daylight savings differences.
1322 Lower this value for more strict checking of short lived signa‐
1323 tures.
1324
1325 val-sig-skew-max: <seconds>
1326 Maximum number of seconds of clock skew to apply to validated
1327 signatures. A value of 10% of the signature lifetime (expira‐
1328 tion - inception) is used, capped by this setting. Default is
1329 86400 (24 hours) which allows for timezone setting problems in
1330 stable domains. Setting both min and max very low disables the
1331 clock skew allowances. Setting both min and max very high makes
1332 the validator check the signature timestamps less strictly.
1333
1334 val-max-restart: <number>
1335 The maximum number the validator should restart validation with
1336 another authority in case of failed validation. Default is 5.
1337
1338 val-bogus-ttl: <number>
1339 The time to live for bogus data. This is data that has failed
1340 validation; due to invalid signatures or other checks. The TTL
1341 from that data cannot be trusted, and this value is used in‐
1342 stead. The value is in seconds, default 60. The time interval
1343 prevents repeated revalidation of bogus data.
1344
1345 val-clean-additional: <yes or no>
1346 Instruct the validator to remove data from the additional sec‐
1347 tion of secure messages that are not signed properly. Messages
1348 that are insecure, bogus, indeterminate or unchecked are not af‐
1349 fected. Default is yes. Use this setting to protect the users
1350 that rely on this validator for authentication from potentially
1351 bad data in the additional section.
1352
1353 val-log-level: <number>
1354 Have the validator print validation failures to the log. Re‐
1355 gardless of the verbosity setting. Default is 0, off. At 1,
1356 for every user query that fails a line is printed to the logs.
1357 This way you can monitor what happens with validation. Use a
1358 diagnosis tool, such as dig or drill, to find out why validation
1359 is failing for these queries. At 2, not only the query that
1360 failed is printed but also the reason why Unbound thought it was
1361 wrong and which server sent the faulty data.
1362
1363 val-permissive-mode: <yes or no>
1364 Instruct the validator to mark bogus messages as indeterminate.
1365 The security checks are performed, but if the result is bogus
1366 (failed security), the reply is not withheld from the client
1367 with SERVFAIL as usual. The client receives the bogus data. For
1368 messages that are found to be secure the AD bit is set in
1369 replies. Also logging is performed as for full validation. The
1370 default value is "no".
1371
1372 ignore-cd-flag: <yes or no>
1373 Instruct Unbound to ignore the CD flag from clients and refuse
1374 to return bogus answers to them. Thus, the CD (Checking Dis‐
1375 abled) flag does not disable checking any more. This is useful
1376 if legacy (w2008) servers that set the CD flag but cannot vali‐
1377 date DNSSEC themselves are the clients, and then Unbound pro‐
1378 vides them with DNSSEC protection. The default value is "no".
1379
1380 disable-edns-do: <yes or no>
1381 Disable the EDNS DO flag in upstream requests. It breaks DNSSEC
1382 validation for Unbound's clients. This results in the upstream
1383 name servers to not include DNSSEC records in their replies and
1384 could be helpful for devices that cannot handle DNSSEC informa‐
1385 tion. When the option is enabled, clients that set the DO flag
1386 receive no EDNS record in the response to indicate the lack of
1387 support to them. If this option is enabled but Unbound is al‐
1388 ready configured for DNSSEC validation (i.e., the validator mod‐
1389 ule is enabled; default) this option is implicitly turned off
1390 with a warning as to not break DNSSEC validation in Unbound.
1391 Default is no.
1392
1393 serve-expired: <yes or no>
1394 If enabled, Unbound attempts to serve old responses from cache
1395 with a TTL of serve-expired-reply-ttl in the response without
1396 waiting for the actual resolution to finish. The actual resolu‐
1397 tion answer ends up in the cache later on. Default is "no".
1398
1399 serve-expired-ttl: <seconds>
1400 Limit serving of expired responses to configured seconds after
1401 expiration. 0 disables the limit. This option only applies when
1402 serve-expired is enabled. A suggested value per RFC 8767 is be‐
1403 tween 86400 (1 day) and 259200 (3 days). The default is 0.
1404
1405 serve-expired-ttl-reset: <yes or no>
1406 Set the TTL of expired records to the serve-expired-ttl value
1407 after a failed attempt to retrieve the record from upstream.
1408 This makes sure that the expired records will be served as long
1409 as there are queries for it. Default is "no".
1410
1411 serve-expired-reply-ttl: <seconds>
1412 TTL value to use when replying with expired data. If serve-ex‐
1413 pired-client-timeout is also used then it is RECOMMENDED to use
1414 30 as the value (RFC 8767). The default is 30.
1415
1416 serve-expired-client-timeout: <msec>
1417 Time in milliseconds before replying to the client with expired
1418 data. This essentially enables the serve-stale behavior as
1419 specified in RFC 8767 that first tries to resolve before immedi‐
1420 ately responding with expired data. A recommended value per RFC
1421 8767 is 1800. Setting this to 0 will disable this behavior.
1422 Default is 0.
1423
1424 serve-original-ttl: <yes or no>
1425 If enabled, Unbound will always return the original TTL as re‐
1426 ceived from the upstream name server rather than the decrement‐
1427 ing TTL as stored in the cache. This feature may be useful if
1428 Unbound serves as a front-end to a hidden authoritative name
1429 server. Enabling this feature does not impact cache expiry, it
1430 only changes the TTL Unbound embeds in responses to queries.
1431 Note that enabling this feature implicitly disables enforcement
1432 of the configured minimum and maximum TTL, as it is assumed
1433 users who enable this feature do not want Unbound to change the
1434 TTL obtained from an upstream server. Thus, the values set us‐
1435 ing cache-min-ttl and cache-max-ttl are ignored. Default is
1436 "no".
1437
1438 val-nsec3-keysize-iterations: <"list of values">
1439 List of keysize and iteration count values, separated by spaces,
1440 surrounded by quotes. Default is "1024 150 2048 150 4096 150".
1441 This determines the maximum allowed NSEC3 iteration count before
1442 a message is simply marked insecure instead of performing the
1443 many hashing iterations. The list must be in ascending order and
1444 have at least one entry. If you set it to "1024 65535" there is
1445 no restriction to NSEC3 iteration values. This table must be
1446 kept short; a very long list could cause slower operation.
1447
1448 zonemd-permissive-mode: <yes or no>
1449 If enabled the ZONEMD verification failures are only logged and
1450 do not cause the zone to be blocked and only return servfail.
1451 Useful for testing out if it works, or if the operator only
1452 wants to be notified of a problem without disrupting service.
1453 Default is no.
1454
1455 add-holddown: <seconds>
1456 Instruct the auto-trust-anchor-file probe mechanism for RFC5011
1457 autotrust updates to add new trust anchors only after they have
1458 been visible for this time. Default is 30 days as per the RFC.
1459
1460 del-holddown: <seconds>
1461 Instruct the auto-trust-anchor-file probe mechanism for RFC5011
1462 autotrust updates to remove revoked trust anchors after they
1463 have been kept in the revoked list for this long. Default is 30
1464 days as per the RFC.
1465
1466 keep-missing: <seconds>
1467 Instruct the auto-trust-anchor-file probe mechanism for RFC5011
1468 autotrust updates to remove missing trust anchors after they
1469 have been unseen for this long. This cleans up the state file
1470 if the target zone does not perform trust anchor revocation, so
1471 this makes the auto probe mechanism work with zones that perform
1472 regular (non-5011) rollovers. The default is 366 days. The
1473 value 0 does not remove missing anchors, as per the RFC.
1474
1475 permit-small-holddown: <yes or no>
1476 Debug option that allows the autotrust 5011 rollover timers to
1477 assume very small values. Default is no.
1478
1479 key-cache-size: <number>
1480 Number of bytes size of the key cache. Default is 4 megabytes.
1481 A plain number is in bytes, append 'k', 'm' or 'g' for kilo‐
1482 bytes, megabytes or gigabytes (1024*1024 bytes in a megabyte).
1483
1484 key-cache-slabs: <number>
1485 Number of slabs in the key cache. Slabs reduce lock contention
1486 by threads. Must be set to a power of 2. Setting (close) to the
1487 number of cpus is a reasonable guess.
1488
1489 neg-cache-size: <number>
1490 Number of bytes size of the aggressive negative cache. Default
1491 is 1 megabyte. A plain number is in bytes, append 'k', 'm' or
1492 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a
1493 megabyte).
1494
1495 unblock-lan-zones: <yes or no>
1496 Default is disabled. If enabled, then for private address
1497 space, the reverse lookups are no longer filtered. This allows
1498 Unbound when running as dns service on a host where it provides
1499 service for that host, to put out all of the queries for the
1500 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse
1501 and ::1 reverse zones are configured with default local zones.
1502 Disable the option when Unbound is running as a (DHCP-) DNS net‐
1503 work resolver for a group of machines, where such lookups should
1504 be filtered (RFC compliance), this also stops potential data
1505 leakage about the local network to the upstream DNS servers.
1506
1507 insecure-lan-zones: <yes or no>
1508 Default is disabled. If enabled, then reverse lookups in pri‐
1509 vate address space are not validated. This is usually required
1510 whenever unblock-lan-zones is used.
1511
1512 local-zone: <zone> <type>
1513 Configure a local zone. The type determines the answer to give
1514 if there is no match from local-data. The types are deny,
1515 refuse, static, transparent, redirect, nodefault, typetranspar‐
1516 ent, inform, inform_deny, inform_redirect, always_transparent,
1517 block_a, always_refuse, always_nxdomain, always_null, noview,
1518 and are explained below. After that the default settings are
1519 listed. Use local-data: to enter data into the local zone. An‐
1520 swers for local zones are authoritative DNS answers. By default
1521 the zones are class IN.
