In this article, you will learn how easy and quick it is to have your own caching resolving DNS server (unbound), as well as an authoritative/master DNS server (nsd) running locally on your own OpenBSD Vultr instance.
For installing OpenBSD, refer to the following article: Setup OpenBSD 5.5 64-bit. Just be sure to use the newer, 5.6 ISO image instead.
While nsd was available in previous release too, unbound was linked to the build for the 5.6 release. Starting with 5.7 release, BIND will be completely removed from the base system (and available via ports).
unbound
For resolving DNS, people generally use defaults provided by their distribution/provider or a service from Google (public DNS) and OpenDNS. While those are usually fine, running you own gives you more control, better performance (once you fill out your own cache), better privacy, etc. It is very easy to get your own resolving DNS setup on OpenBSD.
-
Enable the service:
sudo rcctl enable unbound
-
Start the service:
sudo rcctl start unbound
-
To make it active, put the following in
/etc/resolv.conf
(and delete any othernameserver
entries):nameserver 127.0.0.1
You can now try it out:
dig google.com
We’re looking for the following two lines:
;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
The server used was localhost
, which is what we wanted. Query time is 35
sec on a cold start. Let’s try the same dig
command one more time:
;; Query time: 1 msec
At this point, the caching is working and we can continue with the authoritative nsd server.
nsd
Unlike unbound, nsd is an authoritative DNS server, which is used for serving your own zones. One server is generally not enough, so you could spin up another Vultr instance as a secondary server in another location, for redundancy.
Since setting up primary/secondary service (although not hard) is a bit out of the scope of this article, we will show how to serve a single domain zone.
-
First let’s edit
/var/nsd/etc/nsd.conf
file. Here is a complete example:server: hide-version: yes ip-address: 108.xx.xxx.xx remote-control: control-enable: yes zone: name: "example.com" zonefile: "example.com.zone"
Note: Replace
108.xx.xxx.xx
with the IP address of your instance andexample.com
with your own domain. -
Zone files go to
/var/nsd/zones
directory. Here is a short/var/nsd/zones/example.com.zone
zone file:$ORIGIN example.com. $TTL 86400 @ 3600 SOA a.ns.example.com. hostmaster.example.com. ( 2014110502 ; serial 1800 ; refresh 7200 ; retry 1209600 ; expire 3600 ) ; negative NS a.ns.example.com. NS b.ns.example.com. MX 0 mail.example.com. a.ns A 108.xx.xxx.xx b.ns A 108.xx.xxx.xx mail A 108.xx.xxx.xx
-
We can now enable and start the service:
sudo rcctl enable nsd sudo rcctl start nsd
You should now have both your own caching/resolving DNS server, as well as an authoritative one.
BIND zone syntax and details on running your own master are a bit out of scope of this short guide and left as an exercise to the reader. Enjoy OpenBSD!
Want to contribute?
You could earn up to $300 by adding new articles
Suggest an update
Request an article