Get the value of the option. Give the option name without a trailing ':'.
The value is printed. If the value is "", nothing is printed
and the connection closes. On error 'error ...' is printed (it gives
a syntax error on unknown option). For some options a list of values,
one on each line, is printed. The options are shown from the config file
as modified with set_option. For some options an override may have been
taken that does not show up with this command, not results from e.g. the
verbosity and forward control commands. Not all options work, see list_stubs,
list_forwards, list_local_zones and list_local_data for those.
.TP
.Blist_stubs
List the stub zones in use. These are printed one by one to the output.
This includes the root hints in use.
.TP
.Blist_forwards
List the forward zones in use. These are printed zone by zone to the output.
.TP
.Blist_local_zones
List the local zones in use. These are printed one per line with zone type.
.TP
.Blist_local_data
List the local data RRs in use. The resource records are printed.
.TP
.Binsecure_add\fIzone
Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf.
Adds to the running unbound without affecting the cache contents (which may
still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file.
.TP
.Binsecure_remove\fIzone
Removes domain\-insecure for the given zone.
.TP
.Bforward_add\fR[\fI+i\fR]\fIzoneaddr...
Add a new forward zone to running unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
a DNSSEC root trust anchor configured for other names).
The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
in unbound.conf.
.TP
.Bforward_remove\fR[\fI+i\fR]\fIzone
Remove a forward zone from running unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.Bstub_add\fR[\fI+ip\fR]\fIzoneaddr...
Add a new stub zone to running unbound. With +i option also adds a
\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
without it it is set to notprime. The addr can be IP4, IP6 or nameserver
names, like the \fIstub-zone\fR config in unbound.conf.
.TP
.Bstub_remove\fR[\fI+i\fR]\fIzone
Remove a stub zone from running unbound. The +i also removes a
\fIdomain\-insecure\fR for the zone.
.TP
.Bforward\fR[\fIoff\fR|\fIaddr...\fR]
Setup forwarding mode. Configures if the server should ask other upstream
nameservers, should go to the internet root nameservers itself, or show
the current config. You could pass the nameservers after a DHCP update.
.IP
Without arguments the current list of addresses used to forward all queries
to is printed. On startup this is from the forward\-zone "." configuration.
Afterwards it shows the status. It prints off when no forwarding is used.
.IP
If \fIoff\fR is passed, forwarding is disabled and the root nameservers
are used. This can be used to avoid to avoid buggy or non\-DNSSEC supporting
nameservers returned from DHCP. But may not work in hotels or hotspots.
.IP
If one or more IPv4 or IPv6 addresses are given, those are then used to forward
queries to. The addresses must be separated with spaces. With '@port' the
port number can be set explicitly (default port is 53 (DNS)).
.IP
By default the forwarder information from the config file for the root "." is
used. The config file is not changed, so after a reload these changes are
gone. Other forward zones from the config file are not affected by this command.
.SH"EXIT CODE"
The unbound\-control program exits with status code 1 on error, 0 on success.
.SH"SET UP"
The setup requires a self\-signed certificate and private keys for both
the server and client. The script \fIunbound\-control\-setup\fR generates
these in the default run directory, or with \-d in another directory.
If you change the access control permissions on the key files you can decide
who can use unbound\-control, by default owner and group but not all users.
Run the script under the same username as you have configured in unbound.conf
or as root, so that the daemon is permitted to read the files, for example with:
.nf
sudo \-u unbound unbound\-control\-setup
.fi
If you have not configured
a username in unbound.conf, the keys need read permission for the user
credentials under which the daemon is started.
The script preserves private keys present in the directory.
After running the script as root, turn on \fBcontrol\-enable\fR in
\fIunbound.conf\fR.
.SH"STATISTIC COUNTERS"
The \fIstats\fR command shows a number of statistic counters.
.TP
.IthreadX.num.queries
number of queries received by thread
.TP
.IthreadX.num.cachehits
number of queries that were successfully answered using a cache lookup
.TP
.IthreadX.num.cachemiss
number of queries that needed recursive processing
.TP
.IthreadX.num.prefetch
number of cache prefetches performed. This number is included in
cachehits, as the original query had the unprefetched answer from cache,
and resulted in recursive processing, taking a slot in the requestlist.
Not part of the recursivereplies (or the histogram thereof) or cachemiss,
as a cache response was sent.
.TP
.IthreadX.num.recursivereplies
The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
.TP
.IthreadX.requestlist.avg
The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query.
.TP
.IthreadX.requestlist.max
Maximum size attained by the internal recursive processing request list.
.TP
.IthreadX.requestlist.overwritten
Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time.
.TP
.IthreadX.requestlist.exceeded
Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up.
.TP
.IthreadX.requestlist.current.all
Current size of the request list, includes internally generated queries (such
as priming queries and glue lookups).
