9.9. Configuring Forwarders and Forward Policy

A DNS forwarder is a server which passes DNS queries on to another, external DNS name server for resolution. Within the FreeIPA DNS domain, there are three configuration properties that define how forwarders are used: global forwarders, zone forwarders, and the forward policy of a zone:

9.9.1. Configuring Global Forwarders

Global forwarders are configured as part of the FreeIPA server configuration itself. Forwarders are (optionally) set up when the server is installed with the --setup-dns option or when the ipa-dns-install script is used.
After server configuration, the list of global forwarders can be edited using the dnsconfig-mod command. For example:
[jsmith@server ~]$ ipa dnsconfig-mod --forwarder=
  Global forwarders:

9.9.2. Configuring Zone Forwarders

Forwarders can be configured to be used with a specific DNS zone as part of the zone configuration. The --forwarder option sets a semicolon-separated list of forwarders to use with the zone.
For example:
[jsmith@server ~]$ ipa dnszone-mod --forwarder=;

  Zone name:
  Zone forwarders:;


DNS forwarders must be specified as IP addresses, not as hostnames.

9.9.3. Configuring Forwarder Policy for a Zone

Once forwarders are configured, there are different ways that the zone can use them to service requests.
The zone can use the forwarders only for servicing name resolution requests; this is called a forward-only zone. A forward-only zone does not check its own name records. Only the forwarder server records are checked. If the record does not exist on the configured forwarders, then the zone returns a negative response to the client.
Alternatively, the zone can check the forwarder records first, and then fall back on its own resource records. This is the first policy.
This configuration is set in the --forward-policy option, using a policy of either only or first. For example:
[jsmith@server ~]$ ipa dnszone-mod --forward-policy=only

  Zone name:
  Zone forwarders:;
  Forward policy: only
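The two constraints spelled out in 9.9.2 and 9.9.3 (forwarders must be IP addresses, not hostnames, and the forward policy must be only or first) are easy to get wrong when the commands are scripted. The following Python script is an added example and is not part of the FreeIPA documentation or code base: it validates a semicolon-separated forwarder list with the standard library's ipaddress module, rejects any entry that is a hostname, and assembles the ipa dnszone-mod or ipa dnsconfig-mod argument vector. The zone name example.test. and the addresses 192.0.2.53 and 2001:db8::53 are constructed sample values from documentation ranges; the semicolon-separated --forwarder syntax is taken from the page above.

```python
import ipaddress
import shlex

# Only the two policies described in 9.9.3 are accepted.
VALID_POLICIES = ("only", "first")


def parse_forwarders(spec):
    """Split a semicolon-separated forwarder list and require IP literals.

    Returns the list of normalised address strings. Raises ValueError if
    the list is empty or any entry is not an IPv4/IPv6 address (for
    example a hostname), mirroring the restriction stated in 9.9.2.
    """
    entries = [e.strip() for e in spec.split(";") if e.strip()]
    if not entries:
        raise ValueError("no forwarders given")
    validated = []
    for entry in entries:
        try:
            validated.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            raise ValueError(
                f"forwarder {entry!r} is not an IP address; hostnames are not accepted"
            ) from None
    return validated


def build_dnsconfig_mod(forwarders_spec):
    """argv for setting the global forwarder list (9.9.1)."""
    forwarders = parse_forwarders(forwarders_spec)
    return ["ipa", "dnsconfig-mod", "--forwarder=" + ";".join(forwarders)]


def build_dnszone_mod(zone, forwarders_spec, policy=None):
    """argv for setting per-zone forwarders and, optionally, the policy (9.9.2/9.9.3)."""
    forwarders = parse_forwarders(forwarders_spec)
    argv = ["ipa", "dnszone-mod", zone, "--forwarder=" + ";".join(forwarders)]
    if policy is not None:
        if policy not in VALID_POLICIES:
            raise ValueError(f"forward policy must be one of {VALID_POLICIES}, got {policy!r}")
        argv.append("--forward-policy=" + policy)
    return argv


if __name__ == "__main__":
    # Constructed sample values: a documentation-range IPv4 and IPv6 forwarder.
    print(shlex.join(build_dnsconfig_mod("192.0.2.53")))
    print(shlex.join(build_dnszone_mod("example.test.", "192.0.2.53; 2001:db8::53", "only")))
    # A hostname is rejected before any ipa command is ever run.
    try:
        build_dnszone_mod("example.test.", "ns1.example.test")
    except ValueError as err:
        print("rejected:", err)
```

The script only prints the commands it would run; wiring it to subprocess.run is left to the caller so that the validation can be reviewed separately from any change to the DNS configuration.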