Highly available authoritative name server solution - NSD: difference between revisions

Source: Imre kasutab arvutit
(5 intermediate revisions by the same user not shown)

Latest revision: 23 October 2025, 23:15

Introduction

TODO

Operating principle

Network diagram

TODO

where

  • TODO

Fortigate firewall configuration

TODO

ans-node-01 configuration

TODO

ans-node-02 configuration

TODO

Operating the solution

Checking zone contents

TODO

Misc

# sysctl -w net.ipv4.conf.ens18.arp_ignore=1
# sysctl -w net.ipv4.conf.ens18.arp_announce=2

# cat /etc/netplan/01-netcfg.yaml 
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    ens18:
      dhcp4: no
      dhcp6: no
      accept-ra: no
      addresses:
        - 10.90.16.247/28
        - 2001:cc8::247/64
      nameservers:
          search: [ auul.pri.ee ]
          addresses: [ 10.90.16.245, 10.90.0.12 ]

      routes:
      - to: 0.0.0.0/0
        via: 10.90.16.241
      - to: ::/0
        via: 2001:cc8::241

    ens19:
      dhcp4: no
      dhcp6: no
      accept-ra: no
      addresses:
        - 10.208.16.247/24


  dummy-devices:
    dummy0:
      addresses:
        - 10.90.16.242/32
      link-local: []

Container-based solution

Result obtained with the help of ChatGPT. Filesystem layout

nsd/
├── docker-compose.yml
├── Dockerfile
├── nsd.conf
└── zones/
    └── example.test.zone

Dockerfile

# Base OS
FROM ubuntu:24.04

# Install nsd + tini
RUN apt-get update && \
    apt-get install -y nsd tini && \
    rm -rf /var/lib/apt/lists/*

# Copy configuration and zones
COPY nsd.conf /etc/nsd/nsd.conf
COPY zones /etc/nsd/zones

# Expose DNS ports
EXPOSE 53/tcp 53/udp

# Use tini as init for clean signal handling
ENTRYPOINT ["/usr/bin/tini", "--"]

# Run NSD in the foreground
CMD ["nsd", "-d", "-c", "/etc/nsd/nsd.conf"]

docker-compose.yml

services:
  nsd:
    build: .
    container_name: nsd
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - ./nsd.conf:/etc/nsd/nsd.conf:ro
      - ./zones:/etc/nsd/zones:ro
    cap_add:
      - NET_BIND_SERVICE     # allow binding to port 53 if non-root
    user: "nsd"              # run as nsd user inside container
    init: true               # enable tini (redundant but safe)

nsd.conf

server:
    username: nsd
    database: "/var/db/nsd/nsd.db"
    logfile: "/var/log/nsd.log"
    pidfile: "/var/run/nsd.pid"
    port: 53
    verbosity: 2
    zonesdir: "/etc/nsd/zones"

zone:
    name: "example.test"
    zonefile: "example.test.zone"

zones/example.test.zone

$ORIGIN example.test.
@   3600 IN SOA ns1.example.test. admin.example.test. (
        1       ; serial
        3600    ; refresh
        600     ; retry
        604800  ; expire
        3600 )  ; minimum
    IN NS ns1.example.test.
ns1 IN A 127.0.0.1

Running it

docker compose up -d

Check the logs:

docker compose logs -f nsd

You should see:

nsd[1]: nsd started (NSD 4.x.x), serving 1 zone(s)

Query test:

dig @127.0.0.1 example.test NS
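The dig step above only eyeballs the answer. The following is an added example (not code from the wiki page or from the NSD project) that performs the same NS lookup with the Python standard library and additionally checks the AA flag, which an authoritative-only server such as NSD must set for its own zone. It assumes the container from this page is reachable on 127.0.0.1:53 and serves the example.test zone shown above; the SAMPLE_RESPONSE bytes are constructed, not captured from a real server.

```python
"""Stdlib check of the NS answer served by the NSD container.

Added example (not from the wiki page): it does what the
`dig @127.0.0.1 example.test NS` step verifies, and also checks the AA
(authoritative answer) flag. The sample reply below is constructed.
"""
import socket
import struct

QTYPE_NS = 2
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_NS, txid=0x1234):
    """Standard query, RD=0: an authoritative server is not asked to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data, expected_txid):
    """Parse header and answer section; return flags and the NS names found."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    result = {"authoritative": bool(flags & 0x0400), "rcode": flags & 0x000F, "ns": []}
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4  # qtype + qclass
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS and rclass == QCLASS_IN:
            result["ns"].append(decode_name(data, offset)[0])
        offset += rdlen
    return result


def query_ns(server, name, port=53, timeout=2.0):
    """Send the query over UDP and parse the reply (needs the container running)."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, QTYPE_NS, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


# Constructed reply matching the example.test zone: QR+AA set, NOERROR, one NS
# answer whose owner name and RDATA use compression pointers to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("example.test") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, 6)
    + b"\x03ns1" + b"\xC0\x0C"
)

if __name__ == "__main__":
    print(query_ns("127.0.0.1", "example.test"))
```

Run it against the container with `python3 check_ns.py` (the file name is arbitrary); a healthy deployment returns authoritative=True, rcode=0 and ns=['ns1.example.test.']. A reply with AA clear would mean you reached a resolver rather than the NSD instance, and a transaction id mismatch is rejected rather than trusted.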

Notes

The init: true key in Compose automatically runs Docker’s built-in tini, even without the manual entrypoint. You can omit the ENTRYPOINT line in Dockerfile if you prefer this simpler route.

You can change user: "nsd" to a custom unprivileged UID if desired.

You can also bind it to port 8053 inside the container and map externally to 53 if you’re not comfortable with the privilege cap:

ports:
  - "53:8053/tcp"
  - "53:8053/udp"


and adjust port: 8053 in nsd.conf.

processes

nsd@0a3d7a8174ea:/$ ps auxf
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
nsd           10  0.1  0.3   4588  3840 pts/0    Ss   13:19   0:00 bash
nsd           21  0.0  0.4   7888  3968 pts/0    R+   13:19   0:00  \_ ps auxf
nsd            1  0.0  0.1   2692  1408 ?        Ss   13:18   0:00 /usr/bin/tini -- nsd -d -c /etc/nsd/nsd.conf
nsd            7  0.0  1.1  33224 11648 ?        S    13:18   0:00 nsd -d -c /etc/nsd/nsd.conf
nsd            8  0.0  3.5  45484 35164 ?        S    13:18   0:00  \_ nsd -d -c /etc/nsd/nsd.conf
nsd            9  0.0  0.4  61336  4840 ?        S    13:18   0:00      \_ nsd -d -c /etc/nsd/nsd.conf

at host

dhcpcd     16074  0.0  0.1   2692  1280 ?        Ss   13:19   0:00  \_ /usr/bin/tini -- nsd -d -c /etc/nsd/nsd.conf
dhcpcd     16114  0.0  1.1  33224 11520 ?        S    13:19   0:00      \_ nsd -d -c /etc/nsd/nsd.conf
dhcpcd     16118  0.0  3.5  45488 35424 ?        S    13:19   0:00          \_ nsd -d -c /etc/nsd/nsd.conf
dhcpcd     16119  0.0  0.4  61340  4844 ?        S    13:19   0:00              \_ nsd -d -c /etc/nsd/nsd.conf

log

root@xxz:/opt/nsd/dc# docker compose -f docker-compose-nsd-gpt.yml logs
nsd  | [2025-10-23 15:21:34.753] nsd[7]: error: Cannot open /var/log/nsd.log for appending (Permission denied), logging to stderr
nsd  | [2025-10-23 15:21:34.753] nsd[7]: warning: chown /var/log/nsd.log failed: No such file or directory
nsd  | [2025-10-23 15:21:34.753] nsd[7]: notice: nsd starting (NSD 4.8.0)
nsd  | [2025-10-23 15:21:34.755] nsd[7]: warning: fallback to UDP4, no IPv6: not supported
nsd  | [2025-10-23 15:21:34.757] nsd[7]: warning: fallback to TCP4, no IPv6: not supported
nsd  | [2025-10-23 15:21:34.765] nsd[7]: warning: fallback to TCP4, no IPv6: not supported
nsd  | [2025-10-23 15:21:34.765] nsd[7]: error: cannot open pidfile /var/run/nsd.pid: Permission denied
nsd  | [2025-10-23 15:21:34.765] nsd[7]: error: cannot overwrite the pidfile /var/run/nsd.pid: Permission denied
nsd  | [2025-10-23 15:21:34.765] nsd[7]: warning: unable to initgroups nsd: Operation not permitted
nsd  | [2025-10-23 15:21:34.799] nsd[8]: info: zone example.test read with success
nsd  | [2025-10-23 15:21:34.815] nsd[8]: notice: nsd started (NSD 4.8.0), pid 7
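The log above shows NSD starting and serving the zone, but also three errors and a warning that all stem from the same cause: the container runs as user nsd (user: "nsd" in docker-compose.yml), while nsd.conf still points logfile and pidfile at root-owned paths and asks NSD to drop privileges it does not hold. The following is an added example (not from the wiki page or the NSD project) that parses `docker compose logs` output in the format shown above and separates a clean start from these permission findings. The sample lines are the ones printed above; the suggested remediations are the author of this example's reading of those messages.

```python
"""Triage of NSD startup lines from `docker compose logs`.

Added example (not from the wiki page): it scans the log output shown above
and separates 'nsd started' from the permission problems that appear when
nsd runs as a non-root user but nsd.conf still points at root-owned paths.
"""
import re
from collections import Counter

# One compose log line: "<service> | [<timestamp>] nsd[<pid>]: <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<service>\S+)\s+\|\s+\[(?P<ts>[^\]]+)\]\s+nsd\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>error|warning|notice|info):\s+(?P<msg>.*)$"
)

# Messages that indicate a runtime-user / filesystem mismatch, not a DNS fault.
PRIVILEGE_PATTERNS = {
    "logfile_unwritable": re.compile(
        r"Cannot open (?P<path>\S+) for appending \(Permission denied\)"),
    "pidfile_unwritable": re.compile(
        r"cannot (?:open|overwrite the) pidfile (?P<path>\S+): Permission denied"),
    "initgroups_denied": re.compile(
        r"unable to initgroups \S+: Operation not permitted"),
}

# What each finding means for this deployment (remediation hints, not NSD docs).
REMEDIATION = {
    "logfile_unwritable": "drop the logfile: option so NSD keeps logging to stderr, "
                          "which docker compose logs already collects",
    "pidfile_unwritable": "point pidfile: at a directory writable by the nsd user, "
                          "or mount a writable volume there",
    "initgroups_denied": "expected when the process already runs as nsd; "
                         "username: has nothing left to drop",
}


def parse_line(line):
    """Return the fields of one log line, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Summarise severity counts, start/zone status and privilege findings."""
    levels = Counter()
    findings = []
    started = False
    zones_ok = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # shell prompt, blank line, or a non-NSD service
        levels[rec["level"]] += 1
        msg = rec["msg"]
        for kind, pat in PRIVILEGE_PATTERNS.items():
            m = pat.search(msg)
            if m:
                findings.append({"kind": kind, "pid": int(rec["pid"]),
                                 "path": m.groupdict().get("path"),
                                 "fix": REMEDIATION[kind]})
        if msg.startswith("nsd started"):
            started = True
        zm = re.match(r"zone (\S+) read with success", msg)
        if zm:
            zones_ok.append(zm.group(1))
    return {
        "levels": dict(levels),
        "started": started,
        "zones_ok": zones_ok,
        "findings": findings,
        "clean": started and not findings and levels["error"] == 0,
    }


# The log lines printed on this page, used as sample input.
SAMPLE_LOG = """\
root@xxz:/opt/nsd/dc# docker compose -f docker-compose-nsd-gpt.yml logs
nsd  | [2025-10-23 15:21:34.753] nsd[7]: error: Cannot open /var/log/nsd.log for appending (Permission denied), logging to stderr
nsd  | [2025-10-23 15:21:34.753] nsd[7]: warning: chown /var/log/nsd.log failed: No such file or directory
nsd  | [2025-10-23 15:21:34.753] nsd[7]: notice: nsd starting (NSD 4.8.0)
nsd  | [2025-10-23 15:21:34.755] nsd[7]: warning: fallback to UDP4, no IPv6: not supported
nsd  | [2025-10-23 15:21:34.757] nsd[7]: warning: fallback to TCP4, no IPv6: not supported
nsd  | [2025-10-23 15:21:34.765] nsd[7]: warning: fallback to TCP4, no IPv6: not supported
nsd  | [2025-10-23 15:21:34.765] nsd[7]: error: cannot open pidfile /var/run/nsd.pid: Permission denied
nsd  | [2025-10-23 15:21:34.765] nsd[7]: error: cannot overwrite the pidfile /var/run/nsd.pid: Permission denied
nsd  | [2025-10-23 15:21:34.765] nsd[7]: warning: unable to initgroups nsd: Operation not permitted
nsd  | [2025-10-23 15:21:34.799] nsd[8]: info: zone example.test read with success
nsd  | [2025-10-23 15:21:34.815] nsd[8]: notice: nsd started (NSD 4.8.0), pid 7
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

For the log above, triage() reports started=True and example.test read, but clean=False with four findings; in a deployment check it is the `clean` flag, not the presence of "nsd started", that should gate the next step, because NSD keeps running even when it cannot write its pidfile or logfile.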

Useful additional materials

  • TODO