Way back in 2020, I wrote a tutorial on how to use NSD (Name Server Daemon) to create an authoritative DNS server you can run on your VPSes.  NSD doesn’t require much in the way of resources and is very lightweight compared to BIND, which makes it ideal for the hobbyists.  I also did a video tutorial on LowEndBoxTV.

When I did the tutorial here on LEB, I set it up with rsync for the zone transfers because…I honestly don’t remember why I did that.  The proper thing is to let NSD do zone transfers, which is a core part of DNS.  I corrected that in the video tutorial.

Now we’re going to go over the tutorial again in text form, updated for 2024.  This time we’ll configure a DNS zone with proper transfers.  Let’s go!

The Domain and VPSes

I’m going to be setting up two nameservers.  I spun up a couple VMs on Vultr.  They’re both Debian 12.  These will be for the lowend.vip domain.

ns1.lowend.vip 149.28.254.206
ns2.lowend.vip 144.202.76.207

Let’s start at Porkbun, actually, where is the registrar.  We need to setup authoritative nameservers and glue records.  The panel interface will be different if you’re using a different registrar, but every registrar will offer an interface to change these settings.

Authoritative nameservers answer the question “what are the legitimate nameservers (DNS servers) for this domain”.  But how does someone querying the domain where they are?  It’s a chicken-egg problem.  How can someone look up a DNS entry when they need to know where DNS is?  that’s the problem glue records solve.  They are the initial bread crumb trail to the DNS servers themselves.

At Porkbun, I go to my list of domains, click Details, and then select Glue Records.

Then I clicked Manage, and entered the hostname and IPs for ns1 and ns2.

Next we’ll update the Authoritative Nameservers.   Go back to Details and click Authoritative Nameservers:

They’re set to the Porkbun DNS servers by default.  I deleted that and added my DNS servers (defined in the glue records):

And we’re done at the registrar.

Setting Up NSD

Let’s get NSD up and running on our VPSes.

apt install nsd

cd /etc/nsd
mv nsd.conf nsd.conf.dist

Here is my nsd.conf on ns1:

server:
  ip-address: 149.28.254.206
  hide-version: yes
  database: "/var/lib/nsd/nsd.db"
  server-count: 1
  verbosity: 2

key:
  name: "my-secret"
  algorithm: hmac-sha512
  secret: abhnilvmqpVn9FODGFfCyj2gAhU21nQNLXWxLWOxVCw=

zone:
  name: lowend.vip
  zonefile: /etc/nsd/zones/lowend.vip
  notify: 144.202.76.207 my-secret
  provide-xfr: 144.202.76.207 my-secret

• ip-address: this is the IP address for ns1.lowend.vip
• hide-version: we won’t reveal the version of NSD in any of our greetings or protocol responses.  If someday there is a NSD 0-day vulnerability, at least we won’t advertise we’re running an unpatched version.
• database: where the binary database is kept (not the human-editable zone files)
• server-count: how many NSD daemons to start at run-time.  If you have busy zones, you may want to start more.
• verbosity: how verbose to be in the logs.  I’ve cranked it up for tutorial purposes.

The “secret” stanza controls authentication for zone transfers.  We define the shared secret we’re going to use.  The secret is named “my-secret”.  I generated the secret key via this command:

openssl rand -base64 32

but of course you can use whatever method you prefer.

Finally, we define zones.  If you have a lot, consider putting each zone in a file and leveraging the include: directive.  Because we are only using one for this tutorial, I’m just putting it in the base nsd.conf.

• name: the domain
• zonefile: where we save the human-editable text.  In this case, I’m putting my zones in /etc/nsd/zones
• notify: which DNS slaves to notify when there is a change, and what secret we use
• provide-xfr: which servers are allowed to get zone transfers, and what secret to use

• Port 53 udp: this should be opened to the world, because that’s how DNS records are served.
• Port 53 tcp: this needs to be opened only to your other DNS servers.  DNS zone transfers (which are only done by authorized name servers – in this case, ns2) are done over port 53 tcp.

server:
  ip-address: 144.202.76.207
  hide-version: yes
  database: "/var/lib/nsd/nsd.db"
  server-count: 1
  verbosity: 2

key:
  name: "my-secret"
  algorithm: hmac-sha512
  secret: abhnilvmqpVn9FODGFfCyj2gAhU21nQNLXWxLWOxVCw=

zone:
  name: lowend.vip
  zonefile: /etc/nsd/zones/lowend.vip
  allow-notify: 149.28.254.206 my-secret
  request-xfr: AXFR 149.28.254.206@53 my-secret

mkdir /etc/nsd/zones

$ORIGIN lowend.vip.
$TTL 3600

@ IN SOA ns1.lowend.vip admin.lowend.vip (
  202404011 ; serial number
  28800 ; Refresh
  7200 ; Retry
  864000 ; Expire
  86400 ; Min TTL
)

IN NS ns1.lowend.vip.
IN NS ns2.lowend.vip.

