Configuring nsd
nsd is an authoritative name server. It is part of the OpenBSD base system, so no installation is necessary.
Advantages of nsd:
- Audited by the OpenBSD team
- Simpler than BIND
Disadvantages of nsd:
- More difficult to fork compared to delphinusdnsd
NOTICE: This guide assumes you have a basic understanding of TCP/IP networking, IPv4 and IPv6 addressing, the domain name system, resource records, and zone files.
Introduction
Please read through the nsd, nsd.conf, nsd-checkconf, and nsd-control man pages.
nsd.conf
Edit these sections in /var/nsd/etc/nsd.conf:
server:
    hide-version: yes
    verbosity: 2
    database: "" # disable database
    username: _nsd
    logfile: "/var/log/nsd.log"
You'll want to hide the version and set verbosity to 2 to get errors and warnings about failed transfers. We don't need a database, so we leave it blank; we drop privileges to the user _nsd after binding the sockets; and we log to /var/log/nsd.log.
## bind to a specific address/port
ip-address: 198.51.100.1
# ip-address: 192.0.2.53@5678
ip-address: 2001:db8::
We bind to our public IPv4 address 198.51.100.1 and our public IPv6 address 2001:db8:: (substitute these with your real public IP addresses).
Note: If you forget your real public IP addresses, you can check ifconfig, your hostname.if0, or the BuyVM or VMM install guides.
remote-control:
    control-enable: yes
    control-interface: /var/run/nsd.sock
This will allow using nsd-control to control the server.
Master-Only Server
The DNS system requires you to specify master and slave servers. Internet standards require every zone to have at least two name servers, so you'll normally need to configure both a master and a slave.
To start off, we'll configure just a master name server. This will let us quickly test to see if our name server is working:
## master zone example
zone:
    name: "example.com"
    zonefile: "master/example.com"
    # notify: 192.0.2.1 NOKEY
    # provide-xfr: 192.0.2.1 NOKEY
We'll uncomment the zone. The name is the name of our domain or subdomain. If you registered your own domain, it might look like example.com. If you were provided a subdomain, it might look like subdomain.example.com. The zonefile might then be "master/subdomain.example.com", or "master/example.com" if you registered your own domain.
Write the Zone File
Write your DNS zone into the zone file you specified above, /var/nsd/zones/master/example.com:
$ORIGIN example.com.
example.com. 3600 SOA ns1.example.com. admin.example.com. (
    2021020301 ; serial YYYYMMDDnn
    1800       ; refresh
    3600       ; retry
    86400      ; expire
    3600 )     ; minimum TTL
    3600 IN MX 10 mail
    3600 IN A 198.51.100.1
    3600 IN AAAA 2001:db8::
    3600 IN NS ns1
    3600 IN NS ns2
ns1  3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
ns2  3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
www  3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
irc  3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
imap 3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
smtp 3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
mail 3600 IN A 198.51.100.1
     3600 IN AAAA 2001:db8::
For an explanation of how to interpret this zone file, please see the section on DNS zones.
Start NSD and Test
At this point, we can start nsd:
$ doas rcctl enable nsd
$ doas rcctl start nsd
If all was configured correctly, we should now be able to query our nameserver with host or dig:
$ host www.example.com example.com
Using domain server:
Name: example.com
Address: 198.51.100.1#53
Aliases:

www.example.com has address 198.51.100.1
www.example.com has IPv6 address 2001:db8::
This queries the name server example.com (198.51.100.1) for the resource records of www.example.com.
Delegate Zone
Once you've confirmed nsd works, you want to delegate authority for the zone to your nameserver. If you're using a subdomain, you'll need to ask the sysadmin in charge to finish this step. If you registered a domain elsewhere, make sure that the nameservers for the domain point to your nameserver (ns1.example.com and ns2.example.com) and that the glue records are defined.
Troubleshooting
If at any step you are not getting proper results, you should first check the conf and zones using these helpful tools:
$ doas nsd-checkconf /var/nsd/etc/nsd.conf
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
The error is found on line 34 of /var/nsd/etc/nsd.conf:
#zone:
    name: "example.com"
    zonefile: "master/example.com"
Here we forgot to uncomment zone:. Once that is done, try again. If there are no errors, nsd-checkconf prints nothing -- no news is good news!
You'll also want to check if the zone is valid:
$ doas nsd-checkzone example.com /var/nsd/zones/master/example.com
[2021-02-02 03:49:14.921] nsd-checkzone[32265]: error: /var/nsd/zones/master/example.com:8: out of zone data: out.of.zone.com. is outside the zone for fqdn example.com.
The error is on line 8 of /var/nsd/zones/master/example.com:
out.of.zone.com. 3600 IN A 10.0.0.1
Here we specify the FQDN out.of.zone.com., which is outside the zone this file covers (example.com). This is invalid, so nsd-checkzone refuses to look any further and quits. In this case, we need to delete this line (or perhaps move it to the proper zone file). Once that is done, run the check again:
$ doas nsd-checkzone example.com /var/nsd/zones/master/example.com
zone example.com is ok
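The two zone-file mistakes this guide deals with, a wrong SOA serial format in the zone file above and the out-of-zone record that nsd-checkzone rejects, can be caught before nsd ever reads the file. The following lint script is an added example and not part of the guide or of nsd; it assumes only POSIX sh and awk, and the sample zone it carries is a constructed, trimmed copy of the one written above.

```shell
# Added pre-check, not from the guide or nsd: run before nsd-checkzone.
# Reports (1) absolute owner names outside the zone (nsd's "out of zone
# data" error) and (2) an SOA serial that is not YYYYMMDDnn.
# Usage: zone_lint ZONE FILE ; exit status 0 means no findings.
zone_lint() {
    awk -v zone="$1." '
        { sub(/;.*/, "") }                    # strip comments, re-split fields
        NF == 0 || $1 == "$ORIGIN" { next }   # blank line or directive
        # absolute owner name (trailing dot) must be the apex or below it
        /^[^ \t]/ && $1 ~ /\.$/ && $1 != zone {
            if (substr($1, length($1) - length(zone)) != "." zone) {
                printf "out of zone data: %s is outside %s\n", $1, zone; bad++
            }
        }
        # serial = first field after "(" in the SOA record, maybe on next line
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa {
            for (i = 1; i <= NF; i++) {
                if ($i == "(") seen = 1
                else if (seen) { serial = $i; insoa = 0; break }
            }
        }
        END {
            m = substr(serial, 5, 2) + 0; d = substr(serial, 7, 2) + 0
            if (serial !~ /^[0-9]+$/ || length(serial) != 10 ||
                m < 1 || m > 12 || d < 1 || d > 31) {
                printf "SOA serial \"%s\" is not YYYYMMDDnn\n", serial; bad++
            }
            exit (bad + 0 > 0)
        }' "$2"
}
# Constructed sample: a trimmed copy of the zone file written in this guide.
sample_zone() {
    cat <<'EOF'
$ORIGIN example.com.
example.com. 3600 SOA ns1.example.com. admin.example.com. (
    2021020301 ; serial YYYYMMDDnn
    1800 ; refresh
    3600 ; retry
    86400 ; expire
    3600 ) ; minimum TTL
    3600 IN NS ns1
ns1 3600 IN A 198.51.100.1
EOF
}
# The same zone with the two mistakes from the Troubleshooting section added.
broken_sample_zone() {
    sample_zone | sed 's/2021020301/2021023/'
    echo 'out.of.zone.com. 3600 IN A 10.0.0.1'
}
```

Run it as `zone_lint example.com /var/nsd/zones/master/example.com` on the real file; it complements nsd-checkzone rather than replacing it, since nsd still validates record syntax.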
You can also run nsd in the foreground or view the logs:
$ doas nsd -d -V 3
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
[2021-02-02 03:33:50.261] nsd[93210]: error: could not read config: /var/nsd/etc/nsd.conf
This is the same error message we got from nsd-checkconf above.
Suppose we had deleted /var/nsd/zones/master/example.com. When we check /var/log/nsd.log, we see:
[2021-02-02 07:31:43.898] nsd[37575]: info: zonefile master/example.com does not exist
Tip: Whenever you encounter an error with nsd, always check /var/log/nsd.log.