unbound.conf.5 (268839) unbound.conf.5 (276605)
1.TH "unbound.conf" "5" "Mar 12, 2014" "NLnet Labs" "unbound 1.4.22"
1.TH "unbound.conf" "5" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1"
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
2.\"
3.\" unbound.conf.5 -- unbound.conf manual
4.\"
5.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
6.\"
7.\" See LICENSE for the license.
8.\"
9.\"
10.SH "NAME"
11.LP
12.B unbound.conf
13\- Unbound configuration file.
14.SH "SYNOPSIS"
11.B unbound.conf
12\- Unbound configuration file.
13.SH "SYNOPSIS"
15.LP
16.B unbound.conf
17.SH "DESCRIPTION"
14.B unbound.conf
15.SH "DESCRIPTION"
18.LP
19.B unbound.conf
20is used to configure
21\fIunbound\fR(8).
22The file format has attributes and values. Some attributes have attributes inside them.
23The notation is: attribute: value.
24.P
25Comments start with # and last to the end of line. Empty lines are
26ignored as is whitespace at the beginning of a line.

--- 33 unchanged lines hidden (view full) ---

60 # verbosity: 1 # uncomment and increase to get more logging.
61 # listen on all interfaces, answer queries from the local subnet.
62 interface: 0.0.0.0
63 interface: ::0
64 access\-control: 10.0.0.0/8 allow
65 access\-control: 2001:DB8::/64 allow
66.fi
67.SH "FILE FORMAT"
16.B unbound.conf
17is used to configure
18\fIunbound\fR(8).
19The file format has attributes and values. Some attributes have attributes inside them.
20The notation is: attribute: value.
21.P
22Comments start with # and last to the end of line. Empty lines are
23ignored as is whitespace at the beginning of a line.

--- 33 unchanged lines hidden (view full) ---

57 # verbosity: 1 # uncomment and increase to get more logging.
58 # listen on all interfaces, answer queries from the local subnet.
59 interface: 0.0.0.0
60 interface: ::0
61 access\-control: 10.0.0.0/8 allow
62 access\-control: 2001:DB8::/64 allow
63.fi
64.SH "FILE FORMAT"
68.LP
69There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
70is followed by its containing attributes, or a value.
71.P
72Files can be included using the
73.B include:
74directive. It can appear anywhere, it accepts a single file name as argument.
75Processing continues as if the text from the included file was copied into
76the config file at that point. If also using chroot, using full path names

--- 87 unchanged lines hidden (view full) ---

164Do not permit unbound to open this port or range of ports for use to send
165queries. Use this to make sure unbound does not grab a port that another
166daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
167By default only ports above 1024 that have not been assigned by IANA are used.
168Give a port number or a range of the form "low\-high", without spaces.
169.TP
170.B outgoing\-num\-tcp: \fI<number>
171Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
65There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
66is followed by its containing attributes, or a value.
67.P
68Files can be included using the
69.B include:
70directive. It can appear anywhere, it accepts a single file name as argument.
71Processing continues as if the text from the included file was copied into
72the config file at that point. If also using chroot, using full path names

--- 87 unchanged lines hidden (view full) ---

160Do not permit unbound to open this port or range of ports for use to send
161queries. Use this to make sure unbound does not grab a port that another
162daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
163By default only ports above 1024 that have not been assigned by IANA are used.
164Give a port number or a range of the form "low\-high", without spaces.
165.TP
166.B outgoing\-num\-tcp: \fI<number>
167Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
172to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
168to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done.
173.TP
174.B incoming\-num\-tcp: \fI<number>
175Number of incoming TCP buffers to allocate per thread. Default is 10. If set
169.TP
170.B incoming\-num\-tcp: \fI<number>
171Number of incoming TCP buffers to allocate per thread. Default is 10. If set
176to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
172to 0, or if do\-tcp is "no", no TCP queries from clients are accepted.
177.TP
178.B edns\-buffer\-size: \fI<number>
179Number of bytes size to advertise as the EDNS reassembly buffer size.
180This is the value put into datagrams over UDP towards peers. The actual
181buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
182not set higher than that value. Default is 4096 which is RFC recommended.
183If you have fragmentation reassembly problems, usually seen as timeouts,
184then a value of 1480 can fix it. Setting to 512 bypasses even the most
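Review bot: In the outgoing\-num\-tcp and incoming\-num\-tcp descriptions (new lines 168 and 172) the corrected name is still plain text with no trailing colon, while other cross-references on this page are written as \fBmodule\-config:\fR and \fBlocal\-zone:\fR. Suggest \fBdo\-tcp:\fR in both sentences so the reference renders in bold and matches the option's own entry.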

--- 72 unchanged lines hidden (view full) ---

257for, try "4m" on a very busy server. The OS caps it at a maximum, on
258linux unbound needs root permission to bypass the limit, or the admin
259can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
260to so\-rcvbuf.
261.TP
262.B so\-reuseport: \fI<yes or no>
263If yes, then open dedicated listening sockets for incoming queries for each
264thread and try to set the SO_REUSEPORT socket option on each socket. May
173.TP
174.B edns\-buffer\-size: \fI<number>
175Number of bytes size to advertise as the EDNS reassembly buffer size.
176This is the value put into datagrams over UDP towards peers. The actual
177buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
178not set higher than that value. Default is 4096 which is RFC recommended.
179If you have fragmentation reassembly problems, usually seen as timeouts,
180then a value of 1480 can fix it. Setting to 512 bypasses even the most

--- 72 unchanged lines hidden (view full) ---

253for, try "4m" on a very busy server. The OS caps it at a maximum, on
254linux unbound needs root permission to bypass the limit, or the admin
255can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
256to so\-rcvbuf.
257.TP
258.B so\-reuseport: \fI<yes or no>
259If yes, then open dedicated listening sockets for incoming queries for each
260thread and try to set the SO_REUSEPORT socket option on each socket. May
265distribute incoming queries to threads more evenly. Default is no. Only
266supported on Linux >= 3.9. You can enable it (on any platform and kernel),
261distribute incoming queries to threads more evenly. Default is no. On Linux
262it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may
263also work. You can enable it (on any platform and kernel),
267it then attempts to open the port and passes the option if it was available
268at compile time, if that works it is used, if it fails, it continues
269silently (unless verbosity 3) without the option.
270.TP
271.B rrset\-cache\-size: \fI<number>
272Number of bytes size of the RRset cache. Default is 4 megabytes.
273A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
274or gigabytes (1024*1024 bytes in a megabyte).
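Review bot: The reworded so\-reuseport entry (new lines 261-263) adds "On other systems, FreeBSD, OSX it may also work", which does not tell an operator whether the option is actually in effect, and the unchanged text that follows says a failure continues silently unless verbosity is 3. Suggest stating outright that running with verbosity 3 is how to confirm the option was applied on a given platform, and splitting the run-on "You can enable it (on any platform and kernel), it then attempts ..., if that works ..., if it fails ..." into separate sentences.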

--- 30 unchanged lines hidden (view full) ---

305Number of hosts for which information is cached. Default is 10000.
306.TP
307.B do\-ip4: \fI<yes or no>
308Enable or disable whether ip4 queries are answered or issued. Default is yes.
309.TP
310.B do\-ip6: \fI<yes or no>
311Enable or disable whether ip6 queries are answered or issued. Default is yes.
312If disabled, queries are not answered on IPv6, and queries are not sent on
264it then attempts to open the port and passes the option if it was available
265at compile time, if that works it is used, if it fails, it continues
266silently (unless verbosity 3) without the option.
267.TP
268.B rrset\-cache\-size: \fI<number>
269Number of bytes size of the RRset cache. Default is 4 megabytes.
270A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
271or gigabytes (1024*1024 bytes in a megabyte).

--- 30 unchanged lines hidden (view full) ---

302Number of hosts for which information is cached. Default is 10000.
303.TP
304.B do\-ip4: \fI<yes or no>
305Enable or disable whether ip4 queries are answered or issued. Default is yes.
306.TP
307.B do\-ip6: \fI<yes or no>
308Enable or disable whether ip6 queries are answered or issued. Default is yes.
309If disabled, queries are not answered on IPv6, and queries are not sent on
313IPv6 to the internet nameservers.
310IPv6 to the internet nameservers. With this option you can disable the
311ipv6 transport for sending DNS traffic, it does not impact the contents of
312the DNS traffic, which may have ip4 and ip6 addresses in it.
314.TP
315.B do\-udp: \fI<yes or no>
316Enable or disable whether UDP queries are answered or issued. Default is yes.
317.TP
318.B do\-tcp: \fI<yes or no>
319Enable or disable whether TCP queries are answered or issued. Default is yes.
320.TP
321.B tcp\-upstream: \fI<yes or no>
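Review bot: The text added to do\-ip6 (new lines 310-312) mixes "ipv6", "ip4" and "ip6" with the "IPv6" used in the sentence just before it, and joins two statements with a comma. Suggest one spelling throughout and two sentences, for example "With this option you can disable the IPv6 transport for sending DNS traffic. It does not change the contents of the DNS traffic, which may still carry IPv4 and IPv6 addresses." Making "still" explicit helps readers who expect do\-ip6: no to remove IPv6 addresses from answers.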

--- 578 unchanged lines hidden (view full) ---

90031.172.in\-addr.arpa, 168.192.in\-addr.arpa.
901The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
902records are provided.
903.TP 10
904\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
905Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
9062.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
907113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
313.TP
314.B do\-udp: \fI<yes or no>
315Enable or disable whether UDP queries are answered or issued. Default is yes.
316.TP
317.B do\-tcp: \fI<yes or no>
318Enable or disable whether TCP queries are answered or issued. Default is yes.
319.TP
320.B tcp\-upstream: \fI<yes or no>

--- 578 unchanged lines hidden (view full) ---

89931.172.in\-addr.arpa, 168.192.in\-addr.arpa.
900The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
901records are provided.
902.TP 10
903\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
904Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
9052.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
906113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
907And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
908.TP 10
909\h'5'\fIreverse RFC4291 IP6 unspecified\fR
910Reverse data for zone
911.nf
9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
914.fi
915.TP 10
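Review bot: The line added at new 907 puts the Shared Address Space range under a list heading that still reads "reverse RFC3330 IP4 this, link\-local, testnet and broadcast", so the heading no longer describes everything listed beneath it. Suggest extending the heading to mention shared address space (RFC 6598) or giving the range its own .TP entry, and rewording the fragment "And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa" as a full sentence such as "Also the zones from ... to ...".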

--- 161 unchanged lines hidden (view full) ---

1077clause gives the settings for the \fIpython\fR(1) script module. This module
1078acts like the iterator and validator modules do, on queries and answers.
1079To enable the script module it has to be compiled into the daemon,
1080and the word "python" has to be put in the \fBmodule\-config:\fR option
1081(usually first, or between the validator and iterator).
1082.TP
1083.B python\-script: \fI<python file>\fR
1084The script file to load.
908.TP 10
909\h'5'\fIreverse RFC4291 IP6 unspecified\fR
910Reverse data for zone
911.nf
9120.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
9130.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
914.fi
915.TP 10

--- 161 unchanged lines hidden (view full) ---

1077clause gives the settings for the \fIpython\fR(1) script module. This module
1078acts like the iterator and validator modules do, on queries and answers.
1079To enable the script module it has to be compiled into the daemon,
1080and the word "python" has to be put in the \fBmodule\-config:\fR option
1081(usually first, or between the validator and iterator).
1082.TP
1083.B python\-script: \fI<python file>\fR
1084The script file to load.
1085.SS "DNS64 Module Options"
1086.LP
1087The dns64 module must be configured in the \fBmodule\-config:\fR "dns64
1088validator iterator" directive and be compiled into the daemon to be
1089enabled. These settings go in the \fBserver:\fR section.
1090.TP
1091.B dns64\-prefix: \fI<IPv6 prefix>\fR
1092This sets the DNS64 prefix to use to synthesize AAAA records with.
1093It must be /96 or shorter. The default prefix is 64:ff9b::/96.
1094.TP
1095.B dns64\-synthall: \fI<yes or no>\fR
1096Debug option, default no. If enabled, synthesize all AAAA records
1097despite the presence of actual AAAA records.
1085.SH "MEMORY CONTROL EXAMPLE"
1086In the example config settings below memory usage is reduced. Some service
1087levels are lower, notable very large data and a high TCP load are no longer
1088supported. Very large data and high TCP loads are exceptional for the DNS.
1089DNSSEC validation is enabled, just add trust anchors.
1090If you do not have to worry about programs using more than 3 Mb of memory,
1091the below example is not for you. Use the defaults to receive full service,
1092which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
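Review bot: The new section opens with .LP on new line 1086 directly after the .SS heading, while this same revision removes the .LP that followed .SH "NAME", "SYNOPSIS", "DESCRIPTION" and "FILE FORMAT"; drop it here too for consistency. In dns64\-synthall (new lines 1095-1097), "Debug option" with no further guidance leaves it unclear what clients receive when real AAAA records exist; suggest a sentence saying what is returned in that case and that the option is not intended for normal operation.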

--- 49 unchanged lines hidden ---
1098.SH "MEMORY CONTROL EXAMPLE"
1099In the example config settings below memory usage is reduced. Some service
1100levels are lower, notable very large data and a high TCP load are no longer
1101supported. Very large data and high TCP loads are exceptional for the DNS.
1102DNSSEC validation is enabled, just add trust anchors.
1103If you do not have to worry about programs using more than 3 Mb of memory,
1104the below example is not for you. Use the defaults to receive full service,
1105which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.

--- 49 unchanged lines hidden ---