TRUE remote unbound-control(8) from another host
I have determined how to control just the unbound daemon on pfSense from a remote host using unbound-control.
I had to change the "control-interface:" attribute in /var/unbound/remotecontrol.conf from 127.0.0.1 to my local LAN IP, restart Unbound, and copy some *.pem and *.key files over to my remote host so that the following command would succeed:
unbound-control -s <my LAN ip>@<control port> command
Believe it or not, I could not find the details (other than the -s option) to make the above work documented anywhere, even from NLnet Labs docs. It appears pfSense and NLnet Labs assume the use of unbound-control is local to the host unbound is running on... but yet it communicates over a TLS-enabled TCP/IP connection.
Am I missing a pfSense WebUI option/setting to change the "control-interface" some place?
(If not, any chance one could be added?)
Would there be any circumstances where the /var/unbound/remotecontrol.conf file is overwritten/re-generated (other than the obvious like an upgrade)?
Note: it appears the contents of the unbound "Custom Options" field is put into the unbound.conf file before the include of remotecontrol.conf so I don't think it could be added there, since it would get overridden by the last occurrence of the attribute.
I ask because it would also be nice to have that as part of the backup config.xml file (assuming I am not missing a WebUI field somewhere). I could see some use cases for external monitoring tools for Unbound (and a few others).
Thanks,
Bob
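
The client-side setup described in the post above, as an added example that is not part of the original post and is not pfSense or NLnet Labs code. It assumes the copied files use the default names written by unbound-control-setup (unbound_server.pem, unbound_control.key, unbound_control.pem); the function names, directory, address and port are placeholders. It checks that only the material the client needs was copied, then writes a client-only config for unbound-control -c.

```shell
#!/bin/sh
# Added example. File names are assumed to be the unbound-control-setup defaults;
# directory, address and port are placeholders supplied by the caller.

# check_client_dir DIR: print findings about the copied TLS material.
# Returns 0 when the three client files are present, the server's private key
# is absent, and the control key is readable by its owner only.
check_client_dir() {
    dir=$1
    rc=0
    for f in unbound_server.pem unbound_control.key unbound_control.pem; do
        [ -r "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    # unbound-control verifies the server with unbound_server.pem; the server's
    # private key never needs to leave the resolver.
    if [ -e "$dir/unbound_server.key" ]; then
        echo "remove: unbound_server.key"
        rc=1
    fi
    # Anyone who can read unbound_control.key can control the daemon.
    if [ -e "$dir/unbound_control.key" ]; then
        perms=$(ls -ld "$dir/unbound_control.key" | cut -c5-10)  # group+other bits
        [ "$perms" = "------" ] || { echo "chmod 600: unbound_control.key"; rc=1; }
    fi
    return $rc
}

# write_client_conf DIR HOST PORT: emit a client-only config on stdout.
write_client_conf() {
    cat <<EOF
remote-control:
    control-enable: yes
    control-interface: $2
    control-port: $3
    server-cert-file: "$1/unbound_server.pem"
    control-key-file: "$1/unbound_control.key"
    control-cert-file: "$1/unbound_control.pem"
EOF
}

# Usage (DIR, LAN_IP and CONTROL_PORT are placeholders):
#   check_client_dir "$DIR" &&
#   write_client_conf "$DIR" "$LAN_IP" "$CONTROL_PORT" > "$DIR/client.conf"
#   unbound-control -c "$DIR/client.conf" status
```

With the config file in place, unbound-control takes the address, port and certificate paths from -c, so -s is not needed on each call.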