Running Nsd And Unbound On OpenBSD 5.6

In this article, you will learn how easy and quick it is to have your own caching resolving DNS server (unbound), as well as an authoritative/master DNS server (nsd) running locally on your own OpenBSD Vultr instance.

For installing OpenBSD, refer to the following article: Setup OpenBSD 5.5 64-bit. Just be sure to use the newer, 5.6 ISO image instead.

While nsd was available in previous release too, unbound was linked to the build for the 5.6 release. Starting with 5.7 release, BIND will be completely removed from the base system (and available via ports).

unbound

For resolving DNS, people generally use defaults provided by their distribution/provider or a service from Google (public DNS) and OpenDNS. While those are usually fine, running you own gives you more control, better performance (once you fill out your own cache), better privacy, etc. It is very easy to get your own resolving DNS setup on OpenBSD.

1. Enable the service:

   sudo rcctl enable unbound
   

2. Start the service:

   sudo rcctl start unbound
   

3. To make it active, put the following in /etc/resolv.conf (and delete any other nameserver entries):

   nameserver 127.0.0.1
   

You can now try it out:

dig google.com

We’re looking for the following two lines:

;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

The server used was localhost, which is what we wanted. Query time is 35
sec on a cold start. Let’s try the same dig command one more time:

;; Query time: 1 msec

At this point, the caching is working and we can continue with the authoritative nsd server.

nsd

Unlike unbound, nsd is an authoritative DNS server, which is used for serving your own zones. One server is generally not enough, so you could spin up another Vultr instance as a secondary server in another location, for redundancy.

Since setting up primary/secondary service (although not hard) is a bit out of the scope of this article, we will show how to serve a single domain zone.

1. First let’s edit /var/nsd/etc/nsd.conf file. Here is a complete example:

   server:
       hide-version: yes
       ip-address: 108.xx.xxx.xx
   
   remote-control:
       control-enable: yes
   
   zone:
       name: "example.com"
       zonefile: "example.com.zone"
   

   Note: Replace 108.xx.xxx.xx with the IP address of your instance and example.com with your own domain.

2. Zone files go to /var/nsd/zones directory. Here is a short /var/nsd/zones/example.com.zone zone file:

   $ORIGIN example.com.
   $TTL 86400
   
   @       3600    SOA     a.ns.example.com. hostmaster.example.com. (
                           2014110502      ; serial
                           1800            ; refresh
                           7200            ; retry
                           1209600         ; expire
                           3600 )          ; negative
   
                   NS      a.ns.example.com.
                   NS      b.ns.example.com.
   
                   MX      0 mail.example.com.
   
   a.ns            A       108.xx.xxx.xx
   b.ns            A       108.xx.xxx.xx
   mail            A       108.xx.xxx.xx
   

3. We can now enable and start the service:

   sudo rcctl enable nsd
   sudo rcctl start nsd
   

You should now have both your own caching/resolving DNS server, as well as an authoritative one.

BIND zone syntax and details on running your own master are a bit out of scope of this short guide and left as an exercise to the reader. Enjoy OpenBSD!