Forward only BIND server [closed]

I have a unique situation where I provide a hosting service with subdomain.mycompany.com to my users. The subdomain can be hosted on any of my geographically distributed servers, each of which has its own name servers configured.

To correctly resolve IP addresses I have created a "forward" only name server which basically acts as a gateway to all other name servers. Makes sense?

Here is my config:

    options {
        allow-query { any; };
        dnssec-enable yes;
        dnssec-validation yes;

        auth-nxdomain no;
        listen-on-v6 { any; };
        recursion yes;
        forwarders {
                // placeholders for the IP addresses of the per-location name servers
                nameserver-loc1.ip;
                nameserver-loc2.ip;
                nameserver-loc3.ip;
                nameserver-loc4.ip;
        };

        forward only;
    };

My question is: am I heading in the right direction (I am new to BIND), and how can I secure this configuration to improve its security posture?


If I understand your setup correctly, it doesn't sound like it will work.

First of all, forwarding in BIND works as a variation of recursion, i.e. it will only be acted upon if the RD (Recursion Desired) bit is set in the incoming query.
Forwarding will happen if someone has your nameserver in resolv.conf (the OS stub resolver does set RD), but when a domain has been delegated to your server and some recursor out there queries your server, RD is not set.

Secondly, NXDOMAIN is a valid response and will not trigger retries, so if the first forwarder that is used answers with NXDOMAIN, that is what the response to the client will be.
Actual errors, like SERVFAIL or the lack of a response, would cause it to try the next server as well, though.

And as for security, from what I can tell this is largely a non-issue, considering that it seems like a fundamentally non-working setup.
However, while your setup allows recursion from absolutely anywhere, which is normally disastrous, it is set to forward only and lists your own, presumably authoritative-only, nameservers (if they do allow recursion, however, stick to "disastrously bad"), so the set of names that you can actually get answers for is limited, and I suppose the end result is not that much more problematic than just a normal authoritative server.
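The two behaviours the answer relies on (forwarding only happens when the RD bit is set, and NXDOMAIN from a forwarder is final while SERVFAIL or a timeout falls through to the next forwarder) can be checked offline. The following Python script is an added example, not code from the question, the answer or BIND itself: it builds DNS query headers per RFC 1035, inspects the RD flag, and models the forwarder fallback as the answer describes it. The forwarder names and response codes are constructed sample data, and `forward_only_resolve` is a simplified model of the described behaviour, not BIND's actual resolver logic.

```python
import struct

# DNS header flag bits, RFC 1035 section 4.1.1
QR = 0x8000          # 1 = response, 0 = query
RD = 0x0100          # Recursion Desired, set by stub resolvers
RA = 0x0080          # Recursion Available, set by the server
RCODE_MASK = 0x000F  # low four bits carry the response code

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def build_query(txid, recursion_desired):
    """Construct a 12-byte DNS query header (constructed sample packet,
    question section omitted because only the flags matter here)."""
    flags = RD if recursion_desired else 0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_header(packet):
    """Decode the fixed DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
    }


def will_forward(query_packet):
    """A forward-only BIND server only consults its forwarders when the
    incoming query asks for recursion (RD set). A recursor walking the
    delegation chain sends RD clear, so such a query is never forwarded."""
    return parse_header(query_packet)["rd"]


def forward_only_resolve(forwarder_answers):
    """Model of the fallback order described in the answer (assumption:
    simplified, not BIND's real algorithm). Each entry is
    (forwarder_name, rcode_or_None); None stands for no response.
    NXDOMAIN and NOERROR are final answers; SERVFAIL or no response
    moves on to the next forwarder. Returns (forwarder, rcode)."""
    for name, rcode in forwarder_answers:
        if rcode is None or rcode == RCODE_SERVFAIL:
            continue
        return name, rcode
    return None, RCODE_SERVFAIL


if __name__ == "__main__":
    # Query as sent by an OS stub resolver that lists this server in resolv.conf
    stub_query = build_query(0x1234, recursion_desired=True)
    # Query as sent by an external recursor following a delegation
    recursor_query = build_query(0x5678, recursion_desired=False)
    print("stub query forwarded:    ", will_forward(stub_query))
    print("recursor query forwarded:", will_forward(recursor_query))

    # Constructed sample: the first location does not host the name and
    # answers NXDOMAIN; the second would have answered but is never asked.
    print(forward_only_resolve([("loc1", RCODE_NXDOMAIN), ("loc2", RCODE_NOERROR)]))
    # Constructed sample: timeout, then SERVFAIL, then a real answer.
    print(forward_only_resolve([("loc1", None), ("loc2", RCODE_SERVFAIL), ("loc3", RCODE_NOERROR)]))
```

Running it shows why the design cannot serve a delegated zone: only the stub-style query is forwarded, and a name hosted at the second location is masked by the first location's NXDOMAIN.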