config_file Struct Reference

The configuration options. More...

#include <config_file.h>

Data Fields

int verbosity
 verbosity level as specified in the config file
 
int stat_interval
 statistics interval (in seconds)
 
int stat_cumulative
 if false, statistics values are reset after printing them
 
int stat_extended
 if true, the statistics are kept in greater detail
 
int stat_inhibit_zero
 if true, suppresses many of the =0 lines in the extended stats output
 
int num_threads
 number of threads to create
 
int port
 port on which queries are answered.
 
int do_ip4
 do ip4 query support.
 
int do_ip6
 do ip6 query support.
 
int do_nat64
 do nat64 on queries
 
int prefer_ip4
 prefer ip4 upstream queries.
 
int prefer_ip6
 prefer ip6 upstream queries.
 
int do_udp
 do udp query support.
 
int do_tcp
 do tcp query support.
 
size_t max_reuse_tcp_queries
 max number of queries on a reuse connection.
 
int tcp_reuse_timeout
 timeout for REUSE entries in milliseconds.
 
int tcp_auth_query_timeout
 timeout in milliseconds for TCP queries to auth servers.
 
int tcp_upstream
 tcp upstream queries (no UDP upstream queries)
 
int udp_upstream_without_downstream
 udp upstream enabled when no UDP downstream is enabled (do_udp no)
 
int tcp_mss
 maximum segment size of the tcp socket on which queries are answered
 
int outgoing_tcp_mss
 maximum segment size of tcp socket for outgoing queries
 
int tcp_idle_timeout
 tcp idle timeout, in msec
 
int do_tcp_keepalive
 do edns tcp keepalive
 
int tcp_keepalive_timeout
 tcp keepalive timeout, in msec
 
int sock_queue_timeout
 timeout of packets sitting in the socket queue
 
struct config_strlist * proxy_protocol_port
 proxy protocol ports
 
char * ssl_service_key
 private key file for dnstcp-ssl service (enabled if not NULL)
 
char * ssl_service_pem
 public key file for dnstcp-ssl service
 
int ssl_port
 port on which to provide ssl service
 
int ssl_upstream
 if outgoing tcp connections use SSL
 
char * tls_cert_bundle
 cert bundle for outgoing connections
 
int tls_win_cert
 should the system certificate store get added to the cert bundle
 
struct config_strlist * tls_additional_port
 additional tls ports
 
struct config_strlist_head tls_session_ticket_keys
 secret key used to encrypt and decrypt TLS session tickets
 
char * tls_ciphers
 TLS ciphers.
 
char * tls_ciphersuites
 TLS ciphersuites (TLSv1.3)
 
int tls_use_sni
 if SNI is to be used
 
int https_port
 port on which to provide DNS over HTTPS service
 
char * http_endpoint
 endpoint for HTTP service
 
uint32_t http_max_streams
 MAX_CONCURRENT_STREAMS HTTP/2 setting.
 
size_t http_query_buffer_size
 maximum size of all HTTP2 query buffers combined.
 
size_t http_response_buffer_size
 maximum size of all HTTP2 response buffers combined.
 
int http_nodelay
 set TCP_NODELAY option for http sockets
 
int http_notls_downstream
 Disable TLS for http sockets downstream.
 
int quic_port
 port on which to provide DNS over QUIC service
 
size_t quic_size
 size of the quic data, max bytes
 
int outgoing_num_ports
 outgoing port range number of ports (per thread)
 
size_t outgoing_num_tcp
 number of outgoing tcp buffers (per thread)
 
size_t incoming_num_tcp
 number of incoming tcp buffers (per thread)
 
int * outgoing_avail_ports
 allowed udp port numbers, array with 0 if not allowed
 
size_t edns_buffer_size
 EDNS buffer size to use.
 
size_t stream_wait_size
 size of the stream wait buffers, max
 
size_t msg_buffer_size
 number of bytes buffer size for DNS messages
 
size_t msg_cache_size
 size of the message cache
 
size_t msg_cache_slabs
 slabs in the message cache.
 
