unbound.conf.5 (256281) unbound.conf.5 (269257)
1.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
1.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"

--- 107 unchanged lines hidden (view full) ---

117for queries from clients, and answers to clients are given from it.
118Can be given multiple times to work on several interfaces. If none are
119given the default is to listen to localhost.
120The interfaces are not changed on a reload (kill \-HUP) but only on restart.
121A port number can be specified with @port (without spaces between
122interface and port number), if not specified the default port (from
123\fBport\fR) is used.
124.TP
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"

--- 107 unchanged lines hidden (view full) ---

117for queries from clients, and answers to clients are given from it.
118Can be given multiple times to work on several interfaces. If none are
119given the default is to listen to localhost.
120The interfaces are not changed on a reload (kill \-HUP) but only on restart.
121A port number can be specified with @port (without spaces between
122interface and port number), if not specified the default port (from
123\fBport\fR) is used.
124.TP
125.B ip\-address: \fI<ip address[@port]>
126Same as interface: (for easy of compatibility with nsd.conf).
127.TP
125.B interface\-automatic: \fI<yes or no>
126Detect source interface on UDP queries and copy them to replies. This
127feature is experimental, and needs support in your OS for particular socket
128options. Default value is no.
129.TP
130.B outgoing\-interface: \fI<ip address>
131Interface to use to connect to the network. This interface is used to send
132queries to authoritative servers and receive their replies. Can be given

--- 45 unchanged lines hidden (view full) ---

178buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
179not set higher than that value. Default is 4096 which is RFC recommended.
180If you have fragmentation reassembly problems, usually seen as timeouts,
181then a value of 1480 can fix it. Setting to 512 bypasses even the most
182stringent path MTU problems, but is seen as extreme, since the amount
183of TCP fallback generated is excessive (probably also for this resolver,
184consider tuning the outgoing tcp number).
185.TP
128.B interface\-automatic: \fI<yes or no>
129Detect source interface on UDP queries and copy them to replies. This
130feature is experimental, and needs support in your OS for particular socket
131options. Default value is no.
132.TP
133.B outgoing\-interface: \fI<ip address>
134Interface to use to connect to the network. This interface is used to send
135queries to authoritative servers and receive their replies. Can be given

--- 45 unchanged lines hidden (view full) ---

181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
182not set higher than that value. Default is 4096 which is RFC recommended.
183If you have fragmentation reassembly problems, usually seen as timeouts,
184then a value of 1480 can fix it. Setting to 512 bypasses even the most
185stringent path MTU problems, but is seen as extreme, since the amount
186of TCP fallback generated is excessive (probably also for this resolver,
187consider tuning the outgoing tcp number).
188.TP
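Review bot: typo in the added ip\-address entry: "Same as interface: (for easy of compatibility with nsd.conf)." should read "for ease of compatibility with nsd.conf". Because the entry is only an alias for interface:, it should also say explicitly that the @port suffix and the reload caveat from the interface: entry ("The interfaces are not changed on a reload (kill \-HUP) but only on restart.") apply to ip\-address as well, so a reader who only finds this shorter entry does not expect a reload to rebind sockets.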
189.B max\-udp\-size: \fI<number>
190Maximum UDP response size (not applied to TCP response). 65536 disables the
191udp response size maximum, and uses the choice from the client, always.
192Suggested values are 512 to 4096. Default is 4096.
193.TP
186.B msg\-buffer\-size: \fI<number>
187Number of bytes size of the message buffers. Default is 65552 bytes, enough
188for 64 Kb packets, the maximum DNS message size. No message larger than this
189can be sent or received. Can be reduced to use less memory, but some requests
190for DNS data, such as for huge resource records, will result in a SERVFAIL
191reply to the client.
192.TP
193.B msg\-cache\-size: \fI<number>

--- 21 unchanged lines hidden (view full) ---

215spent more than their allowed time. This protects against denial of
216service by slow queries or high query rates. Default 200 milliseconds.
217The effect is that the qps for long-lasting queries is about
218(numqueriesperthread / 2) / (average time for such long queries) qps.
219The qps for short queries can be about (numqueriesperthread / 2)
220/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
221qps by default.
222.TP
194.B msg\-buffer\-size: \fI<number>
195Number of bytes size of the message buffers. Default is 65552 bytes, enough
196for 64 Kb packets, the maximum DNS message size. No message larger than this
197can be sent or received. Can be reduced to use less memory, but some requests
198for DNS data, such as for huge resource records, will result in a SERVFAIL
199reply to the client.
200.TP
201.B msg\-cache\-size: \fI<number>

--- 21 unchanged lines hidden (view full) ---

223spent more than their allowed time. This protects against denial of
224service by slow queries or high query rates. Default 200 milliseconds.
225The effect is that the qps for long-lasting queries is about
226(numqueriesperthread / 2) / (average time for such long queries) qps.
227The qps for short queries can be about (numqueriesperthread / 2)
228/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
229qps by default.
230.TP
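Review bot: the added max\-udp\-size entry does not say what the limit is applied against. "65536 disables the udp response size maximum, and uses the choice from the client, always." implies the value caps the client's advertised EDNS buffer size; spell that out. It should also say why the suggested range matters: this cap bounds the size of UDP answers the server will send to a source address it cannot verify, so 512 to 4096 is the conservative setting and 65536 removes the bound entirely. Minor: "udp response size maximum" should be "UDP" to match the first sentence.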
231.B delay\-close: \fI<msec>
232Extra delay for timeouted UDP ports before they are closed, in msec.
233Default is 0, and that disables it. This prevents very delayed answer
234packets from the upstream (recursive) servers from bouncing against
235closed ports and setting off all sort of close-port counters, with
236eg. 1500 msec. When timeouts happen you need extra sockets, it checks
237the ID and remote IP of packets, and unwanted packets are added to the
238unwanted packet counter.
239.TP
223.B so\-rcvbuf: \fI<number>
224If not 0, then set the SO_RCVBUF socket option to get more buffer
225space on UDP port 53 incoming queries. So that short spikes on busy
226servers do not drop packets (see counter in netstat \-su). Default is
2270 (use system value). Otherwise, the number of bytes to ask for, try
228"4m" on a busy server. The OS caps it at a maximum, on linux unbound
229needs root permission to bypass the limit, or the admin can use sysctl
230net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.

--- 6 unchanged lines hidden (view full) ---

237in answer traffic, otherwise 'send: resource temporarily unavailable'
238can get logged, the buffer overrun is also visible by netstat \-su.
239Default is 0 (use system value). Specify the number of bytes to ask
240for, try "4m" on a very busy server. The OS caps it at a maximum, on
241linux unbound needs root permission to bypass the limit, or the admin
242can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
243to so\-rcvbuf.
244.TP
240.B so\-rcvbuf: \fI<number>
241If not 0, then set the SO_RCVBUF socket option to get more buffer
242space on UDP port 53 incoming queries. So that short spikes on busy
243servers do not drop packets (see counter in netstat \-su). Default is
2440 (use system value). Otherwise, the number of bytes to ask for, try
245"4m" on a busy server. The OS caps it at a maximum, on linux unbound
246needs root permission to bypass the limit, or the admin can use sysctl
247net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.

--- 6 unchanged lines hidden (view full) ---

254in answer traffic, otherwise 'send: resource temporarily unavailable'
255can get logged, the buffer overrun is also visible by netstat \-su.
256Default is 0 (use system value). Specify the number of bytes to ask
257for, try "4m" on a very busy server. The OS caps it at a maximum, on
258linux unbound needs root permission to bypass the limit, or the admin
259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
260to so\-rcvbuf.
261.TP
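Review bot: the added delay\-close text needs wording fixes: "timeouted UDP ports" should be "timed\-out UDP ports", "all sort of close-port counters" should be "all sorts of close\-port counters", and "eg." should be "e.g.". The sentence "When timeouts happen you need extra sockets, it checks the ID and remote IP of packets, and unwanted packets are added to the unwanted packet counter." runs three separate points together; suggest splitting it: holding ports open after a timeout costs extra outgoing sockets; a late packet arriving on a held port is matched on query ID and remote IP; a packet that does not match is counted as unwanted and not accepted. The last point is the one operators care about, since it is what keeps a held\-open port from accepting packets that belong to no outstanding query, and it deserves its own sentence.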
262.B so\-reuseport: \fI<yes or no>
263If yes, then open dedicated listening sockets for incoming queries for each
264thread and try to set the SO_REUSEPORT socket option on each socket. May
265distribute incoming queries to threads more evenly. Default is no. Only
266supported on Linux >= 3.9. You can enable it (on any platform and kernel),
267it then attempts to open the port and passes the option if it was available
268at compile time, if that works it is used, if it fails, it continues
269silently (unless verbosity 3) without the option.
270.TP
245.B rrset\-cache\-size: \fI<number>
246Number of bytes size of the RRset cache. Default is 4 megabytes.
247A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
248or gigabytes (1024*1024 bytes in a megabyte).
249.TP
250.B rrset\-cache\-slabs: \fI<number>
251Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
252Must be set to a power of 2.

--- 68 unchanged lines hidden (view full) ---

321.TP
322.B do\-daemonize: \fI<yes or no>
323Enable or disable whether the unbound server forks into the background as
324a daemon. Default is yes.
325.TP
326.B access\-control: \fI<IP netblock> <action>
327The netblock is given as an IP4 or IP6 address with /size appended for a
328classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
271.B rrset\-cache\-size: \fI<number>
272Number of bytes size of the RRset cache. Default is 4 megabytes.
273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
274or gigabytes (1024*1024 bytes in a megabyte).
275.TP
276.B rrset\-cache\-slabs: \fI<number>
277Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
278Must be set to a power of 2.

--- 68 unchanged lines hidden (view full) ---

347.TP
348.B do\-daemonize: \fI<yes or no>
349Enable or disable whether the unbound server forks into the background as
350a daemon. Default is yes.
351.TP
352.B access\-control: \fI<IP netblock> <action>
353The netblock is given as an IP4 or IP6 address with /size appended for a
354classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
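Review bot: the added so\-reuseport entry says the server "continues silently (unless verbosity 3) without the option" when the port cannot be opened with SO_REUSEPORT, so an operator who sets yes on a kernel older than the stated Linux >= 3.9 gets single\-socket behaviour with no indication at the default verbosity; state plainly that the fallback is only visible at verbosity 3 and suggest checking the log at that level after enabling the option. The final sentence is also a chain of comma splices ("it then attempts to open the port and passes the option if it was available at compile time, if that works it is used, if it fails, it continues silently") and should be split into separate sentences.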
329\fIallow\fR or \fIallow_snoop\fR.
355\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
330.IP
331The action \fIdeny\fR stops queries from hosts from that netblock.
332.IP
333The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
334error message back.
335.IP
336The action \fIallow\fR gives access to clients from that netblock.
337It gives only access for recursion clients (which is

--- 12 unchanged lines hidden (view full) ---

350the cache contents (for malicious acts). However, nonrecursive queries can
351also be a valuable debugging tool (when you want to examine the cache
352contents). In that case use \fIallow_snoop\fR for your administration host.
353.IP
354By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
355The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
356protocol is not designed to handle dropped packets due to policy, and
357dropping may result in (possibly excessive) retried queries.
356.IP
357The action \fIdeny\fR stops queries from hosts from that netblock.
358.IP
359The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
360error message back.
361.IP
362The action \fIallow\fR gives access to clients from that netblock.
363It gives only access for recursion clients (which is

--- 12 unchanged lines hidden (view full) ---

376the cache contents (for malicious acts). However, nonrecursive queries can
377also be a valuable debugging tool (when you want to examine the cache
378contents). In that case use \fIallow_snoop\fR for your administration host.
379.IP
380By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
381The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
382protocol is not designed to handle dropped packets due to policy, and
383dropping may result in (possibly excessive) retried queries.
384.IP
385The deny_non_local and refuse_non_local settings are for hosts that are
386only allowed to query for the authoritative local\-data, they are not
387allowed full recursion but only the static data. With deny_non_local,
388messages that are disallowed are dropped, with refuse_non_local they
389receive error code REFUSED.
358.TP
359.B chroot: \fI<directory>
360If chroot is enabled, you should pass the configfile (from the
361commandline) as a full path from the original root. After the
362chroot has been performed the now defunct portion of the config
363file path is removed to be able to reread the config after a reload.
364.IP
365All other file paths (working dir, logfile, roothints, and

--- 121 unchanged lines hidden (view full) ---

487(or the DNSKEY data fails to validate), then the zone is made insecure,
488this behaves like there is no trust anchor. You could turn this off if
489you are sometimes behind an intrusive firewall (of some sort) that
490removes DNSSEC data from packets, or a zone changes from signed to
491unsigned to badly signed often. If turned off you run the risk of a
492downgrade attack that disables security for a zone. Default is on.
493.TP
494.B harden\-below\-nxdomain: \fI<yes or no>
390.TP
391.B chroot: \fI<directory>
392If chroot is enabled, you should pass the configfile (from the
393commandline) as a full path from the original root. After the
394chroot has been performed the now defunct portion of the config
395file path is removed to be able to reread the config after a reload.
396.IP
397All other file paths (working dir, logfile, roothints, and

--- 121 unchanged lines hidden (view full) ---

519(or the DNSKEY data fails to validate), then the zone is made insecure,
520this behaves like there is no trust anchor. You could turn this off if
521you are sometimes behind an intrusive firewall (of some sort) that
522removes DNSSEC data from packets, or a zone changes from signed to
523unsigned to badly signed often. If turned off you run the risk of a
524downgrade attack that disables security for a zone. Default is on.
525.TP
526.B harden\-below\-nxdomain: \fI<yes or no>
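Review bot: the new paragraph for deny_non_local and refuse_non_local writes the action names as plain text, while the action list ("\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.") and the existing deny, refuse and allow paragraphs use \fI...\fR markup; use \fIdeny_non_local\fR and \fIrefuse_non_local\fR for consistency. The entry already explains that the default is refuse "because that is protocol\-friendly" and that dropping "may result in (possibly excessive) retried queries"; the new paragraph should say that the same reasoning favours refuse_non_local over deny_non_local for hosts restricted to local\-data. "only allowed to query for the authoritative local\-data" also reads better as "only allowed to query the authoritative local\-data".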
495From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
527From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
496below another name that is already known to be nxdomain. DNSSEC mandates
497noerror for empty nonterminals, hence this is possible. Very old software
498might return nxdomain for empty nonterminals (that usually happen for reverse
499IP address lookups), and thus may be incompatible with this. To try to avoid
500this only DNSSEC-secure nxdomains are used, because the old software does not
501have DNSSEC. Default is off.
502.TP
503.B harden\-referral\-path: \fI<yes or no>

--- 237 unchanged lines hidden (view full) ---

741Must be set to a power of 2. Setting (close) to the number of cpus is a
742reasonable guess.
743.TP
744.B neg\-cache\-size: \fI<number>
745Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
746A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
747or gigabytes (1024*1024 bytes in a megabyte).
748.TP
528below another name that is already known to be nxdomain. DNSSEC mandates
529noerror for empty nonterminals, hence this is possible. Very old software
530might return nxdomain for empty nonterminals (that usually happen for reverse
531IP address lookups), and thus may be incompatible with this. To try to avoid
532this only DNSSEC-secure nxdomains are used, because the old software does not
533have DNSSEC. Default is off.
534.TP
535.B harden\-referral\-path: \fI<yes or no>

--- 237 unchanged lines hidden (view full) ---

773Must be set to a power of 2. Setting (close) to the number of cpus is a
774reasonable guess.
775.TP
776.B neg\-cache\-size: \fI<number>
777Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
778A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
779or gigabytes (1024*1024 bytes in a megabyte).
780.TP
781.B unblock\-lan\-zones: \fI<yesno>
782Default is disabled. If enabled, then for private address space,
783the reverse lookups are no longer filtered. This allows unbound when
784running as dns service on a host where it provides service for that host,
785to put out all of the queries for the 'lan' upstream. When enabled,
786only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured
787with default local zones. Disable the option when unbound is running
788as a (DHCP-) DNS network resolver for a group of machines, where such
789lookups should be filtered (RFC compliance), this also stops potential
790data leakage about the local network to the upstream DNS servers.
791.TP
749.B local\-zone: \fI<zone> <type>
750Configure a local zone. The type determines the answer to give if
751there is no match from local\-data. The types are deny, refuse, static,
752transparent, redirect, nodefault, typetransparent, and are explained
753below. After that the default settings are listed. Use local\-data: to
754enter data into the local zone. Answers for local zones are authoritative
755DNS answers. By default the zones are class IN.
756.IP

--- 342 unchanged lines hidden ---
792.B local\-zone: \fI<zone> <type>
793Configure a local zone. The type determines the answer to give if
794there is no match from local\-data. The types are deny, refuse, static,
795transparent, redirect, nodefault, typetransparent, and are explained
796below. After that the default settings are listed. Use local\-data: to
797enter data into the local zone. Answers for local zones are authoritative
798DNS answers. By default the zones are class IN.
799.IP

--- 342 unchanged lines hidden ---
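Review bot: in the added unblock\-lan\-zones entry the argument is written as \fI<yesno> while every other boolean option in this file uses \fI<yes or no>, and "Default is disabled" should be "Default is no" to match entries such as interface\-automatic; "(DHCP-)" should escape the hyphen as "(DHCP\-)", which is the same fix this region applies to draft\-vixie\-dnsext\-resimprove. The sentence "this also stops potential data leakage about the local network to the upstream DNS servers" is the consequence an operator needs before enabling the option (reverse lookups for private address space are then sent to the upstream resolver), so it should appear in the description of what enabling does and not only at the end as a reason to keep it disabled.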