Mastering BIND: A Step‑by‑Step Guide to Build and Secure a DNS Server on Linux

What is BIND?

In a LAN you typically use BIND (Berkeley Internet Name Domain) to provide DNS services via the named daemon. BIND is maintained by the Internet Systems Consortium (ISC) and can be downloaded from the ISC website.

Installing BIND

Install with your distribution’s package manager (e.g., apt install bind9 on Ubuntu or yum install bind on CentOS). Source packages are also available at ISC download or GitHub .

# ubuntu
apt install bind9

# centos
yum install bind

Configuration Overview

Configuration files live under /etc/bind/ (Debian/Ubuntu) or /etc/named/ (RHEL/CentOS). The main file is named.conf, which includes other files such as named.conf.options, named.conf.logging, and zone definitions.

Port Settings

By default BIND listens on UDP/TCP port 53. To change the port edit named.conf.options and add a listen-on directive.

# change to port 5353
listen-on port 5353 { any; };
listen-on-v6 port 5353 { any; };

Logging

Create /etc/bind/named.conf.logging and include it from named.conf. Define channels and categories to control where logs are written.

logging {
    channel query_log {
        file "/var/log/named/query.log";
        severity info;
        print-time yes;
    };
    channel other_log {
        file "/var/log/named/other.log";
        severity info;
        print-time yes;
    };
    category queries { query_log; };
    category default { other_log; };
};

Ensure the log directory is owned by the bind user and group.

Access Control

Use the allow-query and allow-transfer options to restrict who can query the server or request zone transfers.

options {
    allow-query { any; };
    allow-transfer { none; }; # change to specific IPs as needed
};

Forwarders

If BIND cannot answer a query locally, it can forward the request to upstream servers.

options {
    forwarders { 114.114.114.114; 180.76.76.76; };
};

Zone Configuration

Define a zone with a zone block and point it to a zone file.

zone "yongshen.com." {
    type master;
    file "/etc/bind/yongshen/db.yongshen.com";
};

The zone file starts with an SOA record, followed by NS, A, and other resource records.

$TTL 86400
@   IN  SOA  master.yongshen.com. admin.yongshen.com. (
        2023102401 ; Serial
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )
@   IN  NS   master.yongshen.com.
master IN A 10.0.0.66
www    IN A 10.0.0.66

Testing

Use dig (or host / nslookup) to query the server. If you changed the port, add -p to dig.

# dig www.yongshen.com @10.0.0.66 -p 5353

Master‑Slave Setup

On the master, restrict allow-transfer to the slave’s IP. On the slave, set type slave, list the master in masters, and specify a file path for the transferred zone data.

# Master options
options { allow-transfer { 192.168.0.102; }; };

# Slave zone definition
zone "yongshen.com." {
    type slave;
    masters { 192.168.0.102; };
    file "/var/cache/bind/db.yongshen.com";
};

AppArmor on Ubuntu

Ubuntu’s AppArmor profile for named may block custom zone directories. Switch the profile to complain mode or edit /etc/apparmor.d/usr.sbin.named to grant read/write access to the new directory, then reload the profile.

# Set profile to complain mode
sudo aa-complain /etc/apparmor.d/usr.sbin.named
# Or add a rule
/etc/bind/zones/** lrw,
# Reload profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named

Configuration Validation

After editing, run named-checkconf to validate named.conf and named-checkzone to validate each zone file.

# Check main config
named-checkconf
# Check a zone
named-checkzone yongshen.com /etc/bind/yongshen/db.yongshen.com

Key Takeaways

Install BIND via package manager or source.

Configure ports, logging, and access control in named.conf.options.

Create master zones with proper SOA, NS, and A records.

Test with dig, host, or nslookup.

Set up master‑slave replication for redundancy.

Adjust AppArmor policies on Ubuntu to allow custom directories.