1522
1523 If you need more complicated authoritative data, with referrals,
1524 wildcards, CNAME/DNAME support, or DNSSEC authoritative service,
1525 setup a stub-zone for it as detailed in the stub zone section
1526 below. A stub-zone can be used to have unbound send queries to
1527 another server, an authoritative server, to fetch the informa‐
1528 tion. With a forward-zone, unbound sends queries to a server
1529 that is a recursive server to fetch the information. With an
1530 auth-zone a zone can be loaded from file and used, it can be
1531 used like a local-zone for users downstream, or the auth-zone
1532 information can be used to fetch information from when resolving
1533 like it is an upstream server. The forward-zone and auth-zone
1534 options are described in their sections below. If you want to
1535 perform filtering of the information that the users can fetch,
1536 the local-zone and local-data statements allow for this, but
1537 also the rpz functionality can be used, described in the RPZ
1538 section.
1539
1540 deny Do not send an answer, drop the query. If there is a match
1541 from local data, the query is answered.
1542
1543 refuse
1544 Send an error message reply, with rcode REFUSED. If there is
1545 a match from local data, the query is answered.
1546
1547 static
1548 If there is a match from local data, the query is answered.
1549 Otherwise, the query is answered with nodata or nxdomain.
1550 For a negative answer a SOA is included in the answer if
1551 present as local-data for the zone apex domain.
1552
1553 transparent
1554 If there is a match from local data, the query is answered.
1555 Otherwise if the query has a different name, the query is re‐
1556 solved normally. If the query is for a name given in local‐
1557 data but no such type of data is given in localdata, then a
1558 noerror nodata answer is returned. If no local-zone is given
1559 local-data causes a transparent zone to be created by de‐
1560 fault.
1561
1562 typetransparent
1563 If there is a match from local data, the query is answered.
1564 If the query is for a different name, or for the same name
1565 but for a different type, the query is resolved normally.
1566 So, similar to transparent but types that are not listed in
1567 local data are resolved normally, so if an A record is in the
1568 local data that does not cause a nodata reply for AAAA
1569 queries.
1570
1571 redirect
1572 The query is answered from the local data for the zone name.
1573 There may be no local data beneath the zone name. This an‐
1574 swers queries for the zone, and all subdomains of the zone
1575 with the local data for the zone. It can be used to redirect
1576 a domain to return a different address record to the end
1577 user, with local-zone: "example.com." redirect and lo‐
1578 cal-data: "example.com. A 127.0.0.1" queries for www.exam‐
1579 ple.com and www.foo.example.com are redirected, so that users
1580 with web browsers cannot access sites with suffix exam‐
1581 ple.com.
1582
1583 inform
1584 The query is answered normally, same as transparent. The
1585 client IP address (@portnumber) is printed to the logfile.
1586 The log message is: timestamp, unbound-pid, info: zonename
1587 inform IP@port queryname type class. This option can be used
1588 for normal resolution, but machines looking up infected names
1589 are logged, eg. to run antivirus on them.
1590
1591 inform_deny
1592 The query is dropped, like 'deny', and logged, like 'inform'.
1593 Ie. find infected machines without answering the queries.
1594
1595 inform_redirect
1596 The query is redirected, like 'redirect', and logged, like
1597 'inform'. Ie. answer queries with fixed data and also log
1598 the machines that ask.
1599
1600 always_transparent
1601 Like transparent, but ignores local data and resolves nor‐
1602 mally.
1603
1604 block_a
1605 Like transparent, but ignores local data and resolves nor‐
1606 mally all query types excluding A. For A queries it uncondi‐
1607 tionally returns NODATA. Useful in cases when there is a
1608 need to explicitly force all apps to use IPv6 protocol and
1609 avoid any queries to IPv4.
1610
1611 always_refuse
1612 Like refuse, but ignores local data and refuses the query.
1613
1614 always_nxdomain
1615 Like static, but ignores local data and returns nxdomain for
1616 the query.
1617
1618 always_nodata
1619 Like static, but ignores local data and returns nodata for
1620 the query.
1621
1622 always_deny
1623 Like deny, but ignores local data and drops the query.
1624
1625 always_null
1626 Always returns 0.0.0.0 or ::0 for every name in the zone.
1627 Like redirect with zero data for A and AAAA. Ignores local
1628 data in the zone. Used for some block lists.
1629
1630 noview
1631 Breaks out of that view and moves towards the global local
1632 zones for answer to the query. If the view first is no,
1633 it'll resolve normally. If view first is enabled, it'll
1634 break perform that step and check the global answers. For
1635 when the view has view specific overrides but some zone has
1636 to be answered from global local zone contents.
1637
1638 nodefault
1639 Used to turn off default contents for AS112 zones. The other
1640 types also turn off default contents for the zone. The 'node‐
1641 fault' option has no other effect than turning off default
1642 contents for the given zone. Use nodefault if you use ex‐
1643 actly that zone, if you want to use a subzone, use transpar‐
1644 ent.
1645
1646 The default zones are localhost, reverse 127.0.0.1 and ::1, the
1647 home.arpa, the onion, test, invalid and the AS112 zones. The AS112
1648 zones are reverse DNS zones for private use and reserved IP addresses
1649 for which the servers on the internet cannot provide correct answers.
1650 They are configured by default to give nxdomain (no reverse informa‐
1651 tion) answers. The defaults can be turned off by specifying your own
1652 local-zone of that name, or using the 'nodefault' type. Below is a list
1653 of the default zone contents.
1654
1655 localhost
1656 The IP4 and IP6 localhost information is given. NS and SOA
1657 records are provided for completeness and to satisfy some DNS
1658 update tools. Default content:
1659 local-zone: "localhost." redirect
1660 local-data: "localhost. 10800 IN NS localhost."
1661 local-data: "localhost. 10800 IN
1662 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1663 local-data: "localhost. 10800 IN A 127.0.0.1"
1664 local-data: "localhost. 10800 IN AAAA ::1"
1665
1666 reverse IPv4 loopback
1667 Default content:
1668 local-zone: "127.in-addr.arpa." static
1669 local-data: "127.in-addr.arpa. 10800 IN NS localhost."
1670 local-data: "127.in-addr.arpa. 10800 IN
1671 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1672 local-data: "1.0.0.127.in-addr.arpa. 10800 IN
1673 PTR localhost."
1674
1675 reverse IPv6 loopback
1676 Default content:
1677 local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1678 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
1679 local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1680 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
1681 NS localhost."
1682 local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1683 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
1684 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1685 local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1686 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
1687 PTR localhost."
1688
1689 home.arpa (RFC 8375)
1690 Default content:
1691 local-zone: "home.arpa." static
1692 local-data: "home.arpa. 10800 IN NS localhost."
1693 local-data: "home.arpa. 10800 IN
1694 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1695
1696 onion (RFC 7686)
1697 Default content:
1698 local-zone: "onion." static
1699 local-data: "onion. 10800 IN NS localhost."
1700 local-data: "onion. 10800 IN
1701 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1702
1703 test (RFC 6761)
1704 Default content:
1705 local-zone: "test." static
1706 local-data: "test. 10800 IN NS localhost."
1707 local-data: "test. 10800 IN
1708 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1709
1710 invalid (RFC 6761)
1711 Default content:
1712 local-zone: "invalid." static
1713 local-data: "invalid. 10800 IN NS localhost."
1714 local-data: "invalid. 10800 IN
1715 SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
1716
1717 reverse RFC1918 local use zones
1718 Reverse data for zones 10.in-addr.arpa, 16.172.in-addr.arpa
1719 to 31.172.in-addr.arpa, 168.192.in-addr.arpa. The lo‐
1720 cal-zone: is set static and as local-data: SOA and NS records
1721 are provided.
1722
1723 reverse RFC3330 IP4 this, link-local, testnet and broadcast
1724 Reverse data for zones 0.in-addr.arpa, 254.169.in-addr.arpa,
1725 2.0.192.in-addr.arpa (TEST NET 1), 100.51.198.in-addr.arpa
1726 (TEST NET 2), 113.0.203.in-addr.arpa (TEST NET 3),
1727 255.255.255.255.in-addr.arpa. And from 64.100.in-addr.arpa
1728 to 127.100.in-addr.arpa (Shared Address Space).
1729
1730 reverse RFC4291 IP6 unspecified
1731 Reverse data for zone
1732 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
1733 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
1734
1735 reverse RFC4193 IPv6 Locally Assigned Local Addresses
1736 Reverse data for zone D.F.ip6.arpa.
1737
1738 reverse RFC4291 IPv6 Link Local Addresses
1739 Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
1740
1741 reverse IPv6 Example Prefix
1742 Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is
1743 used for tutorials and examples. You can remove the block on
1744 this zone with:
1745 local-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
1746 You can also selectively unblock a part of the zone by making
1747 that part transparent with a local-zone statement. This also
1748 works with the other default zones.
1749
1750 local-data: "<resource record string>"
1751 Configure local data, which is served in reply to queries for it.
1752 The query has to match exactly unless you configure the local-zone
1753 as redirect. If not matched exactly, the local-zone type deter‐
1754 mines further processing. If local-data is configured that is not
1755 a subdomain of a local-zone, a transparent local-zone is config‐
1756 ured. For record types such as TXT, use single quotes, as in lo‐
1757 cal-data: 'example. TXT "text"'.
1758
1759 If you need more complicated authoritative data, with referrals,
1760 wildcards, CNAME/DNAME support, or DNSSEC authoritative service,
1761 setup a stub-zone for it as detailed in the stub zone section be‐
1762 low.
1763
1764 local-data-ptr: "IPaddr name"
1765 Configure local data shorthand for a PTR record with the reversed
1766 IPv4 or IPv6 address and the host name. For example "192.0.2.4
1767 www.example.com". TTL can be inserted like this: "2001:DB8::4
1768 7200 www.example.com"
1769
1770 local-zone-tag: <zone> <"list of tags">
1771 Assign tags to localzones. Tagged localzones will only be applied
1772 when the used access-control element has a matching tag. Tags must
1773 be defined in define-tags. Enclose list of tags in quotes ("")
1774 and put spaces between tags. When there are multiple tags it
1775 checks if the intersection of the list of tags for the query and
1776 local-zone-tag is non-empty.
1777
1778 local-zone-override: <zone> <IP netblock> <type>
1779 Override the localzone type for queries from addresses matching
1780 netblock. Use this localzone type, regardless the type configured
1781 for the local-zone (both tagged and untagged) and regardless the
1782 type configured using access-control-tag-action.
