Forward Zones
In Unbound, a Forward Zone controls how queries are handled on a per-zone basis. This can be used to send queries for a specific domain or zone to a specific DNS server, or it can be used to set up forwarding mode, sending all queries to one or more upstream recursive DNS servers.
Forward Zone Examples
Example to override the default resolver behavior and forward all queries to an upstream DNS server:
tnsr(config)# unbound server
tnsr(config-unbound)# forward-zone .
tnsr(config-unbound-fwd-zone)# nameserver address 8.8.8.8
tnsr(config-unbound-fwd-zone)# nameserver address 8.8.4.4
This forwards the root zone (.) and all zones underneath it to the specified servers, in this case 8.8.8.8 and 8.8.4.4.
Example to send queries for one specific domain to an alternate server:
tnsr(config)# unbound server
tnsr(config-unbound)# forward-zone example.com
tnsr(config-unbound-fwd-zone)# nameserver address 192.0.2.5
This example sends all queries for example.com and its subdomains to the server at 192.0.2.5. This is useful for sending queries for internal domains to a local authoritative DNS server, or to an internal DNS server reachable through a VPN.
Forward Zone Configuration
To enter config-unbound-fwd-zone mode, start from config-unbound mode and use the forward-zone <zone-name> command. The <zone-name> takes the form of the domain part of a fully qualified domain name (FQDN), but may also be . to denote the root zone.
- nameserver address <ip-address> [port <port>] [auth-name <name>]: Specifies a DNS server for this zone by IP address. Optionally, a port number may be given (default 53). auth-name sets the FQDN of the DNS server, which is used to validate the server's certificate when DNS over TLS is enabled.
- nameserver host <host-name>: Specifies a DNS server for this zone by FQDN. This hostname will be resolved before use.
- forward-first: When enabled, if a query to the forwarding DNS servers fails, it is retried in resolver mode through the root DNS servers. This behavior is disabled by default.
- forward-tls-upstream: When enabled, queries to the DNS servers in this zone are sent using DNS over TLS, typically on port 853. This mode provides query privacy by encrypting communication between Unbound and the upstream DNS servers in the zone. Disabled by default, as this feature is not yet widely supported by other platforms.
Multiple DNS server address or host entries may be given for a forward zone. These servers are not queried sequentially, nor are they necessarily queried simultaneously. Unbound tracks the availability and performance of each DNS server in the zone and attempts to use the best-performing server for each query.
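The options above interact in ways worth checking before a configuration is committed: with forward-tls-upstream enabled, a nameserver entry that lacks auth-name has no name to validate its certificate against, and forward-first causes a failed TLS query to be retried in plain resolver mode. The following script is an added example, not part of the TNSR documentation or the TNSR product; it parses a constructed CLI transcript using the command syntax shown on this page and reports those combinations. The transcript, the parse_forward_zones and audit function names, and the auth-name value dns.google for the Google servers are all assumptions made for the example.

```python
"""Audit forward-zone settings from a TNSR CLI transcript (hypothetical helper)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample transcript using the command forms documented on the page.
# Zone "." deliberately enables DNS over TLS with one server lacking auth-name
# and also enables forward-first, so the audit has something to report.
SAMPLE_CONFIG = """\
tnsr(config)# unbound server
tnsr(config-unbound)# forward-zone .
tnsr(config-unbound-fwd-zone)# nameserver address 8.8.8.8 port 853
tnsr(config-unbound-fwd-zone)# nameserver address 8.8.4.4 port 853 auth-name dns.google
tnsr(config-unbound-fwd-zone)# forward-tls-upstream
tnsr(config-unbound-fwd-zone)# forward-first
tnsr(config-unbound)# forward-zone example.com
tnsr(config-unbound-fwd-zone)# nameserver address 192.0.2.5
"""

# Matches the "tnsr(<mode>)# <command>" prompt and captures the command text.
PROMPT_RE = re.compile(r"^tnsr\([^)]*\)#\s*(.*)$")


@dataclass
class Nameserver:
    target: str                      # IP address or host name
    kind: str                        # "address" or "host"
    port: int = 53                   # default port per the documentation
    auth_name: Optional[str] = None  # FQDN used for TLS certificate validation


@dataclass
class ForwardZone:
    name: str
    nameservers: List[Nameserver] = field(default_factory=list)
    tls_upstream: bool = False
    forward_first: bool = False


def parse_forward_zones(transcript: str) -> List[ForwardZone]:
    """Extract forward zones and their settings; unrecognized lines are ignored."""
    zones: List[ForwardZone] = []
    current: Optional[ForwardZone] = None
    for line in transcript.splitlines():
        match = PROMPT_RE.match(line)
        if not match:
            continue
        words = match.group(1).split()
        if not words:
            continue
        if words[0] == "forward-zone" and len(words) == 2:
            current = ForwardZone(name=words[1])
            zones.append(current)
        elif current is None:
            continue
        elif words[0] == "nameserver" and len(words) >= 3:
            ns = Nameserver(target=words[2], kind=words[1])
            options = words[3:]
            # Options follow as keyword/value pairs: port <n>, auth-name <fqdn>
            for key, value in zip(options[::2], options[1::2]):
                if key == "port":
                    ns.port = int(value)
                elif key == "auth-name":
                    ns.auth_name = value
            current.nameservers.append(ns)
        elif words[0] == "forward-tls-upstream":
            current.tls_upstream = True
        elif words[0] == "forward-first":
            current.forward_first = True
    return zones


def audit(zones: List[ForwardZone]) -> List[Tuple[str, str]]:
    """Return (zone, message) pairs for settings that weaken DNS over TLS forwarding."""
    findings: List[Tuple[str, str]] = []
    for zone in zones:
        if not zone.nameservers:
            findings.append((zone.name, "no nameserver configured for this zone"))
        if not zone.tls_upstream:
            continue
        for ns in zone.nameservers:
            if ns.auth_name is None:
                findings.append((zone.name, f"{ns.target}: DNS over TLS without auth-name, "
                                            "so the server certificate is not validated"))
            if ns.port == 53:
                findings.append((zone.name, f"{ns.target}: TLS upstream on port 53 "
                                            "(DNS over TLS typically uses 853)"))
        if zone.forward_first:
            findings.append((zone.name, "forward-first with TLS upstream: a failed TLS query "
                                        "is retried in plain resolver mode via the root servers"))
    return findings


def run_audit(transcript: str = SAMPLE_CONFIG) -> List[Tuple[str, str]]:
    return audit(parse_forward_zones(transcript))


if __name__ == "__main__":
    for zone_name, message in run_audit():
        print(f"[{zone_name}] {message}")
```

Paste a transcript of the relevant configuration into SAMPLE_CONFIG (or pass it to run_audit) and the script lists each zone whose TLS forwarding is incomplete. On the sample above it flags 8.8.8.8 for the missing auth-name and the root zone for forward-first; the example.com zone, which does not use TLS, produces no findings.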