use TLS when -unbound.key is present (#84)

Previously, we attempted TLS if either of `-unbound.ca` or `-unbound.cert` were present.

In practice TLS configuration requires all three to succeed, though.

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "go"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"

.github/workflows/integration.yaml

@@ -0,0 +1,27 @@
+---
+name: integration
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  integration:
+    runs-on: [ubuntu-latest]
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: Start containers
+        run: docker compose up --build --detach
+      - name: run integration test
+        run: go test -v --tags=integration
+      - name: Stop containers
+        if: always()
+        run: docker compose down

.github/workflows/release.yml

@@ -14,11 +14,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
         with:
-          go-version: '1.20.1'
+          go-version: '1.21.4'
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           persist-credentials: false
 

.github/workflows/test.yaml

@@ -15,16 +15,18 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.20.x]
+        go-version: 
+          - 1.20.x
+          - 1.21.x
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
@@ -32,7 +34,7 @@ jobs:
       - name: go coverage
         run: |
           go test -mod=readonly -v -race -covermode=atomic -coverprofile=coverage.out ./...
-      - uses: codecov/codecov-action@v2
+      - uses: codecov/codecov-action@v3
         if: success()
         with:
           file: ./coverage.out

Dockerfile

@@ -0,0 +1,20 @@
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.4-bookworm AS build
+
+WORKDIR /go/src/app
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY *.go .
+
+ENV CGO_ENABLED=0
+
+RUN GOOS=$TARGETOS GOARCH=$TARGETPLATFORM go build -v -o /go/bin/unbound_exporter ./...
+
+FROM gcr.io/distroless/static-debian12
+
+COPY --from=build /go/bin/unbound_exporter /
+
+ENTRYPOINT ["/unbound_exporter"]

README.md

@@ -11,7 +11,7 @@ names and labels by using a set of regular expressions.
 
 # Prerequisites
 
-Go 1.16 or above is required.
+Go 1.20 or above is required.
 
 # Installation
 
@@ -29,18 +29,33 @@ go mod tidy
 
 - - - -
 
-# Usage
+# Usage - Unix socket
 
-To show all CLI flags available
+The simplest way to run unbound_exporter is on the same machine as your Unbound instance, connecting via a Unix socket. First, make sure you have this in your unbound.conf:
 
-    $ unbound_exporter -h
+    remote-control:
+      control-enable: yes
+      control-interface: /run/unbound.ctl
 
-Scrape metrics from the exporter
+Then, arrange to run this on the same machine:
+
+    unbound_exporter -unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound.ctl"
+
+Metrics will be exported under /metrics, on port 9167, on all interfaces.
 
     $ curl 127.0.0.1:9167/metrics | grep '^unbound_up'
     unbound_up 1
 
+# Usage - TLS
+
+The more complicated way to run unbound_exporter is to configure unbound's control-interface with a TLS certificate from a private CA, and run unbound_exporter on a separate host. This is more of a hassle because you have to keep the certificate up to date and distribute the private CA to the host that unbound_exporter runs on.
+
+See https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control for instructions on setting up the certificates and keys for remote-control via TLS. On the unbound_exporter side you will need to set the `-unbound.ca`, `-unbound.cert`, and `-unbound.key` flags to point to valid files that will trust the Unbound server's certificate and be trusted by Unbound in return.
+
+# Extended statistics
+
 From the Unbound [statistics doc](https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/): Unbound has an option to enable extended statistics collection. If enabled, more statistics are collected, for example what types of queries are sent to the resolver. Otherwise, only the total number of queries is collected. Add the following to your `unbound.conf`.
 
     server:
 	    extended-statistics: yes
+

docker-compose.yml

@@ -0,0 +1,22 @@
+services:
+  unbound_exporter:
+    build: .
+    command: [ "-unbound.host=unix:///var/run/socket/unbound.ctl" ]
+    volumes:
+      - socket:/var/run/socket:ro
+    ports:
+      - "9167:9167"
+    depends_on:
+      unbound:
+        condition: service_started
+  unbound:
+    image: "mvance/unbound:1.18.0"
+    volumes:
+      - socket:/var/run/socket:rw
+      - ./unbound-example.conf:/opt/unbound/etc/unbound/unbound.conf
+      - ./droplist.zone:/opt/unbound/etc/unbound/droplist.zone
+    ports:
+      - "1053:1053/udp"
+      - "1053:1053/tcp"
+volumes:
+  socket:

