1. Install required packages.
apt install bind9 bind9utils bind9-doc
Check the installed version.
named -v
2. Enable bind9 to start at boot.
systemctl enable bind9
bind: the user account that the daemon runs as.
named: the BIND daemon, installed by the bind9 package.
rndc: the remote name daemon controller, used to reload/stop and otherwise control the BIND daemon. Uses port 953/tcp.
rndc status
Modify /etc/bind/named.conf.options
vim /etc/bind/named.conf.options
You should have the top portion of this config file already. I've added to the bottom.
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
version "redacted"; // Hide the server version for security purposes.
recursion no; // Disable recursion if building an Authoritative Server
querylog yes; // Log queries (your choice)
allow-transfer { slave-servers; }; // Allow zone transfers to these hosts only (I'm using an ACL named 'slave-servers')
auth-nxdomain no; # conform to RFC1035
// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;
// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;
// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;
minimal-responses yes;
};
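As an added example (not part of the original page), here is a small POSIX shell auditor for the settings just discussed: it reads a named.conf.options file and reports when the version string is not overridden, recursion is not disabled, zone transfers are unrestricted, or query logging is off. The function names and the two sample configs (one weak, one matching the hardened settings above) are constructed for the demo; the checks are plain sed/grep over the options lines, not a BIND parser.

```shell
#!/bin/sh
# Added example (not from the original page): audit a named.conf.options file
# for the hardening settings discussed above. Prints one finding per line and
# returns the number of findings (0 = nothing to report). Read-only.

# active_lines FILE: strip // and # comments, trim whitespace, drop blank lines.
active_lines() {
    sed -e 's|//.*$||' -e 's|#.*$||' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# audit_bind_options FILE
audit_bind_options() {
    cfg=$(active_lines "$1")
    n=0
    # Without a version override, named answers version.bind/CHAOS with its real version.
    if ! printf '%s\n' "$cfg" | grep -q '^version[[:space:]]'; then
        echo "version: not set, real BIND version is disclosed"; n=$((n + 1))
    fi
    # recursion defaults to yes; an authoritative-only server should say no.
    if ! printf '%s\n' "$cfg" | grep -q '^recursion[[:space:]]*no[[:space:]]*;'; then
        echo "recursion: not disabled, server may act as an open resolver"; n=$((n + 1))
    fi
    # allow-transfer must exist and must not be 'any'; older BIND releases
    # defaulted to allowing transfers to any host.
    xfer=$(printf '%s\n' "$cfg" | grep '^allow-transfer' || true)
    if [ -z "$xfer" ]; then
        echo "allow-transfer: not set, zone transfers are not restricted"; n=$((n + 1))
    elif printf '%s\n' "$xfer" | grep -q '{[[:space:]]*any[[:space:]]*;'; then
        echo "allow-transfer: open to any host, the whole zone can be copied"; n=$((n + 1))
    fi
    # querylog is the author's choice above; flagged when off because query
    # logs are what you will want during an incident.
    if ! printf '%s\n' "$cfg" | grep -q '^querylog[[:space:]]*yes'; then
        echo "querylog: not enabled (informational)"; n=$((n + 1))
    fi
    return "$n"
}

# sample_configs: write two constructed configs (not from the page) to temp
# files and publish their paths in WEAK_CFG and HARD_CFG.
sample_configs() {
    WEAK_CFG=$(mktemp) || return 1
    HARD_CFG=$(mktemp) || return 1
    cat > "$WEAK_CFG" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on-v6 { any; };
    allow-transfer { any; };   // anyone may pull the whole zone
};
EOF
    cat > "$HARD_CFG" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on-v6 { any; };
    version "redacted";        // hide the server version
    recursion no;              // authoritative only
    querylog yes;
    allow-transfer { slave-servers; };   // ACL defined elsewhere
};
EOF
}

# Stand-alone demo: audit both samples (weak one reports 4 findings, hardened one 0).
sample_configs
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    audit_bind_options "$f"
    echo "   findings: $?"
done
rm -f "$WEAK_CFG" "$HARD_CFG"
```

Run it against the live file with `audit_bind_options /etc/bind/named.conf.options`; a non-zero exit status is the number of findings, which makes it easy to wire into a config-deployment check.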
A zone file can contain 3 types of entries:
- Comments: start with a semicolon (;)
- Directives: start with a dollar sign ($)
- Resource Records: aka DNS records
/etc/bind/named.conf.local
vim /etc/bind/named.conf.local
This is where you'll declare your zones (I've also declared my ACLs here). I do like to put my db files in a subdirectory called master, which BIND does not create; it has to be created manually.
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// ACLs for BIND configuration
acl slave-servers {
192.168.255.1;
192.168.255.5;
};
// Zone declarations
zone "rlskeels.com" {
type master;
file "/etc/bind/master/db.rlskeels.com";
allow-query { any; };
allow-transfer { slave-servers; };
};
zone "example.com" {
type master;
file "/etc/bind/master/db.example.com";
allow-query { any; };
allow-transfer { slave-servers; };
};
Check the main configuration file for syntax errors. Silent output means no errors were found.
named-checkconf
Then check the syntax of each zone file, giving the zone name and the file path from its zone declaration.
named-checkzone example.com /etc/bind/master/db.example.com
;#
;# example.com zone file
;#
;# Ross Skeels <[email]>
;#
$TTL 3600 ; 1 Hour
$ORIGIN example.com.
@ IN SOA ns1.master-ns.com. dns-webmaster.example.com. (
1 ; Serial
3600 ; Refresh
600 ; Retry
1800000 ; Expire
180 ) ; Negative Cache TTL
@ 86400 IN NS ns1.master-ns.com.
@ 86400 IN NS ns2.master-ns.com.
example.com. IN MX 10 mail-server.net.
@ 300 IN TXT "v=spf1 include:mail-server.net -all"
@ IN A x.x.x.x
www IN CNAME example.com.
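Added example, not the page's own script: the check-then-reload step above wrapped in a few POSIX shell functions, together with the serial bump that secondaries need before they will transfer an edited zone (they compare the SOA serial, so a changed file with an unchanged serial is never picked up). The function names and the constructed sample zone (a copy of the example above with a documentation-range address in place of x.x.x.x) are mine; named-checkconf, named-checkzone and rndc are the real tools the page uses, and deploy_zone only works on a host where BIND is installed.

```shell
#!/bin/sh
# Added example, not from the original page: bump the SOA serial, validate,
# then reload one zone. Assumes the layout used above (zone files under
# /etc/bind/master, serial annotated with "; Serial").

# zone_serial FILE: print the current SOA serial (first number on the "; Serial" line).
zone_serial() {
    awk '/;[ \t]*Serial/ { print $1; exit }' "$1"
}

# bump_serial FILE: increment that serial in place. The result is written
# through the existing file (cat >) rather than mv'd from the temp file, so
# the owner and mode the bind user relies on are preserved.
bump_serial() {
    tmp=$(mktemp) || return 1
    awk '/;[ \t]*Serial/ && !done { sub(/[0-9]+/, $1 + 1); done = 1 } { print }' \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# deploy_zone ZONE FILE: bump the serial, validate the main config and the
# zone file, and only then ask named to reload that zone.
deploy_zone() {
    zone=$1; file=$2
    bump_serial "$file" || return 1
    named-checkconf || return 1
    named-checkzone "$zone" "$file" || return 1
    rndc reload "$zone"
}

# make_sample_zone: write a constructed zone (modelled on the example above,
# 192.0.2.10 is a documentation address standing in for x.x.x.x) to a temp
# file and print its path.
make_sample_zone() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
$TTL 3600 ; 1 Hour
$ORIGIN example.com.
@ IN SOA ns1.master-ns.com. dns-webmaster.example.com. (
        1 ; Serial
        3600 ; Refresh
        600 ; Retry
        1800000 ; Expire
        180 ) ; Negative Cache TTL
@ 86400 IN NS ns1.master-ns.com.
@ 86400 IN NS ns2.master-ns.com.
@ IN A 192.0.2.10
www IN CNAME example.com.
EOF
    echo "$f"
}

# Stand-alone demo of the offline part. On the server itself the call is:
#   deploy_zone example.com /etc/bind/master/db.example.com
f=$(make_sample_zone)
echo "serial before: $(zone_serial "$f")"
bump_serial "$f"
echo "serial after:  $(zone_serial "$f")"
rm -f "$f"
```

Two things to watch when using this on a real server: named-checkzone needs the same file path that the zone declaration names, and if named-checkconf reports an undefined ACL, the acl block is being parsed after the file that references it (Debian's named.conf includes named.conf.options before named.conf.local), so move the acl definition ahead of its first use.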