BIND DNS Server
BIND (Berkeley Internet Name Domain) is the most widely used DNS server software.
Installation
# Debian/Ubuntu
# Refresh the package index first so the install pulls the current (patched) bind9 build
sudo apt update
# bind9utils adds the management tools used further down (named-checkconf, named-checkzone, rndc),
# bind9-doc the offline manual; package names vary between releases, so check apt-cache search if one is missing
sudo apt install bind9 bind9utils bind9-doc
# RHEL/CentOS
# bind is the server, bind-utils the client tools (dig, host, nslookup)
sudo dnf install bind bind-utils
# Check version (record it: BIND security advisories are keyed to the running version)
named -v
Configuration Files
/etc/bind/
├── named.conf # Main configuration
├── named.conf.options # Server options
├── named.conf.local # Local zone definitions
├── named.conf.default-zones # Default zones
└── zones/
    └── db.example.com # Zone file
Main Configuration
/etc/bind/named.conf.options
// Global server options (included from named.conf). Each setting applies to
// every zone unless a zone statement overrides it (see allow-transfer below).
options {
// Working directory: relative file names are resolved against it and the
// server writes its own state files there
directory "/var/cache/bind";
// Forwarders
// Recursive (non-authoritative) lookups are handed to these public resolvers.
// No "forward only;" is set, so BIND's default (forward first) falls back to
// its own iterative resolution when the forwarders do not answer.
forwarders {
8.8.8.8;
8.8.4.4;
};
// Security
// Recursion is enabled, but only for clients matching the "trusted" ACL; without
// that restriction the server would be an open resolver usable for reflection/amplification.
recursion yes;
// NOTE: BIND does not allow forward references to ACL names. The acl "trusted"
// statement must be placed *before* this options block, otherwise named-checkconf
// rejects the configuration because the ACL is undefined at this point.
allow-recursion { trusted; };
// Anyone may query authoritative data (needed for a public-facing zone);
// recursion is still gated by allow-recursion above.
allow-query { any; };
// Deny zone transfers (AXFR/IXFR) by default so zone contents cannot be
// enumerated; the zone statements re-enable transfers for their secondary only.
allow-transfer { none; };
// DNSSEC
// "auto" validates answers against the built-in root trust anchor and keeps it updated
dnssec-validation auto;
// IPv6
listen-on-v6 { any; };
// Logging
// Log every query received. Useful for spotting abuse, but high-volume and
// privacy-sensitive; pair it with the rotating query_log channel in the logging block.
querylog yes;
};
// Define trusted networks
// Address-match list referenced by allow-recursion. NOTE: this acl must be
// declared *before* the options block that uses it — BIND requires an ACL to
// be defined before it is referenced. Keep the list tight: every network here
// may use this server as a recursive resolver.
acl "trusted" {
192.168.1.0/24;
10.0.0.0/8;
// built-in ACL matching the server's own addresses
localhost;
};
Zone Configuration
/etc/bind/named.conf.local
// Forward zone
// Primary (master) copy of example.com; ns2 (192.168.1.3 in the zone file) pulls it by zone transfer.
zone "example.com" {
type master;
file "/etc/bind/zones/db.example.com";
// Overrides the global allow-transfer { none; } for this one secondary.
// The peer is trusted by source address only; a TSIG key (see Best Practices)
// would authenticate the transfer instead of relying on the IP.
allow-transfer { 192.168.1.3; }; // Secondary NS
};
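// Reverse zone
// Primary copy of the PTR zone for 192.168.1.0/24 (records live in db.192.168.1).
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192.168.1";
// ns2 is an NS for this zone as well, but the global allow-transfer { none; }
// would block it from pulling the zone — mirror the forward zone's override.
allow-transfer { 192.168.1.3; }; // Secondary NS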
};
Zone File
/etc/bind/zones/db.example.com
; Forward zone for example.com. Names without a trailing dot are relative to the
; zone origin (@ = example.com.); fully qualified names end with a dot.
$TTL 604800 ; default TTL (1 week) for records without an explicit TTL
; SOA: ns1 is the primary, admin.example.com. is the contact (admin@example.com)
@ IN SOA ns1.example.com. admin.example.com. (
2025011501 ; Serial (YYYYMMDDnn) — must increase on every edit or secondaries will not re-transfer
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative TTL
; Name servers
; both names must resolve, hence the A records right after
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; A records for name servers
ns1 IN A 192.168.1.2
ns2 IN A 192.168.1.3
; Main domain
@ IN A 192.168.1.10
; www is an alias for the apex. A CNAME owner may carry no other records, which is
; why the alias points at @ rather than the apex being a CNAME.
www IN CNAME @
; Mail
; preference 10; the MX target must be an A/AAAA name, never a CNAME
@ IN MX 10 mail.example.com.
mail IN A 192.168.1.20
; Other hosts
ftp IN A 192.168.1.30
api IN A 192.168.1.40
Reverse Zone File
/etc/bind/zones/db.192.168.1
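; Reverse (PTR) zone for 192.168.1.0/24. Owner names are the last octet of the
; address, relative to the origin 1.168.192.in-addr.arpa.
$TTL 604800 ; default TTL (1 week)
; SOA mirrors the forward zone's timers
@ IN SOA ns1.example.com. admin.example.com. (
2025011501 ; Serial — increment on every edit or secondaries keep the stale copy
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative TTL
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; One PTR per A record in db.example.com so forward and reverse lookups agree
2 IN PTR ns1.example.com.
3 IN PTR ns2.example.com.
10 IN PTR example.com.
; ftp (.30) and api (.40) have A records in the forward zone but had no PTRs here
30 IN PTR ftp.example.com.
40 IN PTR api.example.com.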
20 IN PTR mail.example.com.
Validation and Management
# Check configuration syntax
# Run before every reload: a syntax error would otherwise stop named from (re)starting.
# Add -z to also test-load every zone declared in the configuration.
sudo named-checkconf
# Check zone file syntax
# arguments: zone name, then its file
sudo named-checkzone example.com /etc/bind/zones/db.example.com
# Reload configuration
# rndc talks to the running server over its control channel, authenticated with the
# shared rndc key, so no restart (and no outage) is needed
sudo rndc reload
# Reload specific zone
sudo rndc reload example.com
# View server status
sudo rndc status
# Flush cache
sudo rndc flush
Logging Configuration
// Logging: two file channels with size-based rotation. /var/log/named must exist
// and be writable by the account named runs as (and be allowed by AppArmor/SELinux
// where those are enforced), or the server cannot open its logs.
logging {
channel default_log {
// rotate at 5 MiB, keeping 3 older versions
file "/var/log/named/default.log" versions 3 size 5m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
// Query log: one line per query while querylog is on — size it for the expected volume
channel query_log {
file "/var/log/named/query.log" versions 5 size 10m;
severity info;
print-time yes;
};
// everything not routed elsewhere goes to default_log
category default { default_log; };
// the "queries" category is what the querylog option feeds; this is the log to watch
// for abuse (e.g. bursts of queries from a single source or for unusual names)
category queries { query_log; };
};
Best Practices
- Use TSIG keys - For zone transfers
- Limit recursion - Only for trusted networks
- Regular serial updates - Increment on changes
- Monitor logs - Watch for abuse
- Secondary servers - Always have backup NS
- bind
- named
- dns server
- zone file
- authoritative dns