size_t num_queries_per_thread
 number of queries every thread can service
 
size_t jostle_time
 number of msec to wait before items can be jostled out
 
size_t rrset_cache_size
 size of the rrset cache
 
size_t rrset_cache_slabs
 slabs in the rrset cache
 
int host_ttl
 host cache ttl in seconds
 
size_t infra_cache_slabs
 number of slabs in the infra host cache
 
size_t infra_cache_numhosts
 max number of hosts in the infra cache
 
int infra_cache_min_rtt
 min value for infra cache rtt (min retransmit timeout)
 
int infra_cache_max_rtt
 max value for infra cache rtt (max retransmit timeout)
 
int infra_keep_probing
 keep probing hosts that are down
 
int delay_close
 delay close of udp-timeouted ports, if 0 no delayclose. More...
 
int udp_connect
 if enabled, uses UDP connect to mitigate the ICMP side channel
 
char * target_fetch_policy
 the target fetch policy for the iterator
 
int fast_server_permil
 percent*10, how many times in 1000 to pick from the fastest destinations
 
size_t fast_server_num
 number of fastest server to select from
 
int if_automatic
 automatic interface for incoming messages. More...
 
char * if_automatic_ports
 extra ports to open if if_automatic enabled, or NULL for default
 
size_t so_rcvbuf
 SO_RCVBUF size to set on port 53 UDP socket.
 
size_t so_sndbuf
 SO_SNDBUF size to set on port 53 UDP socket.
 
int so_reuseport
 SO_REUSEPORT requested on port 53 sockets.
 
int ip_transparent
 IP_TRANSPARENT socket option requested on port 53 sockets.
 
int ip_freebind
 IP_FREEBIND socket option requested on port 53 sockets.
 
int ip_dscp
 IP_TOS socket option requested on port 53 sockets.
 
int num_ifs
 number of interfaces to open. More...
 
char ** ifs
 interface description strings (IP addresses)
 
int num_out_ifs
 number of outgoing interfaces to open. More...
 
char ** out_ifs
 outgoing interface description strings (IP addresses)
 
struct config_strlist * root_hints
 the root hints
 
struct config_stub * stubs
 the stub definitions, linked list
 
struct config_stub * forwards
 the forward zone definitions, linked list
 
struct config_auth * auths
 the auth zone definitions, linked list
 
struct config_view * views
 the views definitions, linked list
 
struct config_strlist * donotqueryaddrs
 list of donotquery addresses, linked list
 
struct config_str2list * acls
 list of access control entries, linked list
 
int donotquery_localhost
 use default localhost donotqueryaddr entries
 
struct config_str2list * tcp_connection_limits
 list of tcp connection limits, linked list
 
int harden_short_bufsize
 harden against very small edns buffer sizes
 
int harden_large_queries
 harden against very large query sizes
 
int harden_glue
 harden against spoofed glue (out of zone data)
 
int harden_unverified_glue
 harden against unverified glue
 
int harden_dnssec_stripped
 harden against receiving no DNSSEC data for trust anchor
 
int harden_below_nxdomain
 harden against queries that fall under known nxdomain names
 
int harden_referral_path
 harden the referral path, query for NS,A,AAAA and validate
 
int harden_algo_downgrade
 harden against algorithm downgrade
 
int harden_unknown_additional
 harden against unknown records in the authority section and in the additional section
 
int use_caps_bits_for_id
 use 0x20 bits in query as random ID bits
 
struct config_strlist * caps_whitelist
 0x20 whitelist, domains that do not use capsforid
 
struct config_strlist * private_address
 strip these private addresses from answers, to prevent DNS rebinding
 
struct config_strlist * private_domain
 allow domain (and subdomains) to use private address space
 
size_t unwanted_threshold
 what threshold for unwanted action.
 
