unbound-control(8) unbound 1.18.0 unbound-control(8)

NAME

 unbound-control, unbound-control-setup - Unbound remote server control
 utility.

SYNOPSIS

 unbound-control [-hq] [-c cfgfile] [-s server] command

DESCRIPTION

 Unbound-control performs remote administration on the unbound(8) DNS
 server.  It reads the configuration file, contacts the Unbound server
 over SSL, sends the command and displays the result.

 The available options are:

 -h     Show the version and commandline option help.

 -c cfgfile
        The config file to read with settings.  If not given the default
        config file /var/unbound/etc/unbound.conf is used.

 -s server[@port]
        IPv4 or IPv6 address of the server to contact.  If not given, the
        address is read from the config file.

 -q     quiet, if the option is given it does not print anything if it
        works ok.

COMMANDS

 There are several commands that the server understands.

 start  Start the server. Simply execs unbound(8).  The Unbound executable
        is searched for in the PATH set in the environment.  It is started
        with the config file specified using -c or the default config
        file.

 stop   Stop the server. The server daemon exits.

 reload Reload the server. This flushes the cache and reads the config
        file fresh.

 reload_keep_cache
        Reload the server but try to keep the RRset and message cache if
        (re)configuration allows for it.  That means the cache sizes and
        the number of threads must not change between reloads.

 verbosity number
        Change verbosity value for logging. Same values as verbosity
        keyword in unbound.conf(5).  This new setting lasts until the
        server is issued a reload (taken from config file again), or the
        next verbosity control command.

 log_reopen
        Reopen the logfile, close and open it.  Useful for logrotation to
        make the daemon release the file it is logging to.  If you are
        using syslog it will attempt to close and open the syslog (which
        may not work if chrooted).

 stats  Print statistics. Resets the internal counters to zero, this can
        be controlled using the statistics-cumulative config statement.
        Statistics are printed with one [name]: [value] per line.

 stats_noreset
        Peek at statistics. Prints them like the stats command does, but
        does not reset the internal counters to zero.

 status Display server status. Exit code 3 if not running (the connection
        to the port is refused), 1 on error, 0 if running.

 local_zone name type
        Add new local zone with name and type. Like local-zone config
        statement.  If the zone already exists, the type is changed to the
        given argument.

 local_zone_remove name
        Remove the local zone with the given name.  Removes all local data
        inside it.  If the zone does not exist, the command succeeds.

 local_data RR data...
        Add new local data, the given resource record. Like local-data
        config statement, except for when no covering zone exists.  In
        that case this remote control command creates a transparent zone
        with the same name as this record.

 local_data_remove name
        Remove all RR data from local name.  If the name already has no
        items, nothing happens.  Often results in NXDOMAIN for the name
        (in a static zone), but if the name has become an empty
        nonterminal (there is still data in domain names below the removed
        name), NOERROR nodata answers are the result for that name.

 local_zones
        Add local zones read from stdin of unbound-control. Input is read
        per line, with name space type on a line. For bulk additions.

 local_zones_remove
        Remove local zones read from stdin of unbound-control. Input is
        one name per line. For bulk removals.

 local_datas
        Add local data RRs read from stdin of unbound-control. Input is
        one RR per line. For bulk additions.

 local_datas_remove
        Remove local data RRs read from stdin of unbound-control. Input is
        one name per line. For bulk removals.

 dump_cache
        The contents of the cache are printed in a text format to stdout.
        You can redirect it to a file to store the cache in a file.

 load_cache
        The contents of the cache are loaded from stdin.  Uses the same
        format as dump_cache uses.  Loading the cache with old, or wrong
        data can result in old or wrong data returned to clients.  Loading
        data into the cache in this way is supported in order to aid with
        debugging.

 lookup name
        Print to stdout the name servers that would be used to look up the
        name specified.

 flush name
        Remove the name from the cache. Removes the types A, AAAA, NS,
        SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS, because
        that is fast to do. Other record types can be removed using
        flush_type or flush_zone.

 flush_type name type
        Remove the name, type information from the cache.

 flush_zone name
        Remove all information at or below the name from the cache.  The
        rrsets and key entries are removed so that new lookups will be
        performed.  This needs to walk and inspect the entire cache, and
        is a slow operation.  The entries are set to expired in the
        implementation of this command (so, with serve-expired enabled,
        it'll serve that information but schedule a prefetch for new
        information).

 flush_bogus
        Remove all bogus data from the cache.

 flush_negative
        Remove all negative data from the cache.  This is nxdomain
        answers, nodata answers and servfail answers.  Also removes bad
        key entries (which could be due to failed lookups) from the dnssec
        key cache, and iterator last-resort lookup failures from the rrset
        cache.

 flush_stats
        Reset statistics to zero.

 flush_requestlist
        Drop the queries that are worked on.  Stops working on the queries
        that the server is working on now.  The cache is unaffected.  No
        reply is sent for those queries, probably making those users
        request again later.  Useful to make the server restart working on
        queries with new settings, such as a higher verbosity level.

 dump_requestlist
        Show what is worked on.  Prints all queries that the server is
        currently working on.  Prints the time that users have been
        waiting.  For internal requests, no time is printed.  And then
        prints out the module status.  This prints the queries from the
        first thread, and not queries that are being serviced from other
        threads.

 flush_infra all|IP
        If all, then the entire infra cache is emptied.  If a specific IP
        address, the entry for that address is removed from the cache.  It
        contains EDNS, ping and lameness data.

 dump_infra
        Show the contents of the infra cache.

 set_option opt: val
        Set the option to the given value without a reload.  The cache is
        therefore not flushed.  The option must end with a ':' and
        whitespace must be between the option and the value.  Some values
        may not have an effect if set this way, the new values are not
        written to the config file, not all options are supported.  This
        is different from the set_option call in libunbound, where all
        values work because Unbound has not been initialized.

        The values that work are: statistics-interval,
        statistics-cumulative, do-not-query-localhost,
        harden-short-bufsize, harden-large-queries, harden-glue,
        harden-dnssec-stripped, harden-below-nxdomain,
        harden-referral-path, prefetch, prefetch-key, log-queries,
        hide-identity, hide-version, identity, version, val-log-level,
        val-log-squelch, ignore-cd-flag, add-holddown, del-holddown,
        keep-missing, tcp-upstream, ssl-upstream, max-udp-size, ratelimit,
        ip-ratelimit, cache-max-ttl, cache-min-ttl,
        cache-max-negative-ttl.

 get_option opt
        Get the value of the option.  Give the option name without a
        trailing ':'.  The value is printed.  If the value is "", nothing
        is printed and the connection closes.  On error 'error ...' is
        printed (it gives a syntax error on unknown option).  For some
        options a list of values, one on each line, is printed.  The
        options are shown from the config file as modified with
        set_option.  For some options an override may have been taken that
        does not show up with this command, nor do results from e.g. the
        verbosity and forward control commands.  Not all options work, see
        list_stubs, list_forwards, list_local_zones and list_local_data
        for those.

 list_stubs
        List the stub zones in use.  These are printed one by one to the
        output.  This includes the root hints in use.

 list_forwards
        List the forward zones in use.  These are printed zone by zone to
        the output.

 list_insecure
        List the zones with domain-insecure.

 list_local_zones
        List the local zones in use.  These are printed one per line with
        zone type.

 list_local_data
        List the local data RRs in use.  The resource records are printed.

 insecure_add zone
        Add a domain-insecure for the given zone, like the statement in
        unbound.conf.  Adds to the running Unbound without affecting the
        cache contents (which may still be bogus, use flush_zone to remove
        it), does not affect the config file.

 insecure_remove zone
        Removes domain-insecure for the given zone.

 forward_add [+i] zone addr ...
        Add a new forward zone to running Unbound.  With +i option also
        adds a domain-insecure for the zone (so it can resolve insecurely
        if you have a DNSSEC root trust anchor configured for other
        names).  The addr can be IP4, IP6 or nameserver names, like
        forward-zone config in unbound.conf.

 forward_remove [+i] zone
        Remove a forward zone from running Unbound.  The +i also removes a
        domain-insecure for the zone.

 stub_add [+ip] zone addr ...
        Add a new stub zone to running Unbound.  With +i option also adds
        a domain-insecure for the zone.  With +p the stub zone is set to
        prime, without it it is set to notprime.  The addr can be IP4, IP6
        or nameserver names, like the stub-zone config in unbound.conf.

 stub_remove [+i] zone
        Remove a stub zone from running Unbound.  The +i also removes a
        domain-insecure for the zone.

 forward [off | addr ... ]
        Setup forwarding mode.  Configures if the server should ask other
        upstream nameservers, should go to the internet root nameservers
        itself, or show the current config.  You could pass the
        nameservers after a DHCP update.

        Without arguments the current list of addresses used to forward
        all queries to is printed.  On startup this is from the
        forward-zone "." configuration.  Afterwards it shows the status.
        It prints off when no forwarding is used.

        If off is passed, forwarding is disabled and the root nameservers
        are used.  This can be used to avoid buggy or non-DNSSEC
        supporting nameservers returned from DHCP, but may not work in
        hotels or hotspots.

        If one or more IPv4 or IPv6 addresses are given, those are then
        used to forward queries to.  The addresses must be separated with
        spaces.  With '@port' the port number can be set explicitly
        (default port is 53 (DNS)).

        By default the forwarder information from the config file for the
        root "." is used.  The config file is not changed, so after a
        reload these changes are gone.  Other forward zones from the
        config file are not affected by this command.

 ratelimit_list [+a]
        List the domains that are ratelimited.  Printed one per line with
        current estimated qps and qps limit from config.  With +a it
        prints all domains, not just the ratelimited domains, with their
        estimated qps.  The ratelimited domains return an error for
        uncached (new) queries, but cached queries work as normal.

 ip_ratelimit_list [+a]
        List the ip addresses that are ratelimited.  Printed one per line
        with current estimated qps and qps limit from config.  With +a it
        prints all ips, not just the ratelimited ips, with their estimated
        qps.  The ratelimited ips are dropped before checking the cache.

 list_auth_zones
        List the auth zones that are configured.  Printed one per line
        with a status, indicating if the zone is expired and current
        serial number.  Configured RPZ zones are included.

 auth_zone_reload zone
        Reload the auth zone (or RPZ zone) from zonefile.  The zonefile is
        read in overwriting the current contents of the zone in memory.
        This changes the auth zone contents itself, not the cache
        contents.  Such cache contents exist if you set Unbound to
        validate with for-upstream yes and that can be cleared with
        flush_zone zone.

 auth_zone_transfer zone
        Transfer the auth zone (or RPZ zone) from master.  The auth zone
        probe sequence is started, where the masters are probed to see if
        they have an updated zone (with the SOA serial check).  And then
        the zone is transferred for a newer zone version.

 rpz_enable zone
        Enable the RPZ zone if it had previously been disabled.

 rpz_disable zone
        Disable the RPZ zone.

 view_list_local_zones view
        list_local_zones for given view.

 view_local_zone view name type
        local_zone for given view.

 view_local_zone_remove view name
        local_zone_remove for given view.

 view_list_local_data view
        list_local_data for given view.

 view_local_data view RR data...
        local_data for given view.

 view_local_data_remove view name
        local_data_remove for given view.

 view_local_datas_remove view
        Remove a list of local_data for given view from stdin. Like
        local_datas_remove.

 view_local_datas view
        Add a list of local_data for given view from stdin.  Like
        local_datas.

EXIT CODE

 The unbound-control program exits with status code 1 on error, 0 on
 success.

SET UP

 The setup requires a self-signed certificate and private keys for both
 the server and client.  The script unbound-control-setup generates these
 in the default run directory, or with -d in another directory.  If you
 change the access control permissions on the key files you can decide who
 can use unbound-control, by default owner and group but not all users.
 Run the script under the same username as you have configured in
 unbound.conf or as root, so that the daemon is permitted to read the
 files, for example with:
     sudo -u unbound unbound-control-setup
 If you have not configured a username in unbound.conf, the keys need read
 permission for the user credentials under which the daemon is started.
 The script preserves private keys present in the directory.  After
 running the script as root, turn on control-enable in unbound.conf.
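
 Added example, not part of the Unbound distribution: a check that the
 control-channel private keys are not accessible to all users, matching the
 default described above.  The function name audit_control_keys and the demo
 directory are hypothetical; the key file names and the default directory are
 the ones this page lists under FILES.

```shell
#!/bin/sh
# Added example (not part of unbound-control-setup): report control-channel
# private keys that users outside the owner and group can access.

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_control_keys() {
    dir=${1:-/var/unbound/etc}      # default directory from the FILES section
    rc=0
    for name in unbound_server.key unbound_control.key; do
        key="$dir/$name"
        if [ ! -f "$key" ]; then
            echo "MISSING $key"
            rc=1
        # Any read, write or execute bit set for "other" exposes the key.
        elif [ -n "$(find "$key" -prune \
                \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]; then
            echo "EXPOSED $key (accessible to all users)"
            rc=1
        fi
    done
    # A directory writable by everyone lets any user swap the key files.
    if [ -n "$(find "$dir" -prune -perm -002 2>/dev/null)" ]; then
        echo "WRITABLE $dir (writable by all users)"
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed directory so the example runs without a resolver.
demo_dir=$(mktemp -d)
: > "$demo_dir/unbound_server.key";  chmod 640 "$demo_dir/unbound_server.key"
: > "$demo_dir/unbound_control.key"; chmod 644 "$demo_dir/unbound_control.key"
audit_control_keys "$demo_dir" || echo "tighten the modes reported above" >&2
rm -rf "$demo_dir"
```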

STATISTIC COUNTERS

 The stats command shows a number of statistic counters.

 threadX.num.queries
        number of queries received by thread

 threadX.num.queries_ip_ratelimited
        number of queries rate limited by thread

 threadX.num.queries_cookie_valid
        number of queries with a valid DNS Cookie by thread

 threadX.num.queries_cookie_client
        number of queries with a client part only DNS Cookie by thread

 threadX.num.queries_cookie_invalid
        number of queries with an invalid DNS Cookie by thread

 threadX.num.cachehits
        number of queries that were successfully answered using a cache
        lookup

 threadX.num.cachemiss
        number of queries that needed recursive processing

 threadX.num.dnscrypt.crypted
        number of queries that were encrypted and successfully
        decapsulated by dnscrypt.

 threadX.num.dnscrypt.cert
        number of queries that were requesting dnscrypt certificates.

 threadX.num.dnscrypt.cleartext
        number of queries received on dnscrypt port that were cleartext
        and not a request for certificates.

 threadX.num.dnscrypt.malformed
        number of requests that were neither cleartext, nor valid dnscrypt
        messages.

 threadX.num.prefetch
        number of cache prefetches performed.  This number is included in
        cachehits, as the original query had the unprefetched answer from
        cache, and resulted in recursive processing, taking a slot in the
        requestlist.  Not part of the recursivereplies (or the histogram
        thereof) or cachemiss, as a cache response was sent.

 threadX.num.expired
        number of replies that served an expired cache entry.

 threadX.num.queries_timed_out
        number of queries that are dropped because they waited in the UDP
        socket buffer for too long.

 threadX.query.queue_time_us.max
        The maximum wait time for packets in the socket buffer, in
        microseconds. This is only reported when sock-queue-timeout is
        enabled.

 threadX.num.recursivereplies
        The number of replies sent to queries that needed recursive
        processing. Could be smaller than threadX.num.cachemiss if due to
        timeouts no replies were sent for some queries.

 threadX.requestlist.avg
        The average number of requests in the internal recursive
        processing request list on insert of a new incoming recursive
        processing query.

 threadX.requestlist.max
        Maximum size attained by the internal recursive processing request
        list.

 threadX.requestlist.overwritten
        Number of requests in the request list that were overwritten by
        newer entries. This happens if there is a flood of queries that
        need recursive processing and the server has a hard time.

 threadX.requestlist.exceeded
        Queries that were dropped because the request list was full. This
        happens if a flood of queries need recursive processing, and the
        server can not keep up.

 threadX.requestlist.current.all
        Current size of the request list, includes internally generated
        queries (such as priming queries and glue lookups).

 threadX.requestlist.current.user
        Current size of the request list, only the requests from client
        queries.

 threadX.recursion.time.avg
        Average time it took to answer queries that needed recursive
        processing. Note that queries that were answered from the cache
        are not in this average.

 threadX.recursion.time.median
        The median of the time it took to answer queries that needed
        recursive processing.  The median means that 50% of the user
        queries were answered in less than this time.  Because of big
        outliers (usually queries to non responsive servers), the average
        can be bigger than the median.  This median has been calculated by
        interpolation from a histogram.

 threadX.tcpusage
        The currently held tcp buffers for incoming connections.  A spot
        value on the time of the request.  This helps you spot if the
        incoming-num-tcp buffers are full.

 total.num.queries
        summed over threads.

 total.num.queries_ip_ratelimited
        summed over threads.

 total.num.queries_cookie_valid
        summed over threads.

 total.num.queries_cookie_client
        summed over threads.

 total.num.queries_cookie_invalid
        summed over threads.

 total.num.cachehits
        summed over threads.

 total.num.cachemiss
        summed over threads.

 total.num.dnscrypt.crypted
        summed over threads.

 total.num.dnscrypt.cert
        summed over threads.

 total.num.dnscrypt.cleartext
        summed over threads.

 total.num.dnscrypt.malformed
        summed over threads.

 total.num.prefetch
        summed over threads.

 total.num.expired
        summed over threads.

 total.num.queries_timed_out
        summed over threads.

 total.query.queue_time_us.max
        the maximum of the thread values.

 total.num.recursivereplies
        summed over threads.

 total.requestlist.avg
        averaged over threads.

 total.requestlist.max
        the maximum of the thread requestlist.max values.

 total.requestlist.overwritten
        summed over threads.

 total.requestlist.exceeded
        summed over threads.

 total.requestlist.current.all
        summed over threads.

 total.recursion.time.median
        averaged over threads.

 total.tcpusage
        summed over threads.

 time.now
        current time in seconds since 1970.

 time.up
        uptime since server boot in seconds.

 time.elapsed
        time since last statistics printout, in seconds.

EXTENDED STATISTICS

 mem.cache.rrset
        Memory in bytes in use by the RRset cache.

 mem.cache.message
        Memory in bytes in use by the message cache.

 mem.cache.dnscrypt_shared_secret
        Memory in bytes in use by the dnscrypt shared secrets cache.

 mem.cache.dnscrypt_nonce
        Memory in bytes in use by the dnscrypt nonce cache.

 mem.mod.iterator
        Memory in bytes in use by the iterator module.

 mem.mod.validator
        Memory in bytes in use by the validator module. Includes the key
        cache and negative cache.

 mem.streamwait
        Memory in bytes in use by the TCP and TLS stream wait buffers.
        These are answers waiting to be written back to the clients.

 mem.http.query_buffer
        Memory in bytes used by the HTTP/2 query buffers. Containing
        (partial) DNS queries waiting for request stream completion.

 mem.http.response_buffer
        Memory in bytes used by the HTTP/2 response buffers. Containing
        DNS responses waiting to be written back to the clients.

 histogram.<sec>.<usec>.to.<sec>.<usec>
        Shows a histogram, summed over all threads. Every element counts
        the recursive queries whose reply time fit between the lower and
        upper bound.  Times larger or equal to the lowerbound, and smaller
        than the upper bound.  There are 40 buckets, with bucket sizes
        doubling.

 num.query.type.A
        The total number of queries over all threads with query type A.
        Printed for the other query types as well, but only for the types
        for which queries were received, thus =0 entries are omitted for
        brevity.

 num.query.type.other
        Number of queries with query types 256-65535.

 num.query.class.IN
        The total number of queries over all threads with query class IN
        (internet).  Also printed for other classes (such as CH (CHAOS)
        sometimes used for debugging), or NONE, ANY, used by dynamic
        update.  num.query.class.other is printed for classes 256-65535.

 num.query.opcode.QUERY
        The total number of queries over all threads with query opcode
        QUERY.  Also printed for other opcodes, UPDATE, ...

 num.query.tcp
        Number of queries that were made using TCP towards the Unbound
        server.

 num.query.tcpout
        Number of queries that the Unbound server made using TCP outgoing
        towards other servers.

 num.query.udpout
        Number of queries that the Unbound server made using UDP outgoing
        towards other servers.

 num.query.tls
        Number of queries that were made using TLS towards the Unbound
        server.  These are also counted in num.query.tcp, because TLS uses
        TCP.

 num.query.tls.resume
        Number of TLS session resumptions, these are queries over TLS
        towards the Unbound server where the client negotiated a TLS
        session resumption key.

 num.query.https
        Number of queries that were made using HTTPS towards the Unbound
        server.  These are also counted in num.query.tcp and
        num.query.tls, because HTTPS uses TLS and TCP.

 num.query.ipv6
        Number of queries that were made using IPv6 towards the Unbound
        server.

 num.query.flags.RD
        The number of queries that had the RD flag set in the header.
        Also printed for flags QR, AA, TC, RA, Z, AD, CD.  Note that
        queries with flags QR, AA or TC may have been rejected because of
        that.

 num.query.edns.present
        number of queries that had an EDNS OPT record present.

 num.query.edns.DO
        number of queries that had an EDNS OPT record with the DO (DNSSEC
        OK) bit set.  These queries are also included in the
        num.query.edns.present number.

 num.query.ratelimited
        The number of queries that are turned away from being sent to
        nameserver due to ratelimiting.

 num.query.dnscrypt.shared_secret.cachemiss
        The number of dnscrypt queries that did not find a shared secret
        in the cache.  This can be used to compute the shared secret
        hitrate.

 num.query.dnscrypt.replay
        The number of dnscrypt queries that found a nonce hit in the nonce
        cache and hence are considered a query replay.

 num.answer.rcode.NXDOMAIN
        The number of answers to queries, from cache or from recursion,
        that had the return code NXDOMAIN. Also printed for the other
        return codes.

 num.answer.rcode.nodata
        The number of answers to queries that had the pseudo return code
        nodata.  This means the actual return code was NOERROR, but
        additionally, no data was carried in the answer (making what is
        called a NOERROR/NODATA answer).  These queries are also included
        in the num.answer.rcode.NOERROR number.  Common for AAAA lookups
        when an A record exists, and no AAAA.

 num.answer.secure
        Number of answers that were secure.  The answer validated
        correctly.  The AD bit might have been set in some of these
        answers, where the client signalled (with DO or AD bit in the
        query) that they were ready to accept the AD bit in the answer.

 num.answer.bogus
        Number of answers that were bogus.  These answers resulted in
        SERVFAIL to the client because the answer failed validation.

 num.rrset.bogus
        The number of rrsets marked bogus by the validator.  Increased for
        every RRset inspection that fails.

 unwanted.queries
        Number of queries that were refused or dropped because they failed
        the access control settings.

 unwanted.replies
        Replies that were unwanted or unsolicited.  Could have been random
        traffic, delayed duplicates, very late answers, or could be
        spoofing attempts.  Some low level of late answers and delayed
        duplicates are to be expected with the UDP protocol.  Very high
        values could indicate a threat (spoofing).

 msg.cache.count
        The number of items (DNS replies) in the message cache.

 rrset.cache.count
        The number of RRsets in the rrset cache.  This includes rrsets
        used by the messages in the message cache, but also delegation
        information.

 infra.cache.count
        The number of items in the infra cache.  These are IP addresses
        with their timing and protocol support information.

 key.cache.count
        The number of items in the key cache.  These are DNSSEC keys, one
        item per delegation point, and their validation status.

 msg.cache.max_collisions
        The maximum number of hash table collisions in the msg cache. This
        is the number of hashes that are identical when a new element is
        inserted in the hash table. If the value is very large, like
        hundreds, something is wrong with the performance of the hash
        table, hash values are incorrect or malicious.

 rrset.cache.max_collisions
        The maximum number of hash table collisions in the rrset cache.
        This is the number of hashes that are identical when a new element
        is inserted in the hash table. If the value is very large, like
        hundreds, something is wrong with the performance of the hash
        table, hash values are incorrect or malicious.

 dnscrypt_shared_secret.cache.count
        The number of items in the shared secret cache. These are
        precomputed shared secrets for a given client public key/server
        secret key pair. Shared secrets are CPU intensive and this cache
        allows Unbound to avoid recomputing the shared secret when
        multiple dnscrypt queries are sent from the same client.

 dnscrypt_nonce.cache.count
        The number of items in the client nonce cache. This cache is used
        to prevent dnscrypt queries replay. The client nonce must be
        unique for each client public key/server secret key pair. This
        cache should be able to host QPS * `replay window` interval keys
        to prevent replay of a query during `replay window` seconds.

 num.query.authzone.up
        The number of queries answered from auth-zone data, upstream
        queries.  These queries would otherwise have been sent (with
        fallback enabled) to the internet, but are now answered from the
        auth zone.

 num.query.authzone.down
        The number of queries for downstream answered from auth-zone data.
        These queries are from downstream clients, and have had an answer
        from the data in the auth zone.

 num.query.aggressive.NOERROR
        The number of queries answered using cached NSEC records with
        NODATA RCODE.  These queries would otherwise have been sent to the
        internet, but are now answered using cached data.

 num.query.aggressive.NXDOMAIN
        The number of queries answered using cached NSEC records with
        NXDOMAIN RCODE.  These queries would otherwise have been sent to
        the internet, but are now answered using cached data.

 num.query.subnet
        Number of queries that got an answer that contained EDNS client
        subnet data.

 num.query.subnet_cache
        Number of queries answered from the edns client subnet cache.
        These are counted as cachemiss by the main counters, but hit the
        client subnet specific cache after getting processed by the edns
        client subnet module.

 num.query.cachedb
        Number of queries answered from the external cache of cachedb.
        These are counted as cachemiss by the main counters, but hit the
        cachedb external cache after getting processed by the cachedb
        module.

 num.rpz.action.<rpz_action>
        Number of queries answered using configured RPZ policy, per RPZ
        action type.  Possible actions are: nxdomain, nodata, passthru,
        drop, tcp-only, local-data, disabled, and cname-override.
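
 Added example, not part of the Unbound distribution: a filter for
 stats_noreset output that flags the counters this page describes as possible
 signs of spoofing, malicious hash values or overload.  The function name
 check_stats and all limits are assumptions, and the sample lines are
 constructed in a name=value layout (name: value is accepted as well).

```shell
#!/bin/sh
# Added example (not from the Unbound distribution): scan statistics output for
# the counters the manual flags as possible signs of spoofing or flooding.
# All limits below are assumptions for illustration; tune them per resolver.
: "${UNWANTED_REPLY_LIMIT:=10000}"   # unwanted.replies: "very high values"
: "${COLLISION_LIMIT:=100}"          # *.cache.max_collisions: "hundreds"
: "${BOGUS_PERCENT_LIMIT:=5}"        # num.answer.bogus as % of total.num.queries

# Reads "name=value" (or "name: value") lines on stdin, prints one ALERT line
# per finding, and returns 1 if anything was flagged, 0 otherwise.
check_stats() {
    awk -F'[=:]' \
        -v unwanted_limit="$UNWANTED_REPLY_LIMIT" \
        -v collision_limit="$COLLISION_LIMIT" \
        -v bogus_pct="$BOGUS_PERCENT_LIMIT" '
    function alert(name, why) {
        printf "ALERT %s=%d (%s)\n", name, v[name], why
        found++
    }
    NF >= 2 {
        key = $1
        gsub(/[ \t]/, "", key)
        v[key] = $2 + 0
    }
    END {
        if (v["unwanted.replies"] > unwanted_limit)
            alert("unwanted.replies", "possible spoofing attempts")
        if (v["msg.cache.max_collisions"] >= collision_limit)
            alert("msg.cache.max_collisions", "hash collisions abnormally high")
        if (v["rrset.cache.max_collisions"] >= collision_limit)
            alert("rrset.cache.max_collisions", "hash collisions abnormally high")
        if (v["total.requestlist.exceeded"] > 0)
            alert("total.requestlist.exceeded", "queries dropped, request list full")
        q = v["total.num.queries"]
        if (q > 0 && v["num.answer.bogus"] * 100 > bogus_pct * q)
            alert("num.answer.bogus", "validation failures above limit")
        exit (found > 0)
    }'
}

# Constructed sample lines, not captured from a real server.
sample_stats() {
    cat <<'EOF'
total.num.queries=120000
total.num.cachehits=90000
total.requestlist.exceeded=0
num.answer.secure=40000
num.answer.bogus=9000
unwanted.queries=12
unwanted.replies=250431
msg.cache.max_collisions=3
rrset.cache.max_collisions=412
EOF
}

# Demo on the constructed sample; on a live resolver use:
#   unbound-control stats_noreset | check_stats
if ! sample_stats | check_stats; then
    echo "counters above exceeded their limits" >&2
fi
```

 stats_noreset is used rather than stats so that the check does not zero the
 counters other monitoring may be reading.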

FILES

 /var/unbound/etc/unbound.conf
        Unbound configuration file.

 /var/unbound/etc
        directory with private keys (unbound_server.key and
        unbound_control.key) and self-signed certificates
        (unbound_server.pem and unbound_control.pem).

SEE ALSO

 unbound.conf(5), unbound(8).

NLnet Labs August 30, 2023 unbound-control(8)