Conditional DNS Forwarding on USG

I have a simple network and lab setup and I really do not want to make it too complicated. DNS is controlled by a Ubiquiti USG, which is also the default gateway. A classic setup so far.

When running a homelab I need some form of DNS server I can control and add records to. The USG does not, to date, support that role (hopefully it will in the future), so for now I need another solution.

As I would like my lab to mimic an enterprise setup, I need Active Directory for authentication. So it makes perfect sense to also use this Windows server as the DNS server for my lab.

Now I just need one thing: my USG DNS server and the Windows DNS server have to play nicely together. This is called conditional forwarding, and with a small hack it can be set up quite easily.

The idea is that for my homelab domain, Lab.MichaelRyom.dk, the Windows DNS server holds the DNS records and is therefore the authority for that domain, while for everything else the USG remains the authority.

So just as you tell your USG/router to use Cloudflare's DNS servers to resolve everything on the internet for you, you need to tell your USG that for the Lab.MichaelRyom.dk domain the Windows DNS server is to be used. Note that I am using a public domain here, MichaelRyom.dk. This is no issue, as only the Lab subdomain will be handled by the Windows DNS server; everything else will keep working just as it used to.

Setting up conditional forwarding

The UniFi interface does not support conditional forwarding, so we need to do this via SSH to the CloudKey or management server you are using. I am using a CloudKey. On the CloudKey we create a config file, which we then push to the USG with a force provision, and after a reboot of the USG we should be up and running.

First SSH into the Cloudkey.

Next type: vi /srv/unifi/data/sites/default/config.gateway.json. Note that if you have multiple sites or your site name is not default, change the path so it fits your setup.

If you are running the controller on Ubuntu, the path should be /usr/lib/unifi/data/sites/[site name/default]/ instead.

Below is an example of the JSON I am using to get conditional forwarding to work.


Note that all you need to change is the domain, in my case lab.michaelryom.dk, and the address of the DNS server to forward requests to. Keep in mind that the forwarded queries are plain, unauthenticated DNS on port 53: whoever answers at that address decides what every name under the lab domain resolves to, so the Windows DNS server should only be reachable from networks you trust, and the USG must be allowed to reach it on port 53.
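As an added example (this is not the JSON from the original post), the configuration the steps above describe, built and checked in Python. The lab domain and the server address 192.168.10.5 are assumptions; the config.gateway.json structure with a server=/domain/ip entry under service.dns.forwarding.options is the standard way to hand a forwarder rule to the dnsmasq instance on the USG. The validator does the same parse as python -m json.tool plus a check of each server= option, since a file that is valid JSON can still carry an option dnsmasq will not accept.

```python
import ipaddress
import json
import re
from typing import List

# Assumed example values (not from the original post): the lab zone the
# Windows DNS server is authoritative for and that server's address.
LAB_DOMAIN = "lab.michaelryom.dk"
LAB_DNS_SERVER = "192.168.10.5"  # assumption: Windows DNS server in the lab VLAN

# Hostname check: labels of 1-63 chars, no leading or trailing '-'.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# dnsmasq forwarder syntax: server=/<domain>/<ip>[#port]
_SERVER_OPT_RE = re.compile(r"^server=/([^/]+)/([^/#\s]+)(?:#(\d{1,5}))?$")


def build_config(domain: str, dns_server: str) -> dict:
    """Return the config.gateway.json structure for conditional forwarding.

    The USG runs dnsmasq; service.dns.forwarding.options is passed through
    to it, and 'server=/<domain>/<ip>' tells dnsmasq to send every query
    under <domain> to <ip> instead of to the normal upstream resolvers.
    """
    return {
        "service": {
            "dns": {
                "forwarding": {
                    "options": [f"server=/{domain}/{dns_server}"]
                }
            }
        }
    }


def render(domain: str, dns_server: str) -> str:
    """JSON text as it would be pasted into config.gateway.json."""
    return json.dumps(build_config(domain, dns_server), indent=4) + "\n"


def validate_config(text: str) -> List[str]:
    """Return a list of problems with a config.gateway.json text (empty = OK).

    Step 1 is the same check 'python -m json.tool' performs: the text must
    parse. Step 2 sanity-checks each forwarding option, because a file that
    is valid JSON can still contain a dnsmasq option the USG cannot apply.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    options = (
        cfg.get("service", {}).get("dns", {}).get("forwarding", {}).get("options")
    )
    if not isinstance(options, list) or not options:
        return ["no service.dns.forwarding.options list found"]

    problems: List[str] = []
    for opt in options:
        match = _SERVER_OPT_RE.match(opt) if isinstance(opt, str) else None
        if match is None:
            problems.append(f"not a dnsmasq server=/domain/ip option: {opt!r}")
            continue
        domain, ip, port = match.groups()
        if not _DOMAIN_RE.match(domain.lower()):
            problems.append(f"not a valid domain name: {domain!r}")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"not a valid IP address: {ip!r}")
        if port is not None and not 1 <= int(port) <= 65535:
            problems.append(f"port out of range: {port}")
    return problems


# Constructed inputs: a correct file, the classic trailing-comma mistake that
# would leave the USG stuck at provisioning, and a typo in the server address.
GOOD = render(LAB_DOMAIN, LAB_DNS_SERVER)
TRAILING_COMMA = (
    '{"service": {"dns": {"forwarding": '
    '{"options": ["server=/lab.michaelryom.dk/192.168.10.5",]}}}}'
)
BAD_ADDRESS = render(LAB_DOMAIN, "192.168.10.999")

if __name__ == "__main__":
    print(GOOD)
    for name, text in (("good", GOOD), ("trailing comma", TRAILING_COMMA),
                       ("bad address", BAD_ADDRESS)):
        print(f"{name}: {validate_config(text) or 'OK'}")
```

Run it on the controller (or anywhere with Python 3) before provisioning; an empty problem list is the go-ahead. If you merge this into an existing config.gateway.json, the options array must stay nested under service.dns.forwarding, which is exactly what the "no options list found" check catches.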

Now hit enter. Unless you have created this file in the past for some other reason, it should be empty. Copy the modified version of the JSON config into the SSH session.

It is very important that the JSON is valid. If it is not, you can get yourself into trouble when rebooting the USG: it can get stuck in a provisioning loop. To check that the JSON is valid you can use https://jsonformatter.curiousconcept.com, or validate it locally as described in the next section so you do not paste internal addresses into a third-party site.

Now hit Esc, type :wq and hit enter to save the config file.

Validation and testing

Now you should have a working config, but to be sure you should validate that it is well-formed before pushing it to the USG.

Run this command to check it: python -m json.tool /srv/unifi/data/sites/default/config.gateway.json

The output should be the pretty-printed content of the file. If there is a syntax error in config.gateway.json, the tool prints the error instead and exits with a non-zero status.

With everything validated it is now time to force provision the USG.

Log into the UniFi web interface, go to Devices and click on the USG. Click Config > Manage Device and under Force provision click Provision.

After the device has been provisioned, you need to reboot the USG. Just click Restart in the interface. It should go without saying, but you will lose internet access while it reboots.

That is it. Now I am able to nslookup or ping servers running in my lab by their FQDN.

PS. Every time I reboot my USG it comes up without the WAN interface working, so I need to do an extra reboot. I have been meaning to have a chat with support about this, but just have not got around to it yet. If you face the same problem, just reboot.

3 thoughts on “Conditional DNS Forwarding on USG”

  1. I have a similar issue and was wondering if you could help. My USG seems to be preventing me from accessing my hosted server using the public domain from within the network. Outside the network it works as expected. I also have a local DNS server on Windows but have never needed to add the domain for DNS management as it's not a locally managed domain on the network. If I replace the USG with my Virgin Modem it all works as expected.

    Any ideas?

  2. The latest version, UniFiSecurityGateway.ER-e120.v4.4.44.5213844.190726.1503 (ssh usg, cat /etc/version) does not have anything in the “/srv” directory any longer.

    Using “configure” I was able to set and save the forwarding config. However, despite setting it on December 30, 2019, the configuration did not seem to survive a reboot or update, and I had to re-set it again yesterday (January 12, 2020).

    This is what I did:

    ssh usg
    set service dns forwarding name-server
    set service dns forwarding name-server

    This *seems* to write this file:

    With this content:

    And then vyatta updates the /etc/dnsmasq.conf:
    # autogenerated by vyatta-dns-forwarding.pl on Wed Feb 12 22:56:59 EST 2020
    server= # statically configured
    server= # statically configured
    # … some other config lines
