- add-prometheus-metrics, add metrics-enable, metrics-interface, metrics-port,

and metrics-path options.

configure

@@ -22179,7 +22179,7 @@ then :
 printf "%s\n" "#define USE_METRICS /**/" >>confdefs.h
 
 
-printf "%s\n" "#define UNBOUND_METRICS_PORT 9100" >>confdefs.h
+printf "%s\n" "#define UNBOUND_METRICS_PORT 9101" >>confdefs.h
 
 
 else $as_nop

configure.ac

@@ -1502,7 +1502,7 @@ large outgoing port ranges.  ])
 	# only enabled when the required version is found and used
 	AC_CHECK_FUNCS([evhttp_free], [
 		AC_DEFINE_UNQUOTED([USE_METRICS], [], [Define this to expose Unbound statistics via a prometheus metrics HTTP endpoint.])
-		AC_DEFINE_UNQUOTED([UNBOUND_METRICS_PORT], [9100], [Define the default metrics HTTP endpoint port.])
+		AC_DEFINE_UNQUOTED([UNBOUND_METRICS_PORT], [9101], [Define the default metrics HTTP endpoint port.])
 	], [
 		AC_MSG_NOTICE([disabling prometheus metrics])
 	])

daemon/daemon.c

@@ -69,6 +69,7 @@
 #include "daemon/daemon.h"
 #include "daemon/worker.h"
 #include "daemon/remote.h"
+#include "daemon/metrics.h"
 #include "daemon/acl_list.h"
 #include "util/log.h"
 #include "util/config_file.h"
@@ -301,10 +302,25 @@ daemon_init(void)
 	if(gettimeofday(&daemon->time_boot, NULL) < 0)
 		log_err("gettimeofday: %s", strerror(errno));
 	daemon->time_last_stat = daemon->time_boot;
+#ifdef USE_METRICS
+	if(!(daemon->metrics = daemon_metrics_create())) {
+		acl_list_delete(daemon->acl_interface);
+		acl_list_delete(daemon->acl);
+		tcl_list_delete(daemon->tcl);
+		edns_known_options_delete(daemon->env);
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
+	daemon->metrics_port = -1;
+#endif /* USE_METRICS */
 	if((daemon->env->auth_zones = auth_zones_create()) == 0) {
 		acl_list_delete(daemon->acl_interface);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
+#ifdef USE_METRICS
+		daemon_metrics_delete(daemon->metrics);
+#endif
 		edns_known_options_delete(daemon->env);
 		free(daemon->env);
 		free(daemon);
@@ -315,6 +331,9 @@ daemon_init(void)
 		acl_list_delete(daemon->acl_interface);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
+#ifdef USE_METRICS
+		daemon_metrics_delete(daemon->metrics);
+#endif
 		edns_known_options_delete(daemon->env);
 		free(daemon->env);
 		free(daemon);
@@ -440,6 +459,19 @@ daemon_open_shared_ports(struct daemon* daemon)
 			return 0;
 		daemon->rc_port = daemon->cfg->control_port;
 	}
+#ifdef USE_METRICS
+	if(!daemon->cfg->metrics_enable && daemon->metrics_port != -1) {
+		daemon_metrics_close_ports(daemon->metrics);
+		daemon->metrics_port = -1;
+	}
+	if(daemon->cfg->metrics_enable &&
+		daemon->cfg->metrics_port != daemon->metrics_port) {
+		daemon_metrics_close_ports(daemon->metrics);
+		if(!daemon_metrics_open_ports(daemon->metrics, daemon->cfg))
+			return 0;
+		daemon->metrics_port = daemon->cfg->metrics_port;
+	}
+#endif /* USE_METRICS */
 	return 1;
 }
 
@@ -918,6 +950,9 @@ daemon_cleanup(struct daemon* daemon)
 		auth_zones_cleanup(daemon->env->auth_zones);
 	/* key cache is cleared by module deinit during next daemon_fork() */
 	daemon_remote_clear(daemon->rc);
+#ifdef USE_METRICS
+	daemon_metrics_detach(daemon->metrics);
+#endif
 	if(daemon->fast_reload_thread)
 		fast_reload_thread_stop(daemon->fast_reload_thread);
 	if(daemon->fast_reload_printq_list)
@@ -960,6 +995,9 @@ daemon_delete(struct daemon* daemon)
 	modstack_call_destartup(&daemon->mods, daemon->env);
 	modstack_free(&daemon->mods);
 	daemon_remote_delete(daemon->rc);
+#ifdef USE_METRICS
+	daemon_metrics_delete(daemon->metrics);
+#endif
 	for(i = 0; i < daemon->num_ports; i++)
 		listening_ports_free(daemon->ports[i]);
 	free(daemon->ports);

