Setting up NSD

Install

either use your distro’s binaries or build it from source

ubuntu

apt install nsd ldnsutils

from source

see NSD from scratch

Friendly MWE

server:
        username: nsd
        pidfile: "/var/run/nsd.pid"

remote-control:
        control-enable: no

zone:
        name: "example.local"
        zonefile: "%s.db"

a few more options e.g. for NetBSD

        username: _nsd
        pidfile: "/var/run/nsd/nsd.pid"

start with extreme verbosity

nsd -4 -V 5

Prep for remote control

you can also set control-enable: no and skip the key setup if you do not plan to receive any updates.

generate two private keys and two self-signed SSL certificates

cd /var/chroot/nsd/etc/
nsd-control-setup
ls -lhF *.key
ls -lhF *.pem

optionally generate a TSIG secret for receiving updates (used in the key: stanza below)

dd if=/dev/random count=1 bs=32 | base64

Setup

how many cores do you have?

grep ^processor /proc/cpuinfo
dmesg | egrep '(^|] )cpu[[:digit:]]+:'

edit the configuration accordingly:

w/o chroot on Debian 11

server:
        do-ip4: yes
        do-ip6: no
        verbosity: 1
        username: nsd
        server-count: HOW_MANY_CORES
        pidfile: /run/nsd.pid
        hide-version: yes
        version: "none of your business"
        #round-robin: yes

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 8952
        server-key-file:        "/etc/nsd/nsd_server.key"
        server-cert-file:       "/etc/nsd/nsd_server.pem"
        control-key-file:       "/etc/nsd/nsd_control.key"
        control-cert-file:      "/etc/nsd/nsd_control.pem"

key:
        name: "xc-key"
        algorithm: hmac-sha256
        secret: "XecUzzM7SuUW9g3P8gB5Bu8661LEW2BlYp/r39FLNh0="

zone:
        name: "example.local"
        zonefile: "%s.db"
        notify: SECONDARY-IP NOKEY
        provide-xfr: SECONDARY-IP NOKEY

zone:
        name: "c.b.a.in-addr.arpa"
        zonefile: "a.b.c.db"
        notify: SECONDARY-IP NOKEY
        provide-xfr: SECONDARY-IP NOKEY
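Added example, not part of the original guide: a small POSIX shell script that does the three manual edits of the Debian (no chroot) variant above in one go. It counts the cores for server-count, generates the secret with the same recipe as the dd | base64 line (reading /dev/urandom so it never blocks), checks that the secret really decodes to 32 bytes (catches a truncated paste), and renders the stanzas. The function names, the argument layout and the 192.0.2.0/24 addresses are my assumptions. One deliberate difference from the listing: the zone stanza references the key (xc-key) instead of NOKEY, so NOTIFY and zone transfers to the secondary are TSIG-authenticated once the secondary carries the same key: stanza.

```shell
#!/bin/sh
# Added example, not part of the original guide: fill in the HOW_MANY_CORES,
# secret and SECONDARY-IP placeholders of the Debian (no chroot) nsd.conf.
# Function names and the 192.0.2.0/24 addresses are assumptions for this demo.

# Core count for server-count: nproc, then /proc/cpuinfo (Linux), then
# sysctl (BSD). Falls back to 1 if none of them yields a positive number.
core_count() {
    n=$(nproc 2>/dev/null) \
        || n=$(grep -c '^processor' /proc/cpuinfo 2>/dev/null) \
        || n=$(sysctl -n hw.ncpu 2>/dev/null)
    case $n in
        ''|*[!0-9]*|0) n=1 ;;
    esac
    echo "$n"
}

# 32 random bytes, base64 encoded: the dd | base64 recipe, from /dev/urandom.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The recipe produces 32 bytes; refuse anything that does not decode to
# exactly that, which catches a truncated or mangled copy/paste.
validate_tsig_secret() {
    len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$len" -eq 32 ]
}

# Render server:/remote-control:/key:/zone: with real values.
# Usage: render_nsd_conf SECONDARY_IP [SECRET] [CORES]
# Unlike the listing in the guide, the zone references the key so that
# NOTIFY and AXFR/IXFR with the secondary are TSIG-authenticated.
render_nsd_conf() {
    secondary=$1
    secret=${2:-$(gen_tsig_secret)}
    cores=${3:-$(core_count)}
    validate_tsig_secret "$secret" || { echo "invalid secret" >&2; return 1; }
    cat <<EOF
server:
        do-ip4: yes
        do-ip6: no
        verbosity: 1
        username: nsd
        server-count: $cores
        pidfile: /run/nsd.pid
        hide-version: yes
        version: "none of your business"

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 8952
        server-key-file:        "/etc/nsd/nsd_server.key"
        server-cert-file:       "/etc/nsd/nsd_server.pem"
        control-key-file:       "/etc/nsd/nsd_control.key"
        control-cert-file:      "/etc/nsd/nsd_control.pem"

key:
        name: "xc-key"
        algorithm: hmac-sha256
        secret: "$secret"

zone:
        name: "example.local"
        zonefile: "%s.db"
        notify: $secondary xc-key
        provide-xfr: $secondary xc-key
EOF
}

# Run directly: ./render-nsd.sh 192.0.2.2 > /etc/nsd/nsd.conf, then nsd-checkconf.
if [ $# -ge 1 ]; then
    render_nsd_conf "$@"
fi
```

The rendered file is a starting point; run nsd-checkconf on it before restarting, and paste the same secret into the secondary's key: stanza so the transfers are actually authenticated rather than silently falling back to NOKEY.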

with chroot on Slackware 15.0

vi /var/chroot/nsd/etc/nsd.conf

server:
    do-ip4: yes
    do-ip6: no
    verbosity: 1
    #verbosity: 3
    username: nsd
    server-count: HOW_MANY_CORES
    pidfile:        "/var/chroot/nsd/db/nsd.pid"
    hide-version: yes
    version: "none of your business"
    #round-robin: yes

    chroot:         "/var/chroot/nsd"
    zonesdir:       "/var/chroot/nsd/etc"
    zonelistfile:   "/var/chroot/nsd/db/zone.list"
    database:       "/var/chroot/nsd/db/nsd.db"
    xfrdfile:       "/var/chroot/nsd/db/xfrd.state"
    xfrdir:         "/var/chroot/nsd/db"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file:        "/var/chroot/nsd/etc/nsd_server.key"
    server-cert-file:       "/var/chroot/nsd/etc/nsd_server.pem"
    control-key-file:       "/var/chroot/nsd/etc/nsd_control.key"
    control-cert-file:      "/var/chroot/nsd/etc/nsd_control.pem"

key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

moar options

If you don't plan to use remote control or keys at all, use this instead:

remote-control:
    control-enable: no

Note: switch to username _nsd on NetBSD.

Note: round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be for the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.

Setup zones

see zone setup

Serve to Unbound

it seems only Unbound has special restrictions on serving localhost; NSD serves localhost just fine by default.

NSD binds to all interfaces by default (incl. localhost), but we want to use Unbound on the same host and both would conflict on port 53, so bind NSD to localhost on another port instead:

vi /etc/nsd/nsd.conf

    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353

Ready to go

read the logs

# debian
tail -F /var/log/syslog

# slackware
tail -F /var/log/messages

check

which nsd
nsd -v

zone=example.local

# w/o chroot
nsd-checkconf /etc/nsd/nsd.conf && echo OK
nsd-checkzone $zone /etc/nsd/$zone.db
nsd-checkzone $zone /etc/nsd/$zone.db.signed

# w/ chroot (nsd.conf and the zonesdir live under /var/chroot/nsd/etc, see above)
nsd-checkconf /var/chroot/nsd/etc/nsd.conf && echo OK
nsd-checkzone $zone /var/chroot/nsd/etc/$zone.db
nsd-checkzone $zone /var/chroot/nsd/etc/$zone.db.signed

w/o remote control or systemd

enable at startup

vi /etc/rc.local

# self-verbose
rm -f /var/chroot/nsd/db/nsd.pid
/usr/local/sbin/nsd
#-4

status

pgrep -a nsd
cat /var/run/nsd/nsd.pid
cat /var/db/nsd/nsd.pid
cat /var/chroot/nsd/nsd.pid
netstat -lntup | grep 53

reload

# DOES NOT WORK
#pkill -HUP nsd

# YOU NEED TO GRAB THE PID MANUALLY - THE PARENT PROCESS
ps auxfww | grep nsd
kill -HUP PID

stop

# IDEM
#pkill nsd
kill PID
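Added example, not part of the original guide: instead of grabbing the parent PID by hand from ps, read it from the pidfile (nsd writes the main process' pid there), check that the process is actually alive, and then send the same HUP (reload) or TERM (stop) as above. The candidate pidfile paths are the ones that appear in this guide; the function names and the command-line handling are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: locate the parent nsd process
# via its pidfile and signal it. Paths below are the ones used in this guide;
# adjust NSD_PIDFILES to match the pidfile: setting in your nsd.conf.

NSD_PIDFILES="/run/nsd.pid /var/run/nsd.pid /var/run/nsd/nsd.pid /var/db/nsd/nsd.pid /var/chroot/nsd/db/nsd.pid"

# Print the pid from the first readable pidfile that holds a number naming a
# live process. Returns 1 and prints nothing otherwise (stale or absent file).
# An alternative space-separated list of files may be passed as $1.
nsd_parent_pid() {
    for f in ${1:-$NSD_PIDFILES}; do
        [ -r "$f" ] || continue
        pid=$(tr -d '[:space:]' < "$f")
        case $pid in ''|*[!0-9]*) continue ;; esac
        # kill -0 sends no signal; it only checks the process exists and
        # that we are allowed to signal it (so a stale pidfile is skipped)
        if kill -0 "$pid" 2>/dev/null; then
            echo "$pid"
            return 0
        fi
    done
    return 1
}

# reload: the HUP from above, delivered to the parent only
nsd_reload() {
    pid=$(nsd_parent_pid) || { echo "no live nsd pid found" >&2; return 1; }
    kill -HUP "$pid"
}

# stop: TERM to the parent shuts the server down
nsd_stop() {
    pid=$(nsd_parent_pid) || { echo "no live nsd pid found" >&2; return 1; }
    kill -TERM "$pid"
}

# Usage: ./nsdctl.sh reload | stop | status
case ${1:-} in
    reload) nsd_reload ;;
    stop)   nsd_stop ;;
    status) nsd_parent_pid ;;
esac
```

Because the pidfile is checked against a live process, a leftover file from a crash (the "rm -f .../nsd.pid" lines earlier in this guide) no longer results in signalling a random pid that has since been reused.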

w/ remote control, no systemd

enable at startup

echo starting nsd
/usr/local/sbin/nsd-control start

status

nsd-control status

status for the zones

nsd-control zonestatus

reload

#nsd-control reload [<zone>]
#nsd-control reconfig

debian w/ systemd

netstat -lntup | grep :53
systemctl stop named
systemctl disable named

systemctl restart nsd
systemctl status nsd # not enabled yet
systemctl enable nsd

Acceptance

verify a few records

host $zone localhost
host -t ns $zone localhost
host -t mx $zone localhost
host HOST.$zone localhost

dig $zone @localhost +short
dig ns $zone @localhost +short
dig mx $zone @localhost +short
dig HOST.$zone @localhost +short
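Added example, not part of the original guide: the same acceptance queries as a script that fails when any record comes back empty, so it can be run after every reload. SOA stands in for the bare dig $zone (every zone has one, an apex A record is optional); NS, MX and HOST.$zone are as above. Server and port are parameters, so the same script checks the 127.0.0.1@5353 listener from the Unbound section. It needs dig installed; the function names and the DIG override are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: acceptance checks for the
# zone served by NSD. Requires dig (ldnsutils/dnsutils). DIG can be overridden
# to point at another dig binary.

DIG=${DIG:-dig}

# Count data lines in a `dig +short` answer. Lines starting with ';;' are
# dig's own diagnostics (timeout, refused, ...) and do not count as data.
count_answers() {
    printf '%s\n' "$1" | awk '/^[^; \t]/ { n++ } END { print n + 0 }'
}

# Usage: query TYPE NAME [SERVER] [PORT]
query() {
    $DIG +short +time=2 +tries=1 -p "${4:-53}" "$1" "$2" "@${3:-localhost}"
}

# Usage: check_records ZONE [HOST] [SERVER] [PORT]
# Exit status is the number of failed queries (0 = all records answered).
check_records() {
    zone=$1; host=${2:-HOST}; server=${3:-localhost}; port=${4:-53}
    fails=0
    for q in "SOA $zone" "NS $zone" "MX $zone" "A $host.$zone"; do
        set -- $q
        # `|| true`: a dig failure (e.g. no server reachable) is reported
        # below as a missing answer instead of aborting the whole run
        out=$(query "$1" "$2" "$server" "$port" || true)
        if [ "$(count_answers "$out")" -gt 0 ]; then
            echo "ok    $1 $2 -> $(printf '%s\n' "$out" | head -n 1)"
        else
            echo "FAIL  $1 $2 (no answer from $server port $port)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Usage: ./check-zone.sh example.local HOST [SERVER] [PORT]
# e.g.   ./check-zone.sh example.local myhost 127.0.0.1 5353
if [ $# -ge 1 ]; then
    check_records "$@"
fi
```

Pointing the server argument at the secondary's address after the first NOTIFY is a quick way to confirm the transfer actually happened, since the same four records must then answer from there too.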

DNSSEC

see nsd-dnssec

Troubleshooting

Trying to start the daemon on NetBSD

problems sending reload xfrdtomain: Broken pipe
May 12 13:10:45 malabar nsd[13294]: did not get start signal from main

==> this does not help:

rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid
ll /var/db/nsd/

rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/
ll /var/chroot/nsd/

==> this neither

CFLAGS="-g -O2"
...
/usr/local/sbin/nsd -V 5 -F -1 -L 2

==> see NSD from scratch; NSD has been bug-fixed in the meantime.

Out of memory: Killed process 3865 (nsd: xfrd) total-vm:109688kB, anon-rss:83596kB, file-rss:0kB, shmem-rss:0kB

==> DO NOT ENABLE TMEM

Resources

nsd - Name Server Daemon (NSD) version 4.3.6. https://www.nlnetlabs.nl/documentation/nsd/nsd/

nsd.conf - NSD configuration file https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/

nsd-control, nsd-control-setup - NSD remote server control utility. https://www.nlnetlabs.nl/documentation/nsd/nsd-control/

nsd-checkconf - NSD configuration file checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/

nsd-checkzone - NSD zone file syntax checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/

How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04

How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line

backup ns

Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns

ttl

What is DNS TTL + Best Practices https://www.varonis.com/blog/dns-ttl/

troubles

Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html

FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588

NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452

[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html

[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html


Copyright © 2023 Pierre-Philipp Braun