My initial experience of using NSD as a simple authoritative DNS server

March 31, 2016

I've been running djb's tinydns for a long time, but for a while I've been planning to replace it someday. The direct reason for replacing tinydns is that I want support for IPv6, for new DNS record types, and for best-practice things like rate limiting; the indirect reason is that all of djb's software has been abandoned and on the Internet, unmaintained software rots. When I found myself adding an AAAA record using raw bytes, my irritation started rising slowly and eventually pushed me over the edge.

After ruling out PowerDNS for entirely personal reasons, my two primary options were Knot DNS and NSD. I looked a bit at both and wound up settling on NSD for now, partly because OpenBSD has switched to NSD and we run OpenBSD nameservers at work, so I'm going to wind up having to work with it someday.

(Interested parties can see e.g. the Wikipedia comparison of DNS server software, which I found helpful in making sure I wasn't missing anything obvious.)

NSD on Fedora 23 is pleasingly easy to configure and get operating, with configuration split across multiple files so that I can drop in my customizations without having to change any standard files. NSD's configuration syntax is simple, straightforward, and minimal, which makes it easy to write. Anyways, I only needed to set a very few things (like what IP address to listen on and then basic information about my one zone). NSD uses Bind-format zone files, which meant that I had to rewrite my existing tinydns zone file, but that's not a particularly big job with a small zone.
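As an added example (my own code, not anything from the post, from tinydns or from NSD), the rewrite of a tinydns data file into a Bind-format zone can be scripted for the common record types. This is also where a raw-byte AAAA written as a generic ':' line, the thing the post complains about, turns back into a readable address. It assumes tinydns-data's default TTL and SOA timers as I remember them, and the sample data file is constructed:

```python
import ipaddress
import re

# Assumed tinydns-data defaults: ordinary records get 86400, the synthesized SOA gets
# a 2560 TTL and "refresh retry expire minimum" of 16384 2048 1048576 2560.
DEFAULT_TTL = 86400
SOA_TTL = 2560
SOA_TIMERS = "16384 2048 1048576 2560"

# tinydns escapes arbitrary bytes as a backslash followed by three octal digits
_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(s):
    """Decode tinydns's backslash-octal escapes into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = _OCTAL.match(s, i)
        if m:
            out.append(int(m.group(1), 8))
            i = m.end()
        else:
            out.extend(s[i].encode("latin-1"))
            i += 1
    return bytes(out)


def _fields(body, n):
    """Split the text after the type character into exactly n ':'-separated fields."""
    return (body.split(":") + [""] * n)[:n]


def _ttl(s):
    return int(s) if s else DEFAULT_TTL


def _fqdn(name):
    return name.rstrip(".") + "."


def _host(x, suffix):
    # tinydns appends '.ns.<fqdn>' / '.mx.<fqdn>' to a name that contains no dot
    return _fqdn(x if "." in x else f"{x}.{suffix}")


def _generic(owner, rtype, rdata, ttl):
    """A ':' record: type 28 becomes a proper AAAA, anything else is kept in
    RFC 3597 unknown-type syntax so that no data is silently dropped."""
    t = int(rtype)
    if t == 28:
        if len(rdata) != 16:
            raise ValueError(f"AAAA rdata for {owner} is {len(rdata)} bytes, expected 16")
        return [(owner, ttl, "AAAA", str(ipaddress.IPv6Address(rdata)))]
    return [(owner, ttl, f"TYPE{t}", f"\\# {len(rdata)} {rdata.hex()}")]


def convert_line(line):
    """Return the (owner, ttl, type, rdata) records one tinydns data line expands to."""
    line = line.strip()
    if not line or line[0] in "#-":  # comment or disabled record
        return []
    kind, body = line[0], line[1:]
    if kind in "+=":
        fqdn, ip, ttl = _fields(body, 3)
        recs = [(_fqdn(fqdn), _ttl(ttl), "A", ip)]
        if kind == "=":  # '=' also creates the matching PTR in in-addr.arpa
            rev = ipaddress.IPv4Address(ip).reverse_pointer + "."
            recs.append((rev, _ttl(ttl), "PTR", _fqdn(fqdn)))
        return recs
    if kind == "@":
        fqdn, ip, x, dist, ttl = _fields(body, 5)
        mx = _host(x, "mx." + fqdn)
        recs = [(_fqdn(fqdn), _ttl(ttl), "MX", f"{dist or 0} {mx}")]
        if ip:
            recs.append((mx, _ttl(ttl), "A", ip))
        return recs
    if kind in "&.":
        fqdn, ip, x, ttl = _fields(body, 4)
        ns = _host(x, "ns." + fqdn)
        recs = [(_fqdn(fqdn), _ttl(ttl), "NS", ns)]
        if ip:
            recs.append((ns, _ttl(ttl), "A", ip))
        if kind == ".":  # tinydns synthesizes the SOA; serial 1 is a placeholder to bump by hand
            soa = f"{ns} hostmaster.{_fqdn(fqdn)} 1 {SOA_TIMERS}"
            recs.insert(0, (_fqdn(fqdn), SOA_TTL, "SOA", soa))
        return recs
    if kind == "'":
        fqdn, s, ttl = _fields(body, 3)
        text = unescape(s).decode("latin-1").replace("\\", "\\\\").replace('"', '\\"')
        return [(_fqdn(fqdn), _ttl(ttl), "TXT", f'"{text}"')]
    if kind in "C^":
        fqdn, target, ttl = _fields(body, 3)
        return [(_fqdn(fqdn), _ttl(ttl), "CNAME" if kind == "C" else "PTR", _fqdn(target))]
    if kind == ":":
        fqdn, rtype, rdata, ttl = _fields(body, 4)
        return _generic(_fqdn(fqdn), rtype, unescape(rdata), _ttl(ttl))
    raise ValueError(f"unsupported tinydns record type {kind!r}: {line}")


def to_zone(data, zone):
    """Render the records that fall under `zone` as Bind-format zone file lines; records
    for other zones (such as the PTRs that '=' lines generate) are left out."""
    zone = _fqdn(zone)
    lines = [f"$ORIGIN {zone}"]
    for raw in data.splitlines():
        for owner, ttl, rtype, rdata in convert_line(raw):
            if owner == zone or owner.endswith("." + zone):
                lines.append(f"{owner}\t{ttl}\tIN\t{rtype}\t{rdata}")
    return "\n".join(lines) + "\n"


# Constructed sample data file; the last line is 2001:db8::1 as sixteen octal-escaped bytes.
SAMPLE_DATA = r"""
.example.org:192.0.2.1:a:86400
@example.org:192.0.2.2:mail:10:86400
=www.example.org:192.0.2.3:3600
Cftp.example.org:www.example.org:3600
'example.org:v=spf1 mx -all:3600
:www.example.org:28:\040\001\015\270\000\000\000\000\000\000\000\000\000\000\000\001:3600
""".strip()

if __name__ == "__main__":
    print(to_zone(SAMPLE_DATA, "example.org"))
```

Feed the converted file to nsd-checkzone before loading it, and keep the converter's ValueError on unknown line types rather than skipping them: a line that the script cannot translate is exactly the record that would otherwise vanish from the new zone unnoticed.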

(Had I wanted to I could have set up NSD as a secondary and done a zone transfer to get a Bind-format zonefile, but I decided I wanted to hand-write a clean zone file. I did wind up doing AXFRs from both tinydns and NSD to verify that my new rewritten version of the zone was the same apart from some unimportant things, like SOA refresh times.)
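The verification step above, as an added example that is not part of the original post: two AXFRs (the text-form output that `dig @server zone AXFR` prints) are parsed, normalized for record order and name case, and compared with the SOA serial and timers set aside, since those are the "unimportant things" that legitimately differ between servers. The two AXFR captures below are constructed samples:

```python
import re

_WS = re.compile(r"\s+")
# rdata of these types contains domain names, which DNS compares case-insensitively
_NAME_RDATA = {"NS", "CNAME", "PTR", "MX", "SOA"}


def parse_axfr(text):
    """Parse dig-style AXFR output into a set of (owner, ttl, type, rdata) tuples.
    Comment and blank lines are skipped; the SOA that opens and closes a transfer
    collapses into a single entry because the result is a set."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = _WS.split(line, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unexpected AXFR line: {line!r}")
        owner, ttl, _, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype != "TXT":  # quoted text is significant as-is; everything else can be reflowed
            rdata = _WS.sub(" ", rdata)
        if rtype in _NAME_RDATA:
            rdata = rdata.lower()
        records.add((owner.lower(), int(ttl), rtype, rdata))
    return records


def _normalize_soa(rec):
    """Keep only MNAME and RNAME of an SOA: the serial and the refresh/retry/expire/minimum
    timers come from each server's own configuration rather than from the zone data."""
    owner, ttl, rtype, rdata = rec
    if rtype != "SOA":
        return rec
    mname, rname = rdata.split()[:2]
    return (owner, ttl, rtype, f"{mname} {rname}")


def compare_axfr(old, new, ignore_soa_timers=True):
    """Return (only_in_old, only_in_new) as sorted lists; both empty means the zone data
    served by the two servers is the same."""
    a, b = parse_axfr(old), parse_axfr(new)
    if ignore_soa_timers:
        a, b = {_normalize_soa(r) for r in a}, {_normalize_soa(r) for r in b}
    return sorted(a - b), sorted(b - a)


# Constructed AXFR output from the old tinydns server ...
TINYDNS_AXFR = """\
; <<>> DiG <<>> @192.0.2.1 example.org AXFR   (constructed sample)
example.org.        2560  IN  SOA   a.ns.example.org. hostmaster.example.org. 1459400000 16384 2048 1048576 2560
example.org.        86400 IN  NS    a.ns.example.org.
a.ns.example.org.   86400 IN  A     192.0.2.1
www.example.org.    3600  IN  A     192.0.2.3
www.example.org.    3600  IN  AAAA  2001:db8::1
example.org.        3600  IN  TXT   "v=spf1 mx -all"
example.org.        2560  IN  SOA   a.ns.example.org. hostmaster.example.org. 1459400000 16384 2048 1048576 2560
"""

# ... and from NSD serving the hand-rewritten zone: different record order, a different
# SOA serial and timers, and one owner name typed in upper case.
NSD_AXFR = """\
example.org.        2560  IN  SOA   a.ns.example.org. hostmaster.example.org. 2016033101 7200 1800 1209600 3600
WWW.example.org.    3600  IN  AAAA  2001:db8::1
example.org.        3600  IN  TXT   "v=spf1 mx -all"
a.ns.example.org.   86400 IN  A     192.0.2.1
www.example.org.    3600  IN  A     192.0.2.3
example.org.        86400 IN  NS    a.ns.example.org.
example.org.        2560  IN  SOA   a.ns.example.org. hostmaster.example.org. 2016033101 7200 1800 1209600 3600
"""

if __name__ == "__main__":
    only_old, only_new = compare_axfr(TINYDNS_AXFR, NSD_AXFR)
    print("only on tinydns:", only_old)
    print("only on NSD:", only_new)
```

Both servers have to permit the transfer from the checking host (in NSD that is the zone's `provide-xfr:` setting), and that permission should be as narrow as the check itself: a zone transfer hands out the whole zone, so it is worth restricting to the addresses that genuinely need it.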

So far I've been running NSD instead of tinydns for a few days and basically haven't noticed anything different. Things continue to work as they did before without any problems or fuss.

NSD does use (much) more memory than tinydns ever did, but I'm resigned to that. RAM is at least inexpensive these days and a resident set size of 20 to 30 Mbytes is small beans, even if tinydns used to have a total memory size of only a couple of Mbytes and an RSS in the hundreds of kilobytes. It's possible I could tune NSD to use less memory if I wanted to spend the time on it, which I don't particularly.

PS: based on scanning over the Knot documentation, I suspect that setting it up would have been equally easy (and I may try doing so someday, just out of curiosity). It's possible that Knot is easier if you want to do DNSSEC, which I don't particularly.


Comments on this page:

One feature of Knot DNS that won me over last year was how easy it is to set up on-the-fly IPv6 reverse generation. See slides 6 & 7 of last year's Knot DNS presentation at FOSDEM.

For the record, memory is saved most easily if you disable the rate-limiting again ;)

       rrl-ratelimit: 0
       rrl-whitelist-ratelimit: 0
       rrl-size: 1

Results in ~2MB RSS with my tiny zones.
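Since response rate limiting is one of the best-practice features the post set out to gain, the cheaper way to get the memory back is to shrink the RRL table rather than switch the limiter off. As an added illustration (not the commenter's configuration and not from the NSD project), here is a minimal nsd.conf in the shape the post describes, keeping the per-source limits at NSD's defaults and trading memory through the table size instead. The addresses, paths and the 10000-bucket size are assumed values, and the rrl-* options only have an effect when NSD was built with rate limiting support:

```conf
# /etc/nsd/nsd.conf, or a drop-in file under /etc/nsd/conf.d/ on Fedora (path assumed)
server:
    ip-address: 192.0.2.1          # assumed listen addresses
    ip-address: 2001:db8::1
    zonesdir: "/etc/nsd/zones"     # assumed

    # Response rate limiting: limits are queries per second from one source
    # prefix (/24 for IPv4, /64 for IPv6 by default). Most of RRL's memory is the
    # bucket table, so make that smaller instead of setting the limits to 0.
    rrl-ratelimit: 200
    rrl-whitelist-ratelimit: 2000
    rrl-size: 10000                # default is 1000000; the commenter's 1 is the floor

zone:
    name: "example.org"
    zonefile: "example.org.zone"
    # allow zone transfers only from the host used to verify the rewritten zone
    provide-xfr: 192.0.2.10 NOKEY
```

Run nsd-checkconf on the result before reloading; it catches a mistyped option name, which NSD would otherwise reject at startup.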

Written on 31 March 2016.

Last modified: Thu Mar 31 23:37:07 2016