https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-forwarders

> The default is the empty list (no forwarding).

^^^ you've effectively disabled forwarding.

You haven't described precisely what you are trying to achieve, but you 
probably want to disable recursion?

https://bind9.readthedocs.io/en/v9.20.12/reference.html#namedconf-statement-recursion

However, please note this:

> Caching may still occur as an effect of the server’s internal operation, such 
> as NOTIFY address lookups.

The server might need to resolve some names internally, so perhaps a solution 
would be to actually configure the forwarders to point to your AdGuard 
container?

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 2. 9. 2025, at 19:43, Sascha Marcel Hacker via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> Hello,
> I have a Bind server running for a private Samba AD. 
> The server is used exclusively for internal name resolution, 
> an Adguard container is used for requests to the WAN.
> 
> To enable this, forwarding is disabled on the Bind DNS (primary DNS).
> Unfortunately, I have noticed that the Bind DNS has been forwarding for some 
> time now, 
> even though this is disabled in the configuration.
> 
> BIND version: BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version)
> 
> named.conf.options:
> ...
> options {
>         directory "/var/cache/bind";
>         notify no;
>         empty-zones-enable no;
>         auth-nxdomain yes;
> 
>         forward only;
>         forwarders {
> #               1.1.1.1;
> #               1.0.0.1;
> #               9.9.9.9;
> #               149.112.112.112;
> #               2606:4700:4700::1111;
> #               2606:4700:4700::1001;
> #               2620:fe::fe;
> #               2620:fe::9;
>         };
> ...
> 
> named.conf.default-zones:
> // prime the server with knowledge of the root servers
> #zone "." {
> #       type hint;
> #       file "/usr/share/dns/root.hints";
> #};
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> Log:
> Sep 02 19:03:15 routerpi systemd[1]: Starting named.service - BIND Domain 
> Name Server...
> Sep 02 19:03:16 routerpi named[153686]: starting BIND 
> 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>
> Sep 02 19:03:16 routerpi named[153686]: running on Linux aarch64 
> 6.8.0-1036-raspi #40-Ubuntu SMP PREEMPT_DYNAMIC Mon Aug 18 09:50:42 UTC 2025
> Sep 02 19:03:16 routerpi named[153686]: built with  
> '--build=aarch64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' 
> '--mandir=${prefix}/share/ma>
> Sep 02 19:03:16 routerpi named[153686]: running as: named -f -u bind -n 1
> Sep 02 19:03:16 routerpi named[153686]: compiled by GCC 13.3.0
> Sep 02 19:03:16 routerpi named[153686]: compiled with OpenSSL version: 
> OpenSSL 3.0.13 30 Jan 2024
> Sep 02 19:03:16 routerpi named[153686]: linked to OpenSSL version: OpenSSL 
> 3.0.13 30 Jan 2024
> Sep 02 19:03:16 routerpi named[153686]: compiled with libuv version: 1.48.0
> Sep 02 19:03:16 routerpi named[153686]: linked to libuv version: 1.48.0
> Sep 02 19:03:16 routerpi named[153686]: compiled with libxml2 version: 2.9.14
> Sep 02 19:03:16 routerpi named[153686]: linked to libxml2 version: 20914
> Sep 02 19:03:16 routerpi named[153686]: compiled with json-c version: 0.17
> Sep 02 19:03:16 routerpi named[153686]: linked to json-c version: 0.17
> Sep 02 19:03:16 routerpi named[153686]: compiled with zlib version: 1.3
> Sep 02 19:03:16 routerpi named[153686]: linked to zlib version: 1.3
> Sep 02 19:03:16 routerpi named[153686]: 
> ----------------------------------------------------
> Sep 02 19:03:16 routerpi named[153686]: BIND 9 is maintained by Internet 
> Systems Consortium,
> Sep 02 19:03:16 routerpi named[153686]: Inc. (ISC), a non-profit 501(c)(3) 
> public-benefit
> Sep 02 19:03:16 routerpi named[153686]: corporation.  Support and training 
> for BIND 9 are
> Sep 02 19:03:16 routerpi named[153686]: available at 
> https://www.isc.org/support
> Sep 02 19:03:16 routerpi named[153686]: 
> ----------------------------------------------------
> Sep 02 19:03:16 routerpi named[153686]: adjusted limit on open files from 
> 524288 to 1048576
> Sep 02 19:03:16 routerpi named[153686]: found 4 CPUs, using 1 worker thread
> Sep 02 19:03:16 routerpi named[153686]: using 1 UDP listener per interface
> Sep 02 19:03:16 routerpi named[153686]: DNSSEC algorithms: RSASHA1 
> NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
> Sep 02 19:03:16 routerpi named[153686]: DS algorithms: SHA-1 SHA-256 SHA-384
> Sep 02 19:03:16 routerpi named[153686]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 
> HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 2 support (Diffie-Hellman): 
> yes
> Sep 02 19:03:16 routerpi named[153686]: TKEY mode 3 support (GSS-API): yes
> Sep 02 19:03:16 routerpi named[153686]: the initial working directory is '/'
> Sep 02 19:03:16 routerpi named[153686]: loading configuration from 
> '/etc/bind/named.conf'
> Sep 02 19:03:16 routerpi named[153686]: the working directory is now 
> '/var/cache/bind'
> Sep 02 19:03:16 routerpi named[153686]: reading built-in trust anchors from 
> file '/etc/bind/bind.keys'
> Sep 02 19:03:16 routerpi named[153686]: looking for GeoIP2 databases in 
> '/usr/share/GeoIP'
> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv4 port range: 
> [32768, 60999]
> Sep 02 19:03:16 routerpi named[153686]: using default UDP/IPv6 port range: 
> [32768, 60999]
> Sep 02 19:03:16 routerpi named[153686]: listening on IPv4 interface lo, 
> 127.0.0.1#53
> ...
> Sep 02 19:03:16 routerpi named[153686]: generating session key for dynamic DNS
> Sep 02 19:03:16 routerpi named[153686]: sizing zone task pool based on 4 zones
> Sep 02 19:03:16 routerpi named[153686]: Loading 'AD DNS Zone' using driver 
> dlopen
> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: started for DN ...
> Sep 02 19:03:16 routerpi named[153686]: samba_dlz: starting configure
> ...
> Sep 02 19:03:16 routerpi named[153686]: none:99: 'max-cache-size 90%' - 
> setting to 3405MB (out of 3784MB)
> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no 
> forwarders seen; disabling forwarding
> Sep 02 19:03:16 routerpi named[153686]: set up managed keys zone for view 
> _default, file 'managed-keys.bind'
> Sep 02 19:03:16 routerpi named[153686]: /etc/bind/named.conf.options:34: no 
> forwarders seen; disabling forwarding
> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from 
> '/etc/bind/rndc.key'
> Sep 02 19:03:16 routerpi named[153686]: command channel listening on 
> 127.0.0.1#953
> Sep 02 19:03:16 routerpi named[153686]: configuring command channel from 
> '/etc/bind/rndc.key'
> Sep 02 19:03:16 routerpi named[153686]: command channel listening on ::1#953
> Sep 02 19:03:16 routerpi systemd[1]: Started named.service - BIND Domain Name 
> Server.
> 
> netstat -tulpen | grep named:
> ...
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN    
>   114        526776     153686/named
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN    
>   114        526829     153686/named
> ...
> tcp6       0      0 ::1:953                 :::*                    LISTEN    
>   114        526830     153686/named
> tcp6       0      0 ::1:53                  :::*                    LISTEN    
>   114        526804     153686/named
> ...
> udp        0      0 127.0.0.1:53            0.0.0.0:*                         
>   114        526775     153686/named
> udp6       0      0 ::1:53                  :::*                              
>   114        526803     153686/named
> ...
> 
> nslookup google.com:
> Server:   127.0.0.1
> Address:  127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   google.com
> Address: 142.251.36.174
> Name:   google.com
> Address: 2a00:1450:4016:808::200e
> 
> resolv.conf:
> # operation for /etc/resolv.conf.
> 
> nameserver 127.0.0.1
> nameserver 10.13.1.4
> nameserver 1.1.1.1
> nameserver ::1
> nameserver fdda:9280:731e:1:0:4::1
> nameserver 2606:4700:4700::1111
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
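
The behaviour discussed in this thread, as an added example that is not part of either message or of BIND itself: a small check that reads an `options` block and reports how named will answer names it is not authoritative for. The function names are hypothetical, and 192.0.2.53 is a documentation placeholder, not the poster's AdGuard address.

```python
import re

# Options as posted in the thread (abridged), plus two constructed variants.
POSTED = """
options {
        forward only;
        forwarders {
#               1.1.1.1;
#               9.9.9.9;
        };
};
"""
NO_RECURSION = POSTED.replace("forward only;", "recursion no;")
VIA_ADGUARD = POSTED.replace("#               1.1.1.1;", "192.0.2.53;")  # placeholder


def strip_comments(text):
    """Drop the comment styles named.conf accepts: /* */, // and #.
    Simplification: quoted strings containing '#' or '//' are not handled."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def effective_resolution(conf_text):
    """Return (mode, forwarders); mode is 'authoritative-only',
    'forwarding' or 'full-recursion'."""
    text = strip_comments(conf_text)
    m = re.search(r"\bforwarders\b[^{;]*\{([^}]*)\}", text)
    forwarders = [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    recursion = rec.group(1) == "yes" if rec else True  # BIND default is yes
    if not recursion:
        return "authoritative-only", forwarders
    if forwarders:
        return "forwarding", forwarders
    # Empty list: named logs "no forwarders seen; disabling forwarding" and,
    # with recursion still on, resolves from the root itself (built-in hints
    # are used even when the "." hint zone is commented out).
    return "full-recursion", forwarders


if __name__ == "__main__":
    for name, conf in [("posted", POSTED), ("recursion no", NO_RECURSION),
                       ("forwarders set", VIA_ADGUARD)]:
        print(f"{name:15} -> {effective_resolution(conf)}")
```
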
