Each setting can appear on the command line, prefixed by '--', or in the configuration file. The command line overrides the configuration file.
## `aaaa-additional-processing`
-If turned on, the recursor will attempt to add AAAA IPv6 records to questions for MX records and NS records. Can be quite slow as absence of these records in earlier answers does not guarantee their non-existence. Can double the amount of queries needed. Off by default.
+* Boolean
+* Default: No
+
+If turned on, the recursor will attempt to add AAAA IPv6 records to questions
+for MX records and NS records. Can be quite slow as absence of these records in
+earlier answers does not guarantee their non-existence. Can double the amount of
+queries needed.
## `allow-from`
-Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 private IP addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it is highly recommended to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do not get an answer.
+* IP ranges, separated by commas
+* Default: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
+
+Netmasks (both IPv4 and IPv6) that are allowed to use the server. The default
+allows access only from RFC 1918 private IP addresses. Due to the aggressive
+nature of the internet these days, it is highly recommended to not open up the
+recursor for the entire internet. Questions from IP addresses not listed here
+are ignored and do not get an answer.
## `allow-from-file`
-Like [`allow-from`](#allow-from), except reading from file. Overrides the [`allow-from`](#allow-from) setting. To use this feature, supply one netmask per line, with optional comments preceded by a \#. Available since version 3.1.5.
+* Path
+
+Like [`allow-from`](#allow-from), except reading from file. Overrides the
+[`allow-from`](#allow-from) setting. To use this feature, supply one netmask per
+line, with optional comments preceded by a \#. Available since version 3.1.5.
## `any-to-tcp`
-Answer questions for the ANY type on UDP with a truncated packet that refers the remote server to TCP. Useful for mitigating ANY reflection attacks. Defaults to off.
+* Boolean
+* Default: no
+
+Answer questions for the ANY type on UDP with a truncated packet that refers the
+remote server to TCP. Useful for mitigating ANY reflection attacks.
## `auth-can-lower-ttl`
-Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a 'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. This will mean a slight deterioration of performance, and it will not solve any problems, but does make the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default.
+* Boolean
+* Default: no
+
+Authoritative zones can transmit a TTL value that is lower than that specified
+in the parent zone. This is called a 'delegation inconsistency'. To follow
+RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. This will
+mean a slight deterioration of performance, and it will not solve any problems,
+but does make the recursor more standards compliant. Not recommended unless you
+have to tick an 'RFC 2181 compliant' box.
## `auth-zones`
-Comma separated list of 'zonename=filename' pairs. Zones read from these files (in BIND format) are served authoritatively. Example: `auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com`. Available since version 3.1.
+* Comma separated list of 'zonename=filename' pairs
+* Available since: 3.1
+
+Zones read from these files (in BIND format) are served authoritatively. Example:
+`auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com`.
## `carbon-ourname`
+* String
+* Available since: 3.5.3
+
If sending carbon updates, if set, this will override our hostname. Be
careful not to include any dots in this setting, unless you know what you
-are doing. See ["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-Available beyond 3.5.3.
+are doing. See ["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
+
+## `carbon-server`
+* IP address
+* Available since: 3.5.3
+If set to an IP or IPv6 address, will send all available metrics to this server
+via the carbon protocol, which is used by graphite and metronome. See
+["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-## `carbon-server=...`
-If set to an IP or IPv6 address, will send all available metrics to this server via the carbon protocol, which is used by graphite and metronome. See ["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome). Available beyond 3.5.3.
+## `carbon-interval`
+* Integer
+* Default: 30
-## `carbon-interval=...`
If sending carbon updates, this is the interval between them in seconds. See ["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome). Available beyond 3.5.3.
## `chroot`
+* Path to a Directory
If set, chroot to this directory for more security. See [Security](../common/security.md).
-Make sure that `/dev/log` is available from within the chroot. Logging will silently fail over time otherwise (on logrotate).
+Make sure that `/dev/log` is available from within the chroot. Logging will
+silently fail over time otherwise (on logrotate).
## `client-tcp-timeout`
-Time to wait for data from TCP clients. Defaults to 2 seconds.
+* Integer
+* Default: 2
+
+Time to wait for data from TCP clients.
## `config-dir`
-Directory where the configuration file can be found.
