NSD is an authorative-only, high performance, simple and open-source name server. Like tinydns and unlike BIND it does not do recursion and caching, but then it doesn’t need to. Currently, three of the root-nameservers run NSD. If it’s good enough to run on a root-ns, then it’s good enough for me and you. It has most of the relevant features of modern DNS servers.

NSD uses BIND-syle zone files, so there’s no need to convert anything if you are migrating from BIND. Since I was migrating from djbdns I needed to convert the data back to BIND-speech. The easiest way to accomplish this is to replicate the zone data from the master using AXFR. Well for some reason or another when I attempted to use nsd-xfer(8) do this, it failed. As I checked the axfrdns logs it turned out to be a bogus query. Then I tried to accomplish the same with dig(1) which worked fine but it doubled the SOA records for some obscure reason. NSD itself transfers the zones just fine. So far it works like a charm, regardless if it’s in master or  slave configuration.

For the DNS cache I am still using dnscache. NLnet Labs also has an alternative called Unbound.

I have recently modified this script to generate a PF ruleset from the Spamhaus DROP list in order to keep evil packets out of your network. The DROP list is a tiny subset of the SBL containing netblocks controlled entirely by spammers. The modified script you can get here. To use it, put it somewhere in your PATH and run it once a day via cron. The ruleset is loaded via an anchor. In order to load it at boot time, put the following lines in your pf.conf above the usual rules:

# anchor for Spamhaus DROP list
anchor droplist
load anchor droplist from "/etc/pf.drop"

Enjoy.