Guide: How to setup NSD as a secondary nameserver for Mail-in-a-Box

Guides
1

If you for whatever reason don’t want to use a secondary name server provider, but still want to have a secondary name server for your Mail-in-a-Box instance, it’s relatively easy to set up NSD as a secondary nameserver yourself on a second VPS. I installed it on a Debian 11 VPS but this should work exactly the same on Ubuntu.

1. Preparations

1.1 Spin up a VPS:

Spin up a VPS with Debian 11 or Ubuntu 20.04. The cheapest plan with 1 core and 512MB of RAM should be more than enough. But make sure they offer you a “real” virtual machine e.g. KVM and not something like an OpenVZ container…

1.2 Create an A Record:

Go to the “Custom DNS” section of the Mail-in-a-Box admin interface and create an A record for your secondary nameserver and point it to the IP address of the VPS.

Important! You cannot use ns2.box.yourdomain.tld. Other than that you can use whatever subdomain you want. In this example we keep it simple and use ns3.box.yourdomain.tld .

ns3.box.yourdomain.tld    IN    A    22.22.22.22  # IP address of the second VPS

1.3 Change the Glue records and nameserver settings at your registrar:

Login to the DNS-Settings-Panel of your registrar and change the second glue record for the domain name you’re hosting your Mail-in-a-Box instance on:

ns1.box.yourdomain.tld 11.11.11.11  # IP address of your MiaB (stays as is)
ns3.box.yourdomain.tld 22.22.22.22  # name and IP address of the 2ndry server / new VPS`

Then change the secondary nameserver entries for all the domain names you’re hosting on your Mail-in-a-Box instance:

Nameserver 1: ns1.box.yourdomain.tld  # name of your MiaB instance (stays as is)
Nameserver 2: ns3.box.yourdomain.tld  # name of the 2ndry server / new VPS

1.4 Prepare your VPS

Log into your newly created VPS via SSH and change to a root shell:

sudo -i

Upgrade all packages:

apt update && apt dist-upgrade -y

Set the correct timezone:

timedatectl set-timezone "Europe/Zurich"

Install nsd and additional tools

apt install -y nsd dnsutils lnav

Create the directory for the zone files (Probably not needed but I wanted it to be identical to MiaB)

mkdir /etc/nsd/zones

2. Setup NSD

Edit the file /etc/nsd/nsd.conf as in the example below:

server:
        ip-address: 22.22.22.22 #IP address of the 2ndry server (this server)
        hide-version: yes
        verbosity: 2
        server-count: 1
        zonesdir: "/etc/nsd/zones" # probably not needed but I wanted it to be identical to MiaB

zone:
        name: yourdomain.tld
        zonefile: yourdomain.tld.zone
        allow-notify: 11.11.11.11 NOKEY # IP address of your MiaB server 
        request-xfr: 11.11.11.11 NOKEY  # IP address of your MiaB server

# If you are hosting more than one domain on your MiaB instance add them like this...

zone:
        name: yourotherdomain.tld
        zonefile: yourotherdomain.tld.zone
        allow-notify: 11.11.11.11 NOKEY # IP address of your MiaB server 
        request-xfr: 11.11.11.11 NOKEY  # IP address of your MiaB server

After you’re done you can use nsd-control to reconfigure NSD…

nsd-control reconfig

or simply restart the service:

systemctl restart nsd

3. Using the secondary nameserver with Mail-in-a-Box

Enter the name e.g. ns3.box.yourdomain.tld of your newly created secondary
nameserver to the “Using a secondary nameserver” field in the “Custom DNS” section of the Mail-in-a-Box admin interface. The zone information should get automatically transfred to your secondary server.

4. Check if your setup is working

Check the syslog…

lnav /var/log/syslog

If the zone transfer was successful, you should see a line similiar to that in the syslog:

Apr 19 13:56:06 ns3 nsd[21052]: [2022-04-19 13:56:06.755] nsd[21052]: info: notify for yourdomian.tld from 11.11.11.11

Of course you can also check with the dig command from another server or from your PC…

dig NS yourdomain.tld @ns3.box.yourdomain.tld

…or you could use one of the many online tools like DNS Check and DNS Report Tools - Comprehensive DNS Tests - MxToolBox or https://dnschecker.org etc…

Hope this helps somebody
Cheers :slight_smile:

3 Likes
2

I don’t use MiaB’s DNS and choose to use external DNS. However if I was using MiaB’s DNS I would definitely set this up.

Thanks for the guide.

1 Like
3

Thanks for sharing your set up. Useful information.

1 Like
4

@miabuser I was part of the way through this setup when I hit a snag on restarting NSD. it looks like it was unable to start in the first place and I get errors when trying to start it. Any advice? I am on an EC2 with port 53 open on both UDP and TCP. I had a clean install of Ubuntu 22.04 and have done much to the setup besides the steps listed above.

Error code

$ sudo systemctl restart nsd
Job for nsd.service failed because the control process exited with error code.
See "systemctl status nsd.service" and "journalctl -xeu nsd.service" for details.

Let me know if you need to see anything else or if you have any ideas.

