Bind 9 GUI management interface

If you would prefer a GUI management interface, you might consider a Commercial Product based on BIND.

What is BIND DNS?

BIND is a full-featured, scalable, and open-source software suite for DNS services. BIND’s name comes from the fact it was originally developed at the University of California Berkeley.

Prerequisites

Ubuntu 22.04 LTS PVE Container Images Download. NOTE: For the Domain Name Service (DNS) container, disable Nesting, enable Unprivileged container, and use a 10G disk, 2 vCPUs, and 1024 MB of RAM.

Install the latest updates

Before we install any packages, we first refresh the package index and install the latest updates:

apt update -y && apt upgrade -y

Install BIND 9 on the DNS server

Next, we’re going to install three packages on our DNS server:

  • bind9 - The BIND 9 DNS server software.
  • bind9utils - Utilities that make working with BIND 9 easier.
  • bind9-doc - A documentation package for BIND 9.

To install those packages, use this command:

apt install bind9 bind9utils bind9-doc -y

After installation, the BIND 9 service should be running. You can check the status with this command:

systemctl status bind9

Bind9 Settings

We will configure two DNS servers for the domain testbed.com, with forward and reverse zones, where:

  • Primary DNS (Master): 192.168.1.21
  • Secondary DNS (Slave): 192.168.1.22
  • Network: 192.168.1.0/24

This will allow you to resolve hostnames like www.testbed.com → 192.168.1.100 and also do reverse lookups 192.168.1.100 → www.testbed.com.

Edit the named.conf.options file

The named.conf file is BIND 9’s main configuration file. That main file includes a reference to /etc/bind/named.conf.options where we can specify options we need for our configuration. We’ll make four modifications to the /etc/bind/named.conf.options file:

  • An acl directive that defines our local area network (LAN).
  • An allow-query directive that defines what IP addresses can send DNS queries to the server.
  • A forwarders directive that defines what DNS servers this server will forward recursive queries to.
  • A recursion directive that allows recursive DNS queries to the server.

To make those changes, open /etc/bind/named.conf.options in a text editor (e.g., nano or vim) and modify the file as shown below.

Primary

// allow only LAN traffic from 192.168.1.0-192.168.1.255
acl LAN {
        192.168.1.0/24;
};

options {
        directory "/var/cache/bind"; // default directory
        allow-query { localhost; LAN; }; // allow queries from localhost and LAN

        // Forwarders (UVA DNS servers)
        forwarders {
                128.143.2.7;
                128.143.22.119;
                128.143.3.7;
        };
        // Forward first tries the forwarders; if they fail, BIND will resolve normally
        forward first;

        // Allow recursion only for the internal network
        allow-recursion { LAN; localhost; };

        // Optional: hide the version for security
        version "not currently available";

        // Listen on IPv4 only for the local network
        listen-on port 53 { 127.0.0.1; 192.168.1.21; };
        // Listen on IPv6 (if needed), or disable
        listen-on-v6 { none; };

        // DNSSEC settings
        dnssec-validation auto;
        auth-nxdomain no;    // RFC1035 compliance
};
  • Verify Configuration

    After you make the changes, check the syntax of the file with the named-checkconf command:

    sudo named-checkconf /etc/bind/named.conf.options

    If the syntax is correct, the command should not return any output. If you want to see more verbose output on a successful test, add the -p switch to the command (named-checkconf -p). If there are no errors, reload BIND:

    sudo systemctl reload bind9
  • Test External DNS Resolution

    From a client in the 192.168.1.0/24 network or from either DNS server, test queries:

    Test against Primary

    dig @192.168.1.21 google.com

Secondary

On the secondary DNS (192.168.1.22), you need to make a similar named.conf.options but change the listen-on IP to its own address:

listen-on port 53 { 127.0.0.1; 192.168.1.22; };
  • Verify Configuration

    After you make the changes, check the syntax of the file with the named-checkconf command:

    named-checkconf /etc/bind/named.conf.options

    If the syntax is correct, the command should not return any output. If you want to see more verbose output on a successful test, add the -p switch to the command (named-checkconf -p). If there are no errors, reload BIND:

    sudo systemctl reload bind9
  • Test External DNS Resolution

    From a client in the 192.168.1.0/24 network or from either DNS server, test queries:

    Test against Secondary

    dig @192.168.1.22 google.com

Edit the named.conf.local file

The named.conf.local is typically used to define local DNS zones for a private domain. We will update this file to include our forward and reverse DNS zones.

  • Zone File: where all the DNS records for a particular zone are stored. It typically includes records like A (address) records, MX (mail exchange) records, CNAME (canonical name) records, and others.
  • Forward Zone: Used for normal forward DNS lookups, resolving domain names to IP addresses.
  • Reverse Zone: Used for reverse DNS lookups, resolving IP addresses to domain names.

To make the changes, open /etc/bind/named.conf.local in a text editor (e.g., nano or vim) and add these lines:

Primary DNS Configuration

//forward
zone "testbed.com" {
      type master;
      file "/etc/bind/forward.testbed.com";
      allow-transfer { 192.168.1.22; };   // Allow the secondary DNS to pull updates
      also-notify { 192.168.1.22; };      // Notify the secondary immediately after updates
};
//reverse
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/reverse.testbed.com";
    allow-transfer { 192.168.1.22; };
    also-notify { 192.168.1.22; };
};

NOTE: The name 1.168.192.in-addr.arpa is the reverse DNS zone name that corresponds to the IP address range 192.168.1.0/24. In reverse DNS, the zone name lists the network octets in reverse order; this is the standardized naming convention in the DNS system.

Understanding the structure: 192.168.1.0/24 is an IP address range whose network octets are 192.168.1. In reverse DNS, those octets are written in reverse order and in-addr.arpa is appended. Thus, 192.168.1.0/24 becomes 1.168.192.in-addr.arpa.

After you make the changes, check the syntax of the file with the named-checkconf command:

named-checkconf /etc/bind/named.conf.local
  • Create Forward Zone File

    Create the forward zone file:

    sudo vi /etc/bind/forward.testbed.com

    Example contents:

    $TTL 604800
    @   IN  SOA ns1.testbed.com. yanboyang713.gmail.com. (
            2025092601  ; Serial number (Note: change this number/date after each change)
            604800      ; Refresh (7 days)
            86400       ; Retry (1 day)
            2419200     ; Expire (4 weeks)
            604800 )    ; Negative Cache TTL (7 days)
     
    ; Name servers
    @       IN  NS      ns1.testbed.com.
    @       IN  NS      ns2.testbed.com.
     
    ; A records for DNS servers
    ns1     IN  A       192.168.1.21
    ns2     IN  A       192.168.1.22
     
    ; Example host records
    server1     IN  A       192.168.1.11
    server2     IN  A       192.168.1.12
    server3     IN  A       192.168.1.13
    server4     IN  A       192.168.1.14
    server5     IN  A       192.168.1.15

    Key notes:

    • yanboyang713.gmail.com. is the administrator email but with @ replaced by a dot. Example: yanboyang713@gmail.com → yanboyang713.gmail.com.
    • Update the Serial number every time you make changes.
  • Create Reverse Zone File

    Create the reverse zone file:

    sudo vi /etc/bind/reverse.testbed.com

    Example:

    $TTL 604800
    @   IN  SOA ns1.testbed.com. yanboyang713.gmail.com. (
            2025092601  ; Serial number (Note: change this number/date after each change)
            604800      ; Refresh (7 days)
            86400       ; Retry (1 day)
            2419200     ; Expire (4 weeks)
            604800 )    ; Negative Cache TTL (7 days)
     
    ; Name servers
    @       IN  NS      ns1.testbed.com.
    @       IN  NS      ns2.testbed.com.
     
    ; PTR Records for reverse mapping
    21      IN  PTR     ns1.testbed.com.
    22      IN  PTR     ns2.testbed.com.
    11      IN  PTR     server1.testbed.com.
    12      IN  PTR     server2.testbed.com.
    13      IN  PTR     server3.testbed.com.
    14      IN  PTR     server4.testbed.com.
    15      IN  PTR     server5.testbed.com.
  • Verify and Reload Primary

    Run:

    sudo named-checkconf
    sudo named-checkzone testbed.com /etc/bind/forward.testbed.com
    sudo named-checkzone 1.168.192.in-addr.arpa /etc/bind/reverse.testbed.com

    Reload BIND:

    sudo systemctl reload bind9
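    named-checkzone validates each zone file on its own, but nothing checks that the forward and reverse files agree with each other, and a host whose A record and PTR record drift apart only shows up later as a failed -x lookup. The following added example (not part of the original tutorial) computes the in-addr.arpa zone name described in the NOTE above for any octet-aligned IPv4 network and cross-checks the A and PTR records of the two zone files; the zone excerpts are constructed from the tutorial's records, with deliberate inconsistencies so the report has something to show.

```python
import ipaddress
import re

# Excerpts modelled on the tutorial's zone files (SOA/NS lines omitted). The
# reverse side is deliberately wrong: .12 lacks a PTR, .13 lacks an A, .14 misnamed.
FORWARD_ZONE = """
ns1     IN  A       192.168.1.21
ns2     IN  A       192.168.1.22
server1 IN  A       192.168.1.11
server2 IN  A       192.168.1.12
server4 IN  A       192.168.1.14
"""
REVERSE_ZONE = """
21      IN  PTR     ns1.testbed.com.
22      IN  PTR     ns2.testbed.com.
11      IN  PTR     server1.testbed.com.
13      IN  PTR     server3.testbed.com.
14      IN  PTR     server5.testbed.com.
"""
# "owner [ttl] [IN] TYPE rdata"; $TTL, SOA and NS lines do not match.
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)", re.M)

def reverse_zone_name(cidr):
    """192.168.1.0/24 -> 1.168.192.in-addr.arpa (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 networks are supported")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def records(zone_text, rtype):
    """Map relative owner -> rdata for every record of the given type."""
    return {o: r for o, t, r in RECORD_RE.findall(zone_text) if t == rtype}

def check_zones(forward, reverse, origin, cidr):
    """Compare A records inside cidr with PTRs; return (missing, stale, wrong)."""
    net = ipaddress.ip_network(cidr)
    expected = {}  # PTR owner (host octets reversed) -> expected FQDN
    for owner, ip in records(forward, "A").items():
        if ipaddress.ip_address(ip) in net:
            host = ".".join(reversed(ip.split(".")[net.prefixlen // 8:]))
            expected[host] = f"{owner}.{origin}."
    actual = records(reverse, "PTR")
    missing = sorted(set(expected) - set(actual))   # A record, no PTR
    stale = sorted(set(actual) - set(expected))     # PTR, no A record
    wrong = sorted(h for h in expected if h in actual and actual[h] != expected[h])
    return missing, stale, wrong

if __name__ == "__main__":
    print(reverse_zone_name("192.168.1.0/24"),
          check_zones(FORWARD_ZONE, REVERSE_ZONE, "testbed.com", "192.168.1.0/24"))
```

Run it against the real files by reading /etc/bind/forward.testbed.com and /etc/bind/reverse.testbed.com into the two strings; an empty result means every A record in 192.168.1.0/24 has exactly one matching PTR.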

Secondary DNS Configuration (Slave)

The secondary DNS will synchronize automatically from the primary.

  • Edit /etc/bind/named.conf.local

    sudo vi /etc/bind/named.conf.local

    Add:

    zone "testbed.com" {
        type slave;
        file "/var/cache/bind/forward.testbed.com";
        masters { 192.168.1.21; };
    };
    zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/var/cache/bind/reverse.testbed.com";
        masters { 192.168.1.21; };
    };

Enable ufw on both

Set the default policies, allow DNS on port 53 over both UDP and TCP, then enable the firewall and confirm its status:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 53/udp
sudo ufw allow 53/tcp
sudo ufw enable
sudo ufw status verbose

Verify Setup

Forward Lookup

From any client or either DNS server:

dig @192.168.1.21 server1.testbed.com
dig @192.168.1.22 server1.testbed.com

Expected output:

server1.testbed.com.    604800  IN      A       192.168.1.11

Reverse Lookup

dig @192.168.1.21 -x 192.168.1.11
dig @192.168.1.22 -x 192.168.1.11

Expected output:

11.1.168.192.in-addr.arpa. 604800 IN    PTR     server1.testbed.com.
