Forwarding Mode Explained: Forward Queries to Upstream DNS Server (Optionally with DNS-over-TLS)

Forwarding mode sends every query to the configured upstream recursive resolvers instead of having Unbound walk the tree from the root servers itself, optionally encrypting the traffic to those upstreams with DNS-over-TLS (DoT). Unbound still caches answers locally and, if a trust anchor is configured, still performs DNSSEC validation on what the upstream returns.

When to use forwarding:

  • You want the queries between your resolver and the upstream servers encrypted, so the local network and ISP cannot read them.

  • Direct recursion from your network is blocked or slow (for example, outbound port 53 is filtered), or you want to use a filtering provider.

  • You accept that the upstream provider sees every query your network makes; forwarding trades the privacy of self-recursion for the provider's encryption and filtering.

Example 1: Forward All Queries (cleartext)

File path: /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    interface: 127.0.0.1
    port: 53

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4

Example 2: Forward All Queries with DNS-over-TLS Encryption

  • Encrypts traffic to the upstream servers to prevent snooping on the local network or at the ISP.

  • Requires the upstream's hostname after # in forward-addr; Unbound checks the server's TLS certificate against that name.

  • Requires tls-cert-bundle in the server: clause so Unbound has trusted root CAs to verify the upstream certificates.

server:
    interface: 127.0.0.1
    port: 53

    # TLS certificate bundle used to validate upstream TLS certificates.
    # This is a server: option; it must not be placed under forward-zone:.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # Debian/Ubuntu
    # tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"   # RHEL/Fedora/CentOS

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net

Example 3: Split Forwarding for Specific Zones

Forward a particular internal domain (such as your local network's domain) to a specific DNS server, and forward everything else to the encrypted upstream. Unbound picks the most specific matching forward-zone, so the order of the clauses does not matter. Two caveats apply to the internal zone: if DNSSEC validation is enabled, the validator will reject answers for a zone that the root provably does not delegate unless the zone is listed in domain-insecure, and if private-address rebinding protection is configured, answers containing RFC 1918 addresses are dropped unless the zone is listed in private-domain.

forward-zone:
    name: "example.internal"
    forward-addr: 192.168.1.5

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
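A complete version of the split-forwarding setup, added here as an example rather than configuration taken from the original page: it keeps tls-cert-bundle in the server: clause where Unbound requires it, and adds the two server options a forwarded internal zone usually needs. domain-insecure stops the validator from rejecting answers for example.internal when DNSSEC validation is on (the .internal TLD has no delegation from the root, so a signed proof of non-existence would otherwise make the forwarded answers bogus), and private-domain lets answers for that zone carry 192.168.x addresses when private-address filtering is configured. The zone name, the address 192.168.1.5 and the Debian CA bundle path come from the examples above; the trust anchor path /var/lib/unbound/root.key and the private-address ranges are assumptions for a typical Debian install.

```text
server:
    interface: 127.0.0.1
    port: 53

    # CA bundle used to verify upstream DNS-over-TLS certificates (server: option).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Assumed: DNSSEC validation is enabled with the root trust anchor
    # (path is the Debian default; adjust for other distributions).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Assumed: DNS rebinding protection is on. Answers containing these
    # ranges are dropped unless the queried name is under a private-domain.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    # The internal zone is unsigned and has no delegation from the root,
    # so tell the validator not to expect DNSSEC proofs for it ...
    domain-insecure: "example.internal"
    # ... and allow its answers to carry RFC 1918 addresses.
    private-domain: "example.internal"

# Internal names go to the internal server over plain DNS on the LAN.
forward-zone:
    name: "example.internal"
    forward-addr: 192.168.1.5

# Everything else goes to the public upstreams over TLS with hostname verification.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Run unbound-checkconf on the file before restarting. After the restart, a query for a name under example.internal should return the LAN address, and a query for a public name should open an outbound connection to 1.1.1.1 or 9.9.9.9 on port 853 (visible with ss -tn) rather than to port 53; if the upstream certificate cannot be verified, the public query fails with SERVFAIL instead of silently falling back to cleartext.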

Important Notes

  • The hostname after # in forward-addr is mandatory for DNS-over-TLS: it is the name Unbound checks the upstream's certificate against. Without it the connection is still encrypted, but the upstream is not authenticated and an on-path attacker could impersonate the resolver.

  • tls-cert-bundle is a server: option and must point to a file containing the trusted root CA certificates used to verify upstream servers. If verification fails, resolution fails (SERVFAIL) rather than falling back to cleartext.

  • If Unbound recurses on its own (no forward-zone for "."), no CA bundle or TLS settings are needed; it queries the authoritative servers directly.

  • Check the syntax with unbound-checkconf (it reports errors such as an option placed in the wrong clause), then restart Unbound:

sudo unbound-checkconf && sudo systemctl restart unbound

or for the docker container:

docker restart unbound
