unbound.conf.5.in (368129) unbound.conf.5.in (368693)
1.TH "unbound.conf" "5" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0"
1.TH "unbound.conf" "5" "Dec 3, 2020" "NLnet Labs" "unbound 1.13.0"
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"

--- 259 unchanged lines hidden (view full) ---

269Extra delay for timeouted UDP ports before they are closed, in msec.
270Default is 0, and that disables it. This prevents very delayed answer
271packets from the upstream (recursive) servers from bouncing against
272closed ports and setting off all sort of close-port counters, with
273eg. 1500 msec. When timeouts happen you need extra sockets, it checks
274the ID and remote IP of packets, and unwanted packets are added to the
275unwanted packet counter.
276.TP
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"

--- 259 unchanged lines hidden (view full) ---

269Extra delay for timeouted UDP ports before they are closed, in msec.
270Default is 0, and that disables it. This prevents very delayed answer
271packets from the upstream (recursive) servers from bouncing against
272closed ports and setting off all sort of close-port counters, with
273eg. 1500 msec. When timeouts happen you need extra sockets, it checks
274the ID and remote IP of packets, and unwanted packets are added to the
275unwanted packet counter.
276.TP
277.B udp\-connect: \fI<yes or no>
278Perform connect for UDP sockets that mitigates ICMP side channel leakage.
279Default is yes.
280.TP
277.B unknown\-server\-time\-limit: \fI<msec>
278The wait time in msec for waiting for an unknown server to reply.
279Increase this if you are behind a slow satellite link, to eg. 1128.
280That would then avoid re\-querying every initial query because it times out.
281Default is 376 msec.
282.TP
283.B so\-rcvbuf: \fI<number>
284If not 0, then set the SO_RCVBUF socket option to get more buffer
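Review bot: the new udp-connect entry has a dangling relative clause ("UDP sockets that mitigates") and never says what connect() actually buys the operator. A connected UDP socket only receives datagrams from the peer it was connected to, and the kernel delivers ICMP errors for that peer to the socket, which is the property that mitigates the ICMP side channel. Suggest: "Perform connect() on outgoing UDP sockets. A connected socket only accepts datagrams from its peer, which mitigates ICMP side channel leakage. Default is yes." Since the hardened setting is already the default, the entry should also state when an operator would set it to no, otherwise the knob is undocumented in the direction it is meant to be used.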

--- 92 unchanged lines hidden (view full) ---

377.B infra\-cache\-numhosts: \fI<number>
378Number of hosts for which information is cached. Default is 10000.
379.TP
380.B infra\-cache\-min\-rtt: \fI<msec>
381Lower limit for dynamic retransmit timeout calculation in infrastructure
382cache. Default is 50 milliseconds. Increase this value if using forwarders
383needing more time to do recursive name resolution.
384.TP
281.B unknown\-server\-time\-limit: \fI<msec>
282The wait time in msec for waiting for an unknown server to reply.
283Increase this if you are behind a slow satellite link, to eg. 1128.
284That would then avoid re\-querying every initial query because it times out.
285Default is 376 msec.
286.TP
287.B so\-rcvbuf: \fI<number>
288If not 0, then set the SO_RCVBUF socket option to get more buffer

--- 92 unchanged lines hidden (view full) ---

381.B infra\-cache\-numhosts: \fI<number>
382Number of hosts for which information is cached. Default is 10000.
383.TP
384.B infra\-cache\-min\-rtt: \fI<msec>
385Lower limit for dynamic retransmit timeout calculation in infrastructure
386cache. Default is 50 milliseconds. Increase this value if using forwarders
387needing more time to do recursive name resolution.
388.TP
389.B infra\-keep\-probing: \fI<yes or no>
390If enabled the server keeps probing hosts that are down, in the one probe
391at a time regime. Default is no. Hosts that are down, eg. they did
392not respond during the one probe at a time period, are marked as down and
393it may take \fBinfra\-host\-ttl\fR time to get probed again.
394.TP
385.B define\-tag: \fI<"list of tags">
386Define the tags that can be used with local\-zone and access\-control.
387Enclose the list between quotes ("") and put spaces between tags.
388.TP
389.B do\-ip4: \fI<yes or no>
390Enable or disable whether ip4 queries are answered or issued. Default is yes.
391.TP
392.B do\-ip6: \fI<yes or no>
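Review bot: the infra-keep-probing entry does not separate the two behaviours it describes. The first sentence is the "yes" case, while the last sentence (a host that did not respond is marked down and may wait infra-host-ttl before being probed again) is the default "no" case, yet it is written as if it applied in both. Suggest: "If enabled, the server keeps probing hosts that are marked down, one probe at a time. If disabled (the default), a host that did not respond during the one-probe-at-a-time period is marked down and may not be probed again until infra-host-ttl expires." "in the one probe at a time regime" and "eg. they did" are awkward; "e.g.," reads better. One clause on the trade-off (faster detection of an upstream that came back, at the cost of continued probes to an address that is not answering) would help operators decide.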

--- 118 unchanged lines hidden (view full) ---

511.TP
512.B ssl\-port: \fI<number>
513Alternate syntax for \fBtls\-port\fR.
514.TP
515.B tls\-cert\-bundle: \fI<file>
516If null or "", no file is used. Set it to the certificate bundle file,
517for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
518for authenticating connections made to outside peers. For example auth\-zone
395.B define\-tag: \fI<"list of tags">
396Define the tags that can be used with local\-zone and access\-control.
397Enclose the list between quotes ("") and put spaces between tags.
398.TP
399.B do\-ip4: \fI<yes or no>
400Enable or disable whether ip4 queries are answered or issued. Default is yes.
401.TP
402.B do\-ip6: \fI<yes or no>

--- 118 unchanged lines hidden (view full) ---

521.TP
522.B ssl\-port: \fI<number>
523Alternate syntax for \fBtls\-port\fR.
524.TP
525.B tls\-cert\-bundle: \fI<file>
526If null or "", no file is used. Set it to the certificate bundle file,
527for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
528for authenticating connections made to outside peers. For example auth\-zone
519urls, and also DNS over TLS connections.
529urls, and also DNS over TLS connections. It is read at start up before
530permission drop and chroot.
520.TP
521.B ssl\-cert\-bundle: \fI<file>
522Alternate syntax for \fBtls\-cert\-bundle\fR.
523.TP
524.B tls\-win\-cert: \fI<yes or no>
525Add the system certificates to the cert bundle certificates for authentication.
526If no cert bundle, it uses only these certificates. Default is no.
527On windows this option uses the certificates from the cert store. Use
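Review bot: the added sentence "It is read at start up before permission drop and chroot" states the timing but leaves the practical consequences to the reader. The entry should say that the bundle must be readable by the user unbound is started as (not the user it drops to), that an unreadable or missing bundle is therefore a startup failure rather than a runtime one, and whether the file name is interpreted relative to the real root or to the chroot directory, since that is the question an operator running chrooted will ask. Suggest: "It is read at start up, before privileges are dropped and before chroot, so the file must be readable by the starting user; give the path as seen before chroot." (adjust the last clause to whatever the loader actually does). Minor: "start up" as a noun is usually "startup".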

--- 54 unchanged lines hidden (view full) ---

582An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
583megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
584megabytes or gigabytes (1024*1024 bytes in a megabyte).
585.TP
586.B http\-nodelay: \fI<yes or no>
587Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
588Ignored if the option is not available. Default is yes.
589.TP
531.TP
532.B ssl\-cert\-bundle: \fI<file>
533Alternate syntax for \fBtls\-cert\-bundle\fR.
534.TP
535.B tls\-win\-cert: \fI<yes or no>
536Add the system certificates to the cert bundle certificates for authentication.
537If no cert bundle, it uses only these certificates. Default is no.
538On windows this option uses the certificates from the cert store. Use

--- 54 unchanged lines hidden (view full) ---

593An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
594megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
595megabytes or gigabytes (1024*1024 bytes in a megabyte).
596.TP
597.B http\-nodelay: \fI<yes or no>
598Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
599Ignored if the option is not available. Default is yes.
600.TP
601.B http\-notls\-downstream: \fI<yes or no>
602Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
603local back end servers. Default is no.
604.TP
590.B use\-systemd: \fI<yes or no>
591Enable or disable systemd socket activation.
592Default is no.
593.TP
594.B do\-daemonize: \fI<yes or no>
595Enable or disable whether the unbound server forks into the background as
596a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
597Default is yes.
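Review bot: the http-notls-downstream entry should say plainly what "yes" does to the listener: the DNS-over-HTTPS port then accepts plaintext HTTP, so client queries reach unbound unencrypted, and the option is only appropriate when a TLS-terminating reverse proxy or load balancer on a trusted network sits in front of it. "Useful for local back end servers" implies this but does not state it. Suggest: "Disable TLS on the downstream DNS-over-HTTPS listener so that it accepts plaintext HTTP connections. Use this only when unbound is a local back end behind a proxy that terminates TLS; the hop between the proxy and unbound is then unencrypted. Default is no." Consistency: the surrounding entries (http-nodelay) spell the service "DNS-over-HTTPS", the new entry says "DNS-over-HTTP".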

--- 932 unchanged lines hidden (view full) ---

1530\fBfast\-server\-num\fR option can be used to specify the size of the fastest
1531servers set. The default for fast\-server\-permil is 0.
1532.TP 5
1533.B fast\-server\-num: \fI<number>
1534Set the number of servers that should be used for fast server selection. Only
1535use the fastest specified number of servers with the fast\-server\-permil
1536option, that turns this on or off. The default is to use the fastest 3 servers.
1537.TP 5
605.B use\-systemd: \fI<yes or no>
606Enable or disable systemd socket activation.
607Default is no.
608.TP
609.B do\-daemonize: \fI<yes or no>
610Enable or disable whether the unbound server forks into the background as
611a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
612Default is yes.

--- 932 unchanged lines hidden (view full) ---

1545\fBfast\-server\-num\fR option can be used to specify the size of the fastest
1546servers set. The default for fast\-server\-permil is 0.
1547.TP 5
1548.B fast\-server\-num: \fI<number>
1549Set the number of servers that should be used for fast server selection. Only
1550use the fastest specified number of servers with the fast\-server\-permil
1551option, that turns this on or off. The default is to use the fastest 3 servers.
1552.TP 5
1538.B edns\-client\-tag: \fI<IP netblock> <tag data>
1539Include an edns-client-tag option in queries with destination address matching
1540the configured IP netblock. This configuration option can be used multiple
1541times. The most specific match will be used. The tag data is configured in
1542decimal format, from 0 to 65535.
1553.B edns\-client\-string: \fI<IP netblock> <string>
1554Include an EDNS0 option containing configured ascii string in queries with
1555destination address matching the configured IP netblock. This configuration
1556option can be used multiple times. The most specific match will be used.
1543.TP 5
1557.TP 5
1544.B edns\-client\-tag\-opcode: \fI<opcode>
1545EDNS0 option code for the edns-client-tag option, from 0 to 65535. Default is
154616, as assigned by IANA.
1558.B edns\-client\-string\-opcode: \fI<opcode>
1559EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
1560A value from the `Reserved for Local/Experimental` range (65001-65534) should
1561be used. Default is 65001.
1547.SS "Remote Control Options"
1548In the
1549.B remote\-control:
1550clause are the declarations for the remote control facility. If this is
1551enabled, the \fIunbound\-control\fR(8) utility can be used to send
1552commands to the running unbound server. The server uses these clauses
1553to setup TLSv1 security for the connection. The
1554\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
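Review bot: replacing edns-client-tag and edns-client-tag-opcode with edns-client-string and edns-client-string-opcode removes two option names without any compatibility note, so existing configurations using the old names will stop parsing; the man page, or at least the changelog this diff belongs to, should say the option was renamed and that its data changed from a decimal tag (0 to 65535) to an ASCII string. On the opcode: the old default 16 was an IANA assignment for the client-tag option, so moving the default to 65001 from the Local/Experimental range is the right call for an arbitrary string, but the entry should warn that codes in 65001-65534 are not registered and the receiving server must be configured to expect the same code, otherwise the option is silently ignored or misread. The edns-client-string entry should also state the maximum string length and make explicit that the string is sent to every upstream whose address matches the netblock, so operators keep the netblock narrow and avoid handing an identifying string to unintended servers. Spelling: "ascii" should be "ASCII", and "containing configured ascii string" reads better as "containing the configured ASCII string".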

--- 866 unchanged lines hidden ---
1562.SS "Remote Control Options"
1563In the
1564.B remote\-control:
1565clause are the declarations for the remote control facility. If this is
1566enabled, the \fIunbound\-control\fR(8) utility can be used to send
1567commands to the running unbound server. The server uses these clauses
1568to setup TLSv1 security for the connection. The
1569\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR

--- 866 unchanged lines hidden ---