OpenBSD DNS name server
autoritative nameserver for domain names
Dithematic configuration and guide for self-hosting DNS
PowerDNS features on OpenBSD's NSD shoulders
Minimum requirements
- 512MB RAM, 10GB SSD
- reverse DNS (record type PTR) for each nameserver IP configured on hosting provider, with the primary DOMAIN_NAME
Grab a copy of this repository, and put overrides in "Makefile.local" e.g.
# Makefile.local
EGRESS = vio0
DOMAIN_NAME = example.com
MASTER = yes
MASTER_HOST = dot
IPv4 = 203.0.113.3
IPv6 = 2001:0db8::3
UPGRADE = yes
n.b. UPGRADE uses sdiff
side-by-side diff (with new on the right side)
Test
make beforeinstall
Install
make install
Edit zoneadd
to match (or use env
)
# Dithematic IP
MASTER_IP="${MASTER_IP:-\
203.0.113.3 \
2001:0db8::3 \
}"
SLAVE_IP="${SLAVE_IP:-\
203.0.113.4 \
2001:0db8::4 \
}" # empty to disable
# Vendor
FREE_SLAVE="${FREE_SLAVE:-\
1984.is \
FreeDNS.afraid.org \
GratisDNS.com \
HE.net \
Puck.nether.net \
}" # empty to disable
n.b. rename and place zone templates in /var/nsd/zones/master
(or start with a blank slate.)
Install DNS zone(s), e.g. on master: example.com
and ddns.example.com
zoneadd example.com
env DDNS=true zoneadd ddns.example.com
Edit a zone
env EDITOR="${EDITOR:-vi}" pdnsutil edit-zone example.com
n.b. place existing TSIG key as tsig.example.com
, CSK (or ZSK) as example.com.CSK
in /etc/ssl/dns/private
(or let zoneadd
generate new keys.)
Setup the TSIG user on all dithematic nameservers, i.e. tsig
su - tsig
ssh-keygen -t ed25519 -C [email protected]
exit
Share TSIG user's public key with all dithematic slave nameservers, and update "known_hosts"
ssh -4 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
ssh -6 -i /home/tsig/.ssh/id_ed25519 -l tsig dig.example.com "exit"
Edit tsig-share
on master to add slave nameserver names
NS="${NS:-dig.example.com}" # (space-separated) domain name(s), or IP(s)
Share master TSIG secret with slave nameservers, e.g.: dig.example.com
env NS="dig.example.com" tsig-share tsig.example.com
DNS UPDATE allowed IPs are managed with authpf(8) i.e. user "puffy" first needs to SSH login on the master name server host to authenticate the IP from which they will next update ddns.example.com zone using e.g. nsupdate (pkg_add isc-bind
) or dnspython (pkg_add py-dnspython
) on their device (skip if not using dynamic DNS)
user add -L authpf -G authdns -c "DDNS user" -s /sbin/nologin -m puffy
Edit "smtpd.conf" and "secrets"
Edit pf table "msa" to add Message Submission Agent IP(s)
Enjoy
dig example.com any
Contributions welcome, fork