The configuration options. More...
#include <config_file.h>
Data Fields | |
| int | verbosity |
| verbosity level as specified in the config file | |
| int | stat_interval |
| statistics interval (in seconds) | |
| int | stat_cumulative |
| if false, statistics values are reset after printing them | |
| int | stat_extended |
| if true, the statistics are kept in greater detail | |
| int | stat_inhibit_zero |
| if true, inhibits a lot of =0 lines from the extended stats output | |
| int | num_threads |
| number of threads to create | |
| int | port |
| port on which queries are answered. | |
| int | do_ip4 |
| do ip4 query support. | |
| int | do_ip6 |
| do ip6 query support. | |
| int | do_nat64 |
| do nat64 on queries | |
| int | prefer_ip4 |
| prefer ip4 upstream queries. | |
| int | prefer_ip6 |
| prefer ip6 upstream queries. | |
| int | do_udp |
| do udp query support. | |
| int | do_tcp |
| do tcp query support. | |
| size_t | max_reuse_tcp_queries |
| max number of queries on a reuse connection. | |
| int | tcp_reuse_timeout |
| timeout for REUSE entries in milliseconds. | |
| int | tcp_auth_query_timeout |
| timeout in milliseconds for TCP queries to auth servers. | |
| int | tcp_upstream |
| tcp upstream queries (no UDP upstream queries) | |
| int | udp_upstream_without_downstream |
| udp upstream enabled when no UDP downstream is enabled (do_udp no) | |
| int | tcp_mss |
| maximum segment size of tcp socket which queries are answered | |
| int | outgoing_tcp_mss |
| maximum segment size of tcp socket for outgoing queries | |
| int | tcp_idle_timeout |
| tcp idle timeout, in msec | |
| int | do_tcp_keepalive |
| do edns tcp keepalive | |
| int | tcp_keepalive_timeout |
| tcp keepalive timeout, in msec | |
| int | sock_queue_timeout |
| timeout of packets sitting in the socket queue | |
| struct config_strlist * | proxy_protocol_port |
| proxy protocol ports | |
| char * | ssl_service_key |
| private key file for dnstcp-ssl service (enabled if not NULL) | |
| char * | ssl_service_pem |
| public key file for dnstcp-ssl service | |
| int | ssl_port |
| port on which to provide ssl service | |
| int | ssl_upstream |
| if outgoing tcp connections use SSL | |
| char * | tls_cert_bundle |
| cert bundle for outgoing connections | |
| int | tls_win_cert |
| should the system certificate store get added to the cert bundle | |
| struct config_strlist * | tls_additional_port |
| additional tls ports | |
| struct config_strlist_head | tls_session_ticket_keys |
| secret key used to encrypt and decrypt TLS session ticket | |
| char * | tls_ciphers |
| TLS ciphers. | |
| char * | tls_ciphersuites |
| TLS chiphersuites (TLSv1.3) | |
| int | tls_use_sni |
| if SNI is to be used | |
| int | https_port |
| port on which to provide DNS over HTTPS service | |
| char * | http_endpoint |
| endpoint for HTTP service | |
| uint32_t | http_max_streams |
| MAX_CONCURRENT_STREAMS HTTP/2 setting. | |
| size_t | http_query_buffer_size |
| maximum size of all HTTP2 query buffers combined. | |
| size_t | http_response_buffer_size |
| maximum size of all HTTP2 response buffers combined. | |
| int | http_nodelay |
| set TCP_NODELAY option for http sockets | |
| int | http_notls_downstream |
| Disable TLS for http sockets downstream. | |
| int | outgoing_num_ports |
| outgoing port range number of ports (per thread) | |
| size_t | outgoing_num_tcp |
| number of outgoing tcp buffers per (per thread) | |
| size_t | incoming_num_tcp |
| number of incoming tcp buffers per (per thread) | |
| int * | outgoing_avail_ports |
| allowed udp port numbers, array with 0 if not allowed | |
| size_t | edns_buffer_size |
| EDNS buffer size to use. | |
| size_t | stream_wait_size |
| size of the stream wait buffers, max | |
| size_t | msg_buffer_size |
| number of bytes buffer size for DNS messages | |
| size_t | msg_cache_size |
| size of the message cache | |
| size_t | msg_cache_slabs |
| slabs in the message cache. | |