1783
1784 response-ip: <IP-netblock> <action>
1785 This requires use of the "respip" module.
1786
1787 If the IP address in an AAAA or A RR in the answer section of a
1788 response matches the specified IP netblock, the specified action
1789 will apply. <action> has generally the same semantics as that for
1790 access-control-tag-action, but there are some exceptions.
1791
1792 Actions for response-ip are different from those for local-zone in
1793 that in case of the former there is no point of such conditions as
1794 "the query matches it but there is no local data". Because of
1795 this difference, the semantics of response-ip actions are modified
1796 or simplified as follows: The static, refuse, transparent, type‐
1797 transparent, and nodefault actions are invalid for response-ip.
1798 Using any of these will cause the configuration to be rejected as
1799 faulty. The deny action is non-conditional, i.e. it always results
1800 in dropping the corresponding query. The resolution result before
1801 applying the deny action is still cached and can be used for other
1802 queries.
1803
1804 response-ip-data: <IP-netblock> <"resource record string">
1805 This requires use of the "respip" module.
1806
1807 This specifies the action data for response-ip with action being
1808 to redirect as specified by "resource record string". "Resource
1809 record string" is similar to that of access-control-tag-action,
1810 but it must be of either AAAA, A or CNAME types. If the IP-net‐
1811 block is an IPv6/IPv4 prefix, the record must be AAAA/A respec‐
1812 tively, unless it is a CNAME (which can be used for both versions
1813 of IP netblocks). If it is CNAME there must not be more than one
1814 response-ip-data for the same IP-netblock. Also, CNAME and other
1815 types of records must not coexist for the same IP-netblock, fol‐
1816 lowing the normal rules for CNAME records. The textual domain
1817 name for the CNAME does not have to be explicitly terminated with
1818 a dot ("."); the root name is assumed to be the origin for the
1819 name.
1820
1821 response-ip-tag: <IP-netblock> <"list of tags">
1822 This requires use of the "respip" module.
1823
1824 Assign tags to response IP-netblocks. If the IP address in an
1825 AAAA or A RR in the answer section of a response matches the spec‐
1826 ified IP-netblock, the specified tags are assigned to the IP ad‐
1827 dress. Then, if an access-control-tag is defined for the client
1828 and it includes one of the tags for the response IP, the corre‐
1829 sponding access-control-tag-action will apply. Tag matching rule
1830 is the same as that for access-control-tag and local-zones. Un‐
1831 like local-zone-tag, response-ip-tag can be defined for an IP-net‐
1832 block even if no response-ip is defined for that netblock. If
1833 multiple response-ip-tag options are specified for the same IP-
1834 netblock in different statements, all but the first will be ig‐
1835 nored. However, this will not be flagged as a configuration er‐
1836 ror, but the result is probably not what was intended.
1837
1838 Actions specified in an access-control-tag-action that has a
1839 matching tag with response-ip-tag can be those that are "invalid"
1840 for response-ip listed above, since access-control-tag-actions can
1841 be shared with local zones. For these actions, if they behave
1842 differently depending on whether local data exists or not in case
1843 of local zones, the behavior for response-ip-data will generally
1844 result in NOERROR/NODATA instead of NXDOMAIN, since the response-
1845 ip data are inherently type specific, and non-existence of data
1846 does not indicate anything about the existence or non-existence of
1847 the qname itself. For example, if the matching tag action is
1848 static but there is no data for the corresponding response-ip con‐
1849 figuration, then the result will be NOERROR/NODATA. The only case
1850 where NXDOMAIN is returned is when an always_nxdomain action ap‐
1851 plies.
1852
1853 ratelimit: <number or 0>
1854 Enable ratelimiting of queries sent to nameserver for performing
1855 recursion. If 0, the default, it is disabled. This option is ex‐
1856 perimental at this time. The ratelimit is in queries per second
1857 that are allowed. More queries are turned away with an error
1858 (servfail). This stops recursive floods, eg. random query names,
1859 but not spoofed reflection floods. Cached responses are not rate‐
1860 limited by this setting. The zone of the query is determined by
1861 examining the nameservers for it, the zone name is used to keep
1862 track of the rate. For example, 1000 may be a suitable value to
1863 stop the server from being overloaded with random names, and keeps
1864 Unbound from sending traffic to the nameservers for those zones.
1865 Configured forwarders are excluded from ratelimiting.
1866
1867 ratelimit-size: <memory size>
1868 Give the size of the data structure in which the current ongoing
1869 rates are kept track in. Default 4m. In bytes or use m(mega),
1870 k(kilo), g(giga). The ratelimit structure is small, so this data
1871 structure likely does not need to be large.
1872
1873 ratelimit-slabs: <number>
1874 Give power of 2 number of slabs, this is used to reduce lock con‐
1875 tention in the ratelimit tracking data structure. Close to the
1876 number of cpus is a fairly good setting.
1877
1878 ratelimit-factor: <number>
1879 Set the amount of queries to rate limit when the limit is ex‐
1880 ceeded. If set to 0, all queries are dropped for domains where
1881 the limit is exceeded. If set to another value, 1 in that number
1882 is allowed through to complete. Default is 10, allowing 1/10
1883 traffic to flow normally. This can make ordinary queries complete
1884 (if repeatedly queried for), and enter the cache, whilst also mit‐
1885 igating the traffic flow by the factor given.
1886
1887 ratelimit-backoff: <yes or no>
1888 If enabled, the ratelimit is treated as a hard failure instead of
1889 the default maximum allowed constant rate. When the limit is
1890 reached, traffic is ratelimited and demand continues to be kept
1891 track of for a 2 second rate window. No traffic is allowed, ex‐
1892 cept for ratelimit-factor, until demand decreases below the con‐
1893 figured ratelimit for a 2 second rate window. Useful to set rate‐
1894 limit to a suspicious rate to aggressively limit unusually high
1895 traffic. Default is off.
1896
1897 ratelimit-for-domain: <domain> <number qps or 0>
1898 Override the global ratelimit for an exact match domain name with
1899 the listed number. You can give this for any number of names.
1900 For example, for a top-level-domain you may want to have a higher
1901 limit than other names. A value of 0 will disable ratelimiting
1902 for that domain.
1903
1904 ratelimit-below-domain: <domain> <number qps or 0>
1905 Override the global ratelimit for a domain name that ends in this
1906 name. You can give this multiple times, it then describes differ‐
1907 ent settings in different parts of the namespace. The closest
1908 matching suffix is used to determine the qps limit. The rate for
1909 the exact matching domain name is not changed, use rate‐
1910 limit-for-domain to set that, you might want to use different set‐
1911 tings for a top-level-domain and subdomains. A value of 0 will
1912 disable ratelimiting for domain names that end in this name.
1913
1914 ip-ratelimit: <number or 0>
1915 Enable global ratelimiting of queries accepted per IP address.
1916 This option is experimental at this time. The ratelimit is in
1917 queries per second that are allowed. More queries are completely
1918 dropped and will not receive a reply, SERVFAIL or otherwise. IP
1919 ratelimiting happens before looking in the cache. This may be use‐
1920 ful for mitigating amplification attacks. Default is 0 (dis‐
1921 abled).
1922
1923 ip-ratelimit-cookie: <number or 0>
1924 Enable global ratelimiting of queries accepted per IP address with
1925 a valid DNS Cookie. This option is experimental at this time.
1926 The ratelimit is in queries per second that are allowed. More
1927 queries are completely dropped and will not receive a reply, SERV‐
1928 FAIL or otherwise. IP ratelimiting happens before looking in the
1929 cache. This option could be useful in combination with al‐
1930 low_cookie in an attempt to mitigate other amplification attacks
1931 than UDP reflections (e.g., attacks targeting Unbound itself)
1932 which are already handled with DNS Cookies. If used, the value is
1933 suggested to be higher than ip-ratelimit e.g., tenfold. Default
1934 is 0 (disabled).
1935
1936 ip-ratelimit-size: <memory size>
1937 Give the size of the data structure in which the current ongoing
1938 rates are kept track in. Default 4m. In bytes or use m(mega),
1939 k(kilo), g(giga). The ip ratelimit structure is small, so this
1940 data structure likely does not need to be large.
1941
1942 ip-ratelimit-slabs: <number>
1943 Give power of 2 number of slabs, this is used to reduce lock con‐
1944 tention in the ip ratelimit tracking data structure. Close to the
1945 number of cpus is a fairly good setting.
1946
1947 ip-ratelimit-factor: <number>
1948 Set the amount of queries to rate limit when the limit is ex‐
1949 ceeded. If set to 0, all queries are dropped for addresses where
1950 the limit is exceeded. If set to another value, 1 in that number
1951 is allowed through to complete. Default is 10, allowing 1/10
1952 traffic to flow normally. This can make ordinary queries complete
1953 (if repeatedly queried for), and enter the cache, whilst also mit‐
1954 igating the traffic flow by the factor given.
1955
1956 ip-ratelimit-backoff: <yes or no>
1957 If enabled, the ratelimit is treated as a hard failure instead of
1958 the default maximum allowed constant rate. When the limit is
1959 reached, traffic is ratelimited and demand continues to be kept
1960 track of for a 2 second rate window. No traffic is allowed, ex‐
1961 cept for ip-ratelimit-factor, until demand decreases below the
1962 configured ratelimit for a 2 second rate window. Useful to set
1963 ip-ratelimit to a suspicious rate to aggressively limit unusually
1964 high traffic. Default is off.
1965
1966 outbound-msg-retry: <number>
1967 The number of retries, per upstream nameserver in a delegation,
1968 that Unbound will attempt in case a throwaway response is re‐
1969 ceived. No response (timeout) contributes to the retry counter.
1970 If a forward/stub zone is used, this is the number of retries per
1971 nameserver in the zone. Default is 5.
1972
1973 max-sent-count: <number>
1974 Hard limit on the number of outgoing queries Unbound will make
1975 while resolving a name, making sure large NS sets do not loop.
1976 Results in SERVFAIL when reached. It resets on query restarts
1977 (e.g., CNAME) and referrals. Default is 32.
1978
1979 max-query-restarts: <number>
1980 Hard limit on the number of times Unbound is allowed to restart a
1981 query upon encountering a CNAME record. Results in SERVFAIL when
1982 reached. Changing this value needs caution as it can allow long
1983 CNAME chains to be accepted, where Unbound needs to verify (re‐
1984 solve) each link individually. Default is 11.
