Setting up NSD

debian/ubuntu binary

apt install nsd

cd /etc/nsd/
mkdir .trash/
mv nsd.conf nsd.conf.d/ .trash/
zcat /usr/share/doc/nsd/examples/nsd.conf.sample.gz > nsd.conf.sample
sed -r '/^[[:space:]]*(#|$)/d' nsd.conf.sample > nsd.conf

debian/ubuntu from scratch

apt install build-essential \
    libevent-dev \
    libssl-dev

beware: on Debian/Ubuntu the database goes to /var/lib/nsd/ instead of /var/db/nsd

from scratch

grab the latest release with its signature and hash, verify both, then build e.g. on NetBSD

export CPPFLAGS="-D_OPENBSD_SOURCE"
#export CFLAGS="-g -O2"
export OPENSSL_CFLAGS="-I/usr/local/ssl/include"
export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto"

args --disable-dnstap --disable-systemd --with-ssl=/usr/local/ssl --disable-ipv6
#--enable-mmap

in case you plan to chroot, you might need to force the configuration file location so that nsd-control reconfig can re-read its configuration

#--with-chroot=/var/chroot/nsd --with-nsd_conf_file=/var/chroot/nsd/nsd.conf

if it doesn't exist yet (NetBSD has a built-in _nsd account, although nsd is the default username), create an account for NSD to drop privileges to

groupadd -g 32764 nsd
useradd -u 32764 -d /var/db/nsd -g nsd -s /sbin/nologin nsd
#-d /var/chroot/nsd

provide some defaults

cd /etc/nsd/
sed -r '/^[[:space:]]*(#|$)/d' nsd.conf.sample > nsd.conf

remote-control

you can also set control-enable: no and skip the key setup if you do not plan to transfer (or receive?) any zone

generate two private keys and two self-signed SSL certificates

cd /etc/nsd/
nsd-control-setup
ll /etc/nsd/*.key
ll /etc/nsd/*.pem

optionally generate a secret for zone transfers (TSIG key)

dd if=/dev/random count=1 bs=32 | base64
#dd if=/dev/urandom count=1 bs=32 | base64

MWE

server:
        username: _nsd
        pidfile: "/var/run/nsd/nsd.pid"

remote-control:
        control-enable: no

zone:
        name: "example.local"
        zonefile: "%s.db"

/usr/local/sbin/nsd -4 -V 5

non-chroot setup

how many cores?

dmesg | egrep '(^|] )cpu[[:digit:]]+:'
grep ^processor /proc/cpuinfo

edit the configuration accordingly

vi /etc/nsd/nsd.conf

server:
    do-ip4: yes
    do-ip6: no
    verbosity: 1
    #verbosity: 3
    username: _nsd
    server-count: HOW_MANY_CORES
    pidfile: "/var/run/nsd/nsd.pid"
    hide-version: yes
    version: "NSD"
    #round-robin: yes

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: "HOSTkey"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"

define e.g. example.local and its reverse zone

zone:
    name: "example.local"
    zonefile: "%s.db"

zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"

zones

zone=example.local
date +%s
vi /var/chroot/var/db/$zone.db

$ORIGIN example.local.
$TTL 1800

@       IN      SOA     example.local. abuse.example.local. (
                        SERIAL-HERE             ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum ttl (negative caching)
                        )

                IN NS           ns.example.local.
                IN MX           5 mx
                IN A            INTERNAL_IP
*               IN A            INTERNAL_IP
ns              IN A            INTERNAL_IP
mx              IN A            INTERNAL_IP
host            IN A            INTERNAL_IP
pxe             IN CNAME        host
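Filling in SERIAL-HERE by hand on every edit is error-prone, and a serial that does not increase makes secondaries ignore the change. As an added example (not part of the original notes), a small sh script that sets the serial to the epoch as suggested above but falls back to old+1 when the existing serial is already larger (e.g. YYYYMMDDnn style); it assumes the serial sits alone on a line ending in "; serial number", as in the zone file above.

```shell
#!/bin/sh
# Added example (not part of the original notes): bump the SOA serial so that
# secondaries always see a strictly increasing value; a serial that does not
# increase makes them ignore NOTIFY and keep the old zone.
# Assumes the serial sits alone on a line ending in "; serial number", as in
# the zone file above, and that "SERIAL-HERE" means "no serial yet".

# next_serial OLD NOW -> print the serial to use
next_serial() {
    old=$1; now=$2
    case $old in
        ''|*[!0-9]*) echo "$now"; return 0 ;;   # placeholder or junk: start at epoch
    esac
    # epoch style as in the notes (date +%s); if the existing serial is already
    # >= now (e.g. 2024051201 date style), add one instead of going backwards
    if [ "$old" -ge "$now" ]; then
        echo $((old + 1))
    else
        echo "$now"
    fi
}

# bump_serial FILE [NOW] -> rewrite FILE in place and print the new serial
bump_serial() {
    file=$1; now=${2:-$(date +%s)}
    old=$(sed -n -E 's/^[[:space:]]*([^[:space:];]+)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$file" | head -n 1)
    new=$(next_serial "$old" "$now")
    sed -E "s/^([[:space:]]*)[^[:space:];]+([[:space:]]*;[[:space:]]*serial.*)/\1${new}\2/" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# usage: bump_serial "$zone.db" && nsd-checkzone "$zone" "$zone.db"
```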

non-chrooted

you will get two errors

unable to open the database /var/db/nsd/nsd.db: Permission denied
failed to unlink pidfile /var/run/nsd.pid: Permission denied

so fix the permissions accordingly and create a dedicated folder for the pid file (draft: those need to be generated by the same user that runs nsd-control, in case it is not root, which supposedly may not be the same as the user running the daemon)

ll /var/db/nsd/
ll /var/run/nsd/
ps auxww | grep nsd
rm -f /var/run/nsd/nsd.pid
rm -f /var/db/nsd/nsd.db
mkdir -p /var/run/nsd/
chown -R _nsd:_nsd /var/db/nsd/
chown -R _nsd:_nsd /var/run/nsd/

vi /etc/nsd/nsd.conf

    pidfile: "/var/run/nsd/nsd.pid"

chrooted

mv /etc/nsd/nsd.conf /var/chroot/nsd/nsd.conf
chmod 444 /var/chroot/nsd/nsd.conf
ln -s /var/chroot/nsd/nsd.conf /etc/nsd/nsd.conf
vi /var/chroot/nsd/nsd.conf

rm -rf /var/db/nsd/
rm -rf /var/run/nsd/

the dirty - and maybe problematic - way

server:
    ...
    pidfile: "/var/chroot/nsd/nsd.pid"
    ...
    chroot: "/var/chroot/nsd"
    zonesdir: "/var/chroot/nsd"
    zonelistfile: "/var/chroot/nsd/zone.list"
    database: "/var/chroot/nsd/nsd.db"
    #xfrdfile: ""
    xfrdfile: "/var/chroot/nsd/xfrd.state"
    xfrdir: "/var/chroot/nsd"

chown -R _nsd:_nsd /var/chroot/nsd/
ll /var/chroot/nsd/

==> nsd.conf and ZONE.db (not nsd.db) are root:wheel

the clean way

#ll /var/chroot/nsd/var/db/
#ll /var/chroot/nsd/var/db/nsd/
#ll /var/chroot/nsd/var/run/
#mkdir /var/chroot/nsd/tmp/
#chown -R root:wheel /var/chroot/nsd/
#chown -R nsd:nsd /var/chroot/nsd/var/db/
#chown -R nsd:nsd /var/chroot/nsd/var/run/
#chown -R nsd:nsd /var/chroot/nsd/tmp/

serve Unbound

it seems only Unbound has special restrictions on serving localhost. NSD serves localhost just fine by default

NSD binds to all interfaces by default (incl. localhost) but we want to use Unbound on the same host, so move NSD to localhost on port 5353 and leave 53 to Unbound

vi /etc/nsd/nsd.conf

    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353
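The Unbound half of that split, as an added example that is not part of the original notes: an sh function printing an unbound.conf fragment that sends the zones from the nsd.conf above to 127.0.0.1@5353. The port and zone names are assumed to be the ones used above, and the "special restriction" mentioned earlier is Unbound's do-not-query-localhost default, which the fragment relaxes; where the output file is included from is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): the Unbound side of the split
# above, i.e. send queries for the zones NSD serves to 127.0.0.1@5353.
# Assumed: the zone names and port come from the nsd.conf above and the output
# goes into a file Unbound includes (e.g. via include: in unbound.conf).

# unbound_stub_conf PORT ZONE... -> print an unbound.conf fragment
unbound_stub_conf() {
    port=$1; shift
    echo "server:"
    # this is Unbound's "special restriction": by default it will not send
    # queries to 127.0.0.0/8 at all, stub-zone or not
    echo "    do-not-query-localhost: no"
    for zone in "$@"; do
        zone=${zone%.}   # normalize: no trailing dot in input, one in output
        case $zone in
            # Unbound answers these RFC1918 reverse zones itself (NXDOMAIN)
            # unless the built-in local-zone is switched off
            10.in-addr.arpa|1[6-9].172.in-addr.arpa|2[0-9].172.in-addr.arpa|3[01].172.in-addr.arpa|168.192.in-addr.arpa)
                echo "    local-zone: \"$zone.\" nodefault" ;;
        esac
        # a private zone has no DS in its parent, so a validating Unbound would
        # mark the unsigned answers bogus without this
        echo "    domain-insecure: \"$zone.\""
        # needed if private-address: is set, otherwise INTERNAL_IP answers are dropped
        echo "    private-domain: \"$zone.\""
    done
    for zone in "$@"; do
        zone=${zone%.}
        echo ""
        echo "stub-zone:"
        echo "    name: \"$zone.\""
        echo "    stub-addr: 127.0.0.1@$port"
    done
}

# usage: unbound_stub_conf 5353 example.local c.b.a.in-addr.arpa > stub.conf && unbound-checkconf
```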

backup NS

notify & XFR to backup NS

zone:
        name: "example.com"
        zonefile: "%s.db"
        notify: x.x.x.x NOKEY
        provide-xfr: x.x.x.x NOKEY

operations

nsd -v

tail -F /var/log/messages
tail -F /var/log/syslog

nsd-checkconf /etc/nsd/nsd.conf && echo config ok
nsd-checkzone example.local /etc/nsd/example.local.db

debian/ubuntu binary

systemctl start nsd
#systemctl restart nsd
#systemctl reload nsd

manually

ps auxww | grep nsd
cat /var/run/nsd/nsd.pid
/usr/local/sbin/nsd -4
#pkill nsd

w/ remote-control

nsd-control status
nsd-control start
#nsd-control reload [<zone>]
#nsd-control reconfig

53/udp and tcp

netstat -lntupe --inet --inet6 | grep 53

status for the zones

nsd-control zonestatus example.local

acceptance

verify a few records

host example.local localhost
host pxe.example.local localhost
host -t ns example.local localhost
host -t mx example.local localhost

dig example.local @localhost +short
dig pxe.example.local @localhost +short
dig -t ns example.local @localhost +short
dig -t mx example.local @localhost +short

troubleshooting

on-going draft

problems sending reload xfrdtomain: Broken pipe
May 12 13:10:45 malabar nsd[13294]: did not get start signal from main

==> this does not help:

rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid
ll /var/db/nsd/

rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/
ll /var/chroot/nsd/

neither does this

CFLAGS="-g -O2"
...
/usr/local/sbin/nsd -V 5
-F -1 -L 2

resources

README https://github.com/NLnetLabs/nsd/tree/master/doc/README

man 8 nsd / https://www.nlnetlabs.nl/documentation/nsd/nsd/

man 5 nsd.conf / https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/

man 8 nsd-control / https://www.nlnetlabs.nl/documentation/nsd/nsd-control/

man 8 nsd-checkconf / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/

man 8 nsd-checkzone / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/

How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04

How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line

troubleshooting

Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html

FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588

NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452

[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html

[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html

backup NS

Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns
