# NSD configuration for Authoritative name server



## selflessscoundrel (Oct 14, 2018)

Ok, so I am having weird issues with NSD.  I thought they were firewall issues but my pf rules seem good.  To rule out firewall issues, I disabled pf and installed nsd on the main server instead of in any kind of jail.

Once I have my config and zone file set, I run `service nsd start` and when I run the command `drill @external-ip ANY mydomain.test` from the nameserver itself I get a response

However, if I go to an external box and try drill or dig I get errors:


```
C:\Users\administrator>nslookup mydomain.test external-ip
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  external-ip

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
```


Here is my NSD config:


```
server:                                       #Server options
        server-count: 1                       #number of CPU cores
        ip-address: external-ip               #IP address
        port: 53                              #Specify port to listen on.  53 is default
        database: ""                          #or use "/var/db/nsd/nsd.db"
        identity: "Server X"                  #String returned for Identity requests
        hide-version: yes                     #Prevents NSD from replying with VER string on CHAOS class queries.
        tcp-count: 100                        #Limit amount of TCP connections - default is 100
        #tcp-query-count: 0                   #Limit number of queries per TCP connection.  Default is 0.
        zonelistfile: "/var/db/nsd/zone.list" #this is used by NSD to dynamically add and remove zones.
                                              #This is the default location.
                                              #Specifically used by nsd-control addzone and deletezone commands
        username: nsd                         #After binding the soccet drop user privs and assume the username
        logfile: "/var/log/nsd.log"
        pidfile: "/var/run/nsd/nsd.pid"
        xfrdfile: "/var/db/nsd/xfrd.state"    #The SOA timeout and zone tranfer daemon in NSD will save state to this fil
e.

zone:
        name: mydomain.test
        zonefile: /usr/local/etc/nsd/mydomain.test.zone
```


----------



## ShelLuser (Oct 14, 2018)

Double check the firewall on the main host, are you sure that allows for incoming DNS traffic? I still recall that other thread and those rules wouldn't work in this scenario.

(edit) and a time-out is nearly always an indication that traffic got blocked somewhere, where the usual suspect is a firewall of some sorts.


----------



## selflessscoundrel (Oct 15, 2018)

ShelLuser said:


> Double check the firewall on the main host, are you sure that allows for incoming DNS traffic? I still recall that other thread and those rules wouldn't work in this scenario.
> 
> (edit) and a time-out is nearly always an indication that traffic got blocked somewhere, where the usual suspect is a firewall of some sorts.



Thank you for following me around these forums, haha.

I asked the hosting provider and they informed me that they do not block port 53.  And I disabled pf so I don't know what firewall would be running.


----------



## rigoletto@ (Oct 15, 2018)

Are you behind of any router/UTM? Did you opened (port forwarded) the port 53 to your machine in there?

You can test if the port is really open using something like THIS site.


----------



## selflessscoundrel (Oct 15, 2018)

Rigoletto said:


> Are you behind of any router/UTM? Did you opened (port forwarded) the port 53 to your machine in there?
> 
> You can test if the port is really open using something like THIS site.



Results - <<edit deleted>>

<<< edit deleted >>>

Edit - also NMAP - note reverse DNS resolution works because the hosting provider specifically provides reverse DNS.  That is not coming from the NSD daemon.


```
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-15 02:30 Eastern Daylight Time
Nmap scan report for << edit deleted >>

Host is up (0.22s latency).
Not shown: 97 closed ports

PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
```


----------



## ShelLuser (Oct 15, 2018)

Well, if a portscan does show some kind of result then the conclusion should be obvious: the problem seems to be caused by nsd itself. First verify that it really is NSD listening and not some other service: `# sockstat -4l | grep 53`.

I only have experience with Bind (and to a lesser degree with PowerDNS) but both services provided the ability to raise logging verbosity. Assuming that it is indeed NSD listening on 53 I'd start there. Raise logging verbosity, perform requests and check what your logfiles tell you.


----------



## selflessscoundrel (Oct 15, 2018)

I'm done with nsd - switching to bind to see if I have the same issues.  Raised verbosity in the config to 2 (default is 0) and didn't see anything in the log.


----------



## selflessscoundrel (Oct 16, 2018)

The final update.  My cloud server is fine.  It's my ISP blocking responses apparantly.  I tested other nameservers on other domains - nslookup and drill commands don't work locally on my machine but they work on my cloud server.

Thank you all, and sorry for dragging you all through it.


----------