daemon/daemon.h

@@ -56,6 +56,7 @@ struct local_zones;
 struct views;
 struct ub_randstate;
 struct daemon_remote;
+struct daemon_metrics;
 struct respip_set;
 struct shm_main_info;
 struct doq_table;
@@ -99,6 +100,10 @@ struct daemon {
 	struct listen_port* rc_ports;
 	/** remote control connections management (for first worker) */
 	struct daemon_remote* rc;
+	/** port number for metrics that has ports opened. */
+	int metrics_port;
+	/** metrics endpoint connections management (for first worker) */
+	struct daemon_metrics* metrics;
 	/** ssl context for listening to dnstcp over ssl */
 	void* listen_dot_sslctx;
 	/** ssl context for connecting to dnstcp over ssl */

daemon/metrics.c

@@ -1,5 +1,5 @@
 /*
- * daemon/metrics.c - prometheus metrics output.
+ * daemon/metrics.c - prometheus metrics endpoint.
  *
  * Copyright (c) 2026, NLnet Labs. All rights reserved.
  *
@@ -40,7 +40,438 @@
  */
 #include "config.h"
 #include "daemon/metrics.h"
+#include "daemon/daemon.h"
+#include "daemon/worker.h"
+#include "daemon/stats.h"
+#include "util/config_file.h"
+#include "util/net_help.h"
+#include "util/ub_event.h"
+#include "util/timeval_func.h"
+#include "services/listen_dnsport.h"
 
+/* If there is no metrics enabled, do not add the code. */
 #ifdef USE_METRICS
+#ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#include <event2/event.h>
+#include <event2/http.h>
+#include <event2/buffer.h>
 
