How to ask forwarders only after direct query to target zone NS'es is failed?

Eric Luehrsen ericluehrsen at
Tue Dec 19 21:32:20 UTC 2017

There is a "forward-first:" parameter but not the opposite order. Maybe
make a feature request to deprecate "forward-first:," then replace it with
"forward-preference: {only, preferred, backup}."


On Dec 19, 2017 08:44, "Ilya Evseev via Unbound-users" <
unbound-users at> wrote:

>   Hi all!
> By default, Unbound DNS server works by "classic" scheme: queries root
> servers, then queries NS'es for A/AAAA/...
> Sometime (rarely) connectivity between my Unbound DNS host and target zone
> NS'es is failed, but target NS'es are still available from various
> LookingGlasses and from Google/Level3 DNS, so "nslookup
>" and "nslookup" returns the correct answer.
> So my question is very simple:
> How to setup Unbound to use public forwarders when (and only after) direct
> query to the target NS'es is failed?
> The following config works fine, but routes all queries immediately to
> forwarders, ignoring target NS'es at all:
> forward-zone:
>     name: "."
>     forward-first: no
>     forward-addr:
>     forward-addr:
> WBR, Ilya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unbound-users mailing list