Running nsd and unbound on OpenBSD 5.7

I started replacing Bind with nsd/unbound on the previous OpenBSD release. Now it’s time to update to OpenBSD 5.7 and ensure it still works.

The system

The server is running OpenBSD 5.7 amd64 and stock daemons.

# uname -a
OpenBSD bagheera.tumfatig.net 5.7 GENERIC.MP#881 amd64

# nsd -v
NSD version 4.1.1
(...)

# unbound -dv
[1436899816] unbound[18443:0] notice: Start of unbound 1.5.2.
^C

The authoritative DNS name server

The nsd server listens on localhost and is queried by the unbound daemon.

The configuration is simple:

# diff /var/nsd/etc/nsd.conf.orig /var/nsd/etc/nsd.conf
8c8
< #     ip-address: 192.0.2.53@5678
---
>       ip-address: 0.0.0.0@8053
21,23c21,23
< #zone:
< #     name: "example.com"
< #     zonefile: "example.com"
---
> zone:
>       name: "tumfatig.net"
>       zonefile: "tumfatig.net"
25a26,33
> 
> zone:
>       name: "carnat.net"
>       zonefile: "carnat.net"
> 
> zone:
>       name: "192.in-addr.arpa"
>       zonefile: "192.in-addr.arpa"

Starting the daemon as usual:

# rcctl enable nsd
# rcctl start nsd

And a few checks to ensure it works:

# nsd-control status
version: 4.1.1
verbosity: 0
ratelimit: 200

# nsd-control zonestatus tumfatig.net
zone:   tumfatig.net
        state: master

# nsd-control zonestatus openbsd.org
error zone openbsd.org not configured

# dig @localhost -p 8053 -t mx carnat.net +short
10 internal.tumfatig.net.

# dig @localhost -p 8053 -t ns tumfatig.net +short
internal.tumfatig.net.

The DNS resolver

This daemon is used by clients for name resolution.

The configuration covers the listening interface, who may query it, and forwarding requests for the local zones to nsd:

# diff /var/unbound/etc/unbound.conf.orig /var/unbound/etc/unbound.conf
4c4
<       interface: 127.0.0.1
---
>       interface: 0.0.0.0
10a11
>       access-control: 192.168.0.0/24 allow
19c20
<       #auto-trust-anchor-file: "/var/unbound/db/root.key"
---
>       auto-trust-anchor-file: "/var/unbound/db/root.key"
24c25
<       #local-zone: "local." static
---
>       local-zone: "168.192.in-addr.arpa." nodefault
50a52,68
> 
> remote-control:
>       control-enable: yes
>       control-interface: 127.0.0.1
> 
> stub-zone:
>       name: "tumfatig.net"
>       stub-addr: 192.168.0.150@8053
> 
> stub-zone:
>       name: "carnat.net"
>       stub-addr: 192.168.0.150@8053
> 
> stub-zone:
>       name: "0.168.192.in-addr.arpa."
>       stub-addr: 192.168.0.150@8053
> 

Configure the remote control utility:

# unbound-control-setup
setup in directory /var/unbound/etc
generating unbound_server.key
(…)
generating unbound_control.key
(…)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
(…)
Setup success. Certificates created. Enable in unbound.conf file to use

Finally start the daemon and check it works:

# rcctl enable unbound
# rcctl start unbound

# unbound-control status
version: 1.5.2
(...)
unbound (pid 28443) is running...

# unbound-control list_stubs
. IN stub prime M.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 2001:dc3::35 2001:500:3::42 2001:7fd::1 2001:503:c27::2:30 2001:7fe::53 2001:500:1::803f:235 2001:500:2f::f 2001:500:2d::d 2001:500:2::c 2001:500:84::b 2001:503:ba3e::2:30 202.12.27.33 199.7.83.42 193.0.14.129 192.58.128.30 192.36.148.17 128.63.2.53 192.112.36.4 192.5.5.241 192.203.230.10 199.7.91.13 192.33.4.12 192.228.79.201 198.41.0.4
carnat.net. IN stub noprime 192.168.0.150
tumfatig.net. IN stub noprime 192.168.0.150
0.168.192.in-addr.arpa. IN stub noprime 192.168.0.150

# dig @localhost -t mx tumfatig.net +short
10 internal.tumfatig.net.

# dig @localhost www.openbsd.org +short
129.128.5.194
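As an added consistency check (my own example, not part of the original post), the following Python cross-checks the two configurations above: every unbound stub-zone must fall under a zone nsd serves and point at nsd's listening port, a reverse stub under 168.192.in-addr.arpa needs the matching local-zone nodefault (unbound otherwise answers that zone itself), and a resolver listening beyond 127.0.0.1 must carry an access-control rule. The config text is a constructed excerpt of the diffs above, and the parser assumes IPv4 addresses only.

```python
# Constructed excerpts of both files (not the author's); 192.168.0.150 is the nsd host.
NSD_CONF = """server:
    ip-address: 0.0.0.0@8053
zone:
    name: "tumfatig.net"
zone:
    name: "192.in-addr.arpa"
"""
UNBOUND_CONF = """server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/24 allow
    local-zone: "168.192.in-addr.arpa." nodefault
stub-zone:
    name: "tumfatig.net"
    stub-addr: 192.168.0.150@8053
stub-zone:
    name: "0.168.192.in-addr.arpa."
    stub-addr: 192.168.0.150@8053
"""

def parse(text):  # minimal nsd/unbound config parser -> [(clause, {attr: [values]})]
    clauses = []
    for line in text.splitlines():
        key, _, value = line.split("#")[0].strip().partition(":")
        if key and not value.strip():   # "server:" / "zone:" / "stub-zone:" opens a clause
            clauses.append((key, {}))
        elif key:
            clauses[-1][1].setdefault(key, []).append(value.replace('"', "").strip())
    return clauses

def under(name, zone):  # name equals zone or lies below it (case and trailing dot ignored)
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def check(nsd_text, unbound_text):  # returns findings; [] means the split is consistent
    nsd, unb = parse(nsd_text), parse(unbound_text)
    nsd_port = dict(nsd)["server"]["ip-address"][0].partition("@")[2] or "53"
    srv = dict(unb)["server"]
    nodefault = [v.split()[0] for v in srv.get("local-zone", []) if v.endswith("nodefault")]
    findings = []
    if srv.get("interface", ["127.0.0.1"])[0] != "127.0.0.1" and not srv.get("access-control"):
        findings.append("unbound listens beyond localhost without any access-control")
    for name, addr in [(c["name"][0], c["stub-addr"][0]) for k, c in unb if k == "stub-zone"]:
        if not any(under(name, c["name"][0]) for k, c in nsd if k == "zone"):
            findings.append(f"{name}: no nsd zone covers it")
        if (addr.partition("@")[2] or "53") != nsd_port:
            findings.append(f"{name}: stub-addr {addr} does not use nsd port {nsd_port}")
        if under(name, "168.192.in-addr.arpa") and not any(under(name, z) for z in nodefault):
            findings.append(f"{name}: unbound's default local-zone answers it; add nodefault")
    return findings
```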

Everything is still working. Great news.

2 Comments

  • Anonymous Tue, 14 Jul 2015 22:17:30 +0000

    Nice post!

    You should use unified diff(1), i.e: diff -u. It’s more readable than context format IMHO.

    • Joel Carnat (Author) Wed, 15 Jul 2015 10:10:19 +0000

      Thanks Bryan. I’ll use it next time.