+/**
+ * list of connection accepting file descriptors
+ */
+struct metrics_acceptlist {
+	struct metrics_acceptlist* next;
+	int accept_fd;
+	char* ident;
+	struct daemon_metrics* metrics;
+};
+
+/**
+ * The metrics daemon state.
+ */
+struct daemon_metrics {
+	/** The worker for this metrics endpoint */
+	struct worker* worker;
+	/** commpoints for accepting HTTP connections */
+	struct metrics_acceptlist* accept_list;
+	/** libevent http server */
+	struct evhttp *http_server;
+};
+
+/** The callback that handles a metrics http request. */
+static void metrics_http_callback(struct evhttp_request *req, void *p);
+
+struct daemon_metrics*
+daemon_metrics_create(void)
+{
+	struct daemon_metrics* metrics = (struct daemon_metrics*)calloc(
+		sizeof(*metrics), 1);
+	if(!metrics) {
+		log_err("out of memory");
+		return NULL;
+	}
+	return metrics;
+}
+
+void
+daemon_metrics_delete(struct daemon_metrics* metrics)
+{
+	if(!metrics) return;
+	daemon_metrics_detach(metrics);
+	daemon_metrics_close_ports(metrics);
+	free(metrics);
+}
+
+void
+daemon_metrics_close_ports(struct daemon_metrics* metrics)
+{
+	struct metrics_acceptlist *h, *nh;
+	if(!metrics) return;
+
+	/* close listen sockets */
+	h = metrics->accept_list;
+	while(h) {
+		nh = h->next;
+		close(h->accept_fd);
+		free(h->ident);
+		free(h);
+		h = nh;
+	}
+	metrics->accept_list = NULL;
+}
+
+void
+daemon_metrics_detach(struct daemon_metrics* metrics)
+{
+	if(!metrics) return;
+	if (metrics->http_server) {
+		evhttp_free(metrics->http_server);
+		metrics->http_server = NULL;
+	}
+}
+
+/**
+ * Add and open a new metrics port
+ * @param metrics: metrics with result list.
+ * @param cfg: config options.
+ * @param ip: ip str
+ * @param nr: port nr
+ * @param noproto_is_err: if lack of protocol support is an error.
+ * @return false on failure.
+ */
+static int
+metrics_add_open(struct daemon_metrics* metrics, struct config_file* cfg,
+	const char* ip, int nr, int noproto_is_err)
+{
+	struct addrinfo hints;
+	struct addrinfo* res;
+	struct metrics_acceptlist* hl;
+	int noproto = 0;
+	int fd, r;
+	char port[15];
+	snprintf(port, sizeof(port), "%d", nr);
+	port[sizeof(port)-1]=0;
+	memset(&hints, 0, sizeof(hints));
+	assert(ip);
+
+	if(ip[0] == '/') {
+		/* This looks like a local socket */
+		fd = create_local_accept_sock(ip, &noproto, cfg->use_systemd);
+		/*
+		 * Change socket ownership and permissions so users other
+		 * than root can access it provided they are in the same
+		 * group as the user we run as.
+		 */
+		if(fd != -1) {
+#ifdef HAVE_CHOWN
+			if(chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1) {
+				verbose(VERB_QUERY, "cannot chmod metrics socket %s: %s", ip, strerror(errno));
+			}
+			if (cfg->username && cfg->username[0] &&
+				cfg_uid != (uid_t)-1) {
+				if(chown(ip, cfg_uid, cfg_gid) == -1)
+					verbose(VERB_QUERY, "cannot chown metrics socket %u.%u %s: %s",
+					  (unsigned)cfg_uid, (unsigned)cfg_gid,
+					  ip, strerror(errno));
+			}
+#else
+			(void)cfg;
+#endif
+		}
+	} else {
+		hints.ai_socktype = SOCK_STREAM;
+		hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+		/* if we had no interface ip name, "default" is what we
+		 * would do getaddrinfo for. */
+		if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
+#ifdef USE_WINSOCK
+			if(!noproto_is_err && r == EAI_NONAME) {
+				/* tried to lookup the address as name */
+				return 1; /* return success, but do nothing */
+			}
+#endif /* USE_WINSOCK */
+			log_err("metrics interface %s:%s getaddrinfo: %s %s",
+				ip, port, gai_strerror(r),
+#ifdef EAI_SYSTEM
+				r==EAI_SYSTEM?(char*)strerror(errno):""
+#else
+				""
+#endif
+				);
+			return 0;
+		}
+
+		/* open fd */
+		fd = create_tcp_accept_sock(res, 1, &noproto, 0,
+			cfg->ip_transparent, 0, 0, cfg->ip_freebind,
+			cfg->use_systemd, cfg->ip_dscp, "metrics");
+		freeaddrinfo(res);
+	}
+
+	if(fd == -1 && noproto) {
+		if(!noproto_is_err)
+			return 1; /* return success, but do nothing */
+		log_err("cannot open metrics interface %s %d : "
+			"protocol not supported", ip, nr);
+		return 0;
+	}
+	if(fd == -1) {
+		log_err("cannot open metrics interface %s %d", ip, nr);
+		return 0;
+	}
+
+	/* alloc */
+	hl = (struct metrics_acceptlist*)calloc(1, sizeof(*hl));
+	if(!hl) {
+		sock_close(fd);
+		log_err("out of memory");
+		return 0;
+	}
+	hl->metrics = metrics;
+	hl->ident = strdup(ip);
+	if(!hl->ident) {
+		log_err("out of memory");
+		sock_close(fd);
+		free(hl);
+		return 0;
+	}
+	hl->next = metrics->accept_list;
+	metrics->accept_list = hl;
+
+	hl->accept_fd = fd;
+	return 1;
+}
+
+int
+daemon_metrics_open_ports(struct daemon_metrics* metrics,
+	struct config_file* cfg)
+{
+	assert(cfg->metrics_enable);
+	if(cfg->metrics_ifs.first) {
+		struct config_strlist* p;
+		for(p = cfg->metrics_ifs.first; p; p = p->next) {
+			if(!metrics_add_open(metrics, cfg, p->str,
+				cfg->metrics_port, 1)) {
+				return 0;
+			}
+		}
+	} else {
+		/* defaults */
+		if(cfg->do_ip6 && !metrics_add_open(metrics, cfg, "::1",
+			cfg->metrics_port, 0)) {
+			return 0;
+		}
+		if(cfg->do_ip4 &&
+			!metrics_add_open(metrics, cfg, "127.0.0.1",
+			cfg->metrics_port, 1)) {
+			return 0;
+		}
+	}
+	return 1;
+}
+
+int
+daemon_metrics_attach(struct daemon_metrics* metrics, struct worker* worker)
+{
+	int fd;
+	struct metrics_acceptlist* p;
+	if(!metrics) return 1;
+	metrics->worker = worker;
+
