Mastering DNS with BIND: Complete Guide to Zones, Commands, and Advanced Features
This comprehensive tutorial explains DNS fundamentals, record types, static and dynamic mappings, common query tools, BIND installation, primary and secondary zone configuration, reverse zones, sub‑domain delegation, forwarding, ACLs, view‑based responses, and how to compile BIND from source on Linux systems.
1. DNS Overview
DNS (Domain Name System) is a distributed database that maps human‑readable domain names to IP addresses. It operates over UDP and TCP on port 53. A host resolves names either through static mappings (e.g., /etc/hosts) or dynamically by querying the name servers configured in /etc/resolv.conf.
1.1 DNS Structure
Typical name format: hostname.subdomain.domain.tld. Top‑level domains are managed by the Internet Assigned Numbers Authority (IANA).
1.2 DNS Functions
Provides host‑name to IP mapping (A/AAAA records).
Supports reverse lookup (PTR records).
Offers additional information such as NS, MX, CNAME, SOA, and SRV records.
1.3 Resource Record Formats
name [TTL] IN rr_type value
Common fields are the owner name, TTL (time‑to‑live), class (IN for Internet), record type, and the record's value.
2. Common DNS Commands
2.1 dig
Flexible query tool; default queries the servers listed in /etc/resolv.conf. Example:
dig -t NS wsescape.com @172.16.242.178
2.2 host
Simple lookup utility. Example:
host -t A www.wsescape.com 172.16.242.178
2.3 nslookup
Interactive or non‑interactive mode for DNS queries. Example:
nslookup -type=MX wsescape.com 172.16.242.178
2.4 rndc
Remote name daemon control for BIND. Common commands include status, reload, flush, stop, and restart. Example:
rndc status
3. BIND Installation and Basic Configuration
Install the bind, bind-libs, and bind-utils packages. The main configuration file is /etc/named.conf, and zone files reside under /var/named/. Example options block:
options {
    listen-on port 53 { 127.0.0.1; };
    directory "/var/named";
    allow-query { localhost; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
};
3.1 Primary (Master) Zone
Create a zone definition in /etc/named.rfc1912.zones and a corresponding zone file, e.g., wsescape.com.zone:
$TTL 86400
$ORIGIN wsescape.com.
@       IN SOA ns1.wsescape.com. admin.wsescape.com. (
                2016042201 ; serial
                1H         ; refresh
                5M         ; retry
                7D         ; expire
                1D )       ; minimum (negative-caching TTL)
        IN NS ns1
        IN NS ns2
ns1     IN A 172.16.100.11
ns2     IN A 172.16.100.18
www     IN A 172.16.100.11
*       IN A 172.16.100.11
3.2 Secondary (Slave) Zone
Define a slave zone that pulls data from the master:
zone "wsescape.com" IN {
    type slave;
    masters { 172.16.242.178; };
    file "slaves/wsescape.com.zone";
};
3.3 Reverse Zones
Configure reverse mapping using in-addr.arpa (IPv4) or ip6.arpa (IPv6). Example:
$TTL 86400
$ORIGIN 16.172.in-addr.arpa.
@       IN SOA ns1.wsescape.com. admin.wsescape.com. (
                2016042201 ; serial
                1H         ; refresh
                5M         ; retry
                7D         ; expire
                1D )       ; minimum (negative-caching TTL)
        IN NS ns1.wsescape.com.
        IN NS ns2.wsescape.com.
11      IN PTR ns1.wsescape.com.   ; 172.16.0.11 under this $ORIGIN
12      IN PTR mx1.wsescape.com.   ; 172.16.0.12
4. Advanced DNS Features
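The forward zone of section 3.1 and the reverse zone of section 3.3 have to agree with each other: every A record inside the address range a reverse zone covers needs a matching PTR, and continuation lines that start with whitespace inherit the previous owner. The Python below is an added example, not code from the article: it parses a zone written in the article's format (the sample zone is constructed) and derives the PTR records a reverse zone with a given $ORIGIN needs, so the two files can be cross-checked before a reload.

```python
import ipaddress
FORWARD_ZONE = """\
$TTL 86400 ; constructed sample modelled on the article's zone, not a file from the page
$ORIGIN wsescape.com.
@   IN SOA ns1.wsescape.com. admin.wsescape.com. (
        2016042201 ; serial
        1H 5M 7D 1D )
    IN NS ns1
    IN NS ns2
ns1 IN A 172.16.100.11
ns2 IN A 172.16.100.18
www IN A 172.16.100.11
*   IN A 172.16.100.11
"""

def parse_zone(text):
    """Return (owner_fqdn, type, value) tuples; an explicit TTL column is not handled."""
    origin, owner, in_paren, records = ".", "@", False, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()                  # drop comments
        if in_paren:                                       # tail of a multi-line SOA
            in_paren = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):       # blank line or directive
            continue
        toks = line.split()
        if not raw[0].isspace():                           # leading blank = reuse previous owner
            owner = toks.pop(0)
        toks = [t for t in toks if t != "IN"]              # drop the class column
        rtype, value = toks[0], " ".join(toks[1:])
        in_paren = "(" in value and ")" not in value
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if rtype in ("NS", "CNAME") and not value.endswith("."):
            value = f"{value}.{origin}"                    # qualify a relative target
        records.append((name, rtype, value))
    return records

def reverse_records(records, rev_origin):
    """PTR records (relative owner, "PTR", target) that a reverse zone with $ORIGIN rev_origin needs."""
    labels = rev_origin.rstrip(".").split(".")[:-2]        # "16.172.in-addr.arpa." -> ["16", "172"]
    net = ipaddress.ip_network(".".join(labels[::-1] + ["0"] * (4 - len(labels))) + f"/{8 * len(labels)}")
    seen = {}
    for name, rtype, value in records:
        if rtype == "A" and not name.startswith("*"):      # wildcards have no reverse mapping
            ip = ipaddress.ip_address(value)
            if ip in net and ip not in seen:               # one PTR per address: first name wins
                seen[ip] = name
    return [(ip.reverse_pointer.removesuffix("." + rev_origin.rstrip(".")), "PTR", n) for ip, n in seen.items()]
```

Diffing the output of reverse_records against the PTR records actually present in the reverse zone file shows which addresses lack a reverse entry or point at a stale name.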
4.1 Sub‑domain Delegation
Delegate sub‑domains (e.g., ops.wsescape.com) to separate name servers by adding NS records for the child in the parent zone, together with glue A records for any child name server whose name lies inside the delegated sub‑domain, and creating a new zone file for the child on those servers.
ops.wsescape.com.     IN NS ns1.ops.wsescape.com.
ops.wsescape.com.     IN NS ns2.ops.wsescape.com.
ns1.ops.wsescape.com. IN A  172.16.100.12
4.2 Forwarding
Global forwarding: all queries the server is not authoritative for are sent to the upstream servers listed in the options block.
Zone forwarding: only queries for a particular zone are forwarded. With forward first, named tries the forwarders and falls back to normal recursion if they do not answer; with forward only, it never falls back.
options {
    forward first;
    forwarders { 172.16.0.1; };
};
zone "wsescape.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.100.11; };
};
4.3 Access Control Lists (ACLs)
Define named groups of IP addresses and use them in allow-query, allow-transfer, etc.
acl mynet { 172.16.1.100; 172.16.0.0/16; };
options { allow-query { mynet; }; };
4.4 Views
Provide different answers based on the client's source address. named evaluates views in the order they appear and uses the first one whose match-clients list matches, so the catch-all external view (match-clients { any; }) must come last. Example with an internal view and an external view:
view "internal" {
    match-clients { 172.16.0.0/16; };
    allow-recursion { any; };
    zone "." { type hint; file "named.ca"; };
    zone "wsescape.com" { type master; file "wsescape.com.zone"; };
};
view "external" {
    match-clients { any; };
    zone "wsescape.com" { type master; file "wsescape.com.external"; };
};
5. Compiling BIND from Source
Install development tools, download the source tarball, and configure with desired options (disable IPv6, disable chroot, enable threads, set install prefix). Example:
./configure --prefix=/usr/local/bind9 \
    --sysconfdir=/etc/named \
    --disable-ipv6 --disable-chroot --enable-threads
make
make install
After installation, create the required directories (/var/named), generate the root hints file with dig -t NS . @gateway > /var/named/named.ca, create minimal zones (localhost, 0.0.127.in-addr.arpa), set proper permissions, and start the daemon with named -u named. Use rndc-confgen to generate rndc.key and rndc.conf for remote control.
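Returning to the ACLs of section 4.3 and the views of section 4.4: named evaluates an address_match_list first-match, a "!" element that matches denies outright, and the first view whose match-clients accepts the client is the one that answers, so a misordered view or ACL element quietly exposes the internal zone or recursion to the wrong clients. The Python below is an added example, not code from the article: it models those matching rules (the acl mynet and the two views follow the article; the localhost entries are an assumed stand-in for the built-in acl) so a configuration can be sanity-checked before deployment.

```python
import ipaddress

# Constructed model of the article's named.conf fragments (not a config file from the page).
ACLS = {
    "mynet": ["172.16.1.100", "172.16.0.0/16"],     # acl mynet { 172.16.1.100; 172.16.0.0/16; };
    "localhost": ["127.0.0.0/8", "::1"],             # assumed stand-in for the built-in localhost acl
}
VIEWS = [                                            # order matters: the first matching view wins
    ("internal", ["172.16.0.0/16"]),                 # match-clients { 172.16.0.0/16; };
    ("external", ["any"]),                           # match-clients { any; };
]

def match_list(elements, addr, acls=ACLS):
    """Evaluate an address_match_list the way named does.

    The first element that matches decides: True for a plain element, False for a
    negated one ("!"), None if nothing matched (an allow-* list then denies)."""
    for element in elements:
        negated = element.startswith("!")
        body = element.lstrip("!")
        if body == "any":
            hit = True
        elif body == "none":
            hit = False
        elif body in acls:                           # nested acl: a negative inner match counts as no match
            hit = match_list(acls[body], addr, acls) is True
        else:
            hit = addr in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negated
    return None

def select_view(client, views=VIEWS):
    """Name of the first view whose match-clients accepts the client, or None (query refused)."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in views:
        if match_list(match_clients, addr) is True:
            return name
    return None

def allowed(client, address_match_list):
    """allow-query / allow-transfer / allow-recursion semantics: only a positive match permits."""
    return match_list(address_match_list, ipaddress.ip_address(client)) is True
```

Swapping the two entries of VIEWS sends every client, including 172.16.0.0/16, to the external view, which is the failure the ordering rule above guards against.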
6. Summary
The article provides a step‑by‑step guide to understanding DNS concepts, configuring BIND for authoritative and caching services, managing primary/secondary zones, setting up reverse lookups, delegating sub‑domains, applying forwarding and view‑based responses, securing the server with ACLs, and compiling BIND from source on a Linux system.
Liangxu Linux