DNS Forwarders
Forwarding configuration. Global and per-zone forwarding, forward-first vs forward-only, and VyOS dual-BIND HA architecture.
Forwarding Concepts
A forwarding resolver sends queries to upstream servers instead of performing iterative resolution itself. This reduces the attack surface (no direct root/TLD communication) and centralizes caching at the upstream forwarders.
Global Forwarding
options {
    # Global forwarders; with "forward first" BIND falls back to iterative resolution if they fail
    forwarders { 10.50.1.50; 8.8.8.8; 8.8.4.4; };
    forward first;
};
forward first tries the forwarder list in order. If all forwarders fail or return SERVFAIL, BIND falls back to iterative resolution starting from root hints. This is the resilient choice.
options {
    # "forward only": no fallback; if both forwarders fail, clients get SERVFAIL
    forwarders { 10.50.1.50; 8.8.8.8; };
    forward only;
};
forward only never performs iterative resolution. If all forwarders are unreachable, queries fail with SERVFAIL. Use this when the server must not communicate with external DNS infrastructure directly.
Per-Zone Forwarding
# AD zone: send every query for it to the domain controller and nowhere else
zone "inside.domusdigitalis.dev" IN {
    type forward;
    forwarders { 10.50.1.50; };
    forward only;
};
The inside.domusdigitalis.dev zone is forwarded exclusively to the AD domain controller. All other zones use the global forwarder list. This is the standard pattern for Linux hosts in an AD environment.
# Reverse zone for 10.50.1.0/24: PTR records live in AD DNS
zone "1.50.10.in-addr.arpa" IN {
    type forward;
    forwarders { 10.50.1.50; };
    forward only;
};
AD DNS manages PTR records for the domain subnet. Forward reverse lookups there so dig -x returns AD-registered hostnames.
# Pin a single public zone to a specific upstream resolver
zone "googleapis.com" IN {
    type forward;
    forwarders { 8.8.8.8; };
    forward only;
};
Useful for zones that must use a specific upstream resolver for compliance, geolocation, or performance reasons.
VyOS Dual-BIND Forwarding Architecture
# BIND instance 1 (10.50.1.2): primary for the lab zone
options {
    directory "/var/named";
    forwarders { 10.50.1.50; 8.8.8.8; };
    forward first;
    listen-on port 53 { 10.50.1.2; 127.0.0.1; };
};
# Authoritative for lab zone
zone "inside.domusdigitalis.dev" IN {
    type master;
    file "inside.domusdigitalis.dev.zone";
    allow-transfer { 10.50.1.3; };
};
# BIND instance 2 (10.50.1.3): secondary, pulls the zone from instance 1
options {
    directory "/var/named";
    forwarders { 10.50.1.50; 8.8.8.8; };
    forward first;
    listen-on port 53 { 10.50.1.3; 127.0.0.1; };
};
zone "inside.domusdigitalis.dev" IN {
    type slave;
    masters { 10.50.1.2; };
    file "slaves/inside.domusdigitalis.dev.zone";
};
Both BIND instances forward non-authoritative queries through AD DNS first. If AD DNS is down, they fall back to public DNS. Clients point at the VyOS VIP for seamless failover.
Testing Forwarding
dig inside.domusdigitalis.dev A | grep "SERVER"
Shows which server answered dig (the SERVER line). If the host's resolver points at BIND and forwarding is working, this should be your BIND server, which in turn queried the forwarder.
dig @10.50.1.90 home-dc01.inside.domusdigitalis.dev A +short
If this resolves, BIND is successfully forwarding to AD DNS.
dig @10.50.1.90 google.com A +short
Should succeed via the 8.8.8.8 forwarder even if AD DNS handles only internal zones.
for server in 10.50.1.50 8.8.8.8 1.1.1.1; do
    echo -n "$server: "
    dig @"$server" google.com +stats +noall | awk '/Query time/{print $4, $5}'
done
Identifies the fastest forwarder. Place the fastest one first in the forwarders list.
Forwarding vs Recursion
The distinction matters for security posture:
- Forwarding: server asks another resolver to do the work. Fewer outbound connections. Depends on upstream availability.
- Recursion: server walks the DNS tree itself (root → TLD → authoritative). More outbound connections. Independent of any single upstream.
- forward first: try forwarding, fall back to recursion. Best of both worlds.
- forward only: forwarding or failure. Tightest control over DNS egress.
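As an added example (not from the original page), a small Python checker that parses the forwarding directives from a named.conf fragment like the ones above and flags the two egress mistakes discussed here: an internal zone (AD or reverse) forwarded to an external resolver, and forward first where DNS egress must be restricted. The embedded named.conf text is constructed, 10.50.1.50 as the only internal forwarder is an assumption, and the parser assumes each block closes with `};` at the start of a line.

```python
import re

# Constructed named.conf modelled on this page's snippets; the reverse zone deliberately
# forwards to a public resolver (and omits "forward only") so the audit has something to catch.
SAMPLE_CONF = """
options {
    forwarders { 10.50.1.50; 8.8.8.8; 8.8.4.4; };
    forward first;
};
zone "inside.domusdigitalis.dev" IN {
    type forward;
    forwarders { 10.50.1.50; };
    forward only;
};
zone "1.50.10.in-addr.arpa" IN {
    type forward;
    forwarders { 8.8.8.8; };
};
"""
BLOCK_RE = re.compile(r'(?:options|zone\s+"([^"]+)")[^{]*\{(.*?)\n\};', re.S)  # block ends with "};" at line start
FWD_RE = re.compile(r'forwarders\s*\{([^}]*)\}')
MODE_RE = re.compile(r'\bforward\s+(first|only)\s*;')
INTERNAL_FORWARDERS = {"10.50.1.50"}  # assumption: the AD DNS server is the only internal forwarder

def parse_forwarding(conf):
    """Map 'options' and each forward zone to (forwarder list, 'first'|'only')."""
    out = {}
    for m in BLOCK_RE.finditer(conf):
        scope, body = m.group(1) or "options", m.group(2)
        if scope != "options" and "type forward;" not in body:
            continue  # master/slave zones answer locally and do not forward
        servers = [s for blk in FWD_RE.findall(body) for s in re.findall(r"[^\s;]+", blk)]
        out[scope] = (servers, (MODE_RE.findall(body) or ["first"])[0])  # BIND default is "first"
    return out

def audit(conf, internal_zones, restrict_egress=False):
    """Flag forwarding that leaks internal lookups or, if egress is restricted, allows fallback."""
    findings = []
    for scope, (servers, mode) in parse_forwarding(conf).items():
        if scope == "options":
            if restrict_egress and mode == "first":
                findings.append("options: forward first falls back to iterative root/TLD queries")
            continue
        if scope in internal_zones:
            external = sorted(set(servers) - INTERNAL_FORWARDERS)
            if external:
                findings.append(f"{scope}: internal zone forwarded to external resolver(s) {external}")
            if mode == "first":
                findings.append(f"{scope}: forward first lets internal lookups fall back to public DNS")
    return findings
```

Run `audit(SAMPLE_CONF, {"inside.domusdigitalis.dev", "1.50.10.in-addr.arpa"})` against a real named.conf to list the zones that need `forward only` or an internal-only forwarder list.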
See Also
- Recursive — forwarding vs recursion tradeoffs
- BIND — named.conf options block
- Server Types — forwarding resolver role