+	metrics->http_server = evhttp_new(ub_libevent_get_event_base(
+		comm_base_internal(worker->base)));
+	if(!metrics->http_server) {
+		log_err("out of memory, evhttp_new failed");
+		return 0;
+	}
+	for(p = metrics->accept_list; p; p = p->next) {
+		fd = p->accept_fd;
+		if (evhttp_accept_socket(metrics->http_server, fd)) {
+			log_err("metrics: cannot set http server to accept socket");
+			return 0;
+		}
+
+		/* only handle requests to metrics_path, anything else returns 404 */
+		evhttp_set_cb(metrics->http_server,
+			worker->daemon->cfg->metrics_path,
+			metrics_http_callback, p);
+		/* evhttp_set_gencb(metrics->http_server, metrics_http_callback_generic, p); */
+	}
+	return 1;
+}
+
+/* Add help and type printout of a metric. */
+static void
+print_metric_help_and_type(struct evbuffer *buf, char *prefix, char *name,
+	char *help, char *type)
+{
+	evbuffer_add_printf(buf, "# HELP %s%s %s\n# TYPE %s%s %s\n",
+		prefix, name, help, prefix, name, type);
+}
+
+/* metrics print of stat block */
+static int
+metrics_print_stats(struct evbuffer* reply, const char* nm,
+	struct ub_stats_info* s)
+{
+	(void)reply;
+	(void)nm;
+	(void)s;
+	return 1;
+}
+
+/* metrics print of thread stats */
+static int
+metrics_print_thread_stats(struct evbuffer* reply, int i,
+	struct ub_stats_info* s)
+{
+	(void)reply;
+	(void)i;
+	(void)s;
+	return 1;
+}
+
+/* metrics print of uptime stats */
+static int
+metrics_print_uptime(struct evbuffer* reply, struct worker* worker,
+	struct timeval* stattime)
+{
+	char* prefix = "unbound_";
+	struct timeval up, dt;
+	timeval_subtract(&up, stattime, &worker->daemon->time_boot);
+	timeval_subtract(&dt, stattime, &worker->daemon->time_last_stat);
+
+	print_metric_help_and_type(reply, prefix, "time_now_seconds",
+		"Time of the statistics printout, in seconds.", "untyped");
+	evbuffer_add_printf(reply, "%stime_now_seconds " ARG_LL "d.%6.6u\n",
+		prefix, (long long)stattime->tv_sec,
+		(unsigned)stattime->tv_usec);
+
+	print_metric_help_and_type(reply, prefix, "time_up_seconds_total",
+		"Uptime since server boot in seconds.", "counter");
+	evbuffer_add_printf(reply,
+		"%stime_up_seconds_total " ARG_LL "d.%6.6u\n",
+		prefix, (long long)up.tv_sec, (unsigned)up.tv_usec);
+
+	print_metric_help_and_type(reply, prefix, "time_elapsed_seconds",
+		"Time since last statistics printout and "
+		"reset (by unbound-control stats) in seconds.",
+		"untyped");
+	evbuffer_add_printf(reply,
+		"%stime_elapsed_seconds " ARG_LL "d.%6.6u\n",
+		prefix, (long long)dt.tv_sec, (unsigned)dt.tv_usec);
+	return 1;
+}
+
+/* metrics print of mem stats */
+static int
+metrics_print_mem(struct evbuffer* reply, struct worker* worker,
+	struct daemon* daemon, struct ub_stats_info* s)
+{
+	(void)reply;
+	(void)worker;
+	(void)daemon;
+	(void)s;
+	return 1;
+}
+
+/* metrics print of histogram */
+static int
+metrics_print_hist(struct evbuffer* reply, struct ub_stats_info* s)
+{
+	(void)reply;
+	(void)s;
+	return 1;
+}
+
+/* metrics print of extended stats */
+static int
+metrics_print_ext(struct evbuffer* reply, struct ub_stats_info* s,
+	int inhibit_zero)
+{
+	(void)reply;
+	(void)s;
+	(void)inhibit_zero;
+	return 1;
+}
+
+/* process statistics */
+static void
+do_metrics_stats(struct evbuffer* reply, struct worker* worker, int reset)
+{
+	struct daemon* daemon = worker->daemon;
+	struct ub_stats_info total;
+	struct ub_stats_info s;
+	int i;
+	struct timeval stattime;
+	if(gettimeofday(&stattime, NULL) < 0)
+		log_err("gettimeofday: %s", strerror(errno));
+
+	memset(&total, 0, sizeof(total));
+	log_assert(daemon->num > 0);
+	/* gather all thread statistics in one place */
+	for(i=0; i<daemon->num; i++) {
+		server_stats_obtain(worker, daemon->workers[i], &s, reset);
+		if(!metrics_print_thread_stats(reply, i, &s))
+			return;
+		if(i == 0)
+			total = s;
+		else	server_stats_add(&total, &s);
+	}
+	/* print the thread statistics */
+	total.mesh_time_median /= (double)daemon->num;
+	if(!metrics_print_stats(reply, "total", &total))
+		return;
+	if(!metrics_print_uptime(reply, worker, &stattime))
+		return;
+	if(daemon->cfg->stat_extended) {
+		if(!metrics_print_mem(reply, worker, daemon, &total))
+			return;
+		if(!metrics_print_hist(reply, &total))
+			return;
+		if(!metrics_print_ext(reply, &total,
+			daemon->cfg->stat_inhibit_zero))
+			return;
+	}
+
+	if(reset) {
+		worker->daemon->time_last_stat = stattime;
+		worker_stats_clear(worker);
+	}
+}
+
+/* Callback for handling the active http request to the specific URI */
+static void
+metrics_http_callback(struct evhttp_request *req, void *p)
+{
+	struct evbuffer *reply = NULL;
+	struct daemon_metrics *metrics = ((struct metrics_acceptlist *)p)->metrics;
+
+	/* currently only GET requests are supported/allowed */
+	enum evhttp_cmd_type cmd = evhttp_request_get_command(req);
+	if (cmd != EVHTTP_REQ_GET /* && cmd != EVHTTP_REQ_HEAD */) {
+		evhttp_send_error(req, HTTP_BADMETHOD, 0);
+		return;
+	}
+
+	reply = evbuffer_new();
+
+	if (!reply) {
+		evhttp_send_error(req, HTTP_INTERNAL, 0);
+		log_err("metrics: failed to allocate reply buffer\n");
+		return;
+	}
+
+	evhttp_add_header(evhttp_request_get_output_headers(req),
+			  "Content-Type", "text/plain; version=0.0.4");
+	do_metrics_stats(reply, metrics->worker, 0);
+	evhttp_send_reply(req, HTTP_OK, NULL, reply);
+	verbose(VERB_DETAIL, "metrics operation completed, response sent");
+	evbuffer_free(reply);
+}
 #endif /* USE_METRICS */