+* Path
+
+Location of configuration directory (`recursor.conf`). Usually `/etc/powerdns`, but
+this depends on `SYSCONFDIR` during compile-time.
+
+## `config-name`
+* String
+* Default: unset
+
+When running multiple recursors on the same server, read settings from
+"name-recursor.conf", this will also rename the binary image.
## `daemon`
-Operate in the background, which is the default.
+* Boolean
+* Default: yes
+
+Operate in the background.
## `delegation-only`
-A Verisign special.
+* Domains, comma separated
+
+Which domains we only accept delegations from (a Verisign special).
+
+## `disable-edns`
+* Boolean
+* Default: yes
+
+Disable EDNS. EDNS support is experimental, please keep this setting as-is.
## `disable-packetcache`
-Turn off the packet cache. Useful when running with Lua scripts that can not be cached. Available since version 3.2.
+* Boolean
+* Default: no
+* Available since: 3.2
+
+Turn off the packet cache. Useful when running with Lua scripts that can not be
+cached.
## `dont-query`
-The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query private space IP addresses. This setting can be used to expand or reduce the limitations.
+* Netmasks, comma separated
+* Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
+ 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24,
+ 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96,
+ ::ffff:0:0/96, 100::/64, 2001:db8::/32
+* Available since: 3.1.5
+
+The DNS is a public database, but sometimes contains delegations to private IP
+addresses, like for example 127.0.0.1. This can have odd effects, depending on
+your network, and may even be a security risk. Therefore, since version 3.1.5,
+the PowerDNS recursor by default does not query private space IP addresses.
+This setting can be used to expand or reduce the limitations.
## `entropy-source`
-From version 3.1.5 onwards, PowerDNS can read entropy from a (hardware) source. This is used for generating random numbers which are very hard to predict. Generally on UNIX platforms, this source will be `/dev/urandom`, which will always supply random numbers, even if entropy is lacking. Change to `/dev/random` if PowerDNS should block waiting for enough entropy to arrive.
+* Path
+* Default: /dev/urandom
+* Available since: 3.1.5
+
+PowerDNS can read entropy from a (hardware) source. This is used for generating
+random numbers which are very hard to predict. Generally on UNIX platforms,
+this source will be `/dev/urandom`, which will always supply random numbers,
+even if entropy is lacking. Change to `/dev/random` if PowerDNS should block
+waiting for enough entropy to arrive.
+
+## `experimental-api-config-dir`
+* Path
+* Default: unset
+
+Directory where the REST API stores its configuration and zones.
+
+## `experimental-api-key`
+* String
+* Default: unset
+
+Static pre-shared authentication key for access to the REST API.
+
+## `experimental-api-readonly`
+* Boolean
+* Default: no
+
+Whether or not the JSON API is read only.
+
+## `experimental-logfile`
+* Path
+* Default: unset
+
+Location of the logs from the JSON parser.
+
+## `experimental-webserver`
+* Boolean
+* Default: no
+
+Start the experimental webserver for monitoring.
+
+## `experimental-webserver-address`
+* IP Addresses, separated by spaces
+* Default: 127.0.0.1
+
+IP address for the webserver to listen on.
+
+## `experimental-webserver-password`
+* String
+* Default: unset
+
+Password required to access the webserver.
+
+## `experimental-webserver-port`
+* Integer
+* Default: 8082
+
+TCP port where the webserver should listen on.
+
+## `webserver-allow-from`
+* IP addresses, comma separated
+* Default: 0.0.0.0, ::/0
+
+These subnets are allowed to access the webserver.
+
+## `etc-hosts-file`
+* Path
+* Default: /etc/hosts
+
+The path to the /etc/hosts file, or equivalent. This file can be used to serve
+data authoritatively using [`export-etc-hosts`](#export-etc-hosts).
## `export-etc-hosts`
-If set, this flag will export the host names and IP addresses mentioned in `/etc/hosts`. Available since version 3.1.
+* Boolean
+* Default: no
+* Available since: 3.1
+
+If set, this flag will export the host names and IP addresses mentioned in
+`/etc/hosts`.
## `export-etc-hosts-search-suffix`
-If set, all hostnames in the export-etc-hosts file are loaded in canonical form, based on this suffix, unless the name contain a '.', in which case the name is unchanged. So an entry called 'pc' with export-etc-hosts-search-suffix='home.com' will lead to the generation of 'pc.home.com' within the recursor. An entry called 'server1.home' will be stored as 'server1.home', regardless of the export-etc-hosts setting. Available in since version 3.4.
