Forward Zones

In Unbound, a Forward Zone controls how queries are handled on a per-zone basis. This can be used to send queries for a specific domain or zone to a specific DNS server, or it can be used to setup forwarding mode sending all queries to one or more upstream recursive DNS servers.

Forward Zone Examples

Example to override the default resolver behavior and forward all queries to an upstream DNS server:

tnsr(config)# unbound server
tnsr(config-unbound)# forward-zone .
tnsr(config-unbound-fwd-zone)# nameserver address 8.8.8.8
tnsr(config-unbound-fwd-zone)# nameserver address 8.8.4.4

This forwards the root zone (.) and all zones underneath to the specified servers, in this case, 8.8.8.8 and 8.8.4.4.

Example to send queries for one specific domain to an alternate server:

tnsr(config)# unbound server
tnsr(config-unbound)# forward-zone example.com
tnsr(config-unbound-fwd-zone)# nameserver address 192.0.2.5

This example sends all queries for example.com and subdomains underneath example.com to the server at 192.0.2.5. This is useful for sending queries for internal domains to a local authoritative DNS server, or an internal DNS server reachable through a VPN.

Forward Zone Configuration

To enter config-unbound-fwd-zone mode, start from config-unbound mode and use the forward-zone <zone-name> command. The <zone-name> takes the form of the domain part of a fully qualified domain name (FQDN), but may also be . to denote the root zone.

nameserver address <ip-address> [port <port>] [auth-name <name>]

Specifies a DNS server for this zone by IP address. Optionally, a port number may be given (default 53). auth-name sets the FQDN of the DNS server for use in validating certificates with DNS over TLS.

nameserver host <host-name>

Specifies a DNS server for this zone by FQDN. This hostname will be resolved before use.

enable/disable forward-first

When enabled, if a query fails to the forwarding DNS servers it will be retried using resolver mode through the root DNS servers. By default this behavior is disabled.

enable/disable forward-tls-upstream

When enabled, queries to the DNS servers in this zone are sent using DNS over TLS, typically on port 853. This mode provides query privacy by encrypting communication between Unbound and upstream DNS servers in the zone. Default is disabled as this feature is not yet widely supported by other platforms.

Multiple DNS server address or host entries may be given for a forward zone. These servers are not queried sequentially and are not necessarily queried simultaneously. Unbound tracks the availability and performance of each DNS server in the zone and will attempt to use the most optimal server for a query.