NSD

Last updated
NSD
Developer(s) NLnet Labs
Initial releaseMay 30, 2002;21 years ago (2002-05-30)
Stable release
4.8.0 / December 6, 2023;54 days ago (2023-12-06) [1]
Repository
Operating system Unix-like
Type DNS server
License BSD license
Website www.nlnetlabs.nl/projects/nsd/about/   OOjs UI icon edit-ltr-progressive.svg

In Internet computing, NSD (for "name server daemon") is an open-source Domain Name System (DNS) server. It was developed by NLnet Labs of Amsterdam in cooperation with the RIPE NCC, from scratch as an authoritative name server (i.e., not implementing the recursive caching function by design). The intention of this development is to add variance to the "gene pool" of DNS implementations used by higher level name servers and thus increase the resilience of DNS against software flaws or exploits.

Contents

NSD uses BIND-style zone-files (zone-files used under BIND can usually be used unmodified in NSD, once entered into the NSD configuration).

NSD uses zone information compiled via zonec into a binary database file (nsd.db) which allows fast startup of the NSD name-service daemon, and allows syntax-structural errors in Zone-Files to be flagged at compile-time (before being made available to NSD service itself).

The collection of programs/processes that make-up NSD are designed so that the NSD daemon itself runs as a non-privileged user and can be easily configured to run in a Chroot jail, such that security flaws in the NSD daemon are not so likely to result in system-wide compromise as without such measures.

As of May, 2018, four of the Internet root nameservers are using NSD:

Several other TLDs use NSD for part of their servers.

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

BIND is a suite of software for interacting with the Domain Name System (DNS). Its most prominent component, named, performs both of the main DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver in the network. As of 2015, it is the most widely used domain name server software, and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administration tools such as nsupdate and dig, and a DNS resolver interface library.

The djbdns software package is a DNS implementation. It was created by Daniel J. Bernstein in response to his frustrations with repeated security holes in the widely used BIND DNS software. As a challenge, Bernstein offered a $1000 prize for the first person to find a security hole in djbdns, which was awarded in March 2009 to Matthew Dempsky.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

<span class="mw-page-title-main">Root name server</span> Name server for the DNS root zone

A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Microsoft DNS is the name given to the implementation of domain name system services provided in Microsoft Windows operating systems.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

<span class="mw-page-title-main">Open Root Server Network</span>

Open Root Server Network (ORSN) was a network of Domain Name System root nameservers for the Internet. ORSN DNS root zone information was kept in synchronization with the "official" Domain Name System root nameservers coordinated by ICANN. The networks were 100% compatible, though ORSN was operated independently. The ORSN servers were primarily placed in Europe. ORSN is also used by public name servers, providing Domain Name System access freely for everyone, without any limitation until the project closed in May 2019. ORSN was primarily started to reduce the over-dependence of Internet users on the United States and Department of Commerce/IANA/ICANN/VeriSign, limit the control over the Internet that this gives, while ensuring that domain names remain unambiguous. It also helps avoid the technical possibility of global "Internet shutdown" by one party. They also expect their network to make domain name resolutions faster for everyone.

A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

The domain name .local is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet. As such it is similar to the other special domain names, such as .localhost. However, .local has since been designated for use in link-local networking, in applications of multicast DNS (mDNS) and zero-configuration networking (zeroconf) so that DNS service may be established without local installations of conventional DNS infrastructure on local area networks.

DNS management software is computer software that controls Domain Name System (DNS) server clusters. DNS data is typically deployed on multiple physical servers. The main purposes of DNS management software are:

Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license.

MaraDNS is an open-source Domain Name System (DNS) implementation, which acts as either a caching, recursive, or authoritative nameserver.

<span class="mw-page-title-main">Response policy zone</span> Internet firewall mechanism for DNS

A response policy zone (RPZ) is a mechanism to introduce a customized policy in Domain Name System servers, so that recursive resolvers return possibly modified results. By modifying a result, access to the corresponding host can be blocked.

NLnet Labs is a network research laboratory founded in Amsterdam in 1999 by the board members of NLnet. They develop DNS-related software, such as NSD, Unbound, OpenDNSSEC and getDNS.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

References

  1. Wijngaards, Wouter (6 December 2023). "NSD 4.8.0 released". nsd-users (Mailing list). Retrieved 29 January 2024.
  2. Karrenberg, Daniel (14 February 2003). "k.root-servers.net Changing DNS Software at on 19.2.2003" . Retrieved 14 May 2014.
  3. ""Stichting NLnet; Annual Report 2003" mentioning NSD on h.root-servers.net". Stichting NLnet Labs. 18 May 2004. p. 13. Retrieved 30 January 2007.
  4. Patrick Jones (2014-09-09). Lightning Talk on L-root (PDF). ENOG 8 . Retrieved 2016-01-04.
  5. "D-Root History Page".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.