Forwarding
Forwarding configuration instructs the resolver to forward cache-miss queries from clients to manually specified DNS resolvers (upstream servers). In other words, the forwarding mode does the exact opposite of the default recursive mode, because a resolver in recursive mode automatically selects which servers to ask.
Main use-cases are:
- Building a tree structure of DNS resolvers to improve performance (by improving cache hit rate).
- Accessing domains which are not available using recursion (e.g. if internal company servers return different answers than public ones).
- Forwarding through a central DNS traffic filter.
The forwarding implementation in Knot Resolver has the following properties:
- Answers from upstream servers are cached.
- Answers from upstream servers are locally DNSSEC-validated, unless policy.STUB is used.
- The resolver automatically selects which IP address from the given set of IP addresses will be used (based on performance characteristics).
- Forwarding can use either the unencrypted DNS protocol or Forwarding over TLS protocol (DNS-over-TLS).
Warning
We strongly discourage use of “fake top-level domains” like corp. because these made-up domains are indistinguishable from an attack, so DNSSEC validation will prevent such domains from working. If you really need a variant of forwarding which does not DNSSEC-validate received data, please see chapter Replacing part of the DNS tree. In the long term it is better to migrate data into legitimate, properly delegated domains which do not suffer from these security problems.
Simple examples for unencrypted forwarding:
    -- forward all traffic to specified IP addresses (selected automatically)
    policy.add(policy.all(policy.FORWARD({'2001:db8::1', '192.0.2.1'})))
    -- forward only queries for names under domain example.com to a single IP address
    policy.add(policy.suffix(policy.FORWARD('192.0.2.1'), {todname('example.com.')}))
To configure the encrypted version, please see chapter Forwarding over TLS protocol (DNS-over-TLS).
Forwarding is documented in depth together with the rest of Query policies.
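A fuller configuration that combines the use-cases above (a properly delegated internal subdomain served by company resolvers, everything else sent through a central filter over DNS-over-TLS), as an added example that is not part of the original page. The zone name corp.example.com, all IP addresses and the TLS hostname dns.example.net are constructed placeholders; policy rules are evaluated in the order they were added and the first matching rule wins, so the specific suffix rule comes first.

```lua
-- Added example, not from the Knot Resolver documentation.
-- Placeholders: corp.example.com, 192.0.2.x / 2001:db8:: addresses
-- and the certificate hostname dns.example.net are constructed.

-- 1) Queries under a properly delegated internal subdomain go to the
--    internal resolvers. policy.STUB is used because the internal zone
--    is not DNSSEC-signed; it is the one forwarding variant that skips
--    local validation, so it is limited to this one delegation rather
--    than applied to a made-up top-level domain.
policy.add(policy.suffix(
    policy.STUB({'192.0.2.53', '2001:db8:1::53'}),
    {todname('corp.example.com.')}))

-- 2) Everything else is forwarded to the central filtering resolver
--    over DNS-over-TLS. Answers are cached and DNSSEC-validated locally,
--    the upstream is authenticated by the hostname in its certificate,
--    and the resolver picks the best-performing address from the set.
policy.add(policy.all(policy.TLS_FORWARD({
    {'192.0.2.1',   hostname = 'dns.example.net'},
    {'2001:db8::1', hostname = 'dns.example.net'},
})))
```

If the two rules were added in the opposite order, the catch-all rule would match first and the internal zone would never reach the internal resolvers.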