| size_t | num_queries_per_thread |
| number of queries every thread can service | |
| size_t | jostle_time |
| number of msec to wait before items can be jostled out | |
| size_t | rrset_cache_size |
| size of the rrset cache | |
| size_t | rrset_cache_slabs |
| slabs in the rrset cache | |
| int | host_ttl |
| host cache ttl in seconds | |
| size_t | infra_cache_slabs |
| number of slabs in the infra host cache | |
| size_t | infra_cache_numhosts |
| max number of hosts in the infra cache | |
| int | infra_cache_min_rtt |
| min value for infra cache rtt (min retransmit timeout) | |
| int | infra_cache_max_rtt |
| max value for infra cache rtt (max retransmit timeout) | |
| int | infra_keep_probing |
| keep probing hosts that are down | |
| int | delay_close |
| delay close of udp-timeouted ports, if 0 no delayclose. More... | |
| int | udp_connect |
| udp_connect enable uses UDP connect to mitigate ICMP side channel | |
| char * | target_fetch_policy |
| the target fetch policy for the iterator | |
| int | fast_server_permil |
| percent*10, how many times in 1000 to pick from the fastest destinations | |
| size_t | fast_server_num |
| number of fastest server to select from | |
| int | if_automatic |
| automatic interface for incoming messages. More... | |
| char * | if_automatic_ports |
| extra ports to open if if_automatic enabled, or NULL for default | |
| size_t | so_rcvbuf |
| SO_RCVBUF size to set on port 53 UDP socket. | |
| size_t | so_sndbuf |
| SO_SNDBUF size to set on port 53 UDP socket. | |
| int | so_reuseport |
| SO_REUSEPORT requested on port 53 sockets. | |
| int | ip_transparent |
| IP_TRANSPARENT socket option requested on port 53 sockets. | |
| int | ip_freebind |
| IP_FREEBIND socket option request on port 53 sockets. | |
| int | ip_dscp |
| IP_TOS socket option requested on port 53 sockets. | |
| int | num_ifs |
| number of interfaces to open. More... | |
| char ** | ifs |
| interface description strings (IP addresses) | |
| int | num_out_ifs |
| number of outgoing interfaces to open. More... | |
| char ** | out_ifs |
| outgoing interface description strings (IP addresses) | |
| struct config_strlist * | root_hints |
| the root hints | |
| struct config_stub * | stubs |
| the stub definitions, linked list | |
| struct config_stub * | forwards |
| the forward zone definitions, linked list | |
| struct config_auth * | auths |
| the auth zone definitions, linked list | |
| struct config_view * | views |
| the views definitions, linked list | |
| struct config_strlist * | donotqueryaddrs |
| list of donotquery addresses, linked list | |
| struct config_str2list * | acls |
| list of access control entries, linked list | |
| int | donotquery_localhost |
| use default localhost donotqueryaddr entries | |
| struct config_str2list * | tcp_connection_limits |
| list of tcp connection limitss, linked list | |
| int | harden_short_bufsize |
| harden against very small edns buffer sizes | |
| int | harden_large_queries |
| harden against very large query sizes | |
| int | harden_glue |
| harden against spoofed glue (out of zone data) | |
| int | harden_dnssec_stripped |
| harden against receiving no DNSSEC data for trust anchor | |
| int | harden_below_nxdomain |
| harden against queries that fall under known nxdomain names | |
| int | harden_referral_path |
| harden the referral path, query for NS,A,AAAA and validate | |
| int | harden_algo_downgrade |
| harden against algorithm downgrade | |
| int | harden_unknown_additional |
| harden against unknown records in the authority section and in the additional section | |
| int | use_caps_bits_for_id |
| use 0x20 bits in query as random ID bits | |
| struct config_strlist * | caps_whitelist |
| 0x20 whitelist, domains that do not use capsforid | |
| struct config_strlist * | private_address |
| strip away these private addrs from answers, no DNS Rebinding | |
| struct config_strlist * | private_domain |
