@ -121,7 +121,8 @@ Advanced
-------------------------
Although the default settings should be reasonable for most setups, some need more tuning or require specific options
set.
set. Some of these settings are enabled and given a default value by Unbound,
refer to `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`__ for the defaults.
=====================================================================================================================
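Review bot: the added sentence "Some of these settings are enabled and given a default value by Unbound, refer to `unbound.conf(5) ...`__ for the defaults." is a comma splice; split it or use a semicolon, e.g. "Some of these settings are enabled and given a default value by Unbound; refer to `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`__ for the defaults." The pointer to the upstream defaults is useful, since several entries below (cache sizes, TCP buffers, jostle timeout) quote default values that are otherwise only verifiable in that man page.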
@ -140,48 +141,99 @@ Harden DNSSEC data DNSSEC data is required for trust-anchored
If this is disabled and no DNSSEC data is received,
then the zone is made insecure.
Serve expired responses Serve expired responses from the cache with a TTL of 0
without waiting for the actual resolution to finish.
Message Cache Size Size of the message cache. The message cache stores DNS rcodes
and validation statuses. The RRSet cache will automatically be
set to twice this amount.
The RRSet cache contains the actual RR data. The default is 4 megabytes.
without waiting for the actual resolution to finish. When checked,
multiple options to customize the behaviour regarding expired responses
will appear.
Expired Record Reply TTL Value TTL value to use when replying with expired data.
If "Client Expired Response Timeout" is also used then it is recommended
to use 30 as the default value as per RFC 8767.
Only applicable when "Serve expired responses" is checked.
TTL for Expired Responses Limits the serving of expired responses to the configured amount of seconds
after expiration. A value of 0 disables the limit. A suggested value
as per RFC 8767 is between 86400 (1 day) and 259200 (3 days).
Only applicable when "Serve expired responses" is checked.
Reset Expired Record TTL Set the TTL of expired records to the "TTL for Expired Responses" value
after a failed attempt to retrieve the record from an upstream server.
This makes sure that the expired records will be served as long as
there are queries for it.
Only applicable when "Serve expired responses" is checked.
Client Expired Response Timeout Time in milliseconds before replying to the client with expired data.
This essentially enables the serve- stable behavior as specified in RFC 8767
that first tries to resolve before immediately responding with expired data.
A recommended value per RF 8767 is 1800. Setting this to 0 will disable this behavior.
Only applicable when "Serve expired responses" is checked.
Strict QNAME Minimisation Send minimum amount of information to upstream servers to enhance privacy.
Do not fall-back to sending full QNAME to potentially broken nameservers.
A lot of domains will not be resolvable when this option in enabled.
Only use if you know what you are doing.
Extended Statistics If enabled, extended statistics are printed to syslog.
Log Queries If enabled, prints one line per query to the log, with the log timestamp
and IP address, name, type and class. Note that it takes time to print these lines,
which makes the server (significantly) slower. Odd (non-printable) characters
in names are printed as '?'.
Log Replies If enabled, prints one line per reply to the log, with the log timestamp
and IP address, name, type, class, return code, time to resolve,
whether the reply is from the cache and the response size.
Note that it takes time to print these lines, which makes the server (significantly) slower.
Odd (non-printable) characters in names are printed as '?'.
Tag Queries and Replies If enabled, prints the word 'query: ' and 'reply: ' with logged queries and replies.
This makes filtering logs easier.
Log level verbosity Select the log verbosity. Level 0 means no verbosity, only errors.
Level 1 gives operational information. Level 2 gives detailed
operational information. Level 3 gives query level information,
output per query. Level 4 gives algorithm level information.
Level 5 logs client identification for cache misses. Default is level 1.
Private Domains List of domains to mark as private. These domains and all its subdomains
are allowed to contain private addresses.
Rebind Protection networks These are addresses on your private network, and are not allowed to
be returned for public internet names. Any occurrence of such addresses
are removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus.
This protects against so-called DNS Rebinding.
(Only applicable when DNS rebind check is enabled in
`Administration <settingsmenu.html#administration>`__)
Insecure Domains List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name.
Message Cache Size Size of the message cache. The message cache stores DNS rcodes and validation statuses.
The RRSet cache (which contains the actual RR data) will automatically be set to twice this amount.
Valid input is plain bytes, optionally appended with 'k', 'm', or 'g' for kilobytes,
megabytes or gigabytes respectively.
RRset Cache Size Size of the RRset cache. Contains the actual RR data. Valid input is plain bytes,
optionally appended with 'k', 'm', or 'g' for kilobytes, megabytes or gigabytes respectively.
Automatically set to twice the amount of the Message Cache Size when empty, but can be manually
modified.
Outgoing TCP Buffers The number of outgoing TCP buffers to allocate per thread.
The default value is 10. If 0 is selected then no TCP queries,
to authoritative servers, are done.
If 0 is selected then no TCP queries to authoritative servers are done.
Incoming TCP Buffers The number of incoming TCP buffers to allocate per thread.
The default value is 10. If 0 is selected then no TCP queries,
from clients, are accepted.
If 0 is selected then no TCP queries from clients are accepted.
Number of queries per thread The number of queries that every thread will service simultaneously.
If more queries arrive that need to be serviced,
and no queries can be jostled, then these queries are dropped.
If more queries arrive that need to be serviced, and no queries can be jostled out (see "Jostle Timeout"),
then these queries are dropped. This forces the client to resend after a timeout,
allowing the server time to work on the existing queries.
Outgoing Range The number of ports to open. This number of file descriptors can be opened per thread.
Larger numbers need extra resources from the operating system.
For performance a very large value is best. For reference,
usually double the amount of queries per thread is used.
Jostle Timeout This timeout is used for when the server is very busy.
This protects against denial of service by slow queries or
high query rates. The default value is 200 milliseconds.
Maximum TTL for RRsets and messages Configure a maximum Time to live for RRsets and messages in the cache.
The default is 86400 seconds (1 day). When the internal TTL expires
the cache item is expired. This can be configured to force the
resolver to query for data more often and not trust (very large) TTL values.
Minimum TTL for RRsets and messages Configure a minimum Time to live for RRsets and messages in the cache.
The default is 0 seconds. If the minimum value kicks in,
the data is cached for longer than the domain owner intended,
and thus less queries are made to look up the data.
The 0 value ensures the data in the cache is as the domain owner intended.
High values can lead to trouble as the data in the cache might not match up
with the actual data anymore.
TTL for Host cache entries Time to live for entries in the host cache.
The host cache contains roundtrip timing and
EDNS support information. The default is 15 minutes.
Number of Hosts to cache Number of hosts for which information is cached. The default is 10000.
Set to a value that usually results in one round-trip to the authority servers.
If too many queries arrive, then 50% of the queries are allowed to run to completion,
and the other 50% are replaced with the new incoming query if they have already spent
more than their allowed time. This protects against denial of service by
slow queries or high query rates.
Maximum TTL for RRsets and messages Configure a maximum Time to live in seconds for RRsets and messages in the cache.
When the internal TTL expires the cache item is expired.
This can be configured to force the resolver to query for
data more often and not trust (very large) TTL values.
Minimum TTL for RRsets and messages Configure a minimum Time to live in seconds for RRsets and messages in the cache.
If the minimum value kicks in, the data is cached for longer than the domain owner intended,
and thus fewer queries are made to look up the data. The 0 value ensures
the data in the cache is as the domain owner intended. High values can lead to
trouble as the data in the cache might not match up with the actual data anymore.
TTL for Host cache entries Time to live in seconds for entries in the host cache.
The host cache contains round-trip timing, lameness and EDNS support information.
Number of Hosts to cache Number of hosts for which information is cached.
Unwanted Reply Threshold If enabled, a total number of unwanted replies is kept track of in every
thread. When it reaches the threshold, a defensive action is taken and
a warning is printed to the log file. This defensive action is to clear
the RRSet and message caches, hopefully flushing away any poison.
The default is disabled, but if enabled a value of 10 million is suggested.
Log level verbosity Select the log verbosity. Level 0 means no verbosity, only errors.
Level 1 gives operational information. Level 2 gives detailed
operational information. Level 3 gives query level information,
output per query. Level 4 gives algorithm level information.
Level 5 logs client identification for cache misses. Default is level 1.
==================================== ===============================================================================
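Review bot: the "Client Expired Response Timeout" entry carries two typos that should be fixed before merge: "This essentially enables the serve- stable behavior" should read "serve-stale behavior", and "A recommended value per RF 8767 is 1800" should read "per RFC 8767". Further down in the same hunk, "Strict QNAME Minimisation" says "when this option in enabled" (should be "is enabled"), "Private Domains" says "These domains and all its subdomains" (should be "all their subdomains"), "Rebind Protection networks" says "Any occurrence of such addresses are removed" (should be "is removed"), and "Reset Expired Record TTL" says "as long as there are queries for it" (should be "for them"). On content: the "Serve expired responses" row still states that expired data is served "without waiting for the actual resolution to finish", which no longer holds once "Client Expired Response Timeout" is set, because that option, as its own description says, "first tries to resolve before immediately responding with expired data"; consider qualifying the first sentence (for example, "unless a Client Expired Response Timeout is configured") so the two rows do not contradict each other. For "Minimum TTL for RRsets and messages" it would help operators to spell out that a non-zero minimum also overrides short TTLs chosen for rapid key or address rotation, which is the concrete form of the "might not match up with the actual data anymore" warning. Finally, "Log level verbosity" appears twice in this hunk (once after "Tag Queries and Replies" and once at the end); confirm the first is the removed original and not a duplicated row.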