droplist.zone

@@ -0,0 +1,2 @@
+*.example.com IN A 127.0.0.1
+*.example.net IN A 127.0.0.1

go.mod

@@ -4,18 +4,17 @@ go 1.20
 
 require (
 	github.com/go-kit/log v0.2.1
-	github.com/prometheus/client_golang v1.14.0
-	github.com/prometheus/common v0.39.0
+	github.com/prometheus/client_golang v1.17.0
+	github.com/prometheus/common v0.45.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/go-logfmt/logfmt v0.5.1 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/go-logfmt/logfmt v0.6.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 )

go.sum

@@ -1,35 +1,25 @@
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
-github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
-github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
-github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8uhsI=
-github.com/prometheus/common v0.39.0/go.mod h1:6XBZ7lYdLCbkAVhwRsWTZn+IN5AB9F/NXd5w0BbEX0Y=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
+github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
+github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
+github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
+github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
+github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

integration_test.go

@@ -0,0 +1,59 @@
+//go:build integration
+
+package main
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/prometheus/common/expfmt"
+)
+
+// TestIntegration checks that unbound_exporter is running, successfully
+// scraping and exporting metrics.
+//
+// It assumes unbound_exporter is available on localhost:9167, and Unbound on
+// localhost:1053, as is set up in the docker-compose.yml file.
+//
+// A typical invocation of this test would look like
+//
+//	docker compose up --build -d
+//	go test --tags=integration
+//	docker compose down
+func TestIntegration(t *testing.T) {
+	resp, err := http.Get("http://localhost:9167/metrics")
+	if err != nil {
+		t.Fatalf("Failed to fetch metrics from unbound_exporter: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("Expected a 200 OK from unbound_exporter, got: %v", resp.StatusCode)
+	}
+
+	parser := expfmt.TextParser{}
+	metrics, err := parser.TextToMetricFamilies(resp.Body)
+	if err != nil {
+		t.Fatalf("Failed to parse metrics from unbound_exporter: %v", err)
+	}
+
+	// unbound_up is 1 if we've successfully scraped metrics from it
+	unbound_up := metrics["unbound_up"].Metric[0].Gauge.GetValue()
+	if unbound_up != 1 {
+		t.Errorf("Expected unbound_up to be 1, not: %v", unbound_up)
+	}
+
+	// Check some expected metrics are present
+	for _, metric := range []string{
+		"go_info",
+		"unbound_queries_total",
+		"unbound_response_time_seconds",
+		"unbound_cache_hits_total",
+		"unbound_query_https_total",
+		"unbound_memory_doh_bytes",
+	} {
+		if _, ok := metrics[metric]; !ok {
+			t.Errorf("Expected metric is missing: %s", metric)
+		}
+	}
+}

unbound-example.conf

@@ -0,0 +1,93 @@
+## This is an example Unbound configuration file
+## This is needed to use unbound_exporter
+remote-control:
+    control-enable: yes
+    control-interface: /var/run/socket/unbound.ctl
+
+# The rest of this file is standard Unbound configuration
+# There's nothing special here.
+server:
+    module-config: "respip validator iterator"
+    extended-statistics: yes
+    cache-max-ttl: 86400
+    cache-min-ttl: 300
+    directory: "/opt/unbound/etc/unbound"
+    do-ip4: yes
+    do-ip6: no
+    do-tcp: yes
+    do-udp: yes
+    edns-buffer-size: 1232
+    interface: 0.0.0.0
+    port: 1053
+    prefer-ip6: no
+    rrset-roundrobin: yes
+    username: "_unbound"
+    log-local-actions: no
+    log-queries: no
+    log-replies: no
+    log-servfail: yes
+    logfile: /opt/unbound/etc/unbound/unbound.log
+    verbosity: 2
+    infra-cache-slabs: 4
+    incoming-num-tcp: 10
+    key-cache-slabs: 4
+    msg-cache-size: 142768128
+    msg-cache-slabs: 4
+    num-queries-per-thread: 4096
+    num-threads: 3
+    outgoing-range: 8192
+    rrset-cache-size: 285536256
+    rrset-cache-slabs: 4
+    minimal-responses: yes
+    prefetch: yes
+    prefetch-key: yes
+    serve-expired: yes
+    so-reuseport: yes
+    aggressive-nsec: yes
+    delay-close: 10000
+    do-daemonize: no
+    do-not-query-localhost: no
+    neg-cache-size: 4M
+    qname-minimisation: yes
+    access-control: 127.0.0.1/32 allow
+    access-control: 192.168.0.0/16 allow
+    access-control: 172.16.0.0/12 allow
+    access-control: 10.0.0.0/8 allow
+    access-control: fc00::/7 allow
+    access-control: ::1/128 allow
+    auto-trust-anchor-file: "/opt/unbound/etc/unbound/var/root.key"
+    chroot: ""
+    deny-any: yes
+    harden-algo-downgrade: yes
+    harden-below-nxdomain: yes
+    harden-dnssec-stripped: yes
+    harden-glue: yes
+    harden-large-queries: yes
+    harden-referral-path: no
+    harden-short-bufsize: yes
+    hide-http-user-agent: no
+    hide-identity: yes
+    hide-version: no
+    http-user-agent: "DNS"
+    identity: "DNS"
+    private-address: 10.0.0.0/8
+    private-address: 172.16.0.0/12
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: fd00::/8
+    private-address: fe80::/10
+    private-address: ::ffff:0:0/96
+    ratelimit: 1000
+    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+    unwanted-reply-threshold: 10000
+    use-caps-for-id: yes
+    val-clean-additional: yes
+    include: /opt/unbound/etc/unbound/a-records.conf
+    include: /opt/unbound/etc/unbound/srv-records.conf
+
+rpz:
+    name: unbound_exporter_cloak
+    zonefile: /opt/unbound/etc/unbound/droplist.zone
+    rpz-log: yes
+    rpz-log-name: unbound_exporter_cloak
+    rpz-action-override: nxdomain

