
I have a VPS with BIND set up. It has worked well for several months.

Recently I wanted to set up another DNS program to manage the foo.example.org subdomain on this VPS. I've set up these in dns.he.net:

foo.example.org. IN NS vps.example.org.
vps.example.org. IN A  xx.xx.xx.xx

Since BIND listens on 53/udp, I configured it to listen on port 5353 and in named.conf:

zone "foo.example.org" {
 type forward;
 forwarders{ 127.0.0.1 port 5353; };
};

I think this configuration will forward all queries for *.foo.example.org to the second DNS program. But when I test it...

On the VPS itself:

dig bar.foo.example.org @127.0.0.1 -p5353 works fine.

dig bar.foo.example.org @127.0.0.1 works fine.

On my laptop:

dig bar.foo.example.org @vps.example.org -p5353 works fine.

dig bar.foo.example.org @vps.example.org works fine.

dig foo.example.org @8.8.8.8 -t ns works fine.

dig bar.foo.example.org @8.8.8.8 returns SERVFAIL.

Replacing 8.8.8.8 with other DNS servers gets the same results, and there is nothing wrong with the TTL.

Does anyone know what's wrong with my configuration? Here is more info:

Other BIND9 configuration:

options {
  directory "/var/cache/bind";
  notify yes;
  allow-transfer { xx.xx.xx.xx; };
  dnssec-enable yes;
  dnssec-validation auto;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  recursion yes;
  allow-recursion { any; };
};

And, specifically, the "second DNS program" is iodine, which tunnels IP over DNS queries. I followed this guide to set it up behind BIND9: http://dev.kryo.se/iodine/wiki/TipsAndTricks#RunningiodinebehindBIND9

PS: I've tried another server with dnsmasq set up and used server=/foo.example.org/127.0.0.1#5353 to test. It still gets errors.

Could anyone help? Thanks in advance.

Zhuoyun Wei

1 Answer


First of all, I would suggest you use something other than 5353 as an alternate port for DNS servers. 5353 conflicts with zeroconf/mDNS.

The reason it only works when you use vps.example.org as a recursive resolver is because that's the only recursive server that's been told that it needs to go to a special DNS server on port 5353 to find foo.example.org.

Because you can't specify a port number in an NS record, it's generally impossible to have an authoritative server on a port other than 53. All of the recursive nameservers in the world are going to find the NS record for the domain in question and are going to try to contact that server on port 53. If you wanted them to use a different port, you'd have to configure every one of them with a forward zone pointing to port 5353.

By the way, it isn't clear why you want to host foo.example.org on a separate nameserver on a different port (or IP address). Why don't you just add the foo.example.org zone to the same authoritative nameserver that serves example.org?

Celada
  • Thanks for answering! My `example.org` is hosted on dns.he.net, and my VPS serves other domains. I added an NS record for `foo.example.org` on dns.he.net to send all queries for this subdomain to my VPS. Doesn't BIND on my VPS handle these queries and forward them to the second DNS program, get the answer and tell the outside? I just followed this guide: http://dev.kryo.se/iodine/wiki/TipsAndTricks#RunningiodinebehindBIND9 – Zhuoyun Wei Sep 22 '12 at 01:41
  • No. When other nameservers ask your VPS's BIND for an answer, they don't ask for recursion. So your VPS's BIND answers only for what it knows authoritatively, and it doesn't have authority over `foo.example.org` (i.e. it is not serving that zone). – Celada Sep 23 '12 at 20:30
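To make the last comment concrete, here is an added example (not from the question, the answer or the iodine guide) that builds the kind of non-recursive query another nameserver sends when it follows the NS delegation, and decodes the reply header so you can see whether the server named in the NS record answers with the AA (authoritative) bit. The sample replies are constructed, and the names build_query, parse_flags, is_lame and probe are my own.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, recursion_desired=False, txid=0x1234):
    """Encode one DNS question. RD=0 is what another nameserver sends when it
    follows an NS delegation; only stub clients such as dig set RD=1."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(reply):
    """Decode the header bits that decide whether a delegation is lame."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "aa": bool(flags & 0x0400),  # Authoritative Answer
        "ra": bool(flags & 0x0080),  # Recursion Available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": ancount,
    }

def is_lame(flags):
    """A server named in the zone's NS record must answer with AA=1; a reply
    without AA (forward-only zone, cache hit, referral) is a lame delegation."""
    return not flags["aa"]

def probe(server, name, port=53, timeout=3.0):
    """Send a non-recursive query over UDP, the wire equivalent of
    `dig +norecurse name @server` (needs network; not used by the offline test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_flags(data)

# Constructed sample replies (12-byte headers are all parse_flags reads):
# 0x8400 = QR=1, AA=1, NOERROR, one answer: a genuinely authoritative server.
AUTHORITATIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
# 0x8080 = QR=1, AA=0, RA=1, NOERROR, no answer: a recursive BIND that only
# forwards the zone and therefore holds no authority over it.
FORWARD_ONLY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, reply in (("authoritative", AUTHORITATIVE_REPLY), ("forward-only", FORWARD_ONLY_REPLY)):
        f = parse_flags(reply)
        print(label, f, "LAME" if is_lame(f) else "ok")
```

Running probe("vps.example.org", "bar.foo.example.org") against a live server is the same check as `dig +norecurse`; a reply with aa=False from the host in the NS record is the condition that makes public resolvers give up with SERVFAIL.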