BIND (Berkeley Internet Name Domain) is a popular open-source DNS server that is widely used on Unix-like systems, including Ubuntu. Here are the steps to install and configure BIND9 on Ubuntu:
Install BIND9
Before installing BIND9 DNS server, we need to update the package lists using the following command:
sudo apt update
Now that the update is done, we can install BIND9 DNS by using the following command
sudo apt install bind9
After the installation, you will need to check if BIND9 DNS is running on the system using the following command:
sudo service bind9 status
If you don’t have the service command, you can use systemctl as an alternative:
sudo systemctl status bind9
This command provides information about the status of the BIND9 service, including whether it is active or inactive and any error messages if it’s not running.
If BIND9 is running, you should see output similar to:
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: active (running) since <timestamp> ...
Docs: man:named(8)
Process: <PID>
Main PID: <Main PID>
Status: "Updates to /etc/bind named.conf.local zone configurations are now managed with include files for each zone. If you are>..."
Tasks: 6 (limit: 18928)
CGroup: /system.slice/bind9.service
└─<Child processes>
If BIND9 is not running, you might see an “inactive (dead)” status along with an error message explaining why it failed to start. You can investigate further by checking the logs for any error messages using the following command:
sudo journalctl -xe | grep named
Open DNS port using the firewall
Port 53 is the well-known port number assigned to the Domain Name System (DNS). In this example, we’re going to use ufw firewall to open the DNS port as seen below:
sudo ufw allow 53
You will also need to run the reload command as seen below:
sudo ufw reload
Verify that the DNS port is open through the firewall using the following ufw command:
sudo ufw status
Configuring BIND9 DNS Global Settings
The configuration files for BIND9 are located in the /etc/bind directory.
In the context of the BIND9 DNS server, global configurations refer to settings that apply to the overall behavior of the DNS server. These configurations are typically specified in the named.conf.options file, which can be accessed using the following command:
sudo nano /etc/bind/named.conf.options
In the above command, we’re using the nano editor to open the named.conf.options file, which should look as follows:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// connections. See https://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 8.8.8.8;
// 8.8.4.4;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Inside the named.conf.options file, you will find the following global configuration settings:
Directory
This specifies the working directory where BIND9 will store its runtime data and zone files. Therefore, it’s important to make sure this directory exists and is writable by the BIND process.
options {
directory "/var/cache/bind";
// other options...
};
Recursion
This determines whether the BIND9 DNS server will perform recursive queries. If set to yes, the server will resolve queries for any domain, potentially caching the results. If set to no, the server will only provide authoritative answers for its configured zones.
options {
recursion yes;
// other options...
};
Recursive queries in the context of DNS (Domain Name System) refer to the process in which a DNS resolver (client) sends a query to a DNS server, asking the server to fully resolve the requested domain name. The server, in turn, is responsible for contacting other DNS servers to gather the necessary information to answer the query.
Allow-Query
The “Allow-Query” directive controls which hosts or networks are allowed to query the DNS server for information.
It specifies a match list of IP addresses or network ranges that are permitted to send queries to the DNS server. If a query comes from an IP address that does not match any of the criteria specified in the “Allow-Query” directive, the server will not respond to the query.
In this example (any), any host is allowed.
options {
allow-query { any; };
// other options...
};
You can also restrict queries to particular host IP addresses or network ranges by listing them in the allow-query directive.
options {
// Other configuration options...
allow-query { localhost; 192.168.1.0/24; 10.0.0.1; };
// Other configuration options...
};
In this example:
- localhost allows queries from the local machine.
- 192.168.1.0/24 allows queries from the entire IPv4 subnet 192.168.1.0 to 192.168.1.255.
- 10.0.0.1 allows queries specifically from the host with IP address 10.0.0.1.
Forwarders
Specifies external DNS servers to which queries should be forwarded if the local server can’t resolve them. In this example, Google’s public DNS servers are used.
options {
forwarders {
8.8.8.8;
8.8.4.4;
};
// other options...
};
Listen-On
The “Listen-on” directive specifies the IP addresses and ports on which the DNS server should listen for incoming queries and connections.
It determines the network interfaces and IP addresses that the DNS server will use to accept DNS queries. This directive essentially sets the listening sockets for the BIND server.
When configuring BIND (or any DNS server), you need to use the server’s IP address to specify where the DNS service should listen for incoming DNS queries. The server IP address is specified in the named.conf.options file under the listen-on or listen-on-v6 directive.
- Listen to any IP address
To configure BIND9 to listen on any network interface attached to the server, you can use the wildcard 0.0.0.0. This essentially means that BIND will listen on all available network interfaces. Here’s an example configuration snippet for the listen-on directive:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { 0.0.0.0; };
};
The above configuration allows BIND to listen on all available network interfaces (any) on port 53, which is the default DNS port.
- Listen to Specific IPv4 addresses
It is allowed to use multiple IP addresses under the listen-on directive in BIND9 DNS. This directive allows you to specify the IP addresses and ports on which the DNS server should listen for incoming queries and connections.
You can specify the IPv4 addresses you want BIND9 to listen on. Here’s an example:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on port 53 { 192.168.1.1; 10.0.0.1; };
};
In this example, the BIND DNS server will listen on both the IP addresses 192.168.1.1 and 10.0.0.1. You can extend the list with additional IP addresses if needed. Each IP address in the list is separated by a semicolon.
You have to make sure that the IP addresses you specify are valid for the network interfaces available on the server, and ensure that the firewall or network configuration allows traffic to the specified IP addresses and ports.
- Listen to specific IPv6 addresses
Specify the IPv6 addresses you want BIND9 to listen on. Here’s an example:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { 2001:db8::1; 2a02:1234::5678; };
};
In this example, BIND9 will listen on IPv6 addresses 2001:db8::1 and 2a02:1234::5678. Add more IPv6 addresses as needed.
- Listen to specific IPv4 & IPv6 addresses
Locate the listen-on and listen-on-v6 directives in the options block. If they don’t exist, you can add them. Specify the IPv4 and IPv6 addresses you want BIND9 to listen on. Here’s an example:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// Add any other specific IPv4 addresses you want to listen on.
listen-on port 53 { 192.168.1.1; 10.0.0.1; };
// Add any other specific IPv6 addresses you want to listen on.
listen-on-v6 { 2001:db8::1; 2a02:1234::5678; };
};
In this example, BIND9 will listen on IPv4 addresses 192.168.1.1 and 10.0.0.1, and IPv6 addresses 2001:db8::1 and 2a02:1234::5678. Add more IPv4 and IPv6 addresses as needed.
It’s important to note that the IP addresses specified in the listen-on directive in the BIND9 DNS configuration should belong to the network interfaces of the server on which BIND is installed. These IP addresses represent the interfaces on which the BIND DNS server will listen for incoming queries.
When you configure BIND to listen on specific IP addresses, it means that the DNS server will bind to those addresses and respond to queries coming through those interfaces. It’s essential to ensure that the specified IP addresses are valid and associated with the network interfaces on the server. If you try to use IP addresses that are not assigned to the server or are not reachable through its network interfaces, BIND may encounter issues or fail to start.
DNSSEC
Enables DNSSEC (Domain Name System Security Extensions) for the server. dnssec-enable yes enables DNSSEC, and dnssec-validation yes validates DNSSEC signatures on received data. Note that the dnssec-enable option is obsolete in BIND 9.16 and is no longer accepted by BIND 9.18 and later (the version shipped with Ubuntu 22.04); on those releases, use dnssec-validation on its own.
options {
  dnssec-enable yes;
  dnssec-validation yes;
  // other options...
};
Logging
Configures logging settings, such as the log file location, severity levels, and rotation settings. Note that logging is a top-level statement in named.conf: it sits beside the options block rather than inside it, otherwise named rejects the configuration.
options {
  // other options...
};
logging {
  channel default_file {
    file "/var/log/named/named.log" versions 3 size 5m;
    severity dynamic;
  };
  // other logging options...
};
It’s important to note that all the above settings can be put into a single file as seen below (the logging statement is placed after the options block, since it is a top-level statement in its own right):
options {
  directory "/var/cache/bind"; // Ubuntu default; set your preferred directory path
  recursion yes; // Enable recursion
  allow-query { any; }; // Allow queries from any IP address
  allow-query-cache { any; }; // Allow any IP address to receive answers from the cache
  forwarders {
    8.8.8.8;
    8.8.4.4;
    // Add your preferred forwarders here
  }; // Specify DNS servers for forwarding queries
  listen-on port 53 { any; }; // Listen on all available interfaces on port 53
  dnssec-enable yes; // Enable DNSSEC (obsolete in BIND 9.16, rejected by 9.18 and later; omit it there)
  dnssec-validation yes; // Enable DNSSEC validation
};
/*
 * Logging settings - customize as needed
 */
logging {
  channel default_syslog {
    syslog local2;
    severity info;
  };
  channel audit_log {
    file "/var/log/named/audit.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
  };
  category default { default_syslog; };
  category general { default_syslog; };
  category security { audit_log; default_syslog; };
  category config { default_syslog; };
  category resolver { audit_log; };
  category xfer-in { audit_log; };
  category xfer-out { audit_log; };
  category notify { audit_log; };
  category client { audit_log; };
  category network { audit_log; };
  category update { audit_log; };
  category queries { audit_log; };
  category dispatch { audit_log; };
  category dnssec { audit_log; };
  category lame-servers { audit_log; };
};
These configurations, among others, allow you to customize the behavior of your BIND9 DNS server to suit your specific requirements and security considerations.
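The Recursion and Allow-Query settings above (and allow-query-cache in the combined file) together decide whether the server will perform recursion for anyone on the Internet, the classic open-resolver misconfiguration. As an added example, not part of the original tutorial, this POSIX shell audit flattens a named.conf.options file and applies the fallback chain documented in the BIND 9 ARM (allow-recursion, else allow-query-cache, else allow-query, else the built-in localnets/localhost) to decide whether that is the case; the two sample files it writes are constructed.

```shell
# Flatten a named.conf file to one line with //, # and /* */ comments removed.
flatten_conf() {
  sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' |
    awk '{ gsub("/\\*([^*]|\\*+[^*/])*\\*+/", ""); print }'
}
# Body of "<name> { ... };" with whitespace removed, or empty if the option is absent.
acl_body() {  # $1 = option name, $2 = flattened config text
  printf '%s\n' "$2" |
    sed -n "s/.*[[:space:]{]$1[[:space:]]*{\([^}]*\)}.*/\1/p" | tr -d ' \t'
}
# "yes" or "no" for the recursion option; BIND's built-in default is yes.
recursion_setting() {
  r=$(printf '%s\n' "$1" |
    sed -n 's/.*[^-]recursion[[:space:]]\{1,\}\([a-z]*\).*/\1/p')
  printf '%s\n' "${r:-yes}"
}
# Effective recursion ACL: allow-recursion, else allow-query-cache, else
# allow-query, else the built-in "localnets; localhost" (per the BIND 9 ARM).
effective_recursion_acl() {
  for name in allow-recursion allow-query-cache allow-query; do
    body=$(acl_body "$name" "$1")
    [ -n "$body" ] && { printf '%s\n' "$body"; return 0; }
  done
  printf '%s\n' 'localnets;localhost;'
}
# Exit 0 when the file would turn named into an open resolver.
is_open_resolver() {
  conf=$(flatten_conf "$1")
  [ "$(recursion_setting "$conf")" = yes ] &&
    [ "$(effective_recursion_acl "$conf")" = 'any;' ]
}
# Constructed sample files (written to a temp dir so the check runs offline).
TMPD=$(mktemp -d)
cat > "$TMPD/open.conf" <<'EOF'
options {
  directory "/var/cache/bind";
  recursion yes;              // Enable recursion
  allow-query { any; };       // Allow queries from any IP address
  allow-query-cache { any; }; /* any client may receive cached answers */
};
EOF
cat > "$TMPD/restricted.conf" <<'EOF'
options {
  directory "/var/cache/bind";
  allow-query { localhost; 192.168.1.0/24; 10.0.0.1; };
  auth-nxdomain no; # conform to RFC1035
};
EOF
for f in "$TMPD"/open.conf "$TMPD"/restricted.conf; do
  if is_open_resolver "$f"; then echo "$(basename "$f"): OPEN RESOLVER"; else echo "$(basename "$f"): ok"; fi
done
```

Run it against /etc/bind/named.conf.options before restarting named; a result of OPEN RESOLVER on an Internet-facing server means allow-recursion (or allow-query-cache) should be tightened to your own networks.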
Various configuration scenarios
The named.conf.options file in BIND is used to configure various global options for the DNS server. Below are examples of different configurations for the /etc/bind/named.conf.options file. Choose or modify the options based on your specific requirements.
Example 1: Basic Configuration
The following represents the basic BIND9 DNS setup:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
You can use the above configuration for a simple setup without going into complex details.
Example 2: Forwarding Configuration
If you want your BIND server to forward DNS queries to external DNS servers:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
forwarders {
8.8.8.8;
8.8.4.4;
};
forward only;
};
Replace 8.8.8.8 and 8.8.4.4 with the IP addresses of the DNS servers you want to forward queries to.
Example 3: Disabling IPv6
If your network doesn’t use IPv6 and you want to disable it:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
Example 4: Configuring Logging
Configure logging to a separate file for better troubleshooting. The logging statement goes outside the options block, and on Ubuntu the log file should live under /var/log/named/, the directory the package’s AppArmor profile lets named write to:
options {
  directory "/var/cache/bind";
  dnssec-validation auto;
  auth-nxdomain no; # conform to RFC1035
  listen-on-v6 { any; };
};
logging {
  channel query_log {
    file "/var/log/named/query.log";
    severity info;
    print-time yes;
  };
  category queries { query_log; };
};
Example 5: Customizing Cache Size
Adjust the cache size based on your server’s available memory:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
max-cache-size 512M;
};
These are just examples, and you should tailor the configurations to your specific needs. Always make sure to test your BIND configuration after making changes by restarting the service and checking for any error messages in the logs:
Creating DNS records using BIND9 DNS server
To create DNS records for the domain name “ugacomp.com” using BIND, you’ll need to perform the following steps. This example assumes a basic setup with an A record for the domain and a couple of additional records. Adjust the information based on your specific needs.
Open the named.conf.local file
The primary purpose of named.conf.local is to include zone-specific configuration information for domains that the DNS server is authoritative for.
We can use the nano editor or any editor of your choice as seen below:
sudo nano /etc/bind/named.conf.local
Add a zone definition
We use the named.conf.local file to add the zone definition for the domain we want to add. It involves specifying the location of the zone file that contains the actual DNS resource records (RR) for the domain. The file directive within the zone statement points to the zone file.
zone "ugacomp.com" {
  type master;
  file "/etc/bind/zones/ugacomp.com.db";
};
In this example:
- Zone Name: “ugacomp.com”
- Zone Type: Master (indicating that this server is authoritative for the zone)
- Zone File: “/etc/bind/zones/ugacomp.com.db” (location of the zone file)
This configuration tells BIND9 that it is the master server for the “ugacomp.com” zone, and that the authoritative DNS information for “ugacomp.com” is stored in the specified zone file.
BIND9 can also be configured to handle slave zones, forwarding zones, and other specialized zone types depending on the requirements of the DNS infrastructure. The named.conf.local file is often used to define these zones in a more organized manner.
Create the zone file for “ugacomp.com”
Since we’re using ugacomp.com as the domain in this example, we will create its zone file under the zones subdirectory. The bind9 package does not create that directory, so make it first with sudo mkdir -p /etc/bind/zones. Our zone file will be named ugacomp.com.db as seen below:
sudo nano /etc/bind/zones/ugacomp.com.db
You can name your zone file like example.com.db or anything that fits your domain name.
It’s important to note that the use of the .db extension for zone files in BIND is a convention that has been commonly followed for many years. While the choice of file extension doesn’t affect the functionality of the zone file or how BIND processes it, it’s more of a tradition and a way to indicate that the file contains a database of DNS information.
The .db extension is just a file naming convention and is not a strict requirement. You could use any file extension you prefer, or even none at all, as long as the file contains valid DNS zone data in the correct format.
In the examples in this guide, the .db extension follows the traditional naming convention, but you could choose a different extension if you find that more suitable for your organization’s naming conventions or if you prefer a different naming style. The important thing is to ensure that the file content adheres to the correct DNS zone file syntax and format that BIND expects.
Add the DNS records in the zone file
In this example, the zone file we’ve created is ugacomp.com.db, so we’re using it to add the following records. A record whose owner field is blank takes the owner of the previous record, which is why the MX record below carries an explicit @ (the zone apex) rather than inheriting mail, and why every name server listed in an NS record also gets its own A record:
$TTL 604800
@       IN SOA   ns1.ugacomp.com. admin.ugacomp.com. (
                 2024011101 ; Serial
                 86400      ; Refresh
                 7200       ; Retry
                 604800     ; Expire
                 86400 )    ; Negative Cache TTL
; Name servers
@       IN NS    ns1.ugacomp.com.
        IN NS    ns2.ugacomp.com.
; A records
ns1     IN A     your_server_ip
ns2     IN A     your_server_ip
www     IN A     your_server_ip
; Mail server
mail    IN A     mail_server_ip
@       IN MX 10 mail.ugacomp.com.
; Alias (CNAME) record
ftp     IN CNAME www.ugacomp.com.
Replace the following:
- your_server_ip and mail_server_ip: Replace with the actual IP addresses of your servers and adjust any other settings according to your requirements.
- ns1.ugacomp.com and ns2.ugacomp.com: Change the nameservers to fit your domain naming.
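Two easy mistakes in a hand-written zone file are a record whose blank owner field silently inherits the previous owner (an MX line placed right after the mail A record ends up at mail.ugacomp.com instead of the apex) and an NS record pointing at a name that has no address record. As an added example, not code from the original tutorial, the following POSIX shell function runs an awk lint for both over a constructed sample zone; it assumes the one-record-per-line layout used above, takes the origin (ugacomp.com) as its second argument, and uses constructed 203.0.113.x addresses.

```shell
# Lint a BIND zone file: apply owner inheritance, then report in-zone NS/MX
# targets without an A/AAAA record. Assumes one record per line as shown above.
zone_lint() {  # $1 = zone file, $2 = origin (e.g. ugacomp.com); exit 1 on findings
  awk -v origin="$2" '
    function fqdn(n) {  # "@" is the apex; names ending in "." are absolute
      if (n == "@") return origin
      if (n ~ /\.$/) return substr(n, 1, length(n) - 1)
      return n "." origin
    }
    function inzone(n) { return substr(n, length(n) - length(origin) + 1) == origin }
    { sub(/;.*$/, "") }                                # strip comments
    inparen { if (index($0, ")")) inparen = 0; next }  # inside SOA ( ... )
    /^[ \t]*$/ || /^\$/ { next }                       # blanks, $TTL, $ORIGIN
    {
      i = 1; inherited = 1
      if ($0 !~ /^[ \t]/) { last = $1; i = 2; inherited = 0 }
      owner = fqdn(last)
      if ($i == "IN") i++
      type = $i
      if (type == "SOA" && index($0, "(") && !index($0, ")")) inparen = 1
      if (type == "A" || type == "AAAA") has[owner] = 1
      if (type == "NS") want[owner " NS " fqdn($(i + 1))] = fqdn($(i + 1))
      if (type == "MX") {
        want[owner " MX " fqdn($(i + 2))] = fqdn($(i + 2))
        if (inherited && owner != origin) {
          print owner " MX: blank owner inherited from the previous record, not the apex"
          bad++
        }
      }
    }
    END {
      for (k in want)
        if (inzone(want[k]) && !(want[k] in has)) { print k ": target has no A/AAAA record"; bad++ }
      exit (bad > 0)
    }' "$1"
}
# Constructed sample zone reproducing both mistakes: the MX line has a blank
# owner after the "mail" A record, and ns2 is listed as a name server but has no A record.
TMPZ=$(mktemp)
cat > "$TMPZ" <<'EOF'
$TTL 604800
@    IN SOA ns1.ugacomp.com. admin.ugacomp.com. (
         2024011101                ; Serial
         86400 7200 604800 86400 ) ; Refresh Retry Expire Negative-TTL
@    IN NS ns1.ugacomp.com.
     IN NS ns2.ugacomp.com.
ns1  IN A  203.0.113.10
www  IN A  203.0.113.10
mail IN A  203.0.113.20
     IN MX 10 mail.ugacomp.com.
ftp  IN CNAME www.ugacomp.com.
EOF
zone_lint "$TMPZ" ugacomp.com || echo "fix the findings above before loading the zone"
```

Use it as a first pass on your own file (zone_lint /etc/bind/zones/ugacomp.com.db ugacomp.com) before running named-checkzone and restarting named.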
Test your DNS server
To test your BIND DNS server, you need to first restart it using the following command:
sudo systemctl restart bind9
And now, you need to use tools like dig or nslookup to test your DNS server. In this example, we’re using the nslookup tool:
nslookup ugacomp.com
Ensure that your DNS server is resolving queries correctly.
Remember to replace ugacomp.com
with your actual domain and adjust IP addresses accordingly. This is just a basic setup, and you may need to customize it based on your specific requirements.