daemon/metrics.h

@@ -1,5 +1,5 @@
 /*
- * daemon/metrics.h - prometheus metrics output.
+ * daemon/metrics.h - prometheus metrics endpoint.
  *
  * Copyright (c) 2026, NLnet Labs. All rights reserved.
  *
@@ -41,5 +41,57 @@
 
 #ifndef DAEMON_METRICS_H
 #define DAEMON_METRICS_H
+struct daemon_metrics;
+struct config_file;
+struct worker;
+
+/* the metrics daemon needs little backlog */
+#define TCP_BACKLOG_METRICS 16 /* listen() tcp backlog */
+
+/**
+ * Create new metrics endpoint for the daemon.
+ * Does not open the ports, for that call the open ports routine, and
+ * later the attach routine on the worker event base.
+ * @return new state, or NULL on failure.
+ */
+struct daemon_metrics* daemon_metrics_create(void);
+
+/**
+ * Delete metrics daemon and close HTTP listeners.
+ * @param m: daemon to delete.
+ */
+void daemon_metrics_delete(struct daemon_metrics* m);
+
+/**
+ * Close metrics HTTP listener ports.
+ * Does not delete the object itself.
+ * @param m: state to close.
+ */
+void daemon_metrics_close_ports(struct daemon_metrics* m);
+
+/**
+ * Detach the metrics listener from the event base.
+ * Does not delete the object itself.
+ * @param m: state to detach.
+ */
+void daemon_metrics_detach(struct daemon_metrics* m);
+
+/**
+ * Open and create HTTP listeners for metrics daemon.
+ * @param m: metrics state that contains list of accept sockets.
+ * @param cfg: config options.
+ * @return false on failure.
+ */
+int daemon_metrics_open_ports(struct daemon_metrics* m,
+	struct config_file* cfg);
+
+/**
+ * Setup HTTP listener.
+ * @param m: state
+ * @param worker: The worker thread that hosts the endpoint.
+ *	The HTTP listener is attached to its event base.
+ * @return false on failure.
+ */
+int daemon_metrics_attach(struct daemon_metrics* m, struct worker* worker);
 
 #endif /* DAEMON_METRICS_H */

daemon/remote.c

@@ -4943,6 +4943,12 @@ fr_check_compat_cfg(struct fast_reload_thread* fr, struct config_file* newcfg)
 	FR_CHECK_CHANGED_CFG_STRLIST("tls-additional-port", tls_additional_port, changed_str);
 	FR_CHECK_CHANGED_CFG_STR("interface-automatic-ports", if_automatic_ports, changed_str);
 	FR_CHECK_CHANGED_CFG("udp-upstream-without-downstream", udp_upstream_without_downstream, changed_str);
+#ifdef USE_METRICS
+	FR_CHECK_CHANGED_CFG("metrics-enable", metrics_enable, changed_str);
+	FR_CHECK_CHANGED_CFG("metrics-port", metrics_port, changed_str);
+	FR_CHECK_CHANGED_CFG_STR("metrics-path", metrics_path, changed_str);
+	FR_CHECK_CHANGED_CFG_STRLIST("metrics-interface", metrics_ifs.first, changed_str);
+#endif
 
 	if(changed_str[0] != 0) {
 		/* The new config changes some items that do not work with
@@ -5257,6 +5263,10 @@ config_file_getmem(struct config_file* cfg)
 	m += getmem_str(cfg->dnstap_tls_client_cert_file);
 	m += getmem_str(cfg->dnstap_identity);
 	m += getmem_str(cfg->dnstap_version);
+#ifdef USE_METRICS
+	m += getmem_config_strlist(cfg->metrics_ifs.first);
+	m += getmem_str(cfg->metrics_path);
+#endif
 	m += getmem_config_str2list(cfg->ratelimit_for_domain);
 	m += getmem_config_str2list(cfg->ratelimit_below_domain);
 	m += getmem_config_str2list(cfg->edns_client_strings);
@@ -6104,6 +6114,13 @@ fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg,
 	COPY_VAR_int(dnstap_log_forwarder_query_messages);
 	COPY_VAR_int(dnstap_log_forwarder_response_messages);
 	COPY_VAR_int(disable_dnssec_lame_check);
+#ifdef USE_METRICS
+	COPY_VAR_int(metrics_enable);
+	COPY_VAR_ptr(metrics_ifs.first);
+	COPY_VAR_ptr(metrics_ifs.last);
+	COPY_VAR_int(metrics_port);
+	COPY_VAR_ptr(metrics_path);
+#endif
 	COPY_VAR_int(ip_ratelimit);
 	COPY_VAR_int(ip_ratelimit_cookie);
 	COPY_VAR_size_t(ip_ratelimit_slabs);

