Setting up NSD

Install

either use your distro’s binaries or see NSD from scratch

Friendly MWE

server:
        username: nsd
        pidfile: "/var/run/nsd.pid"

remote-control:
        control-enable: no

zone:
        name: "example.local"
        zonefile: "%s.db"

a few more options e.g. for NetBSD

        username: _nsd
        pidfile: "/var/run/nsd/nsd.pid"

start with extreme verbosity

nsd -4 -V 5

Prep for remote control

you can also set control-enable: no and skip the key setup if you do not plan to receive any updates.

generate two private keys and two self-signed SSL certificates

cd /var/chroot/nsd/etc/
nsd-control-setup
ls -lhF *.key
ls -lhF *.pem

optionally generate a shared secret (for the key: section of nsd.conf) for receiving updates

dd if=/dev/random count=1 bs=32 | base64
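Added example, not from the original page: a small check of what this step leaves behind. check_control_files verifies that nsd-control-setup produced the two keys and two certificates in the given directory and that the private keys are exactly mode 0600 (find -maxdepth is assumed, as on GNU and BSD find); check_tsig_secret verifies that a pasted secret decodes to at least 32 bytes (base64 -d from GNU coreutils is assumed). The directory /var/chroot/nsd/etc is the one used above; any directory can be passed.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity checks for the
# remote-control key material and the TSIG secret generated above.

# check_control_files DIR
# Returns 0 when nsd_server.key, nsd_control.key, nsd_server.pem and
# nsd_control.pem exist in DIR and every *.key file is exactly mode 0600.
check_control_files() {
    dir=$1
    rc=0
    for f in nsd_server.key nsd_control.key nsd_server.pem nsd_control.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
    done
    # private keys must not be group- or world-readable: require exactly 0600
    # (-maxdepth is a GNU/BSD extension, assumed here)
    bad=$(find "$dir" -maxdepth 1 -name '*.key' ! -perm 600)
    if [ -n "$bad" ]; then
        echo "private key(s) with permissive mode, expected 0600:" >&2
        echo "$bad" >&2
        rc=1
    fi
    return $rc
}

# check_tsig_secret SECRET
# Returns 0 when SECRET is base64 that decodes to at least 32 bytes,
# i.e. what "dd if=/dev/random count=1 bs=32 | base64" produces.
check_tsig_secret() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    n=$(echo "$n" | tr -d ' ')   # BSD wc pads its output with spaces
    if [ "$n" -ge 32 ]; then
        return 0
    fi
    echo "secret decodes to only $n bytes, want at least 32" >&2
    return 1
}

# usage (commented out so the functions can be sourced):
#   check_control_files /var/chroot/nsd/etc && echo keys OK
#   check_tsig_secret "$(dd if=/dev/random count=1 bs=32 2>/dev/null | base64)" && echo secret OK
```

Run the file-permission check again after any restore from backup or copy between hosts; a key copied with a permissive umask is the usual way an 0600 file turns into 0644.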

Setup NSD with chroot

how many cores do you have?

grep ^processor /proc/cpuinfo
dmesg | egrep '(^|] )cpu[[:digit:]]+:'

edit the configuration accordingly: define a zone and its reverse (in-addr.arpa) zone

vi /var/chroot/nsd/etc/nsd.conf

server:
    do-ip4: yes
    do-ip6: no
    verbosity: 1
    #verbosity: 3
    username: nsd
    server-count: HOW_MANY_CORES
    pidfile:        "/var/chroot/nsd/db/nsd.pid"
    hide-version: yes
    version: "NSD"
    #round-robin: yes

    chroot:         "/var/chroot/nsd"
    zonesdir:       "/var/chroot/nsd/etc"
    zonelistfile:   "/var/chroot/nsd/db/zone.list"
    database:       "/var/chroot/nsd/db/nsd.db"
    xfrdfile:       "/var/chroot/nsd/db/xfrd.state"
    xfrdir:         "/var/chroot/nsd/db"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file:        "/var/chroot/nsd/etc/nsd_server.key"
    server-cert-file:       "/var/chroot/nsd/etc/nsd_server.pem"
    control-key-file:       "/var/chroot/nsd/etc/nsd_control.key"
    control-cert-file:      "/var/chroot/nsd/etc/nsd_control.pem"

key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

If you don't plan to use remote control or keys at all, use this instead

remote-control:
    control-enable: no

Note: switch to username _nsd on NetBSD.

Note: round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be for the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.

Setup zones

zone=example.local
date +%s    # use the output as the SOA serial below
vi /var/chroot/nsd/etc/$zone.db    # zonesdir as configured above

$ORIGIN example.local.
$TTL 21600

@       IN      SOA     example.local. abuse.example.local. (
                        SERIAL-HERE             ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        21600                   ; minimum (negative caching TTL)
                        )

                IN NS           ns.example.local.
                IN MX           5 mx
                IN A            INTERNAL_IP
*               IN A            INTERNAL_IP
ns              IN A            INTERNAL_IP
mx              IN A            INTERNAL_IP
host            IN A            INTERNAL_IP
pxe             IN CNAME        host

Once everything is in place, you can raise the TTL from 6 hours (21600) to 24 hours (86400).

For testing purposes you may instead reduce it to 300 seconds (5 minutes) or 1800 (30 minutes).

Note that the same long TTL is used for both $TTL and the minimum field of the SOA record itself.
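Added example, not from the original page: the zone file above takes its serial from date +%s, and a secondary only transfers the zone when the serial it is notified about is larger than the one it holds. next_serial reads the number on the "; serial number" line of a zone file (the placeholder SERIAL-HERE counts as 0) and returns the larger of the current epoch and old serial + 1, refusing values past the 32-bit range; set_serial writes it back in place. Function names and the .tmp file are assumptions for this example.

```shell
#!/bin/sh
# Added example (not part of the original page): keep the SOA serial
# increasing on every edit so that notify/XFR to the secondary works.

# next_serial ZONEFILE
# Prints the serial to use for the next edit of ZONEFILE.
next_serial() {
    zonefile=$1
    now=$(date +%s)
    # the serial is the first field of the line carrying the "; serial" comment
    cur=$(awk '/; serial/ { print $1; exit }' "$zonefile")
    # SERIAL-HERE (or an empty line) counts as 0, so the first run yields the epoch
    case $cur in
        ''|*[!0-9]*) cur=0 ;;
    esac
    if [ "$cur" -ge "$now" ]; then
        next=$((cur + 1))      # zone edited more than once this second, or clock went back
    else
        next=$now
    fi
    # the SOA serial is a 32-bit unsigned integer
    if [ "$next" -gt 4294967295 ]; then
        echo "serial $next exceeds the 32-bit range" >&2
        return 1
    fi
    echo "$next"
}

# set_serial ZONEFILE
# Rewrites the serial line of ZONEFILE in place and prints the new serial.
set_serial() {
    zonefile=$1
    new=$(next_serial "$zonefile") || return 1
    # replace the first digit run on the first "; serial" line only
    awk -v s="$new" '/; serial/ && !done { sub(/[0-9]+/, s); done = 1 } { print }' \
        "$zonefile" > "$zonefile.tmp" && mv "$zonefile.tmp" "$zonefile"
    echo "$new"
}

# usage (commented out so the functions can be sourced):
#   set_serial /var/chroot/nsd/etc/example.local.db && nsd-control reload example.local
```

Run nsd-checkzone on the file after set_serial and before reloading; a serial that stayed the same is the most common reason a secondary silently keeps serving stale data.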

Serve to Unbound

it seems only Unbound has special restrictions on querying localhost; NSD serves localhost just fine by default.

NSD binds to all interfaces by default (incl. localhost), but we want to run Unbound on the same host and the ports would conflict, so move NSD to another port:

vi /etc/nsd/nsd.conf

    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353

Secondary NS

notify & XFR to backup NS

zone:
        name: "example.com"
        zonefile: "%s.db"
        notify: x.x.x.x NOKEY
        provide-xfr: x.x.x.x NOKEY

Ready to go w/o remote control

read the logs

tail -F /var/log/messages
tail -F /var/log/syslog

check

domain=example.local
which nsd
nsd -v

# w/o chroot
nsd-checkconf /etc/nsd/nsd.conf && echo OK
nsd-checkzone $domain /etc/nsd/$domain.db
nsd-checkzone $domain /etc/nsd/$domain.db.signed

# w/ chroot (paths as configured above)
nsd-checkconf /var/chroot/nsd/etc/nsd.conf && echo OK
nsd-checkzone $domain /var/chroot/nsd/etc/$domain.db
nsd-checkzone $domain /var/chroot/nsd/etc/$domain.db.signed

warning: DO NOT ENABLE TMEM (transcendent memory) on the guest, otherwise the xfrd child gets killed:

Out of memory: Killed process 3865 (nsd: xfrd) total-vm:109688kB, anon-rss:83596kB, file-rss:0kB, shmem-rss:0kB

enable at startup

vi /etc/rc.local

# self-verbose
rm -f /var/chroot/nsd/db/nsd.pid
/usr/local/sbin/nsd
#-4

status

pgrep -a nsd
cat /var/run/nsd/nsd.pid
cat /var/db/nsd/nsd.pid
cat /var/chroot/nsd/nsd.pid
netstat -lntup | grep 53

reload

# DOES NOT WORK
#pkill -HUP nsd

# YOU NEED TO GRAB THE PID MANUALLY - THE PARENT PROCESS
ps auxfww | grep nsd
kill -HUP PID

# or read the parent PID from the pidfile configured above
kill -HUP $(cat /var/chroot/nsd/db/nsd.pid)

stop

# IDEM
#pkill nsd
kill PID
kill $(cat /var/chroot/nsd/db/nsd.pid)

Ready to go w/ remote control

enable at startup

echo starting nsd
/usr/local/sbin/nsd-control start

status

nsd-control status

status for the zones

nsd-control zonestatus

reload

#nsd-control reload [<zone>]
#nsd-control reconfig

Acceptance

verify a few records

host $domain localhost
host -t ns $domain localhost
host -t mx $domain localhost
host HOST.$domain localhost

dig $domain @localhost +short
dig ns $domain @localhost +short
dig mx $domain @localhost +short
dig HOST.$domain @localhost +short

DNSSEC

see nsd-dnssec

Troubleshooting

Trying to start the daemon on NetBSD

problems sending reload xfrdtomain: Broken pipe
May 12 13:10:45 malabar nsd[13294]: did not get start signal from main

==> this does not help:

rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid
ll /var/db/nsd/

rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/
ll /var/chroot/nsd/

==> neither does this

CFLAGS="-g -O2"
...
/usr/local/sbin/nsd -V 5
-F -1 -L 2

==> see NSD from scratch; NSD has been bug-fixed in the meantime.

Troubleshooting

Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html

FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588

NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452

[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html

[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html

Resources

nsd - Name Server Daemon (NSD) version 4.3.6. https://www.nlnetlabs.nl/documentation/nsd/nsd/

nsd.conf - NSD configuration file https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/

nsd-control, nsd-control-setup - NSD remote server control utility. https://www.nlnetlabs.nl/documentation/nsd/nsd-control/

nsd-checkconf - NSD configuration file checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/

nsd-checkzone - NSD zone file syntax checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/

How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04

How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line

backup ns

Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns

ttl

What is DNS TTL + Best Practices https://www.varonis.com/blog/dns-ttl/
