7 **rec_control** [*OPTION*]... *COMMAND* [*COMMAND-OPTION*]...
12 :program:`rec_control` allows the operator to query and control a running
13 instance of the PowerDNS Recursor.
15 :program:`rec_control` talks to the recursor via a the 'controlsocket'. Which
16 is usually located in ``/var/run`` . The *--socket-dir* or the *--config-dir*
17 and *--config-name* switches control to which process :program:`rec_control`
22 To see if the Recursor is alive, run::
26 To stop the recursor by hand, run::
30 To dump the cache to disk, execute::
32 # rec_control dump-cache /tmp/the-cache
36 Before version 4.5.0, for each command that writes to a file, :program:`pdns_recursor` would open the file to write to.
37 Starting with 4.5.0, the files are opened by the :program:`rec_control` command itself using the credentials and the current working directory of the user running :program:`rec_control`.
38 A single minus *-* can be used as a filename to write the data to the standard output stream.
42 --help provide this helpful message.
43 --config-dir=<path> Directory where the recursor.conf lives.
44 --config-name=<name> Name of the virtual configuration.
45 --socket-dir=<path> Where the controlsocket will live, please
46 use **--config-dir** instead.
47 --socket-pid=<pid> When running in SMP mode, pid of **pdns_recursor** to
49 --timeout=<num> Number of seconds to wait for the remote PowerDNS
54 add-dont-throttle-names NAME [NAME...]
55 Add names for nameserver domains that may not be throttled.
57 add-dont-throttle-netmasks NETMASK [NETMASK...]
58 Add netmasks for nameservers that may not be throttled.
60 add-nta *DOMAIN* [*REASON*]
61 Add a Negative Trust Anchor for *DOMAIN*, suffixed optionally with
64 add-ta *DOMAIN* *DSRECORD*
65 Add a Trust Anchor for *DOMAIN* with DS record data *DSRECORD*. This adds
66 the new Trust Anchor to the existing set of Trust Anchors for *DOMAIN*.
69 Shows the currently active queries.
71 clear-dont-throttle-names NAME [NAME...]
72 Remove names that are not allowed to be throttled. If *NAME* is ``*``, remove all
74 clear-dont-throttle-netmasks NETMASK [NETMASK...]
75 Remove netmasks that are not allowed to be throttled. If *NETMASK* is ``*``, remove all
78 Remove Negative Trust Anchor for one or more *DOMAIN*\ s. Set domain to
79 ``*`` to remove all NTA's.
81 clear-ta [*DOMAIN*]...
82 Remove Trust Anchor for one or more *DOMAIN*\ s. Note that removing the
83 root trust anchor is not possible.
86 Dumps the entire cache to *FILENAME*. This file should not exist already,
87 PowerDNS will refuse to overwrite it. While dumping, the recursor
88 might not answer questions.
90 Typical PowerDNS Recursors run multiple threads, therefore you'll see
91 duplicate, different entries for the same domains. The negative cache is
92 also dumped to the same file. The per-thread positive and negative cache
93 dumps are separated with an appropriate comment.
95 dump-dot-probe-map *FILENAME*
96 Dump the contents of the DoT probe map to the *FILENAME* mentioned.
99 Dumps the EDNS status to the filename mentioned. This file should not exist
100 already, PowerDNS will refuse to overwrite it. While dumping, the recursor
101 will not answer questions.
103 dump-failedservers *FILENAME*
104 Dump the contents of the failed server map to the *FILENAME* mentioned.
105 This file should not exist already, PowerDNS will refuse to
106 overwrite it otherwise. While dumping, the recursor will not answer
109 dump-non-resolving *FILENAME*
110 Dump the contents of the map of nameserver names that did not resolve to
111 an address. This file should not exist already, PowerDNS will
112 refuse to overwrite it otherwise. While dumping, the recursor will
113 not answer questions.
115 dump-nsspeeds *FILENAME*
116 Dumps the nameserver speed statistics to the *FILENAME* mentioned. This
117 file should not exist already, PowerDNS will refuse to overwrite it. While
118 dumping, the recursor will not answer questions. Statistics are kept per
119 thread, and the dumps end up in the same file.
