Self Hosted DNS using NSD

Our Servers

Master : ns1.example.etherarp.net  
Slave  : ns2.example.etherarp.net  

Both will answer public queries and are indistinguishable to clients. The master is where we add or change data; the slave receives a read-only copy from the master via zone transfer.

Configuring NSD

sudo apt-get install nsd haveged ldnsutils

Now we set up nsd-control

root@ns1:~# nsd-control-setup
setup in directory /etc/nsd
nsd_server.key exists
nsd_control.key exists
create nsd_server.pem (self signed certificate)
create nsd_control.pem (signed client certificate)
Signature ok
subject=/CN=nsd-control
Getting CA Private Key
Setup success. Certificates created.

This control application lets you interact with a running nsd instance; it uses SSL for authentication and confidentiality. For security, have it listen only on 127.0.0.1.

Generate a shared secret (a TSIG key) to authenticate zone transfers and notifies between the master and slave:

root@ns1:~# dd if=/dev/random of=/dev/stdout count=1 bs=32 2>/dev/null|openssl base64
NhLUGzaz7MulybZ7rivrRTmqKoN+COYEn1y/bhOlHFM=

nsd.conf (for both servers)

server:
	do-ip4: yes
	do-ip6: yes
	port: 53
	username: nsd
	hide-version: yes
	zonesdir: "/etc/nsd/zones"
	logfile: "/var/log/nsd.log"
	pidfile: "/run/nsd/nsd.pid"

remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
	control-port: 8952
	server-key-file: "/etc/nsd/nsd_server.key"
	server-cert-file: "/etc/nsd/nsd_server.pem"
	control-key-file: "/etc/nsd/nsd_control.key"
	control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: sha256secret
    algorithm: hmac-sha256
    secret: "NhLUGzaz7MulybZ7rivrRTmqKoN+COYEn1y/bhOlHFM="

Creating a Zone

root@ns1:~# mkdir /etc/nsd/zones
root@ns1:~# cat > /etc/nsd/zones/example.etherarp.net.zone << EOF
$ORIGIN example.etherarp.net.
$TTL 1800
@ IN SOA ns1.example.etherarp.net. admin.example.etherarp.net. (
	2017170301
	3600
	900
	1209600
	1800
	)
@	IN	NS	ns1.example.etherarp.net.
@	IN	NS	ns2.example.etherarp.net.
ns1	IN	A	198.0.2.246
ns2	IN	A	198.0.2.36
violets	IN	TXT	"ARE BLUE"
roses	IN	TXT	"ARE RED"
EOF

Don't forget the trailing '.' on every fully qualified name, the SOA's MNAME and RNAME included; a name without it is treated as relative to $ORIGIN and silently gets the zone name appended.

Configure the zone

The master needs a zone stanza that allows authenticated transfers to the slave and notifies it of changes. Append it to nsd.conf:

root@ns1:~# cat >> /etc/nsd/nsd.conf << EOF
zone:
    name: example.etherarp.net
    zonefile: example.etherarp.net.zone
    notify: 192.0.6.36 sha256secret
    provide-xfr: 192.0.6.36 sha256secret
EOF

The slave needs a zone stanza that accepts notifies from the master and pulls the zone from it using the same key. Append it to nsd.conf:

root@ns2:~# cat >> /etc/nsd/nsd.conf << EOF
zone:
    name: example.etherarp.net
    zonefile: example.etherarp.net.zone
    allow-notify: 192.0.6.246 sha256secret
    request-xfr: 192.0.6.246 sha256secret
EOF

Check it works

Check the NSD configuration, then start the service on each server.

root@ns1:~# nsd-checkconf /etc/nsd/nsd.conf
root@ns1:~# systemctl start nsd.service

root@ns2:~# nsd-checkconf /etc/nsd/nsd.conf
root@ns2:~# systemctl start nsd.service

Check the records are reachable from the internet by querying through a public resolver:

rohan@desktop:~$ dig @64.6.64.6 violets.example.etherarp.net TXT +short
"ARE BLUE"