.TP
.IthreadX.requestlist.current.user
Current size of the request list, only the requests from client queries.
.TP
.IthreadX.recursion.time.avg
Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average.
.TP
.IthreadX.recursion.time.median
The median of the time it took to answer queries that needed recursive
processing. The median means that 50% of the user queries were answered in
less than this time. Because of big outliers (usually queries to non
responsive servers), the average can be bigger than the median. This median
has been calculated by interpolation from a histogram.
If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously.
.TP
.Imem.cache.rrset
Memory in bytes in use by the RRset cache.
.TP
.Imem.cache.message
Memory in bytes in use by the message cache.
.TP
.Imem.mod.iterator
Memory in bytes in use by the iterator module.
.TP
.Imem.mod.validator
Memory in bytes in use by the validator module. Includes the key cache and
negative cache.
.TP
.Ihistogram.<sec>.<usec>.to.<sec>.<usec>
Shows a histogram, summed over all threads. Every element counts the
recursive queries whose reply time fit between the lower and upper bound.
Times larger or equal to the lowerbound, and smaller than the upper bound.
There are 40 buckets, with bucket sizes doubling.
.TP
.Inum.query.type.A
The total number of queries over all threads with query type A.
Printed for the other query types as well, but only for the types for which
queries were received, thus =0 entries are omitted for brevity.
.TP
.Inum.query.type.other
Number of queries with query types 256\-65535.
.TP
.Inum.query.class.IN
The total number of queries over all threads with query class IN (internet).
Also printed for other classes (such as CH (CHAOS) sometimes used for
debugging), or NONE, ANY, used by dynamic update.
num.query.class.other is printed for classes 256\-65535.
.TP
.Inum.query.opcode.QUERY
The total number of queries over all threads with query opcode QUERY.
Also printed for other opcodes, UPDATE, ...
.TP
.Inum.query.tcp
Number of queries that were made using TCP towards the unbound server.
.TP
.Inum.query.tcpout
Number of queries that the unbound server made using TCP outgoing towards
other servers.
.TP
.Inum.query.ipv6
Number of queries that were made using IPv6 towards the unbound server.
.TP
.Inum.query.flags.RD
The number of queries that had the RD flag set in the header.
Also printed for flags QR, AA, TC, RA, Z, AD, CD.
Note that queries with flags QR, AA or TC may have been rejected
because of that.
.TP
.Inum.query.edns.present
number of queries that had an EDNS OPT record present.
.TP
.Inum.query.edns.DO
number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set.
These queries are also included in the num.query.edns.present number.
.TP
.Inum.answer.rcode.NXDOMAIN
The number of answers to queries, from cache or from recursion, that had the
return code NXDOMAIN. Also printed for the other return codes.
.TP
.Inum.answer.rcode.nodata
The number of answers to queries that had the pseudo return code nodata.
This means the actual return code was NOERROR, but additionally, no data was
carried in the answer (making what is called a NOERROR/NODATA answer).
These queries are also included in the num.answer.rcode.NOERROR number.
Common for AAAA lookups when an A record exists, and no AAAA.
.TP
.Inum.answer.secure
Number of answers that were secure. The answer validated correctly.
The AD bit might have been set in some of these answers, where the client
signalled (with DO or AD bit in the query) that they were ready to accept
the AD bit in the answer.
.TP
.Inum.answer.bogus
Number of answers that were bogus. These answers resulted in SERVFAIL
to the client because the answer failed validation.
.TP
.Inum.rrset.bogus
The number of rrsets marked bogus by the validator. Increased for every
RRset inspection that fails.
.TP
.Iunwanted.queries
Number of queries that were refused or dropped because they failed the
access control settings.
.TP
.Iunwanted.replies
Replies that were unwanted or unsolicited. Could have been random traffic,
delayed duplicates, very late answers, or could be spoofing attempts.
Some low level of late answers and delayed duplicates are to be expected
with the UDP protocol. Very high values could indicate a threat (spoofing).
.TP
.Imsg.cache.count
The number of items (DNS replies) in the message cache.
.TP
.Irrset.cache.count
The number of RRsets in the rrset cache. This includes rrsets used by
the messages in the message cache, but also delegation information.
.TP
.Iinfra.cache.count
The number of items in the infra cache. These are IP addresses with their
timing and protocol support information.
.TP
.Ikey.cache.count
The number of items in the key cache. These are DNSSEC keys, one item
per delegation point, and their validation status.
.SH"FILES"
.TP
.I@ub_conf_file@
unbound configuration file.
.TP
.I@UNBOUND_RUN_DIR@
directory with private keys (unbound_server.key and unbound_control.key) and
self\-signed certificates (unbound_server.pem and unbound_control.pem).