Multiple authoritative DNS server on same IPv4 address

domain-name-system recursive forwarding tunneling authoritative

I'd like to maintain a DNS tunnel on my self-hosted server at example.com. I also have a DNS server on it, which serves everything for example.com. I'm currently using dns2tcp for DNS tunneling, on the domain tunnel.example.com. NSD3 is used for serving authoritative zones, because it is both simple and secure.

However, I have only one public IPv4 address, which means that NSD and dns2tcp can't listen on the same IP/port.

So I'm currently using PowerDNS Recursor using the forward-zones parameter like this:

forward-zones-recurse=tunnel.example.com=1.2.3.4:5354
forward-zones=example.com=1.2.3.4:5353

This enables request for authoritative zone to be asked to the correct server, as well as for tunnel requests. NSD is listening on port 5353 and dns2tcp on port 5354.

However, this is bad, because the recursor needs to be open. And it actually answers to any recursive query.

Do you have any solution for that? I really prefer a solution that doesn't involve setting up BIND, but if you are in the mood to convince me, don't hesitate to do so ;)

EDIT: I change the title to be clearer.


Two servers can not listen on the same IP+Port combination at the same time.
Anything you do to enable such a beast with two backs is Hackery - it is Bad and Wrong and should not be done. Pain, Sorrow, Madness and Death lie down this path - turn back now or you will be eaten by a grue.

The Right Solution

Get another IP. Ideally get another server entirely, and don't run your recursive DNS on the same box as your authoritative.

The easy solution

Get over your fear/distrust/hatred of BIND (acquire a copy of DNS and BIND and make nice), and use the allow-recursion{…}; directive to limit who can make recursive queries.

This easy solution may still leave you open to cache poisoning and other nastiness. If you really want security for your authoritative DNS server you need to run a separate nameserver process listening on a separate IP address, ideally on a separate host (or jail, VM, whatever).

Related

nginx alias with location regex get wrong file name
Intercepting the browser's basic authorization popup with nginx
OpenBSD and filesystem snapshots
Setting up restriction classes in postfix for blocking receiving and sending mail to external domains.
SSH Port Forwarding not working on remote server
What are good default settings for DNSSEC?
dig all txt records
failed to reconnect to your remote session
Route mail from Postfix to SMTP Relay and Back
Definition of finite elements (Ciarlet)
Calculate: $ \lim_{x \to 0 } = x \cdot \sin(\frac{1}{x}) $
When each prime ideal is maximal [duplicate]