BIND
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
Installation
These steps show how to install BIND and set it up as a local caching-only server.
Install the bind package, which can be found in the official repositories.
Optionally edit /etc/named.conf and add this under the options section, to only allow connections from the localhost:
listen-on { 127.0.0.1; };
Edit /etc/resolv.conf to use the local DNS server:
nameserver 127.0.0.1
Start the named daemon.
A configuration template for running a domain
This is a short tutorial on how to set up a DNS server for a home network with BIND. In our example we use "domain.tld" as our domain.
For a more elaborate example see Two-in-one DNS server with BIND9.
1. Creating a zonefile
# nano /var/named/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                        2007011601 ; Serial
                        28800      ; Refresh
                        1800       ; Retry
                        604800     ; Expire - 1 week
                        86400 )    ; Minimum
        IN      NS      ns01
        IN      NS      ns02
ns01    IN      A       0.0.0.0
ns02    IN      A       0.0.0.0
localhost IN    A       127.0.0.1
@       IN      MX      10 mail
imap    IN      CNAME   mail
smtp    IN      CNAME   mail
@       IN      A       0.0.0.0
www     IN      A       0.0.0.0
mail    IN      A       0.0.0.0
@       IN      TXT     "v=spf1 mx"
$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.
Serial must be incremented manually, before restarting named, every time you change a resource record for the zone. If you forget to do it, slaves will not re-transfer the zone: they only do so when the serial is greater than the one from their last transfer.
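Because a forgotten serial bump is the usual reason secondaries keep serving stale data, a small helper that rewrites the serial for you is worth having. The script below is an added example and is not part of the Arch wiki page or of BIND itself. It assumes the serial sits on its own line followed by a "; Serial" comment, exactly as in the zone file above, and that you follow the YYYYMMDDnn convention; the date is passed in as an argument so the result is reproducible.

```shell
#!/bin/sh
# Added example (not part of the Arch wiki page): bump the SOA serial of a
# zone file so secondaries pick up the change. Assumes the serial sits on
# its own line followed by a "; Serial" comment, as in the zone file above,
# and uses the YYYYMMDDnn convention. Prints the new serial.

bump_serial() {
    zone="$1"
    today="$2"    # YYYYMMDD, passed in so the result is reproducible

    # The serial is the first field of the line carrying the "; Serial" comment.
    cur=$(awk '/;[[:space:]]*Serial/ { print $1; exit }' "$zone")
    case "$cur" in
        ''|*[!0-9]*)
            echo "no numeric serial found in $zone" >&2
            return 1 ;;
    esac

    # If the date part is older than today, restart at today's first revision;
    # otherwise just add one (covers several edits on the same day).
    if [ "${cur%??}" -lt "$today" ]; then
        new="${today}01"
    else
        new=$((cur + 1))
    fi

    # Rewrite only the serial line, leaving the rest of the file untouched.
    awk -v old="$cur" -v new="$new" \
        '/;[[:space:]]*Serial/ && !done { sub(old, new); done = 1 } { print }' \
        "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Usage: bump_serial /var/named/domain.tld.zone "$(date +%Y%m%d)",
# then reload named so the new serial is served.
if [ $# -gt 0 ]; then
    bump_serial "$1" "$(date +%Y%m%d)"
fi
```

Run it on the zone file before `systemctl reload named`; if you edit the zone several times in one day the revision counter simply increases, and on a later day it restarts at 01 for that date, so the serial always grows.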
2. Configuring master server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
    type master;
    file "domain.tld.zone";
    allow-update { none; };
    notify no;
};
Restart the daemon (systemctl restart named) or reload the configuration files (systemctl reload named) and you are done. The latter option will keep your nameserver available while still allowing the configuration change.
3. Setting this to be your default DNS server
If you are running your own DNS server, you might as well use it for all DNS lookups. This will require the ability to do recursive lookups. In order to prevent DNS amplification attacks, recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows for recursion only on the loopback interface:
allow-recursion { 127.0.0.1; };
So to facilitate general DNS lookups from your host, your /etc/resolv.conf file must include this line:
nameserver 127.0.0.1
Since /etc/resolv.conf is a generated file, edit /etc/resolvconf.conf and uncomment the
# name_servers=127.0.0.1
line. /etc/resolv.conf will consequently be set up properly on subsequent reboots.
If you want to provide name service for your local network, e.g. 192.168.0, you must add the appropriate range of IP addresses to /etc/named.conf:
allow-recursion { 192.168.0.0/24; 127.0.0.1; };
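A quick way to confirm that widening allow-recursion has not turned the server into an open resolver is to audit the configuration file before reloading. The script below is an added example, not part of the Arch wiki page or of BIND. It assumes the "allow-recursion { ...; };" syntax shown above, that comments use //, # or /* */, and that no view blocks override the global options; it reports "open" when the ACL contains any, 0.0.0.0/0 or ::/0, "closed" when recursion is disabled outright, and otherwise lists the ACL.

```shell
#!/bin/sh
# Added example (not part of the Arch wiki page): audit a named.conf for open
# recursion, the setting that DNS amplification attacks rely on.
# Assumptions: "allow-recursion { ...; };" syntax as shown above, comments
# are //, # or /* */, and no "view" blocks override the global options.

check_recursion() {
    conf="$1"
    # Join the file into one line and strip comments so statements split
    # across lines are still matched. (A "//" inside a string would also be
    # stripped; named.conf rarely contains one.)
    text=" $(sed -e 's://.*$::' -e 's:#.*$::' "$conf" | tr '\n' ' ' | sed 's:/\*[^*]*\*/::g') "

    # "recursion no;" closes the resolver regardless of the ACL.
    rec=$(printf '%s' "$text" | sed -n 's/.*[[:space:]]recursion[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p')
    if [ "$rec" = "no" ]; then
        echo "closed: recursion disabled"
        return 0
    fi

    acl=$(printf '%s' "$text" | sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p')
    if [ -z "$acl" ]; then
        # No ACL statement at all: BIND 9 then falls back to localhost and localnets.
        echo "default: no allow-recursion statement (BIND default is localhost; localnets)"
        return 0
    fi

    # Walk the ACL elements; a wildcard element makes this an open resolver.
    for elem in $(printf '%s' "$acl" | tr ';' ' '); do
        case "$elem" in
            any|0.0.0.0/0|::/0)
                echo "open: allow-recursion permits $elem"
                return 1 ;;
        esac
    done
    echo "restricted: allow-recursion {$acl}"
    return 0
}

# Usage: check_recursion /etc/named.conf
# Exit status 1 means the file permits recursion for every client.
if [ $# -gt 0 ]; then
    check_recursion "$1"
fi
```

The exit status makes it usable as a gate in a deployment script: run it after editing /etc/named.conf and only reload named when it returns 0. Keeping the ACL to the loopback address plus your own subnet, as in the line above, is what keeps the server from being usable as an amplifier.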
BIND as simple DNS forwarder
If you have problems with, for example, VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to /etc/named.conf in either the global options section or in a specific zone, and change the IP addresses according to your setup.
options {
    listen-on { 192.168.66.1; };
    forwarders { 8.8.8.8; 8.8.4.4; };
};
Don't forget to restart the service!
Running BIND in a chrooted environment
Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.
Configuring BIND to serve DNSSEC signed zones
See DNSSEC#BIND (serving signed DNS zones)
Automatically listen on new interfaces
By default BIND scans for new interfaces, and stops listening on interfaces which no longer exist, every hour. You can tune this value by adding the parameter
interface-interval <rescan-timeout-in-minutes>;
to the options section of named.conf. The maximum value is 28 days (40320 minutes).
You can disable this feature by setting its value to 0.
Then restart the service.