[nsd-users] Testing DoH
Chris Croome
chris at webarchitects.co.uk
Mon Dec 8 15:16:01 UTC 2025
Hi Anand
On Mon 08-Dec-2025 at 03:40:34PM +0100, Anand Buddhdev wrote:
>
> You need to look at the server log, because that may reveal something such
> as a permissions issue, or some other conflict or mismatch. You may also
> want to set "verbosity: 2" to get as much detailed logging as possible from
> the server.
Thanks, I have set the verbosity to 2 but nothing is being written to
/var/log/syslog (I have syslog-ng installed).
The default Debian systemd unit file,
/usr/lib/systemd/system/nsd.service, doesn't have an nsd user specified:
[Unit]
Description=Name Server Daemon
Documentation=man:nsd(8)
After=network.target
[Service]
Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d -P ""
ExecReload=+/bin/kill -HUP $MAINPID
# CAP_NET_ADMIN and CAP_NET_RAW required for IP_TRANSPARENT
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
KillMode=mixed
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run
RuntimeDirectory=nsd
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources
[Install]
WantedBy=multi-user.target
So I was assuming that the service was running as root and that does seem to be the case:
systemctl show --property=User,DynamicUser,MainPID,Group nsd
MainPID=2349
User=
Group=
DynamicUser=no
However there is an nsd user and group:
grep nsd /etc/passwd
nsd:x:103:105::/var/lib/nsd:/usr/sbin/nologin
grep nsd /etc/group
nsd:x:105:
So I have chowned and chmodded the key and cert so that the nsd user can read them:
-rw-r----- 1 root nsd 306 Nov 28 13:23 dns5.webarch.org.uk.privkey.secp384r1.pem
-rw-r----- 1 root nsd 2.9K Nov 28 13:23 dns5.webarch.org.uk.pubcert.secp384r1.pem
I have also checked that these are the same files that Apache is using:
diff /etc/nsd/dns5.webarch.org.uk.privkey.secp384r1.pem /etc/apache2/md/domains/dns5.webarch.org.uk/privkey.secp384r1.pem
diff /etc/nsd/dns5.webarch.org.uk.pubcert.secp384r1.pem /etc/apache2/md/domains/dns5.webarch.org.uk/pubcert.secp384r1.pem
I have restarted the service and tried to test using doh-cli again, and
nothing has been written to /var/log/syslog by nsd.
I'm tempted to simply give up since I'm also not sure if any service will
actually use DoH -- I only tried to enable it since it looked like an easy
option to switch on...
All the best
Chris
--
Webarchitects Co-operative
http://webarchitects.coop/
http://webarch.info/
+44 114 276 9709
@webarchcoop
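The ownership check Chris did by hand above, written out as an added example for this thread (my code, not NSD's or Debian's). It parses `ls -l` lines like the two quoted in the message, decides whether the privilege-dropped daemon account can read each file using the same owner/group/other order the kernel applies, and flags key files that are readable or writable more widely than they need to be. It assumes the daemon is started as root by systemd and then drops to an account named `nsd` whose only group is `nsd`; the third listing line is constructed to show what a finding looks like, and `assess_path` runs the same checks against real files and the local account database.

```python
"""Check that a TLS private key is readable by the daemon's unprivileged
account and by nobody else.  Added example for this thread, not NSD code."""
from __future__ import annotations

import grp
import os
import pwd
import stat
import sys
from dataclasses import dataclass

# Permission bits in the order they appear in a symbolic mode string.
PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


@dataclass(frozen=True)
class Entry:
    name: str
    mode: int    # permission bits only, e.g. 0o640
    owner: str
    group: str


def parse_symbolic_mode(text: str) -> int:
    """'rw-r-----' -> 0o640.  's'/'t' in an x slot count as execute set;
    the setuid/setgid/sticky flags themselves are not recorded."""
    if len(text) != 9:
        raise ValueError(f"expected 9 permission characters, got {text!r}")
    mode = 0
    for ch, expected, bit in zip(text, "rwxrwxrwx", PERM_BITS):
        if ch == expected or (expected == "x" and ch in "st"):
            mode |= bit
        elif ch not in "-ST":
            raise ValueError(f"unexpected character {ch!r} in {text!r}")
    return mode


def parse_ls_line(line: str) -> Entry:
    """Parse one 'ls -l' line: perms links owner group size mon day time name."""
    fields = line.split()
    if len(fields) < 9 or len(fields[0]) < 10:
        raise ValueError(f"not an ls -l line: {line!r}")
    # [1:10] skips the file-type character and ignores a trailing '+' or '.'
    return Entry(name=fields[-1], mode=parse_symbolic_mode(fields[0][1:10]),
                 owner=fields[2], group=fields[3])


def readable_by(entry: Entry, user: str, groups: frozenset[str]) -> bool:
    """Discretionary read check in kernel order: owner class, then group, then other.
    Root is deliberately not special-cased: the question is what the
    privilege-dropped account can do, not what the process could do before."""
    if user == entry.owner:
        return bool(entry.mode & stat.S_IRUSR)
    if entry.group in groups:
        return bool(entry.mode & stat.S_IRGRP)
    return bool(entry.mode & stat.S_IROTH)


def assess_key(entry: Entry, service_user: str, service_groups: frozenset[str]) -> list[str]:
    """Return findings for a private-key file; an empty list means it looks right."""
    findings = []
    if not readable_by(entry, service_user, service_groups):
        findings.append(f"{entry.name}: not readable by {service_user}; "
                        "the daemon cannot load it after dropping privileges")
    if entry.mode & stat.S_IROTH:
        findings.append(f"{entry.name}: world-readable; any local account can copy the key")
    if entry.mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{entry.name}: writable by group or others; the key could be replaced")
    if entry.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append(f"{entry.name}: execute bit set; unusual for key material")
    return findings


def assess_listing(listing: str, service_user: str,
                   service_groups: frozenset[str]) -> dict[str, list[str]]:
    """Run assess_key over every line of an 'ls -l' listing."""
    entries = (parse_ls_line(l) for l in listing.splitlines() if l.strip())
    return {e.name: assess_key(e, service_user, service_groups) for e in entries}


def service_groups_for(username: str) -> frozenset[str]:
    """Primary plus supplementary groups of a real local account."""
    pw = pwd.getpwnam(username)
    groups = {grp.getgrgid(pw.pw_gid).gr_name}
    groups.update(g.gr_name for g in grp.getgrall() if username in g.gr_mem)
    return frozenset(groups)


def assess_path(path: str, service_user: str) -> list[str]:
    """Stat a real file and apply the same checks using the live account database."""
    st = os.stat(path)
    entry = Entry(name=path, mode=stat.S_IMODE(st.st_mode),
                  owner=pwd.getpwuid(st.st_uid).pw_name,
                  group=grp.getgrgid(st.st_gid).gr_name)
    return assess_key(entry, service_user, service_groups_for(service_user))


# Constructed sample: the two lines quoted in the message plus one deliberately
# wrong line (hypothetical file name) so that a finding is produced.
SAMPLE_LISTING = """\
-rw-r----- 1 root nsd 306 Nov 28 13:23 dns5.webarch.org.uk.privkey.secp384r1.pem
-rw-r----- 1 root nsd 2.9K Nov 28 13:23 dns5.webarch.org.uk.pubcert.secp384r1.pem
-rw-r--r-- 1 root root 306 Nov 28 13:23 worldreadable.privkey.pem
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real files: python3 keycheck.py /etc/nsd/*.pem
        for p in sys.argv[1:]:
            print(p, assess_path(p, "nsd") or "ok")
    else:                                       # offline demo on the constructed listing
        for name, found in assess_listing(SAMPLE_LISTING, "nsd", frozenset({"nsd"})).items():
            print(name, found or "ok")
```

Run with no arguments to see the offline demo, or pass the key and cert paths to check the real files; `assess_path` needs only read access to the file's metadata, so it can be run as root without switching to the service account.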