1985
1986 fast-server-permil: <number>
1987 Specify how many times out of 1000 to pick from the set of fastest
1988 servers. 0 turns the feature off. A value of 900 would pick from
1989 the fastest servers 90 percent of the time, and would perform nor‐
1990 mal exploration of random servers for the remaining time. When
1991 prefetch is enabled (or serve-expired), such prefetches are not
1992 sped up, because there is no one waiting for it, and it presents a
1993 good moment to perform server exploration. The fast-server-num op‐
1994 tion can be used to specify the size of the fastest servers set.
1995 The default for fast-server-permil is 0.
1996
1997 fast-server-num: <number>
1998 Set the number of servers that should be used for fast server se‐
1999 lection. Only use the fastest specified number of servers with the
2000 fast-server-permil option, that turns this on or off. The default
2001 is to use the fastest 3 servers.
2002
2003 answer-cookie: <yes or no>
2004 If enabled, Unbound will answer to requests containing DNS Cookies
2005 as specified in RFC 7873 and RFC 9018. Default is no.
2006
2007 cookie-secret: <128 bit hex string>
2008 Server's secret for DNS Cookie generation. Useful to explicitly
2009 set for servers in an anycast deployment that need to share the
2010 secret in order to verify each other's Server Cookies. An example
2011 hex string would be "000102030405060708090a0b0c0d0e0f". Default
2012 is a 128 bits random secret generated at startup time.
2013
2014 edns-client-string: <IP netblock> <string>
2015 Include an EDNS0 option containing configured ascii string in
2016 queries with destination address matching the configured IP net‐
2017 block. This configuration option can be used multiple times. The
2018 most specific match will be used.
2019
2020 edns-client-string-opcode: <opcode>
2021 EDNS0 option code for the edns-client-string option, from 0 to
2022 65535. A value from the `Reserved for Local/Experimental` range
2023 (65001-65534) should be used. Default is 65001.
2024
2025 ede: <yes or no>
2026 If enabled, Unbound will respond with Extended DNS Error codes
2027 (RFC8914). These EDEs attach informative error messages to a re‐
2028 sponse for various errors. Default is "no".
2029
2030 When the val-log-level option is also set to 2, responses with Ex‐
2031 tended DNS Errors concerning DNSSEC failures that are not served
2032 from cache, will also contain a descriptive text message about the
2033 reason for the failure.
2034
2035 ede-serve-expired: <yes or no>
2036 If enabled, Unbound will attach an Extended DNS Error (RFC8914)
2037 Code 3 - Stale Answer as EDNS0 option to the expired response.
2038 Note that this will not attach the EDE code without setting the
2039 global ede option to "yes" as well. Default is "no".
2040
2041 Remote Control Options
2042 In the remote-control: clause are the declarations for the remote con‐
2043 trol facility. If this is enabled, the unbound-control(8) utility can
2044 be used to send commands to the running Unbound server. The server
2045 uses these clauses to setup TLSv1 security for the connection. The un‐
2046 bound-control(8) utility also reads the remote-control section for op‐
2047 tions. To setup the correct self-signed certificates use the un‐
2048 bound-control-setup(8) utility.
2049
2050 control-enable: <yes or no>
2051 The option is used to enable remote control, default is "no". If
2052 turned off, the server does not listen for control commands.
2053
2054 control-interface: <ip address or interface name or path>
2055 Give IPv4 or IPv6 addresses or local socket path to listen on for
2056 control commands. If an interface name is used instead of an ip
2057 address, the list of ip addresses on that interface are used. By
2058 default localhost (127.0.0.1 and ::1) is listened to. Use 0.0.0.0
2059 and ::0 to listen to all interfaces. If you change this and per‐
2060 missions have been dropped, you must restart the server for the
2061 change to take effect.
2062
2063 If you set it to an absolute path, a unix domain socket is used.
2064 This socket does not use the certificates and keys, so those files
2065 need not be present. To restrict access, Unbound sets permissions
2066 on the file to the user and group that is configured, the access
2067 bits are set to allow the group members to access the control
2068 socket file. Put users that need to access the socket in the that
2069 group. To restrict access further, create a directory to put the
2070 control socket in and restrict access to that directory.
2071
2072 control-port: <port number>
2073 The port number to listen on for IPv4 or IPv6 control interfaces,
2074 default is 8953. If you change this and permissions have been
2075 dropped, you must restart the server for the change to take ef‐
2076 fect.
2077
2078 control-use-cert: <yes or no>
2079 For localhost control-interface you can disable the use of TLS by
2080 setting this option to "no", default is "yes". For local sockets,
2081 TLS is disabled and the value of this option is ignored.
2082
2083 server-key-file: <private key file>
2084 Path to the server private key, by default unbound_server.key.
2085 This file is generated by the unbound-control-setup utility. This
2086 file is used by the Unbound server, but not by unbound-control.
2087
2088 server-cert-file: <certificate file.pem>
2089 Path to the server self signed certificate, by default un‐
2090 bound_server.pem. This file is generated by the unbound-con‐
2091 trol-setup utility. This file is used by the Unbound server, and
2092 also by unbound-control.
2093
2094 control-key-file: <private key file>
2095 Path to the control client private key, by default unbound_con‐
2096 trol.key. This file is generated by the unbound-control-setup
2097 utility. This file is used by unbound-control.
2098
2099 control-cert-file: <certificate file.pem>
2100 Path to the control client certificate, by default unbound_con‐
2101 trol.pem. This certificate has to be signed with the server cer‐
2102 tificate. This file is generated by the unbound-control-setup
2103 utility. This file is used by unbound-control.
2104
2105 Stub Zone Options
2106 There may be multiple stub-zone: clauses. Each with a name: and zero or
2107 more hostnames or IP addresses. For the stub zone this list of name‐
2108 servers is used. Class IN is assumed. The servers should be authority
2109 servers, not recursors; Unbound performs the recursive processing it‐
2110 self for stub zones.
2111
2112 The stub zone can be used to configure authoritative data to be used by
2113 the resolver that cannot be accessed using the public internet servers.
2114 This is useful for company-local data or private zones. Setup an au‐
2115 thoritative server on a different host (or different port). Enter a
2116 config entry for Unbound with stub-addr: <ip address of host[@port]>.
2117 The Unbound resolver can then access the data, without referring to the
2118 public internet for it.
2119
2120 This setup allows DNSSEC signed zones to be served by that authorita‐
2121 tive server, in which case a trusted key entry with the public key can
2122 be put in config, so that Unbound can validate the data and set the AD
2123 bit on replies for the private zone (authoritative servers do not set
2124 the AD bit). This setup makes Unbound capable of answering queries for
2125 the private zone, and can even set the AD bit ('authentic'), but the AA
2126 ('authoritative') bit is not set on these replies.
2127
2128 Consider adding server: statements for domain-insecure: and for lo‐
2129 cal-zone: name nodefault for the zone if it is a locally served zone.
2130 The insecure clause stops DNSSEC from invalidating the zone. The local
2131 zone nodefault (or transparent) clause makes the (reverse-) zone bypass
2132 Unbound's filtering of RFC1918 zones.
2133
2134 name: <domain name>
2135 Name of the stub zone. This is the full domain name of the zone.
2136
2137 stub-host: <domain name>
2138 Name of stub zone nameserver. Is itself resolved before it is
2139 used. To use a nondefault port for DNS communication append '@'
2140 with the port number. If tls is enabled, then you can append a
2141 '#' and a name, then it'll check the tls authentication certifi‐
2142 cates with that name. If you combine the '@' and '#', the '@'
2143 comes first. If only '#' is used the default port is the con‐
2144 figured tls-port.
2145
2146 stub-addr: <IP address>
2147 IP address of stub zone nameserver. Can be IP 4 or IP 6. To use
2148 a nondefault port for DNS communication append '@' with the port
2149 number. If tls is enabled, then you can append a '#' and a
2150 name, then it'll check the tls authentication certificates with
2151 that name. If you combine the '@' and '#', the '@' comes first.
2152 If only '#' is used the default port is the configured tls-port.
2153
2154 stub-prime: <yes or no>
2155 This option is by default no. If enabled it performs NS set
2156 priming, which is similar to root hints, where it starts using
2157 the list of nameservers currently published by the zone. Thus,
2158 if the hint list is slightly outdated, the resolver picks up a
2159 correct list online.
2160
2161 stub-first: <yes or no>
2162 If enabled, a query is attempted without the stub clause if it
2163 fails. The data could not be retrieved and would have caused
2164 SERVFAIL because the servers are unreachable, instead it is
2165 tried without this clause. The default is no.
2166
2167 stub-tls-upstream: <yes or no>
2168 Enabled or disable whether the queries to this stub use TLS for
2169 transport. Default is no.
2170
2171 stub-ssl-upstream: <yes or no>
2172 Alternate syntax for stub-tls-upstream.
2173
2174 stub-tcp-upstream: <yes or no>
2175 If it is set to "yes" then upstream queries use TCP only for
2176 transport regardless of global flag tcp-upstream. Default is
2177 no.
2178
2179 stub-no-cache: <yes or no>
2180 Default is no. If enabled, data inside the stub is not cached.
2181 This is useful when you want immediate changes to be visible.
2182
2183 Forward Zone Options
2184 There may be multiple forward-zone: clauses. Each with a name: and zero
2185 or more hostnames or IP addresses. For the forward zone this list of
2186 nameservers is used to forward the queries to. The servers listed as
2187 forward-host: and forward-addr: have to handle further recursion for
2188 the query. Thus, those servers are not authority servers, but are
2189 (just like Unbound is) recursive servers too; Unbound does not perform
2190 recursion itself for the forward zone, it lets the remote server do it.
2191 Class IN is assumed. CNAMEs are chased by Unbound itself, asking the
2192 remote server for every name in the indirection chain, to protect the
2193 local cache from illegal indirect referenced items. A forward-zone en‐
2194 try with name "." and a forward-addr target will forward all queries to
2195 that other server (unless it can answer from the cache).
2196
2197 name: <domain name>
2198 Name of the forward zone. This is the full domain name of the
2199 zone.
