# Forwarding Mode Explained: Forward Queries to Upstream DNS Server (Optionally with DNS-over-TLS)

Forwarding sends all queries to configured upstream recursive resolvers, optionally encrypting that traffic.

### When to use forwarding:

* You want encrypted DNS queries between your resolver and upstream servers.
* Your local recursive resolution is blocked or slow, or you want to use a filtering provider.
* You accept trusting a third-party provider with your DNS data.

### Example 1: Forward All Queries (cleartext)

**File path:** `/etc/unbound/unbound.conf.d/pi-hole.conf`

```
server:
    interface: 127.0.0.1
    port: 53

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

### Example 2: Forward All Queries with DNS-over-TLS Encryption

* Encrypt traffic to upstream servers to prevent local network/ISP snooping.
* Requires the upstream server's hostname (after `#` in `forward-addr`) so Unbound can validate its TLS certificate.
* Requires `tls-cert-bundle` to verify upstream certificates.

```
server:
    interface: 127.0.0.1
    port: 53

    # TLS certificate bundle used to validate upstream TLS certificates
    # (a server: option, so it must sit inside this block)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # Debian/Ubuntu
    # tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"   # RHEL/Fedora/CentOS

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

### Example 3: Split Forwarding for Specific Zones

Forward a particular internal domain (such as your local network's domain) to a specific DNS server, and forward everything else to the encrypted upstream. This fragment assumes the `server:` block with `tls-cert-bundle` from Example 2 is also present:

```
forward-zone:
    name: "example.internal"
    forward-addr: 192.168.1.5

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

***

### Important Notes

* The hostname after `#` in `forward-addr` is **mandatory** for correct DNS-over-TLS validation.
* The `tls-cert-bundle` file must contain trusted root CA certificates to validate upstream servers.
* If you run Unbound **recursively without forwarding**, no certificates or TLS configuration are needed.
* Restart Unbound after modifying configuration:

```bash
sudo systemctl restart unbound
```

or, for a Docker container:

```bash
docker restart unbound
```
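To catch the mistakes listed in these notes before restarting Unbound, here is an added lint (example code, not from the original page or the Unbound project). It reads a config fragment with a deliberately simplified parser and flags `forward-addr` entries missing `@853` or `#hostname`, a TLS forward zone with no `tls-cert-bundle` (or `tls-system-cert`) under `server:`, and server options that slipped under a `forward-zone:` clause. The config text in the test is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Options Unbound accepts only inside server:, not in a forward-zone: clause
SERVER_ONLY = {"tls-cert-bundle", "tls-system-cert", "interface", "port"}

def parse_unbound(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Simplified unbound.conf reader -> [(clause, {attr: [values]})] in file order.
    '#' is a comment only at line start or after whitespace, so '@853#host' survives."""
    clauses: List[Tuple[str, Dict[str, List[str]]]] = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                           # 'server:' / 'forward-zone:' opens a clause
            clauses.append((key, {}))
        else:
            clauses[-1][1].setdefault(key, []).append(value)
    return clauses

def lint_forwarding(text: str) -> List[str]:
    """Flag DoT mistakes: missing @port or #hostname, no CA bundle under server:,
    and server-only options that drifted into a forward-zone: clause."""
    clauses = parse_unbound(text)
    server: Dict[str, List[str]] = {}
    for name, attrs in clauses:
        if name == "server":
            server.update(attrs)
    has_ca = "tls-cert-bundle" in server or server.get("tls-system-cert") == ["yes"]
    problems: List[str] = []
    for name, attrs in clauses:
        if name != "forward-zone":
            continue
        zone = attrs.get("name", ["?"])[0]
        for key in sorted(attrs.keys() & SERVER_ONLY):
            problems.append(f"{zone}: {key} belongs under server:, not forward-zone:")
        tls = attrs.get("forward-tls-upstream", ["no"])[-1] == "yes"
        if tls and not has_ca:
            problems.append(f"{zone}: forward-tls-upstream without tls-cert-bundle, certificates cannot be verified")
        for addr in attrs.get("forward-addr", []):
            m = re.fullmatch(r"([^@#\s]+)(?:@(\d+))?(?:#(\S+))?", addr)
            ip, port, auth = m.groups() if m else (addr, None, None)
            if tls and port is None:
                problems.append(f"{zone}: {ip} has no @853, TLS would be attempted on port 53")
            if tls and auth is None:
                problems.append(f"{zone}: {ip} has no #hostname, the certificate is not authenticated")
            if not tls and (port == "853" or auth):
                problems.append(f"{zone}: {addr} looks like DoT but forward-tls-upstream is not yes")
    return problems
```

It complements rather than replaces `unbound-checkconf`, which rejects a misplaced `tls-cert-bundle` but accepts a `forward-addr` with no `#hostname`.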

