Bind forwards DNS requests even though forwarding is disabled.

Ondřej Surý ondrej at isc.org
Wed Sep 3 10:00:04 UTC 2025


No, forwarding is disabled if the forwarders list is empty. What you can probably do is create a sinkhole address on the localhost (with a DROP firewall rule) and forward to that. However, why not just disable recursion or properly forward to the AdGuard DNS server instead? Both are perfectly fine solutions and not as fragile as trying to bash a square peg into a round hole.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 3. 9. 2025, at 11:00, Sten Carlsen <stenc at s-carlsen.dk> wrote:
> 
> You still have the "forward only;" and "forwarders" statements. Would commenting those out make a difference?
> 
> -- 
> Best regards 
> Sten Carlsen
> 
> Don't be impressed with unintelligible stuff said condescendingly.
>     -- Radia Perlman.
> 
>> On 2 Sep 2025, at 20.12, Ondřej Surý <ondrej at isc.org> wrote:
>> 
>> https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-forwarders
>> 
>>> The default is the empty list (no forwarding).
>> 
>> ^^^ you've effectively disabled forwarding.
>> 
>> You haven't described precisely what you are trying to achieve, but you probably want to disable recursion?
>> 
>> https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-recursion
>> 
>> However, please note this:
>> 
>>> Caching may still occur as an effect of the server’s internal operation, such as NOTIFY address lookups.
>> 
>> The server might need to resolve some names internally, so perhaps a solution would be to actually configure the forwarders to point to your AdGuard container?
>> 
>> Cheers,
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>> 
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>> 
>>> On 2. 9. 2025, at 19:43, Sascha Marcel Hacker via bind-users <bind-users at lists.isc.org> wrote:
>>> 
>>> Hello,
>>> I have a Bind server running for a private Samba AD.
>>> The server is used exclusively for internal name resolution,
>>> an Adguard container is used for requests to the WAN.
>>> 
>>> To enable this, forwarding is disabled on the Bind DNS (primary DNS).
>>> Unfortunately, I have noticed that the Bind DNS has been forwarding for some time now,
>>> even though this is disabled in the configuration.
>>> 
>>> BIND version: BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version)
>>> 
>>> named.conf.options:
>>> ...
>>> options {
>>>        directory "/var/cache/bind";
>>>        notify no;
>>>        empty-zones-enable no;
>>>        auth-nxdomain yes;
>>> 
>>>        forward only;
>>>        forwarders {
>>> #               1.1.1.1;
>>> #               1.0.0.1;
>>> #               9.9.9.9;
>>> #               149.112.112.112;
>>> #               2606:4700:4700::1111;
>>> #               2606:4700:4700::1001;
>>> #               2620:fe::fe;
>>> #               2620:fe::9;
>>>        };
>>> ...
>>> 
>>> named.conf.default-zones:
>>> // prime the server with knowledge of the root servers
>>> #zone "." {
>>> #       type hint;
>>> #       file "/usr/share/dns/root.hints";
>>> #};
>>> 
>>> // be authoritative for the localhost forward and reverse zones, and for
>>> // broadcast zones as per RFC 1912
>>> 
>>> zone "localhost" {
>>>        type master;
>>>        file "/etc/bind/db.local";
>>> };
>>> 
>>> zone "127.in-addr.arpa" {
>>>        type master;
>>>        file "/etc/bind/db.127";
>>> };
>>> 
>>> zone "0.in-addr.arpa" {
>>>        type master;
>>>        file "/etc/bind/db.0";
>>> };
>>> 
>>> zone "255.in-addr.arpa" {
>>>        type master;
>>>        file "/etc/bind/db.255";
>>> };
>>> 
>>> Log:
>>> Sep 02 19:03:15 routerpi systemd[1]: Starting named.service - BIND Domain Name Server...
>>> Sep 02 19:03:16 routerpi named[153686]: starting BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>
>>> Sep 02 19:03:16 routerpi named[153686]: running on Linux aarch64 6.8.0-1036-raspi #40-Ubuntu SMP PREEMPT_DYNAMIC Mon Aug 18 09:50:42 UTC 2025
>>> Sep 02 19:03:16 routerpi named[153686]: built with  '--build=aarch64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/ma>
>>> Sep 02 19:03:16 routerpi named[153686]: running as: named -f -u bind -n 1
>>> Sep 02 19:03:16 routerpi named[153686]: compiled by GCC 13.3.0
>>> Sep 02 19:03:16 routerpi named[153686]: compiled with OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
>>> Sep 02 19:03:16 routerpi named[153686]: linked to OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
>>> Sep 02 19:03:16 routerpi named[153686]: compiled with libuv version: 1.48.0
>>> Sep 02 19:03:16 routerpi named[153686]: linked to libuv version: 1.48.0
>>> Sep 02 19:03:16 routerpi named[153686]: compiled with libxml2 version: 2.9.14
>>> Sep 02 19:03:16 routerpi named[153686]: linked to libxml2 version: 20914
>>> Sep 02 19:03:16 routerpi named[153686]: compiled with json-c version: 0.17
>>> Sep 02 19:03:16 routerpi named[153686]: linked to json-c version: 0.17
>>> Sep 02 19:03:16 routerpi named[153686]: compiled with zlib version: 1.3
>>> Sep 02 19:03:16 routerpi named[153686]: linked to zlib version: 1.3
>>> Sep 02 19:03:16 routerpi named[153686]: ----------------------------------------------------
>>> Sep 02 19:03:16 routerpi named[153686]: BIND 9 is maintained by Internet Systems Consortium,
>>> Sep 02 19:03:16 routerpi named[153686]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>>> Sep 02 19:03:16 routerpi named[153686]: corporation.  Support and training for BIND 9 are
>>> Sep 02 19:03:16 routerpi named[153686]: available at https://www.isc.org/support
>>> Sep 02 19:03:16 routerpi named[153686]: ----------------------------------------------------
>>> Sep 02 19:03:16 routerpi named[153686]: adjusted limit on open files from 524288 to 1048576
>>> Sep 02 19:03:16 routerpi named[153686]: found 4 CPUs, using 1 worker thread
>>> Sep 02 19:03:16 routerpi named[153686]: using 1 UDP listener per interface
>>> Sep 02 19:03:16 routerpi named[153686]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
>>> Sep 02 19:03:16 routerpi named[153686]: DS algorithms: SHA-1 SHA-256 SHA-384
>>> Sep 02 19:03:16 routerpi named[153686]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
>>> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 2 support (Diffie-Hellman): yes
>>> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 3 support (GSS-API): yes
>>> Sep 02 19:03:16 routerpi named[153686]: the initial working directory is '/'
>>> Sep 02 19:03:16 routerpi named[153686]: loading configuration from '/etc/bind/named.conf'
>>> Sep 02 19:03:16 routerpi named[153686]: the working directory is now '/var/cache/bind'
>>> Sep 02 19:03:16 routerpi named[153686]: reading built-in trust anchors from file '/etc/bind/bind.keys'
>>> Sep 02 19:03:16 routerpi named[153686]: looking for GeoIP2 databases in '/usr/share/GeoIP'
>>> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv4 port range: [32768, 60999]
>>> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv6 port range: [32768, 60999]
>>> Sep 02 19:03:16 routerpi named[153686]: listening on IPv4 interface lo, 127.0.0.1#53
>>> ...
>>> Sep 02 19:03:16 routerpi named[153686]: generating session key for dynamic DNS
>>> Sep 02 19:03:16 routerpi named[153686]: sizing zone task pool based on 4 zones
>>> Sep 02 19:03:16 routerpi named[153686]: Loading 'AD DNS Zone' using driver dlopen
>>> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: started for DN ...
>>> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: starting configure
>>> ...
>>> Sep 02 19:03:16 routerpi named[153686]: none:99: 'max-cache-size 90%' - setting to 3405MB (out of 3784MB)
>>> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no forwarders seen; disabling forwarding
>>> Sep 02 19:03:16 routerpi named[153686]: set up managed keys zone for view _default, file 'managed-keys.bind'
>>> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no forwarders seen; disabling forwarding
>>> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from '/etc/bind/rndc.key'
>>> Sep 02 19:03:16 routerpi named[153686]: command channel listening on 127.0.0.1#953
>>> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from '/etc/bind/rndc.key'
>>> Sep 02 19:03:16 routerpi named[153686]: command channel listening on ::1#953
>>> Sep 02 19:03:16 routerpi systemd[1]: Started named.service - BIND Domain Name Server.
>>> 
>>> netstat -tulpen | grep named:
>>> ...
>>> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      114        526776     153686/named
>>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      114        526829     153686/named
>>> ...
>>> tcp6       0      0 ::1:953                 :::*                    LISTEN      114        526830     153686/named
>>> tcp6       0      0 ::1:53                  :::*                    LISTEN      114        526804     153686/named
>>> ...
>>> udp        0      0 127.0.0.1:53            0.0.0.0:*                           114        526775     153686/named
>>> udp6       0      0 ::1:53                  :::*                                114        526803     153686/named
>>> ...
>>> 
>>> nslookup google.com:
>>> Server:   127.0.0.1
>>> Address:  127.0.0.1#53
>>> 
>>> Non-authoritative answer:
>>> Name:   google.com
>>> Address: 142.251.36.174
>>> Name:   google.com
>>> Address: 2a00:1450:4016:808::200e
>>> 
>>> resolv.conf:
>>> # operation for /etc/resolv.conf.
>>> 
>>> nameserver 127.0.0.1
>>> nameserver 10.13.1.4
>>> nameserver 1.1.1.1
>>> nameserver ::1
>>> nameserver fdda:9280:731e:1:0:4::1
>>> nameserver 2606:4700:4700::1111
>>> 
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>> 
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> 
> 
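A named.conf.options sketch of the two fixes recommended above, added here as an illustration rather than configuration from the thread or from ISC; the AdGuard address and the allowed client prefix are placeholders:

```conf
options {
        directory "/var/cache/bind";

        // Option A: authoritative-only server. named answers only for the
        // zones it serves (the Samba AD zones plus the RFC 1912 zones in
        // named.conf.default-zones) and will not resolve outside names.
        // An empty "forwarders { };" does NOT achieve this: it only turns
        // forwarding off, and recursion (on by default) still resolves
        // google.com via the built-in root hints, which is what the
        // "Non-authoritative answer" in the nslookup output shows.
        recursion no;
        // No "forward only;" / "forwarders" statements at all in this mode.

        // Option B (use instead of A): keep recursion, but send every
        // query outside the local zones to the AdGuard container only.
        // recursion yes;
        // allow-recursion { 127.0.0.1; ::1; 10.13.1.0/24; };  // placeholder
        // forward only;
        // forwarders { 192.0.2.53; };  // placeholder: AdGuard container IP
};
```

With either option the startup log should no longer show "no forwarders seen; disabling forwarding" as the only forwarding-related line, and with option A a lookup of google.com against 127.0.0.1 should no longer return a Non-authoritative answer.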