int max_ttl
 the number of seconds maximal TTL used for RRsets and messages
 
int min_ttl
 the number of seconds minimum TTL used for RRsets and messages
 
int max_negative_ttl
 the number of seconds maximal negative TTL for SOA in auth
 
int min_negative_ttl
 the number of seconds minimal negative TTL for SOA in auth
 
int prefetch
 if prefetching of messages should be performed.
 
int prefetch_key
 if prefetching of DNSKEYs should be performed.
 
int deny_any
 deny queries of type ANY with an empty answer
 
char * chrootdir
 chrootdir; if not "", chroot will be done
 
char * username
 username to change to, if not "".
 
char * directory
 working directory
 
char * logfile
 filename to log to.
 
char * pidfile
 pidfile to write pid to.
 
int use_syslog
 should log messages be sent to syslogd
 
int log_time_ascii
 log timestamp in ascii UTC
 
int log_time_iso
 log timestamp in ISO8601 format
 
int log_queries
 log queries with one line per query
 
int log_replies
 log replies with one line per reply
 
int log_tag_queryreply
 tag log_queries and log_replies for filtering
 
int log_local_actions
 log every local-zone hit
 
int log_servfail
 log servfails with a reason
 
char * log_identity
 log identity to report
 
int log_destaddr
 log dest addr for log_replies
 
int hide_identity
 do not report identity (id.server, hostname.bind)
 
int hide_version
 do not report version (version.server, version.bind)
 
int hide_trustanchor
 do not report trustanchor (trustanchor.unbound)
 
int hide_http_user_agent
 do not report the User-Agent HTTP header
 
char * identity
 identity, hostname is returned if "".
 
char * version
 version, package version returned if "".
 
char * http_user_agent
 User-Agent for HTTP header.
 
char * nsid_cfg_str
 nsid
 
uint8_t * nsid
 
uint16_t nsid_len
 
char * module_conf
 the module configuration string
 
struct config_strlist * trust_anchor_file_list
 files with trusted DS and DNSKEYs in zonefile format, list
 
struct config_strlist * trust_anchor_list
 list of trustanchor keys, linked list
 
struct config_strlist * auto_trust_anchor_file_list
 files with 5011 autotrust tracked keys
 
struct config_strlist * trusted_keys_file_list
 files with trusted DNSKEYs in named.conf format, list
 
struct config_strlist * domain_insecure
 insecure domain list
 
int trust_anchor_signaling
 send key tag query
 
int root_key_sentinel
 enable root key sentinel
 
int32_t val_date_override
 if not 0, this value is the validation date for RRSIGs
 
int32_t val_sig_skew_min
 the minimum for signature clock skew
 
int32_t val_sig_skew_max
 the maximum for signature clock skew
 
int32_t val_max_restart
 max number of query restarts, number of IPs to probe
 
int bogus_ttl
 this value sets the number of seconds before bogus entries are revalidated
 
int val_clean_additional
 should validator clean additional section for secure msgs
 
int val_log_level
 log bogus messages by the validator
 
int val_log_squelch
 squelch val_log_level logging - in the library this goes to the callback
 
int val_permissive_mode
 should validator allow bogus messages to go through
 
int aggressive_nsec
 use cached NSEC records to synthesise (negative) answers
 
int ignore_cd
 ignore the CD flag in incoming queries and refuse to give them bogus data
 
int disable_edns_do
 disable EDNS DO flag in outgoing requests
 
int serve_expired
 serve expired entries and prefetch them
 
int serve_expired_ttl
 serve expired entries until TTL after expiration
 
int serve_expired_ttl_reset
 reset serve expired TTL after failed update attempt
 
int serve_expired_reply_ttl
 TTL for the serve expired replies.
 
int serve_expired_client_timeout
 serve expired entries only after trying to update the entries and this timeout (in milliseconds) is reached
 
int ede_serve_expired
 serve EDE code 3 - Stale Answer (RFC8914) for expired entries
 
int serve_original_ttl
 serve original TTLs rather than decrementing ones
 
char * val_nsec3_key_iterations
 nsec3 maximum iterations per key size, string
 
int zonemd_permissive_mode
 if zonemd failures are permitted, only logged
 
unsigned int add_holddown
 autotrust add holddown time, in seconds
 
unsigned int del_holddown
 autotrust del holddown time, in seconds
 
unsigned int keep_missing
 autotrust keep_missing time, in seconds. More...
 
