SoCruel.NU

The domain that loves BSD


How to implement Unbound and NSD on FreeBSD

How to implement Unbound and NSD on FreeBSD as an intranet DNS solution!

We need name resolution for almost everything we do on our computers, laptops, tablets and smartphones, whether it is accessing a site on the local intranet, a web site on the internet, or sending an e-mail. All of these actions depend on a properly working name resolution system. Name resolution is the process of finding the IP address that belongs to the hostname of a system, so that another system can reach it, and the reverse: finding the hostname that belongs to an IP address.

We will implement a caching name server and an authoritative name server for a local intranet zone on one and the same system using FreeBSD. This is the perfect name resolving setup allowing you to resolve both local resources as well as public resources on the internet. Unbound is used as caching name server and NSD as authoritative name server.

Requirements

The following requirements have to be in place to be able to implement what is described in this post:

  • an up-to-date FreeBSD 10.x or 11.x system with updated ports installed
  • a connection to the internet with access to a public caching name server

Assumptions

The following assumptions apply to this post:

  • the LAN IP address of the system on which Unbound and NSD are implemented is 10.20.30.1
  • the subnet of the network the system is on is 10.20.30.0/24
  • the IP addresses of the caching name servers of the imaginary ISP are 1.2.3.4 and 5.6.7.8
  • the local domain is intra.yourdomain.nl
  • Unbound listens on the localhost interface and the LAN IP address
  • NSD listens on localhost only (port 53530)
  • Unbound forwards requests to NSD for the local domain intra.yourdomain.nl
  • Unbound forwards requests to ISP caching name servers when it cannot answer requests itself.

Unbound

Unbound is a validating caching resolver only. In FreeBSD 10 Unbound replaced BIND.

Installation

Unbound comes preinstalled as part of the base system of the FreeBSD 10.x releases.

Configuration

Unbound can now be configured. To be able to use the daemon, the following line must be added to /etc/rc.conf on your FreeBSD system:

local_unbound_enable="YES"

Now we have to write the Unbound configuration file /var/unbound/unbound.conf. The directory /var/unbound already exists by default. Use your favourite editor and put the content shown in the SoCruel.NU Unbound example configuration in the /var/unbound/unbound.conf file. Please consult the unbound.conf manual page for a detailed explanation of all the configuration lines.
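The post links to its own example configuration, which is not reproduced here. The script below is an added example, not the SoCruel.NU file: it renders an unbound.conf that matches the assumptions stated above (10.20.30.1, 10.20.30.0/24, NSD on 127.0.0.1 port 53530, ISP resolvers 1.2.3.4 and 5.6.7.8, local domain intra.yourdomain.nl) and then checks that the directives the hand-off to NSD depends on are present. The user, directory, chroot, pidfile and trust-anchor settings are the ones FreeBSD's local-unbound-setup generates; the rest are choices made for this example.

```shell
#!/bin/sh
# Added example, not the SoCruel.NU configuration: renders an unbound.conf
# for the setup the post describes and checks that the directives the
# hand-off to NSD depends on are present. Values are the post's assumptions.
set -eu

LAN_IP="10.20.30.1"                 # LAN address Unbound listens on
LAN_NET="10.20.30.0/24"             # clients allowed to use the resolver
LOCAL_DOMAIN="intra.yourdomain.nl"  # intranet zone served by NSD
REVERSE_ZONE="30.20.10.in-addr.arpa"
NSD_ADDR="127.0.0.1@53530"          # where NSD listens
ISP_DNS1="1.2.3.4"                  # ISP caching name servers
ISP_DNS2="5.6.7.8"

# write_unbound_conf <path>: write the configuration file to <path>.
write_unbound_conf() {
    cat > "$1" <<EOF
server:
    # Listen on localhost and the LAN interface only.
    interface: 127.0.0.1
    interface: ${LAN_IP}
    # Only the intranet may query this resolver.
    access-control: 127.0.0.0/8 allow
    access-control: ${LAN_NET} allow
    access-control: 0.0.0.0/0 refuse
    # Same privilege setup that FreeBSD's local-unbound-setup generates.
    username: unbound
    directory: /var/unbound
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid
    hide-identity: yes
    hide-version: yes
    # DNSSEC validation with the root trust anchor kept in /var/unbound.
    auto-trust-anchor-file: /var/unbound/root.key
    # NSD lives on 127.0.0.1: Unbound refuses to query localhost unless told
    # otherwise, and the intranet zones are unsigned, so exclude them from
    # validation or their answers are treated as bogus.
    do-not-query-localhost: no
    domain-insecure: "${LOCAL_DOMAIN}"
    domain-insecure: "${REVERSE_ZONE}"
    # Unbound answers RFC 1918 reverse lookups with NXDOMAIN by default;
    # drop that built-in zone so the reverse queries reach NSD.
    local-zone: "10.in-addr.arpa." nodefault
    # Keep private addresses in answers for the intranet domain even if
    # private-address filtering is switched on later.
    private-domain: "${LOCAL_DOMAIN}"

# NSD is authoritative for these zones, so stub zones (not forward zones)
# hand them over.
stub-zone:
    name: "${LOCAL_DOMAIN}"
    stub-addr: ${NSD_ADDR}

stub-zone:
    name: "${REVERSE_ZONE}"
    stub-addr: ${NSD_ADDR}

# Everything else goes to the ISP resolvers. With the trust anchor above they
# must pass DNSSEC records through, or validation fails with SERVFAIL.
forward-zone:
    name: "."
    forward-addr: ${ISP_DNS1}
    forward-addr: ${ISP_DNS2}
EOF
}

# check_unbound_conf <path>: return 1 if any directive the Unbound-to-NSD
# hand-off relies on is missing; the missing ones are reported on stderr.
check_unbound_conf() {
    rc=0
    for needle in \
        "interface: ${LAN_IP}" \
        "access-control: ${LAN_NET} allow" \
        "do-not-query-localhost: no" \
        "domain-insecure: \"${LOCAL_DOMAIN}\"" \
        "local-zone: \"10.in-addr.arpa.\" nodefault" \
        "stub-addr: ${NSD_ADDR}" \
        "forward-addr: ${ISP_DNS1}"
    do
        if ! grep -qF -- "$needle" "$1"; then
            echo "missing directive: $needle" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone run: write to a scratch directory; copy the result to
# /var/unbound/unbound.conf once you have reviewed it.
OUT="$(mktemp -d)/unbound.conf"
write_unbound_conf "$OUT"
check_unbound_conf "$OUT"
echo "wrote $OUT"
```

Before restarting local_unbound, run unbound-checkconf /var/unbound/unbound.conf on the FreeBSD system itself; unlike the grep check above it also verifies that the chroot directory, the unbound user and the trust anchor file exist.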

As a last step we now have to start the Unbound daemon by running the following command as root:

# service local_unbound start

NSD

NSD is an authoritative only, high performance, simple and open source name server.

Installation

The FreeBSD Ports are used to install the NSD software:

# cd /usr/ports/dns/nsd
# make install clean

You can leave all the default options as they are. Alternatively, you can use the FreeBSD binary package management system to install NSD:

# pkg install nsd

Configuration

Now we can configure NSD, which runs in a chroot environment. First we have to make a directory structure for this environment:

# mkdir -p /var/nsd/var/db/nsd
# mkdir /var/nsd/var/run
# mkdir /var/nsd/var/log
# mkdir /var/nsd/tmp
# chown -R nsd:nsd /var/nsd/var

The next step is to write the NSD configuration file nsd.conf, which resides in the /var/nsd folder. The SoCruel.NU NSD example configuration is provided. You can consult the nsd.conf manual page for a detailed explanation of all the configuration lines.
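Again the post's own example file is only linked. The script below is an added example, not the SoCruel.NU configuration: it renders an nsd.conf that fits the chroot directory structure just created (NSD on 127.0.0.1 port 53530, chroot /var/nsd, nsd-control keys in /var/nsd) and then checks that every file path in it lies inside the chroot. NSD strips the chroot prefix from such paths itself; a path written without the prefix is accepted silently but refers to a different location once the daemon has chrooted, which is the mistake this check catches. The zone names follow the post's assumptions (intra.yourdomain.nl); the post itself also writes the domain as intra.domain.nl.

```shell
#!/bin/sh
# Added example, not the SoCruel.NU configuration: renders an nsd.conf for
# the chroot layout built above and checks that every file path in it lies
# inside the chroot directory.
set -eu

NSD_ROOT="/var/nsd"                      # chroot directory from the post
NSD_LISTEN="127.0.0.1@53530"             # localhost only, port 53530
LOCAL_DOMAIN="intra.yourdomain.nl"
REVERSE_ZONE="30.20.10.in-addr.arpa"

# write_nsd_conf <path>: write the configuration file to <path>.
write_nsd_conf() {
    cat > "$1" <<EOF
server:
    # Unbound is the only client, so never listen on the LAN address.
    ip-address: ${NSD_LISTEN}
    hide-version: yes
    # Drop privileges and confine the daemon. Every path below carries
    # the chroot prefix; NSD removes it after chrooting.
    username: nsd
    chroot: "${NSD_ROOT}"
    zonesdir: "${NSD_ROOT}"
    pidfile: "${NSD_ROOT}/var/run/nsd.pid"
    logfile: "${NSD_ROOT}/var/log/nsd.log"
    database: "${NSD_ROOT}/var/db/nsd/nsd.db"
    xfrdfile: "${NSD_ROOT}/var/db/nsd/xfrd.state"
    xfrdir: "${NSD_ROOT}/tmp"

remote-control:
    # nsd-control over localhost, using the key and certificate files that
    # nsd-control-setup -d ${NSD_ROOT} creates.
    control-enable: yes
    control-interface: 127.0.0.1
    server-key-file: "${NSD_ROOT}/nsd_server.key"
    server-cert-file: "${NSD_ROOT}/nsd_server.pem"
    control-key-file: "${NSD_ROOT}/nsd_control.key"
    control-cert-file: "${NSD_ROOT}/nsd_control.pem"

# Primary zones; zonefile paths are relative to zonesdir.
zone:
    name: "${LOCAL_DOMAIN}"
    zonefile: "zone.${LOCAL_DOMAIN}"

zone:
    name: "${REVERSE_ZONE}"
    zonefile: "zone.30.20.10"
EOF
}

# check_nsd_paths <path>: return 1 if no chroot is configured or any file
# path directive points outside it; offending lines are printed on stderr.
check_nsd_paths() {
    root=$(awk -F'"' '/^[ \t]*chroot:/ { print $2; exit }' "$1")
    if [ -z "$root" ]; then
        echo "no chroot configured" >&2
        return 1
    fi
    bad=$(awk -F'"' -v root="$root" '
        /^[ \t]*(zonesdir|logfile|pidfile|database|xfrdfile|xfrdir|server-key-file|server-cert-file|control-key-file|control-cert-file):/ {
            if (index($2, root) != 1) print $1 "\"" $2 "\""
        }' "$1")
    if [ -n "$bad" ]; then
        printf 'paths outside chroot %s:\n%s\n' "$root" "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: write to a scratch directory; copy the result to
# /var/nsd/nsd.conf once you have reviewed it.
OUT="$(mktemp -d)/nsd.conf"
write_nsd_conf "$OUT"
check_nsd_paths "$OUT"
echo "wrote $OUT"
```

On the FreeBSD system, nsd-checkconf /var/nsd/nsd.conf validates the syntax of the finished file; the path check above is the part nsd-checkconf does not do for you.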

We want to be able to use the nsd-control command, with which you perform administration tasks on NSD. To set it up, run the following command:

# nsd-control-setup -d /var/nsd

This creates the certificates and keys referenced in our /var/nsd/nsd.conf config file and puts them in the /var/nsd folder.

Now we have one last task to complete: make the zone files for our forward and reverse lookup zones intra.domain.nl and 30.20.10.in-addr.arpa. We place them in the /var/nsd folder. Their contents are shown in the zone.intra.domain.nl file and the zone.30.20.10 file.
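The zone files themselves are only linked from the post. The script below is an added example, not the SoCruel.NU files: it writes a forward zone and the matching reverse zone for the post's intranet (with constructed hosts ns1, gw and www) and then checks that every A record inside 10.20.30.0/24 has a PTR pointing back at it and every PTR has an A, the mismatch that most often creeps in when the two files are edited by hand. The domain follows the post's assumptions (intra.yourdomain.nl).

```shell
#!/bin/sh
# Added example, not the SoCruel.NU zone files: writes a forward and a reverse
# zone for the post's intranet (constructed hosts) and checks that the A and
# PTR records agree with each other.
set -eu

ORIGIN="intra.yourdomain.nl."   # forward zone origin, with trailing dot
PREFIX="10.20.30"               # the /24 the reverse zone covers
SERIAL="2018082101"             # YYYYMMDDnn; raise it on every change
# 10.20.30 -> 30.20.10.in-addr.arpa.
REVERSE_ORIGIN=$(echo "$PREFIX" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa." }')

# write_forward_zone <path>: hostnames to addresses.
write_forward_zone() {
    cat > "$1" <<EOF
\$ORIGIN ${ORIGIN}
\$TTL 3600
@       IN  SOA ns1.${ORIGIN} hostmaster.${ORIGIN} (
            ${SERIAL}  ; serial
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            3600 )      ; negative cache TTL
        IN  NS  ns1.${ORIGIN}
ns1     IN  A   ${PREFIX}.1
gw      IN  A   ${PREFIX}.254
www     IN  A   ${PREFIX}.10
EOF
}

# write_reverse_zone <path>: addresses back to hostnames.
write_reverse_zone() {
    cat > "$1" <<EOF
\$ORIGIN ${REVERSE_ORIGIN}
\$TTL 3600
@       IN  SOA ns1.${ORIGIN} hostmaster.${ORIGIN} (
            ${SERIAL} 3600 900 1209600 3600 )
        IN  NS  ns1.${ORIGIN}
1       IN  PTR ns1.${ORIGIN}
254     IN  PTR gw.${ORIGIN}
10      IN  PTR www.${ORIGIN}
EOF
}

# check_forward_reverse <forward-zone> <reverse-zone>: return 1 if any A
# record inside the /24 lacks a PTR pointing back at it, or any PTR lacks
# an A record; each mismatch is printed.
check_forward_reverse() {
    awk -v origin="$ORIGIN" -v prefix="$PREFIX" '
        FNR == 1 { file++ }
        # forward file: "<host> IN A <ip>"; hosts outside the /24 have no
        # PTR in this reverse zone and are skipped
        file == 1 && $2 == "IN" && $3 == "A" {
            n = split($4, o, ".")
            if (n != 4 || (o[1] "." o[2] "." o[3]) != prefix) next
            fwd[o[4]] = $1 "." origin
        }
        # reverse file: "<last octet> IN PTR <fqdn>"
        file == 2 && $2 == "IN" && $3 == "PTR" { rev[$1] = $4 }
        END {
            rc = 0
            for (k in fwd)
                if (!(k in rev) || rev[k] != fwd[k]) {
                    print "A " fwd[k] " -> " prefix "." k " has no matching PTR"
                    rc = 1
                }
            for (k in rev)
                if (!(k in fwd)) {
                    print "PTR " prefix "." k " -> " rev[k] " has no matching A"
                    rc = 1
                }
            exit rc
        }' "$1" "$2"
}

# Stand-alone run: write both zones to a scratch directory and check them;
# copy them to /var/nsd once reviewed.
D=$(mktemp -d)
write_forward_zone "$D/zone.intra.yourdomain.nl"
write_reverse_zone "$D/zone.30.20.10"
check_forward_reverse "$D/zone.intra.yourdomain.nl" "$D/zone.30.20.10"
echo "zones written to $D and consistent"
```

After copying the files into /var/nsd, nsd-checkzone intra.yourdomain.nl /var/nsd/zone.intra.yourdomain.nl checks the zone syntax. To see the whole chain work, query NSD directly with drill -p 53530 www.intra.yourdomain.nl @127.0.0.1 and then through Unbound with drill www.intra.yourdomain.nl @10.20.30.1 and drill -x 10.20.30.10 @10.20.30.1; an answer from NSD but SERVFAIL from Unbound usually means Unbound is still refusing to query localhost or is trying to DNSSEC-validate the unsigned intranet zone.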

What this setup does

Unbound listens on the intranet interface and receives all DNS queries. When it gets a query for either intra.domain.nl. or 30.20.10.in-addr.arpa. it forwards it to NSD, which listens on localhost on port 53530 and handles both zones. All other queries are forwarded to 1.2.3.4 and 5.6.7.8. When Unbound receives an answer it does not yet have cached, it caches it so that it can answer the same query itself the next time it is asked.

Resources

Some resources used for this subject:

Updated: August 21, 2018