2200
2201 forward-host: <domain name>
2202 Name of server to forward to. Is itself resolved before it is
2203 used. To use a nondefault port for DNS communication append '@'
2204 with the port number. If tls is enabled, then you can append a
2205 '#' and a name, then it'll check the tls authentication certifi‐
2206 cates with that name. If you combine the '@' and '#', the '@'
2207 comes first. If only '#' is used the default port is the con‐
2208 figured tls-port.
2209
2210 forward-addr: <IP address>
2211 IP address of server to forward to. Can be IP 4 or IP 6. To use
2212 a nondefault port for DNS communication append '@' with the port
2213 number. If tls is enabled, then you can append a '#' and a
2214 name, then it'll check the tls authentication certificates with
2215 that name. If you combine the '@' and '#', the '@' comes first.
2216 If only '#' is used the default port is the configured tls-port.
2217
2218 At high verbosity it logs the TLS certificate, with TLS enabled.
2219 If you leave out the '#' and auth name from the forward-addr,
2220 any name is accepted. The cert must also match a CA from the
2221 tls-cert-bundle.
2222
2223 forward-first: <yes or no>
2224 If a forwarded query is met with a SERVFAIL error, and this op‐
2225 tion is enabled, Unbound will fall back to normal recursive res‐
2226 olution for this query as if no query forwarding had been speci‐
2227 fied. The default is "no".
2228
2229 forward-tls-upstream: <yes or no>
2230 Enabled or disable whether the queries to this forwarder use TLS
2231 for transport. Default is no. If you enable this, also config‐
2232 ure a tls-cert-bundle or use tls-win-cert to load CA certs, oth‐
2233 erwise the connections cannot be authenticated.
2234
2235 forward-ssl-upstream: <yes or no>
2236 Alternate syntax for forward-tls-upstream.
2237
2238 forward-tcp-upstream: <yes or no>
2239 If it is set to "yes" then upstream queries use TCP only for
2240 transport regardless of global flag tcp-upstream. Default is
2241 no.
2242
2243 forward-no-cache: <yes or no>
2244 Default is no. If enabled, data inside the forward is not
2245 cached. This is useful when you want immediate changes to be
2246 visible.
2247
2248 Authority Zone Options
2249 Authority zones are configured with auth-zone:, and each one must have
2250 a name:. There can be multiple ones, by listing multiple auth-zone
2251 clauses, each with a different name, pertaining to that part of the
2252 namespace. The authority zone with the name closest to the name looked
2253 up is used. Authority zones can be processed on two distinct, non-ex‐
2254 clusive, configurable stages.
2255
2256 With for-downstream: yes (default), authority zones are processed after
2257 local-zones and before cache. When used in this manner, Unbound re‐
2258 sponds like an authority server with no further processing other than
2259 returning an answer from the zone contents. A notable example, in this
2260 case, is CNAME records which are returned verbatim to downstream
2261 clients without further resolution.
2262
2263 With for-upstream: yes (default), authority zones are processed after
2264 the cache lookup, just before going to the network to fetch information
2265 for recursion. When used in this manner they provide a local copy of
2266 an authority server that speeds up lookups for that data during resolv‐
2267 ing.
2268
2269 If both options are enabled (default), client queries for an authority
2270 zone are answered authoritatively from Unbound, while internal queries
2271 that require data from the authority zone consult the local zone data
2272 instead of going to the network.
2273
2274 An interesting configuration is for-downstream: no, for-upstream: yes
2275 that allows for hyperlocal behavior where both client and internal
2276 queries consult the local zone data while resolving. In this case, the
2277 aforementioned CNAME example will result in a thoroughly resolved an‐
2278 swer.
2279
2280 Authority zones can be read from zonefile. And can be kept updated via
2281 AXFR and IXFR. After update the zonefile is rewritten. The update
2282 mechanism uses the SOA timer values and performs SOA UDP queries to de‐
2283 tect zone changes.
2284
2285 If the update fetch fails, the timers in the SOA record are used to
2286 time another fetch attempt. Until the SOA expiry timer is reached.
2287 Then the zone is expired. When a zone is expired, queries are SERV‐
2288 FAIL, and any new serial number is accepted from the primary (even if
2289 older), and if fallback is enabled, the fallback activates to fetch
2290 from the upstream instead of the SERVFAIL.
2291
2292 name: <zone name>
2293 Name of the authority zone.
2294
2295 primary: <IP address or host name>
2296 Where to download a copy of the zone from, with AXFR and IXFR.
2297 Multiple primaries can be specified. They are all tried if one
2298 fails. To use a nondefault port for DNS communication append
2299 '@' with the port number. You can append a '#' and a name, then
2300 AXFR over TLS can be used and the tls authentication certifi‐
2301 cates will be checked with that name. If you combine the '@'
2302 and '#', the '@' comes first. If you point it at another Un‐
2303 bound instance, it would not work because that does not support
2304 AXFR/IXFR for the zone, but if you used url: to download the
2305 zonefile as a text file from a webserver that would work. If
2306 you specify the hostname, you cannot use the domain from the
2307 zonefile, because it may not have that when retrieving that
2308 data, instead use a plain IP address to avoid a circular depen‐
2309 dency on retrieving that IP address.
2310
2311 master: <IP address or host name>
2312 Alternate syntax for primary.
2313
2314 url: <url to zonefile>
2315 Where to download a zonefile for the zone. With http or https.
2316 An example for the url is "http://www.example.com/exam‐
2317 ple.org.zone". Multiple url statements can be given, they are
2318 tried in turn. If only urls are given the SOA refresh timer is
2319 used to wait for making new downloads. If also primaries are
2320 listed, the primaries are first probed with UDP SOA queries to
2321 see if the SOA serial number has changed, reducing the number of
2322 downloads. If none of the urls work, the primaries are tried
2323 with IXFR and AXFR. For https, the tls-cert-bundle and the
2324 hostname from the url are used to authenticate the connection.
2325 If you specify a hostname in the URL, you cannot use the domain
2326 from the zonefile, because it may not have that when retrieving
2327 that data, instead use a plain IP address to avoid a circular
2328 dependency on retrieving that IP address. Avoid dependencies on
2329 name lookups by using a notation like "http://192.0.2.1/unbound-
2330 primaries/example.com.zone", with an explicit IP address.
2331
2332 allow-notify: <IP address or host name or netblockIP/prefix>
2333 With allow-notify you can specify additional sources of noti‐
2334 fies. When notified, the server attempts to first probe and
2335 then zone transfer. If the notify is from a primary, it first
2336 attempts that primary. Otherwise other primaries are attempted.
2337 If there are no primaries, but only urls, the file is downloaded
2338 when notified. The primaries from primary: and url: statements
2339 are allowed notify by default.
2340
2341 fallback-enabled: <yes or no>
2342 Default no. If enabled, Unbound falls back to querying the in‐
2343 ternet as a resolver for this zone when lookups fail. For exam‐
2344 ple for DNSSEC validation failures.
2345
2346 for-downstream: <yes or no>
2347 Default yes. If enabled, Unbound serves authority responses to
2348 downstream clients for this zone. This option makes Unbound be‐
2349 have, for the queries with names in this zone, like one of the
2350 authority servers for that zone. Turn it off if you want Un‐
2351 bound to provide recursion for the zone but have a local copy of
2352 zone data. If for-downstream is no and for-upstream is yes,
2353 then Unbound will DNSSEC validate the contents of the zone be‐
2354 fore serving the zone contents to clients and store validation
2355 results in the cache.
2356
2357 for-upstream: <yes or no>
2358 Default yes. If enabled, Unbound fetches data from this data
2359 collection for answering recursion queries. Instead of sending
2360 queries over the internet to the authority servers for this
2361 zone, it'll fetch the data directly from the zone data. Turn it
2362 on when you want Unbound to provide recursion for downstream
2363 clients, and use the zone data as a local copy to speed up
2364 lookups.
2365
2366 zonemd-check: <yes or no>
2367 Enable this option to check ZONEMD records in the zone. Default
2368 is disabled. The ZONEMD record is a checksum over the zone
2369 data. This includes glue in the zone and data from the zone
2370 file, and excludes comments from the zone file. When there is a
2371 DNSSEC chain of trust, DNSSEC signatures are checked too.
2372
2373 zonemd-reject-absence: <yes or no>
2374 Enable this option to reject the absence of the ZONEMD record.
2375 Without it, when zonemd is not there it is not checked. It is
2376 useful to enable for a nonDNSSEC signed zone where the operator
2377 wants to require the verification of a ZONEMD, hence a missing
2378 ZONEMD is a failure. The action upon failure is controlled by
2379 the zonemd-permissive-mode option, for log only or also block
2380 the zone. The default is no.
2381
2382 Without the option absence of a ZONEMD is only a failure when
2383 the zone is DNSSEC signed, and we have a trust anchor, and the
2384 DNSSEC verification of the absence of the ZONEMD fails. With
2385 the option enabled, the absence of a ZONEMD is always a failure,
2386 also for nonDNSSEC signed zones.
2387
2388 zonefile: <filename>
2389 The filename where the zone is stored. If not given then no
2390 zonefile is used. If the file does not exist or is empty, Un‐
2391 bound will attempt to fetch zone data (eg. from the primary
2392 servers).
2393
2394 View Options
2395 There may be multiple view: clauses. Each with a name: and zero or more
2396 local-zone and local-data elements. Views can also contain view-first,
2397 response-ip, response-ip-data and local-data-ptr elements. View can be
2398 mapped to requests by specifying the view name in an access-con‐
2399 trol-view element. Options from matching views will override global op‐
2400 tions. Global options will be used if no matching view is found, or
2401 when the matching view does not have the option specified.
2402
2403 name: <view name>
2404 Name of the view. Must be unique. This name is used in ac‐
2405 cess-control-view elements.
2406
2407 local-zone: <zone> <type>
2408 View specific local-zone elements. Has the same types and behav‐
2409 iour as the global local-zone elements. When there is at least
2410 one local-zone specified and view-first is no, the default lo‐
2411 cal-zones will be added to this view. Defaults can be disabled
2412 using the nodefault type. When view-first is yes or when a view
2413 does not have a local-zone, the global local-zone will be used
2414 including it's default zones.
2415
2416 local-data: "<resource record string>"
2417 View specific local-data elements. Has the same behaviour as the
2418 global local-data elements.