Thanks in advance!

Pre-apologies if this is resurrecting a really old thread.

5

Did you check the logs as the error message suggests? What does journalctl -eu nsd say?

My guess would be that this is caused by systemd-resolved already listening on port 53. If this is the case, the following guide should help you work around the issue: Ubuntu: How To Free Up Port 53, Used By systemd-resolved - Linux Uprising Blog

6

I found that post during my research and tried it and I still had something preventing startup. Wondering if it’s something to do with being on AWS?

7

Not sure then. Have you checked the logs?

8

I’ve looked at some. What would you suggest I look at? Most just say that NSD cannot start. Not a lot of detail.

When I check out 53 it still shows something using it, but it’s not the stuff addressed in that writeup.

9

journalctl -xeu nsd.service or journalctl -eu nsd.service.

The latter gives you a reduced view that only contains the actual log messages.

What is it then? If you’re not sure, maybe you can post the output of sudo lsof -i :53 here…

10

Here is that output

COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named   404 bind   18u  IPv4  17794      0t0  UDP localhost:domain
named   404 bind   19u  IPv4  17795      0t0  TCP localhost:domain (LISTEN)
named   404 bind   21u  IPv4  17796      0t0  UDP 172.31.28.26:domain
named   404 bind   22u  IPv4  17797      0t0  TCP 172.31.28.26:domain (LISTEN)
named   404 bind   23u  IPv6  17798      0t0  UDP ip6-localhost:domain
named   404 bind   24u  IPv6  17799      0t0  TCP ip6-localhost:domain (LISTEN)
named   404 bind   25u  IPv6  17802      0t0  UDP [fe80::8ff:e0ff:fe19:ce83]:domain
named   404 bind   26u  IPv6  17803      0t0  TCP [fe80::8ff:e0ff:fe19:ce83]:domain (LISTEN)
11

It looks like BIND is already running on your VPS, listening on port 53. BIND can be used as a resolving or authoritative nameserver, or as both at the same time.

The question now is why it is running on your VPS, as it is not pre-installed on a standard Ubuntu cloud image. So either you installed it yourself, in which case you could simply uninstall it and install NSD instead. Or it could be specific to the Amazon Ubuntu image, in which case they may be using it as a local resolver instead of systemd-resolved, which could break the DNS functionality of your VPS if you just uninstall it.

If the latter is the case, you would either have to do some extra configuration to free up port 53, similar to what you would have to do with systemd-resolved, or you would have to get Ubuntu to use systemd-resolved again, and then uninstall BIND.

Another option would be to use BIND as a secondary nameserver for Mail-in-a-Box instead of NSD, because as I said, it can be used as both a resolver and an authoritative/secondary nameserver. However, I don’t have a tutorial on how to do this, and I’m not an expert in it either.

12

Damnit! It was staring me in the face the whole time. I didn’t realize that BIND was an app.

I spun up a new server and will check port 53 both on the bare server, then follow the opening up process if needed, and then check again after going through this process.

I’ll post up results here.

13

Okay. Here is the update:

Ran: sudo lsof -i :53
Result

COMMAND   PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 320 systemd-resolve   13u  IPv4  17154      0t0  UDP localhost:domain
systemd-r 320 systemd-resolve   14u  IPv4  17155      0t0  TCP localhost:domain (LISTEN)

After doing the systemd adjustment for port 53 I get nothing after sudo lsof -i 53 BUT I did have to set the DNS=127.0.0.1 in the /etc/systemd/resolved.conf

AND after running the above writeup… success.

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nsd:\x20x 359  nsd    4u  IPv6  18165      0t0  UDP *:domain
nsd:\x20x 359  nsd    5u  IPv6  18166      0t0  TCP *:domain (LISTEN)
nsd:\x20x 359  nsd    6u  IPv4  18167      0t0  UDP *:domain
nsd:\x20x 359  nsd    7u  IPv4  18168      0t0  TCP *:domain (LISTEN)
nsd:\x20m 490  nsd    4u  IPv6  18165      0t0  UDP *:domain
nsd:\x20m 490  nsd    5u  IPv6  18166      0t0  TCP *:domain (LISTEN)
nsd:\x20m 490  nsd    6u  IPv4  18167      0t0  UDP *:domain
nsd:\x20m 490  nsd    7u  IPv4  18168      0t0  TCP *:domain (LISTEN)
nsd:\x20s 543  nsd    4u  IPv6  18165      0t0  UDP *:domain
nsd:\x20s 543  nsd    5u  IPv6  18166      0t0  TCP *:domain (LISTEN)
nsd:\x20s 543  nsd    6u  IPv4  18167      0t0  UDP *:domain
nsd:\x20s 543  nsd    7u  IPv4  18168      0t0  TCP *:domain (LISTEN)

No idea what happened the first time besides the following things I did differently this time:

  • I used 127.0.0.1 in the resolved.conf
  • I did the opening of :53 before I ran this tutorial.

Thanks again for everyone’s help. Glad I was the guinea pig of what not to do for those with Ubuntu!

1 Like
14

Glad it worked out. :slight_smile:

1 Like