Forwarding Mode Explained: Forward Queries to Upstream DNS Server (Optionally with DNS-over-TLS)

Forwarding sends all queries to configured upstream recursive resolvers, optionally encrypting that traffic.

When to use forwarding:

  • You want encrypted DNS queries between your resolver and upstream servers.

  • Full recursion from your network is blocked or slow, or you want to use a filtering provider.

  • You accept trusting a third-party provider with your DNS data.

Example 1: Forward All Queries (cleartext)

File path: /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    interface: 127.0.0.1
    port: 53

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4

Example 2: Forward All Queries with DNS-over-TLS Encryption

  • Encrypt traffic to upstream servers to prevent local network/ISP snooping.

  • Requires the upstream server's hostname (the part after # in forward-addr) so the TLS certificate can be validated against it.

  • Requires tls-cert-bundle to verify upstream certificates.

Example 3: Split Forwarding for Specific Zones

Forward a particular internal domain (such as your local network's domain) to a specific DNS server, and forward everything else to the encrypted upstream:
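As an added example that is not part of the original page, one drop-in file covering Examples 2 and 3 together: an internal zone goes to a LAN resolver, and everything else goes to DNS-over-TLS upstreams. The internal domain name, the LAN resolver address, the upstream provider and the certificate bundle path are assumptions; the server settings from Example 1 (interface, port) are assumed to already be in place.

```conf
# Added example covering Examples 2 and 3; not taken from the original page.
# Drop-in file, e.g. /etc/unbound/unbound.conf.d/forward.conf (path assumed).
# Assumes interface/port are already set as in Example 1.
server:
    # Root CA bundle used to verify upstream TLS certificates.
    # Path assumed (Debian/Ubuntu location); adjust for your distribution.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # The internal zone below is unsigned. If its parent is DNSSEC-signed and
    # validation is enabled, mark it insecure so its answers are not rejected.
    domain-insecure: "home.lan"
    # Allow RFC 1918 addresses in answers for the internal zone when
    # private-address rebind protection is configured (as in a Pi-hole setup).
    private-domain: "home.lan"

# Example 3: the internal zone (name and address assumed) is sent to the LAN
# resolver in cleartext; it never leaves the local network.
forward-zone:
    name: "home.lan"
    forward-addr: 192.168.1.1

# Example 2: everything else is sent upstream over DNS-over-TLS.
# Format is address@port#hostname. The hostname after # is what Unbound
# checks the presented certificate against; omitting it means the TLS
# session is encrypted but the server is not authenticated.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Run `unbound-checkconf` before restarting to catch syntax errors, and confirm that the certificate bundle path exists on your system.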


Important Notes

  • The hostname after # in forward-addr is mandatory for correct DNS-over-TLS validation.

  • The tls-cert-bundle file must contain trusted root CA certificates to validate upstream servers.

  • If you run Unbound recursively without forwarding, no certificates or TLS configuration is needed.

  • Restart Unbound after modifying configuration:

or, for a Docker container:
