HxHippy

BIND DNS Server Setup

Configure BIND as an authoritative DNS server with zone files and security.

Last updated: 2025-01-15

BIND DNS Server

BIND (Berkeley Internet Name Domain) is the most widely used DNS server software.

Installation

# Debian/Ubuntu
sudo apt update
sudo apt install bind9 bind9utils bind9-doc

# RHEL/CentOS
sudo dnf install bind bind-utils

# Check version
named -v

Configuration Files

/etc/bind/
├── named.conf           # Main configuration
├── named.conf.options   # Server options
├── named.conf.local     # Local zone definitions
├── named.conf.default-zones  # Default zones
└── zones/
    └── db.example.com   # Zone file

Main Configuration

/etc/bind/named.conf.options

// Define trusted networks first: BIND does not allow forward references,
// so an acl must be declared before the options block that uses it
acl "trusted" {
    192.168.1.0/24;
    10.0.0.0/8;
    localhost;
};

options {
    directory "/var/cache/bind";

    // Upstream resolvers, used only for recursive queries from trusted clients
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    // Security: anyone may query the authoritative zones, but recursion is
    // answered only for the trusted ACL, so this is not an open resolver
    recursion yes;
    allow-recursion { trusted; };
    allow-query { any; };
    // Global default for zone transfers; overridden per zone in named.conf.local
    allow-transfer { none; };

    // DNSSEC validation of recursive answers, using the built-in root trust anchor
    dnssec-validation auto;

    // IPv6
    listen-on-v6 { any; };

    // Logging (every query is logged when a "queries" channel is configured)
    querylog yes;
};

Zone Configuration

/etc/bind/named.conf.local

// Forward zone
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 192.168.1.3; };  // Secondary NS, authorized by source address only
};

// Reverse zone (ns2 is listed as NS for it, so it needs the same transfer permission;
// otherwise the global "allow-transfer { none; }" applies)
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.1";
    allow-transfer { 192.168.1.3; };  // Secondary NS
};

Zone File

/etc/bind/zones/db.example.com

$TTL    604800
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2025011501      ; Serial (YYYYMMDDnn; increment on every change)
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative TTL

; Name servers
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.

; A records for name servers
ns1     IN      A       192.168.1.2
ns2     IN      A       192.168.1.3

; Main domain
@       IN      A       192.168.1.10
www     IN      CNAME   @

; Mail
@       IN      MX      10 mail.example.com.
mail    IN      A       192.168.1.20

; Other hosts
ftp     IN      A       192.168.1.30
api     IN      A       192.168.1.40

Reverse Zone File

/etc/bind/zones/db.192.168.1

$TTL    604800
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2025011501      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative TTL

@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.

2       IN      PTR     ns1.example.com.
3       IN      PTR     ns2.example.com.
10      IN      PTR     example.com.
20      IN      PTR     mail.example.com.

Validation and Management

# Check configuration syntax
sudo named-checkconf

# Check zone file syntax
sudo named-checkzone example.com /etc/bind/zones/db.example.com

# Reload configuration
sudo rndc reload

# Reload specific zone
sudo rndc reload example.com

# View server status
sudo rndc status

# Flush cache
sudo rndc flush

Logging Configuration

logging {
    // /var/log/named must already exist and be writable by the bind user;
    // named does not create the directory itself
    channel default_log {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };

    // Per-query log; rotated at 10 MB, keeping 5 old files
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };

    category default { default_log; };
    category queries { query_log; };
};

Best Practices

  1. Use TSIG keys - Authenticate zone transfers with a shared secret instead of relying on source addresses alone
  2. Limit recursion - Answer recursive queries only for trusted networks; an open resolver can be abused for amplification
  3. Regular serial updates - Increment the SOA serial on every change, or secondaries will not pick up the new zone
  4. Monitor logs - Watch the query and default logs for unexpected transfer attempts, query floods and SERVFAIL spikes
  5. Secondary servers - Always have at least one backup NS so the zone stays resolvable if ns1 is down
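The zone configuration above authorizes transfers by source address only (`allow-transfer { 192.168.1.3; };`). The following is an added example, not from the original page, of the same zone with a TSIG-authenticated transfer between ns1 (192.168.1.2) and ns2 (192.168.1.3); the key name `transfer-key` and the secret are placeholders, and the real secret comes from `tsig-keygen -a hmac-sha256 transfer-key`.

```conf
// --- Primary (ns1, 192.168.1.2): /etc/bind/named.conf.local ---
// Generate with: tsig-keygen -a hmac-sha256 transfer-key
// The secret below is a placeholder, not a usable key.
key "transfer-key" {
    algorithm hmac-sha256;
    secret "BASE64_SECRET_FROM_tsig-keygen";
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // Only requests signed with transfer-key may transfer the zone,
    // whatever address they come from; unsigned AXFR/IXFR gets REFUSED
    allow-transfer { key "transfer-key"; };
};

// --- Secondary (ns2, 192.168.1.3): /etc/bind/named.conf.local ---
// Same key statement (identical name, algorithm and secret) as on ns1, then:
server 192.168.1.2 {
    keys { "transfer-key"; };   // sign every request sent to the primary
};

zone "example.com" {
    type slave;
    masters { 192.168.1.2 key "transfer-key"; };
    file "/var/cache/bind/db.example.com";
};

// Check from ns2 after "rndc reload" on both servers:
//   dig @192.168.1.2 example.com AXFR -y hmac-sha256:transfer-key:SECRET   (expected: full zone)
//   dig @192.168.1.2 example.com AXFR                                      (expected: REFUSED)
```

The key file should be readable only by the bind user (mode 0640), and the same TSIG key can be reused for the reverse zone's `allow-transfer`.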