When working with BIND9 configurations, a common frustration occurs when forwarders appear to be properly configured yet fail to resolve queries for domains not listed in local zone files. The key indicators are:
- Local zone resolution works perfectly
- External DNS servers (forwarders) are known to be functional
- No error messages in logs despite forwarding failure
The provided configuration shows a standard setup:
options {
directory "/var/cache/bind";
forwarders {
131.181.127.32;
131.181.59.48;
};
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Two directives are usually left at their defaults, and the defaults are what bite here: when a forwarders list is present BIND defaults to forward first, which silently falls back to iterative resolution whenever the forwarders fail (and that fallback fails on hosts that cannot reach the root servers); recursion defaults to yes, and forwarders are only consulted for recursive queries.
options {
// Previous config...
forward only; // never fall back to iterative resolution; the default is "first"
recursion yes; // the default; forwarders are used only for recursive queries
};
Verify forwarding behavior with these commands:
# Check the configuration syntax
named-checkconf /etc/bind/named.conf
# Query through the local server. Do not use +trace here: dig +trace iterates from the root servers itself and never touches the forwarders
dig example.com @localhost
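As an added worked example (not part of the original answer), the following Python script extracts the forwarding-related options from a named.conf and applies the defaults described above, so you can see what BIND will actually do before blaming the forwarders. The sample configuration embedded in it is the options block from the question plus a hypothetical zone stanza; the defaults it applies (forward first when forwarders are set, recursion yes, allow-recursion localnets/localhost) are BIND 9's documented defaults.

```python
import re

# Constructed sample: the options block from the question, which sets
# forwarders but leaves "forward" and "recursion" at their defaults, followed
# by a hypothetical zone stanza to show the parser stops at the right brace.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    forwarders {
        131.181.127.32;
        131.181.59.48;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
zone "example.internal" { type master; file "/etc/bind/db.example"; };
"""


def strip_comments(text):
    """named.conf accepts C (/* */), C++ (//) and shell (#) comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text, name):
    """Return the body of the first 'name { ... }' block, honouring nested braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unterminated block: " + name)


def parse_forwarding(conf):
    """Collect the options that decide whether, and for whom, BIND forwards."""
    opts = extract_block(strip_comments(conf), "options") or ""

    def addr_list(name):
        body = extract_block(opts, name)
        if body is None:
            return None
        return [t.strip() for t in body.split(";") if t.strip()]

    def keyword(name, default):
        # Negative lookbehind keeps "allow-recursion" from matching "recursion".
        m = re.search(r"(?<![\w-])" + name + r"\s+(\w+)\s*;", opts)
        return m.group(1) if m else default

    forwarders = addr_list("forwarders") or []
    return {
        "forwarders": forwarders,
        # BIND default: "forward first" whenever a forwarders list is present.
        "forward": keyword("forward", "first") if forwarders else None,
        # BIND default: recursion yes; forwarders are only used for recursive queries.
        "recursion": keyword("recursion", "yes"),
        # BIND default: localnets/localhost (it does NOT follow allow-query).
        "allow_recursion": addr_list("allow-recursion") or ["localnets", "localhost"],
    }


def lint(parsed):
    """Findings a practitioner wants before blaming the upstream servers."""
    findings = []
    if not parsed["forwarders"]:
        findings.append("no forwarders configured")
    elif parsed["forward"] == "first":
        findings.append("forward first (default): BIND falls back to iterative "
                        "resolution when the forwarders fail, which breaks silently "
                        "on hosts that cannot reach the root servers; consider forward only")
    if parsed["recursion"] != "yes":
        findings.append("recursion no: forwarders are never used")
    if "any" in parsed["allow_recursion"] and parsed["recursion"] == "yes":
        findings.append("allow-recursion { any; }: open resolver, restrict to trusted networks")
    return findings


if __name__ == "__main__":
    parsed = parse_forwarding(SAMPLE_CONF)
    print(parsed)
    for finding in lint(parsed):
        print("-", finding)
```

Run it against your own file with `parse_forwarding(open("/etc/bind/named.conf.options").read())`; the point of the lint is that the question's configuration produces exactly one finding, the implicit forward first, which is the directive the answer above tells you to make explicit.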
Here's a verified functional configuration:
options {
directory "/var/cache/bind";
forwarders {
8.8.8.8;
8.8.4.4;
};
forward only; // never fall back to iterative resolution
recursion yes;
dnssec-validation auto;
allow-query { any; }; // recursion is still limited to localnets/localhost unless allow-recursion widens it
listen-on { any; };
listen-on-v6 { any; };
};
Add detailed logging to identify forwarding issues. The log directory must exist and be writable by the named user (on Ubuntu it must also be permitted by the AppArmor profile), and debug 3 on the resolver category is very verbose, so lower it once the problem is found:
logging {
channel query_log {
file "/var/log/bind/query.log" versions 3 size 5m;
severity debug 3;
print-time yes;
};
category queries { query_log; };
category resolver { query_log; };
};
Ensure the host allows outbound DNS traffic on both UDP and TCP 53 (ufw's default outgoing policy is allow, so this only matters if it was changed):
# For Ubuntu/Debian systems using UFW
sudo ufw allow out 53/tcp
sudo ufw allow out 53/udp
When BIND9 is configured with zone files, it acts as an authoritative server for those zones. However, for domains outside these zones, it should forward queries to the specified DNS servers. From your configuration:
options {
directory "/var/cache/bind";
forwarders {
131.181.127.32;
131.181.59.48;
};
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
};
The key elements are present, but we need to verify several aspects.
First, confirm that named is actually receiving the queries and what it answers. rndc querylog toggles query logging on and off; with Debian/Ubuntu defaults the lines go to syslog:
sudo rndc querylog
sudo tail -f /var/log/syslog | grep named
This shows query processing in real time. For a failed forward you typically see the incoming query followed by a SERVFAIL answer rather than a descriptive error; the lines below are illustrative, the exact format depends on the BIND version:
client @0x7f1234567890: query: example.com IN A + (127.0.0.1)
forwarder 131.181.127.32#53: query failed (SERVFAIL) for example.com/IN/A
1. Forward mode: with a forwarders list present BIND defaults to forward first, which falls back to iterative resolution when the forwarders fail and then fails silently on hosts that cannot reach the root servers. Make the mode explicit:
options {
...
forward only; // or "forward first" if fallback to the root servers is wanted
...
};
2. Connectivity: query the forwarder directly from the BIND host (ICMP may be filtered, so the dig result is what counts):
dig @131.181.127.32 google.com
ping -c 4 131.181.127.32
3. Firewall: named needs outbound UDP and TCP 53 to the forwarders (TCP carries truncated or large answers, which are common with DNSSEC):
sudo iptables -L -n -v | grep 53
sudo ufw status verbose
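As an added example (not part of the original answer), the following Python script automates the three checks above and turns the pair of results, the forwarder queried directly versus the same name queried through the local named, into a verdict. It assumes dig is installed on the BIND host; the dig outputs embedded in it are constructed samples in dig's output format so the parser and the decision logic can be exercised offline, and example.com / 192.0.2.1 are placeholders.

```python
import re
import shutil
import subprocess

# Constructed samples in the format dig prints, used so parse_dig() and
# diagnose() can be exercised without network access.
DIG_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.        3600    IN      A       192.0.2.1
"""
DIG_SERVFAIL = """
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_REFUSED = ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34567\n"
DIG_TIMEOUT = ";; connection timed out; no servers could be reached\n"


def parse_dig(output):
    """Reduce dig's text output to (status, answer_count)."""
    if "no servers could be reached" in output:
        return ("TIMEOUT", 0)
    status = re.search(r"status:\s*([A-Z]+)", output)
    answers = re.search(r"ANSWER:\s*(\d+)", output)
    return (status.group(1) if status else "UNKNOWN",
            int(answers.group(1)) if answers else 0)


def run_dig(server, name, rtype="A", timeout=3):
    """Query one server with dig (live use only; needs dnsutils / bind-utils)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not installed")
    cmd = ["dig", "@" + server, name, rtype, "+time=%d" % timeout, "+tries=1"]
    return parse_dig(subprocess.run(cmd, capture_output=True, text=True).stdout)


def diagnose(direct, via_local):
    """Interpret (forwarder queried directly, same name via the local BIND)."""
    d_status, _ = direct
    l_status, l_answers = via_local
    if d_status == "TIMEOUT":
        return "forwarder unreachable from this host: check routing and outbound UDP/TCP 53"
    if d_status != "NOERROR":
        return "forwarder itself returns %s: the upstream is the problem, not BIND" % d_status
    if l_status == "REFUSED":
        return "local BIND refuses recursion for this client: check allow-recursion and allow-query"
    if l_status == "SERVFAIL":
        return ("forwarder works but local BIND fails: check the forward mode, "
                "DNSSEC validation (a forwarder that strips DNSSEC data causes SERVFAIL "
                "with dnssec-validation auto) or a firewall between named and the forwarder")
    if l_status == "NOERROR" and l_answers > 0:
        return "forwarding works"
    return "unexpected: direct=%s local=%s" % (d_status, l_status)


def check_forwarders(forwarders, name="example.com", local="127.0.0.1"):
    """Live check: one verdict per forwarder, mirroring the manual dig steps above."""
    via_local = run_dig(local, name)
    return {fw: diagnose(run_dig(fw, name), via_local) for fw in forwarders}


if __name__ == "__main__":
    for fw, verdict in check_forwarders(["131.181.127.32", "131.181.59.48"]).items():
        print(fw, "->", verdict)
```

The decision table is deliberately ordered: an unreachable or failing forwarder is ruled out first, because only once the upstream answers directly does a SERVFAIL from the local named point at the forward mode, DNSSEC validation or a firewall between named and the forwarder.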
Here's a more robust configuration that handles various edge cases without leaving the server open to the world:
options {
directory "/var/cache/bind";
// Forwarders are tried in order; the public resolvers are fallbacks
forwarders {
131.181.127.32;
131.181.59.48;
8.8.8.8; // Google backup
1.1.1.1; // Cloudflare backup
};
forward first; // fall back to iterative resolution only if every forwarder fails; use "only" when the root servers are unreachable
// Cache limits (these cap record lifetimes; they are not query timeouts)
max-cache-ttl 3600;
max-ncache-ttl 3600;
// Give up on a recursive query after 3000 ms (values of 300 or less are read as seconds)
resolver-query-timeout 3000;
// Security
dnssec-validation auto;
auth-nxdomain no;
allow-query { any; };
// allow-recursion { any; } would make this an open resolver usable for amplification attacks; limit recursion to your own networks
allow-recursion { localnets; localhost; };
// IPv6
listen-on-v6 { any; };
};
After making changes:
sudo named-checkconf
sudo systemctl restart bind9
dig @localhost external-domain.com
Check the status in the response header: NOERROR means the forward worked, SERVFAIL means named could not resolve the name (forwarder failure or DNSSEC validation failure), and REFUSED means the client is not allowed to recurse:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345