INTERSTELLAR TECH BLOG

Building DNS authoritative and cache servers with NSD and Unbound

Hello, this is Agata.

If you operate a mail server, you may encounter a large number of DNS queries when using DNSBL for spam prevention. In such cases, it is convenient to have a cache server.

BIND is a popular choice, but there are some security concerns. Therefore, we decided to try a different DNS server software and came up with the following configuration.

  • Authoritative server: NSD (lightweight and simple authoritative DNS server)
  • Cache server: Unbound (secure, high-performance cache DNS resolver)

What is NSD?

NSD stands for “Name Server Daemon” and is software dedicated to authoritative DNS servers. It is developed by NLnet Labs, a non-profit organization.

Its features are as follows.

  • Simple and focused solely on authoritative server functions
  • Lightweight and fast
  • Security-conscious design
  • Easier to configure than BIND

What is Unbound?

Unbound is a cache-only DNS resolver. It is also developed by NLnet Labs.

The features are as follows.

  • Fast cache functionality
  • Full security features (DNSSEC compatible)
  • Memory efficient
  • Easy to customize

Now, let’s take a look at the actual setup procedure.

Environment

OS: Ubuntu 24.04

Both the authoritative server and the cache server run on a single host.

The cache server serves only queries from the host itself.

For this reason, the authoritative server listens on port 53 and the cache server on port 5353. Local queries go to port 53 by default and would therefore never reach the cache, so we adjust the resolver (systemd-resolved) settings to send them to port 5353 instead.

* Ideally, these should be run on separate servers. However, in this case, the DNS authoritative server and mail server are running on a VPS, and the cache for DNSBL needs to be operated, resulting in this non-standard configuration.

Unbound settings

First, let’s start with the cache server Unbound.

Install Unbound with the following command.

sudo apt install unbound

Next, create the Unbound configuration file. Enter the following content into /etc/unbound/unbound.conf.d/local.conf.

server:
	verbosity: 1
	# listen on loopback only, so the cache cannot be reached from outside
	interface: 127.0.0.1
	# port 53 is taken by NSD (authoritative) on this host
	port: 5353
	# allow Unbound to send queries to loopback addresses (the default refuses them)
	do-not-query-localhost: no

	# do not reveal the host name or Unbound version to id.server / version.bind queries
	hide-identity: yes
	hide-version: yes

	# keep cached records for at least 60 s and at most one day, regardless of the record TTL
	cache-min-ttl: 60
	cache-max-ttl: 86400

Once you have configured the settings, restart Unbound.

sudo systemctl restart unbound

In Ubuntu 24.04, systemd-resolved is the default resolver. To point it to the Unbound you just set up, edit /etc/systemd/resolved.conf and add the following line under the [Resolve] section (systemd-resolved accepts an address with a port in this form).

DNS=127.0.0.1:5353

Let’s restart systemd-resolved as well.

sudo systemctl restart systemd-resolved

Now, let’s check whether name resolution works properly. dig uses the system resolver, so the query travels through systemd-resolved to Unbound; after the test query you can inspect Unbound’s counters and cache contents.

dig www.google.com
sudo unbound-control stats
sudo unbound-control dump_cache
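The commands above show whether resolution works at all; whether the cache is actually absorbing the DNSBL load is a question of hit ratio. The following script is an added example (not part of the original article): two small parsers for the output of unbound-control stats and dig, plus an optional live mode that queries the cache at 127.0.0.1:5353 from the configuration above. The sample outputs embedded at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Parsers for the output of
# `unbound-control stats` and `dig`, plus an optional live check against the
# cache at 127.0.0.1:5353 configured above. The sample outputs at the bottom
# are constructed.

# cache_hit_ratio: reads `unbound-control stats` (key=value lines) on stdin
# and prints "queries hits misses hit_percent" on one line.
cache_hit_ratio() {
    awk -F= '
        $1 == "total.num.queries"   { q = $2 }
        $1 == "total.num.cachehits" { h = $2 }
        $1 == "total.num.cachemiss" { m = $2 }
        END {
            pct = (q > 0) ? int(100 * h / q) : 0
            printf "%d %d %d %d\n", q, h, m, pct
        }'
}

# query_time_ms: prints the value of the ";; Query time: N msec" line of dig
# output read on stdin.
query_time_ms() {
    awk '/^;; Query time:/ { print $4; exit }'
}

# live_check NAME: resolves NAME twice through the cache, prints both query
# times (the second should be served from cache) and the current hit ratio.
# stats_noreset is used because plain "stats" zeroes the counters when read.
live_check() {
    name=${1:-www.google.com}
    first=$(dig @127.0.0.1 -p 5353 "$name" | query_time_ms)
    second=$(dig @127.0.0.1 -p 5353 "$name" | query_time_ms)
    echo "first query: ${first} ms, second query: ${second} ms"
    sudo unbound-control stats_noreset | cache_hit_ratio
}

# Constructed sample outputs, used when the script is run without "live".
SAMPLE_STATS='thread0.num.queries=120
thread0.num.cachehits=90
thread0.num.cachemiss=30
total.num.queries=120
total.num.cachehits=90
total.num.cachemiss=30
time.now=1700000000.000000'

SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; Query time: 3 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1) (UDP)'

if [ "${1:-}" = "live" ]; then
    live_check "${2:-}"
else
    printf '%s\n' "$SAMPLE_STATS" | cache_hit_ratio   # 120 90 30 75
    printf '%s\n' "$SAMPLE_DIG" | query_time_ms       # 3
fi
```

Saved as, say, cachecheck.sh, "sh cachecheck.sh live" queries the cache twice and prints the hit ratio. A hit ratio that stays near zero while the mail server is busy means the DNSBL queries are not reaching Unbound at all; resolvectl status shows which server systemd-resolved is really using.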

NSD settings

Next, we will configure NSD, the authoritative server. Let’s start with the installation.

sudo apt install nsd

Create a directory to store the zone files.

In this case the zones already exist as BIND zone files, so copy them over.

NSD can use BIND-format zone files essentially as they are.

sudo mkdir /etc/nsd/zones
sudo cp db.example.com /etc/nsd/zones/example.com.zone

Create the NSD configuration file /etc/nsd/nsd.conf.d/example.com.conf.

server:
    # public address NSD answers on (placeholder); port 53 stays with NSD, Unbound uses 5353
    ip-address: xxx.xxx.xxx.xxx
    server-count: 1
    ip4-only: no
    # do not reveal the NSD version to version.bind queries
    hide-version: yes
    # answer to id.server queries
    identity: "NSD"
    zonesdir: "/etc/nsd/zones"

remote-control:
    # nsd-control (reload, status, ...) reachable on loopback only
    control-enable: yes
    control-interface: 127.0.0.1

zone:
    name: "example.com"
    # path is relative to zonesdir
    zonefile: "example.com.zone"

Let’s check if there are any problems with the zone file syntax.

sudo nsd-checkzone example.com /etc/nsd/zones/example.com.zone
zone example.com is ok

Once confirmed, restart NSD.

sudo systemctl restart nsd

That completes the basic DNS server settings! All that remains is to switch the name servers, and you will be ready for actual operation.
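Before switching the name servers it is worth confirming that the listener layout really matches the plan in the Environment section: port 53 on the public address only, port 5353 on 127.0.0.1 only, so the cache can never be reached from outside as an open resolver. The script below is an added example (not part of the original article). It parses ss output; on Ubuntu 24.04 the systemd-resolved stub also binds port 53 on 127.0.0.53 (and 127.0.0.54), so those two addresses are accepted. The script name audit.sh and the public address 203.0.113.10 in the constructed samples are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: audit that the listener
# layout matches the plan (NSD on the public address, port 53; Unbound on
# 127.0.0.1 only, port 5353). Run as "sh audit.sh live <public-ip>" on the
# server; without arguments it runs against the constructed samples below.
# 203.0.113.10 is a placeholder public address.

set -f   # no globbing: the loops below iterate over address strings such as [::]

# addrs_on_port PORT: reads `ss -H -lnu` / `ss -H -lnt` lines on stdin and
# prints the local address (port stripped) of every socket bound to PORT.
addrs_on_port() {
    awk -v port="$1" '
        {
            n = split($4, parts, ":")   # "127.0.0.1:5353", "[::]:53" or "*:53"
            if (parts[n] != port) next
            sub(":" port "$", "", $4)   # drop the trailing :port
            print $4
        }'
}

# check_layout PUBLIC_IP: reads ss output on stdin; returns 0 when port 53 is
# bound only on PUBLIC_IP (plus the systemd-resolved stub on 127.0.0.53/54)
# and port 5353 only on 127.0.0.1; prints each deviation and returns 1 otherwise.
check_layout() {
    public=$1
    input=$(cat)
    rc=0
    seen53=0
    seen5353=0
    for a in $(printf '%s\n' "$input" | addrs_on_port 53); do
        seen53=1
        case $a in
            "$public"|127.0.0.53|127.0.0.54) ;;
            *) echo "port 53 also bound on $a"; rc=1 ;;
        esac
    done
    for a in $(printf '%s\n' "$input" | addrs_on_port 5353); do
        seen5353=1
        [ "$a" = "127.0.0.1" ] || { echo "cache port 5353 exposed on $a"; rc=1; }
    done
    [ "$seen53" -eq 1 ]   || { echo "nothing listening on port 53"; rc=1; }
    [ "$seen5353" -eq 1 ] || { echo "nothing listening on port 5353"; rc=1; }
    return $rc
}

# Constructed `ss -H -lnu` output: the intended layout ...
GOOD_SS='UNCONN 0 0 203.0.113.10:53 0.0.0.0:*
UNCONN 0 0 127.0.0.53:53 0.0.0.0:*
UNCONN 0 0 127.0.0.1:5353 0.0.0.0:*'

# ... and a misconfiguration where Unbound was left listening on all interfaces.
BAD_SS='UNCONN 0 0 203.0.113.10:53 0.0.0.0:*
UNCONN 0 0 127.0.0.53:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

if [ "${1:-}" = "live" ]; then
    [ -n "${2:-}" ] || { echo "usage: sh audit.sh live <public-ip>"; exit 2; }
    { ss -H -lnu; ss -H -lnt; } | check_layout "$2" && echo "listener layout OK"
else
    printf '%s\n' "$GOOD_SS" | check_layout 203.0.113.10 && echo "good sample: OK"
    printf '%s\n' "$BAD_SS" | check_layout 203.0.113.10 || echo "bad sample: rejected as expected"
fi
```

The check reads both UDP and TCP listeners, since NSD serves zone transfers and large answers over TCP as well. If it reports port 5353 on 0.0.0.0 or [::], the interface line in the Unbound configuration is not in effect; if it reports port 53 on an unexpected address, something other than NSD and the resolver stub has taken the port.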

Summary

In this article, we introduced how to build a DNS server using NSD and Unbound as an alternative to BIND. NSD is simple and designed specifically for authoritative servers, so it is easy to configure and secure. Unbound is a high-performance cache resolver and well suited to the DNSBL lookups of a mail server.

Of course, there may still be room for fine-tuning, but the basic configuration is sufficient for now.

That’s all for this article.
