unbound-control(8) unbound 1.1.1 unbound-control(8)
NAME
unbound-control - Unbound remote server control utility.
SYNOPSIS
unbound-control [-h] [-c cfgfile] [-s server] command
DESCRIPTION
Unbound-control performs remote administration on the unbound(8) DNS
server. It reads the configuration file, contacts the unbound server
over SSL sends the command and displays the result.
The available options are:
-h Show the version and commandline option help.
-c cfgfile
The config file to read with settings. If not given the default
config file /usr/local/etc/unbound/unbound.conf is used.
-s server[@port]
IPv4 or IPv6 address of the server to contact. If not given,
the address is read from the config file.
COMMANDS
There are several commands that the server understands.
start Start the server. Simply execs unbound(8). The unbound exe-
cutable is searched for in the PATH set in the environment. It
is started with the config file specified using -c or the
default config file.
stop Stop the server. The server daemon exits.
reload Reload the server. This flushes the cache and reads the config
file fresh.
verbosity number
Change verbosity value for logging. Same values as verbosity
keyword in unbound.conf(5). This new setting lasts until the
server is issued a reload (taken from config file again), or the
next verbosity control command.
stats Print statistics. Resets the internal counters to zero, this can
be controlled using the statistics-cumulative config statement.
Statistics are printed with one [name]: [value] per line.
local_zone name type
Add new local zone with name and type. Like local-zone config
statement. If the zone already exists, the type is changed to
the given argument.
local_zone_remove name
Remove the local zone with the given name. Removes all local
data inside it. If the zone does not exist, the command suc-
ceeds.
local_data RR data...
Add new local data, the given resource record. Like local-data
config statement, except for when no covering zone exists. In
that case this remote control command creates a transparent zone
with the same name as this record. This command is not good at
returning detailed syntax errors.
local_data_remove name
Remove all RR data from local name. If the name already has no
items, nothing happens. Often results in NXDOMAIN for the name
(in a static zone), but if the name has become an empty nonter-
minal (there is still data in domain names below the removed
name), NOERROR nodata answers are the result for that name.
dump_cache
The contents of the cache is printed in a text format to stdout.
You can redirect it to a file to store the cache in a file.
load_cache
The contents of the cache is loaded from stdin. Uses the same
format as dump_cache uses. Loading the cache with old, or wrong
data can result in old or wrong data returned to clients.
lookup name
Print to stdout the name servers that would be used to look up
the name specified.
flush name
Remove the name from the cache. Removes the types A, AAAA, NS,
SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. Because that is fast
to do. Other record types can be removed using flush_type or
flush_zone.
flush_type name type
Remove the name, type information from the cache.
flush_zone name
Remove all information at or below the name from the cache. The
rrsets and key entries are removed so that new lookups will be
performed. This needs to walk and inspect the entire cache, and
is a slow operation.
EXIT CODE
The unbound-control program exits with status code 1 on error, 0 on
success.
SET UP
The setup requires a self-signed certificate and private keys for both
the server and client. The script unbound-control-setup generates
these in the default run directory, or with -d in another directory.
The script preserves private keys present in the directory. After run-
ning the script as root, turn on control-enable in unbound.conf.
STATISTIC COUNTERS
The stats command shows a number of statistic counters.
threadX.num.queries
number of queries received by thread
threadX.num.cachehits
number of queries that were successfully answered using a cache
lookup
threadX.num.cachemiss
number of queries that needed recursive processing
threadX.num.recursivereplies
The number of replies sent to queries that needed recursive pro-
cessing. Could be smaller than threadX.num.cachemiss if due to
timeouts no replies were sent for some queries.
threadX.requestlist.avg
The average number of requests in the internal recursive pro-
cessing request list on insert of a new incoming recursive pro-
cessing query.
threadX.requestlist.max
Maximum size attained by the internal recursive processing
request list.
threadX.requestlist.overwritten
Number of requests in the request list that were overwritten by
newer entries. This happens if there is a flood of queries that
recursive processing and the server has a hard time.
threadX.requestlist.exceeded
Queries that were dropped because the request list was full.
