
Setting Up an Internal DNS Server Using NSD and Unbound

Makoto Morinaga

Managing multiple services within a LAN environment can become challenging, especially when keeping track of which services run on which servers. Using domain names instead of IP addresses simplifies access and allows for easier migration of services without modifying bookmarks or configurations.

An internal DNS server resolves these names within the local network. While BIND is the common choice, this setup splits the job across two daemons on Arch Linux: NSD acts as the authoritative server for the internal zone and listens only on localhost, and Unbound is the caching resolver that LAN clients actually talk to, sending queries for the internal zone to NSD and everything else to an upstream forwarder.

NSD (Authoritative DNS Server) Setup

Installing NSD

Execute the following command to install NSD:

Terminal
sudo pacman -S nsd

Initial Configuration

Edit /etc/nsd/nsd.conf with the following settings. Unbound will own port 53, so NSD is bound to 127.0.0.1 on port 53530 to avoid the conflict; LAN clients never talk to NSD directly, only Unbound does. hide-version and identity keep the server from revealing its software version in CHAOS-class queries.

/etc/nsd/nsd.conf
server:
    ip-address: 127.0.0.1
    do-ip6: no
    port: 53530
    zonesdir: "/etc/nsd/zone"
    hide-version: yes
    identity: "Home network authoritative DNS"

zone:
    name: "mkt3.dev"
    zonefile: "mkt3.dev.zone"

Zone File Configuration

Edit the zone file specified in nsd.conf (e.g., mkt3.dev.zone) as follows. Increase the serial on every change; it is what secondaries and NOTIFY use to detect a new version of the zone, and the YYYYMMDDnn convention used here makes that easy to track. Note that mkt3.dev is a name under a public TLD: inside the LAN this zone shadows whatever the public DNS says for it, so only do this for a domain you control (otherwise use a name under a domain you own, or the reserved home.arpa from RFC 8375). Also, the whole .dev TLD is on the browsers' HSTS preload list, so internal web services under it must be served over HTTPS.

/etc/nsd/zone/mkt3.dev.zone
$TTL 86400
@ IN SOA ns.mkt3.dev. postmaster.mkt3.dev. (
        2018071301 ; Serial
        28800 ; Refresh
        14400 ; Retry
        3600000 ; Expire
        86400 ) ; Minimum
@  IN NS ns.mkt3.dev.
ns IN A  192.168.10.10

Starting and Enabling NSD

Start the NSD service:

Terminal
sudo systemctl start nsd.service

Enable NSD at boot:

Terminal
sudo systemctl enable nsd.service

Verifying NSD Operation

Query NSD directly on its local port and check that the A record for ns.mkt3.dev comes back with rcode NOERROR and the aa (authoritative answer) flag set:

Terminal
drill @127.0.0.1 -p 53530 ns.mkt3.dev
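As an added example (not from the original post), here is a small POSIX shell script that regenerates the zone file above from a host list instead of editing it by hand. It picks a serial that always increases (date-based like the post's 2018071301, but it keeps counting past ...99 instead of stalling), refuses to put a non-RFC 1918 address into the internal zone, and runs nsd-checkzone before swapping the file in and asking NSD to reload. The extra hosts (nas, git) and the ZONE_FILE variable are assumptions; nsd-control reload requires remote-control to be enabled in nsd.conf, so substitute sudo systemctl restart nsd.service if it is not.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate /etc/nsd/zone/mkt3.dev.zone
# from a host list with an always-increasing serial, refusing public addresses
# so the internal zone only ever hands out RFC 1918 space.
# Assumptions: POSIX sh, date(1), nsd-checkzone/nsd-control from NSD 4; the
# hosts nas and git below are made up.
set -eu

# Serial policy: YYYYMMDD01 on a fresh day, otherwise old+1. The serial only
# has to increase, so after ...99 we simply keep counting (2024010299 -> 2024010300).
next_serial() {
    old=$1 today=$2
    new=$((today * 100 + 1))
    [ "$new" -gt "$old" ] || new=$((old + 1))
    echo "$new"
}

# Serial currently in a zone file laid out like the post's (0 if no file yet).
current_serial() {
    [ -f "$1" ] || { echo 0; return; }
    awk '/SOA/ {soa=1} soa && /; *Serial/ {print $1; exit}' "$1"
}

# True if dotted-quad $1 is in 10/8, 172.16/12 or 192.168/16.
is_private_v4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) second=${1#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
               return 1 ;;
        *) return 1 ;;
    esac
}

# render_zone ORIGIN NS_HOST NS_IP SERIAL ["host ip" ...]
# Prints the zone in the same layout the post uses; the NS host gets its own
# A record so the NS target is resolvable inside the zone.
render_zone() {
    origin=$1 ns=$2 ns_ip=$3 serial=$4
    shift 4
    for entry in "$ns $ns_ip" "$@"; do
        is_private_v4 "${entry#* }" || {
            echo "refusing non-RFC1918 address in internal zone: $entry" >&2
            return 1
        }
    done
    printf '$TTL 86400\n'
    printf '@ IN SOA %s.%s. postmaster.%s. (\n' "$ns" "$origin" "$origin"
    printf '        %s ; Serial\n' "$serial"
    printf '        28800 ; Refresh\n        14400 ; Retry\n'
    printf '        3600000 ; Expire\n        86400 ) ; Minimum\n'
    printf '@ IN NS %s.%s.\n' "$ns" "$origin"
    for entry in "$ns $ns_ip" "$@"; do
        printf '%s IN A %s\n' "${entry% *}" "${entry#* }"
    done
}

# Rewrite the zone with a bumped serial, validate it, then reload NSD.
# Run as root; ZONE_FILE follows the zonesdir/zonefile pair in nsd.conf.
update_zone() {
    zone_file=${ZONE_FILE:-/etc/nsd/zone/mkt3.dev.zone}
    serial=$(next_serial "$(current_serial "$zone_file")" "$(date +%Y%m%d)")
    render_zone mkt3.dev ns 192.168.10.10 "$serial" \
        "nas 192.168.10.20" "git 192.168.10.21" > "$zone_file.new"   # hosts: made up
    nsd-checkzone mkt3.dev "$zone_file.new"   # aborts (set -e) before the swap on error
    mv "$zone_file.new" "$zone_file"
    nsd-control reload mkt3.dev               # needs remote-control enabled in nsd.conf
}

if [ "${1:-}" = update ]; then update_zone; fi
```

Run it as sh zone.sh update. Because the check runs on the .new file before the mv, a typo never replaces the zone NSD is currently serving.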

Unbound (Caching DNS Server) Setup

Installing Unbound

Execute the following command to install Unbound:

Terminal
sudo pacman -S unbound

Initial Configuration

Edit /etc/unbound/unbound.conf as follows. interface: 0.0.0.0 makes Unbound listen on every IPv4 address, and access-control limits its use to the LAN subnet (loopback is allowed by default; any other client gets REFUSED). do-not-query-localhost: no is required because the stub zone below points at 127.0.0.1, which Unbound otherwise refuses to query. The stub-zone hands mkt3.dev queries to NSD, and the forward-zone for "." sends everything else to 8.8.8.8. Two caveats if you later harden Unbound: enabling DNSSEC validation (auto-trust-anchor-file) needs domain-insecure: "mkt3.dev", because the internal zone is unsigned and sits under the signed .dev; and enabling private-address to block DNS rebinding needs private-domain: "mkt3.dev", or the RFC 1918 answers coming from the stub zone will be stripped.

/etc/unbound/unbound.conf
server:
  interface: 0.0.0.0
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  access-control: 192.168.10.0/24 allow
  do-ip6: no
  do-not-query-localhost: no

stub-zone:
  name: "mkt3.dev"
  stub-addr: 127.0.0.1@53530

forward-zone:
  name: "."
  forward-addr: 8.8.8.8

Starting and Enabling Unbound

Start the Unbound service:

Terminal
sudo systemctl start unbound.service

Enable Unbound at boot:

Terminal
sudo systemctl enable unbound.service

Verifying Unbound Operation

Query Unbound on port 53 for a public name and for the internal name; both should return NOERROR, and the internal answer should match what NSD returned directly on port 53530:

Terminal
drill @127.0.0.1 -p 53 www.google.co.jp
drill @127.0.0.1 -p 53 ns.mkt3.dev
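The following is an added check script, not part of the original post: it queries NSD and Unbound with drill, parses the answer section instead of eyeballing it, and confirms with ss that NSD is bound only to 127.0.0.1, so a LAN client cannot bypass Unbound's access-control by talking to NSD directly. The SAMPLE_* strings are constructed drill and ss output (not real captures) used by selftest so the parsers can be checked without the daemons running; sh verify-dns.sh run performs the live checks.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end checks for the
# NSD + Unbound split. Assumes drill (ldns) and ss (iproute2 with -H support).
# SAMPLE_DRILL / SAMPLE_SS are constructed, not captured, and only feed selftest.
set -eu

# Print the rdata of every answer-section record for NAME/TYPE from drill
# output on stdin. drill prints fully qualified names with a trailing dot and
# whitespace-separated fields: name ttl class type rdata.
answer_rdata() {
    awk -v n="$1." -v t="$2" '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/ || /^$/        { inans = 0 }
        inans && $1 == n && $4 == t { print $5 }'
}

# Print the local address of every UDP socket listening on PORT, given
# "ss -Hlnu" output on stdin (field 4 is Local Address:Port).
listeners_on() {
    awk -v p=":$1" '
        { n = length($4); l = length(p)
          if (substr($4, n - l + 1) == p) print substr($4, 1, n - l) }'
}

# expect_a SERVER PORT NAME EXPECTED_IP: query and compare the A record.
expect_a() {
    got=$(drill -p "$2" "$3" @"$1" A | answer_rdata "$3" A)
    [ "$got" = "$4" ] || { echo "FAIL $3 via $1:$2 -> '$got' (want $4)" >&2; return 1; }
    echo "ok   $3 via $1:$2 -> $got"
}

verify_all() {
    # 1. NSD answers its own zone on the loopback-only port.
    expect_a 127.0.0.1 53530 ns.mkt3.dev 192.168.10.10
    # 2. Unbound relays the internal zone to NSD and resolves public names.
    expect_a 127.0.0.1 53 ns.mkt3.dev 192.168.10.10
    drill www.google.co.jp @127.0.0.1 | grep -q 'rcode: NOERROR' \
        || { echo "FAIL public resolution via Unbound" >&2; return 1; }
    echo "ok   public name resolves via Unbound"
    # 3. NSD must be reachable only via loopback; Unbound is the LAN-facing daemon.
    nsd_listen=$(ss -Hlnu | listeners_on 53530 | sort -u)
    [ "$nsd_listen" = 127.0.0.1 ] \
        || { echo "FAIL NSD listens on: $nsd_listen (expected 127.0.0.1 only)" >&2; return 1; }
    echo "ok   NSD bound to loopback only; Unbound listens on: $(ss -Hlnu | listeners_on 53 | tr '\n' ' ')"
}

# Constructed samples (not real captures) so the parsers can be exercised
# without the daemons running.
SAMPLE_DRILL=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12345
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; ns.mkt3.dev. IN A

;; ANSWER SECTION:
ns.mkt3.dev. 86400 IN A 192.168.10.10

;; AUTHORITY SECTION:
mkt3.dev. 86400 IN NS ns.mkt3.dev.
'
SAMPLE_SS='UNCONN 0 0 127.0.0.1:53530 0.0.0.0:*
UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*'

selftest() {
    [ "$(printf '%s\n' "$SAMPLE_DRILL" | answer_rdata ns.mkt3.dev A)" = 192.168.10.10 ] || return 1
    [ -z "$(printf '%s\n' "$SAMPLE_DRILL" | answer_rdata mkt3.dev NS)" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_SS" | listeners_on 53530)" = 127.0.0.1 ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_SS" | listeners_on 53)" = 0.0.0.0 ] || return 1
    echo "selftest ok"
}

if [ "${1:-}" = run ]; then selftest && verify_all; fi
```

Check 3 is the one that matters most for the security of this layout: if NSD ever ends up on 0.0.0.0, the access-control in unbound.conf no longer covers the internal zone, because any LAN host can query 53530 directly.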

Configuring iptables

To expose the DNS server within the LAN, allow access to port 53 (Unbound's port; NSD on 53530 stays reachable only from localhost and needs no rule). Unbound's access-control already refuses clients outside 192.168.10.0/24, but if the machine has a second network interface it is safer to also restrict these rules with -s 192.168.10.0/24 or -i and the LAN interface name, and to persist them so they survive a reboot:

Terminal
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

For further details, refer to: iptables Configuration.
