Forwarding

The forward list of rules overrides which servers get asked to obtain DNS data.

forward: <list>
subtree: <subtree name>

Subtree to forward.

servers: <list of addresses>|<list of servers>

Optionaly you can set port after address by @ separator (193.17.47.1@5353).

address: <address>|<list of addresses>

IP address(es) of a forward server.

transport: tls

Optional, transport protocol for a forward server.

hostname: <hostname>

Hostname of the Forward server.

ca-file: <path>

Optional, path to CA certificate file.

options:
authoritative: true|false
Default

false

The forwarding target is an authoritative server.

dnssec: true|false
Default

true

Enable/disable DNSSEC for a subtree.

forward:
  # ask everything through some public resolver
  - subtree: .
    servers: [ 2001:148f:fffe::1, 193.17.47.1 ]
forward:
  # encrypted public resolver, again for all names
  - subtree: .
    servers:
      - address: [ 2001:148f:fffe::1, 193.17.47.1 ]
        transport: tls
        hostname: odvr.nic.cz

  # use a local authoritative server for an internal-only zone
  - subtree: internal.example.com
    servers: [ 10.0.0.53 ]
    options:
      authoritative: true
      dnssec: false