int permit_small_holddown
 permit small holddown values, allowing 5011 rollover very fast
 
size_t key_cache_size
 size of the key cache
 
size_t key_cache_slabs
 slabs in the key cache.
 
size_t neg_cache_size
 size of the neg cache
 
struct config_str2list * local_zones
 local zones config
 
struct config_strlist * local_zones_nodefault
 local zones nodefault list
 
int local_zones_disable_default
 do not add any default local zone
 
struct config_strlist * local_data
 local data RRs configured
 
struct config_str3list * local_zone_overrides
 local zone override types per netblock
 
int unblock_lan_zones
 unblock lan zones (reverse lookups for AS112 zones)
 
int insecure_lan_zones
 insecure lan zones (don't validate AS112 zones)
 
struct config_strbytelist * local_zone_tags
 list of zonename, tagbitlist
 
struct config_strbytelist * acl_tags
 list of aclname, tagbitlist
 
struct config_str3list * acl_tag_actions
 list of aclname, tagname, localzonetype
 
struct config_str3list * acl_tag_datas
 list of aclname, tagname, redirectdata
 
struct config_str2list * acl_view
 list of aclname, view
 
struct config_str2list * interface_actions
 list of interface action entries, linked list
 
struct config_strbytelist * interface_tags
 list of interface, tagbitlist
 
struct config_str3list * interface_tag_actions
 list of interface, tagname, localzonetype
 
struct config_str3list * interface_tag_datas
 list of interface, tagname, redirectdata
 
struct config_str2list * interface_view
 list of interface, view
 
struct config_strbytelist * respip_tags
 list of IP-netblock, tagbitlist
 
struct config_str2list * respip_actions
 list of response-driven access control entries, linked list
 
struct config_str2list * respip_data
 RRs configured for response-driven access controls.
 
char ** tagname
 tag list; array where tagname[i] is a malloced string
 
int num_tags
 number of items in the taglist
 
int remote_control_enable
 remote control section. More...
 
struct config_strlist_head control_ifs
 the interfaces the remote control should listen on
 
int control_use_cert
 if the use-cert option is set
 
int control_port
 port number for the control port
 
char * server_key_file
 private key file for server
 
char * server_cert_file
 certificate file for server
 
char * control_key_file
 private key file for unbound-control
 
char * control_cert_file
 certificate file for unbound-control
 
struct config_strlist * python_script
 Python script file.
 
struct config_strlist * dynlib_file
 Dynamic library file.
 
int use_systemd
 Use systemd socket activation.
 
int do_daemonize
 daemonize, i.e. More...
 
int minimal_responses
 
int rrset_roundrobin
 
int unknown_server_time_limit
 
int discard_timeout
 Wait time to drop recursion replies.
 
int wait_limit
 Wait limit for number of replies per IP address.
 
int wait_limit_cookie
 Wait limit for number of replies per IP address with cookie.
 
struct config_str2list * wait_limit_netblock
 wait limit per netblock
 
struct config_str2list * wait_limit_cookie_netblock
 wait limit with cookie per netblock
 
size_t max_udp_size
 
char * dns64_prefix
 
int dns64_synthall
 
struct config_strlist * dns64_ignore_aaaa
 ignore AAAAs for these domain names and use A record anyway
 
char * nat64_prefix
 
int dnstap
 true to enable dnstap support
 
int dnstap_bidirectional
 using bidirectional frame streams if true
 
char * dnstap_socket_path
 dnstap socket path
 
char * dnstap_ip
 dnstap IP
 
int dnstap_tls
 dnstap TLS enable
 
char * dnstap_tls_server_name
 dnstap tls server authentication name
 
char * dnstap_tls_cert_bundle
 dnstap server cert bundle
 
char * dnstap_tls_client_key_file
 dnstap client key for client authentication
 
char * dnstap_tls_client_cert_file
 dnstap client cert for client authentication
 
int dnstap_send_identity
 true to send "identity" via dnstap
 
int dnstap_send_version
 true to send "version" via dnstap
 
char * dnstap_identity
 dnstap "identity", hostname is used if "".
 
