Server Options
The server: section contains global options for the NSD server. There may only be one server: clause in the configuration file.
Network Configuration
Listening Addresses
NSD will bind to the listed IP address. Can be given multiple times to bind multiple addresses. If none are given, NSD listens on the wildcard interface (0.0.0.0 and ::0).
Port specification: Optionally specify a port with @port.
Server assignment: Limit which server processes handle the address:
- servers="1-3" - Servers 1, 2, and 3
- servers="1 3 5" - Servers 1, 3, and 5
- By default, all servers handle all addresses
bindtodevice: Uses SO_BINDTODEVICE to bind the socket directly to the network device (performance optimization)
setfib: Uses SO_SETFIB to associate the routing table from the interface (FreeBSD, performance optimization)
Same as ip-address (for compatibility with unbound.conf).
Allows NSD to bind to non-local addresses. Useful to answer immediately when an address is added to the network interface.
Set the IP_FREEBIND option to bind to nonlocal addresses and interfaces that are down. Similar to ip-transparent.
Port number to answer queries on.
If yes, NSD listens to IPv4 connections.
If yes, NSD listens to IPv6 connections.
Socket Options
Set the send buffer size for query-servicing sockets in bytes. Set to 0 to use system defaults. Default is 4MB.
Set the receive buffer size for query-servicing sockets in bytes. Set to 0 to use system defaults. Default is 1MB.
Use the SO_REUSEPORT socket option and create file descriptors for every server in server-count. Improves network stack performance. Only useful with server-count higher than 1. Works on Linux, not on FreeBSD.
Process Management
Number of NSD server processes to fork. Set to the number of CPU cores for optimal performance.
Overall CPU affinity for NSD processes on Linux and FreeBSD. Any server/xfrd CPU affinity value will be masked by this value.
Bind NSD server N to a specific core. Only takes effect if cpu-affinity is enabled.
Bind xfrd (zone transfer daemon) to a specific core. Only takes effect if cpu-affinity is enabled.
After binding sockets, drop user privileges and assume this username. Can be username, id, or id.gid.
NSD will chroot on startup to the specified directory. Set to "" to disable.
Change working directory to the specified directory before accessing zone files. NSD will also access zonelistfile, logfile, pidfile, xfrdfile, xfrdir, and other files relative to this directory.
File Locations
Path to the PID file. Set to "" to disable PID file creation.
The PID file is not chowned to the username for permission safety. It remains owned by the user who started the server.
Log messages to this file. Default is to log to stderr and syslog (facility LOG_DAEMON).
Log messages only to syslog. Useful with systemd to prevent duplicate log entries in journald.
File used to store the dynamically added list of zones. Used by the nsd-control addzone and delzone commands.
The zone transfer daemon saves SOA timeout and state to this file. State is read back after restart. Set to "" to disable (all secondary zones are checked for updates on startup).
Directory where zone transfers are stored before processing. A subdirectory is created and removed when NSD exits.
TCP Configuration
Maximum number of concurrent, active TCP connections by each server process.
If yes, TCP connections beyond tcp-count are immediately dropped (accepted and closed).
Maximum number of queries served on a single TCP connection. Default 0 means no maximum.
TCP timeout in seconds. Also affects zone transfers over TCP.
Maximum segment size (MSS) of TCP socket for queries. Lower values (e.g., 1220) can address path MTU problems. Default 0 uses system default.
Not all platforms support the TCP_MAXSEG socket option.
Maximum segment size for outgoing XFR requests to other nameservers.
Set the TCP backlog for listening sockets. Higher values allow more pending connections and protect against flooding. Default is -1 on BSDs and Linux (selects largest allowed value), 256 on other systems.
Zone Transfer Configuration
Number of sockets for xfrd to use for outgoing zone transfers. Increase for more simultaneous zone transfers.
Number of simultaneous outgoing zone transfers possible on the TCP sockets of xfrd. Maximum is 65536.
If -1, xfrd will not trigger a reload after zone transfer. If positive, xfrd will wait this many seconds before triggering a new reload. Throttles reloads to once per N seconds.
EDNS Configuration
Preferred EDNS buffer size for IPv4 in bytes.
Preferred EDNS buffer size for IPv6 in bytes.
Logging and Debugging
Verbosity level for logging:
- 0: Warnings, errors, and important operational events
- 1: Successful notifies, successful zone transfers, failed transfers
- 2: Soft errors like TCP connection resets, notify refusals, AXFR refusals
- 3: Additional detailed information
Turns on debugging mode. Does not fork a daemon process, stays in foreground. Useful for debugging and with supervisor processes.
Log time in ASCII format (y-m-d h:m:s.msec). If no, log in seconds since epoch.
Log time in ISO8601 format when log-time-ascii is also enabled.
Server Identity
String returned for CH TXT ID.SERVER queries. Default is the hostname from gethostname(3). See hide-identity to disable responses.
Prevent NSD from replying with the identity string on CHAOS class queries.
String returned for CH TXT version.server and version.bind queries. Default is the compiled package version. See hide-version to disable.
Prevent NSD from replying with the version string on CHAOS class queries.
Add the specified NSID to the EDNS section when the query carries the EDNS NSID option. The value is either a hex string or an ASCII string given with the ascii_ prefix.
Query Processing
Enable round robin rotation of records in answers. Changes record order for load balancing.
Enable minimal responses for smaller answers. Extra data only added for referrals when necessary. Makes packets as small as possible.
If yes, additional information will not be added to responses if the apex zone doesn’t match the initial query apex zone (e.g., CNAME resolution).
Refuse queries of type ANY. Useful to stop query floods. When off, NSD follows RFC 8482 and minimizes response with one RRset.
If yes, drop received packets with the UPDATE opcode.
Zone File Management
Check mtime of zone files on start and SIGHUP. Disabling starts faster with many zones.
Write updated secondary zones to zonefile every N seconds. If zonefile option is "" (empty), no file is written.
Reload configuration file and update TSIG keys and zones on SIGHUP.
Statistics
Produce statistics every N seconds. Default 0 means no statistics. Statistics are logged to the logfile.
Response Rate Limiting (RRL)
Number of buckets in RRL hashtable. More buckets use more memory but reduce hash collisions.
Maximum queries per second allowed from one source. Default 200 qps. Set to 0 to disable. When the rate limit is reached, NSD begins dropping responses. One in every rrl-slip responses is sent with the TC bit set.
Number of packets discarded before sending a SLIP response (truncated response). 0 disables SLIP, 1 means every query gets a SLIP response. Default 2 cuts traffic in half.
IPv4 prefix length. Addresses are grouped by netblock for rate limiting.
IPv6 prefix length. Addresses are grouped by netblock for rate limiting.
Maximum qps for whitelisted query types. Default 2000 qps. Set to 0 for unlimited.
DNS Cookies
Enable answering requests containing DNS Cookies (RFC 7873). Provides limited protection against DoS amplification attacks. When enabled, clients with valid server cookies are not subject to rate limiting.
Cookie secret used to create and verify server cookies. Required for anycast deployments to verify each other’s cookies.
Staging cookie secret for cookie rollover in anycast setups. Can verify but not create cookies. Requires cookie-secret to be set.
File from which secrets are read for DNS Cookie calculations. Managed with nsd-control commands.
TLS Configuration
Private key file for DNS-over-TLS service. Default "" (disabled). Requires restart to take effect.
Public certificate file for DNS-over-TLS service.
OCSP stapling data file. Must be updated by external process.
Port number for DNS-over-TLS service. Only interfaces configured with @853 get TLS service.
Port for authenticated DNS-over-TLS (XFR-over-TLS with mutual authentication). Uses tls-cert-bundle for client verification.
Allow zone transfers only on tls-auth-port and only to authenticated clients. Refuses XFR requests on other ports.
Certificate bundle for authenticating XFR-over-TLS connections. Default uses system verify locations.
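As an added check (example code, not NSD's own tooling), the following Python audits a server: clause for the settings discussed under Server Identity, Query Processing, Response Rate Limiting and DNS Cookies. The two nsd.conf texts are constructed samples; the `<unset>` marker and the "set explicitly to yes" policy are the example's own conventions, not NSD defaults.

```python
"""Audit an nsd.conf server: clause for the weak settings this page describes."""
import re

# Constructed sample (not a real deployment) with the defences on this page off or unset.
WEAK_CONF = """\
server:
    ip-address: 192.0.2.53  # documentation address
    hide-version: no
    refuse-any: no
    rrl-ratelimit: 0  # 0 disables response rate limiting
zone:
    name: "example.com"
"""
# Constructed hardened counterpart of the same clause.
HARDENED_CONF = """\
server:
    ip-address: 192.0.2.53
    hide-identity: yes
    hide-version: yes
    refuse-any: yes
    drop-updates: yes
    answer-cookie: yes
    rrl-ratelimit: 200
"""
# Options this page describes as defences; each should be set to 'yes' explicitly.
WANT_YES = ("hide-identity", "hide-version", "refuse-any", "drop-updates", "answer-cookie")

def parse_server_clause(text):
    """Return {option: value} for the server: clause; zone:, key: etc. are skipped."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if re.match(r"^\S+:\s*$", line):  # clause header at column 0, e.g. 'zone:'
            in_server = line.strip() == "server:"
            continue
        if in_server:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts

def audit(text):
    """Return sorted (option, current, recommended) triples for weak or unset options."""
    opts = parse_server_clause(text)
    findings = [(opt, opts.get(opt, "<unset>"), "yes")
                for opt in WANT_YES if opts.get(opt) != "yes"]
    if opts.get("rrl-ratelimit", "200") == "0":  # page: default 200 qps, 0 disables RRL
        findings.append(("rrl-ratelimit", "0", "200"))
    return sorted(findings)
```

Run `audit(WEAK_CONF)` to list the options to change; the hardened clause produces no findings.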