In this article, you will learn how easy and quick it is to have your own caching resolving DNS server (unbound), as well as an authoritative/master DNS server (nsd) running locally on your own OpenBSD AKLWEB HOST instance.
While nsd was available in previous release too, unbound was linked to the build for the 5.6 release. Starting with 5.7 release, BIND will be completely removed from the base system (and available via ports).
unbound
For resolving DNS, people generally use defaults provided by their distribution/provider or a service from Google (public DNS) and OpenDNS. While those are usually fine, running you own gives you more control, better performance (once you fill out your own cache), better privacy, etc. It is very easy to get your own resolving DNS setup on OpenBSD.
- Enable the service:
sudo rcctl enable unbound - Start the service:
sudo rcctl start unbound - To make it active, put the following in
/etc/resolv.conf(and delete any othernameserverentries):nameserver 127.0.0.1
You can now try it out:
dig google.com
We’re looking for the following two lines:
;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
The server used was localhost, which is what we wanted. Query time is 35 sec on a cold start. Let’s try the same dig command one more time:
;; Query time: 1 msec
At this point, the caching is working and we can continue with the authoritative nsd server.
nsd
Unlike unbound, nsd is an authoritative DNS server, which is used for serving your own zones. One server is generally not enough, so you could spin up another AKLWEB HOST instance as a secondary server in another location, for redundancy.
Since setting up primary/secondary service (although not hard) is a bit out of the scope of this article, we will show how to serve a single domain zone.
- First let’s edit
/var/nsd/etc/nsd.conffile. Here is a complete example:server: hide-version: yes ip-address: 108.xx.xxx.xx remote-control: control-enable: yes zone: name: "example.com" zonefile: "example.com.zone"Note: Replace
108.xx.xxx.xxwith the IP address of your instance andexample.comwith your own domain. - Zone files go to
/var/nsd/zonesdirectory. Here is a short/var/nsd/zones/example.com.zonezone file:$ORIGIN example.com. $TTL 86400 @ 3600 SOA a.ns.example.com. hostmaster.example.com. ( 2014110502 ; serial 1800 ; refresh 7200 ; retry 1209600 ; expire 3600 ) ; negative NS a.ns.example.com. NS b.ns.example.com. MX 0 mail.example.com. a.ns A 108.xx.xxx.xx b.ns A 108.xx.xxx.xx mail A 108.xx.xxx.xx - We can now enable and start the service:
sudo rcctl enable nsd sudo rcctl start nsd
You should now have both your own caching/resolving DNS server, as well as an authoritative one.
BIND zone syntax and details on running your own master are a bit out of scope of this short guide and left as an exercise to the reader. Enjoy OpenBSD!