daemon/worker.c

@@ -46,6 +46,7 @@
 #include "daemon/worker.h"
 #include "daemon/daemon.h"
 #include "daemon/remote.h"
+#include "daemon/metrics.h"
 #include "daemon/acl_list.h"
 #include "util/netevent.h"
 #include "util/config_file.h"
@@ -2249,6 +2250,12 @@ worker_init(struct worker* worker, struct config_file *cfg,
 			worker_delete(worker);
 			return 0;
 		}
+#ifdef USE_METRICS
+		if(!daemon_metrics_attach(worker->daemon->metrics, worker)) {
+			worker_delete(worker);
+			return 0;
+		}
+#endif /* USE METRICS */
 #ifdef UB_ON_WINDOWS
 		wsvc_setup_worker(worker);
 #endif /* UB_ON_WINDOWS */

testdata/prometheus_metrics.tdir/prometheus_metrics.conf

@@ -0,0 +1,32 @@
+server:
+	verbosity: 5
+	num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+	metrics-enable: yes
+	metrics-path: "/metrics"
+	metrics-interface: 127.0.0.1
+	metrics-port: @METRICSPORT@
+
+	statistics-cumulative: no
+	extended-statistics: yes
+	statistics-inhibit-zero: yes
+
+	local-data: "www.example.com. IN A 192.0.2.10"
+	local-data: 'a.example.com. IN TXT "abcdef text"'
+
+remote-control:
+	control-enable: yes
+	control-interface: 127.0.0.1
+	# control-interface: ::1
+	control-port: @CONTROL_PORT@
+	server-key-file: "unbound_server.key"
+	server-cert-file: "unbound_server.pem"
+	control-key-file: "unbound_control.key"
+	control-cert-file: "unbound_control.pem"

testdata/prometheus_metrics.tdir/prometheus_metrics.dsc

@@ -0,0 +1,16 @@
+BaseName: prometheus_metrics
+Version: 1.0
+Description: Test prometheus metrics
+CreationDate: Fri 30 Jan 13:22:03 CET 2026
+Maintainer: dr. Wouter Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: prometheus_metrics.pre
+Post: prometheus_metrics.post
+Test: prometheus_metrics.test
+AuxFiles: prometheus_metrics.conf, prometheus_metrics.zone
+Passed:
+Failure:

testdata/prometheus_metrics.tdir/prometheus_metrics.post

@@ -0,0 +1,11 @@
+# #-- prometheus_metrics.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $UNBOUND_PID
+cat unbound.log
+exit 0

testdata/prometheus_metrics.tdir/prometheus_metrics.pre

@@ -0,0 +1,33 @@
+# #-- prometheus_metrics.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+if grep "define USE_METRICS" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi
+# Is curl available
+if test -f "$(which curl 2>&1)"; then
+	echo "curl available, do test"
+else
+	skip_test "curl not available, skip test"
+fi
+
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+CONTROL_PORT=$(($RND_PORT + 1))
+METRICS_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "METRICS_PORT=$METRICS_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@METRICSPORT\@/'$METRICS_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < prometheus_metrics.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log

testdata/prometheus_metrics.tdir/prometheus_metrics.test

@@ -0,0 +1,105 @@
+# #-- prometheus_metrics.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+
+NUM_A_QUERIES=5
+NUM_TXT_QUERIES=3
+
+# query server a few times
+for i in $(seq 1 $NUM_A_QUERIES); do
+	dig @127.0.0.1 -p "$UNBOUND_PORT" www.example.com. A IN | tee out2
+	if grep "192.0.2.10" out2; then
+		echo "OK"
+	else
+		echo "data not present"
+		exit 1
+	fi
+done
+
+for i in $(seq 1 $NUM_TXT_QUERIES); do
+	dig @127.0.0.1 -p "$UNBOUND_PORT" a.example.com. TXT IN | tee out2
+	if grep "abcdef text" out2; then
+		echo "OK"
+	else
+		echo "data not present"
+		exit 1
+	fi
+done
+
+# check metrics
+if ! curl -Ssi "http://127.0.0.1:$METRICS_PORT/metrics" -o metrics.out; then
+	echo "FAIL"
+	exit 1
+fi
+
+echo ">> metrics output"
+cat metrics.out
+
+echo ">> unbound-control stats"
+$PRE/unbound-control -c ub.conf stats | tee stats
+
+echo "done for now"
+exit 0
+
+# more tests
+if grep -Fx "unbound_queries_total{server=\"0\"} $((NUM_TXT_QUERIES+NUM_A_QUERIES))" metrics.out; then
+	echo "OK"
+else
+	echo "FAIL"
+	exit 1
+fi
+
+if grep -Fx "unbound_queries_by_type_total{type=\"TXT\"} $NUM_TXT_QUERIES" metrics.out; then
+	echo "OK"
+else
+	echo "FAIL"
+	exit 1
+fi
+
+if grep -Fx "unbound_queries_by_type_total{type=\"A\"} $NUM_A_QUERIES" metrics.out; then
+	echo "OK"
+else
+	echo "FAIL"
+	exit 1
+fi
+
+# check that metrics shows the reset stats after using nsd-control stats
+# and check statistics are the same as metrics
+$PRE/unbound-control -c ub.conf stats | tee stats
+if grep "num.queries=$((NUM_TXT_QUERIES+NUM_A_QUERIES))" stats; then echo "OK"; else echo "FAIL"; exit 1; fi
+if grep "num.type.TXT=$NUM_TXT_QUERIES" stats; then echo "OK"; else echo "FAIL"; exit 1; fi
+if grep "num.type.A=$NUM_A_QUERIES" stats; then echo "OK"; else echo "FAIL"; exit 1; fi
+
+# check metrics again
+curl -Ssi "http://127.0.0.1:$TPKG_METRICS_PORT/metrics" -o metrics.out2
+
+echo ">> metrics output"
+cat metrics.out2
+
+if grep -Fx "unbound_queries_total{server=\"0\"} 0" metrics.out2; then
+	echo "OK"
+else
+	echo "FAIL"
+	exit 1
+fi
+
+if grep -Fx "unbound_queries_by_type_total{type=\"TXT\"} 0" metrics.out2; then
+	echo "OK"
+else
+	echo "FAIL"
+	exit 1
+fi
+
+if grep -Fx "unbound_queries_by_type_total{type=\"A\"} 0" metrics.out2; then
+	echo "OK"
+else
+	echo "FAIL"
+	exit 1
+fi
+
+exit 0

