How to implement Unbound and NSD on FreeBSD
How to implement Unbound and NSD on FreeBSD as an intranet DNS solution!
We need name resolution for everything we do on our computers, laptops, tablets and smart phones. Whether it is to access the local intranet site or a web site on the internet or sending an e-mail. For all these actions you need a perfect working name resolution system. Name resolution is the process of finding the right IP address with the hostname of a system used by another system and vice versa.
We will implement a caching name server and an authoritative name server for a local intranet zone on one and the same system using FreeBSD. This is the perfect name resolving setup allowing you to resolve both local resources as well as public resources on the internet. Unbound is used as caching name server and NSD as authoritative name server.
The following requirements have to be in place to be able to implement what is described in this post:
- an up to date FreeBSD version 10.x or 11.x system with updated ports installed
- a connection to the internet with access to a public caching name server.
The following assumptions apply to this post:
- the LAN IP address of the system on which Unbound and NSD are implemented is
- the subnet of the network the system is on is
- the IP addresses of the caching name servers of the imaginary ISP are
- the local domain is
- Unbound listens on the localhost interface and the LAN IP address
- NSD listens on localhost only (port 53530)
- Unbound forwards requests to NSD for the local domain
- Unbound forwards requests to ISP caching name servers when it cannot answer requests itself.
Unbound is a validating caching resolver only. In FreeBSD 10 Unbound replaced BIND.
Unbound comes pre installed as part of the FreeBSD 10.x releases base system.
Unbound can now be configured. To be able to use the daemon the following line must be added to
/etc/rc.conf of your FreeBSD system:
local_unbound_enable="YES"Now we have to write the Unbound configuration file
/var/unbound/unbound.conf. The directory
/var/unboundalready exists by default. Use your favourite editor and put the content shown in the SoCruel.NU Unbound example configuration in the
/var/unbound/unbound.conffile. Please consult the unbound.conf manual page for detailed explanation of all the configuration lines.
As a last step we now have to start the Unbound daemon by running the command
# service local_unbound startas root.
NSD is an authoritative only, high performance, simple and open source name server.
The FreeBSD Ports are used to install the NSD software:
# cd /usr/ports/dns/nsd # make install cleanYou can leave all the default options as they are. You can also use the FreeBSD Binary Package Management System to install NSD:
# pkg install nsd
Now we can configure NSD, which runs in a chroot environment. First we have to make a directory structure for this environment:
# mkdir -p /var/nsd/var/db/nsd # mkdir /var/nsd/var/run # mkdir /var/nsd/var/log # mkdir /var/nsd/tmp # chown -R nsd:nsd /var/nsd/varThe next step is to write the NSD configuration file
nsd.conf, which resides in the
/var/nsdfolder. The the SoCruel.NU NSD example configuration is provided. You can consult the nsd.conf manual page for a detailed explanation of all the configuration lines.
We want to be able to use the
nsd-control command, with which you perform administration tasks on NSD. To be able to do so we have to set it up by performing the following command:
# nsd-control-setup -d /var/nsdWith this we create the certificates as given in our
/var/nsd/nsd.confconfig file and put them in the
Now we have one last task to complete: make the files for our forward - and reverse lookup zones intra.domain.nl and 30.20.10.in-addr.arpa. We place them in the
/var/nsd folder. The links to the content of them are zone.intra.domain.nl file and zone.30.20.10 file.
What this setup does
Unbound listens on the intranet interface and gets all the DNS queries. When it gets a DNS query for either
30.20.10.in-addr.arpa. it forwards it to NSD listening on localhost on port 53530. NSD will handle both these queries.
All other queries are forwarded to
When Unbound doesn’t have a result cached it will cache it such that it answer the query itself the next time it is requested.
Some resources used for this subject: