Bind forwards DNS requests even though forwarding is disabled.
Greg Choules
gregchoules+bindusers at googlemail.com
Tue Sep 2 19:55:17 UTC 2025
Hi Sascha.
I have a few questions.
1) Are you sure BIND is forwarding? Is that the term you mean to use?
Please can you take a binary packet capture (pcap, not copy/paste of
terminal output) that shows what the BIND server is doing and send that.
You may have disabled global forwarding but recursion is still enabled, as
Ondřej points out. Let's look at what queries BIND is sending and to where.
2) How do you intend to get queries from BIND to Adguard?
3) What was the "nslookup" intended to show?
Send us a bit more information and we'll try to help.
Cheers, Greg
On Tue, 2 Sept 2025 at 18:43, Sascha Marcel Hacker via bind-users <
bind-users at lists.isc.org> wrote:
> Hello,
> I have a Bind server running for a private Samba AD.
> The server is used exclusively for internal name resolution,
> an Adguard container is used for requests to the WAN.
>
> To enable this, forwarding is disabled on the Bind DNS (primary DNS).
> Unfortunately, I have noticed that the Bind DNS has been forwarding for
> some time now,
> even though this is disabled in the configuration.
>
> BIND version: BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support
> Version)
>
> *named.conf.options:*
> ...
> options {
> directory "/var/cache/bind";
> notify no;
> empty-zones-enable no;
> auth-nxdomain yes;
>
> forward only;
> forwarders {
> # 1.1.1.1;
> # 1.0.0.1;
> # 9.9.9.9;
> # 149.112.112.112;
> # 2606:4700:4700::1111;
> # 2606:4700:4700::1001;
> # 2620:fe::fe;
> # 2620:fe::9;
> };
> ...
>
> *named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> #zone "." {
> # type hint;
> # file "/usr/share/dns/root.hints";
> #};
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> *Log:*
> Sep 02 19:03:15 routerpi systemd[1]: Starting named.service - BIND Domain
> Name Server...
> Sep 02 19:03:16 routerpi named[153686]: starting BIND
> 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>
> Sep 02 19:03:16 routerpi named[153686]: running on Linux aarch64
> 6.8.0-1036-raspi #40-Ubuntu SMP PREEMPT_DYNAMIC Mon Aug 18 09:50:42 UTC 2025
> Sep 02 19:03:16 routerpi named[153686]: built with
> '--build=aarch64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/ma>
> Sep 02 19:03:16 routerpi named[153686]: running as: named -f -u bind -n 1
> Sep 02 19:03:16 routerpi named[153686]: compiled by GCC 13.3.0
> Sep 02 19:03:16 routerpi named[153686]: compiled with OpenSSL version:
> OpenSSL 3.0.13 30 Jan 2024
> Sep 02 19:03:16 routerpi named[153686]: linked to OpenSSL version: OpenSSL
> 3.0.13 30 Jan 2024
> Sep 02 19:03:16 routerpi named[153686]: compiled with libuv version: 1.48.0
> Sep 02 19:03:16 routerpi named[153686]: linked to libuv version: 1.48.0
> Sep 02 19:03:16 routerpi named[153686]: compiled with libxml2 version:
> 2.9.14
> Sep 02 19:03:16 routerpi named[153686]: linked to libxml2 version: 20914
> Sep 02 19:03:16 routerpi named[153686]: compiled with json-c version: 0.17
> Sep 02 19:03:16 routerpi named[153686]: linked to json-c version: 0.17
> Sep 02 19:03:16 routerpi named[153686]: compiled with zlib version: 1.3
> Sep 02 19:03:16 routerpi named[153686]: linked to zlib version: 1.3
> Sep 02 19:03:16 routerpi named[153686]:
> ----------------------------------------------------
> Sep 02 19:03:16 routerpi named[153686]: BIND 9 is maintained by Internet
> Systems Consortium,
> Sep 02 19:03:16 routerpi named[153686]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Sep 02 19:03:16 routerpi named[153686]: corporation. Support and training
> for BIND 9 are
> Sep 02 19:03:16 routerpi named[153686]: available at
> https://www.isc.org/support
> Sep 02 19:03:16 routerpi named[153686]:
> ----------------------------------------------------
> Sep 02 19:03:16 routerpi named[153686]: adjusted limit on open files from
> 524288 to 1048576
> Sep 02 19:03:16 routerpi named[153686]: found 4 CPUs, using 1 worker thread
> Sep 02 19:03:16 routerpi named[153686]: using 1 UDP listener per interface
> Sep 02 19:03:16 routerpi named[153686]: DNSSEC algorithms: RSASHA1
> NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519
> ED448
> Sep 02 19:03:16 routerpi named[153686]: DS algorithms: SHA-1 SHA-256
> SHA-384
> Sep 02 19:03:16 routerpi named[153686]: HMAC algorithms: HMAC-MD5
> HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 2 support
> (Diffie-Hellman): yes
> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 3 support (GSS-API): yes
> Sep 02 19:03:16 routerpi named[153686]: the initial working directory is
> '/'
> Sep 02 19:03:16 routerpi named[153686]: loading configuration from
> '/etc/bind/named.conf'
> Sep 02 19:03:16 routerpi named[153686]: the working directory is now
> '/var/cache/bind'
> Sep 02 19:03:16 routerpi named[153686]: reading built-in trust anchors
> from file '/etc/bind/bind.keys'
> Sep 02 19:03:16 routerpi named[153686]: looking for GeoIP2 databases in
> '/usr/share/GeoIP'
> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv4 port range:
> [32768, 60999]
> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv6 port range:
> [32768, 60999]
> Sep 02 19:03:16 routerpi named[153686]: listening on IPv4 interface lo,
> 127.0.0.1#53
> ...
> Sep 02 19:03:16 routerpi named[153686]: generating session key for dynamic
> DNS
> Sep 02 19:03:16 routerpi named[153686]: sizing zone task pool based on 4
> zones
> Sep 02 19:03:16 routerpi named[153686]: Loading 'AD DNS Zone' using driver
> dlopen
> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: started for DN ...
> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: starting configure
> ...
> Sep 02 19:03:16 routerpi named[153686]: none:99: 'max-cache-size 90%' -
> setting to 3405MB (out of 3784MB)
> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34:
> no forwarders seen; disabling forwarding
> Sep 02 19:03:16 routerpi named[153686]: set up managed keys zone for view
> _default, file 'managed-keys.bind'
> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34:
> no forwarders seen; disabling forwarding
> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from
> '/etc/bind/rndc.key'
> Sep 02 19:03:16 routerpi named[153686]: command channel listening on
> 127.0.0.1#953
> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from
> '/etc/bind/rndc.key'
> Sep 02 19:03:16 routerpi named[153686]: command channel listening on
> ::1#953
> Sep 02 19:03:16 routerpi systemd[1]: Started named.service - BIND Domain
> Name Server.
>
> *netstat -tulpen | grep named:*
> ...
> tcp 0 0 127.0.0.1:53 0.0.0.0:*
> LISTEN 114 526776 153686/named
> tcp 0 0 127.0.0.1:953 0.0.0.0:*
> LISTEN 114 526829 153686/named
> ...
> tcp6 0 0 ::1:953 :::* LISTEN
> 114 526830 153686/named
> tcp6 0 0 ::1:53 :::* LISTEN
> 114 526804 153686/named
> ...
> udp 0 0 127.0.0.1:53 0.0.0.0:*
> 114 526775 153686/named
> udp6 0 0 ::1:53 :::*
> 114 526803 153686/named
> ...
>
> *nslookup google.com:*
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: google.com
> Address: 142.251.36.174
> Name: google.com
> Address: 2a00:1450:4016:808::200e
>
> *resolv.conf:*
> # operation for /etc/resolv.conf.
>
> nameserver 127.0.0.1
> nameserver 10.13.1.4
> nameserver 1.1.1.1
> nameserver ::1
> nameserver fdda:9280:731e:1:0:4::1
> nameserver 2606:4700:4700::1111
>
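Greg's point that forwarding and recursion are separate settings can be checked mechanically. The following is an added example, not code from the thread, from Sascha or from ISC: a small Python checker that strips comments from an options block like the one quoted above (reproduced here as a constructed excerpt), reads `recursion`, `forward` and `forwarders`, and reports what named will do with a name outside its own zones. It assumes BIND's documented default of `recursion yes` when the option is absent; the `10.0.0.2` forwarder in the usage is a placeholder, not an address from the thread.

```python
import re

# Constructed excerpt modelled on the named.conf.options quoted in the thread:
# every forwarder is commented out, and recursion is never mentioned.
THREAD_OPTIONS = """
options {
    directory "/var/cache/bind";
    notify no;
    auth-nxdomain yes;
    forward only;
    forwarders {
        # 1.1.1.1;
        # 9.9.9.9;
    };
};
"""

# Constructed variant: the same block with recursion switched off explicitly.
AUTH_ONLY_OPTIONS = THREAD_OPTIONS.replace("notify no;", "notify no;\n    recursion no;")

def strip_comments(text):
    """Drop /* */, // and # comments, the three comment styles named accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse_options(text):
    """Pull out the three settings that decide where off-zone queries go."""
    text = strip_comments(text)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    recursion = (rec.group(1) == "yes") if rec else True   # named default: yes
    mode = re.search(r"\bforward\s+(only|first)\s*;", text)
    fw = re.search(r"\bforwarders\s*\{(.*?)\}", text, flags=re.S)
    forwarders = [a.strip() for a in fw.group(1).split(";") if a.strip()] if fw else []
    return {"recursion": recursion,
            "forward_mode": mode.group(1) if mode else None,
            "forwarders": forwarders}

def diagnose(opts):
    """Explain what named will do with a name it is not authoritative for."""
    if opts["forwarders"]:
        return "forwarding (%s) to %s" % (opts["forward_mode"] or "first",
                                         ", ".join(opts["forwarders"]))
    if opts["recursion"]:
        return ("no forwarders: forwarding disabled, but recursion is on, "
                "so named resolves external names itself from the root servers")
    return "no forwarders and recursion off: named answers only its own zones"

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_OPTIONS), ("recursion no", AUTH_ONLY_OPTIONS)):
        print(label + ": " + diagnose(parse_options(cfg)))
```

Running it on the thread's block reports the "no forwarders ... recursion is on" case, which matches the `no forwarders seen; disabling forwarding` log line alongside a successful google.com lookup.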