121 dump-rpz *ZONE NAME* *FILE NAME*
122 Dumps the content of the RPZ zone named *ZONE NAME* to the *FILENAME*
123 mentioned. This file should not exist already, PowerDNS will refuse to
124 overwrite it otherwise. While dumping, the recursor will not answer
125 questions. For details on how RPZ are named see
126 `<https://docs.powerdns.com/recursor/lua-config/rpz.html#policyname>`__.
128 dump-saved-parent-ns-sets *FILE NAME*
129 Dump the entries of the map containing saved parent NS sets
130 that were successfully used in resolving.
131 The total number of entries is also printed in the header.
132 An entry is saved if the recursor sees that the parent set includes
133 names not in the child set. This is an indication of a
134 misconfigured domain.
136 dump-throttlemap *FILENAME*
137 Dump the contents of the throttle map to the *FILENAME* mentioned.
138 This file should not exist already, PowerDNS will refuse to
139 overwrite it otherwise. While dumping, the recursor will not answer
142 get *STATISTIC* [*STATISTIC*]...
143 Retrieve a statistic. For items that can be queried, see
144 `<https://docs.powerdns.com/recursor/metrics.html>`__.
147 Retrieve all known statistics.
149 get-dont-throttle-names
150 Get the list of names that are not allowed to be throttled.
152 get-dont-throttle-netmasks
153 Get the list of netmasks that are not allowed to be throttled.
156 Get a list of the currently configured Negative Trust Anchors.
159 Get a list of the currently configured Trust Anchors.
161 get-parameter *KEY* [*KEY*]...
162 Retrieves the specified configuration parameter(s).
164 get-proxymapping-stats
165 Get the list of proxy-mapped subnets and associated counters.
168 Retrieves QType statistics. Queries from cache aren't being counted yet.
170 get-remotelogger-stats
171 Retrieves the remote logger statistics, per type and address.
173 hash-password [*WORK-FACTOR*]
174 Asks for a password then returns the hashed and salted version,
175 to use as a webserver password or API key. This command does
176 not contact the recursor but does the hashing inside rec_control.
177 An optional scrypt work factor can be specified, in power of two.
181 Shows a list of supported commands understood by the running
182 :program:`pdns_recursor`
185 List supported (and potentially disabled) DNSSEC algorithms.
188 Check if server is alive.
191 Request shutdown of the recursor, exiting the process while
192 letting the OS clean up resources.
195 Request nice shutdown of the recursor. This method allows all
196 threads to finish their current work and releases resources before
197 exiting. This is the preferred method to stop the recursor.
202 reload-lua-script [*FILENAME*]
203 (Re)loads Lua script *FILENAME*. If *FILENAME* is empty, attempt to reload
204 the currently loaded script. This replaces the script currently loaded.
206 reload-lua-config [*FILENAME*]
207 (Re)loads Lua configuration *FILENAME*. If *FILENAME* is empty, attempt
208 to reload the currently loaded file. Note that *FILENAME* will be fully
209 executed, any settings changed at runtime that are not modified in this
210 file, will still be active. The effects of reloading do not always take
211 place immediately, as some subsystems reload and replace configuration
212 in an asynchronous way.
215 Reload authoritative and forward zones. Retains current configuration in
218 set-carbon-server *CARBON SERVER* [*CARBON OURNAME*]
219 Set the carbon-server setting to *CARBON SERVER*. If *CARBON OURNAME* is
220 not empty, also set the carbon-ourname setting to *CARBON OURNAME*.
222 set-dnssec-log-bogus *SETTING*
223 Set dnssec-log-bogus setting to *SETTING*. Set to ``on`` or ``yes`` to log
224 DNSSEC validation failures and to ``no`` or ``off`` to disable logging these
227 set-ecs-minimum-ttl *NUM*
228 Set ecs-minimum-ttl-override to *NUM*.
230 set-max-cache-entries *NUM*
231 Change the maximum number of entries in the DNS cache. If reduced, the
232 cache size will start shrinking to this number as part of the normal
233 cache purging process, which might take a while.
235 set-max-packetcache-entries *NUM*
236 Change the maximum number of entries in the packet cache. If reduced, the
237 cache size will start shrinking to this number as part of the normal
238 cache purging process, which might take a while.
