apt install nsd cd /etc/nsd/ mkdir .trash/ mv nsd.conf nsd.conf.d/ .trash/ zcat /usr/share/doc/nsd/examples/nsd.conf.sample.gz > nsd.conf.sample sed -r '/^[[:space:]]*(#|$)/d' nsd.conf.sample > nsd.conf
apt install build-essential \
libevent-dev \
libssl-dev
beware the databases goes to /var/lib/nsd/ instead of /var/db/nsd
grab the latest release w/ signature and hash, build e.g. on netbsd
export CPPFLAGS="-D_OPENBSD_SOURCE" #export CFLAGS="-g -O2" export OPENSSL_CFLAGS="-I/usr/local/ssl/include" export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto" args --disable-dnstap --disable-systemd --with-ssl=/usr/local/ssl --disable-ipv6 #--enable-mmap
in case you plan to chroot you might need to force configuration file location for nsd-control reconfig to re-read its configuration
#--with-chroot=/var/chroot/nsd --with-nsd_conf_file=/var/chroot/nsd/nsd.conf
if it doesn’t exist yet (NetBSD has _nsd built-in, although nsd is the default), create an account for NSD to drop privileges
groupadd -g 32764 nsd useradd -u 32764 -d /var/db/nsd -g nsd -s /sbin/nologin nsd #-d /var/chroot/nsd
-r / --system on Debian/Ubuntu-m as the folder was created during make installprovide some defaults
cd /etc/nsd/ sed -r '/^[[:space:]]*(#|$)/d' nsd.conf.sample > nsd.conf
you can also control-enable: no and skip the key setup if you do not plan to transfer (or receive?) any zone
generate two private keys and two self-signed SSL certificates
cd /etc/nsd/ nsd-control-setup ll /etc/nsd/*.key ll /etc/nsd/*.pem
eventually generate a secret for zone transfers
dd if=/dev/random count=1 bs=32 | base64 #dd if=/dev/urandom count=1 bs=32 | base64
server:
username: _nsd
pidfile: "/var/run/nsd/nsd.pid"
remote-control:
control-enable: no
zone:
name: "example.local"
zonefile: "%s.db"
/usr/local/sbin/nsd -4 -V 5
how much cores?
dmesg | egrep '(^|] )cpu[[:digit:]]+:' grep ^processor /proc/cpuinfo
edit the configuration accordingly
vi /etc/nsd/nsd.conf
server:
do-ip4: yes
do-ip6: no
verbosity: 1
#verbosity: 3
username: _nsd
server-count: HOW_MANY_CORES
pidfile: "/var/run/nsd/nsd.pid"
hide-version: yes
version: "NSD"
#round-robin: yes
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: "/etc/nsd/nsd_server.key"
server-cert-file: "/etc/nsd/nsd_server.pem"
control-key-file: "/etc/nsd/nsd_control.key"
control-cert-file: "/etc/nsd/nsd_control.pem"
key:
name: "HOSTkey"
algorithm: hmac-sha256
secret: "PASTE SECRET HERE"
define e.g. example.local and its reverse name spaces
zone:
name: "example.local"
zonefile: "%s.db"
zone:
name: "c.b.a.in-addr.arpa"
zonefile: "a.b.c.db"
round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be for the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.zone=example.local
date +%s
vi /var/chroot/var/db/$zone.db
$ORIGIN example.local.
$TTL 1800
@ IN SOA example.local. abuse.example.local. (
SERIAL-HERE ; serial number
3600 ; refresh
900 ; retry
1209600 ; expire
1800 ; ttl
)
IN NS ns.example.local.
