Configuring nsd
nsd is an authoritative name server. It is part of the OpenBSD base system, so no installation is necessary.
Advantages of nsd:
- Audited by the OpenBSD team
- Simpler than BIND
Disadvantages of nsd:
- More difficult to fork compared to delphinusdnsd
NOTICE: This guide assumes you have a basic understanding of TCP/IP networking, IPv4 and IPv6 addressing, the domain name system, resource records, and zone files.
Introduction
Please read through the nsd, nsd.conf, nsd-checkconf, and nsd-control man pages.
nsd.conf
Edit these sections in /var/nsd/etc/nsd.conf:
server:
        hide-version: yes
        verbosity: 2
        database: "" # disable database
        username: _nsd
        logfile: "/var/log/nsd.log"
You'll want to hide the version and set verbosity to 2 so that errors and warnings about failed transfers are logged. We don't want a database, so we leave it blank; we drop privileges to the user _nsd after binding the listening sockets; and we log to /var/log/nsd.log.
## bind to a specific address/port
        ip-address: 198.51.100.1
#       ip-address: 192.0.2.53@5678
        ip-address: 2001:db8::
We bind to our public IPv4 address 198.51.100.1 and our public IPv6 address 2001:db8:: (substitute these with your real public IP addresses).
Note: If you forget your real public IP addresses, you can check ifconfig, your hostname.if0 file, or your BuyVM or VMM install guides.
remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.sock
This will allow using nsd-control to control the server.
Master-Only Server
The DNS system requires you to specify master and slave servers. Internet standards require every zone to have at least two name servers, so you'll normally need to configure both a master and a slave.
To start off, we'll configure just a master name server. This will let us quickly test to see if our name server is working:
## master zone example
zone:
       name: "example.com"
       zonefile: "master/example.com"
#       notify: 192.0.2.1 NOKEY
#       provide-xfr: 192.0.2.1 NOKEY
We'll uncomment the zone. The name is the name of our domain or subdomain. If you registered your own domain, it might look like example.com; if you were provided a subdomain, it might look like subdomain.example.com. The zonefile would then be "master/example.com" or "master/subdomain.example.com", respectively.
Write the Zone File
Write your DNS zone into the zone file you specified above, /var/nsd/zones/master/example.com:
$ORIGIN example.com.
example.com.     3600   SOA   ns1.example.com. admin.example.com. (
                            2021020301   ; serial YYYYMMDDnn
                            1800        ; refresh
                            3600         ; retry
                            86400       ; expire
                            3600 )      ; minimum TTL
        3600    IN      MX      10 mail
        3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
        3600    IN      NS      ns1
        3600    IN      NS      ns2
ns1     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
ns2     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
www     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
irc     3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
imap    3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
smtp    3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
mail    3600    IN      A       198.51.100.1
        3600    IN      AAAA    2001:db8::
For an explanation of how to interpret this zone file, please see the section on DNS zones.
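Every change to this zone file must be accompanied by a higher SOA serial, or secondaries will never notice the change. The following shell helpers are an added example, not part of the original page or of nsd itself: they read the serial out of a zone file written in the multi-line style above and compute the next one in the YYYYMMDDnn convention the comment in the SOA record describes. The sample zone is constructed for the demonstration and the function names (next_serial, zone_serial, bump_zone_serial) are chosen here.

```shell
#!/bin/sh
# Added example (not from the nsd project or the original page): helpers for the
# YYYYMMDDnn serial convention used in the zone file above.

# next_serial CURRENT [TODAY]
# Print the serial that should follow CURRENT. TODAY is YYYYMMDD and defaults to
# the local date. If CURRENT was issued on an earlier day, today's count starts
# at 00; otherwise (same day, or a serial already ahead of the clock) we add
# one, so the serial always increases and secondaries pick up the change.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        ''|*[!0-9]*) echo "next_serial: bad serial '$cur'" >&2; return 1 ;;
    esac
    cur_day=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$cur_day" -lt "$today" ]; then
        printf '%s00\n' "$today"
    else
        printf '%s\n' $((cur + 1))
    fi
}

# zone_serial ZONEFILE
# Print the serial from the SOA record. Comments are stripped, then the RDATA
# after "SOA" is gathered until the closing ")" (or immediately, if the record
# is on one line); the third RDATA field after MNAME and RNAME is the serial.
zone_serial() {
    awk '
        { sub(/;.*/, "") }                       # drop comments
        !insoa && /[ \t]SOA[ \t]/ {
            insoa = 1
            sub(/.*[ \t]SOA[ \t]+/, "")          # keep only the RDATA part
        }
        insoa {
            buf = buf " " $0
            if (buf ~ /\)/ || buf !~ /\(/) {
                gsub(/[()]/, " ", buf)
                n = split(buf, f, /[ \t]+/)
                k = 0
                for (i = 1; i <= n; i++) {
                    if (f[i] == "") continue     # leading empty field
                    k++
                    if (k == 3) { print f[i]; exit }
                }
            }
        }
    ' "$1"
}

# bump_zone_serial ZONEFILE [TODAY]
# Replace the serial in place and print the new value. The file is rewritten
# through a temp file and copied back with cat so the zone file keeps its
# owner and mode (and this works with both OpenBSD and GNU userland).
bump_zone_serial() {
    zf=$1
    old=$(zone_serial "$zf") || return 1
    new=$(next_serial "$old" "$2") || return 1
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        !done { for (i = 1; i <= NF; i++) if ($i == old) { sub(old, new); done = 1; break } }
        { print }
    ' "$zf" > "$tmp" && cat "$tmp" > "$zf"
    rm -f "$tmp"
    printf '%s\n' "$new"
}

# Constructed sample zone (same layout as the page's zone file) for the demo.
SAMPLE_ZONE=$(mktemp) || exit 1
cat > "$SAMPLE_ZONE" <<'EOF'
$ORIGIN example.com.
example.com.     3600   SOA   ns1.example.com. admin.example.com. (
                            2021020301   ; serial YYYYMMDDnn
                            1800        ; refresh
                            3600         ; retry
                            86400       ; expire
                            3600 )      ; minimum TTL
        3600    IN      NS      ns1
ns1     3600    IN      A       198.51.100.1
EOF

echo "current serial:          $(zone_serial "$SAMPLE_ZONE")"
echo "next serial (same day):  $(next_serial 2021020301 20210203)"
echo "next serial (later day): $(next_serial 2021020301 20210315)"
```

On the server you would run bump_zone_serial against /var/nsd/zones/master/example.com after editing the zone, then check it with nsd-checkzone and reload nsd. Note that the day component is compared numerically, so a serial that is already ahead of the system clock is simply incremented rather than moved backwards.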
Start NSD and Test
At this point, we can start nsd:
$ doas rcctl enable nsd
$ doas rcctl start nsd
If all was configured correctly, we should now be able to query our nameserver with host or dig:
$ host www.example.com example.com
Using domain server:
Name: example.com
Address: 198.51.100.1#53
Aliases:

www.example.com has address 198.51.100.1
www.example.com has IPv6 address 2001:db8::
This queries the name server example.com directly for the resource records of www.example.com, bypassing whatever resolver the system normally uses.
Delegate Zone
Once you've confirmed nsd works, you want to delegate authority for the zone to your nameserver. If you're using a subdomain, you'll need to ask the sysadmin in charge to finish this step. If you registered a domain elsewhere, make sure that the NS records for the domain at your registrar point to your nameservers (ns1.example.com and ns2.example.com) and that the glue records (the A and AAAA addresses of those nameservers) are defined.
Troubleshooting
If at any step you are not getting proper results, you should first check the conf and zones using these helpful tools:
$ doas nsd-checkconf /var/nsd/etc/nsd.conf
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
The error is found on line 34 of /var/nsd/etc/nsd.conf:
#zone:
       name: "example.com"
       zonefile: "master/example.com"
Here we forgot to uncomment zone:. Once that is done, try again. If there are no errors, nsd-checkconf will not return any output -- no news is good news!
You'll also want to check if the zone is valid:
$ doas nsd-checkzone example.com /var/nsd/zones/master/example.com
[2021-02-02 03:49:14.921] nsd-checkzone[32265]: error: /var/nsd/zones/master/example.com:8: out of zone data: out.of.zone.com. is outside the zone for fqdn example.com.
The error is on line 8 of /var/nsd/zones/master/example.com:
out.of.zone.com. 3600 IN A 10.0.0.1
Here we specify a FQDN, out.of.zone.com., which is outside of the zone for this file (example.com). This is invalid, so nsd refuses to look any further and quits. In this case, we need to delete this line (or perhaps move it to the proper zone file). Once that is done, run the test again:
$ doas nsd-checkzone example.com /var/nsd/zones/master/example.com
zone example.com is ok
You can also run nsd in the foreground or view the logs:
$ doas nsd -d -V 3
/var/nsd/etc/nsd.conf:34: at 'name:': error: syntax error
read /var/nsd/etc/nsd.conf failed: 1 errors in configuration file
[2021-02-02 03:33:50.261] nsd[93210]: error: could not read config: /var/nsd/etc/nsd.conf
This is the same error message as before when we ran nsd-checkconf above.
Suppose we had deleted /var/nsd/zones/master/example.com. When we check /var/log/nsd.log, we see:
[2021-02-02 07:31:43.898] nsd[37575]: info: zonefile master/example.com does not exist
Tip: Whenever you encounter an error with nsd, always check /var/log/nsd.log.
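The two checks in this section are worth running together every time the configuration or a zone changes, before the running daemon is told to reload. The script below is an added example, not part of the original page or of nsd: conf_zones pulls the name:/zonefile: pairs out of the active zone: blocks in nsd.conf, and check_and_reload runs nsd-checkconf, then nsd-checkzone for each zone, and only then nsd-control reload. It assumes the OpenBSD layout used on this page (/var/nsd/etc/nsd.conf, zonefile paths relative to /var/nsd/zones); the sample nsd.conf and the function names are constructed here.

```shell
#!/bin/sh
# Added example (not from the nsd project or the original page): gate an
# nsd-control reload behind nsd-checkconf and nsd-checkzone for every zone.

# conf_zones CONF
# Print "name zonefile" for each zone: block in CONF. Comment lines are
# skipped, a new top-level clause (server:, remote-control:, ...) or the next
# zone: ends the current block, and the surrounding quotes are removed.
conf_zones() {
    awk '
        function flush() {
            if (name != "" && file != "") {
                gsub(/"/, "", name); gsub(/"/, "", file)
                print name, file
            }
            name = ""; file = ""
        }
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*zone:/ { flush(); inzone = 1; next }
        /^[^ \t]/ { flush(); inzone = 0 }          # other top-level clause
        inzone && $1 == "name:"     { name = $2 }
        inzone && $1 == "zonefile:" { file = $2 }
        END { flush() }
    ' "$1"
}

# check_and_reload [CONF]
# nsd-checkconf prints nothing on success; any error stops us before touching
# the daemon. Each zone file is checked relative to the zones directory
# (assumption: the default OpenBSD path, override with ZONEDIR if needed).
check_and_reload() {
    conf=${1:-/var/nsd/etc/nsd.conf}
    zonedir=${ZONEDIR:-/var/nsd/zones}
    doas nsd-checkconf "$conf" || return 1
    conf_zones "$conf" | while read -r name file; do
        doas nsd-checkzone "$name" "$zonedir/$file" || exit 1
    done || return 1
    doas nsd-control reload
}

# Constructed sample nsd.conf, in the same layout as the snippets above.
SAMPLE_CONF=$(mktemp) || exit 1
cat > "$SAMPLE_CONF" <<'EOF'
server:
        hide-version: yes
        database: "" # disable database
        username: _nsd
remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.sock
## master zone example
zone:
        name: "example.com"
        zonefile: "master/example.com"
#       notify: 192.0.2.1 NOKEY
#       provide-xfr: 192.0.2.1 NOKEY
zone:
        name: "example.net"
        zonefile: "master/example.net"
EOF

echo "zones found in sample config:"
conf_zones "$SAMPLE_CONF"
```

On the server, call check_and_reload (with no argument for the default nsd.conf) after editing a zone; because the reload only happens when every check passed, a syntax error like the "#zone:" mistake above or an out-of-zone record is caught without the daemon ever seeing the broken file.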
