Przejdź do treści

NSD Authoritative DNS

An alternative to BIND, NSD (Name Server Daemon) is a modern authoritative-only DNS server maintained by NLnet Labs.

Prerequisites and assumptions

  • A server running Rocky Linux
  • Able to use firewalld for creating firewall rules
  • A domain name or internal recursive DNS server pointed to your authoritative DNS server

Introduction

External, or public, DNS servers map hostnames to IP addresses and, in the case of PTR (known as "pointer" or "reverse") records, map the IP addresses to the hostname. This is an essential part of the Internet. It makes your mail server, web server, FTP server, or many other servers and services work as expected no matter where you are.

Installing and enabling NSD

First, install EPEL:

dnf install epel-release

Next, install NSD:

dnf install nsd

Configuring NSD

Before making changes to any configuration file, copy the original installed working file, nsd.conf:

cp /etc/nsd/nsd.conf /etc/nsd/nsd.conf.orig

That will help in the future if the introduction of errors into the configuration file occurs. It is always a good idea to make a backup copy before making changes.

Edit the nsd.conf file. The author uses vi, but you can substitute your favorite command line editor:

vi /etc/nsd/nsd.conf

Navigate to the bottom and insert the following:

zone:
    name: example.com
    zonefile: /etc/nsd/example.com.zone

Replace example.com with the domain name for which you run a nameserver.

Next, create the zone files:

vi /etc/nsd/example.com.zone

The DNS zone files are BIND compatible. In the file, insert:

$TTL    86400 ; How long should records last?
; $TTL used for all RRs without explicit TTL value
$ORIGIN example.com. ; Define our domain name
@  1D  IN  SOA ns1.example.com. hostmaster.example.com. (
                              2024061301 ; serial
                              3h ; refresh duration
                              15 ; retry duration
                              1w ; expiry duration
                              3h ; nxdomain error ttl
                             )
       IN  NS     ns1.example.com. ; in the domain
       IN  MX  10 mail.another.com. ; external mail provider
       IN  A      172.20.0.100 ; default A record
; server host definitions
ns1    IN  A      172.20.0.100 ; name server definition
www    IN  A      172.20.0.101 ; web server definition
mail   IN  A      172.20.0.102 ; mail server definition

If you need help customizing BIND-style zone files, Oracle has a good introduction to zone files.

Save your changes.

Enabling NSD

Next, allow DNS ports in firewalld and enable NSD:

firewall-cmd --add-service=dns --zone=public
firewall-cmd --runtime-to-permanent
systemctl enable --now nsd

Check DNS resolution with the host command:

% host example.com 172.20.0.100
Using domain server:
Name: 172.20.0.100
Address: 172.20.0.100#53
Aliases:

example.com has address 172.20.0.100
example.com mail is handled by 10 mail.another.com.
%

Secondary DNS server

It is generally a norm to run one or more secondary authoritative DNS servers in case the primary server goes down. NSD has a feature that allows for the syncing of DNS records from a primary server to one or many backup servers.

To enable a backup server, generate the signing keys on the primary zone:

nsd-control-setup

You will need to copy the following files to the backup server in the /etc/nsd/ directory:

  • nsd_control.key
  • nsd_control.pem
  • nsd_server.key
  • nsd_server.pem

On all the DNS servers add the following before the zone: directive:

remote-control:
        control-enable: yes
        control-interface: 0.0.0.0
        control-port: 8952
        server-key-file: "/etc/nsd/nsd_server.key"
        server-cert-file: "/etc/nsd/nsd_server.pem"
        control-key-file: "/etc/nsd/nsd_control.key"
        control-cert-file: "/etc/nsd/nsd_control.pem"

Also enable the firewall entries:

firewall-cmd --zone=public --add-port=8952/tcp
firewall-cmd --runtime-to-permanent

On the primary server, change the zone to match the following:

zone:
    name: example.com
    zonefile: /etc/nsd/example.com.zone
    allow-notify: NS2_IP NOKEY
    provide-xfr: NS2_IP NOKEY
    outgoing-interface: NS1_IP

Replace NS1_IP1 and NS2_IP2 with the public IP addresses of the primary and secondary nameservers.

On the secondary server add the zone:

zone:
    name: fourplex.net
    notify: NS1_IP NOKEY
    request-xfr: NS1_IP NOKEY
    outgoing-interface: NS2_IP

Replace NS1_IP1 and NS2_IP2 with the public IP addresses of the primary and secondary nameservers.

Restart NSD on both nameservers:

NS1# systemctl restart --now nsd

To download the zone file to the secondary nameserver from the primary one:

nsd-control notify -s NS2_IP

Replace NS2_IP2 with the public IP addresses of the secondary nameserver.

Conclusion

Most people use third-party services for DNS. However, there are scenarios where self-hosting DNS is desirable. Telecommunication, hosting, and social media companies, for example, host many DNS entries where hosted services are undesirable.

NSD is one of many open source tools that make hosting DNS possible.

Author: Neel Chauhan

Contributors: Steven Spencer, Ganna Zhyrnova