
#1 2016-04-16 08:01:26

buovjaga
Member
Registered: 2016-04-16
Posts: 17

[SOLVED] Getting nsd & unbound to talk to each other & outside world

My objective is to host a couple of websites and have DNS on the same server. After getting one domain to work, I would like to also point another domain to the same server and also host email (don't worry, I have some experience fiddling with SPF & DKIM). The server is a Kimsufi from OVH (Atom N2800, 4 GB mem).

I would eventually like to use the secondary nameserver that Kimsufi offers, but it requires an ownercheck TXT field, so I am trying with BuddyNS for now. BuddyNS feels better in this troubleshooting phase.

I don't know a lot about this stuff, but I am trying my best to understand and not just blindly copy & paste stuff.

It appears I am lost on how to make nsd and unbound talk to each other. The symptom is that AXFR to BuddyNS does not work.
The dig result:

; <<>> DiG 9.10.3-P4 <<>> +tcp axfr @my.ip.address.here mysite.fi
; (1 server found)
;; global options: +cmd
; Transfer failed.

Telnet from outside world to my site using port 53 works OK.

For guides I have used the wiki articles:
https://wiki.archlinux.org/index.php/Nsd
https://wiki.archlinux.org/index.php/Unbound

...and the Calomel articles:
https://calomel.org/nsd_dns.html
https://calomel.org/unbound_dns.html

They focus on LAN-facing setups and I am unable to apply them to my situation.
I have also read this to gain understanding on the concepts: https://www.digitalocean.com/community/ … untu-14-04

My configs are below.

/etc/hosts

127.0.0.1 localhost.localdomain localhost
my.ip.address.here             nsxxxxxx.ip-x-xxx-xx.eu nsxxxxxx
my:ipv6:a:ddress::here     nsxxxxxx.ip-x-xxx-xx.eu nsxxxxxx

/etc/hostname

nsxxxxxx

/etc/nsd/nsd.conf

server:
    do-ip4: yes
    ip-address: 127.0.0.1
    port: 53550
    username: nsd
    zonesdir: "/etc/nsd"
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    # if set to "" then no disk-database is used, less memory usage.
    database: ""
    # these are the IPs BuddyNS told me to use
    provide-xfr: 173.244.206.26 NOKEY
    provide-xfr: 88.198.106.11 NOKEY

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"
   
pattern:
    # this pattern is supposed to eventually provide xfr to the Kimsufi secondary nameserver
    name: "tokimsufi"
    # the Kimsufi secondary nameserver IPs
    notify: 213.186.33.199 NOKEY
    provide-xfr: 213.186.33.199 NOKEY

zone:
    name: "mysite.fi"
    zonefile: "mysite.fi.zone"
    include-pattern: "tokimsufi"

zone:
    name: "here.address.ip.in-addr.arpa"
    zonefile: "my.ip.address.zone"
    include-pattern: "tokimsufi"
   

/etc/nsd/mysite.fi.zone

$ORIGIN mysite.fi.
$TTL 1800
@       IN      SOA     nsxxxxxx.ip-x-xxx-xx.eu.      admin.mysite.fi. (
                        2016041501        ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum (negative-cache TTL)
                        )
; Name servers
                        IN      NS      nsxxxxxx.ip-x-xxx-xx.eu.
                        IN      NS      ns.kimsufi.com.

; A records for name servers
mysite.fi.              IN      A       my.ip.address.here
ns                      IN      A       my.ip.address.here

; Additional A records
@                       IN      A       my.ip.address.here
www                     IN      CNAME   mysite.fi.
ownercheck              IN      TXT     "secretcode"


/etc/nsd/my.ip.address.zone

$ORIGIN here.address.ip.in-addr.arpa.
$TTL 1800
@       IN      SOA     nsxxxxxx.ip-x-xxx-xx.eu.      admin.mysite.fi. (
                        2016041501        ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum (negative-cache TTL)
                        )
; Name servers
                        IN      NS      nsxxxxxx.ip-x-xxx-xx.eu.
                        IN      NS      ns.kimsufi.com.

; PTR records
1                       IN      PTR     nsxxxxxx.ip-x-xxx-xx.eu.
2                       IN      PTR     ns.kimsufi.com.
3                       IN      PTR     www.mysite.fi.


/etc/unbound/unbound.conf

server:
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  interface: 127.0.0.1
  interface: my.ip.address.here
 
  local-zone: "here.address.ip.in-addr.arpa." nodefault

  stub-zone:
      name: "mysite.fi"
      stub-addr: 127.0.0.1@53550

  stub-zone:
      name: "here.address.ip.in-addr.arpa"
      stub-addr: 127.0.0.1@53550


I also tried using the server IP in "stub-addr", but it didn't work either.

Last edited by buovjaga (2016-04-24 07:13:01)


#2 2016-04-24 07:11:47

buovjaga
Member
Registered: 2016-04-16
Posts: 17

Re: [SOLVED] Getting nsd & unbound to talk to each other & outside world

I got advice from cks the sysadmin and switched the roles around: now NSD is facing the world and Unbound is listening locally. It works :) Below are working configs.

/etc/resolv.conf

nameserver 127.0.0.1

/etc/nsd/nsd.conf

server:
    ip-address: my.ip.address.here
    ip-address: my:ipv6:a:ddress::here
    username: nsd
    zonesdir: "/etc/nsd"
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    database: ""

zone:
    name: "mysite.fi"
    zonefile: "mysite.fi.zone"
    # provide for BuddyNS
    provide-xfr: 173.244.206.26 NOKEY
    provide-xfr: 88.198.106.11 NOKEY
    provide-xfr: 2607:f0d0:1005:72::100 NOKEY
    provide-xfr: 2a01:4f8:d12:d01::10:100 NOKEY

zone:
    name: "here.address.ip.in-addr.arpa"
    zonefile: "my.ip.address.zone"

/etc/nsd/mysite.fi.zone

$ORIGIN mysite.fi.
$TTL 1800
@       IN      SOA     nsxxxxxx.ip-x-xxx-xx.eu.      admin.mysite.fi. (
                        2016041501        ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum (negative-cache TTL)
                        )
; Name servers
                    IN      NS      nsxxxxxx.ip-x-xxx-xx.eu.
                    IN      NS      d.ns.buddyns.com.

; A records for name servers
mysite.fi.          IN      A       my.ip.address.here
ns                  IN      A       my.ip.address.here

; Additional A records
@                   IN      A       my.ip.address.here
www                 IN      CNAME   mysite.fi.

/etc/nsd/my.ip.address.zone

$ORIGIN here.address.ip.in-addr.arpa.
$TTL 1800
@       IN      SOA     nsxxxxxx.ip-x-xxx-xx.eu.      admin.mysite.fi. (
                        2016041501              ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; minimum (negative-cache TTL)
                        )
; Name servers
                        IN      NS      nsxxxxxx.ip-x-xxx-xx.eu.
                        IN      NS      d.ns.buddyns.com.

; PTR records
1                       IN      PTR     nsxxxxxx.ip-x-xxx-xx.eu.
2                       IN      PTR     d.ns.buddyns.com.
3                       IN      PTR     www.mysite.fi.

/etc/unbound/unbound.conf

server:
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  interface: 127.0.0.1

  # local-zone is a server: option; stub-zone is its own top-level clause
  local-zone: "here.address.ip.in-addr.arpa." nodefault

stub-zone:
  name: "mysite.fi"
  stub-addr: my.ip.address.here

Last edited by buovjaga (2016-04-24 10:32:30)

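The difference between the two posts' nsd.conf files is the whole story: in the first one NSD binds 127.0.0.1 on port 53550, so the BuddyNS secondaries named in provide-xfr can never open the TCP connection an AXFR needs, and dig reports "Transfer failed". The following shell lint is an added example, not part of NSD, Unbound or this thread. It reads an nsd.conf in NSD's clause/option layout and reports whether the configured transfer peers can reach the listener at all. The helper names (nsd_opt, nsd_xfr_reachable) and the sample configs are constructed for this example; the server addresses in the samples are RFC 5737/3849 documentation addresses, while the peer addresses are the BuddyNS ones quoted in the thread.

```shell
#!/bin/sh
# Added lint (hypothetical helper, not NSD's own tooling): does the set of
# provide-xfr peers in an nsd.conf have any chance of reaching the address and
# port NSD binds?  A loopback-only listener or a non-53 port means secondaries
# cannot pull the zone, which is the failure mode in the first post.

# nsd_opt CLAUSE OPTION CONFIG
# Print each value of OPTION inside CLAUSE (e.g. "server:"); CLAUSE "*" searches
# every clause.  Comment and blank lines are skipped; an unindented word such as
# "zone:" starts a new clause, mirroring NSD's own syntax.
nsd_opt() {
    awk -v want="$1" -v opt="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[^[:space:]]/                      { clause = $1; next }
        (want == "*" || clause == want) && $1 == (opt ":") { print $2 }
    ' "$3"
}

# nsd_xfr_reachable CONFIG
# Prints one verdict line.  Returns 0 when transfer peers can reach NSD,
# 1 when the listener is loopback-only or on a port secondaries will not use.
nsd_xfr_reachable() {
    peers=$(nsd_opt '*' provide-xfr "$1")
    if [ -z "$peers" ]; then
        echo "OK: no provide-xfr peers, nothing to reach"
        return 0
    fi
    npeers=$(printf '%s\n' "$peers" | grep -c .)
    port=$(nsd_opt server: port "$1" | head -n 1)
    port=${port:-53}
    listeners=$(nsd_opt server: ip-address "$1")

    # No ip-address at all means NSD binds every interface, which is reachable.
    if [ -n "$listeners" ] && ! printf '%s\n' "$listeners" | grep -qvE '^(127\.|::1$)'; then
        echo "FAIL: $npeers provide-xfr peer(s) but NSD listens only on loopback:" $listeners
        return 1
    fi
    if [ "$port" != 53 ]; then
        echo "FAIL: secondaries query port 53 but NSD listens on port $port"
        return 1
    fi
    echo "OK: $npeers provide-xfr peer(s) can reach NSD on port 53"
    return 0
}

# Constructed samples: "before" mirrors the first post, "after" the second,
# "oddport" is a public listener on the wrong port.
NSD_LINT_DIR=$(mktemp -d)
cat >"$NSD_LINT_DIR/before.conf" <<'EOF'
server:
    do-ip4: yes
    ip-address: 127.0.0.1
    port: 53550
    # these are the IPs BuddyNS told me to use
    provide-xfr: 173.244.206.26 NOKEY
    provide-xfr: 88.198.106.11 NOKEY

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
EOF
cat >"$NSD_LINT_DIR/after.conf" <<'EOF'
server:
    ip-address: 192.0.2.10
    ip-address: 2001:db8::10
    username: nsd

zone:
    name: "mysite.fi"
    zonefile: "mysite.fi.zone"
    provide-xfr: 173.244.206.26 NOKEY
    provide-xfr: 88.198.106.11 NOKEY
EOF
cat >"$NSD_LINT_DIR/oddport.conf" <<'EOF'
server:
    ip-address: 192.0.2.10
    port: 5353
zone:
    name: "mysite.fi"
    provide-xfr: 173.244.206.26 NOKEY
EOF

for f in before after oddport; do
    printf '%-8s ' "$f"
    nsd_xfr_reachable "$NSD_LINT_DIR/$f.conf" || :
done
```

The clause tracking matters: remote-control's control-interface is also 127.0.0.1, but it is not a DNS listener and must not be counted, which is why nsd_opt only takes ip-address from the server: clause while provide-xfr is collected from every clause (server:, pattern: and zone: all accept it). Once this check passes, the remaining test is the one the thread already uses, `dig +tcp axfr @server zone`, run from a host that is in the provide-xfr list and from one that is not; the second should be refused.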