1.\" $OpenBSD: unwind.conf.5,v 1.35 2024/11/24 11:33:34 kirill Exp $ 2.\" 3.\" Copyright (c) 2018 Florian Obser <florian@openbsd.org> 4.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org> 5.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> 6.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 7.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org> 8.\" 9.\" Permission to use, copy, modify, and distribute this software for any 10.\" purpose with or without fee is hereby granted, provided that the above 11.\" copyright notice and this permission notice appear in all copies. 12.\" 13.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20.\" 21.Dd $Mdocdate: November 24 2024 $ 22.Dt UNWIND.CONF 5 23.Os 24.Sh NAME 25.Nm unwind.conf 26.Nd validating DNS resolver configuration file 27.Sh DESCRIPTION 28The 29.Xr unwind 8 30daemon is a validating DNS resolver. 31.Pp 32The 33.Nm 34config file is divided into the following main sections: 35.Bl -tag -width xxxx 36.It Sy Macros 37User-defined variables may be defined and used later, simplifying the 38configuration file. 39.It Sy Global Configuration 40Global settings for 41.Xr unwind 8 . 42.El 43.Pp 44Additional configuration files can be included with the 45.Ic include 46keyword. 47.Sh MACROS 48Macros can be defined that will later be expanded in context. 49Macro names must start with a letter, digit, or underscore, 50and may contain any of those characters. 51Macro names may not be reserved words (for example, 52.Ic forwarder , 53.Ic port , 54or 55.Ic DoT ) . 56Macros are not expanded inside quotes. 57.Pp 58For example: 59.Bd -literal -offset indent 60fwd1=192.0.2.53 61fwd2=192.0.2.153 62forwarder { $fwd1 $fwd2 } 63.Ed 64.Sh GLOBAL CONFIGURATION 65.Bl -tag -width Ds 66.It Ic block list Ar file Op Cm log 67A file containing domains to block, one per line. 68If a domain from this list is queried, 69.Nm unwind 70answers with a return code of 71.Dv REFUSED . 72With 73.Cm log 74blocked queries are logged. 75The list supports limited wildcard syntax: domains starting with . (dot) 76are treated as any subdomains on that zone. 77.It Ic forwarder Brq Ar address Oo Ic port Ar number Oc Oo Oo Ic authentication name Ar name Oc Ic DoT Oc ... 78A list of addresses of DNS name servers to forward queries to. 79.Ic port 80defaults to 53. 81If 82.Ic DoT 83is specified, use DNS over TLS when sending queries to the server at 84.Ar address . 85The default 86.Ic port 87is 853. 88.Ar name 89validates the certificate of the DNS over TLS server. 90.It Ic preference Brq Ar type ... 91A list of DNS name server types to specify the order in which 92name servers are picked when measured round-trip time medians are equal. 93Additionally, the first mentioned type gets a time bonus. 94Validating name servers are always picked over non-validating name servers. 95DNS name server types are, 96in default order of preference: 97.Bl -tag -width "oDoT-forwarder" 98.It Ic DoT 99DNS over TLS name servers configured in 100.Nm . 101.It Ic oDoT-forwarder 102Name servers configured in 103.Nm . 104.Nm unwind 105tries to opportunistically use DNS over TLS. 106.It Ic forwarder 107Name servers configured in 108.Nm . 109.It Ic recursor 110.Nm unwind 111itself recursively resolves names. 112.It Ic oDoT-autoconf 113Name servers learned from autoconfiguration. 114A list of sources for proposals learned through autoconfiguration 115is documented in 116.Xr resolvd 8 . 117.Nm unwind 118tries to opportunistically use DNS over TLS. 119.It Ic autoconf 120Name servers learned from autoconfiguration. 121.It Ic stub 122Name servers learned from autoconfiguration, 123queried using the libc functions 124(see 125.Xr asr_run 3 ) . 126Will never validate. 127Useful when running behind broken middle boxes that do not like edns0. 128DNS answers from stub name servers are not cached. 129.El 130.It Ic force Oo Cm accept bogus Oc Ar type Brq Ar name ... 131Force resolving of 132.Ar name 133and its subdomains by the given resolver 134.Ar type . 135The 136.Ar type 137must be listed in the 138.Ic preference 139list to be used. 140If 141.Cm accept bogus 142is specified, validation is not enforced. 143.El 144.Sh FILES 145.Bl -tag -width "/etc/unwind.conf" -compact 146.It Pa /etc/unwind.conf 147The default 148.Xr unwind 8 149configuration file. 150.El 151.Sh EXAMPLES 152Block requests for domains in 153.Pa /etc/blocklist 154and log each blocked request: 155.Bd -literal -offset indent 156block list "/etc/blocklist" log 157.Ed 158.Pp 159Define a DNS over TLS (DoT) forwarder and make it the preferred resolver: 160.Bd -literal -offset indent 161forwarder { 192.168.1.250 port 8080 authentication name "resolver.local" DoT } 162preference { DoT } 163.Ed 164.Pp 165Where a domain requires a specific nameserver 166and it may only exist in a nameserver available on the local network, 167force 168.Xr unwind 8 169to use a specific resolver type: 170.Bd -literal -offset indent 171force autoconf { domain.local } 172.Ed 173.Sh SEE ALSO 174.Xr rc.conf.local 8 , 175.Xr unwind 8 , 176.Xr unwindctl 8 177.Sh HISTORY 178The 179.Nm 180file format first appeared in 181.Ox 6.5 . 182