Setting up NSD


Install

either use your distro’s binaries or build it from source

debian

apt install nsd dns-root-data ldnsutils

from source

see NSD from scratch

Friendly MWE

server:
        username: nsd
        pidfile: "/var/run/nsd.pid"

remote-control:
        control-enable: no

zone:
        name: "example.local"
        zonefile: "%s.db"

a few more options e.g. for NetBSD

        username: _nsd
        pidfile: "/var/run/nsd/nsd.pid"

start with extreme verbosity

nsd -4 -V 5

Remote control

optionally generate two private keys and two self-signed TLS certificates for controlling the daemon from the command line

cd /var/chroot/nsd/etc/
nsd-control-setup
ls -lhF *.key
ls -lhF *.pem

if you don’t plan to use remote control at all, use this instead

remote-control:
    control-enable: no

Sync secret

here we skip the generation of a shared secret for AXFR sync since our ISP does not require a key. see secondary if you need to set up a full-blown backup NS on your own.

Setup

how many cores do you have?

grep ^processor /proc/cpuinfo
dmesg | egrep '(^|] )cpu[[:digit:]]+:'

edit the configuration accordingly:

w/o chroot on Debian 11

server:
        do-ip4: yes
        do-ip6: no
        username: nsd
        server-count: HOW_MANY_CORES
        pidfile: /var/run/nsd.pid
        hide-version: yes
        version: "none of your business"
        #round-robin: yes

        log-only-syslog: no
        logfile: "/var/log/nsd.log"
        verbosity: 1

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 8952
        server-key-file:        "/etc/nsd/nsd_server.key"
        server-cert-file:       "/etc/nsd/nsd_server.pem"
        control-key-file:       "/etc/nsd/nsd_control.key"
        control-cert-file:      "/etc/nsd/nsd_control.pem"

key:
        name: "sync"
        algorithm: hmac-sha256
        secret: "THAT-SECRET-HERE"

zone:
        name: "example.local"
        zonefile: "%s.db"
        notify: SECONDARY-IP NOKEY
        provide-xfr: SECONDARY-IP NOKEY

zone:
        name: "c.b.a.in-addr.arpa"
        zonefile: "a.b.c.db"
        notify: SECONDARY-IP NOKEY
        provide-xfr: SECONDARY-IP NOKEY

with chroot on Slackware 15.0

vi /var/chroot/nsd/etc/nsd.conf

server:
    do-ip4: yes
    do-ip6: no
    verbosity: 1
    #verbosity: 3
    username: nsd
    server-count: HOW_MANY_CORES
    pidfile:        "/var/chroot/nsd/db/nsd.pid"
    hide-version: yes
    version: "none of your business"
    #round-robin: yes

    chroot:         "/var/chroot/nsd"
    zonesdir:       "/var/chroot/nsd/etc"
    zonelistfile:   "/var/chroot/nsd/db/zone.list"
    database:       "/var/chroot/nsd/db/nsd.db"
    xfrdfile:       "/var/chroot/nsd/db/xfrd.state"
    xfrdir:         "/var/chroot/nsd/db"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file:        "/var/chroot/nsd/etc/nsd_server.key"
    server-cert-file:       "/var/chroot/nsd/etc/nsd_server.pem"
    control-key-file:       "/var/chroot/nsd/etc/nsd_control.key"
    control-cert-file:      "/var/chroot/nsd/etc/nsd_control.pem"

key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY
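both configurations above carry the same hardening choices (hide-version, remote control bound to 127.0.0.1, a TSIG key section, transfer ACLs restricted to one secondary) and the same placeholders (HOW_MANY_CORES, SECONDARY-IP, the secret). the linter below, an added example and not part of this page or of NSD itself, parses an nsd.conf in the layout shown here and reports placeholders left in, secrets that are not real base64 keys, transfer ACLs open to the world with NOKEY, and keys that are defined but never referenced. the two config samples inside it are constructed; the secret in SAMPLE_OK is random-looking filler, not a key anyone uses. the ip&mask and ip-ip ACL forms NSD also accepts are not handled (assumption stated in the code).

```python
"""Lint an nsd.conf for the points the configs on this page rely on.
Added example; the samples are constructed and the checks are this script's, not NSD's."""
import base64
import ipaddress
import sys
from typing import List, Set, Tuple

Section = Tuple[str, List[Tuple[str, str]]]

# Constructed sample: the chroot config from the page with its placeholders left in.
SAMPLE_CONF = """\
server:
    hide-version: yes
    version: "none of your business"
    chroot: "/var/chroot/nsd"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952

key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY
"""

# Constructed sample: a filler base64 secret (not a real key), the TEST-NET
# address 192.0.2.53 as the secondary, and key-protected transfers.
SAMPLE_OK = """\
server:
    hide-version: yes

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

key:
    name: "sync"
    algorithm: hmac-sha256
    secret: "5kT4xvZ2mH1pQ8cL0sVbN3eR7wYaU6jDfGhKiMnOpZs="

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: 192.0.2.53 sync
    provide-xfr: 192.0.2.53 sync
"""


def parse_nsd_conf(text: str) -> List[Section]:
    """Split nsd.conf into (section, [(attribute, value), ...]) in file order.
    An unindented line ending in ':' opens a section; indented 'attr: value'
    lines belong to it.  '#' comments and blank lines are skipped, quotes stripped."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            sections.append((line[:-1].strip(), []))
            continue
        if not sections or ":" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        attr, _, value = line.strip().partition(":")
        sections[-1][1].append((attr.strip(), value.strip().strip('"')))
    return sections


def _valid_secret(secret: str) -> bool:
    """TSIG secrets are base64; RFC 2104 recommends an HMAC key at least as
    long as the digest, i.e. 32 bytes for hmac-sha256."""
    try:
        return len(base64.b64decode(secret, validate=True)) >= 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def _is_local_control(iface: str) -> bool:
    # Assumption: an absolute path is a local control socket, which is fine.
    if iface == "localhost" or iface.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(iface).is_loopback
    except ValueError:
        return False


def _acl_findings(zone: str, attr: str, value: str, keys: Set[str]) -> List[str]:
    """Check one '<ip[/prefix][@port]> <key|NOKEY|BLOCKED>' ACL line.
    Assumption: the ip&mask and ip-ip forms NSD also accepts are not handled."""
    parts = value.split()
    if len(parts) != 2:
        return [f"zone {zone}: {attr} should be '<ip> <key|NOKEY|BLOCKED>', got {value!r}"]
    target, keyname = parts
    try:
        net = ipaddress.ip_network(target.split("@", 1)[0], strict=False)
    except ValueError:
        return [f"zone {zone}: {attr} target {target!r} is not an address (placeholder left in?)"]
    if keyname == "NOKEY" and attr in ("provide-xfr", "allow-notify") and net.prefixlen == 0:
        return [f"zone {zone}: {attr} accepts unauthenticated requests from anywhere"]
    if keyname not in ("NOKEY", "BLOCKED") and keyname not in keys:
        return [f"zone {zone}: {attr} references undefined key {keyname!r}"]
    return []


def lint(sections: List[Section]) -> List[str]:
    findings: List[str] = []
    keys = {dict(attrs).get("name") for name, attrs in sections if name == "key"}
    used: Set[str] = set()
    for name, attrs in sections:
        d = dict(attrs)  # last value wins; fine for the single-valued attributes read here
        if name == "server" and d.get("hide-version", "no") != "yes":
            findings.append("server: hide-version is not yes (version.bind CH TXT reveals the NSD release)")
        elif name == "remote-control" and d.get("control-enable", "no") == "yes":
            if not _is_local_control(d.get("control-interface", "127.0.0.1")):
                findings.append(f"remote-control: control-interface {d['control-interface']!r} is not loopback")
        elif name == "key" and not _valid_secret(d.get("secret", "")):
            findings.append(f"key {d.get('name')}: secret is not base64 of >= 32 bytes (placeholder?)")
        elif name == "zone":
            for attr, value in attrs:  # a zone may carry several ACL lines
                if attr in ("notify", "provide-xfr", "allow-notify"):
                    findings.extend(_acl_findings(d.get("name", "?"), attr, value, keys))
                    if len(value.split()) == 2:
                        used.add(value.split()[1])
    for unused in sorted(keys - used, key=str):
        findings.append(f"key {unused}: defined but not referenced by any zone ACL")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint(parse_nsd_conf(text)):
        print(finding)
```

run it as `python3 lint_nsd.py /etc/nsd/nsd.conf` (or the chroot path) before `nsd-checkconf`; on the placeholder config above it reports the secret, both SECONDARY-IP lines and the unused key, and nothing on the completed one.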

Setup zones

see zone setup

Serve to Unbound

it seems only Unbound has special restrictions on serving localhost; NSD serves localhost just fine by default.

NSD binds to all interfaces by default (incl. localhost), but we want to run Unbound on the same host and the ports would conflict, so bind NSD to the loopback addresses on an alternate port:

vi /etc/nsd/nsd.conf

    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353

Ready to go

read the logs

# debian
tail -F /var/log/syslog

# slackware
tail -F /var/log/messages

check

which nsd
nsd -v

zone=example.local

# w/o chroot
nsd-checkconf /etc/nsd/nsd.conf && echo OK
nsd-checkzone $zone /etc/nsd/$zone.db
nsd-checkzone $zone /etc/nsd/$zone.db.signed

# w/ chroot
nsd-checkconf /var/chroot/nsd/nsd.conf && echo OK
nsd-checkzone $zone /var/chroot/nsd/$zone.db
nsd-checkzone $zone /var/chroot/nsd/$zone.db.signed

w/o remote control and w/o systemd

enable at startup

vi /etc/rc.local

# self-verbose
rm -f /var/chroot/nsd/db/nsd.pid
/usr/local/sbin/nsd
#-4

status

pgrep -a nsd
cat /var/run/nsd/nsd.pid
cat /var/db/nsd/nsd.pid
cat /var/chroot/nsd/nsd.pid
netstat -lntup | grep 53

reload

# DOES NOT WORK
#pkill -HUP nsd

# YOU NEED TO GRAB THE PID MANUALLY - THE PARENT PROCESS
ps auxfww | grep nsd
kill -HUP PID

stop

# IDEM
#pkill nsd
kill PID

w/ remote control, w/o systemd

enable at startup

echo starting nsd
/usr/local/sbin/nsd-control start

status

nsd-control status

status for the zones

nsd-control zonestatus 

reload

#nsd-control reload [<zone>]
#nsd-control reconfig

debian w/ systemd

systemctl restart nsd
systemctl status nsd # enabled already
netstat -lntup | grep :53

Acceptance

verify a few records

host $zone localhost
host -t ns $zone localhost
host -t mx $zone localhost
host HOST.$zone localhost

dig $zone @localhost +short
dig ns $zone @localhost +short
dig mx $zone @localhost +short
dig HOST.$zone @localhost +short

DNSSEC

see nsd-dnssec

Additional notes

Note: round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be for the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.

Troubleshooting

Trying to start the daemon on NetBSD

problems sending reload xfrdtomain: Broken pipe
May 12 13:10:45 malabar nsd[13294]: did not get start signal from main

==> this does not help:

rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid
ll /var/db/nsd/

rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/
ll /var/chroot/nsd/

==> neither does this:

CFLAGS="-g -O2"
...
/usr/local/sbin/nsd -V 5
-F -1 -L 2

==> see NSD from scratch; NSD has been fixed in the meantime.

Out of memory: Killed process 3865 (nsd: xfrd) total-vm:109688kB, anon-rss:83596kB, file-rss:0kB, shmem-rss:0kB

==> DO NOT ENABLE TMEM

Resources

nsd - Name Server Daemon (NSD) version 4.3.6. https://www.nlnetlabs.nl/documentation/nsd/nsd/

nsd.conf - NSD configuration file https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/

nsd-control, nsd-control-setup - NSD remote server control utility. https://www.nlnetlabs.nl/documentation/nsd/nsd-control/

nsd-checkconf - NSD configuration file checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/

nsd-checkzone - NSD zone file syntax checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/

How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04

How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line

setup

https://linux.die.net/man/5/nsd.conf ==> logfile

backup ns

Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns

ttl

What is DNS TTL + Best Practices https://www.varonis.com/blog/dns-ttl/

troubles

Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html

FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588

NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452

[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html

[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html


Copyright © 2024 Pierre-Philipp Braun