
How do I proxy DNS requests from bind9 to acme-dns?

Here is my named/bind9 configuration file

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        dnssec-validation auto;
        listen-on-v6 { any; };

        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        recursion yes;
        allow-recursion { any;}; # had to change to allow bind9 to query 127.0.0.53 
        version "go away";
};

zone "xample.in" {
    type master;
    file "/usr/local/etc/bind/zones/db.xample.in";
};

zone "auth.example.com" {
  type static-stub;
  server-addresses { 127.0.0.3; };
  forward first;
  forwarders { 127.0.0.3; };
};

I set up acme-dns to run on 127.0.0.3:53. It replies to SOA, NS and TXT records.

While querying with dig TXT test.auth.example.com +trace, I see -E(0)D, which can be reproduced with dig TXT test.auth.example.com @127.0.0.1 +norecurse +noedns +dnssec.

Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query: test.auth.example.com IN TXT -E(0)D (127.0.0.1)
Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query failed (REFUSED) for test.auth.example.com/IN/TXT at query.c:5499

versions:

BIND 9.16.16 (Stable Release)
OS: Linux ARM64(aarch64)

I tried setting dnssec-validation no; but it did not work.

Configuration files

https://github.com/joohoi/acme-dns/blob/master/config.cfg

[general]
listen = "127.0.0.1:53"
# domain name to serve the requests off of
domain = "auth.example.com"
# zone name server
nsname = "one.ns.example.com"
# admin email address, where @ is substituted with .
nsadmin = "admin.example.com"
# predefined records served in addition to the TXT
records = [
    # domain pointing to the public IP of your acme-dns server 
    "auth.example.com. A 198.51.100.1",
    # specify that auth.example.com will resolve any *.auth.example.com records
    "auth.example.com. NS one.ns.xample.in.",
]

zone file

$TTL    3600
@       IN      SOA     one.ns.xample.in. webmaster.xample.in. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       86400   IN      NS      one.ns.xample.in.
@       86400   IN      NS      two.ns.xample.in.
@       IN      A       1.1.1.1
www     IN      A       1.1.1.1
_dmarc  IN      TXT     "v=DMARC1; p=reject;"
_acme-challenge IN  TXT __test_message__

Question: How do I proxy DNS requests from bind9 to acme-dns?

Sairam
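As an added example (not part of the question, and not code from BIND or acme-dns), here is a small Python parser for the two named query-log lines quoted above: it decodes the -E(0)D flag field and pairs the "query failed (REFUSED)" line with the query that triggered it, tagging refusals whose RD bit was clear (the +norecurse case in the dig reproducer). The regex group names and the "rd-clear" tag are my own choices; the flag letters follow BIND's query-log format.

```python
import re

# Constructed sample: the two named query-log lines quoted in the question.
LOG = """\
Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query: test.auth.example.com IN TXT -E(0)D (127.0.0.1)
Jun 17 03:14:09 in-servername named[6000]: client @0xffff7c0142c8 127.0.0.1#53223 (test.auth.example.com): query failed (REFUSED) for test.auth.example.com/IN/TXT at query.c:5499
"""

# "client @<id> <addr#port> (<qname>):" prefix shared by both line types.
PREFIX = r"client @(?P<cid>0x[0-9a-f]+) (?P<client>\S+) \((?P<qname>[^)]+)\): "
QUERY_RE = re.compile(PREFIX + r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) "
                      r"(?P<flags>\S+) \((?P<dest>[^)]+)\)")
FAIL_RE = re.compile(PREFIX + r"query failed \((?P<rcode>[A-Z]+)\) for "
                     r"(?P<name>[^/\s]+)/(?P<cls>[^/\s]+)/(?P<type>[^/\s]+)")


def decode_flags(flags):
    """Decode BIND's query-log flag field, e.g. '-E(0)D'."""
    # Leading '+'/'-' is the RD bit, 'E(n)' is EDNS version n, then one letter
    # each: S = TSIG-signed, T = TCP, D = DNSSEC OK (DO bit), C = CD bit set.
    edns = re.search(r"E\((\d+)\)", flags)
    letters = re.sub(r"E\(\d+\)", "", flags)[1:]  # strip +/- and E(n)
    return {
        "recursion_desired": flags.startswith("+"),
        "edns_version": int(edns.group(1)) if edns else None,
        "signed": "S" in letters,
        "tcp": "T" in letters,
        "do": "D" in letters,
        "cd": "C" in letters,
    }


def refused_queries(log_text):
    """Pair each 'query failed' line with the 'query:' line it belongs to."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            # Key on client id, source addr#port, name and type so the decoded
            # flags of the original query travel with its failure record.
            pending[(m["cid"], m["client"], m["name"], m["type"])] = decode_flags(m["flags"])
        elif m := FAIL_RE.search(line):
            flags = pending.pop((m["cid"], m["client"], m["name"], m["type"]), None)
            # RD-clear refusals get their own tag: named answers RD=0 queries only
            # from authoritative data or cache and does not recurse (so it does not
            # consult a static-stub's server-addresses or forwarders) for them.
            note = "rd-clear" if flags and not flags["recursion_desired"] else ""
            failures.append({"name": m["name"], "type": m["type"], "rcode": m["rcode"],
                             "flags": flags, "note": note})
    return failures
```

Running refused_queries(LOG) on the quoted lines yields one REFUSED record for test.auth.example.com/TXT with recursion_desired False, edns_version 0, do True and note "rd-clear".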
