How to Set Up a BIND DNS Server on Linux: Step‑by‑Step Guide
This guide walks you through installing BIND on Linux, configuring forward and reverse DNS, setting ports, logging, access controls, forwarders, zone files, master‑slave replication, AppArmor adjustments, and testing the DNS service with tools like dig, host, and nslookup.
Linux DNS Service Setup
In a local network, you often need to deploy a DNS service, and BIND (Berkeley Internet Name Domain) is the most common software for this purpose. BIND provides the named daemon to handle DNS queries.
About BIND
BIND is developed and maintained by the Internet Systems Consortium (ISC); you can visit the ISC website for more information. Besides BIND, other DNS server software such as PowerDNS, dnsmasq, Unbound, and CoreDNS can also be used.
Setting Up Forward Lookup DNS
1. Install BIND
Typically you install BIND using the package manager of your Linux distribution (e.g., yum or apt). If you need to compile from source, download the source from the official website or GitHub.
Address: https://www.isc.org/download/
GitHub: https://github.com/isc-projects/bind9
Install via package manager:
# ubuntu
apt install bind9
# centos
yum install bind
2. Modify Configuration
After installing bind9, configuration files are usually located in /etc/bind/. The main configuration file is named.conf. It includes other configuration files via the include directive.
Example of the default named.conf.options file:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/cache/bind";
forwarders { 114.114.114.114; 180.76.76.76; };
allow-query { any; };
allow-transfer { none; };
};
Port configuration
BIND listens on UDP and TCP port 53 by default. You can change the port in named.conf.options if needed.
# Change both IPv4 and IPv6 ports to 5353
listen-on port 5353 { any; };
listen-on-v6 port 5353 { any; };
Logging configuration
By default BIND writes logs to the system log (e.g., /var/log/messages on CentOS or /var/log/syslog on Ubuntu). To customize log locations, define a logging block.
logging {
channel query_log {
file "/var/log/named/query.log";
severity info;
print-time yes;
};
channel other_log {
file "/var/log/named/other.log";
severity info;
print-time yes;
};
category queries { query_log; };
category default { other_log; };
};
Ensure the log files are owned by the bind user and the directory has appropriate permissions.
chown bind:bind /etc/bind/named.conf.logging
chown bind:bind /var/log/named
3. Access Control
Use the allow-query and allow-transfer options in the options block to control which clients can query the server and which servers can request zone transfers.
options {
allow-query { any; };
allow-transfer { none; };
};
4. Forwarders (Upstream DNS)
If BIND cannot answer a query locally, it can forward the request to upstream DNS servers.
options {
forwarders { 114.114.114.114; 180.76.76.76; };
};
5. Zone Configuration (Forward Lookup)
Define zones with zone blocks. Example for yongshen.com:
zone "yongshen.com." {
type master;
file "/etc/bind/yongshen/db.yongshe.com";
};
Create the zone data file (db.yongshe.com) with resource records:
$TTL 86400
@ IN SOA master.yongshen.com. admin.yongshen.com. (
2023102401 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
@ IN NS master.yongshen.com.
master IN A 10.0.0.66
www IN A 10.0.0.66
Key fields:
NAME: the domain name (use @ for the zone apex).
TTL: default time‑to‑live for records.
IN: Internet class.
TYPE: record type (e.g., A, AAAA, NS, SOA).
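A small consistency check for a zone file like the one above, added here as an example (it is not code from the guide) to run before handing the file to BIND: it parses the records and reports an SOA MNAME that is not one of the zone's NS records, or an in-zone NS that has no address record. The sample zone is constructed from the listing above with the MNAME deliberately pointing at yongshe.com so the check has something to report.

```python
# Constructed sample: the guide's zone, with the SOA MNAME on a different domain on purpose.
ORIGIN = "yongshen.com."
SAMPLE_ZONE = """\
$TTL 86400
@ IN SOA master.yongshe.com. admin.yongshe.com. (
2023102401 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
@ IN NS master.yongshen.com.
master IN A 10.0.0.66
www IN A 10.0.0.66
"""

def fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (default_ttl, records); each record is (owner, rrtype, rdata_tokens)."""
    ttl, records, buf, depth = None, [], [], 0
    for line in text.splitlines():
        body = line.split(";", 1)[0]                        # drop ';' comments
        depth += body.count("(") - body.count(")")          # inside a multi-line RR?
        buf += body.replace("(", " ").replace(")", " ").split()
        if depth > 0 or not buf:
            continue                                        # record continues on next line
        if buf[0] == "$TTL":
            ttl = int(buf[1])
        elif len(buf) >= 4:                                 # owner IN type rdata...
            records.append((fqdn(buf[0], origin), buf[2], buf[3:]))
        buf = []
    return ttl, records

def lint_zone(text, origin):
    """Checks named-checkzone does not all enforce; returns a list of findings."""
    ttl, records = parse_zone(text, origin)
    findings = [] if ttl is not None else ["missing $TTL directive"]
    soa = [rd for owner, rt, rd in records if rt == "SOA" and owner == origin]
    if len(soa) != 1:
        return findings + ["zone needs exactly one SOA record at the apex"]
    mname = soa[0][0]
    apex_ns = [rd[0] for owner, rt, rd in records if rt == "NS" and owner == origin]
    has_addr = {owner for owner, rt, _ in records if rt in ("A", "AAAA")}
    if mname not in apex_ns:
        findings.append(f"SOA MNAME {mname} is not an NS of {origin}")
    for ns in apex_ns:                                      # in-zone NS needs glue
        if ns.endswith("." + origin) and ns not in has_addr:
            findings.append(f"in-zone NS {ns} has no A/AAAA record")
    return findings
```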
6. Testing
Use dig to query the server. If you changed the listening port, specify it with -p.
# dig www.yongshen.com @10.0.0.66 -p 5353
Other tools such as host and nslookup can also be used, though they cannot specify a non‑standard port.
Configuration File Checks
After editing configuration files, verify syntax with named-checkconf and named-checkzone.
# Check named.conf
named-checkconf
# Check a zone file
named-checkzone yongshen.com /etc/bind/yongshen/db.yongshe.com
Master‑Slave Configuration
To provide redundancy, configure a master server and one or more slave servers.
Master Server
In the options block, restrict zone transfers to authorized slaves:
options {
allow-transfer { 192.168.0.102; };
};
Define the zone as master and provide the zone file as shown earlier.
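To confirm that allow-query and allow-transfer hold in practice, the query_log channel defined earlier can be audited for requests the policy should never admit. The script below is an added example, not part of the guide: it parses constructed query-log lines in the format BIND's queries category writes with print-time yes, then flags sources outside the allowed networks and AXFR/IXFR requests from any host other than the configured slave. The 10.0.0.0/24 and 192.168.0.0/24 networks are assumptions standing in for allow-query { any; }.

```python
import ipaddress
import re

# One queries-category line: timestamp, client address#port, (qname), then the query itself.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)

# Policy to audit against (assumed networks; the transfer peer is the slave from the guide).
ALLOW_QUERY = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.0.0/24")]
ALLOW_TRANSFER = {ipaddress.ip_address("192.168.0.102")}

# Constructed sample lines (not real captures) in query.log format.
SAMPLE_LOG = """\
24-Oct-2023 10:15:32.101 client @0x7f2a3c001f60 10.0.0.5#43210 (www.yongshen.com): query: www.yongshen.com IN A +E(0)K (10.0.0.66)
24-Oct-2023 10:15:33.204 client @0x7f2a3c002a80 192.168.0.102#50123 (yongshen.com): query: yongshen.com IN AXFR -T (10.0.0.66)
24-Oct-2023 10:15:35.417 client @0x7f2a3c0033e0 203.0.113.9#33333 (yongshen.com): query: yongshen.com IN AXFR -T (10.0.0.66)
24-Oct-2023 10:15:36.002 client @0x7f2a3c0033e0 203.0.113.9#33334 (yongshen.com): query: yongshen.com IN ANY +E(0) (10.0.0.66)
24-Oct-2023 10:15:37.000 zone yongshen.com/IN: loaded serial 2023102401
"""

def parse_query_log(text):
    """Yield one dict per line that matches the query-log format; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.groupdict()

def audit(text):
    """Return alerts for queries that allow-query / allow-transfer should have refused."""
    alerts = []
    for q in parse_query_log(text):
        src = ipaddress.ip_address(q["ip"])
        if not any(src in net for net in ALLOW_QUERY):
            alerts.append(f"{q['ts']} query from outside allow-query: {src} {q['name']} {q['qtype']}")
        if q["qtype"] in ("AXFR", "IXFR") and src not in ALLOW_TRANSFER:
            alerts.append(f"{q['ts']} zone transfer attempt from unauthorized host: {src} {q['name']}")
    return alerts
```

Any alert means either the options block is not what you think it is or the server is reachable on a path the policy did not anticipate; the line is then worth comparing against the live named.conf.options.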
Slave Server
On the slave, disable unrestricted transfers and specify the master’s IP address:
options {
allow-transfer { none; };
};
zone "yongshen.com." {
type slave;
masters { 192.168.0.102; };
file "/var/cache/bind/db.yongshe.com";
};
AppArmor Considerations (Ubuntu 20.04)
When using a custom directory for zone files on the slave, AppArmor may block access, resulting in “permission denied” errors. The default AppArmor profile for /usr/sbin/named restricts file access.
Two solutions:
Switch the profile to complain mode with sudo aa-complain /etc/apparmor.d/usr.sbin.named and reload. In complain mode AppArmor only logs violations instead of blocking them, so this lifts the confinement of named rather than adjusting it.
Edit the profile to grant read/write access to the custom directory, e.g., add the rule /etc/bind/zones/** lrw, (the trailing comma is part of AppArmor's rule syntax), then reload with sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named and restart BIND.
# Example edit
/etc/bind/zones/** lrw,
After adjusting permissions and reloading the profile, the slave can successfully write zone data.
# Reload profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named
# Restart BIND
sudo systemctl restart bind9