+* String
+* Available since: 3.4
+
+If set, all hostnames in the [`export-etc-hosts`](#export-etc-hosts) file are
+loaded in canonical form, based on this suffix, unless the name contains a '.',
+in which case the name is unchanged. So an entry called 'pc' with
+`export-etc-hosts-search-suffix='home.com'` will lead to the generation of
+'pc.home.com' within the recursor. An entry called 'server1.home' will be stored
+as 'server1.home', regardless of this setting.
## `fork`
-If running on an SMP system with enough memory, this feature forks PowerDNS so it benefits from two processors. Experimental. Renames controlsockets, so care is needed to connect to the right one using `rec_control`, using `socket-pid`. Available in versions of the Recursor before 3.2, replaced by the 'threads' setting.
+* Boolean
+* Default: no
+* Available until: 3.2
+
+If running on an SMP system with enough memory, this feature forks PowerDNS so
+it benefits from two processors. Experimental. Renames controlsockets, so care
+is needed to connect to the right one using `rec_control`, using `socket-pid`.
+Available in versions of the Recursor before 3.2, replaced by the
+['threads'](#threads) setting.
## `forward-zones`
-Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. `forward-zones=example.org=203.0.113.210, powerdns.com=2001:DB8::BEEF:5`. Available since version 3.1.
+* 'zonename=IP' pairs, comma separated
+* Available since: 3.1
+
+Queries for zones listed here will be forwarded to the IP address listed. i.e.
+`forward-zones=example.org=203.0.113.210, powerdns.com=2001:DB8::BEEF:5`.
-Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured. Sample syntax: `forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530;[2001:DB8::1:3]:5300`, or on the command line: `--forward-zones="example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;9.8.7.6:530;[2001:DB8::1:3]:5300"`.
+Since version 3.1.5, multiple IP addresses can be specified. Additionally, port
+numbers other than 53 can be configured. Sample syntax:
+`forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530;[2001:DB8::1:3]:5300`,
+or on the command line:
+`--forward-zones="example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;9.8.7.6:530;[2001:DB8::1:3]:5300"`.
-Forwarded queries have the 'recursion desired' bit set to 0, meaning that this setting is intended to forward queries to authoritative servers.
+Forwarded queries have the 'recursion desired' bit set to 0, meaning that this
+setting is intended to forward queries to authoritative servers.
## `forward-zones-file`
-Same as [`forward-zones`](#forward-zones-file), parsed from a file. Only 1 zone is allowed per line, specified as follows: `example.org=203.0.113.210, 192.0.2.4:5300`. No comments are allowed. Available since version 3.1.5.
+* Path
+* Available since: 3.1.5
-Since version 3.2, zones prefixed with a '+' are forwarded with the recursion-desired bit set to one, for which see 'forward-zones-recurse'. Default behaviour without '+' is as with [`forward-zones`](#forward-zones).
+Same as [`forward-zones`](#forward-zones), parsed from a file. Only 1 zone is
+allowed per line, specified as follows: `example.org=203.0.113.210, 192.0.2.4:5300`.
+No comments are allowed.
+
+Since version 3.2, zones prefixed with a '+' are forwarded with the
+recursion-desired bit set to one, for which see ['forward-zones-recurse'](#forward-zones-recurse).
+Default behaviour without '+' is as with [`forward-zones`](#forward-zones).
## `forward-zones-recurse`
-Like regular 'forward-zones' (see above), but forwarded queries have the 'recursion desired' bit set to 1, meaning that this setting is intended to forward queries to authoritative servers or to resolving servers. Available since version 3.2.
+* 'zonename=IP' pairs, comma separated
+* Available since: 3.2
+
+Like regular [`forward-zones`](#forward-zones), but forwarded queries have the
+'recursion desired' bit set to 1, meaning that this setting is intended to
+forward queries to authoritative servers or to resolving servers.
## `hint-file`
-If set, the root-hints are read from this file. If unset, default root hints are used. Available since version 2.9.19.
+* Path
+* Available since: 2.9.19
+
+If set, the root-hints are read from this file. If unset, default root hints are
+used.
