unbound-control(8) unbound 1.18.0 unbound-control(8)
NAME
unbound-control, unbound-control-setup - Unbound remote server control
utility.
SYNOPSIS
unbound-control [-hq] [-c cfgfile] [-s server] command
DESCRIPTION
Unbound-control performs remote administration on the unbound(8) DNS
server. It reads the configuration file, contacts the Unbound server
over SSL, sends the command and displays the result.
The available options are:
-h Show the version and commandline option help.
-c cfgfile
The config file to read with settings. If not given the default
config file /var/unbound/etc/unbound.conf is used.
-s server[@port]
IPv4 or IPv6 address of the server to contact. If not given, the
address is read from the config file.
-q Quiet: if the option is given, it does not print anything if it
works ok.
COMMANDS
There are several commands that the server understands.
start Start the server. Simply execs unbound(8). The Unbound executable
is searched for in the PATH set in the environment. It is started
with the config file specified using -c or the default config
file.
stop Stop the server. The server daemon exits.
reload Reload the server. This flushes the cache and reads the config
file fresh.
reload_keep_cache
Reload the server but try to keep the RRset and message cache if
(re)configuration allows for it. That means the cache sizes and
the number of threads must not change between reloads.
verbosity number
Change verbosity value for logging. Same values as verbosity
keyword in unbound.conf(5). This new setting lasts until the
server is issued a reload (taken from config file again), or the
next verbosity control command.
log_reopen
Reopen the logfile, close and open it. Useful for logrotation to
make the daemon release the file it is logging to. If you are
using syslog it will attempt to close and open the syslog (which
may not work if chrooted).
stats Print statistics. Resets the internal counters to zero; this can
be controlled using the statistics-cumulative config statement.
Statistics are printed with one [name]: [value] per line.
stats_noreset
Peek at statistics. Prints them like the stats command does, but
does not reset the internal counters to zero.
status Display server status. Exit code 3 if not running (the connection
to the port is refused), 1 on error, 0 if running.
local_zone name type
Add new local zone with name and type. Like local-zone config
statement. If the zone already exists, the type is changed to the
given argument.
local_zone_remove name
Remove the local zone with the given name. Removes all local data
inside it. If the zone does not exist, the command succeeds.
local_data RR data...
Add new local data, the given resource record. Like local-data
config statement, except for when no covering zone exists. In
that case this remote control command creates a transparent zone
with the same name as this record.
local_data_remove name
Remove all RR data from local name. If the name already has no
items, nothing happens. Often results in NXDOMAIN for the name
(in a static zone), but if the name has become an empty
nonterminal (there is still data in domain names below the removed
name), NOERROR nodata answers are the result for that name.
local_zones
Add local zones read from stdin of unbound-control. Input is read
per line, with name space type on a line. For bulk additions.
local_zones_remove
Remove local zones read from stdin of unbound-control. Input is
one name per line. For bulk removals.
local_datas
Add local data RRs read from stdin of unbound-control. Input is
one RR per line. For bulk additions.
local_datas_remove
Remove local data RRs read from stdin of unbound-control. Input is
one name per line. For bulk removals.
dump_cache
The contents of the cache are printed in a text format to stdout.
You can redirect it to a file to store the cache in a file.
load_cache
The contents of the cache are loaded from stdin. Uses the same
format as dump_cache uses. Loading the cache with old, or wrong
data can result in old or wrong data returned to clients. Loading
data into the cache in this way is supported in order to aid with
debugging.
lookup name
Print to stdout the name servers that would be used to look up the
name specified.
flush name
Remove the name from the cache. Removes the types A, AAAA, NS,
SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS, because
that is fast to do. Other record types can be removed using
flush_type or flush_zone.
flush_type name type
Remove the name, type information from the cache.
flush_zone name
Remove all information at or below the name from the cache. The
rrsets and key entries are removed so that new lookups will be
performed. This needs to walk and inspect the entire cache, and
is a slow operation. The entries are set to expired in the
implementation of this command (so, with serve-expired enabled,
it'll serve that information but schedule a prefetch for new
information).
flush_bogus
Remove all bogus data from the cache.
flush_negative
Remove all negative data from the cache. This is nxdomain
answers, nodata answers and servfail answers. Also removes bad
key entries (which could be due to failed lookups) from the dnssec
key cache, and iterator last-resort lookup failures from the rrset
cache.
flush_stats
Reset statistics to zero.
flush_requestlist
Drop the queries that are worked on. Stops working on the queries
that the server is working on now. The cache is unaffected. No
reply is sent for those queries, probably making those users
request again later. Useful to make the server restart working on
queries with new settings, such as a higher verbosity level.
dump_requestlist
Show what is worked on. Prints all queries that the server is
currently working on. Prints the time that users have been
waiting. For internal requests, no time is printed. And then
prints out the module status. This prints the queries from the
first thread, and not queries that are being serviced from other
threads.
flush_infra all|IP
If all, then the entire infra cache is emptied. If a specific IP
address, the entry for that address is removed from the cache. It
contains EDNS, ping and lameness data.
dump_infra
Show the contents of the infra cache.
set_option opt: val
Set the option to the given value without a reload. The cache is
therefore not flushed. The option must end with a ':' and
whitespace must be between the option and the value. Some values
may not have an effect if set this way. The new values are not
written to the config file, and not all options are supported. This
is different from the set_option call in libunbound, where all
values work because Unbound has not been initialized.
The values that work are: statistics-interval,
statistics-cumulative, do-not-query-localhost,
harden-short-bufsize, harden-large-queries, harden-glue,
harden-dnssec-stripped, harden-below-nxdomain,
harden-referral-path, prefetch, prefetch-key, log-queries,
hide-identity, hide-version, identity, version, val-log-level,
val-log-squelch, ignore-cd-flag, add-holddown, del-holddown,
keep-missing, tcp-upstream, ssl-upstream, max-udp-size, ratelimit,
ip-ratelimit, cache-max-ttl, cache-min-ttl,
cache-max-negative-ttl.
get_option opt
Get the value of the option. Give the option name without a
trailing ':'. The value is printed. If the value is "", nothing
is printed and the connection closes. On error 'error ...' is
printed (it gives a syntax error on unknown option). For some
options a list of values, one on each line, is printed. The
options are shown from the config file as modified with
set_option. For some options an override may have been taken that
does not show up with this command, nor do results from e.g. the
verbosity and forward control commands. Not all options work, see
list_stubs, list_forwards, list_local_zones and list_local_data
for those.
list_stubs
List the stub zones in use. These are printed one by one to the
output. This includes the root hints in use.
list_forwards
List the forward zones in use. These are printed zone by zone to
the output.
list_insecure
List the zones with domain-insecure.
list_local_zones
List the local zones in use. These are printed one per line with
zone type.
list_local_data
List the local data RRs in use. The resource records are printed.
insecure_add zone
Add a domain-insecure for the given zone, like the statement in
unbound.conf. Adds to the running Unbound without affecting the
cache contents (which may still be bogus, use flush_zone to remove
it), does not affect the config file.
insecure_remove zone
Removes domain-insecure for the given zone.
forward_add [+i] zone addr ...
Add a new forward zone to running Unbound. With +i option also
adds a domain-insecure for the zone (so it can resolve insecurely
if you have a DNSSEC root trust anchor configured for other
names). The addr can be IP4, IP6 or nameserver names, like
forward-zone config in unbound.conf.
forward_remove [+i] zone
Remove a forward zone from running Unbound. The +i also removes a
domain-insecure for the zone.
stub_add [+ip] zone addr ...
Add a new stub zone to running Unbound. With +i option also adds
a domain-insecure for the zone. With +p the stub zone is set to
prime, without it it is set to notprime. The addr can be IP4, IP6
or nameserver names, like the stub-zone config in unbound.conf.
stub_remove [+i] zone
Remove a stub zone from running Unbound. The +i also removes a
domain-insecure for the zone.
forward [off | addr ... ]
Setup forwarding mode. Configures if the server should ask other
upstream nameservers, should go to the internet root nameservers
itself, or show the current config. You could pass the
nameservers after a DHCP update.
Without arguments the current list of addresses used to forward
all queries to is printed. On startup this is from the
forward-zone "." configuration. Afterwards it shows the status.
It prints off when no forwarding is used.
If off is passed, forwarding is disabled and the root nameservers
are used. This can be used to avoid buggy or non-DNSSEC
supporting nameservers returned from DHCP, but may not work in
hotels or hotspots.
If one or more IPv4 or IPv6 addresses are given, those are then
used to forward queries to. The addresses must be separated with
spaces. With '@port' the port number can be set explicitly
(default port is 53 (DNS)).
By default the forwarder information from the config file for the
root "." is used. The config file is not changed, so after a
reload these changes are gone. Other forward zones from the
config file are not affected by this command.
ratelimit_list [+a]
List the domains that are ratelimited. Printed one per line with
current estimated qps and qps limit from config. With +a it
prints all domains, not just the ratelimited domains, with their
estimated qps. The ratelimited domains return an error for
uncached (new) queries, but cached queries work as normal.
ip_ratelimit_list [+a]
List the ip addresses that are ratelimited. Printed one per line
with current estimated qps and qps limit from config. With +a it
prints all ips, not just the ratelimited ips, with their estimated
qps. The ratelimited ips are dropped before checking the cache.
list_auth_zones
List the auth zones that are configured. Printed one per line
with a status, indicating if the zone is expired and current
serial number. Configured RPZ zones are included.
auth_zone_reload zone
Reload the auth zone (or RPZ zone) from zonefile. The zonefile is
read in overwriting the current contents of the zone in memory.
This changes the auth zone contents itself, not the cache
contents. Such cache contents exist if you set Unbound to
validate with for-upstream yes and that can be cleared with
flush_zone zone.
auth_zone_transfer zone
Transfer the auth zone (or RPZ zone) from master. The auth zone
probe sequence is started, where the masters are probed to see if
they have an updated zone (with the SOA serial check). And then
the zone is transferred for a newer zone version.
rpz_enable zone
Enable the RPZ zone if it had previously been disabled.
rpz_disable zone
Disable the RPZ zone.
view_list_local_zones view
list_local_zones for given view.
view_local_zone view name type
local_zone for given view.
view_local_zone_remove view name
local_zone_remove for given view.
view_list_local_data view
list_local_data for given view.
view_local_data view RR data...
local_data for given view.
view_local_data_remove view name
local_data_remove for given view.
view_local_datas_remove view
Remove a list of local_data for given view from stdin. Like
local_datas_remove.
view_local_datas view
Add a list of local_data for given view from stdin. Like
local_datas.
EXIT CODE
The unbound-control program exits with status code 1 on error, 0 on
success.
SET UP
The setup requires a self-signed certificate and private keys for both
the server and client. The script unbound-control-setup generates these
in the default run directory, or with -d in another directory. If you
change the access control permissions on the key files you can decide who
can use unbound-control, by default owner and group but not all users.
Run the script under the same username as you have configured in
unbound.conf or as root, so that the daemon is permitted to read the
files, for example with:
sudo -u unbound unbound-control-setup
If you have not configured a username in unbound.conf, the keys need read
permission for the user credentials under which the daemon is started.
The script preserves private keys present in the directory. After
running the script as root, turn on control-enable in unbound.conf.
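A check for the result of the setup steps above, as an added example that is not part of the Unbound distribution. The function names audit_control_keys and control_enabled are hypothetical; the file names are the ones this page lists under FILES, and the key directory and config path are passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the Unbound distribution.
# Typical use, with the directory this page lists under FILES:
#   audit_control_keys /var/unbound/etc
#   control_enabled /var/unbound/etc/unbound.conf

# audit_control_keys DIR
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_control_keys() {
    keydir=$1
    findings=0

    # Both key pairs have to be present: the server and the client each
    # authenticate with their own key and self-signed certificate.
    for f in unbound_server.key unbound_server.pem \
             unbound_control.key unbound_control.pem; do
        if [ ! -f "$keydir/$f" ]; then
            echo "MISSING $f"
            findings=1
        fi
    done

    # The default is access for owner and group only. Any permission bit
    # for "other" on a private key widens who can use unbound-control.
    for k in unbound_server.key unbound_control.key; do
        [ -f "$keydir/$k" ] || continue
        hit=$(find "$keydir/$k" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$hit" ]; then
            echo "WORLD-ACCESSIBLE $k"
            findings=1
        fi
    done
    return "$findings"
}

# control_enabled CONF
# Returns 0 if CONF has an uncommented "control-enable: yes" line.
control_enabled() {
    grep -Eq '^[[:space:]]*control-enable:[[:space:]]*yes' "$1"
}
```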
STATISTIC COUNTERS
The stats command shows a number of statistic counters.
threadX.num.queries
number of queries received by thread
threadX.num.queries_ip_ratelimited
number of queries rate limited by thread
threadX.num.queries_cookie_valid
number of queries with a valid DNS Cookie by thread
threadX.num.queries_cookie_client
number of queries with a client part only DNS Cookie by thread
threadX.num.queries_cookie_invalid
number of queries with an invalid DNS Cookie by thread
threadX.num.cachehits
number of queries that were successfully answered using a cache
lookup
threadX.num.cachemiss
number of queries that needed recursive processing
threadX.num.dnscrypt.crypted
number of queries that were encrypted and successfully
decapsulated by dnscrypt.
threadX.num.dnscrypt.cert
number of queries that were requesting dnscrypt certificates.
threadX.num.dnscrypt.cleartext
number of queries received on dnscrypt port that were cleartext
and not a request for certificates.
threadX.num.dnscrypt.malformed
number of requests that were neither cleartext nor valid dnscrypt
messages.
threadX.num.prefetch
number of cache prefetches performed. This number is included in
cachehits, as the original query had the unprefetched answer from
cache, and resulted in recursive processing, taking a slot in the
requestlist. Not part of the recursivereplies (or the histogram
thereof) or cachemiss, as a cache response was sent.
threadX.num.expired
number of replies that served an expired cache entry.
threadX.num.queries_timed_out
number of queries that are dropped because they waited in the UDP
socket buffer for too long.
threadX.query.queue_time_us.max
The maximum wait time for packets in the socket buffer, in
microseconds. This is only reported when sock-queue-timeout is
enabled.
threadX.num.recursivereplies
The number of replies sent to queries that needed recursive
processing. Could be smaller than threadX.num.cachemiss if due to
timeouts no replies were sent for some queries.
threadX.requestlist.avg
The average number of requests in the internal recursive
processing request list on insert of a new incoming recursive
processing query.
threadX.requestlist.max
Maximum size attained by the internal recursive processing request
list.
threadX.requestlist.overwritten
Number of requests in the request list that were overwritten by
newer entries. This happens if there is a flood of queries that
need recursive processing and the server has a hard time.
threadX.requestlist.exceeded
Queries that were dropped because the request list was full. This
happens if a flood of queries need recursive processing, and the
server can not keep up.
threadX.requestlist.current.all
Current size of the request list, includes internally generated
queries (such as priming queries and glue lookups).
threadX.requestlist.current.user
Current size of the request list, only the requests from client
queries.
threadX.recursion.time.avg
Average time it took to answer queries that needed recursive
processing. Note that queries that were answered from the cache
are not in this average.
threadX.recursion.time.median
The median of the time it took to answer queries that needed
recursive processing. The median means that 50% of the user
queries were answered in less than this time. Because of big
outliers (usually queries to non responsive servers), the average
can be bigger than the median. This median has been calculated by
interpolation from a histogram.
threadX.tcpusage
The currently held tcp buffers for incoming connections. A spot
value on the time of the request. This helps you spot if the
incoming-num-tcp buffers are full.
total.num.queries
summed over threads.
total.num.queries_ip_ratelimited
summed over threads.
total.num.queries_cookie_valid
summed over threads.
total.num.queries_cookie_client
summed over threads.
total.num.queries_cookie_invalid
summed over threads.
total.num.cachehits
summed over threads.
total.num.cachemiss
summed over threads.
total.num.dnscrypt.crypted
summed over threads.
total.num.dnscrypt.cert
summed over threads.
total.num.dnscrypt.cleartext
summed over threads.
total.num.dnscrypt.malformed
summed over threads.
total.num.prefetch
summed over threads.
total.num.expired
summed over threads.
total.num.queries_timed_out
summed over threads.
total.query.queue_time_us.max
the maximum of the thread values.
total.num.recursivereplies
summed over threads.
total.requestlist.avg
averaged over threads.
total.requestlist.max
the maximum of the thread requestlist.max values.
total.requestlist.overwritten
summed over threads.
total.requestlist.exceeded
summed over threads.
total.requestlist.current.all
summed over threads.
total.recursion.time.median
averaged over threads.
total.tcpusage
summed over threads.
time.now
current time in seconds since 1970.
time.up
uptime since server boot in seconds.
time.elapsed
time since last statistics printout, in seconds.
EXTENDED STATISTICS
mem.cache.rrset
Memory in bytes in use by the RRset cache.
mem.cache.message
Memory in bytes in use by the message cache.
mem.cache.dnscrypt_shared_secret
Memory in bytes in use by the dnscrypt shared secrets cache.
mem.cache.dnscrypt_nonce
Memory in bytes in use by the dnscrypt nonce cache.
mem.mod.iterator
Memory in bytes in use by the iterator module.
mem.mod.validator
Memory in bytes in use by the validator module. Includes the key
cache and negative cache.
mem.streamwait
Memory in bytes in use by the TCP and TLS stream wait buffers.
These are answers waiting to be written back to the clients.
mem.http.query_buffer
Memory in bytes used by the HTTP/2 query buffers. Containing
(partial) DNS queries waiting for request stream completion.
mem.http.response_buffer
Memory in bytes used by the HTTP/2 response buffers. Containing
DNS responses waiting to be written back to the clients.
histogram.<sec>.<usec>.to.<sec>.<usec>
Shows a histogram, summed over all threads. Every element counts
the recursive queries whose reply time fit between the lower and
upper bound. Times larger or equal to the lower bound, and smaller
than the upper bound. There are 40 buckets, with bucket sizes
doubling.
num.query.type.A
The total number of queries over all threads with query type A.
Printed for the other query types as well, but only for the types
for which queries were received, thus =0 entries are omitted for
brevity.
num.query.type.other
Number of queries with query types 256-65535.
num.query.class.IN
The total number of queries over all threads with query class IN
(internet). Also printed for other classes (such as CH (CHAOS)
sometimes used for debugging), or NONE, ANY, used by dynamic
update. num.query.class.other is printed for classes 256-65535.
num.query.opcode.QUERY
The total number of queries over all threads with query opcode
QUERY. Also printed for other opcodes, UPDATE, ...
num.query.tcp
Number of queries that were made using TCP towards the Unbound
server.
num.query.tcpout
Number of queries that the Unbound server made using TCP outgoing
towards other servers.
num.query.udpout
Number of queries that the Unbound server made using UDP outgoing
towards other servers.
num.query.tls
Number of queries that were made using TLS towards the Unbound
server. These are also counted in num.query.tcp, because TLS uses
TCP.
num.query.tls.resume
Number of TLS session resumptions, these are queries over TLS
towards the Unbound server where the client negotiated a TLS
session resumption key.
num.query.https
Number of queries that were made using HTTPS towards the Unbound
server. These are also counted in num.query.tcp and
num.query.tls, because HTTPS uses TLS and TCP.
num.query.ipv6
Number of queries that were made using IPv6 towards the Unbound
server.
num.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD. Note that
queries with flags QR, AA or TC may have been rejected because of
that.
num.query.edns.present
number of queries that had an EDNS OPT record present.
num.query.edns.DO
number of queries that had an EDNS OPT record with the DO (DNSSEC
OK) bit set. These queries are also included in the
num.query.edns.present number.
num.query.ratelimited
The number of queries that are turned away from being sent to the
nameserver due to ratelimiting.
num.query.dnscrypt.shared_secret.cachemiss
The number of dnscrypt queries that did not find a shared secret
in the cache. This can be used to compute the shared secret
hitrate.
num.query.dnscrypt.replay
The number of dnscrypt queries that found a nonce hit in the nonce
cache and hence are considered a query replay.
num.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion,
that had the return code NXDOMAIN. Also printed for the other
return codes.
num.answer.rcode.nodata
The number of answers to queries that had the pseudo return code
nodata. This means the actual return code was NOERROR, but
additionally, no data was carried in the answer (making what is
called a NOERROR/NODATA answer). These queries are also included
in the num.answer.rcode.NOERROR number. Common for AAAA lookups
when an A record exists, and no AAAA.
num.answer.secure
Number of answers that were secure. The answer validated
correctly. The AD bit might have been set in some of these
answers, where the client signalled (with DO or AD bit in the
query) that they were ready to accept the AD bit in the answer.
num.answer.bogus
Number of answers that were bogus. These answers resulted in
SERVFAIL to the client because the answer failed validation.
num.rrset.bogus
The number of rrsets marked bogus by the validator. Increased for
every RRset inspection that fails.
unwanted.queries
Number of queries that were refused or dropped because they failed
the access control settings.
unwanted.replies
Replies that were unwanted or unsolicited. Could have been random
traffic, delayed duplicates, very late answers, or could be
spoofing attempts. Some low level of late answers and delayed
duplicates are to be expected with the UDP protocol. Very high
values could indicate a threat (spoofing).
msg.cache.count
The number of items (DNS replies) in the message cache.
rrset.cache.count
The number of RRsets in the rrset cache. This includes rrsets
used by the messages in the message cache, but also delegation
information.
infra.cache.count
The number of items in the infra cache. These are IP addresses
with their timing and protocol support information.
key.cache.count
The number of items in the key cache. These are DNSSEC keys, one
item per delegation point, and their validation status.
msg.cache.max_collisions
The maximum number of hash table collisions in the msg cache. This
is the number of hashes that are identical when a new element is
inserted in the hash table. If the value is very large, like
hundreds, something is wrong with the performance of the hash
table, hash values are incorrect or malicious.
rrset.cache.max_collisions
The maximum number of hash table collisions in the rrset cache.
This is the number of hashes that are identical when a new element
is inserted in the hash table. If the value is very large, like
hundreds, something is wrong with the performance of the hash
table, hash values are incorrect or malicious.
dnscrypt_shared_secret.cache.count
The number of items in the shared secret cache. These are
precomputed shared secrets for a given client public key/server
secret key pair. Shared secrets are CPU intensive and this cache
allows Unbound to avoid recomputing the shared secret when
multiple dnscrypt queries are sent from the same client.
dnscrypt_nonce.cache.count
The number of items in the client nonce cache. This cache is used
to prevent dnscrypt query replay. The client nonce must be
unique for each client public key/server secret key pair. This
cache should be able to host QPS * `replay window` interval keys
to prevent replay of a query during `replay window` seconds.
num.query.authzone.up
The number of queries answered from auth-zone data, upstream
queries. These queries would otherwise have been sent (with
fallback enabled) to the internet, but are now answered from the
auth zone.
num.query.authzone.down
The number of queries for downstream answered from auth-zone data.
These queries are from downstream clients, and have had an answer
from the data in the auth zone.
num.query.aggressive.NOERROR
The number of queries answered using cached NSEC records with
NODATA RCODE. These queries would otherwise have been sent to the
internet, but are now answered using cached data.
num.query.aggressive.NXDOMAIN
The number of queries answered using cached NSEC records with
NXDOMAIN RCODE. These queries would otherwise have been sent to
the internet, but are now answered using cached data.
num.query.subnet
Number of queries that got an answer that contained EDNS client
subnet data.
num.query.subnet_cache
Number of queries answered from the edns client subnet cache.
These are counted as cachemiss by the main counters, but hit the
client subnet specific cache after getting processed by the edns
client subnet module.
num.query.cachedb
Number of queries answered from the external cache of cachedb.
These are counted as cachemiss by the main counters, but hit the
cachedb external cache after getting processed by the cachedb
module.
num.rpz.action.<rpz_action>
Number of queries answered using configured RPZ policy, per RPZ
action type. Possible actions are: nxdomain, nodata, passthru,
drop, tcp-only, local-data, disabled, and cname-override.
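A triage pass over the counters described above, as an added example that is not part of the Unbound distribution. The names triage_stats and sample_stats, the sample values and both thresholds are assumptions; the parser accepts the "[name]: [value]" form this page describes as well as name=value lines.

```shell
#!/bin/sh
# Added example, not part of the Unbound distribution.
# Typical use (stats_noreset leaves the counters untouched):
#   unbound-control stats_noreset | triage_stats 1000 100

# triage_stats [UNWANTED_MAX] [COLLISION_MAX]
# Reads one counter per line on stdin, as "name=value" or "name: value".
# Prints the cache hit percentage plus ALERT/WARN lines; returns 1 if any
# ALERT was raised. Both thresholds are assumptions to tune per site.
triage_stats() {
    awk -v unwanted_max="${1:-1000}" -v coll_max="${2:-100}" '
    {
        sep = index($0, "=")
        if (sep == 0) sep = index($0, ":")
        if (sep == 0) next                 # not a counter line
        name = substr($0, 1, sep - 1)
        val  = substr($0, sep + 1)
        gsub(/[ \t]/, "", name)
        gsub(/[ \t]/, "", val)
        v[name] = val                      # keep the raw text for printing
    }
    END {
        alerts = 0
        q = v["total.num.queries"] + 0
        if (q > 0)
            printf "cache_hit_pct=%.1f\n", 100 * v["total.num.cachehits"] / q

        # Unsolicited replies: a low level is normal with UDP, a very high
        # value can mean spoofing attempts.
        if (v["unwanted.replies"] + 0 >= unwanted_max + 0) {
            print "ALERT unwanted.replies=" v["unwanted.replies"]
            alerts++
        }

        # Hash collisions in the hundreds point at a misbehaving hash
        # table or at malicious hash values.
        n = split("msg.cache.max_collisions rrset.cache.max_collisions", c, " ")
        for (i = 1; i <= n; i++)
            if (v[c[i]] + 0 >= coll_max + 0) {
                print "ALERT " c[i] "=" v[c[i]]
                alerts++
            }

        # Queries dropped because the request list was full.
        if (v["total.requestlist.exceeded"] + 0 > 0)
            print "WARN total.requestlist.exceeded=" v["total.requestlist.exceeded"]

        exit (alerts > 0)
    }'
}

# Constructed sample counters, not output from a real server.
sample_stats() {
    cat <<'EOF'
total.num.queries=2000
total.num.cachehits=1500
total.num.cachemiss=500
total.requestlist.exceeded=0
unwanted.queries=0
unwanted.replies=4200
msg.cache.max_collisions=2
rrset.cache.max_collisions=340
EOF
}

sample_stats | triage_stats 1000 100 || true
```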
FILES
/var/unbound/etc/unbound.conf
Unbound configuration file.
/var/unbound/etc
directory with private keys (unbound_server.key and
unbound_control.key) and self-signed certificates
(unbound_server.pem and unbound_control.pem).
SEE ALSO
unbound.conf(5), unbound(8).
NLnet Labs August 30, 2023 unbound-control(8)