This happens if a flood of queries need recursive processing,
and the server can not keep up.
threadX.requestlist.current.all
Current size of the request list, includes internally generated
queries (such as priming queries and glue lookups).
threadX.requestlist.current.user
Current size of the request list, only the requests from client
queries.
threadX.recursion.time.avg
Average time it took to answer queries that needed recursive
processing. Note that queries that were answered from the cache
are not in this average.
threadX.recursion.time.median
The median of the time it took to answer queries that needed
recursive processing. The median means that 50% of the user
queries were answered in less than this time. Because of big
outliers (usually queries to non responsive servers), the aver-
age can be bigger than the median. This median has been calcu-
lated by interpolation from a histogram.
total.num.queries
summed over threads.
total.num.cachehits
summed over threads.
total.num.cachemiss
summed over threads.
total.num.recursivereplies
summed over threads.
total.requestlist.avg
averaged over threads.
total.requestlist.max
the maximum of the thread requestlist.max values.
total.requestlist.overwritten
summed over threads.
total.requestlist.exceeded
summed over threads.
total.requestlist.current.all
summed over threads.
total.recursion.time.median
averaged over threads.
time.now
current time in seconds since 1970.
time.up
uptime since server boot in seconds.
time.elapsed
time since last statistics printout, in seconds.
EXTENDED STATISTICS
mem.total.sbrk
If sbrk(2) is available, an estimate of the heap size of the
program in number of bytes. Close to the total memory used by
the program, as reported by top and ps. Could be wrong if the
OS allocates memory non-contiguously.
mem.cache.rrset
Memory in bytes in use by the RRset cache.
mem.cache.message
Memory in bytes in use by the message cache.
mem.mod.iterator
Memory in bytes in use by the iterator module.
mem.mod.validator
Memory in bytes in use by the validator module. Includes the key
cache and negative cache.
histogram.<sec>.<usec>.to.<sec>.<usec>
Shows a histogram, summed over all threads. Every element counts
the recursive queries whose reply time fit between the lower and
upper bound. Times larger or equal to the lowerbound, and
smaller than the upper bound. There are 40 buckets, with bucket
sizes doubling.
num.query.type.A
The total number of queries over all threads with query type A.
Printed for the other query types as well, but only for the
types for which queries were received, thus =0 entries are omit-
ted for brevity.
num.query.type.other
Number of queries with query types 256-65535.
num.query.class.IN
The total number of queries over all threads with query class IN
(internet). Also printed for other classes (such as CH (CHAOS)
sometimes used for debugging), or NONE, ANY, used by dynamic
update. num.query.class.other is printed for classes 256-65535.
num.query.opcode.QUERY
The total number of queries over all threads with query opcode
QUERY. Also printed for other opcodes, UPDATE, ...
num.query.tcp
Number of queries that were made using TCP towards the unbound
server.
num.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD. Note that
queries with flags QR, AA or TC may have been rejected because
of that.
num.query.edns.present
number of queries that had an EDNS OPT record present.
num.query.edns.DO
number of queries that had an EDNS OPT record with the DO
(DNSSEC OK) bit set. These queries are also included in the
num.query.edns.present number.
num.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion,
that had the return code NXDOMAIN. Also printed for the other
return codes.
num.answer.rcode.nodata
The number of answers to queries that had the pseudo return code
nodata. This means the actual return code was NOERROR, but
additionally, no data was carried in the answer (making what is
called a NOERROR/NODATA answer). These queries are also
included in the num.answer.rcode.NOERROR number. Common for
AAAA lookups when an A record exists, and no AAAA.
num.answer.secure
Number of answers that were secure. The answer validated cor-
rectly. The AD bit might have been set in some of these
answers, where the client signalled (with DO or AD bit in the
query) that they were ready to accept the AD bit in the answer.
num.answer.bogus
Number of answers that were bogus. These answers resulted in
SERVFAIL to the client because the answer failed validation.
num.rrset.bogus
The number of rrsets marked bogus by the validator. Increased
for every RRset inspection that fails.
unwanted.queries
Number of queries that were refused or dropped because they
failed the access control settings.
unwanted.replies
Replies that were unwanted or unsolicited. Could have been ran-
dom traffic, delayed duplicates, very late answers, or could be
spoofing attempts. Some low level of late answers and delayed
duplicates are to be expected with the UDP protocol. Very high
values could indicate a threat (spoofing).
FILES
/usr/local/etc/unbound/unbound.conf
unbound configuration file.
/usr/local/etc/unbound
directory with private keys (unbound_server.key and unbound_con-
trol.key) and self-signed certificates (unbound_server.pem and
unbound_control.pem).
SEE ALSO
unbound.conf(5), unbound(8).
NLnet Labs Nov 20, 2008 unbound-control(8)
