Running nsd and unbound on OpenBSD 5.7
I started replacing Bind with nsd/unbound on the previous OpenBSD release. Now it's time to update to OpenBSD 5.7 and make sure it still works.
The system
The server is running OpenBSD 5.7 amd64 and stock daemons.
# uname -a
OpenBSD panthera.tumfatig.net 5.7 GENERIC.MP#881 amd64
# nsd -v
NSD version 4.1.1
(...)
# unbound -dv
[1436899816] unbound[18443:0] notice: Start of unbound 1.5.2.
^C
The authoritative DNS name server
nsd is the authoritative server for the local zones. It listens on port 8053 on every interface (0.0.0.0 in the configuration below) and is only queried by the unbound daemon, which hands the local zones to it; clients never talk to it directly. Because of the 0.0.0.0 binding it is reachable from the LAN as well, so either bind it to 127.0.0.1 and point the unbound stub-addr entries there, or make sure pf only lets the resolver host reach port 8053.
The configuration is simple:
# diff /var/nsd/etc/nsd.conf.orig /var/nsd/etc/nsd.conf
8c8
< # ip-address: 192.0.2.53@5678
---
> ip-address: 0.0.0.0@8053
21,23c21,23
< #zone:
< # name: "example.com"
< # zonefile: "example.com"
---
> zone:
> name: "tumfatig.net"
> zonefile: "tumfatig.net"
25a26,33
>
> zone:
> name: "carnat.net"
> zonefile: "carnat.net"
>
> zone:
> name: "192.in-addr.arpa"
> zonefile: "192.in-addr.arpa"
Starting the daemon as usual:
# rcctl enable nsd
# rcctl start nsd
And a few checks to ensure it works:
# nsd-control status
version: 4.1.1
verbosity: 0
ratelimit: 200
# nsd-control zonestatus tumfatig.net
zone: tumfatig.net
state: master
# nsd-control zonestatus openbsd.org
error zone openbsd.org not configured
# dig @localhost -p 8053 -t mx carnat.net +short
10 internal.tumfatig.net.
# dig @localhost -p 8053 -t ns tumfatig.net +short
internal.tumfatig.net.
The DNS resolver
This daemon is the recursive resolver used by clients for name resolution.
The configuration sets the listening interface, lists which clients may query it (unbound refuses every source not explicitly allowed in access-control, so opening the interface does not make it an open resolver), turns on DNSSEC validation with the root trust anchor, enables remote control, and forwards the local zones to nsd as stub-zones. The nodefault on 168.192.in-addr.arpa. is needed because unbound otherwise answers RFC 1918 reverse lookups itself instead of asking the stub:
# diff /var/unbound/etc/unbound.conf.orig /var/unbound/etc/unbound.conf
4c4
< interface: 127.0.0.1
---
> interface: 0.0.0.0
10a11
> access-control: 192.168.0.0/24 allow
19c20
< #auto-trust-anchor-file: "/var/unbound/db/root.key"
---
> auto-trust-anchor-file: "/var/unbound/db/root.key"
24c25
< #local-zone: "local." static
---
> local-zone: "168.192.in-addr.arpa." nodefault
50a52,68
>
> remote-control:
> control-enable: yes
> control-interface: 127.0.0.1
>
> stub-zone:
> name: "tumfatig.net"
> stub-addr: 192.168.0.150@8053
>
> stub-zone:
> name: "carnat.net"
> stub-addr: 192.168.0.150@8053
>
> stub-zone:
> name: "0.168.192.in-addr.arpa."
> stub-addr: 192.168.0.150@8053
>
Configure the remote control utility:
# unbound-control-setup
setup in directory /var/unbound/etc
generating unbound_server.key
(...)
generating unbound_control.key
(...)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
(...)
Setup success. Certificates created. Enable in unbound.conf file to use
Finally start the daemon and check it works:
# rcctl enable unbound
# rcctl start unbound
# unbound-control status
version: 1.5.2
(...)
unbound (pid 28443) is running...
# unbound-control list_stubs
. IN stub prime M.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 2001:dc3::35 2001:500:3::42 2001:7fd::1 2001:503:c27::2:30 2001:7fe::53 2001:500:1::803f:235 2001:500:2f::f 2001:500:2d::d 2001:500:2::c 2001:500:84::b 2001:503:ba3e::2:30 202.12.27.33 199.7.83.42 193.0.14.129 192.58.128.30 192.36.148.17 128.63.2.53 192.112.36.4 192.5.5.241 192.203.230.10 199.7.91.13 192.33.4.12 192.228.79.201 198.41.0.4
carnat.net. IN stub noprime 192.168.0.150
tumfatig.net. IN stub noprime 192.168.0.150
0.168.192.in-addr.arpa. IN stub noprime 192.168.0.150
# dig @localhost -t mx tumfatig.net +short
10 internal.tumfatig.net.
# dig @localhost www.openbsd.org +short
129.128.5.194
Everything is still working. Great news.
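The checks above go through dig and the two control utilities. As an added example that is not part of the original post, the Python script below tests the two properties this setup relies on over raw UDP: nsd, reachable on 192.168.0.150@8053 as configured above, must answer its own zones authoritatively (AA set) and refuse names it does not serve without advertising recursion (REFUSED, RA clear), so binding it to 0.0.0.0 does not turn it into an open recursor; unbound must recurse (RA set) and, with auto-trust-anchor-file enabled, set the AD flag on answers from signed zones. The unbound address 127.0.0.1:53, openbsd.org as a name nsd is not configured for (nsd-control reported it as such above) and the root SOA as the signed test record are assumptions; nothing on the page signs the stub zones, so AD is not required for them.

```python
"""Added example (not from the original post): checks the two DNS roles set up
above over raw UDP instead of dig.  Addresses are the page's: nsd on
192.168.0.150@8053; unbound on 127.0.0.1, port 53 assumed."""
import secrets
import socket
import struct

NSD = ("192.168.0.150", 8053)      # authoritative only, must never recurse
UNBOUND = ("127.0.0.1", 53)        # validating recursive resolver
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_SOA, TYPE_MX = 1, 6, 15


def encode_name(name):
    """Wire-format a dotted name; '.' (the root) is a single zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True, do=True):
    """One IN question; RD asks for recursion, DO asks for DNSSEC records."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # EDNS0 OPT RR: root owner, TYPE 41, UDP size 1232, DO bit in the TTL field
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return msg


def parse_header(resp):
    """Decode the 12-byte header into the flags the checks below care about."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),   # answer is authoritative
        "ra": bool(flags & 0x0080),   # server offers recursion
        "ad": bool(flags & 0x0020),   # resolver validated the answer (DNSSEC)
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def query(server, name, qtype, timeout=2.0):
    """Send one UDP query and return the parsed response header."""
    txid = secrets.randbelow(65536)   # unpredictable ID, as a real resolver uses
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), server)
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("response does not match query (wrong ID or QR clear)")
    return hdr


def authoritative_problems(own_zone_hdr, foreign_hdr):
    """Authoritative-only server: AA on its zones, REFUSED and no RA elsewhere."""
    problems = []
    if not own_zone_hdr["aa"] or own_zone_hdr["rcode"] != "NOERROR":
        problems.append("own zone not answered authoritatively")
    if foreign_hdr["ra"]:
        problems.append("RA set: server advertises recursion")
    if foreign_hdr["rcode"] != "REFUSED" or foreign_hdr["ancount"]:
        problems.append("foreign name not refused: looks like an open recursor")
    return problems


def resolver_problems(hdr, expect_ad):
    """Validating resolver: RA set, NOERROR, and AD whenever the zone is signed."""
    problems = []
    if not hdr["ra"]:
        problems.append("RA clear: not a recursive resolver")
    if hdr["rcode"] != "NOERROR":
        problems.append("rcode %s" % hdr["rcode"])
    if expect_ad and not hdr["ad"]:
        problems.append("AD clear: answer not validated (trust anchor unused or stale)")
    return problems


if __name__ == "__main__":
    # nsd: its own zone vs. a zone it is not configured for (openbsd.org, as on the page)
    nsd_issues = authoritative_problems(query(NSD, "tumfatig.net", TYPE_MX),
                                        query(NSD, "openbsd.org", TYPE_A))
    # unbound: the unsigned stub zone (no AD expected) and the signed root (AD expected)
    ub_issues = (resolver_problems(query(UNBOUND, "tumfatig.net", TYPE_MX), False)
                 + resolver_problems(query(UNBOUND, ".", TYPE_SOA), True))
    for line in nsd_issues + ub_issues or ["all checks passed"]:
        print(line)
```

Run it from a host inside 192.168.0.0/24 (the only range access-control allows), or on the server itself. The transaction ID is random and checked on the way back, so a stray or spoofed datagram is rejected rather than misread as the answer.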