unbound_exporter.go

@@ -80,6 +80,24 @@ var (
 			prometheus.CounterValue,
 			[]string{"thread"},
 			"^thread(\\d+)\\.num\\.cachemiss$"),
+		newUnboundMetric(
+			"queries_cookie_client_total",
+			"Total number of queries with a client cookie.",
+			prometheus.CounterValue,
+			[]string{"thread"},
+			"^thread(\\d+)\\.num\\.queries_cookie_client$"),
+		newUnboundMetric(
+			"queries_cookie_invalid_total",
+			"Total number of queries with a invalid cookie.",
+			prometheus.CounterValue,
+			[]string{"thread"},
+			"^thread(\\d+)\\.num\\.queries_invalid_client$"),
+		newUnboundMetric(
+			"queries_cookie_valid_total",
+			"Total number of queries with a valid cookie.",
+			prometheus.CounterValue,
+			[]string{"thread"},
+			"^thread(\\d+)\\.num\\.queries_cookie_valid$"),
 		newUnboundMetric(
 			"memory_caches_bytes",
 			"Memory in bytes in use by caches.",
@@ -178,7 +196,7 @@ var (
 			"^num\\.query\\.tls\\.resume$"),
 		newUnboundMetric(
 			"query_https_total",
-			"Total number of queries that were made using HTTPS towards the Unbound server.",
+			"Total number of DoH queries that were made towards the Unbound server.",
 			prometheus.CounterValue,
 			nil,
 			"^num\\.query\\.https$"),
@@ -236,6 +254,12 @@ var (
 			prometheus.CounterValue,
 			nil,
 			"^num\\.rrset\\.bogus$"),
+		newUnboundMetric(
+			"rrset_cache_max_collisions_total",
+			"Total number of rrset cache hashtable collisions.",
+			prometheus.CounterValue,
+			nil,
+			"^rrset\\.cache\\.max_collisions$"),
 		newUnboundMetric(
 			"time_elapsed_seconds",
 			"Time since last statistics printout in seconds.",
@@ -284,12 +308,30 @@ var (
 			prometheus.GaugeValue,
 			nil,
 			"^msg\\.cache\\.count$"),
+		newUnboundMetric(
+			"msg_cache_max_collisions_total",
+			"Total number of msg cache hashtable collisions.",
+			prometheus.CounterValue,
+			nil,
+			"^msg\\.cache\\.max_collisions$"),
 		newUnboundMetric(
 			"rrset_cache_count",
 			"The Number of rrset cached",
 			prometheus.GaugeValue,
 			nil,
 			"^rrset\\.cache\\.count$"),
+		newUnboundMetric(
+			"rpz_action_count",
+			"Total number of triggered Response Policy Zone actions, by type.",
+			prometheus.CounterValue,
+			[]string{"type"},
+			"^num\\.rpz\\.action\\.rpz-([\\w-]+)$"),
+		newUnboundMetric(
+			"memory_doh_bytes",
+			"Memory used by DoH buffers, in bytes.",
+			prometheus.GaugeValue,
+			[]string{"buffer"},
+			"^mem\\.http\\.(\\w+)$"),
 	}
 )
 
@@ -430,7 +472,7 @@ func NewUnboundExporter(host string, ca string, cert string, key string) (*Unbou
 		}, nil
 	}
 
-	if ca == "" && cert == "" {
+	if ca == "" && cert == "" && key == "" {
 		return &UnboundExporter{
 			socketFamily: u.Scheme,
 			host:         u.Host,