char * dnstap_version
 dnstap "version", package version is used if "".
 
int dnstap_sample_rate
 dnstap sample rate
 
int dnstap_log_resolver_query_messages
 true to log dnstap RESOLVER_QUERY message events
 
int dnstap_log_resolver_response_messages
 true to log dnstap RESOLVER_RESPONSE message events
 
int dnstap_log_client_query_messages
 true to log dnstap CLIENT_QUERY message events
 
int dnstap_log_client_response_messages
 true to log dnstap CLIENT_RESPONSE message events
 
int dnstap_log_forwarder_query_messages
 true to log dnstap FORWARDER_QUERY message events
 
int dnstap_log_forwarder_response_messages
 true to log dnstap FORWARDER_RESPONSE message events
 
int disable_dnssec_lame_check
 true to disable DNSSEC lameness check in iterator
 
int ip_ratelimit
 ratelimit for ip addresses. More...
 
int ip_ratelimit_cookie
 ratelimit for ip addresses with a valid DNS Cookie. More...
 
size_t ip_ratelimit_slabs
 number of slabs for ip_ratelimit cache
 
size_t ip_ratelimit_size
 memory size in bytes for ip_ratelimit cache
 
int ip_ratelimit_factor
 ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic
 
int ip_ratelimit_backoff
 ratelimit backoff, when on, if the limit is reached it is considered an attack and it backs off until 'demand' decreases over the RATE_WINDOW.
 
int ratelimit
 ratelimit for domains. More...
 
size_t ratelimit_slabs
 number of slabs for ratelimit cache
 
size_t ratelimit_size
 memory size in bytes for ratelimit cache
 
struct config_str2list * ratelimit_for_domain
 ratelimits for domain (exact match)
 
struct config_str2list * ratelimit_below_domain
 ratelimits below domain
 
int ratelimit_factor
 ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic
 
int ratelimit_backoff
 ratelimit backoff, when on, if the limit is reached it is considered an attack and it backs off until 'demand' decreases over the RATE_WINDOW.
 
int outbound_msg_retry
 number of retries on outgoing queries
 
int max_sent_count
 max sent queries per qstate; resets on query restarts (e.g., CNAMES) and referrals
 
int max_query_restarts
 max number of query restarts; determines max length of CNAME chain
 
int qname_minimisation
 minimise outgoing QNAME and hide original QTYPE if possible
 
int qname_minimisation_strict
 minimise QNAME in strict mode, minimise according to RFC. More...
 
int shm_enable
 SHM data - true if shm is enabled.
 
int shm_key
 SHM data - key for the shm.
 
struct config_str2list * edns_client_strings
 list of EDNS client string entries, linked list
 
uint16_t edns_client_string_opcode
 EDNS opcode to use for EDNS client strings.
 
int dnscrypt
 DNSCrypt. More...
 
int dnscrypt_port
 port on which to provide dnscrypt service
 
char * dnscrypt_provider
 provider name, e.g. 2.dnscrypt-cert.example.com
 
struct config_strlist * dnscrypt_secret_key
 dnscrypt secret keys, e.g. 1.key
 
struct config_strlist * dnscrypt_provider_cert
 dnscrypt provider certs, e.g. 1.cert
 
struct config_strlist * dnscrypt_provider_cert_rotated
 dnscrypt provider certs 1.cert which have been rotated and should not be advertised through DNS's providername TXT record but are required to be able to handle existing traffic using the old cert.
 
