Bind forwards DNS requests even though forwarding is disabled.
Sten Carlsen
stenc at s-carlsen.dk
Wed Sep 3 09:00:10 UTC 2025
You still have the "forward only;" and "forwarders" statements. Would commenting those out make a difference?
--
Best regards
Sten Carlsen
Don't be impressed with unintelligible stuff said condescendingly.
-- Radia Perlman.
> On 2 Sep 2025, at 20.12, Ondřej Surý <ondrej at isc.org> wrote:
>
> https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-forwarders
>
>> The default is the empty list (no forwarding).
>
> ^^^ you've effectively disabled forwarding.
>
> You haven't described precisely what are you trying to achieve, but you probably want to disable recursion?
>
> https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-recursion
>
> However, please note this:
>
>> Caching may still occur as an effect of the server’s internal operation, such as NOTIFY address lookups.
>
> The server might need to resolve some names internally, so perhaps a solution would be to actually configure the forwarders to point to your AdGuard container?
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 2. 9. 2025, at 19:43, Sascha Marcel Hacker via bind-users <bind-users at lists.isc.org> wrote:
>>
>> Hello,
>> I have a Bind server running for a private Samba AD.
>> The server is used exclusively for internal name resolution,
>> an Adguard container is used for requests to the WAN.
>>
>> To enable this, forwarding is disabled on the Bind DNS (primary DNS).
>> Unfortunately, I have noticed that the Bind DNS has been forwarding for some time now,
>> even though this is disabled in the configuration.
>>
>> BIND version: BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version)
>>
>> named.conf.options:
>> ...
>> options {
>> directory "/var/cache/bind";
>> notify no;
>> empty-zones-enable no;
>> auth-nxdomain yes;
>>
>> forward only;
>> forwarders {
>> # 1.1.1.1;
>> # 1.0.0.1;
>> # 9.9.9.9;
>> # 149.112.112.112;
>> # 2606:4700:4700::1111;
>> # 2606:4700:4700::1001;
>> # 2620:fe::fe;
>> # 2620:fe::9;
>> };
>> ...
>>
>> named.conf.default-zones:
>> // prime the server with knowledge of the root servers
>> #zone "." {
>> # type hint;
>> # file "/usr/share/dns/root.hints";
>> #};
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>>
>> Log:
>> Sep 02 19:03:15 routerpi systemd[1]: Starting named.service - BIND Domain Name Server...
>> Sep 02 19:03:16 routerpi named[153686]: starting BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>
>> Sep 02 19:03:16 routerpi named[153686]: running on Linux aarch64 6.8.0-1036-raspi #40-Ubuntu SMP PREEMPT_DYNAMIC Mon Aug 18 09:50:42 UTC 2025
>> Sep 02 19:03:16 routerpi named[153686]: built with '--build=aarch64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/ma>
>> Sep 02 19:03:16 routerpi named[153686]: running as: named -f -u bind -n 1
>> Sep 02 19:03:16 routerpi named[153686]: compiled by GCC 13.3.0
>> Sep 02 19:03:16 routerpi named[153686]: compiled with OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
>> Sep 02 19:03:16 routerpi named[153686]: linked to OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
>> Sep 02 19:03:16 routerpi named[153686]: compiled with libuv version: 1.48.0
>> Sep 02 19:03:16 routerpi named[153686]: linked to libuv version: 1.48.0
>> Sep 02 19:03:16 routerpi named[153686]: compiled with libxml2 version: 2.9.14
>> Sep 02 19:03:16 routerpi named[153686]: linked to libxml2 version: 20914
>> Sep 02 19:03:16 routerpi named[153686]: compiled with json-c version: 0.17
>> Sep 02 19:03:16 routerpi named[153686]: linked to json-c version: 0.17
>> Sep 02 19:03:16 routerpi named[153686]: compiled with zlib version: 1.3
>> Sep 02 19:03:16 routerpi named[153686]: linked to zlib version: 1.3
>> Sep 02 19:03:16 routerpi named[153686]: ----------------------------------------------------
>> Sep 02 19:03:16 routerpi named[153686]: BIND 9 is maintained by Internet Systems Consortium,
>> Sep 02 19:03:16 routerpi named[153686]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> Sep 02 19:03:16 routerpi named[153686]: corporation. Support and training for BIND 9 are
>> Sep 02 19:03:16 routerpi named[153686]: available at https://www.isc.org/support
>> Sep 02 19:03:16 routerpi named[153686]: ----------------------------------------------------
>> Sep 02 19:03:16 routerpi named[153686]: adjusted limit on open files from 524288 to 1048576
>> Sep 02 19:03:16 routerpi named[153686]: found 4 CPUs, using 1 worker thread
>> Sep 02 19:03:16 routerpi named[153686]: using 1 UDP listener per interface
>> Sep 02 19:03:16 routerpi named[153686]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
>> Sep 02 19:03:16 routerpi named[153686]: DS algorithms: SHA-1 SHA-256 SHA-384
>> Sep 02 19:03:16 routerpi named[153686]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
>> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 2 support (Diffie-Hellman): yes
>> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 3 support (GSS-API): yes
>> Sep 02 19:03:16 routerpi named[153686]: the initial working directory is '/'
>> Sep 02 19:03:16 routerpi named[153686]: loading configuration from '/etc/bind/named.conf'
>> Sep 02 19:03:16 routerpi named[153686]: the working directory is now '/var/cache/bind'
>> Sep 02 19:03:16 routerpi named[153686]: reading built-in trust anchors from file '/etc/bind/bind.keys'
>> Sep 02 19:03:16 routerpi named[153686]: looking for GeoIP2 databases in '/usr/share/GeoIP'
>> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv4 port range: [32768, 60999]
>> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv6 port range: [32768, 60999]
>> Sep 02 19:03:16 routerpi named[153686]: listening on IPv4 interface lo, 127.0.0.1#53
>> ...
>> Sep 02 19:03:16 routerpi named[153686]: generating session key for dynamic DNS
>> Sep 02 19:03:16 routerpi named[153686]: sizing zone task pool based on 4 zones
>> Sep 02 19:03:16 routerpi named[153686]: Loading 'AD DNS Zone' using driver dlopen
>> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: started for DN ...
>> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: starting configure
>> ...
>> Sep 02 19:03:16 routerpi named[153686]: none:99: 'max-cache-size 90%' - setting to 3405MB (out of 3784MB)
>> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no forwarders seen; disabling forwarding
>> Sep 02 19:03:16 routerpi named[153686]: set up managed keys zone for view _default, file 'managed-keys.bind'
>> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no forwarders seen; disabling forwarding
>> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from '/etc/bind/rndc.key'
>> Sep 02 19:03:16 routerpi named[153686]: command channel listening on 127.0.0.1#953
>> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from '/etc/bind/rndc.key'
>> Sep 02 19:03:16 routerpi named[153686]: command channel listening on ::1#953
>> Sep 02 19:03:16 routerpi systemd[1]: Started named.service - BIND Domain Name Server.
>>
>> netstat -tulpen | grep named:
>> ...
>> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 114 526776 153686/named
>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 114 526829 153686/named
>> ...
>> tcp6 0 0 ::1:953 :::* LISTEN 114 526830 153686/named
>> tcp6 0 0 ::1:53 :::* LISTEN 114 526804 153686/named
>> ...
>> udp 0 0 127.0.0.1:53 0.0.0.0:* 114 526775 153686/named
>> udp6 0 0 ::1:53 :::* 114 526803 153686/named
>> ...
>>
>> nslookup google.com:
>> Server: 127.0.0.1
>> Address: 127.0.0.1#53
>>
>> Non-authoritative answer:
>> Name: google.com
>> Address: 142.251.36.174
>> Name: google.com
>> Address: 2a00:1450:4016:808::200e
>>
>> resolv.conf:
>> # operation for /etc/resolv.conf.
>>
>> nameserver 127.0.0.1
>> nameserver 10.13.1.4
>> nameserver 1.1.1.1
>> nameserver ::1
>> nameserver fdda:9280:731e:1:0:4::1
>> nameserver 2606:4700:4700::1111
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
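To make Ondrej's point concrete, here is an added example (not from the thread and not BIND's own parser) that reads an options block the way the quoted docs describe: an empty forwarders list turns forwarding off, and since recursion defaults to yes, named then recurses on its own. The sample block is constructed from the options posted above; the helper names are hypothetical.

```python
import re

# Constructed sample, reduced from the named.conf.options in the thread:
# "forward only" is set, but every forwarder is commented out.
SAMPLE_OPTIONS = """
options {
    directory "/var/cache/bind";
    notify no;
    forward only;
    forwarders {
        # 1.1.1.1;
        # 9.9.9.9;
    };
};
"""

def strip_comments(text):
    # named.conf accepts C (/* */), C++ (//) and shell (#) style comments.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def parse_options(text):
    """Return (forward_mode, forwarders, recursion) from an options block."""
    clean = strip_comments(text)
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", clean)
    forwarders = [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []
    fm = re.search(r"\bforward\s+(only|first)\s*;", clean)
    forward_mode = fm.group(1) if fm else None
    rm = re.search(r"\brecursion\s+(yes|no)\s*;", clean)
    recursion = (rm.group(1) == "yes") if rm else True  # BIND default: recursion yes
    return forward_mode, forwarders, recursion

def external_resolution(text):
    """How this server handles a name it is not authoritative for."""
    mode, forwarders, recursion = parse_options(text)
    if not recursion:
        # recursion no: clients only get authoritative data, nothing is looked up.
        return "authoritative-only"
    if forwarders:
        # "forward only" sends every recursive query to these servers.
        return "forwards"
    # No forwarders: named logs "no forwarders seen; disabling forwarding" and
    # resolves from the root hints itself (compiled-in if no "." hint zone is set),
    # which is why nslookup google.com still gets an answer from 127.0.0.1.
    return "recurses"
```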