On 19.1.2016 02:48, Dave Warren via Unbound-users wrote:
> On 2016-01-18 03:28, Havard Eidnes via Unbound-users wrote:
>> I'm trying to figure out how unbound can be configured to behave
>> with respect to query forwarding. In unbound.conf(5) I find this
>> particular gem:
>>
>>     forward-first: <yes or no>
>>         If enabled, a query is attempted without the forward clause if
>>         it fails. The data could not be retrieved and would have caused
>>         SERVFAIL because the servers are unreachable, instead it is
>>         tried without this clause. The default is no.
>
> Oddly this was perfectly clear to me when I first read it, but on each
> subsequent re-read, I find myself re-parsing the words and second-guessing :)
>
> With forward-first: no, Unbound will forward a query as configured for this
> zone, and if it ultimately reaches SERVFAIL state, that's what it returns to
> the client.
>
> With forward-first: yes, Unbound will forward a query and if it ultimately
> reaches SERVFAIL state, it will fall back on resolving via the default method
> as though there were no forwarding clause at all.
>
> However, only SERVFAIL will cause default resolution methods to be used, a
> NXDOMAIN or other no answer situations will be returned without further
> lookups.
>
> This can be useful if you wanted to, for example, forward a particular zone
> within a VPN if the VPN is up, but you still want to resolve via normal
> resolution (recursion, forwarding, whatever) if the VPN based authoritative
> servers are not available.
A longer explanation can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

Please let me know if the text helps or is unclear, we would be happy to improve it!

-- 
Petr Spacek @ Red Hat
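The VPN scenario Dave describes, written out as an unbound.conf fragment. This is an added example, not configuration posted by anyone in the thread; the zone name and addresses are placeholders. The two forward-zone clauses contrast the default (forward-first: no) with the fallback behaviour (forward-first: yes).

```conf
# Added example (not from the thread). Zone names and addresses are placeholders.

# Strict forwarding (the default, forward-first: no): if the forwarder is
# unreachable, the client gets SERVFAIL and nothing else is tried.
forward-zone:
    name: "strict.example"          # placeholder zone
    forward-addr: 192.0.2.53        # placeholder forwarder
    forward-first: no

# Forwarding with fallback: if the VPN-side server is unreachable and the
# forwarded query would SERVFAIL, Unbound retries the query as though this
# forward-zone clause did not exist (normal recursion or a global forwarder).
forward-zone:
    name: "vpn.example"             # placeholder: zone served only over the VPN
    forward-addr: 10.0.0.53         # placeholder: resolver reachable only while the VPN is up
    forward-first: yes
```

Two points worth keeping in mind when using the second form. First, as the thread notes, only SERVFAIL triggers the fallback: if the VPN-side server answers NXDOMAIN or an empty answer, that answer is returned as-is. Second, the fallback means that while the VPN is down, queries for names under "vpn.example" leave the forwarding path and are resolved through whatever the default method is, so internal names can be sent to resolvers or authoritative servers outside the VPN; decide whether that is acceptable for the zone before enabling it. Syntax can be checked with `unbound-checkconf` before reloading.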