| allow domain (and subdomains) to use private address space | |
| size_t | unwanted_threshold |
| what threshold for unwanted action. | |
| int | max_ttl |
| the number of seconds maximal TTL used for RRsets and messages | |
| int | min_ttl |
| the number of seconds minimum TTL used for RRsets and messages | |
| int | max_negative_ttl |
| the number of seconds maximal negative TTL for SOA in auth | |
| int | prefetch |
| if prefetching of messages should be performed. | |
| int | prefetch_key |
| if prefetching of DNSKEYs should be performed. | |
| int | deny_any |
| deny queries of type ANY with an empty answer | |
| char * | chrootdir |
| chrootdir, if not "" or chroot will be done | |
| char * | username |
| username to change to, if not "". | |
| char * | directory |
| working directory | |
| char * | logfile |
| filename to log to. | |
| char * | pidfile |
| pidfile to write pid to. | |
| int | use_syslog |
| should log messages be sent to syslogd | |
| int | log_time_ascii |
| log timestamp in ascii UTC | |
| int | log_queries |
| log queries with one line per query | |
| int | log_replies |
| log replies with one line per reply | |
| int | log_tag_queryreply |
| tag log_queries and log_replies for filtering | |
| int | log_local_actions |
| log every local-zone hit | |
| int | log_servfail |
| log servfails with a reason | |
| char * | log_identity |
| log identity to report | |
| int | log_destaddr |
| log dest addr for log_replies | |
| int | hide_identity |
| do not report identity (id.server, hostname.bind) | |
| int | hide_version |
| do not report version (version.server, version.bind) | |
| int | hide_trustanchor |
| do not report trustanchor (trustanchor.unbound) | |
| int | hide_http_user_agent |
| do not report the User-Agent HTTP header | |
| char * | identity |
| identity, hostname is returned if "". | |
| char * | version |
| version, package version returned if "". | |
| char * | http_user_agent |
| User-Agent for HTTP header. | |
| char * | nsid_cfg_str |
| nsid | |
| uint8_t * | nsid |
| uint16_t | nsid_len |
| char * | module_conf |
| the module configuration string | |
| struct config_strlist * | trust_anchor_file_list |
| files with trusted DS and DNSKEYs in zonefile format, list | |
| struct config_strlist * | trust_anchor_list |
| list of trustanchor keys, linked list | |
| struct config_strlist * | auto_trust_anchor_file_list |
| files with 5011 autotrust tracked keys | |
| struct config_strlist * | trusted_keys_file_list |
| files with trusted DNSKEYs in named.conf format, list | |
| struct config_strlist * | domain_insecure |
| insecure domain list | |
| int | trust_anchor_signaling |
| send key tag query | |
| int | root_key_sentinel |
| enable root key sentinel | |
| int32_t | val_date_override |
| if not 0, this value is the validation date for RRSIGs | |
| int32_t | val_sig_skew_min |
| the minimum for signature clock skew | |
| int32_t | val_sig_skew_max |
| the maximum for signature clock skew | |
| int32_t | val_max_restart |
| max number of query restarts, number of IPs to probe | |
| int | bogus_ttl |
| this value sets the number of seconds before revalidating bogus | |
| int | val_clean_additional |
| should validator clean additional section for secure msgs | |
| int | val_log_level |
| log bogus messages by the validator | |
| int | val_log_squelch |
| squelch val_log_level to log - this is library goes to callback | |
| int | val_permissive_mode |
| should validator allow bogus messages to go through | |
| int | aggressive_nsec |
| use cached NSEC records to synthesise (negative) answers | |
| int | ignore_cd |
| ignore the CD flag in incoming queries and refuse them bogus data | |
| int | disable_edns_do |
| disable EDNS DO flag in outgoing requests | |
| int | serve_expired |
| serve expired entries and prefetch them | |
| int | serve_expired_ttl |
| serve expired entries until TTL after expiration | |
| int | serve_expired_ttl_reset |
