diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index 878dcdf..ca9aa61 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp @@ -220,7 +220,7 @@ class dns::server::ldap inherits dns::server { # $name: # Zone name. # $role: -# The role {master, slave, dynamic} of this host. +# The role {master, slave, dynamic, forward} of this host. # $master: # IP address of DNS master for this zone if role is slave. # IP address and FQDN of DNS master for this zone if running as @@ -228,6 +228,8 @@ class dns::server::ldap inherits dns::server { # $slaves: # IP addresess and host names of the DNS slaves for this zone. # Required only when using autogenrated zones. +# $forwarders: +# Array of forwarder IP addresses for forward role zones. # $source: # Source file to use for zone. Defaults to auto. # $key: @@ -235,7 +237,7 @@ class dns::server::ldap inherits dns::server { # $keytype: # Key algorithm. Defaults to 'hmac-md5'. # -define dns::zone($role = "master", $master = "", $slaves = [], +define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], $source = "AUTO", $key = "none", $keytype = "hmac-md5") { $tmpname = regsubst($name, '([^/]+/)?([0-9]+)/([0-9\.]+\.in-addr\.arpa)', '\1\2-\3') @@ -292,6 +294,12 @@ define dns::zone($role = "master", $master = "", $slaves = [], } } } + "forward": { + if $forwarders == [] { + fail("No forwarders defined for dns::zone '${name}'") + } + $zonedir = "" + } default: { fail("Unknown DNS zone type '${role}'") } 
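Review bot: In the new `"forward"` case of dns::zone (hunk -292,6 +294,12), `$forwarders` is only compared with `[]`, so a plain string or an array holding something other than IP addresses passes the check and is written verbatim into the BIND configuration by zone.forward.erb. A forward zone sends every query for that name to the listed hosts, so each entry should be validated before it reaches the template. If puppetlabs-stdlib is available to this module, `validate_array($forwarders)` plus an `is_ip_address` test per element with a `fail()` on mismatch would cover it. The case statement starts and ends outside the hunk, so how the other roles treat `$master` and `$slaves` cannot be compared from here.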
@@ -309,19 +317,21 @@ define dns::zone($role = "master", $master = "", $slaves = [], } } - if !defined(File["${dns::server::chroot}${zonedir}"]) { - file { "${dns::server::chroot}${zonedir}": - ensure => directory, - mode => $role ? { - "master" => "0750", - default => "0770", - }, - owner => "root", - group => $dns::server::group, - before => $role ? { - "master" => File["${dns::server::chroot}${zonedir}db.${zone}"], - default => undef, - }, + if $zonedir != "" { + if !defined(File["${dns::server::chroot}${zonedir}"]) { + file { "${dns::server::chroot}${zonedir}": + ensure => directory, + mode => $role ? { + "master" => "0750", + default => "0770", + }, + owner => "root", + group => $dns::server::group, + before => $role ? { + "master" => File["${dns::server::chroot}${zonedir}db.${zone}"], + default => undef, + }, + } } } diff --git a/dns/templates/zone.forward.erb b/dns/templates/zone.forward.erb new file mode 100644 index 0000000..85f6666 --- /dev/null +++ b/dns/templates/zone.forward.erb @@ -0,0 +1,9 @@ +zone "<%= zone %>" { + type forward; + forward only; + forwarders { +<% forwarders.each do |ip| -%> + <%= ip %>; +<% end -%> + }; +};
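Review bot: The empty-string sentinel for `$zonedir` is guarded only at this directory resource (hunk -309,19 +317,21). Any other resource in dns::zone that builds a path from `${zonedir}`, outside this hunk, would resolve to the chroot root for forward zones and is worth checking. As a matter of style the two tests can be joined, `if $zonedir != "" and !defined(File["${dns::server::chroot}${zonedir}"]) {`, which avoids re-indenting the whole resource. A one-line comment above the test, such as `# forward zones have no zone directory`, would explain the sentinel.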
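Review bot: In the new dns/templates/zone.forward.erb, `forward only;` is hard-coded, so named will not fall back to normal resolution when none of the forwarders answers, and neither the template nor the `$forwarders` doc comment in init.pp says so. Either document it there, for example `#   Queries go to these hosts only (forward only); there is no fallback.`, or expose the policy as a parameter of dns::zone. The template also reads `zone` and `forwarders` as bare names. Newer Puppet versions require `@zone` and `@forwarders`, so this should follow whatever the module's other templates do, which is not visible here.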