2419
2420 local-data-ptr: "IPaddr name"
2421 View specific local-data-ptr elements. Has the same behaviour as
2422 the global local-data-ptr elements.
2423
2424 view-first: <yes or no>
2425 If enabled, it attempts to use the global local-zone and lo‐
2426 cal-data if there is no match in the view specific options. The
2427 default is no.
2428
2429 Python Module Options
2430 The python: clause gives the settings for the python(1) script module.
2431 This module acts like the iterator and validator modules do, on queries
2432 and answers. To enable the script module it has to be compiled into
2433 the daemon, and the word "python" has to be put in the module-config:
2434 option (usually first, or between the validator and iterator). Multiple
2435 instances of the python module are supported by adding the word
2436 "python" more than once.
2437
2438 If the chroot: option is enabled, you should make sure Python's library
2439 directory structure is bind mounted in the new root environment, see
2440 mount(8). Also the python-script: path should be specified as an abso‐
2441 lute path relative to the new root, or as a relative path to the work‐
2442 ing directory.
2443
2444 python-script: <python file>
2445 The script file to load. Repeat this option for every python
2446 module instance added to the module-config: option.
2447
2448 Dynamic Library Module Options
2449 The dynlib: clause gives the settings for the dynlib module. This mod‐
2450 ule is only a very small wrapper that allows dynamic modules to be
2451 loaded on runtime instead of being compiled into the application. To
2452 enable the dynlib module it has to be compiled into the daemon, and the
2453 word "dynlib" has to be put in the module-config: option. Multiple in‐
2454 stances of dynamic libraries are supported by adding the word "dynlib"
2455 more than once.
2456
2457 The dynlib-file: path should be specified as an absolute path relative
2458 to the new path set by chroot: option, or as a relative path to the
2459 working directory.
2460
2461 dynlib-file: <dynlib file>
2462 The dynamic library file to load. Repeat this option for every
2463 dynlib module instance added to the module-config: option.
2464
2465 DNS64 Module Options
2466 The dns64 module must be configured in the module-config: "dns64 val‐
2467 idator iterator" directive and be compiled into the daemon to be en‐
2468 abled. These settings go in the server: section.
2469
2470 dns64-prefix: <IPv6 prefix>
2471 This sets the DNS64 prefix to use to synthesize AAAA records
2472 with. It must be /96 or shorter. The default prefix is
2473 64:ff9b::/96.
2474
2475 dns64-synthall: <yes or no>
2476 Debug option, default no. If enabled, synthesize all AAAA
2477 records despite the presence of actual AAAA records.
2478
2479 dns64-ignore-aaaa: <name>
2480 List domain for which the AAAA records are ignored and the A
2481 record is used by dns64 processing instead. Can be entered mul‐
2482 tiple times, list a new domain for which it applies, one per
2483 line. Applies also to names underneath the name given.
2484
2485 NAT64 Operation
2486 NAT64 operation allows using a NAT64 prefix for outbound requests to
2487 IPv4-only servers. It is controlled by two options in the server: sec‐
2488 tion:
2489
2490 do-nat64: <yes or no>
2491 Use NAT64 to reach IPv4-only servers. Consider also enabling
2492 prefer-ip6 to prefer native IPv6 connections to nameservers.
2493 Default no.
2494
2495 nat64-prefix: <IPv6 prefix>
2496 Use a specific NAT64 prefix to reach IPv4-only servers. De‐
2497 faults to using the prefix configured in dns64-prefix, which in
2498 turn defaults to 64:ff9b::/96. The prefix length must be one of
2499 /32, /40, /48, /56, /64 or /96.
2500
2501 DNSCrypt Options
2502 The dnscrypt: clause gives the settings of the dnscrypt channel. While
2503 those options are available, they are only meaningful if Unbound was
2504 compiled with --enable-dnscrypt. Currently certificate and secret/pub‐
2505 lic keys cannot be generated by Unbound. You can use dnscrypt-wrapper
2506 to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/mas‐
2507 ter/README.md#usage
2508
2509 dnscrypt-enable: <yes or no>
2510 Whether or not the dnscrypt config should be enabled. You may
2511 define configuration but not activate it. The default is no.
2512
2513 dnscrypt-port: <port number>
2514 On which port should dnscrypt should be activated. Note that you
2515 should have a matching interface option defined in the server
2516 section for this port.
2517
2518 dnscrypt-provider: <provider name>
2519 The provider name to use to distribute certificates. This is of
2520 the form: 2.dnscrypt-cert.example.com.. The name MUST end with a
2521 dot.
2522
2523 dnscrypt-secret-key: <path to secret key file>
2524 Path to the time limited secret key file. This option may be
2525 specified multiple times.
2526
2527 dnscrypt-provider-cert: <path to cert file>
2528 Path to the certificate related to the dnscrypt-secret-keys.
2529 This option may be specified multiple times.
2530
2531 dnscrypt-provider-cert-rotated: <path to cert file>
2532 Path to a certificate that we should be able to serve existing
2533 connection from but do not want to advertise over
2534 dnscrypt-provider's TXT record certs distribution. A typical
2535 use case is when rotating certificates, existing clients may
2536 still use the client magic from the old cert in their queries
2537 until they fetch and update the new cert. Likewise, it would al‐
2538 low one to prime the new cert/key without distributing the new
2539 cert yet, this can be useful when using a network of servers us‐
2540 ing anycast and on which the configuration may not get updated
2541 at the exact same time. By priming the cert, the servers can
2542 handle both old and new certs traffic while distributing only
2543 one. This option may be specified multiple times.
2544
2545 dnscrypt-shared-secret-cache-size: <memory size>
2546 Give the size of the data structure in which the shared secret
2547 keys are kept in. Default 4m. In bytes or use m(mega),
2548 k(kilo), g(giga). The shared secret cache is used when a same
2549 client is making multiple queries using the same public key. It
2550 saves a substantial amount of CPU.
2551
2552 dnscrypt-shared-secret-cache-slabs: <number>
2553 Give power of 2 number of slabs, this is used to reduce lock
2554 contention in the dnscrypt shared secrets cache. Close to the
2555 number of cpus is a fairly good setting.
2556
2557 dnscrypt-nonce-cache-size: <memory size>
2558 Give the size of the data structure in which the client nonces
2559 are kept in. Default 4m. In bytes or use m(mega), k(kilo),
2560 g(giga). The nonce cache is used to prevent dnscrypt message
2561 replaying. Client nonce should be unique for any pair of client
2562 pk/server sk.
2563
2564 dnscrypt-nonce-cache-slabs: <number>
2565 Give power of 2 number of slabs, this is used to reduce lock
2566 contention in the dnscrypt nonce cache. Close to the number of
2567 cpus is a fairly good setting.
2568
2569 EDNS Client Subnet Module Options
2570 The ECS module must be configured in the module-config: "subnetcache
2571 validator iterator" directive and be compiled into the daemon to be en‐
2572 abled. These settings go in the server: section.
2573
2574 If the destination address is allowed in the configuration Unbound will
2575 add the EDNS0 option to the query containing the relevant part of the
2576 client's address. When an answer contains the ECS option the response
2577 and the option are placed in a specialized cache. If the authority in‐
2578 dicated no support, the response is stored in the regular cache.
2579
2580 Additionally, when a client includes the option in its queries, Unbound
2581 will forward the option when sending the query to addresses that are
2582 explicitly allowed in the configuration using send-client-subnet. The
2583 option will always be forwarded, regardless the allowed addresses, if
2584 client-subnet-always-forward is set to yes. In this case the lookup in
2585 the regular cache is skipped.
2586
2587 The maximum size of the ECS cache is controlled by 'msg-cache-size' in
2588 the configuration file. On top of that, for each query only 100 differ‐
2589 ent subnets are allowed to be stored for each address family. Exceeding
2590 that number, older entries will be purged from cache.
2591
2592 This module does not interact with the serve-expired* and prefetch: op‐
2593 tions.
2594
2595 send-client-subnet: <IP address>
2596 Send client source address to this authority. Append /num to in‐
2597 dicate a classless delegation netblock, for example like
2598 10.2.3.4/24 or 2001::11/64. Can be given multiple times. Author‐
2599 ities not listed will not receive edns-subnet information, un‐
2600 less domain in query is specified in client-subnet-zone.
2601
2602 client-subnet-zone: <domain>
2603 Send client source address in queries for this domain and its
2604 subdomains. Can be given multiple times. Zones not listed will
2605 not receive edns-subnet information, unless hosted by authority
2606 specified in send-client-subnet.
2607
2608 client-subnet-always-forward: <yes or no>
2609 Specify whether the ECS address check (configured using
2610 send-client-subnet) is applied for all queries, even if the
2611 triggering query contains an ECS record, or only for queries for
2612 which the ECS record is generated using the querier address (and
2613 therefore did not contain ECS data in the client query). If en‐
2614 abled, the address check is skipped when the client query con‐
2615 tains an ECS record. And the lookup in the regular cache is
2616 skipped. Default is no.
2617
2618 max-client-subnet-ipv6: <number>
2619 Specifies the maximum prefix length of the client source address
2620 we are willing to expose to third parties for IPv6. Defaults to
2621 56.
2622
2623 max-client-subnet-ipv4: <number>
2624 Specifies the maximum prefix length of the client source address
2625 we are willing to expose to third parties for IPv4. Defaults to
2626 24.
2627
2628 min-client-subnet-ipv6: <number>
2629 Specifies the minimum prefix length of the IPv6 source mask we
2630 are willing to accept in queries. Shorter source masks result in
2631 REFUSED answers. Source mask of 0 is always accepted. Default is
2632 0.
2633
2634 min-client-subnet-ipv4: <number>
2635 Specifies the minimum prefix length of the IPv4 source mask we
2636 are willing to accept in queries. Shorter source masks result in
2637 REFUSED answers. Source mask of 0 is always accepted. Default is
2638 0.
2639
2640 max-ecs-tree-size-ipv4: <number>
2641 Specifies the maximum number of subnets ECS answers kept in the
2642 ECS radix tree. This number applies for each qname/qclass/qtype
2643 tuple. Defaults to 100.