| reset serve expired TTL after failed update attempt | |
| int | serve_expired_reply_ttl |
| TTL for the serve expired replies. | |
| int | serve_expired_client_timeout |
| serve expired entries only after trying to update the entries and this timeout (in milliseconds) is reached | |
| int | ede_serve_expired |
| serve EDE code 3 - Stale Answer (RFC8914) for expired entries | |
| int | serve_original_ttl |
| serve original TTLs rather than decrementing ones | |
| char * | val_nsec3_key_iterations |
| nsec3 maximum iterations per key size, string | |
| int | zonemd_permissive_mode |
| if zonemd failures are permitted, only logged | |
| unsigned int | add_holddown |
| autotrust add holddown time, in seconds | |
| unsigned int | del_holddown |
| autotrust del holddown time, in seconds | |
| unsigned int | keep_missing |
| autotrust keep_missing time, in seconds. More... | |
| int | permit_small_holddown |
| permit small holddown values, allowing 5011 rollover very fast | |
| size_t | key_cache_size |
| size of the key cache | |
| size_t | key_cache_slabs |
| slabs in the key cache. | |
| size_t | neg_cache_size |
| size of the neg cache | |
| struct config_str2list * | local_zones |
| local zones config | |
| struct config_strlist * | local_zones_nodefault |
| local zones nodefault list | |
| int | local_zones_disable_default |
| do not add any default local zone | |
| struct config_strlist * | local_data |
| local data RRs configured | |
| struct config_str3list * | local_zone_overrides |
| local zone override types per netblock | |
| int | unblock_lan_zones |
| unblock lan zones (reverse lookups for AS112 zones) | |
| int | insecure_lan_zones |
| insecure lan zones (don't validate AS112 zones) | |
| struct config_strbytelist * | local_zone_tags |
| list of zonename, tagbitlist | |
| struct config_strbytelist * | acl_tags |
| list of aclname, tagbitlist | |
| struct config_str3list * | acl_tag_actions |
| list of aclname, tagname, localzonetype | |
| struct config_str3list * | acl_tag_datas |
| list of aclname, tagname, redirectdata | |
| struct config_str2list * | acl_view |
| list of aclname, view | |
| struct config_str2list * | interface_actions |
| list of interface action entries, linked list | |
| struct config_strbytelist * | interface_tags |
| list of interface, tagbitlist | |
| struct config_str3list * | interface_tag_actions |
| list of interface, tagname, localzonetype | |
| struct config_str3list * | interface_tag_datas |
| list of interface, tagname, redirectdata | |
| struct config_str2list * | interface_view |
| list of interface, view | |
| struct config_strbytelist * | respip_tags |
| list of IP-netblock, tagbitlist | |
| struct config_str2list * | respip_actions |
| list of response-driven access control entries, linked list | |
| struct config_str2list * | respip_data |
| RRs configured for response-driven access controls. | |
| char ** | tagname |
| tag list, array with tagname[i] is malloced string | |
| int | num_tags |
| number of items in the taglist | |
| int | remote_control_enable |
| remote control section. More... | |
| struct config_strlist_head | control_ifs |
| the interfaces the remote control should listen on | |
| int | control_use_cert |
| if the use-cert option is set | |
| int | control_port |
| port number for the control port | |
| char * | server_key_file |
| private key file for server | |
| char * | server_cert_file |
| certificate file for server | |
| char * | control_key_file |
| private key file for unbound-control | |
| char * | control_cert_file |
| certificate file for unbound-control | |
| struct config_strlist * | python_script |
| Python script file. | |
| struct config_strlist * | dynlib_file |
| Dynamic library file. | |
| int | use_systemd |
| Use systemd socket activation. | |
| int | do_daemonize |
| daemonize, i.e. More... | |
| int | minimal_responses |
| int | rrset_roundrobin |
| int | unknown_server_time_limit |