testdata/prometheus_metrics.tdir/unbound_control.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
+1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
+F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
+ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
+vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
+IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
+cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
+lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
+15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
+LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
+Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
+YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
+whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
+lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
+tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
+U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
+Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
+Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
+ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
+1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
+b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
+ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
+TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
+tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
+aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
+A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
+LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
+R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
+7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
+jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
+BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
+kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
+qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
+VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
+MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
+C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
+-----END RSA PRIVATE KEY-----

testdata/prometheus_metrics.tdir/unbound_control.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
+WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
+A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
+OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
+1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
+NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
+A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
+Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
+TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
+nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
+4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
+hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
+9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
+ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
+pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
+72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
+muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
+uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
+-----END CERTIFICATE-----

testdata/prometheus_metrics.tdir/unbound_server.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
+0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
+GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
+uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
+WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
+FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
+q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
+A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
+7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
+XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
+iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
+2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
+MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
+WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
+O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
+IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
+qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
+dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
+bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
+YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
+7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
+gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
+5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
+ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
+oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
+s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
+zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
+ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
+oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
+mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
+kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
+7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
+RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
+jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
+O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
+MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
+-----END RSA PRIVATE KEY-----

testdata/prometheus_metrics.tdir/unbound_server.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
+igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
+a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
+4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
+aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
+TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
+uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
+XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
+dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
+84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
+JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
+fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
+XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
+qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
+sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
+yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
+CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
+-----END CERTIFICATE-----

util/config_file.c

@@ -340,6 +340,14 @@ config_create(void)
 	cfg->dnstap_bidirectional = 1;
 	cfg->dnstap_tls = 1;
 	cfg->disable_dnssec_lame_check = 0;
+#ifdef USE_METRICS
+	cfg->metrics_enable = 0;
+	cfg->metrics_ifs.first = NULL;
+	cfg->metrics_ifs.last = NULL;
+	cfg->metrics_port = UNBOUND_METRICS_PORT;
+	if(!(cfg->metrics_path = strdup("/metrics")))
+		goto error_exit;
+#endif /* USE_METRICS */
 	cfg->ip_ratelimit_cookie = 0;
 	cfg->ip_ratelimit = 0;
 	cfg->ratelimit = 0;
@@ -839,6 +847,12 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("dnstap-log-forwarder-response-messages:",
 		dnstap_log_forwarder_response_messages)
 #endif
+#ifdef USE_METRICS
+	else S_YNO("metrics-enable:", metrics_enable)
+	else S_STRLIST_APPEND("metrics-interface:", metrics_ifs)
+	else S_NUMBER_NONZERO("metrics-port:", metrics_port)
+	else S_STR("metrics-path:", metrics_path)
+#endif /* USE_METRICS */
 #ifdef USE_DNSCRYPT
 	else S_YNO("dnscrypt-enable:", dnscrypt)
 	else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port)
@@ -1332,6 +1346,12 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "dnstap-log-forwarder-response-messages",
 		dnstap_log_forwarder_response_messages)
 #endif
+#ifdef USE_METRICS
+	else O_YNO(opt, "metrics-enable", metrics_enable)
+	else O_LST(opt, "metrics-interface", metrics_ifs.first)
+	else O_DEC(opt, "metrics-port", metrics_port)
+	else O_STR(opt, "metrics-path", metrics_path)
+#endif /* USE_METRICS */
 #ifdef USE_DNSCRYPT
 	else O_YNO(opt, "dnscrypt-enable", dnscrypt)
 	else O_DEC(opt, "dnscrypt-port", dnscrypt_port)
@@ -1829,6 +1849,10 @@ config_delete(struct config_file* cfg)
 	free(cfg->dnstap_tls_client_cert_file);
 	free(cfg->dnstap_identity);
 	free(cfg->dnstap_version);
+#ifdef USE_METRICS
+	config_delstrlist(cfg->metrics_ifs.first);
+	free(cfg->metrics_path);
+#endif /* USE_METRICS */
 	config_deldblstrlist(cfg->ratelimit_for_domain);
 	config_deldblstrlist(cfg->ratelimit_below_domain);
 	config_delstrlist(cfg->python_script);

util/config_file.h

@@ -625,6 +625,17 @@ struct config_file {
 	/** true to disable DNSSEC lameness check in iterator */
 	int disable_dnssec_lame_check;
 
