What is this?

When you install IPFire, you configure DNS name servers either manually or via DHCP from your provider.

DNS forwarding allows you to configure additional name servers for certain zones. For these zones, all DNS queries will be forwarded to the respective name servers.

This is useful if you have a zone with non-public records like when you are using Microsoft Active Directory DNS services or an additional IPFire accessible through a VPN tunnel for example.

DNS-forwarding is not limited to use local name servers. It can also be used for Geo un-blocking services which allow access to streaming media services using reverse proxies. You can set up DNS forwarding for the media service sites only, so that you do not have to use the Geo un-blocking services' DNS server for all internet name resolution.


A zone (internet domain) and the name server for that zone is required. Valid zone names are all fully qualified domain names. The name server where all queries for this zone are sent to must be defined by its IP address.

The Remark field is optional.

Zones without DNS validation

It needs to be noted, that IPFire installations use unbound to resolve DNS names. IPFire is configured such, that the remote DNS server MUST provide validated DNS answers. Otherwise the DNS request will fail, and you will find related log entries. To spot them, use the WebGUI, there Logs / System Logs / Settings / Section: DNS-Unbound.

Unfortunately IPFire / Unbound does not provide validated answers when requested. When setting up a DNS forwarder for a VPN tunnel between two IPFire installation, see e.g. IPsec , DNS answers from the remote IPFire will be dropped, because no validated answers are provided. Consequently it is mandatory both IPFires must be configured such, that they accept DNS resolution without validated answer. This can only be configured "under the hood", i.e. root console, i.e. NOT on the WebGUI.

To achieve that, additional Unbound configuration files need to be added.

  • Open root console.
  • Create file /etc/unbound/local.d/insecure.conf with the following content:
# This is the file to include the remote zone example.com as an insecure zone
  domain-insecure: example.com
  • Save the file.
  • Restart Unbound by the following command on the root console: /etc/init.d/unbound restart

Hyper-V Default Switch / DHCP configured Non-DNSSec DNS Servers

The Hyper-V Default Switch comes with a DNS Forwarder that lacks support for DNSSec, resulting in failed DNS requests.

To resolve this issue, you can add a new configuration file to overwrite the DNS forward entry received from DHCP.

  • Open root console
  • Create a file /etc/unbound/local.d/forward.conf with the following content:
        name: "."
  • Replace the IP address with the DNS entry of your Hyper-V Host or any other server that supports DNSsec.
  • You can also add more than one forward-addr entry if needed.
  • Save the file.
  • Restart unbound: /etc/init.d/unbound restart

This should resolve the issue with DNS requests failing due to the lack of DNSSec support in the Hyper-V Default Switch's DNS Forwarder.