In this article, you will learn how easy and quick it is to have your own caching resolving DNS server (unbound), as well as an authoritative\/master DNS server (nsd) running locally on your own OpenBSD AKLWEB HOST instance.<\/p>\n

While nsd was available in previous release too, unbound was linked to the build for the 5.6 release. Starting with 5.7 release, BIND will be completely removed from the base system (and available via ports).<\/p>\n

unbound<\/h3>\n

For resolving DNS, people generally use defaults provided by their distribution\/provider or a service from Google (public DNS) and OpenDNS. While those are usually fine, running you own gives you more control, better performance (once you fill out your own cache), better privacy, etc. It is very easy to get your own resolving DNS setup on OpenBSD.<\/p>\n

\n
1. Enable the service:\n

   sudo rcctl enable unbound\r\n<\/code><\/pre>\n<\/li>\n
   Start the service:\n
   sudo rcctl start unbound\r\n<\/code><\/pre>\n<\/li>\n
   To make it active, put the following in\u00a0\/etc\/resolv.conf<\/code>\u00a0(and delete any other\u00a0nameserver<\/code>\u00a0entries):\n
   nameserver 127.0.0.1\r\n<\/code><\/pre>\n<\/li>\n<\/ol>\n
   You can now try it out:<\/p>\n
   dig google.com\r\n<\/code><\/pre>\n
   We’re looking for the following two lines:<\/p>\n
   ;; Query time: 35 msec\r\n;; SERVER: 127.0.0.1#53(127.0.0.1)\r\n<\/code><\/pre>\n
   The server used was\u00a0localhost<\/code>, which is what we wanted. Query time is 35 sec on a cold start. Let’s try the same\u00a0dig<\/code>\u00a0command one more time:<\/p>\n
   ;; Query time: 1 msec\r\n<\/code><\/pre>\n
   At this point, the caching is working and we can continue with the authoritative nsd server.<\/p>\n
   nsd<\/h3>\n
   Unlike unbound, nsd is an authoritative DNS server, which is used for serving your own zones. One server is generally not enough, so you could spin up another AKLWEB HOST instance as a secondary server in another location, for redundancy.<\/p>\n
   Since setting up primary\/secondary service (although not hard) is a bit out of the scope of this article, we will show how to serve a single domain zone.<\/p>\n
   \n
   First let’s edit\u00a0\/var\/nsd\/etc\/nsd.conf<\/code>\u00a0file. Here is a complete example:\n
   server:\r\n    hide-version: yes\r\n    ip-address: 108.xx.xxx.xx\r\n\r\nremote-control:\r\n    control-enable: yes\r\n\r\nzone:\r\n    name: \"example.com\"\r\n    zonefile: \"example.com.zone\"\r\n<\/code><\/pre>\n
   Note: Replace\u00a0108.xx.xxx.xx<\/code>\u00a0with the IP address of your instance and\u00a0example.com<\/code>\u00a0with your own domain.<\/li>\n
   Zone files go to\u00a0\/var\/nsd\/zones<\/code>\u00a0directory. Here is a short\u00a0\/var\/nsd\/zones\/example.com.zone<\/code>\u00a0zone file:\n
   $ORIGIN example.com.\r\n$TTL 86400\r\n\r\n@       3600    SOA     a.ns.example.com. hostmaster.example.com. (\r\n                        2014110502      ; serial\r\n                        1800            ; refresh\r\n                        7200            ; retry\r\n                        1209600         ; expire\r\n                        3600 )          ; negative\r\n\r\n                NS      a.ns.example.com.\r\n                NS      b.ns.example.com.\r\n\r\n                MX      0 mail.example.com.\r\n\r\na.ns            A       108.xx.xxx.xx\r\nb.ns            A       108.xx.xxx.xx\r\nmail            A       108.xx.xxx.xx\r\n<\/code><\/pre>\n<\/li>\n
   We can now enable and start the service:\n
   sudo rcctl enable nsd\r\nsudo rcctl start nsd\r\n<\/code><\/pre>\n<\/li>\n<\/ol>\n
   You should now have both your own caching\/resolving DNS server, as well as an authoritative one.<\/p>\n
   BIND zone syntax and details on running your own master are a bit out of scope of this short guide and left as an exercise to the reader. Enjoy OpenBSD!<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","manualknowledgebasecat":[230,244],"manual_kb_tag":[407],"_links":{"self":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2724"}],"collection":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb"}],"about":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/types\/manual_kb"}],"author":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/comments?post=2724"}],"version-history":[{"count":3,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2724\/revisions"}],"predecessor-version":[{"id":2729,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2724\/revisions\/2729"}],"wp:attachment":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/media?parent=2724"}],"wp:term":[{"taxonomy":"manualknowledgebasecat","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manualknowledgebasecat?post=2724"},{"taxonomy":"manual_kb_tag","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb_tag?post=2724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}