[dns-operations] Custom DNS server as backend for authoritative DNS server

Paul Vixie paul at redbarn.org
Fri Mar 15 00:56:49 UTC 2019

Casey Deccio wrote on 2019-03-14 15:56:
> Hi all,
> I've built a little authoritative DNS server that returns synthesized
> responses, based on the query names it receives.  I would like to
> stand it up as a backend for an existing authoritative DNS server
> implementation.  Most of my DNS zones would then be served right from
> the production authoritative server (e.g., BIND, NSD, whatever), but
> when a query for a given zone is received, the authoritative server
> looks to a backend running on (for example) some other port on the
> same machine and then returns it to the client that asked it.

bump-in-the-wire signers worked that way; the method may still exist. 
it's also how much RBL and RHSBL content is served, since "rbldnsd via 
rsync" is often considered preferable to NOTIFY/IXFR.

> So, effectively the authoritative server does some forwarding of queries
> to a designated backend, but only specified zones, and it should
> always act as an authoritative server, in the sense that it doesn't
> require RD=1.  I've spun my wheels a little bit and haven't found an
> effective solution, so I'm looking to my friends in the DNS
> Community.  Any ideas?

i think your backend should FORMERR on RD=1. note that it will have to 
be able to respond to SOA and NS queries at the apex. straight-forward 
"zone { type forward; ... }" would almost work (in BIND9, though other 
servers implement the same feature with different syntax), except, you 
have to use TTL 0 to prevent caching, and, i'm not completely clear on 
what the real server will do with an RD=0 query in terms of forwarding.

did you test any of those possibilities?

see also http://uribl.com/datafeed_faq.shtml#q5

P Vixie
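The backend behaviour the reply describes, as an added example written for this page (not code from either poster or from any server project): a stdlib-only UDP authoritative backend that answers FORMERR on RD=1, serves SOA and NS at the apex, refuses names outside its zone, and puts TTL 0 on every synthesized answer so the front-end server has nothing to cache. The zone example.test, the nameserver ns1.example.test, the address 192.0.2.1 and port 5353 are assumptions.

```python
import socket
import struct
ZONE = "example.test"         # constructed zone delegated to this backend (assumption)
NS_NAME = "ns1.example.test"  # constructed apex NS target (assumption)
SYNTH_IP = "192.0.2.1"        # documentation-range address synthesized for every A query
A, NS, SOA, NOERROR, FORMERR, REFUSED = 1, 2, 6, 0, 1, 5

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_name(msg, off):
    labels = []  # question names arrive uncompressed, so no pointer handling is needed
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels).lower(), off + 1

def rr(rtype, rdata):
    # owner = pointer to the question name at offset 12, class IN, TTL 0 so the front end never caches it
    return struct.pack("!HHHIH", 0xC00C, rtype, 1, 0, len(rdata)) + rdata

def build_query(qname, qtype, rd=0, qid=0x1234):
    return struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def handle(query):
    qid, flags = struct.unpack("!HH", query[:4])
    qname, off = parse_name(query, 12)
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    question, answers = query[12:off + 4], []
    if flags & 0x0100:                                      # RD=1: FORMERR, this is not a resolver
        rcode = FORMERR
    elif qname != ZONE and not qname.endswith("." + ZONE):  # name outside the delegated zone
        rcode = REFUSED
    else:
        rcode = NOERROR
        if qtype == A:                                      # synthesized from the query name
            answers.append(rr(A, socket.inet_aton(SYNTH_IP)))
        elif qname == ZONE and qtype == NS:                 # apex NS, which the front end will ask for
            answers.append(rr(NS, encode_name(NS_NAME)))
        elif qname == ZONE and qtype == SOA:                # apex SOA, likewise
            answers.append(rr(SOA, encode_name(NS_NAME) + encode_name("hostmaster." + ZONE) + struct.pack("!IIIII", 1, 3600, 900, 604800, 0)))
    # header: QR=1 and AA=1 (0x8400), RD/RA clear, rcode in the low nibble
    return struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, len(answers), 0, 0) + question + b"".join(answers)

def serve(addr=("127.0.0.1", 5353)):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    while True:                                             # one UDP datagram in, one response out
        data, peer = sock.recvfrom(512)
        sock.sendto(handle(data), peer)
```

With `serve()` running, point the production server's forward zone for example.test at 127.0.0.1 port 5353 and capture what arrives: whether the front end forwards an RD=0 query at all is exactly the open question in the reply, and the backend's FORMERR makes an RD=1 forward visible immediately.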
