Maintained by: NLnet Labs

Query forwarding

Petr Spacek
Tue Jan 19 13:25:58 CET 2016


On 19.1.2016 02:48, Dave Warren via Unbound-users wrote:
> On 2016-01-18 03:28, Havard Eidnes via Unbound-users wrote:
>> I'm trying to figure out how unbound can be configured to behave
>> with respect to query forwarding.  In unbound.conf(5) I find this
>> particular gem:
>>
>>      forward-first: <yes or no>
>>             If enabled, a query is attempted without the forward clause if
>>             it fails.  The data could not be retrieved and would have caused
>>             SERVFAIL because the servers are unreachable, instead it is
>>             tried without this clause.  The default is no.
> 
> Oddly this was perfectly clear to me when I first read it, but on each 
> subsequent re-read, I find myself re-parsing the words and second-guessing :)
> 
> With forward-first: no, Unbound will forward a query as configured for this 
> zone, and if it ultimately reaches SERVFAIL state, that's what it returns to the 
> client.
> 
> With forward-first: yes, Unbound will forward a query and if it ultimately 
> reaches SERVFAIL state, it will fall back on resolving via the default method as 
> though there were no forwarding clause at all.
> 
> However, only SERVFAIL will cause default resolution methods to be used; an
> NXDOMAIN or other no-answer situation will be returned without further lookups.
> This can be useful if you wanted to, for example, forward a particular zone
> within a VPN if the VPN is up, but you still want to resolve via normal
> resolution (recursion, forwarding, whatever) if the VPN-based authoritative
> servers are not available.

A longer explanation can be found at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

Please let me know if the text helps or is unclear; we would be happy to
improve it!

-- 
Petr Spacek  @  Red Hat
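
The two behaviours described in this thread, written out as an unbound.conf fragment. This is an added example, not part of the original messages; the zone names and the 192.0.2.x forwarder addresses are constructed placeholders.

```conf
# Constructed example: zone names and addresses are placeholders.

# Strict forwarding (the default, forward-first: no).
# Queries for this zone go only to the listed forwarders. If they are
# unreachable and the lookup ends in SERVFAIL, the client gets SERVFAIL.
# Names under this zone are never sent anywhere else.
forward-zone:
    name: "internal.example."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    forward-first: no

# Forward with fallback (forward-first: yes), the VPN case from the thread.
# Queries go to the forwarders first. Only when that attempt would end in
# SERVFAIL (forwarders unreachable, e.g. VPN down) is the query retried
# as if this forward-zone clause did not exist. An NXDOMAIN from the
# forwarder is returned to the client as-is, with no further lookup.
forward-zone:
    name: "vpn.example."
    forward-addr: 192.0.2.153
    forward-first: yes
```

With `forward-first: yes`, names under the zone are sent out through the resolver's normal resolution path whenever the forwarders are unreachable, so choose `no` for zones whose names should only ever be seen by the listed forwarders.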