Setting Up NSD3 for DNS

There are two major players in the Domain Name System server market: BIND and NSD. The former has been around since the 1980s and makes up a majority of the installations in use today, while the latter saw its first release around the turn of the century and is designed to be purely authoritative (incapable of recursive DNS queries). While selecting a DNS server for Ambrose University College, NSD’s ability to easily run from a chroot, and its lightweight footprint (currently using 69MB of RAM for the entire server), easily won our vote. Furthermore, NSD can make use of BIND’s zonefiles, and the migration from our old server was complete in a matter of minutes.

Securing your server

Before you even consider working on your DNS server, you’ll want to lock down your security. What good is a server if you can’t trust it? I’ve written up a separate post on Securing a Linux Server that should give you a head start.

Install NSD

NSD will start as soon as you install it, and complain if you don’t have a config file created already, so we’ll create a blank file for now.

$ sudo mkdir /etc/nsd3
$ sudo touch /etc/nsd3/nsd.conf
$ sudo apt-get install nsd3
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  nsd3
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 931 kB of archives.
After this operation, 1,672 kB of additional disk space will be used.
Get:1 http://ca.archive.ubuntu.com/ubuntu/ precise/universe nsd3 amd64 3.2.9-1 [931 kB]
Fetched 931 kB in 1s (491 kB/s)
Selecting previously unselected package nsd3.
(Reading database ... 49711 files and directories currently installed.)
Unpacking nsd3 (from .../nsd3_3.2.9-1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up nsd3 (3.2.9-1) ...
grep: /etc/aliases: No such file or directory
 * Building nsd3 zones... [ OK ]
 * Starting nsd3...       [ OK ]

Give yourself access to /etc/nsd3

By default, you won’t have access to /etc/nsd3 without working as root, and running as root is bad form, so let’s add the nsd group to our account. We probably have some kernel updates that need to be applied, and we need to relogin for the group to apply, so this is the perfect time to reboot our server as well.

$ sudo usermod -a -G nsd spenserj
$ sudo reboot now
Broadcast message from spenserj@dnsmaster
    (/dev/pts/0) at 17:23 ...

The system is going down for reboot NOW!

Configure NSD

Configure NSD as a Master

You’ll find a sample configuration at /etc/nsd3/nsd.conf.sample, and man nsd.conf is a great place to find more information. The config is quite simple though, and I was up and running in minutes.

/etc/nsd3/nsd.conf
server:
  logfile: "/var/log/nsd.log"
  username: nsd
  hide-version: yes
  identity: "ns1.ambrose.edu"

# Primary ambrose.edu Forward Lookup Zone
zone:
  name: ambrose.edu
  zonefile: forward/ambrose.edu.zone

  notify:      dnsslave1 NOKEY
  provide-xfr: dnsslave1 NOKEY

  notify:      dnsslave2 slave2key
  provide-xfr: dnsslave2 slave2key

# Shaw Reverse Lookup Zone
zone:
  name: 237.244.66.in-addr.arpa
  zonefile: reverse/66.244.237.zone

  notify:      dnsslave1 NOKEY
  provide-xfr: dnsslave1 NOKEY

  notify:      dnsslave2 slave2key
  provide-xfr: dnsslave2 slave2key

key:
  name: slave2key
  algorithm: hmac-md5
  secret: "95hP9OTvHID2jJO2GNaeuw=="

You may be asking yourself “But Spenser, how do I generate that key?”, and thankfully the answer is quite simple.

$ dd if=/dev/random bs=16 count=1 2>/dev/null | openssl base64
NzmiUkU7zA/2rQ6nnjut3w==

Configure NSD as a Slave

The slave configuration is nearly identical to the master, with the only change being the notify and provide-xfr lines changing to the slave-variant. Each zone is required to have a zonefile, but you don’t need to fill it out if it pulls from the master, so I just touched each file and left it empty.

/etc/nsd3/nsd.conf
zone:
  name: ambrose.edu
  zonefile: forward/ambrose.edu.zone

  allow-notify:      dnsmaster NOKEY
  request-xfr:  AXFR dnsmaster NOKEY

Zonefiles

NSD uses BIND zonefiles, and there is a plethora of documentation and guides on how to write one, so hit up your favourite search engine and you’ll be on your way. Don’t forget to update the SOA Serial whenever you make a change, otherwise the next step won’t work.
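As an added example (not from the original post), here is a small POSIX sh helper that bumps a zonefile's SOA serial in place using the YYYYMMDDnn convention visible in this post's dig output; it assumes the serial is tagged with a trailing "; serial" comment, as in that output, and always produces a strictly larger value even on the 100th edit of a day.

```shell
#!/bin/sh
# Added example (not from the original post): bump the SOA serial of a
# BIND-style zonefile. Assumes the serial is on a line ending in "; serial".

# next_serial CURRENT TODAY -> prints the new serial.
# Rule: use TODAY"01" if that is larger than CURRENT, else CURRENT+1, so the
# serial never goes backwards, even after 99 edits in one day.
next_serial() {
    current=$1
    candidate="${2}01"
    if [ "$candidate" -gt "$current" ]; then
        echo "$candidate"
    else
        echo $((current + 1))
    fi
}

# zone_serial FILE -> prints the serial found on the first "; serial" line.
# Takes the last token before the ";", so "( 2013071201 ; serial" also works.
zone_serial() {
    awk -F';' '/; *serial/ { n = split($1, f, " "); print f[n]; exit }' "$1"
}

# bump_zone_serial FILE [TODAY] -> rewrites FILE and prints the new serial.
# TODAY defaults to the current date (YYYYMMDD); passing it makes tests stable.
bump_zone_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    old=$(zone_serial "$file")
    case $old in
        ''|*[!0-9]*) echo "no numeric '; serial' line in $file" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$today")
    # Replace only the number on the "; serial" line, via a temp file so the
    # script works with both GNU and BSD sed.
    sed "s/$old\([[:space:]]*; *serial\)/$new\1/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "$new"
}

# Usage (constructed path): bump_zone_serial /etc/nsd3/forward/ambrose.edu.zone
```

After bumping, run the rebuild/reload step described below so NSD picks up the new serial and notifies the slaves.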

Applying your configuration changes

If you’ve modified your nsd.conf, you’ll need to restart NSD.

$ sudo nsdc restart

Otherwise, changes to zonefiles require the zone database to be rebuilt and reloaded.

$ sudo nsdc rebuild
$ sudo nsdc reload

If you have any slaves configured, be sure to check your logs for errors. If you haven’t set the server verbosity to 1 (incoming notifies/transfers) or 2 (soft warnings) and you don’t receive an error, it is likely working.

Confirming your Master/Slave zones

Dig is a wonderful tool when testing DNS changes. Check the forward and reverse zones of each of your nameservers, and make sure the serial and information matches. Then update the serial on your master, rebuild/reload, and check the slave again.

Check a Forward Zone
$ dig @ns2.ambrose.edu +nocmd mail.ambrose.edu any +multiline +noall +answer
mail.ambrose.edu.       10800 IN A 66.244.237.42
Check a Reverse Zone
$ dig @ns2.ambrose.edu +nocmd 237.244.66.in-addr.arpa. any +multiline +noall +answer
237.244.66.in-addr.arpa. 10800 IN SOA ns1.ambrose.edu. helpdesk.ambrose.edu. (
                                2013071201 ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
237.244.66.in-addr.arpa. 10800 IN NS ns1.

$ dig @ns2.ambrose.edu +nocmd 42.237.244.66.in-addr.arpa. any +multiline +noall +answer
42.237.244.66.in-addr.arpa. 10800 IN PTR mail.ambrose.edu.
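The manual serial comparison above, automated as an added example that is not part of the original post: a POSIX sh script that asks each nameserver for the zone's SOA with dig +short and reports whether the serials agree. The server and zone names are the ones used in this post; the pure parsing and comparison functions need no network.

```shell
#!/bin/sh
# Added example (not from the original post): confirm every nameserver serves
# the same SOA serial for a zone, i.e. the slaves have picked up the master.

# soa_serial_from_short ANSWER -> prints the serial field of a `dig +short SOA`
# answer ("mname rname serial refresh retry expire minimum"); fails on anything
# that does not have exactly those seven fields (NXDOMAIN, timeout, A record).
soa_serial_from_short() {
    set -- $1
    [ $# -eq 7 ] || return 1
    echo "$3"
}

# serials_agree SERIAL... -> 0 if all given serials are identical and non-empty.
serials_agree() {
    first=$1
    [ -n "$first" ] || return 1
    for s in "$@"; do
        [ "$s" = "$first" ] || return 1
    done
    return 0
}

# check_zone ZONE SERVER... -> prints one line per server and a verdict.
check_zone() {
    zone=$1; shift
    all=""
    for ns in "$@"; do
        answer=$(dig @"$ns" +short +time=3 +tries=1 "$zone" SOA | head -n 1)
        serial=$(soa_serial_from_short "$answer") || serial="NOANSWER"
        printf '%-22s %s\n' "$ns" "$serial"
        all="$all $serial"
    done
    # Word-splitting of $all is intended here: one serial per argument.
    if serials_agree $all; then
        echo "OK: all servers agree on serial ${all# }"
    else
        echo "MISMATCH: a slave has not transferred the zone yet, check the logs" >&2
        return 1
    fi
}

# Usage, with the names from this post:
# check_zone ambrose.edu ns1.ambrose.edu ns2.ambrose.edu
# check_zone 237.244.66.in-addr.arpa ns1.ambrose.edu ns2.ambrose.edu
```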

Get a second opinion

There are quite a few automated tests that will check the responses from your nameservers, and ensure everything is in working order. I found that Pingdom, the Swedish Internet Infrastructure Foundation, and IntoDNS were extremely helpful.
