Bind forwards DNS requests even though forwarding is disabled.
Sascha Marcel Hacker
smhrambo at googlemail.com
Tue Sep 2 17:43:10 UTC 2025
Hello,
I have a Bind server running for a private Samba AD.
The server is used exclusively for internal name resolution,
an Adguard container is used for requests to the WAN.
To enable this, forwarding is disabled on the Bind DNS (primary DNS).
Unfortunately, I have noticed that the Bind DNS has been forwarding for some time now, even though this is disabled in the configuration.
BIND version: BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version)
*named.conf.options:*
...
options {
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
auth-nxdomain yes;
forward only;
forwarders {
# 1.1.1.1;
# 1.0.0.1;
# 9.9.9.9;
# 149.112.112.112;
# 2606:4700:4700::1111;
# 2606:4700:4700::1001;
# 2620:fe::fe;
# 2620:fe::9;
};
...
*named.conf.default-zones:*
// prime the server with knowledge of the root servers
#zone "." {
# type hint;
# file "/usr/share/dns/root.hints";
#};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
*Log:*
Sep 02 19:03:15 routerpi systemd[1]: Starting named.service - BIND Domain Name Server...
Sep 02 19:03:16 routerpi named[153686]: starting BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>
Sep 02 19:03:16 routerpi named[153686]: running on Linux aarch64 6.8.0-1036-raspi #40-Ubuntu SMP PREEMPT_DYNAMIC Mon Aug 18 09:50:42 UTC 2025
Sep 02 19:03:16 routerpi named[153686]: built with '--build=aarch64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/ma>
Sep 02 19:03:16 routerpi named[153686]: running as: named -f -u bind -n 1
Sep 02 19:03:16 routerpi named[153686]: compiled by GCC 13.3.0
Sep 02 19:03:16 routerpi named[153686]: compiled with OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
Sep 02 19:03:16 routerpi named[153686]: linked to OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
Sep 02 19:03:16 routerpi named[153686]: compiled with libuv version: 1.48.0
Sep 02 19:03:16 routerpi named[153686]: linked to libuv version: 1.48.0
Sep 02 19:03:16 routerpi named[153686]: compiled with libxml2 version: 2.9.14
Sep 02 19:03:16 routerpi named[153686]: linked to libxml2 version: 20914
Sep 02 19:03:16 routerpi named[153686]: compiled with json-c version: 0.17
Sep 02 19:03:16 routerpi named[153686]: linked to json-c version: 0.17
Sep 02 19:03:16 routerpi named[153686]: compiled with zlib version: 1.3
Sep 02 19:03:16 routerpi named[153686]: linked to zlib version: 1.3
Sep 02 19:03:16 routerpi named[153686]: ----------------------------------------------------
Sep 02 19:03:16 routerpi named[153686]: BIND 9 is maintained by Internet Systems Consortium,
Sep 02 19:03:16 routerpi named[153686]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 02 19:03:16 routerpi named[153686]: corporation. Support and training for BIND 9 are
Sep 02 19:03:16 routerpi named[153686]: available at https://www.isc.org/support
Sep 02 19:03:16 routerpi named[153686]: ----------------------------------------------------
Sep 02 19:03:16 routerpi named[153686]: adjusted limit on open files from 524288 to 1048576
Sep 02 19:03:16 routerpi named[153686]: found 4 CPUs, using 1 worker thread
Sep 02 19:03:16 routerpi named[153686]: using 1 UDP listener per interface
Sep 02 19:03:16 routerpi named[153686]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
Sep 02 19:03:16 routerpi named[153686]: DS algorithms: SHA-1 SHA-256 SHA-384
Sep 02 19:03:16 routerpi named[153686]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
Sep 02 19:03:16 routerpi named[153686]: TKEY mode 2 support (Diffie-Hellman): yes
Sep 02 19:03:16 routerpi named[153686]: TKEY mode 3 support (GSS-API): yes
Sep 02 19:03:16 routerpi named[153686]: the initial working directory is '/'
Sep 02 19:03:16 routerpi named[153686]: loading configuration from '/etc/bind/named.conf'
Sep 02 19:03:16 routerpi named[153686]: the working directory is now '/var/cache/bind'
Sep 02 19:03:16 routerpi named[153686]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Sep 02 19:03:16 routerpi named[153686]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv4 port range: [32768, 60999]
Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv6 port range: [32768, 60999]
Sep 02 19:03:16 routerpi named[153686]: listening on IPv4 interface lo, 127.0.0.1#53
...
Sep 02 19:03:16 routerpi named[153686]: generating session key for dynamic DNS
Sep 02 19:03:16 routerpi named[153686]: sizing zone task pool based on 4 zones
Sep 02 19:03:16 routerpi named[153686]: Loading 'AD DNS Zone' using driver dlopen
Sep 02 19:03:16 routerpi named[153686]: samba_dlz: started for DN ...
Sep 02 19:03:16 routerpi named[153686]: samba_dlz: starting configure
...
Sep 02 19:03:16 routerpi named[153686]: none:99: 'max-cache-size 90%' - setting to 3405MB (out of 3784MB)
Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no forwarders seen; disabling forwarding
Sep 02 19:03:16 routerpi named[153686]: set up managed keys zone for view _default, file 'managed-keys.bind'
Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no forwarders seen; disabling forwarding
Sep 02 19:03:16 routerpi named[153686]: configuring command channel from '/etc/bind/rndc.key'
Sep 02 19:03:16 routerpi named[153686]: command channel listening on 127.0.0.1#953
Sep 02 19:03:16 routerpi named[153686]: configuring command channel from '/etc/bind/rndc.key'
Sep 02 19:03:16 routerpi named[153686]: command channel listening on ::1#953
Sep 02 19:03:16 routerpi systemd[1]: Started named.service - BIND Domain Name Server.
*netstat -tulpen | grep named:*
...
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 114 526776 153686/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 114 526829 153686/named
...
tcp6 0 0 ::1:953 :::* LISTEN 114 526830 153686/named
tcp6 0 0 ::1:53 :::* LISTEN 114 526804 153686/named
...
udp 0 0 127.0.0.1:53 0.0.0.0:* 114 526775 153686/named
udp6 0 0 ::1:53 :::* 114 526803 153686/named
...
*nslookup google.com:*
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 142.251.36.174
Name: google.com
Address: 2a00:1450:4016:808::200e
*resolv.conf:*
# operation for /etc/resolv.conf.
nameserver 127.0.0.1
nameserver 10.13.1.4
nameserver 1.1.1.1
nameserver ::1
nameserver fdda:9280:731e:1:0:4::1
nameserver 2606:4700:4700::1111
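An added configuration check (not from the poster or from ISC) that reads the two named.conf fragments quoted above and reports how named will actually resolve names. It applies BIND 9's documented defaults, which are the assumptions here: recursion is on unless `recursion no;` is set, a forwarders list that is empty after comment stripping disables forwarding (exactly what the poster's log reports), and when no `type hint` zone for "." is configured, named falls back to its compiled-in root hints instead of giving up.

```python
import re

# Constructed sample: the options and default-zones fragments quoted in the
# post, concatenated the way named reads them (not the poster's actual files).
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    forward only;
    forwarders {
        # 1.1.1.1;
        # 2606:4700:4700::1111;
    };
};
#zone "." {
#    type hint;
#    file "/usr/share/dns/root.hints";
#};
zone "localhost" { type master; file "/etc/bind/db.local"; };
"""

def strip_comments(conf):
    """Drop the three comment styles named.conf accepts: /* */, // and #.
    Naive by design: a quoted string containing // or # would be cut too."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def audit_bind_options(conf):
    """Return a dict describing the effective resolution behaviour."""
    c = strip_comments(conf)
    block = re.search(r"forwarders\s*\{([^}]*)\}", c)
    # Active forwarder addresses are what survive comment stripping.
    forwarders = [t.split()[0] for t in block.group(1).split(";") if t.strip()] if block else []
    m = re.search(r"\brecursion\s+(yes|no)\s*;", c)
    recursion = (m.group(1) == "yes") if m else True        # BIND default: yes
    hint_zone = re.search(r'zone\s+"\."\s*\{[^}]*type\s+hint', c) is not None
    forwarding = bool(forwarders)
    warnings = []
    if re.search(r"\bforward\s+(only|first)\s*;", c) and not forwarding:
        warnings.append("forward only/first set but no active forwarders: forwarding is disabled")
    if recursion and not forwarding:
        src = "the configured hint zone" if hint_zone else "compiled-in root hints"
        warnings.append(f"recursion is on and nothing is forwarded: named iterates from {src}; "
                        "set 'recursion no;' or tighten allow-recursion for internal-only use")
    return {"forwarding": forwarding, "forwarders": forwarders,
            "recursion": recursion, "hint_zone": hint_zone, "warnings": warnings}

if __name__ == "__main__":
    for w in audit_bind_options(SAMPLE_CONF)["warnings"]:
        print("WARNING:", w)
```

Run against the fragments in the post it reports that forwarding is indeed off but recursion is still on, which is the behaviour the nslookup output shows.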