This would work for lookups from a BIND DNS server if it is providing authoritative DNS, but if you are referring queries to an Unbound server in which internal lookups are forwarded on to another DNS server, then defining the referral as a stub zone in the machine here will not work. In that case it is necessary to define a forward zone as above, since forward zones can have daisy chain lookups onward to other DNS servers. Forward zones can refer queries to recursive DNS servers.

    control-interface: 127.0.0.1

    # port number for remote control operations.

    server-key-file: "/etc/unbound/unbound_server.key"

    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"

    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"

    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"

For users who wish to run a validating, recursive, caching DNS server as well as an authoritative DNS server on a single machine, it may be useful to refer to the wiki page nsd, which gives an example of a configuration for such a system.
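The stub-zone versus forward-zone distinction described above, shown as an unbound.conf fragment. This is an added example, not configuration from the original page; the zone name corp.example. and the address 192.0.2.53 are constructed placeholders.

```conf
# Added example: placeholder zone name and address (assumptions).

# Does NOT work when 192.0.2.53 is itself a resolver that forwards the
# lookup onward: a stub zone expects a server that is authoritative for
# the zone, and Unbound queries it without requesting recursion.
#stub-zone:
#    name: "corp.example."
#    stub-addr: 192.0.2.53

# Works in that case: a forward zone sends recursive queries, so
# 192.0.2.53 may daisy chain the lookup to further DNS servers.
forward-zone:
    name: "corp.example."
    forward-addr: 192.0.2.53

# Checks after editing:
#   unbound-checkconf               validates the configuration file
#   unbound-control list_forwards   shows the forward zones in use
#   unbound-control list_stubs      shows the stub zones in use
```

The two unbound-control commands only work once remote control is enabled and its key and certificate files are in place.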
Windows-based DNS servers come pre-installed with an automatic method of querying Internet names called “DNS Root Hints.” Once you install the DNS role on a Windows-based server, the Root Hints are added automatically and, practically speaking, allow you to resolve any Internet name as long as that server has Internet connectivity and no firewall rule blocks it from querying those servers.
You do not have to perform any additional configuration.
The DNS server does this for DNS queries that it cannot resolve locally, meaning DNS queries that it has no personal knowledge of.