old ( 268839 ) new ( 276605 )
1.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.LP
12.B unbound.conf
13\- Unbound configuration file.
14.SH "SYNOPSIS"
15.LP
16.B unbound.conf
17.SH "DESCRIPTION"
18.LP
19.B unbound.conf
20is used to configure
21\fIunbound\fR(8).
22The file format has attributes and values. Some attributes have attributes inside them.
23The notation is: attribute: value.
24.P
25Comments start with # and last to the end of line. Empty lines are
26ignored as is whitespace at the beginning of a line.

--- 33 unchanged lines hidden (view full) ---

60 # verbosity: 1 # uncomment and increase to get more logging.
61 # listen on all interfaces, answer queries from the local subnet.
62 interface: 0.0.0.0
63 interface: ::0
64 access\-control: 10.0.0.0/8 allow
65 access\-control: 2001:DB8::/64 allow
66.fi
67.SH "FILE FORMAT"
68.LP
69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
70is followed by its containing attributes, or a value.
71.P
72Files can be included using the
73.B include:
74directive. It can appear anywhere, it accepts a single file name as argument.
75Processing continues as if the text from the included file was copied into
76the config file at that point. If also using chroot, using full path names
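
Review bot: the example's comment on line 61 says "answer queries from the local subnet", but the access-control lines below it allow all of 10.0.0.0/8 and the prefix 2001:DB8::/64, which are sample ranges rather than a typical local subnet. With interface: 0.0.0.0 and interface: ::0, these two lines are the only thing in the example that limits who gets answers. Suggest rewording the comment to tell the reader to replace both prefixes with their own, and fixing the comma splice in the include: paragraph ("It can appear anywhere, it accepts ...").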

--- 87 unchanged lines hidden (view full) ---

164Do not permit unbound to open this port or range of ports for use to send
165queries. Use this to make sure unbound does not grab a port that another
166daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
167By default only ports above 1024 that have not been assigned by IANA are used.
168Give a port number or a range of the form "low\-high", without spaces.
169.TP
170.B outgoing\-num\-tcp: \fI<number>
171Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
172to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
173.TP
174.B incoming\-num\-tcp: \fI<number>
175Number of incoming TCP buffers to allocate per thread. Default is 10. If set
176to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
177.TP
178.B edns\-buffer\-size: \fI<number>
179Number of bytes size to advertise as the EDNS reassembly buffer size.
180This is the value put into datagrams over UDP towards peers. The actual
181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
182not set higher than that value. Default is 4096 which is RFC recommended.
183If you have fragmentation reassembly problems, usually seen as timeouts,
184then a value of 1480 can fix it. Setting to 512 bypasses even the most
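
Review bot: the outgoing-num-tcp and incoming-num-tcp entries (lines 172 and 176) refer to the option as do_tcp, but the page documents it further down as do-tcp: with a hyphen. Suggest writing it as \fBdo\-tcp:\fR in both places so that a reader searching the page or a config file for the name finds it. In edns-buffer-size, "which is RFC recommended" would be easier to check if it named the RFC.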

--- 72 unchanged lines hidden (view full) ---

257for, try "4m" on a very busy server. The OS caps it at a maximum, on
258linux unbound needs root permission to bypass the limit, or the admin
259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
260to so\-rcvbuf.
261.TP
262.B so\-reuseport: \fI<yes or no>
263If yes, then open dedicated listening sockets for incoming queries for each
264thread and try to set the SO_REUSEPORT socket option on each socket. May
265distribute incoming queries to threads more evenly. Default is no. Only
266supported on Linux >= 3.9. You can enable it (on any platform and kernel),
267it then attempts to open the port and passes the option if it was available
268at compile time, if that works it is used, if it fails, it continues
269silently (unless verbosity 3) without the option.
270.TP
271.B rrset\-cache\-size: \fI<number>
272Number of bytes size of the RRset cache. Default is 4 megabytes.
273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
274or gigabytes (1024*1024 bytes in a megabyte).
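
Review bot: in so-reuseport (lines 265 to 269), "Only supported on Linux >= 3.9" followed directly by "You can enable it (on any platform and kernel)" reads as a contradiction, and the final sentence chains four clauses with commas. Suggest splitting it into separate sentences: setting yes is accepted everywhere, the option is passed only if it was available at compile time, and if setting it fails unbound continues without it. Because that fallback is silent unless verbosity is 3, it is worth stating outright that an operator has to raise verbosity to confirm the option actually took effect.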

--- 30 unchanged lines hidden (view full) ---

305Number of hosts for which information is cached. Default is 10000.
306.TP
307.B do\-ip4: \fI<yes or no>
308Enable or disable whether ip4 queries are answered or issued. Default is yes.
309.TP
310.B do\-ip6: \fI<yes or no>
311Enable or disable whether ip6 queries are answered or issued. Default is yes.
312If disabled, queries are not answered on IPv6, and queries are not sent on
313IPv6 to the internet nameservers.
314.TP
315.B do\-udp: \fI<yes or no>
316Enable or disable whether UDP queries are answered or issued. Default is yes.
317.TP
318.B do\-tcp: \fI<yes or no>
319Enable or disable whether TCP queries are answered or issued. Default is yes.
320.TP
321.B tcp\-upstream: \fI<yes or no>
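
Review bot: do-ip6 (lines 312 and 313) spells out what disabling it means, but do-ip4, do-udp and do-tcp say only "answered or issued" with no matching sentence. Suggest giving each the same two-part statement (not answered to clients, not sent to nameservers), since turning one of these off changes both the listening side and the upstream side. The do-ip6 entry also mixes "ip6" and "IPv6"; pick one spelling for the page.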

--- 578 unchanged lines hidden (view full) ---

90031.172.in\-addr.arpa, 168.192.in\-addr.arpa.
901The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
902records are provided.
903.TP 10
904\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
905Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
9062.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
907113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
908.TP 10
909\h'5'\fIreverse RFC4291 IP6 unspecified\fR
910Reverse data for zone
911.nf
9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
914.fi
915.TP 10
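
Review bot: the heading on line 904 cites only RFC3330, but the list under it includes 100.51.198.in-addr.arpa (TEST NET 2) and 113.0.203.in-addr.arpa (TEST NET 3), and those two ranges were assigned by RFC 5737, not RFC 3330. Suggest adding RFC 5737 to the heading, or giving the test networks their own entry, so the cited reference matches every zone listed.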

--- 161 unchanged lines hidden (view full) ---

1077clause gives the settings for the \fIpython\fR(1) script module. This module
1078acts like the iterator and validator modules do, on queries and answers.
1079To enable the script module it has to be compiled into the daemon,
1080and the word "python" has to be put in the \fBmodule\-config:\fR option
1081(usually first, or between the validator and iterator).
1082.TP
1083.B python\-script: \fI<python file>\fR
1084The script file to load.
1085.SH "MEMORY CONTROL EXAMPLE"
1086In the example config settings below memory usage is reduced. Some service
1087levels are lower, notable very large data and a high TCP load are no longer
1088supported. Very large data and high TCP loads are exceptional for the DNS.
1089DNSSEC validation is enabled, just add trust anchors.
1090If you do not have to worry about programs using more than 3 Mb of memory,
1091the below example is not for you. Use the defaults to receive full service,
1092which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
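
Review bot: python-script (line 1084) says only "The script file to load", for a file that the lines above describe as acting on queries and answers inside the daemon. Suggest documenting how the path is resolved when chroot is in use, as the include: text does for its file name, and noting that the file should not be writable by the user unbound runs as. In the MEMORY CONTROL EXAMPLE paragraph, "notable very large data" should be "notably", and "3 Mb" and "30\-40 Mb" should be written as megabytes (MB), since Mb reads as megabits.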

--- 49 unchanged lines hidden ---