ns1 IN A 149.28.254.206
ns2 IN A 144.202.76.207
bigvps IN A 1.23.45.100
www IN CNAME bigvps

systemctl enable nsd
systemctl restart nsd

2024-03-18T13:34:13.735090-07:00 ns1 systemd[1]: Stopped nsd.service - Name Server Daemon.
2024-03-18T13:34:13.741588-07:00 ns1 systemd[1]: Starting nsd.service - Name Server Daemon...
2024-03-18T13:34:13.767625-07:00 ns1 nsd[16395]: nsd starting (NSD 4.6.1)
2024-03-18T13:34:13.767898-07:00 ns1 nsd[16395]: [2024-03-18 13:34:13.767] nsd[16395]: notice: nsd starting (NSD 4.6.1)
2024-03-18T13:34:13.804355-07:00 ns1 nsd[16398]: zone lowend.vip read with success
2024-03-18T13:34:13.808870-07:00 ns1 nsd[16398]: [2024-03-18 13:34:13.808] nsd[16398]: info: zone lowend.vip read with success
2024-03-18T13:34:13.809132-07:00 ns1 nsd[16398]: zone lowend.vip written to db
2024-03-18T13:34:13.809291-07:00 ns1 nsd[16398]: [2024-03-18 13:34:13.809] nsd[16398]: info: zone lowend.vip written to db
2024-03-18T13:34:13.815895-07:00 ns1 nsd[16398]: nsd started (NSD 4.6.1), pid 16395
2024-03-18T13:34:13.815934-07:00 ns1 nsd[16398]: [2024-03-18 13:34:13.815] nsd[16398]: notice: nsd started (NSD 4.6.1), pid 16395
2024-03-18T13:34:13.817896-07:00 ns1 systemd[1]: Started nsd.service - Name Server Daemon.

Let’s go start on ns2:

mkdir /etc/nsd/zones
systemctl enable nsd
systemctl restart nsd

In /var/log/syslog, we see:

2024-03-18T13:47:47.869109-07:00 ns2 systemd[1]: Started nsd.service - Name Server Daemon.
2024-03-18T13:47:47.870845-07:00 ns2 nsd[15824]: xfrd: zone lowend.vip committed "received update to serial 2024104011 at 2024-03-18T13:47:47 from 149.28.254.206@53 TSIG verified with key my-secret"
2024-03-18T13:47:47.871385-07:00 ns2 nsd[15824]: [2024-03-18 13:47:47.870] nsd[15824]: info: xfrd: zone lowend.vip committed "received update to serial 2024104011 at 2024-03-18T13:47:47 from 149.28.254.206@53 TSIG verified with key my-secret"
2024-03-18T13:47:47.872244-07:00 ns2 nsd[15825]: zone lowend.vip. received update to serial 2024104011 at 2024-03-18T13:47:47 from 149.28.254.206@53 TSIG verified with key my-secret of 233 bytes in 3.2e-05 seconds
2024-03-18T13:47:47.872287-07:00 ns2 nsd[15825]: [2024-03-18 13:47:47.872] nsd[15825]: info: zone lowend.vip. received update to serial 2024104011 at 2024-03-18T13:47:47 from 149.28.254.206@53 TSIG verified with key my-secret of 233 bytes in 3.2e-05 seconds
2024-03-18T13:47:47.876295-07:00 ns2 nsd[15824]: zone lowend.vip serial 0 is updated to 2024104011
2024-03-18T13:47:47.876349-07:00 ns2 nsd[15824]: [2024-03-18 13:47:47.876] nsd[15824]: info: zone lowend.vip serial 0 is updated to 2024104011

On ns1, the log has:

2024-03-18T13:47:47.871552-07:00 ns1 nsd[16399]: axfr for lowend.vip. from 144.202.76.207
2024-03-18T13:47:47.872312-07:00 ns1 nsd[16399]: [2024-03-18 13:47:47.871] nsd[16399]: info: axfr for lowend.vip. from 144.202.76.207

Sweet!

On my home PC:

$ nslookup www.lowend.vip
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
www.lowend.vip canonical name = bigvps.lowend.vip.
Name: bigvps.lowend.vip
Address: 1.23.45.100

So we’re up and running.

Now let’s add a record.  We’ll modify /etc/nsd/zones/lowend.vip as follows:

$ORIGIN lowend.vip.
$TTL 3600

@ IN SOA ns1.lowend.vip admin.lowend.vip (
  202404012 ; serial number
  28800 ; Refresh
  7200 ; Retry
  864000 ; Expire
  86400 ; Min TTL
)

IN NS ns1.lowend.vip.
IN NS ns2.lowend.vip.

ns1 IN A 149.28.254.206
ns2 IN A 144.202.76.207
bigvps IN A 1.23.45.100
www IN CNAME bigvps
server1 IN A 4.5.6.7

I added a record for server1.lowend.vip, and then updated the serial number.  Then reload nsd.  This doesn’t stop/start, but rather tells nsd to keep serving records while reloading configs:

nsd-control reload

This will also push the change to ns2.  In the ns2 logs we see:

2024-03-18T13:53:48.758673-07:00 ns2 nsd[15824]: [2024-03-18 13:53:48.758] nsd[15824]: info: zone lowend.vip serial 2024104011 is updated to 2024104012

And at home:

$ nslookup server1.lowend.vip
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: server1.lowend.vip
Address: 4.5.6.7

NSD is how up and working on both nodes and both nodes are in sync.

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• COMMUNITY NEWS: RackNerd LLC, Global IaaS Provider, Expands European Footprint with New Dublin, Ireland Datacenter - November 16, 2024
• Hey Providers – Want Some FREE Advertising During the SuperBowl? - November 14, 2024
• Inception Hosting is Closing Its Doors - November 12, 2024