OpenBSD DNS Server with unbound and nsd

submited by
Style Pass
2023-11-21 20:30:08

The default installation of OpenBSD comes with both unbound(8) and nsd(8); unbound is a validating, recursive, and caching DNS resolver that provides DNSSEC validation, while nsd is an authoritative name server that holds DNS records. The combination of the two running locally, means that name server lookups (i.e., requests to resolve domain names into IP addresses and vice versa) can be handled locally without being sent upstream to your ISP or another public name server such as Google. This almost completely prevents snooping or tampering such as DNS cache poisoning or spoofing attacks. Both programs have a small memory footprint, offer a secure environment to provide lightning quick retrieval of both forward and reverse DNS requests, and are exceedingly simple to setup. This article will detail the steps to configure both unbound and nsd on your OpenBSD box.

Before testing that it's working, we need to assign it as our primary nameserver in /etc/resolv.conf by either commenting out or removing the existing nameserver, and adding unbound, which is running on localhost:

Leave a Comment