Bind - how to proxy DNS requests to another server (static-stub/forward type not working as expected)

How do I proxy DNS requests from bind9 to acme-dns?

Here is my named/bind9 configuration file:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        dnssec-validation auto;
        listen-on-v6 { any; };

        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        recursion yes;
        allow-recursion { any;}; # had to change to allow bind9 to query 127.0.0.53 
        version "go away";
};

zone "xample.in" {
    type master;
    file "/usr/local/etc/bind/zones/db.xample.in";
};

zone "auth.example.com" {
  type static-stub;
  server-addresses { 127.0.0.3; };
  forward first;
  forwarders { 127.0.0.3; };
};

I set up acme-dns to run on 127.0.0.3:53. It replies to SOA, NS and TXT records.

While querying with dig TXT test.auth.example.com +trace, I see -E(0)D, which can be reproduced with dig TXT test.auth.example.com @127.0.0.1 +norecurse +noedns +dnssec:

Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query: test.auth.example.com IN TXT -E(0)D (127.0.0.1)
Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query failed (REFUSED) for test.auth.example.com/IN/TXT at query.c:5499

Versions:

BIND 9.16.16 (Stable Release)
OS: Linux ARM64(aarch64)

I tried setting dnssec-validation no; but it did not work.

Configuration files:

https://github.com/joohoi/acme-dns/blob/master/config.cfg

[general]
listen = "127.0.0.1:53"
# domain name to serve the requests off of
domain = "auth.example.com"
# zone name server
nsname = "one.ns.example.com"
# admin email address, where @ is substituted with .
nsadmin = "admin.example.com"
# predefined records served in addition to the TXT
records = [
    # domain pointing to the public IP of your acme-dns server 
    "auth.example.com. A 198.51.100.1",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "auth.example.com. NS one.ns.xample.in.",
]

Zone file:

$TTL    3600
@       IN      SOA     one.ns.xample.in. webmaster.xample.in. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       86400   IN      NS      one.ns.xample.in.
@       86400   IN      NS      two.ns.xample.in.
@       IN      A       1.1.1.1
www     IN      A       1.1.1.1
_dmarc  IN      TXT     "v=DMARC1; p=reject;"
_acme-challenge IN  TXT __test_message__

Question: How do I proxy DNS requests from bind9 to acme-dns?
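To make the -E(0)D flags and the REFUSED failure in the log above machine-checkable, here is an added Python example (not from the question, BIND or acme-dns) that parses BIND 9 query-log lines of the form shown, decodes the flags field and joins each query to its "query failed" line. It assumes BIND's documented flag letters (leading +/- for RD, E(n) for the EDNS version, D for the DO bit, T for TCP) and uses the two log lines quoted above as its constructed sample.

```python
import re
# One BIND 9 query-log line, as in the question: "... query: <name> <class> <type> <flags> (<dst>)"
QUERY_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[^#\s]+)#(?P<port>\d+) \([^)]+\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \("
)
# The matching "query failed (RCODE) for <name>/<class>/<type>" line
FAIL_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[^#\s]+)#(?P<port>\d+) \([^)]+\): query failed "
    r"\((?P<rcode>[A-Z]+)\) for (?P<qname>[^/\s]+)/[^/\s]+/(?P<qtype>[^/\s]+)"
)

def parse_flags(flags: str) -> dict:
    # Leading +/- is RD; E(n) is the EDNS version; of the remaining letters,
    # D is the DO bit and T means the query arrived over TCP.
    edns = re.search(r"E\((\d+)\)", flags)
    rest = re.sub(r"E\(\d+\)", "", flags)[1:]
    return {
        "recursion_desired": flags.startswith("+"),
        "edns_version": int(edns.group(1)) if edns else None,
        "dnssec_ok": "D" in rest,
        "tcp": "T" in rest,
    }

def parse_log(lines) -> list:
    # Each query becomes a dict; a later "query failed" line for the same client/name/type fills in its rcode.
    queries = []
    for line in lines:
        if m := QUERY_RE.search(line):
            queries.append({"client": f"{m['ip']}#{m['port']}", "qname": m["qname"],
                            "qtype": m["qtype"], "rcode": "pending", **parse_flags(m["flags"])})
        elif m := FAIL_RE.search(line):
            key = (f"{m['ip']}#{m['port']}", m["qname"], m["qtype"])
            for q in reversed(queries):  # most recent still-pending matching query
                if (q["client"], q["qname"], q["qtype"]) == key and q["rcode"] == "pending":
                    q["rcode"] = m["rcode"]
                    break
    return queries

def refused(queries) -> list:
    # The symptom from the question: queries BIND answered with REFUSED.
    return [q for q in queries if q["rcode"] == "REFUSED"]
# Constructed sample: the two log lines quoted in the question.
SAMPLE = [
    "Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 "
    "(test.auth.example.com): query: test.auth.example.com IN TXT -E(0)D (127.0.0.1)",
    "Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 "
    "(test.auth.example.com): query failed (REFUSED) for test.auth.example.com/IN/TXT at query.c:5499",
]
```

Running `refused(parse_log(SAMPLE))` against a real query log (for example via `tail -f`) shows at once whether the failing queries are the non-recursive DNSSEC ones from the trace or whether every TXT lookup for the zone is refused.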

djdomi: There are multiple ways. I myself would suggest that `forwarders { 127.0.0.3; }; forward only;` should be used, else it may be possible that your server tries it first.

Asker: SOA is working with forward only, but TXT records are not showing up.

djdomi: Then show us the zone files of both.