2644
2645 max-ecs-tree-size-ipv6: <number>
2646 Specifies the maximum number of subnets ECS answers kept in the
2647 ECS radix tree. This number applies for each qname/qclass/qtype
2648 tuple. Defaults to 100.
2649
2650 Opportunistic IPsec Support Module Options
2651 The IPsec module must be configured in the module-config: "ipsecmod
2652 validator iterator" directive and be compiled into Unbound by using
2653 --enable-ipsecmod to be enabled. These settings go in the server: sec‐
2654 tion.
2655
2656 When Unbound receives an A/AAAA query that is not in the cache and
2657 finds a valid answer, it will withhold returning the answer and instead
2658 will generate an IPSECKEY subquery for the same domain name. If an an‐
2659 swer was found, Unbound will call an external hook passing the follow‐
2660 ing arguments:
2661
2662 QNAME
2663 Domain name of the A/AAAA and IPSECKEY query. In string for‐
2664 mat.
2665
2666 IPSECKEY TTL
2667 TTL of the IPSECKEY RRset.
2668
2669 A/AAAA
2670 String of space separated IP addresses present in the A/AAAA
2671 RRset. The IP addresses are in string format.
2672
2673 IPSECKEY
2674 String of space separated IPSECKEY RDATA present in the
2675 IPSECKEY RRset. The IPSECKEY RDATA are in DNS presentation
2676 format.
2677
2678 The A/AAAA answer is then cached and returned to the client. If the
2679 external hook was called the TTL changes to ensure it doesn't surpass
2680 ipsecmod-max-ttl.
2681
2682 The same procedure is also followed when prefetch: is used, but the
2683 A/AAAA answer is given to the client before the hook is called. ipsec‐
2684 mod-max-ttl ensures that the A/AAAA answer given from cache is still
2685 relevant for opportunistic IPsec.
2686
2687 ipsecmod-enabled: <yes or no>
2688 Specifies whether the IPsec module is enabled or not. The IPsec
2689 module still needs to be defined in the module-config: direc‐
2690 tive. This option facilitates turning on/off the module without
2691 restarting/reloading Unbound. Defaults to yes.
2692
2693 ipsecmod-hook: <filename>
2694 Specifies the external hook that Unbound will call with sys‐
2695 tem(3). The file can be specified as an absolute/relative path.
2696 The file needs the proper permissions to be able to be executed
2697 by the same user that runs Unbound. It must be present when the
2698 IPsec module is defined in the module-config: directive.
2699
2700 ipsecmod-strict: <yes or no>
2701 If enabled Unbound requires the external hook to return a suc‐
2702 cess value of 0. Failing to do so Unbound will reply with SERV‐
2703 FAIL. The A/AAAA answer will also not be cached. Defaults to
2704 no.
2705
2706 ipsecmod-max-ttl: <seconds>
2707 Time to live maximum for A/AAAA cached records after calling the
2708 external hook. Defaults to 3600.
2709
2710 ipsecmod-ignore-bogus: <yes or no>
2711 Specifies the behaviour of Unbound when the IPSECKEY answer is
2712 bogus. If set to yes, the hook will be called and the A/AAAA
2713 answer will be returned to the client. If set to no, the hook
2714 will not be called and the answer to the A/AAAA query will be
2715 SERVFAIL. Mainly used for testing. Defaults to no.
2716
2717 ipsecmod-allow: <domain>
2718 Allow the ipsecmod functionality for the domain so that the mod‐
2719 ule logic will be executed. Can be given multiple times, for
2720 different domains. If the option is not specified, all domains
2721 are treated as being allowed (default).
2722
2723 ipsecmod-whitelist: <yes or no>
2724 Alternate syntax for ipsecmod-allow.
2725
2726 Cache DB Module Options
2727 The Cache DB module must be configured in the module-config: "validator
2728 cachedb iterator" directive and be compiled into the daemon with --en‐
2729 able-cachedb. If this module is enabled and configured, the specified
2730 backend database works as a second level cache: When Unbound cannot
2731 find an answer to a query in its built-in in-memory cache, it consults
2732 the specified backend. If it finds a valid answer in the backend, Un‐
2733 bound uses it to respond to the query without performing iterative DNS
2734 resolution. If Unbound cannot even find an answer in the backend, it
2735 resolves the query as usual, and stores the answer in the backend.
2736
2737 This module interacts with the serve-expired-* options and will reply
2738 with expired data if Unbound is configured for that. Currently the use
2739 of serve-expired-client-timeout: and serve-expired-reply-ttl: is not
2740 consistent for data originating from the external cache as these will
2741 result in a reply with 0 TTL without trying to update the data first,
2742 ignoring the configured values.
2743
2744 If Unbound was built with --with-libhiredis on a system that has in‐
2745 stalled the hiredis C client library of Redis, then the "redis" backend
2746 can be used. This backend communicates with the specified Redis server
2747 over a TCP connection to store and retrieve cache data. It can be used
2748 as a persistent and/or shared cache backend. It should be noted that
2749 Unbound never removes data stored in the Redis server, even if some
2750 data have expired in terms of DNS TTL or the Redis server has cached
2751 too much data; if necessary the Redis server must be configured to
2752 limit the cache size, preferably with some kind of least-recently-used
2753 eviction policy. Additionally, the redis-expire-records option can be
2754 used in order to set the relative DNS TTL of the message as timeout to
2755 the Redis records; keep in mind that some additional memory is used per
2756 key and that the expire information is stored as absolute Unix time‐
2757 stamps in Redis (computer time must be stable). This backend uses syn‐
2758 chronous communication with the Redis server based on the assumption
2759 that the communication is stable and sufficiently fast. The thread
2760 waiting for a response from the Redis server cannot handle other DNS
2761 queries. Although the backend has the ability to reconnect to the
2762 server when the connection is closed unexpectedly and there is a con‐
2763 figurable timeout in case the server is overly slow or hangs up, these
2764 cases are assumed to be very rare. If connection close or timeout hap‐
2765 pens too often, Unbound will be effectively unusable with this backend.
2766 It's the administrator's responsibility to make the assumption hold.
2767
2768 The cachedb: clause gives custom settings of the cache DB module.
2769
2770 backend: <backend name>
2771 Specify the backend database name. The default database is the
2772 in-memory backend named "testframe", which, as the name sug‐
2773 gests, is not of any practical use. Depending on the build-time
2774 configuration, "redis" backend may also be used as described
2775 above.
2776
2777 secret-seed: <"secret string">
2778 Specify a seed to calculate a hash value from query information.
2779 This value will be used as the key of the corresponding answer
2780 for the backend database and can be customized if the hash
2781 should not be predictable operationally. If the backend data‐
2782 base is shared by multiple Unbound instances, all instances must
2783 use the same secret seed. This option defaults to "default".
2784
2785 cachedb-no-store: <yes or no>
2786 If the backend should be read from, but not written to. This
2787 makes this instance not store dns messages in the backend. But
2788 if data is available it is retrieved. The default is no.
2789
2790 The following cachedb options are specific to the redis backend.
2791
2792 redis-server-host: <server address or name>
2793 The IP (either v6 or v4) address or domain name of the Redis
2794 server. In general an IP address should be specified as other‐
2795 wise Unbound will have to resolve the name of the server every
2796 time it establishes a connection to the server. This option de‐
2797 faults to "127.0.0.1".
2798
2799 redis-server-port: <port number>
2800 The TCP port number of the Redis server. This option defaults
2801 to 6379.
2802
2803 redis-server-path: <unix socket path>
2804 The unix socket path to connect to the redis server. Off by de‐
2805 fault, and it can be set to "" to turn this off. Unix sockets
2806 may have better throughput than the IP address option.
2807
2808 redis-server-password: "<password>"
2809 The Redis AUTH password to use for the redis server. Only rele‐
2810 vant if Redis is configured for client password authorisation.
2811 Off by default, and it can be set to "" to turn this off.
2812
2813 redis-timeout: <msec>
2814 The period until when Unbound waits for a response from the Re‐
2815 dis sever. If this timeout expires Unbound closes the connec‐
2816 tion, treats it as if the Redis server does not have the re‐
2817 quested data, and will try to re-establish a new connection
2818 later. This option defaults to 100 milliseconds.
2819
2820 redis-expire-records: <yes or no>
2821 If Redis record expiration is enabled. If yes, Unbound sets
2822 timeout for Redis records so that Redis can evict keys that have
2823 expired automatically. If Unbound is configured with serve-ex‐
2824 pired and serve-expired-ttl is 0, this option is internally re‐
2825 verted to "no". Redis SETEX support is required for this option
2826 (Redis >= 2.0.0). This option defaults to no.
2827
2828 redis-logical-db: <logical database index>
2829 The logical database in Redis to use. These are databases in
2830 the same Redis instance sharing the same configuration and per‐
2831 sisted in the same RDB/AOF file. If unsure about using this op‐
2832 tion, Redis documentation (https://redis.io/commands/select/)
2833 suggests not to use a single Redis instance for multiple unre‐
2834 lated applications. The default database in Redis is 0 while
2835 other logical databases need to be explicitly SELECT'ed upon
2836 connecting. This option defaults to 0.
2837
2838 DNSTAP Logging Options
2839 DNSTAP support, when compiled in by using --enable-dnstap, is enabled
2840 in the dnstap: section. This starts an extra thread (when compiled
2841 with threading) that writes the log information to the destination. If
2842 Unbound is compiled without threading it does not spawn a thread, but
2843 connects per-process to the destination.
2844
2845 dnstap-enable: <yes or no>
2846 If dnstap is enabled. Default no. If yes, it connects to the
2847 dnstap server and if any of the dnstap-log-..-messages options
2848 is enabled it sends logs for those messages to the server.
2849
2850 dnstap-bidirectional: <yes or no>
2851 Use frame streams in bidirectional mode to transfer DNSTAP mes‐
2852 sages. Default is yes.
2853
2854 dnstap-socket-path: <file name>
2855 Sets the unix socket file name for connecting to the server that
2856 is listening on that socket. Default is "/etc/un‐
2857 bound/dnstap.sock".
2858
2859 dnstap-ip: <IPaddress[@port]>
2860 If "", the unix socket is used, if set with an IP address (IPv4
2861 or IPv6) that address is used to connect to the server.
