In Unbound, a Forward Zone controls how queries are handled on a per-zone basis. This can be used to send queries for a specific domain or zone to a specific DNS server, or it can be used to set up forwarding mode, sending all queries to one or more upstream recursive DNS servers.
Forward Zone Examples
Example to override the default resolver behavior and forward all queries to upstream DNS servers:

    tnsr(config)# unbound server
    tnsr(config-unbound)# forward-zone .
    tnsr(config-unbound-fwd-zone)# nameserver address 18.104.22.168
    tnsr(config-unbound-fwd-zone)# nameserver address 22.214.171.124

This forwards the root zone (.) and all zones underneath it to the specified servers, in this case the two nameserver addresses given in the example.
Example to send queries for one specific domain to an alternate server:

    tnsr(config)# unbound server
    tnsr(config-unbound)# forward-zone example.com
    tnsr(config-unbound-fwd-zone)# nameserver address 192.0.2.5

This example sends all queries for example.com and subdomains underneath example.com to the server at 192.0.2.5. This is useful for sending queries for internal domains to a local authoritative DNS server, or to an internal DNS server reachable through a VPN.
Forward Zone Configuration
To enter config-unbound-fwd-zone mode, start from config-unbound mode (entered with the unbound server command) and use the forward-zone <zone-name> command. The <zone-name> takes the form of the domain part of a fully qualified domain name (FQDN), but may also be . to denote the root zone.
- nameserver address <ip-address> [port <port>] [auth-name <name>]
Specifies a DNS server for this zone by IP address. Optionally, a port number may be given (the default is 53). auth-name sets the FQDN of the DNS server, which Unbound checks against the server's certificate when DNS over TLS is enabled; without an auth-name, a TLS connection is encrypted but the identity of the upstream server is not verified.
- nameserver host <host-name>
Specifies a DNS server for this zone by FQDN. This hostname will be resolved before use.
- enable/disable forward-first
When enabled, a query that fails against the forwarding DNS servers (for example, because they are unreachable) is retried in normal recursive resolver mode, starting from the root DNS servers. This behavior is disabled by default. Leave it disabled for zones that exist only on internal servers: with forward-first enabled, queries for internal names would be sent to the public root servers whenever the internal forwarder is down.
- enable/disable forward-tls-upstream
When enabled, queries to the DNS servers in this zone are sent using DNS over TLS, typically on port 853. Because the default port remains 53, each nameserver address entry in the zone must specify the TLS port explicitly (port 853), and should include an auth-name so the upstream certificate is verified. This mode provides query privacy by encrypting communication between Unbound and the upstream DNS servers in the zone. The default is disabled, as this feature is not yet widely supported by other platforms.
Multiple DNS server address or host entries may be given for a forward zone. These servers are not queried in a fixed sequence and are not necessarily queried simultaneously. Unbound tracks the availability and response time of each DNS server in the zone and attempts to use the best-performing server for each query.
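The following is an added example, not part of the original TNSR documentation, that combines the commands described above into one configuration: an internal zone forwarded in plain DNS to a local authoritative server, and everything else forwarded over DNS over TLS with certificate verification. The zone name corp.example.com, the internal server 192.0.2.5, the upstream addresses 203.0.113.53 and 203.0.113.54 and the auth-name dot.example.net are placeholders; the exit commands assume normal TNSR CLI mode navigation.

```text
tnsr(config)# unbound server
tnsr(config-unbound)# forward-zone corp.example.com
tnsr(config-unbound-fwd-zone)# nameserver address 192.0.2.5
tnsr(config-unbound-fwd-zone)# disable forward-first
tnsr(config-unbound-fwd-zone)# exit
tnsr(config-unbound)# forward-zone .
tnsr(config-unbound-fwd-zone)# nameserver address 203.0.113.53 port 853 auth-name dot.example.net
tnsr(config-unbound-fwd-zone)# nameserver address 203.0.113.54 port 853 auth-name dot.example.net
tnsr(config-unbound-fwd-zone)# enable forward-tls-upstream
tnsr(config-unbound-fwd-zone)# exit
tnsr(config-unbound)# exit
tnsr(config)#
```

Unbound selects the most specific matching forward zone, so names under corp.example.com go to 192.0.2.5 in the clear while every other name goes to the two TLS upstreams. forward-first is kept disabled on the internal zone so that an outage of the internal server cannot cause internal names to be looked up via the public root servers, and the root zone carries both port 853 and an auth-name on each nameserver entry because enable forward-tls-upstream alone neither changes the default port nor verifies the upstream certificate.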