Multiple authoritative DNS server on same IPv4 address
I'd like to maintain a DNS tunnel on my self-hosted server at example.com. I also have a DNS server on it, which serves everything for example.com. I'm currently using dns2tcp for DNS tunneling, on the domain tunnel.example.com. NSD3 is used for serving authoritative zones, because it is both simple and secure.
However, I have only one public IPv4 address, which means that NSD and dns2tcp can't listen on the same IP/port.
So I'm currently using PowerDNS Recursor using the forward-zones
parameter like this:
forward-zones-recurse=tunnel.example.com=1.2.3.4:5354
forward-zones=example.com=1.2.3.4:5353
This enables request for authoritative zone to be asked to the correct server, as well as for tunnel requests. NSD is listening on port 5353 and dns2tcp on port 5354.
However, this is bad, because the recursor needs to be open. And it actually answers to any recursive query.
Do you have any solution for that? I really prefer a solution that doesn't involve setting up BIND, but if you are in the mood to convince me, don't hesitate to do so ;)
EDIT: I change the title to be clearer.
Two servers can not listen on the same IP+Port combination at the same time.
Anything you do to enable such a beast with two backs is Hackery - it is Bad and Wrong and should not be done. Pain, Sorrow, Madness and Death lie down this path - turn back now or you will be eaten by a grue.
The Right Solution
Get another IP. Ideally get another server entirely, and don't run your recursive DNS on the same box as your authoritative.
The easy solution
Get over your fear/distrust/hatred of BIND (acquire a copy of DNS and BIND and make nice), and use the allow-recursion{…};
directive to limit who can make recursive queries.
This easy solution may still leave you open to cache poisoning and other nastiness. If you really want security for your authoritative DNS server you need to run a separate nameserver process listening on a separate IP address, ideally on a separate host (or jail, VM, whatever).