2862
2863 dnstap-tls: <yes or no>
2864 Set this to use TLS to connect to the server specified in
2865 dnstap-ip. The default is yes. If set to no, TCP is used to
2866 connect to the server.
2867
2868 dnstap-tls-server-name: <name of TLS authentication>
2869 The TLS server name to authenticate the server with. Used when
2870 dnstap-tls is enabled. If "" it is ignored, default "".
2871
2872 dnstap-tls-cert-bundle: <file name of cert bundle>
2873 The pem file with certs to verify the TLS server certificate. If
2874 "" the server default cert bundle is used, or the windows cert
2875 bundle on windows. Default is "".
2876
2877 dnstap-tls-client-key-file: <file name>
2878 The client key file for TLS client authentication. If "" client
2879 authentication is not used. Default is "".
2880
2881 dnstap-tls-client-cert-file: <file name>
2882 The client cert file for TLS client authentication. Default is
2883 "".
2884
2885 dnstap-send-identity: <yes or no>
2886 If enabled, the server identity is included in the log messages.
2887 Default is no.
2888
2889 dnstap-send-version: <yes or no>
2890 If enabled, the server version if included in the log messages.
2891 Default is no.
2892
2893 dnstap-identity: <string>
2894 The identity to send with messages, if "" the hostname is used.
2895 Default is "".
2896
2897 dnstap-version: <string>
2898 The version to send with messages, if "" the package version is
2899 used. Default is "".
2900
2901 dnstap-log-resolver-query-messages: <yes or no>
2902 Enable to log resolver query messages. Default is no. These
2903 are messages from Unbound to upstream servers.
2904
2905 dnstap-log-resolver-response-messages: <yes or no>
2906 Enable to log resolver response messages. Default is no. These
2907 are replies from upstream servers to Unbound.
2908
2909 dnstap-log-client-query-messages: <yes or no>
2910 Enable to log client query messages. Default is no. These are
2911 client queries to Unbound.
2912
2913 dnstap-log-client-response-messages: <yes or no>
2914 Enable to log client response messages. Default is no. These
2915 are responses from Unbound to clients.
2916
2917 dnstap-log-forwarder-query-messages: <yes or no>
2918 Enable to log forwarder query messages. Default is no.
2919
2920 dnstap-log-forwarder-response-messages: <yes or no>
2921 Enable to log forwarder response messages. Default is no.
2922
2923 Response Policy Zone Options
2924 Response Policy Zones are configured with rpz:, and each one must have
2925 a name:. There can be multiple ones, by listing multiple rpz clauses,
2926 each with a different name. RPZ clauses are applied in order of config‐
2927 uration. The respip module needs to be added to the module-config,
2928 e.g.: module-config: "respip validator iterator".
2929
2930 QNAME, Response IP Address, nsdname, nsip and clientip triggers are
2931 supported. Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP,
2932 Local Data, tcp-only and drop. RPZ QNAME triggers are applied after
2933 local-zones and before auth-zones.
2934
2935 The rpz zone is formatted with a SOA start record as usual. The items
2936 in the zone are entries, that specify what to act on (the trigger) and
2937 what to do (the action). The trigger to act on is recorded in the
2938 name, the action to do is recorded as the resource record. The names
2939 all end in the zone name, so you could type the trigger names without a
2940 trailing dot in the zonefile.
2941
2942 An example RPZ record, that answers example.com with NXDOMAIN
2943 example.com CNAME .
2944
2945 The triggers are encoded in the name on the left
2946 name query name
2947 netblock.rpz-client-ip client IP address
2948 netblock.rpz-ip response IP address in the answer
2949 name.rpz-nsdname nameserver name
2950 netblock.rpz-nsip nameserver IP address
2951 The netblock is written as <netblocklen>.<ip address in reverse>. For
2952 IPv6 use 'zz' for '::'. Specify individual addresses with scope length
2953 of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24
2954 and 32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32.
2955
2956 The actions are specified with the record on the right
2957 CNAME . nxdomain reply
2958 CNAME *. nodata reply
2959 CNAME rpz-passthru. do nothing, allow to continue
2960 CNAME rpz-drop. the query is dropped
2961 CNAME rpz-tcp-only. answer over TCP
2962 A 192.0.2.1 answer with this IP address
2963 Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be
2964 used to answer queries with that content.
2965
2966 The RPZ zones can be configured in the config file with these settings
2967 in the rpz: block.
2968
2969 name: <zone name>
2970 Name of the authority zone.
2971
2972 primary: <IP address or host name>
2973 Where to download a copy of the zone from, with AXFR and IXFR.
2974 Multiple primaries can be specified. They are all tried if one
2975 fails. To use a nondefault port for DNS communication append
2976 '@' with the port number. You can append a '#' and a name, then
2977 AXFR over TLS can be used and the tls authentication certifi‐
2978 cates will be checked with that name. If you combine the '@'
2979 and '#', the '@' comes first. If you point it at another Un‐
2980 bound instance, it would not work because that does not support
2981 AXFR/IXFR for the zone, but if you used url: to download the
2982 zonefile as a text file from a webserver that would work. If
2983 you specify the hostname, you cannot use the domain from the
2984 zonefile, because it may not have that when retrieving that
2985 data, instead use a plain IP address to avoid a circular depen‐
2986 dency on retrieving that IP address.
2987
2988 master: <IP address or host name>
2989 Alternate syntax for primary.
2990
2991 url: <url to zonefile>
2992 Where to download a zonefile for the zone. With http or https.
2993 An example for the url is "http://www.example.com/exam‐
2994 ple.org.zone". Multiple url statements can be given, they are
2995 tried in turn. If only urls are given the SOA refresh timer is
2996 used to wait for making new downloads. If also primaries are
2997 listed, the primaries are first probed with UDP SOA queries to
2998 see if the SOA serial number has changed, reducing the number of
2999 downloads. If none of the urls work, the primaries are tried
3000 with IXFR and AXFR. For https, the tls-cert-bundle and the
3001 hostname from the url are used to authenticate the connection.
3002
3003 allow-notify: <IP address or host name or netblockIP/prefix>
3004 With allow-notify you can specify additional sources of noti‐
3005 fies. When notified, the server attempts to first probe and
3006 then zone transfer. If the notify is from a primary, it first
3007 attempts that primary. Otherwise other primaries are attempted.
3008 If there are no primaries, but only urls, the file is downloaded
3009 when notified. The primaries from primary: and url: statements
3010 are allowed notify by default.
3011
3012 zonefile: <filename>
3013 The filename where the zone is stored. If not given then no
3014 zonefile is used. If the file does not exist or is empty, Un‐
3015 bound will attempt to fetch zone data (eg. from the primary
3016 servers).
3017
3018 rpz-action-override: <action>
3019 Always use this RPZ action for matching triggers from this zone.
3020 Possible action are: nxdomain, nodata, passthru, drop, disabled
3021 and cname.
3022
3023 rpz-cname-override: <domain>
3024 The CNAME target domain to use if the cname action is configured
3025 for rpz-action-override.
3026
3027 rpz-log: <yes or no>
3028 Log all applied RPZ actions for this RPZ zone. Default is no.
3029
3030 rpz-log-name: <name>
3031 Specify a string to be part of the log line, for easy referenc‐
3032 ing.
3033
3034 rpz-signal-nxdomain-ra: <yes or no>
3035 Signal when a query is blocked by the RPZ with NXDOMAIN with an
3036 unset RA flag. This allows certain clients, like dnsmasq, to
3037 infer that the domain is externally blocked. Default is no.
3038
3039 for-downstream: <yes or no>
3040 If enabled the zone is authoritatively answered for and queries
3041 for the RPZ zone information are answered to downstream clients.
3042 This is useful for monitoring scripts, that can then access the
3043 SOA information to check if the rpz information is up to date.
3044 Default is no.
3045
3046 tags: <list of tags>
3047 Limit the policies from this RPZ clause to clients with a match‐
3048 ing tag. Tags need to be defined in define-tag and can be as‐
3049 signed to client addresses using access-control-tag. Enclose
3050 list of tags in quotes ("") and put spaces between tags. If no
3051 tags are specified the policies from this clause will be applied
3052 for all clients.
3053
3055 In the example config settings below memory usage is reduced. Some ser‐
3056 vice levels are lower, notable very large data and a high TCP load are
3057 no longer supported. Very large data and high TCP loads are exceptional
3058 for the DNS. DNSSEC validation is enabled, just add trust anchors. If
3059 you do not have to worry about programs using more than 3 Mb of memory,
3060 the below example is not for you. Use the defaults to receive full ser‐
3061 vice, which on BSD-32bit tops out at 30-40 Mb after heavy usage.
3062
3063 # example settings that reduce memory usage
3064 server:
3065 num-threads: 1
3066 outgoing-num-tcp: 1 # this limits TCP service, uses less buffers.
3067 incoming-num-tcp: 1
3068 outgoing-range: 60 # uses less memory, but less performance.
3069 msg-buffer-size: 8192 # note this limits service, 'no huge stuff'.
3070 msg-cache-size: 100k
3071 msg-cache-slabs: 1
3072 rrset-cache-size: 100k
3073 rrset-cache-slabs: 1
3074 infra-cache-numhosts: 200
3075 infra-cache-slabs: 1
3076 key-cache-size: 100k
3077 key-cache-slabs: 1
3078 neg-cache-size: 10k
3079 num-queries-per-thread: 30
3080 target-fetch-policy: "2 1 0 0 0 0"
3081 harden-large-queries: "yes"
3082 harden-short-bufsize: "yes"
3083
3085 /etc/unbound
3086 default Unbound working directory.
3087
3088 /etc/unbound
3089 default chroot(2) location.
3090
3091 /etc/unbound/unbound.conf
3092 Unbound configuration file.
3093
3094 /run/unbound/unbound.pid
3095 default Unbound pidfile with process ID of the running daemon.
3096
3097 unbound.log
3098 Unbound log file. default is to log to syslog(3).
3099
3101 unbound(8), unbound-checkconf(8).
3102
3104 Unbound was written by NLnet Labs. Please see CREDITS file in the dis‐
3105 tribution for further details.
3106
3107
3108
3109NLnet Labs Nov 8, 2023 unbound.conf(5)