How to Configure Selective DNS Forwarding for Specific Domains in BIND 9.x


In enterprise DNS configurations, you often need to forward queries for specific domains to designated nameservers rather than using your default DNS resolution path. This is particularly common when:

  • Resolving internal corporate domains
  • Handling special TLDs like .local or .internal
  • Delegating specific zones to authoritative servers

The key configuration element is the forward zone type in named.conf. Here's the basic structure:

zone "domain.tld" IN {
    type forward;
    forward only|first;
    forwarders { ip_address; [ip_address; ...] };
};

Let's examine a production-grade configuration for forwarding .local domains:

// Forward all .local queries to internal resolver
zone "local." IN {
    type forward;
    forward only;  // Never fall back to recursive resolution
    forwarders { 
        10.10.1.9 port 5353;  // Custom port
        192.168.1.15;         // Secondary server
    };
};

For more complex scenarios, the port can be set per forwarder, and IPv4 and IPv6 forwarders can be mixed. Note that forwarder-port and edns are not valid inside a zone statement: the port belongs on each forwarder address, and EDNS behaviour towards a given forwarder is set in a server statement for that address, not in the zone. A non-standard port on its own also does not give you DNS-over-TLS; in BIND 9.18 and later that requires a tls clause on the forwarder entry.

zone "special.example.com" {
    type forward;
    forward only;
    forwarders {
        203.0.113.45 port 853;   // per-forwarder port; still plain DNS unless a tls clause is added (BIND 9.18+)
        2001:db8::53 port 853;   // IPv6 forwarder
    };
};

After reloading the configuration (rndc reload), verify with:

dig @localhost example.local +norecurse
dig @localhost example.com +trace

The +norecurse query sets RD=0, so it is answered only from the server's cache; run it after a normal query for the same name (without +norecurse) has been forwarded and cached. +trace makes dig walk the delegation chain from the root itself, bypassing your forwarders, so it shows the normal resolution path for comparison rather than testing the forward zone.

Check query logs with the following (query log lines record the queried name, not the zone statement that forwarded it, so filter on the domain rather than on the word "forward"):

tail -f /var/log/named/queries.log | grep 'example.local'

Additional tips:

  • Place frequently accessed forward zones early in the configuration
  • Monitor forwarder response times with dnstop
  • Consider using forward first for hybrid environments

When managing a BIND DNS server, you might encounter scenarios where you need to forward queries for specific domains to designated nameservers rather than using the default recursive resolution. This technique is particularly useful for:

  • Internal corporate domains
  • Private TLDs (like .local)
  • Hybrid cloud environments
  • Split-horizon DNS configurations

The solution involves creating a forward zone in your BIND configuration (typically named.conf or included files). Here's the basic syntax structure:

zone "target-domain" IN {
    type forward;
    forward only|first;
    forwarders { ip-address; [ip-address; ...] };
};

For a local domain (.local) that should be resolved by an internal nameserver at 10.10.1.9, you would configure:

zone "local." IN {
    type forward;
    forward only;
    forwarders { 10.10.1.9; };
};

forward only: The server will ONLY query the forwarders and won't attempt recursive resolution if forwarding fails.

forward first: The server will try the forwarders first, then fall back to standard resolution if needed.

Multiple forwarders: You can specify multiple servers for redundancy:

forwarders {
    192.168.1.10;
    192.168.1.11;
};
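The following Python script is an added example, not code from the original page or from ISC's BIND. It parses the forward-zone statements described in both configuration sections above (the zone syntax, forward only versus forward first, and multiple forwarders) and reports the mistakes a reviewer would look for: a zone with no forwarders, an unparsable address or an out-of-range port, an internal namespace forwarded to a public address, and forward first (or no forward mode at all, which BIND treats as first) on an internal zone, which lets internal names fall back to public recursion whenever the forwarders are down. The INTERNAL_SUFFIXES list and the sample configuration are assumptions constructed for the example; run named-checkconf on the real file afterwards, since this understands only the subset of named.conf syntax shown on this page.

```python
"""Lint BIND 9 forward-zone statements for common mistakes.

Added example (not from the original page or from ISC). It understands only
the zone/forward/forwarders subset of named.conf shown above and is a
pre-check, not a replacement for named-checkconf.
"""
import ipaddress
import re

# Assumption: these suffixes name private namespaces whose queries must never
# leave the internal forwarders. Adjust to your environment.
INTERNAL_SUFFIXES = ("local", "internal", "corp", "lan", "home.arpa")

FORWARDERS_RE = re.compile(r"forwarders\s*\{([^}]*)\}", re.S)
FORWARD_MODE_RE = re.compile(r"\bforward\s+(only|first)\s*;")
TYPE_FORWARD_RE = re.compile(r"\btype\s+forward\s*;")
ENTRY_RE = re.compile(r"^(\S+)(?:\s+port\s+(\d+))?")  # "addr [port N] ..."

# Constructed sample: one sound zone and two flawed ones.
SAMPLE_CONF = """
zone "local." IN {
    type forward;
    forward only;
    forwarders { 10.10.1.9 port 5353; 192.168.1.15; };
};

zone "internal." {
    type forward;
    forward first;            /* falls back to public recursion */
    forwarders { 8.8.8.8; };  // public resolver for an internal namespace
};

zone "lan." IN {
    type forward;
    forwarders { 10.0.0.300; };   # typo in address, and no forward mode
};
"""


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def iter_zone_blocks(conf):
    """Yield (zone_name, body) for each zone statement, matching braces."""
    pos = 0
    while True:
        m = re.search(r'\bzone\s+"([^"]+)"', conf[pos:])
        if not m:
            return
        start = conf.index("{", pos + m.end())
        depth, i = 0, start
        while i < len(conf):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), conf[start + 1:i]
        pos = i + 1


def is_internal(zone):
    """True if the zone name falls under one of INTERNAL_SUFFIXES."""
    name = zone.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def lint(conf):
    """Return a list of (zone, message) findings for every forward zone."""
    findings = []
    for zone, body in iter_zone_blocks(strip_comments(conf)):
        if not TYPE_FORWARD_RE.search(body):
            continue
        mode_m = FORWARD_MODE_RE.search(body)
        mode = mode_m.group(1) if mode_m else "first"  # BIND's default
        fwd_m = FORWARDERS_RE.search(body)
        raw = fwd_m.group(1) if fwd_m else ""
        entries = [e.strip() for e in raw.split(";") if e.strip()]
        if not entries:
            findings.append((zone, "no forwarders listed; nothing to forward to"))
        for entry in entries:
            addr, port = ENTRY_RE.match(entry).groups()
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append((zone, f"invalid forwarder address {addr!r}"))
                continue
            if port is not None and not 1 <= int(port) <= 65535:
                findings.append((zone, f"port {port} out of range for {addr}"))
            if is_internal(zone) and not ip.is_private:
                findings.append((zone, f"internal zone forwarded to public address {ip}"))
        if is_internal(zone) and mode != "only":
            findings.append((zone, "forward first (or no forward mode) lets internal "
                                   "names fall back to public recursion; use forward only"))
    return findings


if __name__ == "__main__":
    for zone, message in lint(SAMPLE_CONF):
        print(f"{zone}: {message}")
```

Run it against the constructed sample and the sound zone produces nothing, while each of the two flawed zones produces two findings. Point it at your own include file (for example the conditional-forwarding.conf mentioned later) to catch the same mistakes before rndc reload.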

After modifying your configuration:

  1. Check syntax: named-checkconf
  2. Reload BIND: rndc reload
  3. Test with: dig @localhost example.local

Check query logs with rndc querylog to verify forwarding behavior.

For environments with multiple conditional forward zones, consider organizing them in a separate included file:

include "/etc/bind/conditional-forwarding.conf";

When dealing with subdomains, remember that BIND applies the most specific zone statement that matches the query name: a forward zone for a parent domain already covers its subdomains, and a separate child zone entry is needed only when that child must go to different forwarders (or should not be forwarded at all).
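As an added example (not from the original page), the following Python models which forward zone BIND applies to a query name, covering both the forward only/first distinction explained above and the parent/child zone rule: the most specific matching zone statement wins, a parent entry still covers subdomains that have no entry of their own, an empty forwarders list in a forward zone switches forwarding off for that zone so it is resolved recursively, and the mode decides whether a failed forwarder may fall back to ordinary recursion. The zone table and addresses are constructed for the example.

```python
"""Model BIND's choice of forward zone for a query name.

Added example, not part of the original page. Rules modelled: the most
specific (longest-suffix) matching zone statement wins; an empty forwarders
list in a forward zone turns forwarding off for that zone; "forward first"
permits fallback to ordinary recursion, "forward only" does not.
"""
from dataclasses import dataclass, field


@dataclass
class ForwardZone:
    name: str
    forwarders: list = field(default_factory=list)
    mode: str = "only"  # "only" or "first"; BIND defaults to "first" if omitted


# Constructed zone table for the example (RFC 1918 and documentation addresses).
ZONES = [
    ForwardZone("local.", ["10.10.1.9"], "only"),
    ForwardZone("corp.local.", ["10.20.0.53"], "only"),   # child overrides parent
    ForwardZone("guest.local.", [], "only"),               # forwarding disabled here
    ForwardZone("partner.example.com.", ["203.0.113.45"], "first"),
]


def normalize(name):
    """Lower-case the name and make it fully qualified with a trailing dot."""
    return name.lower().rstrip(".") + "."


def matching_zone(qname, zones):
    """Return the most specific zone whose name is a suffix of qname, or None."""
    q = normalize(qname)
    best = None
    for zone in zones:
        zn = normalize(zone.name)
        if q == zn or q.endswith("." + zn):
            if best is None or len(zn) > len(normalize(best.name)):
                best = zone
    return best


def plan_resolution(qname, zones=ZONES, global_forwarders=None, global_mode="only"):
    """Return (source, forwarders, may_fall_back_to_recursion) for qname.

    global_forwarders models a forwarders list in the options block, which
    applies to every name that no forward zone claims.
    """
    zone = matching_zone(qname, zones)
    if zone is not None:
        if not zone.forwarders:
            # forwarders {}; in a zone disables forwarding for that zone only
            return ("recursion (forwarding disabled in %s)" % zone.name, [], False)
        return (zone.name, list(zone.forwarders), zone.mode == "first")
    if global_forwarders:
        return ("global forwarders", list(global_forwarders), global_mode == "first")
    return ("recursion", [], False)


if __name__ == "__main__":
    for q in ("host.corp.local", "printer.local", "a.guest.local",
              "www.partner.example.com", "www.example.com"):
        print(q, "->", plan_resolution(q))
```

Note that "mylocal" does not match the "local." zone, because matching is done on whole labels, which is also how BIND behaves; and that the guest.local entry shows the documented way to exempt one subtree from a parent's forwarding without touching the parent statement.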

Conditional forwarding can improve resolution times for frequently accessed internal domains while maintaining standard resolution for external queries. However, excessive conditional forwarding zones may complicate maintenance.