+
+## `include-dir`
+* Path
+
+Directory to scan for additional config files. All files that end with .conf are
+loaded in order using `POSIX` as locale.
## `latency-statistic-size`
-Indication of how many queries will be averaged to get the average latency reported by the 'qa-latency' metric. Since 3.6.
+* Integer
+* Default: 10000
+* Available since 3.6
+
+Indication of how many queries will be averaged to get the average latency
+reported by the 'qa-latency' metric.
## `local-address`
-Local IPv4 or IPv6 addresses to bind to, comma separated. Defaults to only loopback. Addresses can also contain port numbers, for IPv4 specify like this: `192.0.2.4:5300`, for IPv6: `[::1]:5300`. Port specifications are available since version 3.1.2.
+* IP addresses, comma separated
+* Default: 127.0.0.1
-**Warning**: When binding to wildcard addresses, UNIX semantics mean that answers may not be sent from the address a query was received on. It is highly recommended to bind to explicit addresses.
+Local IPv4 or IPv6 addresses to bind to. Addresses can also contain port numbers,
+for IPv4 specify like this: `192.0.2.4:5300`, for IPv6: `[::1]:5300`.
+Port specifications are available since version 3.1.2.
+
+**Warning**: When binding to wildcard addresses, UNIX semantics mean that
+answers may not be sent from the address a query was received on. It is highly
+recommended to bind to explicit addresses.
## `local-port`
-Local port (singular) to bind to. Defaults to 53.
+* Integer
+* Default: 53
+
+Local port to bind to.
## `loglevel`
-Amount of logging. Higher is more, more logging may destroy performance. Available since 3.6.
+* Integer between 0 and
+* Default: 4
+* Available since: 3.6
+
+Amount of logging. Higher is more, more logging may destroy performance.
## `log-common-errors`
-Some DNS errors occur rather frequently and are no cause for alarm. Logging these is on by default.
+* Boolean
+* Default: no
+
+Some DNS errors occur rather frequently and are no cause for alarm.
## `logging-facility`
-If set to a digit, logging is performed under this LOCAL facility. See [Logging](../common/logging.md#logging). Available from 3.1.3 and onwards. Do not pass names like 'local0'!
+* Integer
+* Available since: 3.1.3
+
+If set to a digit, logging is performed under this LOCAL facility. See
+[Logging](../common/logging.md#logging). Do not pass names like 'local0'!
+
+## `lua-dns-script`
+* Path
+* Default: unset
+
+Path to a lua file to manipulate the recursor's answers. See [Scripting the
+recursor](scripting.md).
## `max-cache-entries`
-Maximum number of DNS cache entries. 1 million per thread will generally suffice for most installations.
+* Integer
+* Default: 1000000
-## `max-packetcache-entries`
-Maximum number of Packet Cache entries. 1 million per thread will generally suffice for most installations. Available since version 3.2.
+Maximum number of DNS cache entries. 1 million per thread will generally suffice
+for most installations.
## `max-cache-ttl`
-Maximum number of seconds to cache an item in the DNS cache, no matter what the original TTL specified. Available since version 3.2.
+* Integer
+* Default: 86400
+* Available since: 3.2
+
+Maximum number of seconds to cache an item in the DNS cache, no matter what the
+original TTL specified.
+
+## `max-mthreads`
+* Integer
+* Default: 2048
+
+Maximum number of simultaneous MTasker threads.
+
+## `max-packetcache-entries`
+* Integer
+* Default: 500000
+* Available since: 3.2
+
+Maximum number of Packet Cache entries. 1 million per thread will generally
+suffice for most installations.
+
+## `max-qperq`
+* Integer
+* Default: 50
+
+The maximum number of outgoing queries that will be sent out during the resolution
+of a single client query. This is used to limit endlessy chasing CNAME redirections.
## `max-negative-ttl`
-A query for which there is authoritatively no answer is cached to quickly deny a record's existence later on, without putting a heavy load on the remote server. In practice, caches can become saturated with hundreds of thousands of hosts which are tried only once. This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative entries are cached.
+* Integer
+* Default: 3600
+
+A query for which there is authoritatively no answer is cached to quickly deny a
+record's existence later on, without putting a heavy load on the remote server.
+In practice, caches can become saturated with hundreds of thousands of hosts
+which are tried only once. This setting, which defaults to 3600 seconds, puts a
+maximum on the amount of time negative entries are cached.