IN MX 5 mx
IN A INTERNAL_IP
* IN A INTERNAL_IP
ns IN A INTERNAL_IP
mx IN A INTERNAL_IP
host IN A INTERNAL_IP
pxe IN CNAME host
you will get two errors
unable to open the database /var/db/nsd/nsd.db: Permission denied failed to unlink pidfile /var/run/nsd.pid: Permission denied
so fix the perms accordingly and create a dedicated folder for pid (draft THOSE NEED TO BE GENERATED BY THE SAME USER THAT RUNS NSD-CONTROL in case it is not root, and which supposedly may not be the same as the running daemon)
ll /var/db/nsd/
ll /var/run/nsd/
ps auxww | grep nsd
rm -f /var/run/nsd/nsd.pid
rm -f /var/db/nsd/nsd.db
mkdir -p /var/run/nsd/
chown -R _nsd:_nsd /var/db/nsd/
chown -R _nsd:_nsd /var/run/nsd/
vi /etc/nsd/nsd.conf
pidfile: "/var/run/nsd/nsd.pid"
mv /etc/nsd/nsd.conf /var/chroot/nsd/nsd.conf chmod 444 /var/chroot/nsd/nsd.conf ln -s /var/chroot/nsd/nsd.conf /etc/nsd/nsd.conf vi /var/chroot/nsd/nsd.conf rm -rf /var/db/nsd/ rm -rf /var/run/nsd/
the dirty - and maybe problematic - way
server:
...
pidfile: "/var/chroot/nsd/nsd.pid"
...
chroot: "/var/chroot/nsd"
zonesdir: "/var/chroot/nsd"
zonelistfile: "/var/chroot/nsd/zone.list"
database: "/var/chroot/nsd/nsd.db"
#xfrdfile: ""
xfrdfile: "/var/chroot/nsd/xfrd.state"
xfrdir: "/var/chroot/nsd"
chown -R _nsd:_nsd /var/chroot/nsd/
ll /var/chroot/nsd/
–> nsd.conf and ZONE.db (not nsd.db) are root:wheel
the clean way
#ll /var/chroot/nsd/var/db/ #ll /var/chroot/nsd/var/db/nsd/ #ll /var/chroot/nsd/var/run/ #mkdir /var/chroot/nsd/tmp/ #chown -R root:wheel /var/chroot/nsd/ #chown -R nsd:nsd /var/chroot/nsd/var/db/ #chown -R nsd:nsd /var/chroot/nsd/var/run/ #chown -R nsd:nsd /var/chroot/nsd/tmp/
it seems only Unbound has special restrictions on serving localhost. NSD serves localhost just fine by default
NSD binds to all interfaces by default (incl. localhost) but we want to use Unbound on the same host
vi /etc/nsd/nsd.conf
ip-address: 127.0.0.1@5353
ip-address: ::1@5353
notify & XFR to backup NS
zone:
name: "example.com"
zonefile: "%s.db"
notify: x.x.x.x NOKEY
provide-xfr: x.x.x.x NOKEY
nsd -v tail -F /var/log/messages tail -F /var/log/syslog nsd-checkconf /etc/nsd/nsd.conf && echo config ok nsd-checkzone example.local /etc/nsd/example.local.db
debian/ubuntu binary
systemctl start nsd #systemctl restart nsd #systemctl reload nsd
manually
ps auxww | grep nsd cat /var/run/nsd/nsd.pid /usr/local/sbin/nsd -4 #pkill nsd
w/ remote-control
nsd-control status nsd-control start #nsd-control reload [<zone>] #nsd-control reconfig
at boot time
vi /etc/rc.local #self verbose echo starting NSD /usr/local/sbin/nsd-control start
53/udp and tcp
netstat -lntupe --inet --inet6 | grep 53
status for the zones
nsd-control zonestatus example.local
verify a few records
host example.local localhost host pxe.example.local localhost host -t ns example.local localhost host -t mx example.local localhost dig example.local @localhost +short dig pxe.example.local @localhost +short dig -t ns example.local @localhost +short dig -t mx example.local @localhost +short
on-going draft
problems sending reload xfrdtomain: Broken pipe May 12 13:10:45 malabar nsd[13294]: did not get start signal from main
==> this does not help:
rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid ll /var/db/nsd/ rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/ ll /var/chroot/nsd/
this neither
CFLAGS="-g -O2" ... /usr/local/sbin/nsd -V 5 -F -1 -L 2
README https://github.com/NLnetLabs/nsd/tree/master/doc/README
man 8 nsd / https://www.nlnetlabs.nl/documentation/nsd/nsd/
man 5 nsd.conf / https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/
man 8 nsd-control / https://www.nlnetlabs.nl/documentation/nsd/nsd-control/
man 8 nsd-checkconf / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/
man 8 nsd-checkzone / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/
How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04
How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line
Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html
FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588
NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452
[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html
[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html
Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns