About Archive Other Contact

How to implement Unbound and NSD on FreeBSD

How to implement Unbound and NSD on FreeBSD as an intranet DNS solution!

We need name resolution for everything we do on our computers, laptops, tablets and smart phones. Whether it is to access the local intranet site or a web site on the internet or sending an e-mail. For all these actions you need a perfect working name resolution system. Name resolution is the process of finding the right IP address with the hostname of a system used by another system and vice versa.

We will implement a caching name server and an authoritative name server for a local intranet zone on one and the same system using FreeBSD. This is the perfect name resolving setup allowing you to resolve both local resources as well as public resources on the internet. Unbound is used as caching name server and NSD as authoritative name server.

Requirements

The following requirements have to be in place to be able to implement what is described in this post:

Assumptions

The following assumptions apply to this post:

Unbound

Unbound is a validating caching resolver only. In FreeBSD 10 Unbound replaced BIND.

Installation

Unbound comes pre installed as part of the FreeBSD 10.x releases base system.

Configuration

Unbound can now be configured. To be able to use the daemon the following line must be added to /etc/rc.conf of your FreeBSD system:

local_unbound_enable="YES"
Now we have to write the Unbound configuration file /var/unbound/unbound.conf. The directory /var/unbound already exists by default. Use your favourite editor and put the content shown in the SoCruel.NU Unbound example configuration in the /var/unbound/unbound.conf file. Please consult the unbound.conf manual page for detailed explanation of all the configuration lines.

As a last step we now have to start the Unbound daemon by running the command

# service local_unbound start
as root.

NSD

NSD is an authoritative only, high performance, simple and open source name server.

Installation

The FreeBSD Ports are used to install the NSD software:

# cd /usr/ports/dns/nsd
# make install clean
You can leave all the default options as they are. You can also use the FreeBSD Binary Package Management System to install NSD:
# pkg install nsd

Configuration

Now we can configure NSD, which runs in a chroot environment. First we have to make a directory structure for this environment:

# mkdir -p /var/nsd/var/db/nsd
# mkdir /var/nsd/var/run
# mkdir /var/nsd/var/log
# mkdir /var/nsd/tmp
# chown -R nsd:nsd /var/nsd/var
The next step is to write the NSD configuration file nsd.conf, which resides in the /var/nsd folder. The the SoCruel.NU NSD example configuration is provided. You can consult the nsd.conf manual page for a detailed explanation of all the configuration lines.

We want to be able to use the nsd-control command, with which you perform administration tasks on NSD. To be able to do so we have to set it up by performing the following command:

# nsd-control-setup -d /var/nsd
With this we create the certificates as given in our /var/nsd/nsd.conf config file and put them in the /var/nsd folder.

Now we have one last task to complete: make the files for our forward - and reverse lookup zones intra.domain.nl and 30.20.10.in-addr.arpa. We place them in the /var/nsd folder. The links to the content of them are zone.intra.domain.nl file and zone.30.20.10 file.

What this setup does

Unbound listens on the intranet interface and gets all the DNS queries. When it gets a DNS query for either intra.domain.nl. or 30.20.10.in-addr.arpa. it forwards it to NSD listening on localhost on port 53530. NSD will handle both these queries. All other queries are forwarded to 1.2.3.4 and 5.6.7.8. When Unbound doesn't have a result cached it will cache it such that it answer the query itself the next time it is requested.

Resources

Some resources used for this subject:

Updated: August 21, 2018