+#ifdef USE_METRICS
+	/** metrics section. enable toggle. */
+	int metrics_enable;
+	/** the interfaces the metrics endpoint should listen on */
+	struct config_strlist_head metrics_ifs;
+	/** port number for the metrics endpoint */
+	int metrics_port;
+	/** HTTP path for the metrics endpoint */
+	char* metrics_path;
+#endif /* USE_METRICS */
+
 	/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
 	int ip_ratelimit;
 	/** ratelimit for ip addresses with a valid DNS Cookie. 0 is off,

util/configlexer.lex

@@ -491,6 +491,10 @@ interface-tag-action{COLON}	{ YDVAR(3, VAR_INTERFACE_TAG_ACTION) }
 interface-tag-data{COLON}	{ YDVAR(3, VAR_INTERFACE_TAG_DATA) }
 interface-view{COLON}		{ YDVAR(2, VAR_INTERFACE_VIEW) }
 local-zone-override{COLON}	{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
+metrics-enable{COLON}		{ YDVAR(1, VAR_METRICS_ENABLE) }
+metrics-interface{COLON}	{ YDVAR(1, VAR_METRICS_INTERFACE) }
+metrics-port{COLON}		{ YDVAR(1, VAR_METRICS_PORT) }
+metrics-path{COLON}		{ YDVAR(1, VAR_METRICS_PATH) }
 dnstap{COLON}			{ YDVAR(0, VAR_DNSTAP) }
 dnstap-enable{COLON}		{ YDVAR(1, VAR_DNSTAP_ENABLE) }
 dnstap-bidirectional{COLON}	{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) }

util/configparser.y

@@ -126,6 +126,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_CACHE_MAX_RTT VAR_INFRA_KEEP_PROBING
 %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
 %token VAR_NAT64_PREFIX
+%token VAR_METRICS_ENABLE VAR_METRICS_INTERFACE VAR_METRICS_PORT
+%token VAR_METRICS_PATH
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP
 %token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE
 %token VAR_DNSTAP_TLS_CLIENT_KEY_FILE VAR_DNSTAP_TLS_CLIENT_CERT_FILE
@@ -359,7 +361,9 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_harden_unknown_additional | server_disable_edns_do |
 	server_log_destaddr | server_cookie_secret_file |
 	server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota |
-	server_harden_unverified_glue | server_log_time_iso | server_iter_scrub_promiscuous
+	server_harden_unverified_glue | server_log_time_iso | server_iter_scrub_promiscuous |
+	server_metrics_enable | server_metrics_interface |
+	server_metrics_port | server_metrics_path
 	;
 stub_clause: stubstart contents_stub
 	{
@@ -2748,6 +2752,52 @@ server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG
 		}
 	}
 	;
+server_metrics_enable: VAR_METRICS_ENABLE STRING_ARG
+	{
+		OUTYY(("P(server_metrics_enable:%s)\n", $2));
+#ifdef USE_METRICS
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->metrics_enable = (strcmp($2, "yes")==0);
+#else
+		if(strcmp($2, "yes")==0)
+			log_warn("%s:%d the server is not compiled with "
+				"prometheus metrics.", cfg_parser->filename,
+				cfg_parser->line);
+#endif
+		free($2);
+	};
+server_metrics_interface: VAR_METRICS_INTERFACE STRING_ARG
+	{
+		OUTYY(("P(server_metrics_interface:%s)\n", $2));
+#ifdef USE_METRICS
+		if(!cfg_strlist_append(&cfg_parser->cfg->metrics_ifs, $2))
+			yyerror("out of memory");
+#else
+		free($2);
+#endif
+	};
+server_metrics_port: VAR_METRICS_PORT STRING_ARG
+	{
+		OUTYY(("P(server_metrics_port:%s)\n", $2));
+#ifdef USE_METRICS
+		if(atoi($2) == 0 && strcmp($2,"0")!=0)
+			yyerror("port number expected");
+		else
+			cfg_parser->cfg->metrics_port = atoi($2);
+#endif
+		free($2);
+	};
+server_metrics_path: VAR_METRICS_PATH STRING_ARG
+	{
+		OUTYY(("P(server_metrics_path:%s)\n", $2));
+#ifdef USE_METRICS
+		free(cfg_parser->cfg->metrics_path);
+		cfg_parser->cfg->metrics_path = $2;
+#else
+		free($2);
+#endif
+	};
 server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG
 	{
 		OUTYY(("P(server_ip_ratelimit:%s)\n", $2));