How does the DNS forwarder work?



In our pre-UCS network we run our own DNS server. It is configured to handle local name resolution, but it also answers queries for individual subdomains via RPZ. For everything else it asks a Google DNS server itself.

Now I notice that our UCS already has our DNS server entered under dns/forward1. However, queries from a new slave server for a subdomain that is listed in the RPZ are not passed through.

What can I do?

Best regards from Berlin-Kreuzberg
Masin Al-Dujaili



Sorry, I prefer English here so international users can make use of this forum.

Am I right that you installed a new slave server and joined it to the domain? If this slave server now requests name resolution for an RPZ-blocked domain, it does not ask the forwarder?

But you have set dns/forward1 on your master server?

Be aware you have to configure each server; the UCR variables will not be transferred to the slave.

So if you do ucr set dns/forward1=<IP of your RPZ-enabled DNS> on your slave server it should work.

Does it work then?



Yes, I installed a new slave server and joined it to the domain. Actually, the join first failed because the slave couldn’t resolve the name of a member server.

The slave server does not ask the forwarder. Until now, I understood the setting

forwarders {
	// Google's DNS;

so that named itself queries the configured forwarder and returns the result to the client.

I think so:

root@kappa:~# ucr get dns/forwarder1

With being our pre-UCS DNS server.

Isn’t it so that dns/forwarder1 is a setting for the bind9 daemon? Does a slave server resolve by itself? However: it didn’t work with setting it on the slave. dig reports it queries


which is the VM’s address. In /etc/bind/named.conf.samba4 there is this snippet:

# Found a forwarder in ucr variables, using forwarder in zone ".".
# Ignoring any setting of dns/fakeroot.
zone "." {
	type forward;
	forwarders {;

I guess I have to restart bind or samba or something but systemctl reports these services as not running: active(exited).

Masin AD



Which file is this snippet from? Slave or master?
If you configure (Google) as forwarder, your local RPZ server will obviously be ignored.

Indeed, that is correct. And has no clue about your RPZ zones.

And is your RPZ server?

So in between, a question about your goal:
Do you want the UCS named to use your local RPZ DNS? Or do you want to configure your UCS to have RPZ zones and forward all other queries (except RPZ and local domain) to

Yes, it is. And even on the slave there is a bind9 daemon running. So you have to configure your forwarder on the slave, too!

ucr set dns/forwarder1=......

Do NOT edit the files under /etc/bind EXCEPT the local.* ones!
Once you have made a change, restart the daemon with systemctl restart bind9 - the message is misleading.


This is from our pre-UCS DNS server. This way it only answers to local names and those in the RPZ. For everything else it queries Google’s DNS.


Whatever is easier to achieve. I thought configuring UCS to forward unknown queries to our old DNS server would be easier. But I fear UCS feeling authoritative for the domain doesn’t forward requests regarding its own domain to another DNS server.


Ok, I will do a short summary then and you will have to decide on your own.

A DNS server has “zones”. Zones can be configured completely differently, even on the same server. For each zone the server is either authoritative or not.

UCS has its own zone (which gets created during initial install) which is replicated to all DNS servers in the domain: master, backup, slave. All servers are authoritative for this zone and any request for a name in this zone gets answered by these servers (found with IP or not found). No other servers will be queried. Never!

You can add additional zones by using the /etc/bind/local.* files on each single server. Be aware this changes only the configuration of this single server and does not change anything on the other domain servers. Depending on the type of zone you configure (master, slave, forward), bind behaves differently. For master it is nearly the same as above, except that the zone is not replicated to the other servers in the UCS domain as it is only local.
For a slave zone bind starts an initial transfer and gets the full zone data from the configured master. Once transferred it will answer queries to this domain as if it were a master, until the time-to-live (TTL) has elapsed. Then it will ask the master if there is updated zone data and transfers the zone again if so.
For a forward zone it will forward all queries regarding this zone to the configured forwarder.

If a query asks for a host from a zone which is not configured, there are two ways. If a (global) forwarder is configured, it will ask this forwarder and pass the answer on to the requesting client. If no forwarder is configured, bind will discover the authoritative DNS server for this domain top-down: it asks for “.de”, then the server for “.de” will be asked for “.beispiel.de”, and finally this authoritative server is asked for “host.beispiel.de”.

I do not know how you have configured RPZ on your DNS. If it is just a zone configuration, you might configure UCS DNS to take care of it and configure the zone on every UCS DNS. But I guess it might be easier to configure EVERY UCS server to use this DNS as forwarder by ucr set dns/forwarder1=<IP of RPZ DNS> and ucr set nameserver1=<IP OF MASTER>; ucr set nameserver2=<IP OF BACKUP>; ucr set nameserver3=<IP OF SLAVE>.

Thus, all queries not regarding your domain zone will be forwarded from the DNS server to your configured forwarder, which takes care of the RPZ configuration.


[EDIT] And you should make sure all your clients will query only the UCS nameservers! Otherwise requests for the UCS zone will fail.
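As an added example (not code from this thread, from UCS or from BIND), here is a small model of the zone lookup described in the summary above: which path a query takes depending on master/slave/forward zones and the global forwarder. The zone names and the 192.0.2.53 address (standing in for the old RPZ-capable server) are constructed.

```python
"""How a BIND-style server (UCS named) picks the handling path for a query.
Added example for the forum thread above, not code from UCS or BIND;
zone names and IPs are constructed."""
from dataclasses import dataclass
from typing import Optional

MASTER, SLAVE, FORWARD = "master", "slave", "forward"


@dataclass(frozen=True)
class Zone:
    name: str               # zone apex, e.g. "ucs.example"
    kind: str               # MASTER / SLAVE / FORWARD
    forwarders: tuple = ()  # only consulted for forward zones


def _in_zone(qname: str, zone: str) -> bool:
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def decide_path(qname: str, zones, global_forwarder: Optional[str]) -> str:
    """Longest matching zone wins. Master/slave zones answer authoritatively
    (NXDOMAIN if unknown, never forwarded); a forward zone uses its own
    forwarders; any other name goes to the global forwarder if one is set,
    else to iterative resolution starting at the root."""
    matches = [z for z in zones if _in_zone(qname, z.name)]
    if matches:
        zone = max(matches, key=lambda z: len(z.name))
        if zone.kind in (MASTER, SLAVE):
            return f"authoritative:{zone.name}"
        return f"forward-zone:{zone.name}->{','.join(zone.forwarders)}"
    if global_forwarder:
        return f"global-forwarder:{global_forwarder}"
    return "iterative:root"


# Constructed sample: UCS domain zone, the old RPZ-capable server as global
# forwarder (dns/forwarder1) and an optional local forward zone for a subdomain.
UCS = Zone("ucs.example", MASTER)
RPZ_DNS = "192.0.2.53"
RPZ_SUB = Zone("blocked.example", FORWARD, (RPZ_DNS,))


def demo() -> dict:
    """Path taken by each kind of query under the configurations discussed."""
    q = "www.blocked.example"
    return {
        "outside, forwarder set": decide_path(q, [UCS], RPZ_DNS),
        "outside, no forwarder": decide_path(q, [UCS], None),   # RPZ never seen
        "local forward zone": decide_path(q, [UCS, RPZ_SUB], None),
        "name in UCS zone": decide_path("nas.ucs.example", [UCS], RPZ_DNS),
    }
```

The last entry is the case from the thread: a name inside the UCS zone is answered locally no matter which forwarder is set, so a forwarder can only help for names outside that zone.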