| size_t | max_udp_size |
| char * | dns64_prefix |
| int | dns64_synthall |
| struct config_strlist * | dns64_ignore_aaaa |
| ignore AAAAs for these domain names and use A record anyway | |
| char * | nat64_prefix |
| int | dnstap |
| true to enable dnstap support | |
| int | dnstap_bidirectional |
| using bidirectional frame streams if true | |
| char * | dnstap_socket_path |
| dnstap socket path | |
| char * | dnstap_ip |
| dnstap IP | |
| int | dnstap_tls |
| dnstap TLS enable | |
| char * | dnstap_tls_server_name |
| dnstap tls server authentication name | |
| char * | dnstap_tls_cert_bundle |
| dnstap server cert bundle | |
| char * | dnstap_tls_client_key_file |
| dnstap client key for client authentication | |
| char * | dnstap_tls_client_cert_file |
| dnstap client cert for client authentication | |
| int | dnstap_send_identity |
| true to send "identity" via dnstap | |
| int | dnstap_send_version |
| true to send "version" via dnstap | |
| char * | dnstap_identity |
| dnstap "identity", hostname is used if "". | |
| char * | dnstap_version |
| dnstap "version", package version is used if "". | |
| int | dnstap_log_resolver_query_messages |
| true to log dnstap RESOLVER_QUERY message events | |
| int | dnstap_log_resolver_response_messages |
| true to log dnstap RESOLVER_RESPONSE message events | |
| int | dnstap_log_client_query_messages |
| true to log dnstap CLIENT_QUERY message events | |
| int | dnstap_log_client_response_messages |
| true to log dnstap CLIENT_RESPONSE message events | |
| int | dnstap_log_forwarder_query_messages |
| true to log dnstap FORWARDER_QUERY message events | |
| int | dnstap_log_forwarder_response_messages |
| true to log dnstap FORWARDER_RESPONSE message events | |
| int | disable_dnssec_lame_check |
| true to disable DNSSEC lameness check in iterator | |
| int | ip_ratelimit |
| ratelimit for ip addresses. More... | |
| int | ip_ratelimit_cookie |
| ratelimit for ip addresses with a valid DNS Cookie. More... | |
| size_t | ip_ratelimit_slabs |
| number of slabs for ip_ratelimit cache | |
| size_t | ip_ratelimit_size |
| memory size in bytes for ip_ratelimit cache | |
| int | ip_ratelimit_factor |
| ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic | |
| int | ip_ratelimit_backoff |
| ratelimit backoff, when on, if the limit is reached it is considered an attack and it backs off until 'demand' decreases over the RATE_WINDOW. | |
| int | ratelimit |
| ratelimit for domains. More... | |
| size_t | ratelimit_slabs |
| number of slabs for ratelimit cache | |
| size_t | ratelimit_size |
| memory size in bytes for ratelimit cache | |
| struct config_str2list * | ratelimit_for_domain |
| ratelimits for domain (exact match) | |
| struct config_str2list * | ratelimit_below_domain |
| ratelimits below domain | |
| int | ratelimit_factor |
| ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic | |
| int | ratelimit_backoff |
| ratelimit backoff, when on, if the limit is reached it is considered an attack and it backs off until 'demand' decreases over the RATE_WINDOW. | |
| int | outbound_msg_retry |
| number of retries on outgoing queries | |
| int | max_sent_count |
| max sent queries per qstate; resets on query restarts (e.g., CNAMES) and referrals | |
| int | max_query_restarts |
| max number of query restarts; determines max length of CNAME chain | |
| int | qname_minimisation |
| minimise outgoing QNAME and hide original QTYPE if possible | |
| int | qname_minimisation_strict |
| minimise QNAME in strict mode, minimise according to RFC. More... | |
| int | shm_enable |
| SHM data - true if shm is enabled. | |
| int | shm_key |
| SHM data - key for the shm. | |
| struct config_str2list * | edns_client_strings |
| list of EDNS client string entries, linked list | |
| uint16_t | edns_client_string_opcode |
| EDNS opcode to use for EDNS client strings. | |
| int | dnscrypt |
| DNSCrypt. More... | |
| int | dnscrypt_port |