size_t dnscrypt_shared_secret_cache_size
 memory size in bytes for dnscrypt shared secrets cache
 
size_t dnscrypt_shared_secret_cache_slabs
 number of slabs for dnscrypt shared secrets cache
 
size_t dnscrypt_nonce_cache_size
 memory size in bytes for dnscrypt nonces cache
 
size_t dnscrypt_nonce_cache_slabs
 number of slabs for dnscrypt nonces cache
 
int pad_responses
 EDNS padding according to RFC7830 and RFC8467. More...
 
size_t pad_responses_block_size
 block size with which to pad encrypted responses (default: 468)
 
int pad_queries
 true to enable padding of queries (default: on)
 
size_t pad_queries_block_size
 block size with which to pad encrypted queries (default: 128)
 
int do_answer_cookie
 IPsec module. More...
 
uint8_t cookie_secret [40]
 cookie secret
 
size_t cookie_secret_len
 cookie secret length
 
char * cookie_secret_file
 path to cookie secret store
 
int ede
 respond with Extended DNS Errors (RFC8914)
 
size_t iter_scrub_ns
 limit on NS RRs in RRset for the iterator scrubber.
 
int iter_scrub_cname
 limit on CNAME, DNAME RRs in answer for the iterator scrubber.
 
int max_global_quota
 limit on upstream queries for an incoming query and subqueries.
 

Detailed Description

The configuration options.

Strings are malloced.

Field Documentation

◆ delay_close

int config_file::delay_close

delay close of udp-timeouted ports, if 0 no delayclose.

in msec

Referenced by config_create(), and config_set_option().

◆ if_automatic

int config_file::if_automatic

automatic interface for incoming messages.

Uses ipv6 remapping and recvmsg/sendmsg ancillary data to detect interfaces; boolean.

Referenced by checkrlimits(), config_create(), config_set_option(), and listening_ports_open().

◆ num_ifs

int config_file::num_ifs

number of interfaces to open.

If 0 default all interfaces.

Referenced by cfg_has_https(), checkrlimits(), config_create(), config_delete(), daemon_open_shared_ports(), and interfacechecks().

◆ num_out_ifs

int config_file::num_out_ifs

number of outgoing interfaces to open.

If 0 default all interfaces.

Referenced by config_create(), config_delete(), and config_set_option().

◆ keep_missing

unsigned int config_file::keep_missing

autotrust keep_missing time, in seconds.

0 is forever.

Referenced by config_set_option().

◆ remote_control_enable

int config_file::remote_control_enable

remote control section.

enable toggle.

Referenced by config_set_option(), daemon_remote_create(), daemon_remote_open_ports(), and options_remote_is_address().

◆ do_daemonize

int config_file::do_daemonize

daemonize, i.e. fork into the background.

Referenced by apply_settings(), config_create(), and config_set_option().

◆ ip_ratelimit

int config_file::ip_ratelimit

ratelimit for ip addresses.

0 is off, otherwise qps (unless overridden)

Referenced by checkrlimits(), config_set_option(), infra_adjust(), and infra_create().

◆ ip_ratelimit_cookie

int config_file::ip_ratelimit_cookie

ratelimit for ip addresses with a valid DNS Cookie.

0 is off, otherwise qps (unless overridden)

Referenced by config_set_option(), infra_adjust(), and infra_create().

◆ ratelimit

int config_file::ratelimit

ratelimit for domains.

0 is off, otherwise qps (unless overridden)

Referenced by checkrlimits(), config_set_option(), infra_adjust(), and infra_create().

◆ qname_minimisation_strict

int config_file::qname_minimisation_strict

minimise QNAME in strict mode, minimise according to RFC.

Do not apply fallback

Referenced by config_set_option().

◆ dnscrypt

int config_file::dnscrypt

DNSCrypt.

true to enable dnscrypt

Referenced by checkrlimits(), config_read(), and config_set_option().

◆ pad_responses

int config_file::pad_responses

EDNS padding according to RFC7830 and RFC8467.

true to enable padding of responses (default: on)

Referenced by config_set_option().

◆ do_answer_cookie

int config_file::do_answer_cookie

IPsec module.

Downstream DNS Cookies: answer with a server cookie when the request contained a cookie option

Referenced by config_set_option().