## `max-tcp-clients`
-Maximum number of simultaneous incoming TCP connections allowed. Defaults to 128. Available since version 2.9.18.
+* Integer
+* Default: 128
+
+Maximum number of simultaneous incoming TCP connections allowed.
## `max-tcp-per-client`
-Maximum number of simultaneous incoming TCP connections allowed per client (remote IP address). Defaults to 0, which means unlimited.
+* Integer
+* Default: 0 (unlimited)
+
+Maximum number of simultaneous incoming TCP connections allowed per client
+(remote IP address).
+
+## `max-total-msec`
+* Integer
+* Default: 7000
+
+Total maximum number of miliseconds of wallclock time the servermay use to answer
+a single query.
## `minimum-ttl-override`
-Available since 3.6, this setting artificially raises all TTLs to be at least this long. While this is a gross hack, and violates RFCs, under conditions of DoS, it may enable you to continue serving your customers. Can be set at runtime using `rec_control set-minimum-ttl 3600`. To disable, set to 0 (the default).
+* Integer
+* Default: 0 (disabled)
+
+This setting artificially raises all TTLs to be at least this long. While this
+is a gross hack, and violates RFCs, under conditions of DoS, it may enable you
+to continue serving your customers. Can be set at runtime using
+`rec_control set-minimum-ttl 3600`.
## `network-timeout`
-Number of milliseconds to wait for a remote authoritative server to respond. Defaults to 1500 msec, available since version 3.2.
+* Integer
+* Default: 1500
+* Available since: 3.2
+
+Number of milliseconds to wait for a remote authoritative server to respond.
## `packetcache-ttl`
-Maximum number of seconds to cache an item in the packet cache, no matter what the original TTL specified. Available since version 3.2.
+* Integer
+* Default: 3600
+* Available since: 3.2
+
+Maximum number of seconds to cache an item in the packet cache, no matter what
+the original TTL specified.
## `packetcache-servfail-ttl`
-Maximum number of seconds to cache a 'server failure' answer in the packet cache. Available since version 3.2.
+* Integer
+* Default: 60
+* Available since: 3.2
+
+Maximum number of seconds to cache a 'server failure' answer in the packet cache.
## `pdns-distributes-queries`
-If set, PowerDNS will have only 1 thread listening on client sockets, and distribute work by itself over threads. Improves performance on Linux. Do not use on Recursor versions before 3.6 as the feature was experimental back then, and not that stable.
+* Boolean
+* Default: no
+* Available since: 3.6
+
+If set, PowerDNS will have only 1 thread listening on client sockets, and
+distribute work by itself over threads. Improves performance on Linux. Do not
+use on Recursor versions before 3.6 as the feature was experimental back then,
+and not that stable.
## `query-local-address`
-Send out local queries from this address, or addresses. Since version 3.2, by adding multiple addresses, increased spoofing resilience is achieved. Addresses can be separated by a comma.
+* IPv4 Address, comma separated
+* Default: 0.0.0.0
+* Available since: 3.2
+
+Send out local queries from this address, or addresses, by adding multiple
+addresses, increased spoofing resilience is achieved.
## `query-local-address6`
-Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing IPv6 support. Since version 3.2, multiple addresses can be specified, separated by a comma.
+* IPv6 addresses, comma separated
+* Default: unset
+* Available since: 3.2
+
+Send out local IPv6 queries from this address or addresses. Disabled by default,
+which also disables outgoing IPv6 support.
## `quiet`
-Don't log queries. On by default.
+* Boolean
+* Default: yes
+
+Don't log queries.
+
+## `serve-rfc-1918`
+* Boolean
+* Default: yes
-## `remotes-ringbuffer-entries`
-Number of entries in the remotes ringbuffer, which keeps statistics on who is querying your server. Can be read out using **rec\_control top-remotes**. Defaults to 0.
+This makes the server authoritatively aware of: `10.in-addr.arpa`,
+`168.192.in-addr.arpa`, `16-31.172.in-addr.arpa`, which saves load on the AS112
+servers. Individual parts of these zones can still be loaded or forwarded.
-## `serve-rfc*1918*`
-On by default, this makes the server authoritatively aware of: `10.in-addr.arpa`, `168.192.in-addr.arpa`, `16-31.172.in-addr.arpa`, which saves load on the AS112 servers. Individual parts of these zones can still be loaded or forwarded.
