UNWIND.CONF(5) File Formats Manual UNWIND.CONF(5)

validating DNS resolver configuration file

The unwind(8) daemon is a validating DNS resolver.

The unwind.conf config file is divided into the following main sections:

Macros
User-defined variables may be defined and used later, simplifying the configuration file.
Global Configuration
Global settings for unwind(8).

Additional configuration files can be included with the include keyword.

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, forwarder, port, or DoT). Macros are not expanded inside quotes.

For example:

forwarder { $fwd1 $fwd2 }

A file containing domains to block, one per line. If a domain from this list is queried, unwind answers with a return code of refused.
unwind can detect when it is running behind a “captive portal” by sending an HTTP request and checking the response against the configured expected response. The check is triggered when dhclient(8) reports new nameservers. If the response does not match, unwind uses the DHCP-provided nameservers and periodically re-checks whether the user has passed the captive portal.
auto [yes | no]
When auto is set to yes, unwind automatically triggers a captive portal check when the network is changed. When set to no, a captive portal check can be triggered by unwindctl(8). The default is yes.
The body of the HTTP response is compared to response. The default is the empty string.
The expected HTTP status code. The default is 200.
URL to send HTTP queries to. This parameter is required.
forwarder {address [port number] [[authentication name name] DoT] ...}
A list of addresses of DNS name servers to forward queries to. port defaults to 53. If DoT is specified, DNS over TLS is used when sending queries to the server at address, and the default port is 853. name is used to validate the certificate of the DNS over TLS server.
preference {type ...}
A list of DNS name server types to specify the preference in which name servers are picked. Validating name servers are always picked over non-validating name servers. DNS name server types are:

dhcp
Name servers learned via DHCP.
DoT
DNS over TLS name servers configured in unwind.conf.
forwarder
Name servers configured in unwind.conf.
recursor
unwind itself recursively resolves names.

The default preference is DoT forwarder recursor dhcp.
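
An added example, not part of this manual or of unwind itself: a small Python audit that parses the forwarder list grammar described above, applies the stated default ports (53, or 853 with DoT), and flags entries that use plain DNS or DoT with no authentication name. The sample configuration, its documentation-range addresses, dns.example.net and the function names are constructed for illustration; the code assumes the brace form of forwarder, name=value macro definitions, and # comments.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}]+')
MACRO = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')
# Constructed sample; the addresses and the server name are placeholders.
SAMPLE = """\
fwd1=192.0.2.53
forwarder {
    $fwd1
    192.0.2.153 port 5353
    198.51.100.7 DoT
    198.51.100.8 authentication name dns.example.net DoT
}
preference { DoT forwarder recursor dhcp }
"""

def tokens(text):
    """Tokenize; expand $macro only outside quotes, as the manual specifies."""
    macros, out = {}, []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # assumption: '#' starts a comment
        if (m := MACRO.match(line)):
            macros[m.group(1)] = m.group(2)
            continue
        for tok in TOKEN.findall(line):
            out.extend(TOKEN.findall(macros[tok[1:]]) if tok[0] == '$' else [tok])
    return out

def forwarders(text):
    """Parse {address [port number] [[authentication name name] DoT] ...}."""
    t, found = tokens(text), []
    i = next(k for k in range(len(t) - 1) if t[k:k + 2] == ['forwarder', '{']) + 2
    while t[i] != '}':
        f = {'address': t[i], 'port': None, 'dot': False, 'auth_name': None}
        i += 1
        if t[i] == 'port':
            f['port'], i = int(t[i + 1]), i + 2
        if t[i:i + 2] == ['authentication', 'name']:
            f['auth_name'], i = t[i + 2].strip('"'), i + 3
        if t[i] == 'DoT':
            f['dot'], i = True, i + 1
        f['port'] = f['port'] or (853 if f['dot'] else 53)  # defaults from the manual
        found.append(f)
    return found

def audit(text):
    """List forwarders using plain DNS, or DoT with no authentication name."""
    return [(f['address'], f['port'], 'DoT without authentication name'
             if f['dot'] else 'plain DNS, no TLS')
            for f in forwarders(text) if not (f['dot'] and f['auth_name'])]
```

Calling audit(SAMPLE) reports the two plain forwarders and the DoT entry that has no authentication name; the fourth entry passes.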

Example configuration file.
The default unwind(8) configuration file.

rc.conf.local(8), unwind(8), unwindctl(8)

The unwind.conf file format first appeared in OpenBSD 6.5.
May 10, 2019 OpenBSD-current