240 set-minimum-ttl *NUM*
241 Set minimum-ttl-override to *NUM*.
243 set-event-trace-enabled *NUM*
244 Set logging of event trace messages, ``0`` = disabled, ``1`` = protobuf,
245 ``2`` = log file, ``3`` = protobuf and log file.
248 Show Yaml representation of odl-style config.
251 Shows the top-20 queries. Statistics are over the last
252 'stats-ringbuffer-entries' queries.
255 Shows the top-20 queries grouped by public suffix list. Statistics are over
256 the last 'stats-ringbuffer-entries' queries.
258 top-largeanswer-remotes
259 Shows the top-20 remote hosts causing large answers. Statistics are over
260 the last 'stats-ringbuffer-entries' queries.
263 Shows the top-20 most active remote hosts. Statistics are over the last
264 'stats-ringbuffer-entries' queries.
267 Shows the top-20 queries causing servfail responses. Statistics are over
268 the last 'stats-ringbuffer-entries' queries.
271 Shows the top-20 queries causing bogus responses. Statistics are over
272 the last 'stats-ringbuffer-entries' queries.
274 top-pub-servfail-queries
275 Shows the top-20 queries causing servfail responses grouped by public
276 suffix list. Statistics are over the last 'stats-ringbuffer-entries'
279 top-pub-bogus-queries
280 Shows the top-20 queries causing bogus responses grouped by public
281 suffix list. Statistics are over the last 'stats-ringbuffer-entries'
285 Shows the top-20 most active remote hosts causing servfail responses.
286 Statistics are over the last 'stats-ringbuffer-entries' queries.
289 Shows the top-20 most active remote hosts causing bogus responses.
290 Statistics are over the last 'stats-ringbuffer-entries' queries.
293 Shows the top-20 most active downstream timeout destinations.
294 Statistics are over the last 'stats-ringbuffer-entries' queries.
296 trace-regex *REGEX* *FILE*
297 Emit resolution trace for matching queries. No arguments disables tracing.
298 Before version 4.9.0, there was no *FILE* argument, traces were always
299 written to the log. Starting with version 4.9.0, trace information is
300 written to the file specified, which may be ``-`` for the standard out
303 Queries matching this regular expression will generate voluminous tracing
304 output. Be aware that matches from the packet cache will still not generate
305 tracing. To unset the regex, pass **trace-regex** without a new regex.
307 The regular expression is matched against domain queries terminated with a
308 dot. For example the regex ``'powerdns.com$'`` will not match a query for
309 ``'www.powerdns.com'``, since the attempted match will be with
310 ``'www.powerdns.com.'``.
312 In addition, since this is a regular expression, to exclusively match
313 queries for ``'www.powerdns.com'``, one should escape the dots:
314 ``'^www\.powerdns\.com\.$'``.
315 Note that the single quotes prevent
316 further interpretation of the backslashes by the shell.
318 Multiple matches can be chained with the ``|`` operator. For example, to
319 match all queries for Dutch (``.nl``) and German (``.de``) domain names, use:
320 ``'\.nl\.$|\.de\.$'``.
323 Unloads Lua script if one was loaded.
326 Report running version.
328 wipe-cache *DOMAIN* [*DOMAIN*] [...]
329 Wipe entries for *DOMAIN* (exact name match) from the cache. This is useful
330 if, for example, an important server has a new IP address, but the TTL has
331 not yet expired. Multiple domain names can be passed.
332 *DOMAIN* can be suffixed with a ``$``. to delete the whole tree from the
333 cache. i.e. ``powerdns.com$`` will remove all cached entries under and
334 including the powerdns.com name.
336 **Note**: this command also wipes the negative cache.
338 **Warning**: Don't just wipe "www.somedomain.com", its NS records or CNAME
339 target may still be undesired, so wipe "somedomain.com" as well.
341 wipe-cache-typed *qtype* *DOMAIN* [*DOMAIN*] [...]
342 Same as wipe-cache, but only wipe records of type *qtype*.
346 :manpage:`pdns_recursor(1)`
347 `<https://docs.powerdns.com/recursor>`__