Multiple authoritative DNS server on same IPv4 address

Posted by Adrien Clerc on Server Fault
Published on 2012-06-12T08:35:04Z Indexed on 2012/06/12 16:42 UTC

I'd like to maintain a DNS tunnel on my self-hosted server at example.com. I also have a DNS server on it, which serves everything for example.com. I'm currently using dns2tcp for DNS tunneling, on the domain tunnel.example.com. NSD3 is used for serving authoritative zones, because it is both simple and secure.

However, I have only one public IPv4 address, which means that NSD and dns2tcp can't listen on the same IP/port.

So I'm currently using PowerDNS Recursor using the forward-zones parameter like this:

forward-zones-recurse=tunnel.example.com=1.2.3.4:5354
forward-zones=example.com=1.2.3.4:5353

This enables requests for the authoritative zone to be sent to the correct server, as well as tunnel requests. NSD is listening on port 5353 and dns2tcp on port 5354.

However, this is bad, because the recursor needs to be open. And it actually answers any recursive query.

Do you have any solution for that? I really prefer a solution that doesn't involve setting up BIND, but if you are in the mood to convince me, don't hesitate to do so ;)


EDIT: I changed the title to be clearer.
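The concern in the question is that the public-facing recursor answers recursive queries from anyone. The following stdlib-only probe, added here as an illustration and not part of the original post or of PowerDNS, sends a query with the RD bit set for a name outside your own zones and reports whether the server recursed for it (RA set, NOERROR, answers present). The response bytes in the block are constructed samples, not captures; the server address, port and the name www.example.net are assumptions.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with only the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes) -> dict:
    """Read the header flags and decide whether the server performed recursion for us."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra = bool(flags & 0x0080)      # RA: recursion available
    rcode = flags & 0x000F         # 0 = NOERROR, 5 = REFUSED
    return {
        "ra": ra,
        "rcode": rcode,
        "answers": an,
        "open_recursion": ra and rcode == 0 and an > 0,
    }

def probe(server: str, port: int = 53, name: str = "www.example.net",
          timeout: float = 3.0) -> dict:
    """Send the query over UDP to one of your own servers and classify the reply (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(512)
    return classify_response(data)

# Constructed sample: an open recursor answering www.example.net -> 192.0.2.10
# flags 0x8180 = QR|RD|RA, rcode 0; 1 question, 1 answer.
OPEN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03net\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"
)
# Constructed sample: an authoritative-only server replying REFUSED
# flags 0x8105 = QR|RD, RA clear, rcode 5; 1 question, 0 answers.
REFUSED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
    + b"\x03www\x07example\x03net\x00\x00\x01\x00\x01"
)
```

Running probe("1.2.3.4") against the setup described above would return open_recursion=True as long as the recursor forwards only the two zones and recurses for everything else.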
