1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
.\" $OpenBSD: unwind.conf.5,v 1.13 2019/04/03 03:48:45 florian Exp $
.\"
.\" Copyright (c) 2018 Florian Obser <florian@openbsd.org>
.\" Copyright (c) 2005 Esben Norby <norby@openbsd.org>
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
.\" Copyright (c) 2002 Daniel Hartmeier <dhartmei@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: April 3 2019 $
.Dt UNWIND.CONF 5
.Os
.Sh NAME
.Nm unwind.conf
.Nd validating DNS resolver configuration file
.Sh DESCRIPTION
The
.Xr unwind 8
daemon is a validating DNS resolver.
.Pp
The
.Nm
config file is divided into the following main sections:
.Bl -tag -width xxxx
.It Sy Macros
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Sy Global Configuration
Global settings for
.Xr unwind 8 .
.El
.Pp
Additional configuration files can be included with the
.Ic include
keyword.
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore,
and may contain any of those characters.
Macro names may not be reserved words (for example,
.Ic forwarder ,
.Ic port ,
or
.Ic DoT ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
fwd1=192.0.2.53
fwd2=192.0.2.153
forwarder { $fwd1 $fwd2 }
.Ed
.Sh GLOBAL CONFIGURATION
.Bl -tag -width Ds
.It Ic captive portal Brq ...
.Nm unwind
can detect when it is running behind a
.Dq captive portal
by sending an HTTP request and checking the response against the
configured expected response.
The check is triggered when
.Xr dhclient 8
reports new nameservers.
If the response does not match,
.Nm unwind
uses the DHCP provided nameservers and periodically re-checks if the user
passed the captive portal.
.Bl -tag -width Ds
.It Ic auto Op Cm yes | no
When
.Ic auto
is set to
.Cm yes
.Nm unwind
automatically triggers a captive portal check
when the network is changed.
When set to
.Cm no
a captive portal check can be triggered by
.Xr unwindctl 8 .
The default is
.Cm yes .
.It Ic expected response Ar response
The body of the HTTP response is compared to
.Ar response .
The default is the empty string.
.It Ic expected status Ar status
The expected HTTP status code.
The default is 200.
.It Ic url Ar URL
URL to send HTTP queries to.
This parameter is required.
.El
.It Ic forwarder Brq Ar address Oo Ic port Ar number Oc Oo Oo Ic authentication name Ar name Oc Ic DoT Oc ...
A list of addresses of DNS name servers to forward queries to.
.Ic port
defaults to 53.
If
.Ic DoT
is specified, use DNS over TLS when sending queries to the server at
.Ar address .
The default
.Ic port
is 853.
.Ar name
validates the certificate of the DNS over TLS server.
.It Ic preference Brq Ar type ...
A list of DNS name server types to specify the preference in which
name servers are picked.
Validating name servers are always picked over non-validating name servers.
DNS name server types are:
.Pp
.Bl -tag -width "forwarder" -compact
.It Ic dhcp
Name servers learned via DHCP.
.It Ic DoT
DNS over TLS name servers configured in
.Nm .
.It Ic forwarder
Name servers configured in
.Nm .
.It Ic recursor
.Nm unwind
itself recursively resolves names.
.El
.Pp
The default preference is
.Ic DoT forwarder recursor dhcp .
.El
.Sh FILES
.Bl -tag -width "/etc/examples/unwind.conf" -compact
.It Pa /etc/examples/unwind.conf
Example configuration file.
.It Pa /etc/unwind.conf
The default
.Xr unwind 8
configuration file.
.El
.Sh SEE ALSO
.Xr rc.conf.local 8 ,
.Xr unwind 8 ,
.Xr unwindctl 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 6.5 .
|
