Self Hosted DNS using NSD
Our Servers
Master : ns1.example.etherarp.net (192.0.2.246)
Slave : ns2.example.etherarp.net (192.0.2.36)
Both receive public queries and answer identically; clients cannot tell them apart. The master is the only place where zone data is edited; the slave pulls a read-only copy from the master by zone transfer (AXFR), and that transfer is authenticated with a TSIG key shared by the two servers. The addresses are from the RFC 5737 documentation range (192.0.2.0/24) and stand in for your own.
Configuring NSD
sudo apt-get install nsd haveged ldnsutils
nsd is the name server itself; haveged keeps the entropy pool topped up on a headless VM, which matters because the key material below is read from /dev/random; ldnsutils provides drill, a dig-like query tool that is handy for testing.
Now we set up nsd-control
root@ns1:~# nsd-control-setup
setup in directory /etc/nsd
nsd_server.key exists
nsd_control.key exists
create nsd_server.pem (self signed certificate)
create nsd_control.pem (signed client certificate)
Signature ok
subject=/CN=nsd-control
Getting CA Private Key
Setup success. Certificates created.
nsd-control lets you talk to a running nsd instance (reload, notify, add or delete zones, stop) and uses TLS with the certificates just generated for authentication and confidentiality. Anyone who can reach the control port and holds nsd_control.key can reconfigure the server, so have it listen only on 127.0.0.1 (as in the nsd.conf below) and keep the key files readable by root only.
Generate a shared secret (a TSIG key) to authenticate zone transfers and notifies between the master and slave. 32 random bytes gives a 256-bit key, matching hmac-sha256; openssl rand -base64 32 produces the same thing in one step.
root@ns1:~# dd if=/dev/random of=/dev/stdout count=1 bs=32 2>/dev/null|openssl base64
NhLUGzaz7MulybZ7rivrRTmqKoN+COYEn1y/bhOlHFM=
The value above is only an example; generate your own and never reuse a secret that has been published. The same key name, algorithm and secret must appear in nsd.conf on both servers.
/etc/nsd/nsd.conf (identical on both servers)
server:
    do-ip4: yes
    do-ip6: yes
    port: 53
    username: nsd
    hide-version: yes
    zonesdir: "/etc/nsd/zones"
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: sha256secret
    algorithm: hmac-sha256
    secret: "NhLUGzaz7MulybZ7rivrRTmqKoN+COYEn1y/bhOlHFM="
username drops privileges to the nsd user once port 53 is bound; hide-version stops the server answering version.server CHAOS queries with its version string; the remote-control block wires in the certificates from nsd-control-setup (8952 is NSD's default control port); the key: block defines the TSIG key that the zone: stanzas added below refer to by name.
Creating a Zone
The zone file lives in zonesdir and its name must match the zonefile: setting in the zone's configuration, so call it example.etherarp.net.zone.
root@ns1:~# mkdir /etc/nsd/zones
root@ns1:~# cat > /etc/nsd/zones/example.etherarp.net.zone << 'EOF'
$ORIGIN example.etherarp.net.
$TTL 1800
@       IN SOA  ns1.example.etherarp.net. admin.example.etherarp.net. (
                2017170301      ; serial
                3600            ; refresh
                900             ; retry
                1209600         ; expire
                1800            ; negative-cache TTL
                )
@       IN NS   ns1.example.etherarp.net.
@       IN NS   ns2.example.etherarp.net.
ns1     IN A    192.0.2.246
ns2     IN A    192.0.2.36
violets IN TXT  "ARE BLUE"
roses   IN TXT  "ARE RED"
EOF
Every name on the right-hand side of a record (the SOA MNAME and RNAME, and the NS targets) must end with a trailing '.'; without it NSD appends $ORIGIN, so ns1.example.etherarp.net would silently become ns1.example.etherarp.net.example.etherarp.net. Owner names on the left (ns1, violets) are relative to $ORIGIN by design. Increase the serial every time you change the zone, or the slave will ignore the change. The heredoc delimiter is quoted ('EOF') so the shell does not expand $ORIGIN and $TTL to empty strings. Because ns1 and ns2 sit inside the zone they serve, the parent zone (etherarp.net) must carry glue A records for them alongside the delegation.
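As an added example (not part of the original post), a small POSIX shell script that catches the two mistakes above before NSD does: right-hand names missing their trailing dot, and a serial that was not bumped. It is a pre-flight check only; nsd-checkzone remains the authority on whether NSD will load the file. The functions zone_lint, zone_serial and bump_serial and their messages are this example's own; the layout they expect is the BIND-style one used above, with the SOA serial either on the SOA line or on the line following it.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a BIND-style
# zone file before NSD loads it. Function names and messages are this example's own.

# zone_lint FILE
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
# Right-hand names in SOA, NS, CNAME, PTR and MX records must end with a dot;
# otherwise NSD appends $ORIGIN, which is almost never what was meant.
zone_lint() {
    awk '
    function bad(msg) { print FILENAME ": line " NR ": " msg; problems++ }
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }      # comments and blank lines
    $1 == "$ORIGIN" { if ($2 !~ /\.$/) bad("$ORIGIN " $2 " lacks a trailing dot"); next }
    $1 == "$TTL"    { next }
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "SOA") {
                soa++
                if ($(i+1) !~ /\.$/) bad("SOA MNAME " $(i+1) " lacks a trailing dot; NSD will append $ORIGIN")
                if ($(i+2) !~ /\.$/) bad("SOA RNAME " $(i+2) " lacks a trailing dot; NSD will append $ORIGIN")
                break
            }
            if ($i == "NS" || $i == "CNAME" || $i == "PTR") {
                if ($i == "NS") ns++
                if ($(i+1) !~ /\.$/) bad($i " target " $(i+1) " lacks a trailing dot; NSD will append $ORIGIN")
                break
            }
            if ($i == "MX") {                          # MX carries a preference before the name
                if ($(i+2) !~ /\.$/) bad("MX target " $(i+2) " lacks a trailing dot; NSD will append $ORIGIN")
                break
            }
        }
    }
    END {
        if (soa != 1) { print FILENAME ": expected exactly one SOA record, found " soa + 0; problems++ }
        if (ns < 1)   { print FILENAME ": no NS records"; problems++ }
        if (problems) exit 1
    }' "$1"
}

# zone_serial FILE
# Prints the SOA serial: the number on the SOA line, or the first field of the
# next non-comment line when the SOA is spread over several lines with "(".
zone_serial() {
    awk '
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
    want { print $1; exit }
    {
        for (i = 1; i <= NF; i++) if ($i == "SOA") {
            if ($(i+3) ~ /^[0-9]+$/) { print $(i+3); exit }
            if ($(i+3) == "(" && $(i+4) ~ /^[0-9]+$/) { print $(i+4); exit }
            want = 1; next
        }
    }' "$1"
}

# bump_serial FILE [YYYYMMDD]
# Rewrites FILE with a new serial and prints it. Uses date-based YYYYMMDD00 when
# that is larger than the current serial, otherwise current + 1, so it always grows.
# The date argument exists for reproducible testing; it defaults to today (UTC).
bump_serial() {
    file=$1; today=${2:-$(date -u +%Y%m%d)}
    old=$(zone_serial "$file") || return 1
    [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    new="${today}00"
    [ "$old" -lt "$new" ] || new=$((old + 1))
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { print; next }
    !done && (seen || /[[:space:]]SOA[[:space:]]/) {
        seen = 1
        match($0, /^[[:space:]]*/); lead = substr($0, 1, RLENGTH)   # keep indentation
        for (i = 1; i <= NF; i++) if ($i == old) { $i = new; done = 1; break }
        if (done) { print lead $0; next }
    }
    { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"      # keeps the original file mode and owner
    echo "$new"
}
```

Run zone_lint /etc/nsd/zones/example.etherarp.net.zone before every reload; a clean file produces no output and exit status 0. bump_serial /etc/nsd/zones/example.etherarp.net.zone rewrites the serial in place and prints the new value, so the slave sees a higher serial and transfers the new copy after the next reload and notify.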
Configure the zone
A zone: stanza tells NSD which file to serve and who may transfer or notify. Put it in /etc/nsd/nsd.conf (or in a file pulled in with an include: line); NSD does not read configuration from zonesdir. The master needs to be configured to allow authenticated access from the slave: notify sends a TSIG-signed NOTIFY to the slave whenever the zone changes, and provide-xfr permits zone transfers from the slave's address only when the request is signed with sha256secret.
root@ns1:~# cat >> /etc/nsd/nsd.conf << EOF
zone:
    name: example.etherarp.net
    zonefile: example.etherarp.net.zone
    notify: 192.0.2.36 sha256secret
    provide-xfr: 192.0.2.36 sha256secret
EOF
The slave needs to be configured to pull the zone from the master: allow-notify accepts signed NOTIFYs from the master's address, and request-xfr fetches the zone from it with the same key. On the slave, zonefile is where NSD stores the transferred copy.
root@ns2:~# cat >> /etc/nsd/nsd.conf << EOF
zone:
    name: example.etherarp.net
    zonefile: example.etherarp.net.zone
    allow-notify: 192.0.2.246 sha256secret
    request-xfr: 192.0.2.246 sha256secret
EOF
Never use NOKEY or a wide address range on provide-xfr: an unauthenticated transfer hands the entire zone to anyone who asks.
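As an added example (not from the original post or the NSD project), an audit script in POSIX shell that reads an nsd.conf and flags the settings this page cares about: a remote-control listener bound to anything other than loopback, hide-version left off, a TSIG key using MD5 or a short secret, provide-xfr/request-xfr/notify/allow-notify entries marked NOKEY, and zone stanzas that reference a key no key: block defines. The function name nsd_audit, its messages and the 16-byte threshold are this example's own choices; it handles the flat key: value layout shown above and does not implement NSD's full configuration grammar (include: files are not followed).

```shell
#!/bin/sh
# Added example, not from the original post or the NSD project: audit an nsd.conf
# for the settings discussed on this page. Handles the flat "key: value" layout
# used above; include: files are not followed. Thresholds and messages are ours.

# nsd_audit FILE
# Prints one finding per line and returns 1 if anything was flagged, 0 otherwise.
nsd_audit() {
    awk '
    function flag(msg) { print FILENAME ": line " NR ": " msg; n++ }
    function note(msg) { print FILENAME ": " msg; n++ }
    # Byte length of a base64 string from its length and padding (no decoder needed).
    function b64bytes(s,   len, pad) {
        len = length(s); pad = 0
        if (s ~ /==$/) pad = 2; else if (s ~ /=$/) pad = 1
        return int(len / 4) * 3 - pad
    }
    { sub(/#.*/, "") }                                      # strip comments
    /^[[:space:]]*$/ { next }
    /^[[:space:]]*[a-z-]+:[[:space:]]*$/ { section = $1; sub(/:$/, "", section); next }
    {
        k = $1; sub(/:$/, "", k)
        v = $2; gsub(/"/, "", v)
        if (section == "server" && k == "hide-version") hidever = v
        if (section == "remote-control" && k == "control-interface" &&
            v != "127.0.0.1" && v != "::1" && v !~ /^\//)
            flag("remote-control listens on " v "; bind it to 127.0.0.1, ::1 or a unix socket")
        if (section == "key") {
            if (k == "name") { keyname = v; keys[v] = 1 }
            if (k == "algorithm" && v ~ /md5/) flag("key " keyname " uses " v "; use hmac-sha256")
            if (k == "secret" && b64bytes(v) < 16)
                flag("key " keyname " secret is only " b64bytes(v) " bytes; generate 32")
        }
        if (section == "zone") {
            if (k == "name") zone = v
            if (k == "provide-xfr" || k == "request-xfr" || k == "notify" || k == "allow-notify") {
                ref = $NF; gsub(/"/, "", ref)           # last field: key name, NOKEY or BLOCKED
                if (ref == "NOKEY") flag("zone " zone ": " k " " $(NF-1) " is unauthenticated (NOKEY)")
                else if (ref != "BLOCKED") refs[ref] = "zone " zone ": " k
            }
        }
    }
    END {
        if (hidever != "yes") note("hide-version is not set to yes; the server version is exposed to CHAOS queries")
        for (r in refs) if (!(r in keys)) note(refs[r] " references key " r ", which no key: block defines")
        if (n) exit 1
    }' "$1"
}
```

Run nsd_audit /etc/nsd/nsd.conf on both servers after adding the zone stanzas; a clean run prints nothing and exits 0. NSD's own default for control-interface is loopback, so the script only complains about an explicit non-loopback value.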
Check it works
Check the configuration, then start the daemon (and enable it so it comes back after a reboot) on both servers.
root@ns1:~# nsd-checkconf /etc/nsd/nsd.conf
root@ns1:~# systemctl enable --now nsd.service
root@ns2:~# nsd-checkconf /etc/nsd/nsd.conf
root@ns2:~# systemctl enable --now nsd.service
nsd-checkconf prints nothing when the file is valid. Before looking outside, confirm the slave actually received the zone: nsd-control zonestatus example.etherarp.net on ns2 should report the same serial as on ns1, and a query sent directly to each server (dig @ns2.example.etherarp.net ... +norecurse) should come back with the aa flag set.
Check the records are reachable on the internet. This only works once the parent zone delegates example.etherarp.net to ns1 and ns2 with glue records; until then a public resolver has no way to find the servers.
rohan@desktop:~$ dig @64.6.64.6 violets.example.etherarp.net TXT +short
"ARE BLUE"