+## `server-down-max-fails`
+* Integer
+* Default: 64
+* Available since: 3.6
-## `server-down-max-fails`, `server-down-throttle-time`
-If a server has not responded in any way this many times in a row, no longer send it any queries for server-down-throttle-time seconds. Afterwards, we will try a new packet, and if that also gets no response at all, we again throttle for server-down-throttle-time-seconds. Even a single response packet will drop the block. Available and on by default since 3.6.
+If a server has not responded in any way this many times in a row, no longer
+send it any queries for [`server-down-throttle-time`](#server-down-throttle-time)
+seconds. Afterwards, we will try a new packet, and if that also gets no response
+at all, we again throttle for [`server-down-throttle-time-seconds`](#server-down-throttle-time).
+Even a single response packet will drop the block.
+
+## `server-down-throttle-time`
+* Integer
+* Default: 60
+* Available since: 3.6
+
+Throttle a server that has failed to respond [`server-down-max-fails`](#server-down-max-fails)
+times for this many seconds.
## `server-id`
-The PowerDNS recursor by replies to a query for 'id.server' with its hostname, useful for in clusters. Use this setting to override the answer it gives.
+* String
+* Default: The hostname of the server
+
+The PowerDNS recursor by replies to a query for 'id.server' with its hostname,
+useful for in clusters. Use this setting to override the answer it gives.
+
+## `setgid`, `setuid`
+* String
+* Default: unset
+
+PowerDNS can change its user and group id after binding to its socket. Can be
+used for better [security](security.md).
+
+## `single-socket`
+* Boolean
+* Default: no
-setgid, setuid
-PowerDNS can change its user and group id after binding to its socket. Can be used for better security.
+Use only a single socket for outgoing queries.
## `socket-dir`
-Where to store the control socket. This option also works with the controller, **rec\_control**.
+* Path
+
+Where to store the control socket and pidfile. The default depends on
+`LOCALSTATEDIR` during compile-time (usually `/var/run` or `/run`).
## `socket-owner`, `socket-group`, `socket-mode`
-Owner, group and mode of the controlsocket. Owner and group can be specified by name, mode is in octal.
+Owner, group and mode of the controlsocket. Owner and group can be specified by
+name, mode is in octal.
## `spoof-nearmiss-max`
-If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20.
+* Integer
+* Default: 20
+
+If set to non-zero, PowerDNS will assume it is being spoofed after seeing this
+many answers with the wrong id.
+
+## `stack-size`
+* Integer
+* Default: 200000
+
+Size of the stack per thread.
+
+## `stats-ringbuffer-entries`
+* Integer
+* Default: 10000
+
+Number of entries in the remotes ringbuffer, which keeps statistics on who is
+querying your server. Can be read out using `rec_control top-remotes`.
+
+## `threads`
+* Integer
+* Default: 2
+
+Spawn this number of threads on startup.
## `trace`
-If turned on, output impressive heaps of logging. May destroy performance under load.
+* Boolean
+* Default: no
+
+If turned on, output impressive heaps of logging. May destroy performance under
+load.
-## `udp-truncation-threshold=...`
-EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however also have downsides in terms of reflection attacks. This setting limits the accepted size. Maximum value is 65535, but values above 4096 should probably not be attempted. Default is 1680.
+## `udp-truncation-threshold`
+* Integer
+* Default: 1680
+
+EDNS0 allows for large UDP response datagrams, which can potentially raise
+performance. Large responses however also have downsides in terms of reflection
+attacks. This setting limits the accepted size. Maximum value is 65535, but
+values above 4096 should probably not be attempted.
## `version`
-Print version of this binary. Useful for checking which version of the PowerDNS recursor is installed on a system. Available since version 3.1.5.
+Print version of this binary. Useful for checking which version of the PowerDNS
+recursor is installed on a system. Available since version 3.1.5.
## `version-string`
-By default, PowerDNS replies to the 'version.bind' query with its version number. Security conscious users may wish to override the reply PowerDNS issues.
+* String
+* Default: PowerDNS Recursor version number
+
+By default, PowerDNS replies to the 'version.bind' query with its version number.
+Security conscious users may wish to override the reply PowerDNS issues.
projects / pdns / commitdiff