
Setting up NSD from scratch

on Ubuntu Server 16.04

Introduction

We are going to bind the authoritative name server NSD to the lo network interface on port 54, so that it does not interfere with Unbound, which caches names and serves them on port 53.

Requirements

as root

Install a few needed libraries,

apt install build-essential \
    libevent-dev \
    libssl-dev

Compilation & Installation

as user

Fetch the latest version (https://www.nlnetlabs.nl/downloads/nsd/),

wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.17.tar.gz
sha256sum nsd-4.1.17.tar.gz
# Checksum sha256: 107fa506d18ed6fd0a922d1b96774afd9270ec38ec6b17cd7c46fb9433a03a6c 
#wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.17.tar.gz.asc
tar xzf nsd-4.1.17.tar.gz 
cd nsd-4.1.17/
#./configure --help|less
./configure
make
sudo make install
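The sha256sum call above only prints the digest; it is up to you to compare it with the one published on the download page. The following POSIX sh function (an added example, not part of the original page) does that comparison and refuses to return success on a mismatch, so it can gate the tar step. It runs offline against a constructed file whose digest it computes itself; for the real tarball you pass the published sum (the one quoted on this page is shown in a comment).

```shell
#!/bin/sh
# Added example: verify a downloaded tarball against its published SHA-256
# before unpacking it. Returns 0 on a match, 1 on a mismatch or unreadable file.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "verify_sha256: cannot read $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Constructed demo: a throwaway file whose digest we compute ourselves, so the
# example runs without network access. For the real download use the sum from
# the NLnet Labs page, e.g.:
#   verify_sha256 nsd-4.1.17.tar.gz \
#       107fa506d18ed6fd0a922d1b96774afd9270ec38ec6b17cd7c46fb9433a03a6c \
#       && tar xzf nsd-4.1.17.tar.gz
demo_tmp=$(mktemp)
printf 'hello nsd\n' > "$demo_tmp"
good_sum=$(sha256sum "$demo_tmp" | awk '{print $1}')
verify_sha256 "$demo_tmp" "$good_sum"
# a wrong (all-zero) digest is reported and the function fails
verify_sha256 "$demo_tmp" "0000000000000000000000000000000000000000000000000000000000000000" || true
rm -f "$demo_tmp"
```

Chaining `verify_sha256 ... && tar xzf ...` means a tampered or truncated download is never unpacked, let alone built and installed as root. The `.asc` signature file listed in the comment above gives a stronger check (it binds the digest to the NLnet Labs signing key) and can be verified with gpg once that key is trusted.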

Check the version you just got installed,

nsd -v

Configuration

as root

Create an unprivileged account for NSD to drop privileges to (nsd by default),

useradd -r nsd
grep nsd /etc/passwd
grep 999 /etc/group
chown -R nsd:nsd /var/db/nsd/

Also create a dedicated folder for NSD’s PID file,

mkdir /var/run/nsd/
chown nsd:nsd /var/run/nsd/

Generate the SSL keys and certificates for nsd-control (https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04),

nsd-control-setup
ls -lhF /etc/nsd/*.{key,pem}

Check how many cores you have (this sets server-count below),

grep ^processor /proc/cpuinfo 

Generate a secret for zone transfers,

dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64

Edit the configuration accordingly,

cd /etc/nsd/
cp -pi nsd.conf.sample nsd.conf
vi nsd.conf

server:
        # one process per CPU core (see above)
        server-count: 4
        # listen on port 54 and leave 53 to Unbound
        ip-address: 0.0.0.0:54
        #port: 54
        verbosity: 2
        pidfile: "/var/run/nsd/nsd.pid"
        hide-version: yes
        round-robin: yes

remote-control:
        control-enable: yes

key:
        name: "stdpierrekey"
        # base64 output of the dd command above
        secret: "PASTE SECRET HERE"

Notes.

Create a zone, e.g. for the stdpierre.os3.site name space, and a reverse zone for a single IP address,

cd /etc/nsd/
vi nsd.conf

zone:
        name: "stdpierre.os3.site"
        zonefile: "%s"

Create the zone files accordingly e.g.,

cd /etc/nsd/
date +%s
vi stdpierre.os3.site

$ORIGIN stdpierre.os3.site.
$TTL 1800

@       IN      SOA     stdpierre.os3.site.     p\.braun.innopolis.ru. (
                        1504548291              ; serial number (date +%s)
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum (negative caching ttl)
                        )

@               IN NS           stdpierre.os3.site.
@               IN A            18.221.51.221
*               IN A            18.221.51.221
mx              IN A            18.221.51.221
@               IN MX           0 mx
@               IN MX           9 mx.otherstudent.os3.site.
doc             IN CNAME        mx
ftp             IN CNAME        mx

Operations

as root

Always watch the logs in another window,

tail -F /var/log/syslog

Daemon Maintenance

Check your NSD configuration,

nsd-checkconf /etc/nsd/nsd.conf

Check the status and see if ports 53 and 54 are used or not,

nsd-control status
ls -alhF /var/db/nsd/
ls -alhF /var/run/nsd/
cat /var/run/nsd/nsd.pid
ps auxfw | grep ^nsd
netstat -antupe --inet --inet6 | grep -E ':5[34][[:space:]]'

Start the daemon (then check the status again, see above) and enable it at boot time,

nsd-control start

vi /etc/rc.local

echo -n starting NSD...
/usr/local/sbin/nsd-control start

To reload the configuration file,

nsd-control reconfig

Zones Maintenance

Check your zones,

nsd-checkzone stdpierre.os3.site /etc/nsd/stdpierre.os3.site

Check the status of the served zones,

nsd-control zonestatus stdpierre.os3.site

To reload an edited zone (works with or without the ending root dot),

nsd-control reload stdpierre.os3.site
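A reload only does something useful for secondaries if the SOA serial went up, and the date +%s trick above is only safe while nobody edits the zone twice in the same second or hand-types a larger number. The following POSIX sh helper (an added example, not the page's own code) reads the serial from a zone file laid out like the one above (serial on its own line followed by a "; serial" comment), rewrites it with max(old + 1, date +%s) and prints the new value, so it can sit in front of the nsd-checkzone and nsd-control reload commands. The demo zone it rewrites is a constructed, trimmed copy of this page's zone; it assumes GNU sed for in-place editing.

```shell
#!/bin/sh
# Added example: bump the SOA serial of a zone file in the layout used on this
# page. The new serial is never allowed to go backwards, otherwise secondaries
# would keep serving the stale copy after a reload.

current_serial() {
    # print the serial found on the "; serial" line of the zone file
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

next_serial() {
    # $1 = old serial, $2 = candidate (defaults to unix time, as on this page)
    old=$1
    cand=${2:-$(date +%s)}
    if [ "$cand" -gt "$old" ]; then
        echo "$cand"
    else
        echo $((old + 1))
    fi
}

bump_serial() {
    # $1 = zone file, $2 = optional candidate serial
    # rewrites the file in place and prints the new serial
    zf=$1
    old=$(current_serial "$zf")
    [ -n "$old" ] || { echo "bump_serial: no '; serial' line in $zf" >&2; return 1; }
    new=$(next_serial "$old" "$2")
    # replace only the number on the serial line, keep its comment (GNU sed -i)
    sed -i "/;[[:space:]]*serial/ s/$old/$new/" "$zf"
    echo "$new"
}

# Constructed demo zone: a trimmed copy of the layout used on this page
demo=$(mktemp)
cat > "$demo" <<'EOF'
$ORIGIN stdpierre.os3.site.
$TTL 1800
@       IN      SOA     stdpierre.os3.site.     p\.braun.innopolis.ru. (
                        1504548291              ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum
                        )
@               IN A            18.221.51.221
EOF
echo "old serial: $(current_serial "$demo")"
echo "new serial: $(bump_serial "$demo")"
rm -f "$demo"

# On the real file the sequence becomes:
#   bump_serial /etc/nsd/stdpierre.os3.site \
#     && nsd-checkzone stdpierre.os3.site /etc/nsd/stdpierre.os3.site \
#     && nsd-control reload stdpierre.os3.site
```

Running nsd-checkzone between the bump and the reload keeps a syntax error from being pushed live: nsd-control reload only gets called when the check exits 0.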

Acceptance

Verify a few records e.g.,

dig -t NS -p 54 stdpierre.os3.site @localhost +short
dig -t MX -p 54 stdpierre.os3.site @localhost +short
dig -p 54 stdpierre.os3.site @localhost +short
dig -p 54 mx.stdpierre.os3.site @localhost +short
dig -p 54 ftp.stdpierre.os3.site @localhost +short

Troubleshooting

If you get this error while stopping the daemon,

failed to unlink pidfile /var/run/nsd.pid: Permission denied

simply make sure you have created a dedicated folder for NSD’s PID file as stated above.

References

Refs – DNSSEC


Home | GitHub | Docker Hub | Donate | Contact