| port on which to provide dnscrypt service | |
| char * | dnscrypt_provider |
| provider name 2.dnscrypt-cert.example.com | |
| struct config_strlist * | dnscrypt_secret_key |
| dnscrypt secret keys 1.key | |
| struct config_strlist * | dnscrypt_provider_cert |
| dnscrypt provider certs 1.cert | |
| struct config_strlist * | dnscrypt_provider_cert_rotated |
| dnscrypt provider certs 1.cert which have been rotated and should not be advertised through DNS's providername TXT record but are required to be able to handle existing traffic using the old cert. | |
| size_t | dnscrypt_shared_secret_cache_size |
| memory size in bytes for dnscrypt shared secrets cache | |
| size_t | dnscrypt_shared_secret_cache_slabs |
| number of slabs for dnscrypt shared secrets cache | |
| size_t | dnscrypt_nonce_cache_size |
| memory size in bytes for dnscrypt nonces cache | |
| size_t | dnscrypt_nonce_cache_slabs |
| number of slabs for dnscrypt nonces cache | |
| int | pad_responses |
| EDNS padding according to RFC7830 and RFC8467. More... | |
| size_t | pad_responses_block_size |
| block size with which to pad encrypted responses (default: 468) | |
| int | pad_queries |
| true to enable padding of queries (default: on) | |
| size_t | pad_queries_block_size |
| block size with which to pad encrypted queries (default: 128) | |
| int | do_answer_cookie |
| IPsec module. More... | |
| uint8_t | cookie_secret [40] |
| cookie secret | |
| size_t | cookie_secret_len |
| cookie secret length | |
| int | ede |
| respond with Extended DNS Errors (RFC8914) | |
The configuration options.
Strings are malloced.
| int config_file::delay_close |
delay close of udp-timeouted ports, if 0 no delayclose.
in msec
Referenced by config_create(), and config_set_option().
| int config_file::if_automatic |
automatic interface for incoming messages.
Uses ipv6 remapping, and recvmsg/sendmsg ancillary data to detect interfaces, boolean
Referenced by checkrlimits(), config_create(), config_set_option(), and listening_ports_open().
| int config_file::num_ifs |
number of interfaces to open.
If 0 default all interfaces.
Referenced by cfg_has_https(), checkrlimits(), config_create(), config_delete(), daemon_open_shared_ports(), and interfacechecks().
| int config_file::num_out_ifs |
number of outgoing interfaces to open.
If 0 default all interfaces.
Referenced by config_create(), config_delete(), and config_set_option().
| unsigned int config_file::keep_missing |
| int config_file::remote_control_enable |
remote control section.
enable toggle.
Referenced by config_set_option(), daemon_remote_create(), daemon_remote_open_ports(), and options_remote_is_address().
| int config_file::do_daemonize |
daemonize, i.e.
fork into the background.
Referenced by apply_settings(), config_create(), and config_set_option().
| int config_file::ip_ratelimit |
ratelimit for ip addresses.
0 is off, otherwise qps (unless overridden)
Referenced by checkrlimits(), config_set_option(), infra_adjust(), and infra_create().
| int config_file::ip_ratelimit_cookie |
ratelimit for ip addresses with a valid DNS Cookie.
0 is off, otherwise qps (unless overridden)
Referenced by config_set_option().
| int config_file::ratelimit |
ratelimit for domains.
0 is off, otherwise qps (unless overridden)
Referenced by checkrlimits(), config_set_option(), infra_adjust(), and infra_create().
| int config_file::qname_minimisation_strict |
minimise QNAME in strict mode, minimise according to RFC.
Do not apply fallback
Referenced by config_set_option().
| int config_file::dnscrypt |
DNSCrypt.
true to enable dnscrypt
Referenced by checkrlimits(), config_read(), and config_set_option().
| int config_file::pad_responses |
EDNS padding according to RFC7830 and RFC8467.
true to enable padding of responses (default: on)
Referenced by config_set_option().
| int config_file::do_answer_cookie |
IPsec module.
Downstream DNS Cookies do answer with server cookie when request contained cookie option