Hello, this is Agata.<\/p>\n\n\n\n
If you operate a mail server, you may encounter a large number of DNS queries when using DNSBL for spam prevention. In such cases, it is convenient to have a cache server.<\/p>\n\n\n\n
BIND is a popular choice, but there are some security concerns. Therefore, we decided to try a different DNS server software and came up with the following configuration.<\/p>\n\n\n\n
NSD stands for \u201cName Server Daemon\u201d and is software dedicated to authoritative DNS servers. It is developed by NLnet Labs, a non-profit organization.<\/p>\n\n\n\n
Its features are as follows.<\/p>\n\n\n\n
Unbound is a cache-only DNS resolver. It is also developed by NLnet Labs.<\/p>\n\n\n\n
The features are as follows.<\/p>\n\n\n\n
Now, let’s take a look at the actual setup procedure.<\/p>\n\n\n\n
OS\uff1aUbuntu24.04<\/p>\n\n\n\n
Run an authoritative server and a cache server on a single server.<\/p>\n\n\n\n
The cache server handles only local processing.<\/p>\n\n\n\n
For this reason, the authoritative server will listen on port 53, and the cache server will listen on port 5353. This means that local queries will not be sent to the cache server, so we will adjust the resolver (systemd-resolved) settings to address this.<\/p>\n\n\n\n
* Ideally, these should be run on separate servers. However, in this case, the DNS authoritative server and mail server are running on a VPS, and the cache for DNSBL needs to be operated, resulting in this non-standard configuration.<\/p>\n\n\n\n
First, let’s start with the cache server Unbound.<\/p>\n\n\n\n
Install Unbound with the following command.<\/p>\n\n\n\n
sudo apt install unbound<\/code><\/pre>\n\n\n\nNext, create the Unbound configuration file. Enter the following content into \/etc\/unbound\/unbound.conf.d\/local.conf.<\/p>\n\n\n\n
server:\n\tverbosity: 1\n\tinterface: 127.0.0.1\n\tport: 5353\n\tdo-not-query-localhost: no\n\n\thide-identity: yes\n\thide-version: yes\n\n\tcache-min-ttl: 60\n\tcache-max-ttl: 86400<\/code><\/pre>\n\n\n\nOnce you have configured the settings, restart Unbound.<\/p>\n\n\n\n
sudo systemctl restart unbound<\/code><\/pre>\n\n\n\nIn Ubuntu 24.04, systemd-resolved is the default resolver. To point it to the Unbound you just set up, edit \/etc\/systemd\/resolved.conf.<\/p>\n\n\n\n
DNS=127.0.0.1:5353<\/code><\/pre>\n\n\n\nLet’s restart systemd-resolved as well.<\/p>\n\n\n\n
sudo systemctl restart systemd-resolved<\/code><\/pre>\n\n\n\nNow, let’s check if the name resolution works properly. After testing with the dig command, you can check the cache status of Unbound.<\/p>\n\n\n\n
dig www.google.com\nsudo unbound-control stats\nsudo unbound-control dump_cache<\/code><\/pre>\n\n\n\nNSD settings<\/h2>\n\n\n\n
Next, we will configure the NSD for the authoritative server. Let’s start with the installation.<\/p>\n\n\n\n
sudo apt install nsd<\/code><\/pre>\n\n\n\nCreate a directory to store the zone files.<\/p>\n\n\n\n
In this case, since existing BIND zone files exist, copy the BIND zone files.<\/p>\n\n\n\n
NSD can basically use BIND zone files as they are.<\/p>\n\n\n\n
sudo mkdir \/etc\/nsd\/zones\ncp db.example.com \/etc\/nsd\/zones\/example.com.zone<\/code><\/pre>\n\n\n\nCreate the NSD configuration file \/etc\/nsd\/nsd.conf.d\/example.com.conf.<\/p>\n\n\n\n
server:\n ip-address: xxx.xxx.xxx.xxx\n server-count: 1\n ip4-only: no\n hide-version: yes\n identity: \"NSD\"\n zonesdir: \"\/etc\/nsd\/zones\"\n\nremote-control:\n control-enable: yes\n control-interface: 127.0.0.1\n\nzone:\n name: \"example.com\"\n zonefile: \"example.com.zone\"<\/code><\/pre>\n\n\n\nLet’s check if there are any problems with the zone file syntax.<\/p>\n\n\n\n
sudo nsd-checkzone example.com \/etc\/nsd\/zones\/example.com.zone\nzone example.com is ok<\/code><\/pre>\n\n\n\nOnce confirmed, restart NSD.<\/p>\n\n\n\n
sudo systemctl restart nsd<\/code><\/pre>\n\n\n\nThat completes the basic DNS server settings! All that remains is to switch the name servers, and you will be ready for actual operation.<\/p>\n\n\n\n
Summary<\/h2>\n\n\n\n
In this article, we introduced how to build a DNS server using NSD and Unbound as DNS server software other than BIND. NSD is simple and designed specifically for authoritative servers, so it is easy to configure and secure. Unbound is also a high-performance cache resolver and is ideal for operating DNSBL.<\/p>\n\n\n\n
Of course, there may still be room for fine-tuning, but the basic configuration is sufficient for now.<\/p>\n\n\n\n
That’s all for this article.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hello, this is Agata. If you operate a mail server, you may encounter a large number of DNS queries when using DNSBL for spam prevention. In such cases, it is convenient to have a cache server. BIND is a popular choice, but there are some security concerns. Therefore, we decided to try a different DNS server software and came up with the following configuration. What is NSD? NSD stands for \u201cName Server Daemon\u201d and is software dedicated to authoritative DNS servers. It is developed by NLnet Labs, a non-profit organization. Its features are as follows. What is Unbound\uff1f Unbound is a cache-only DNS resolver. It is also developed by NLnet…<\/p>\n","protected":false},"author":2,"featured_media":121,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"vkexunit_cta_each_option":"","footnotes":""},"categories":[18],"tags":[33,26,28],"class_list":["post-118","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application","tag-dns","tag-install","tag-linux"],"_links":{"self":[{"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/posts\/118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/comments?post=118"}],"version-history":[{"count":4,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/posts\/118\/revisions"}],"predecessor-version":[{"id":125,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/posts\/118\/revisions\/125"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/media\/121"}],"wp:attachment":[{"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/media?parent=118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/categories?post=118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.interstellar.co.jp\/en\/wp-json\/wp\/v2\/tags?post=118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}