Recursive forward a zone in BIND

Tags: bind, dig, domain-name-system, internal-dns, recursive

I have a VPS with BIND set up. It has worked well for several months.

Recently I wanted to set up another DNS program to manage the foo.example.org subdomain on this VPS. I've set up these records in dns.he.net:

foo.example.org. IN NS vps.example.org.
vps.example.org. IN A  xx.xx.xx.xx

Since BIND listens on 53/udp, I configured it to listen on port 5353 and in named.conf:

zone "foo.example.org" {
  type forward;
  forwarders { 127.0.0.1 port 5353; };
};

I think this configuration will forward all queries for *.foo.example.org to the second DNS program. But when I test it…

On the VPS itself:

dig bar.foo.example.org @127.0.0.1 -p5353 works fine.

dig bar.foo.example.org @127.0.0.1 works fine.

On my laptop:

dig bar.foo.example.org @vps.example.org -p5353 works fine.

dig bar.foo.example.org @vps.example.org works fine.

dig foo.example.org @8.8.8.8 -t ns works fine.

dig bar.foo.example.org @8.8.8.8 returns SERVFAIL.

Replacing 8.8.8.8 with other DNS servers gives the same results, and there is nothing wrong with the TTL.

Does anyone know what's wrong with my configuration? Here is more info:

Other BIND9 configuration:

options {
  directory "/var/cache/bind";
  notify yes;
  allow-transfer { xx.xx.xx.xx; };
  dnssec-enable yes;
  dnssec-validation auto;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  recursion yes;
  allow-recursion { any; };
};

And, specifically, the "second DNS program" is iodine, which tunnels IP over DNS queries. I followed this guide to set it up behind BIND9: http://dev.kryo.se/iodine/wiki/TipsAndTricks#RunningiodinebehindBIND9

PS: I've tried another server with dnsmasq set up and used server=/foo.example.org/127.0.0.1#5353 to test. It still gets errors.

Could anyone help? Thanks in advance.

Best Answer

First of all, I would suggest you use something other than 5353 as an alternate port for DNS servers. 5353 conflicts with zeroconf/mDNS.

The reason it only works when you use vps.example.org as a recursive resolver is because that's the only recursive server that's been told that it needs to go to a special DNS server on port 5353 to find foo.example.org.

Because you can't specify a port number in an NS record, it's generally impossible to have an authoritative server on a port other than 53. All of the recursive nameservers in the world are going to find the NS record for the domain in question and are going to try to contact that server on port 53. If you wanted them to use a different port, you'd have to configure every one of them with a forward zone pointing to port 5353.

By the way, it isn't clear why you want to host foo.example.org on a separate nameserver on a different port (or IP address). Why don't you just add the foo.example.org zone to the same authoritative nameserver that serves example.org?
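The answer's central point, that an NS record carries only a nameserver name and no port, so every recursive resolver ends up at port 53, is easy to see in the wire format. The following script is an added illustration, not code from the question or the answer: it encodes and parses an RFC 1035 NS record (uncompressed names only), derives where a public resolver would send queries for the delegated zone, and contrasts that with what the forward zone in the asker's named.conf makes the one BIND instance on the VPS do. The address 192.0.2.10 is a constructed stand-in for the xx.xx.xx.xx in the post, and the named.conf parser is a deliberately narrow regex for this one zone stanza.

```python
import re
import struct

DNS_PORT = 53  # the only port a delegation can lead to: NS rdata has no port field


def encode_name(name: str) -> bytes:
    """Encode a dotted name in RFC 1035 wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, offset: int = 0):
    """Decode an uncompressed wire-format name; return (fqdn, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; this toy decoder does not follow them
            raise ValueError("compression pointers not supported")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_ns_rr(owner: str, nsdname: str, ttl: int = 3600) -> bytes:
    """Wire-format NS RR: NAME, TYPE=2, CLASS=IN, TTL, RDLENGTH, RDATA (a name only)."""
    rdata = encode_name(nsdname)
    return encode_name(owner) + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata


def build_a_rr(owner: str, ipv4: str, ttl: int = 3600) -> bytes:
    """Wire-format A RR: the glue a resolver needs to reach the NS host."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    return encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata


def parse_rr(buf: bytes) -> dict:
    """Parse one uncompressed RR; note that an NS record yields a name and nothing else."""
    owner, off = decode_name(buf)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlength]
    rr = {"owner": owner, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == 2:
        rr["nsdname"], _ = decode_name(rdata)
    elif rtype == 1:
        rr["address"] = ".".join(str(b) for b in rdata)
    else:
        rr["rdata"] = rdata
    return rr


def delegation_target(ns_rr: dict, glue: dict) -> tuple:
    """Where any recursive resolver sends queries for the delegated zone:
    the NS host's address from glue, always on port 53."""
    return glue[ns_rr["nsdname"]], DNS_PORT


# Narrow parser for a 'zone "..." { ... forwarders { IP [port N]; }; };' stanza.
FORWARDER_RE = re.compile(
    r'zone\s+"([^"]+)"\s*\{[^}]*?forwarders\s*\{\s*([\d.]+)(?:\s+port\s+(\d+))?\s*;', re.S)


def forward_target(named_conf: str, qname: str):
    """Where the single BIND instance carrying this named.conf sends a query
    for qname, or None if no forward zone matches. Only this instance knows
    about the alternate port; nothing in DNS propagates it to other resolvers."""
    q = qname.rstrip(".")
    for zone, ip, port in FORWARDER_RE.findall(named_conf):
        if q == zone or q.endswith("." + zone):
            return ip, int(port) if port else DNS_PORT
    return None


# Constructed copy of the asker's forward-zone stanza.
NAMED_CONF = '''
zone "foo.example.org" {
 type forward;
 forwarders{ 127.0.0.1 port 5353; };
};
'''
VPS_ADDR = "192.0.2.10"  # constructed stand-in for xx.xx.xx.xx in the post


def demo():
    """Return (parsed NS RR, public resolver target, VPS forward target)."""
    ns_rr = parse_rr(build_ns_rr("foo.example.org.", "vps.example.org."))
    glue_rr = parse_rr(build_a_rr("vps.example.org.", VPS_ADDR))
    glue = {glue_rr["owner"]: glue_rr["address"]}
    public = delegation_target(ns_rr, glue)                     # what 8.8.8.8 does
    local = forward_target(NAMED_CONF, "bar.foo.example.org")  # what BIND on the VPS does
    return ns_rr, public, local


if __name__ == "__main__":
    ns_rr, public, local = demo()
    print("NS rdata contains only:", ns_rr["nsdname"])
    print("public resolver contacts:", public)
    print("VPS BIND forwards to:", local)
```

Running it shows the asymmetry the answer describes: the delegation resolves to (192.0.2.10, 53) for every resolver on the internet, while (127.0.0.1, 5353) exists only inside the VPS's own named.conf.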
