Set Up BIND Authoritative DNS Server on Ubuntu 22.04/20.04

This tutorial will be showing you how to set up and run your own authoritative name server on Ubuntu 22.04/20.04 with the widely-used BIND 9 software.

Note: This tutorial shows the command-line method. If you want to edit DNS records from a web GUI, I recommend setting up authoritative DNS servers with Webmin, which is a free and open-source server control panel.

What’s An Authoritative DNS Server?

If you own a domain name and want your own DNS server to handle name resolution for your domain name instead of using your domain registrar’s DNS server, then you will need to set up an authoritative DNS server.

An authoritative DNS server is used by domain name owners to store DNS records. It provides authoritative answers to DNS resolvers (like 8.8.8.8 or 1.1.1.1), which query DNS records on behalf of end users on PCs, smartphones or tablets.

About BIND

BIND (Berkeley Internet Name Domain) is an open-source, flexible and full-featured DNS software widely used on Unix/Linux due to its stability and high quality. It was originally developed by UC Berkeley, and in 1994 its development was moved to Internet Systems Consortium, Inc (ISC).

BIND can act as an authoritative DNS server for a zone and a DNS resolver at the same time. A DNS resolver can also be called a recursive name server because it performs recursive lookups for local clients. However, taking two roles at the same time isn’t advantageous. It’s a good practice to separate the two roles on two different machines.

In a previous article, I explained the steps of setting up a local DNS resolver on Ubuntu 22.04/20.04. This tutorial will show you how to set up BIND9 on Ubuntu 22.04/20.04 as an authoritative-only DNS server with recursion disabled.

Prerequisites

To follow this tutorial, you should have already bought a domain name. I registered my domain name at NameCheap because the price is low and they give whois privacy protection free for life.

You also need two servers. One server is for the master DNS server and the other is for the slave DNS server. Ideally the two servers should be at different physical locations. If one DNS server is offline, the other DNS server can still respond to DNS queries for your domain name.

Each server needs only 512MB RAM and here are the hosting providers that I recommend. I have used all of them.

  • Vultr: Start at $2.5/month. Credit card required. You can create an account at Vultr via my referral link to get $50 free credit.
  • DigitalOcean: Start at $5/month. No credit card is required. You can use Paypal. You can create an account at DigitalOcean via my referral link to get $50 free credit.

Once you have bought two servers, install Ubuntu on them and follow the instructions below.

Set up Authoritative DNS Server on Ubuntu 22.04/20.04 with BIND9

You need to run commands in this section on both servers.

Log into the two servers via SSH and run the following commands to install BIND 9 on Ubuntu 22.04/20.04 from the default repository. BIND 9 is the current version and BIND 10 is a dead project.

sudo apt update
sudo apt install bind9 bind9utils bind9-doc

Check version number.

named -v

Sample output:

BIND 9.11.3-1ubuntu1.3-Ubuntu (Extended Support Version) <id:a375815>

To check the version number and build options, run

named -V

(Screenshot: output of named -V showing the BIND version number and build options)

By default, BIND automatically starts after installation. You can check its status with:

systemctl status bind9


If it’s not running, then start it with:

sudo systemctl start bind9

And enable auto start at boot time:

sudo systemctl enable named

The BIND server will run as the bind user, which is created during installation, and listens on TCP and UDP port 53, as can be seen by running the following command:

sudo netstat -lnptu | grep named


The BIND daemon is called named. (A daemon is a piece of software that runs in the background.) The named binary is installed by the bind9 package and there’s another important binary: rndc, the remote name daemon controller, which is installed by the bind9utils package. The rndc binary is used to reload/stop and control other aspects of the BIND daemon. Communication is done over TCP port 953.

For example, we can check the status of the BIND name server.

sudo rndc status

(Screenshot: output of rndc status)

The main BIND configuration file /etc/bind/named.conf sources the settings from 3 other files.

  • /etc/bind/named.conf.options
  • /etc/bind/named.conf.local
  • /etc/bind/named.conf.default-zones

Out of the box, the BIND9 server on Ubuntu provides recursive service for localhost and local network clients. Since we are setting up an authoritative DNS server, we need to disable recursion. Edit the /etc/bind/named.conf.options file.

sudo nano /etc/bind/named.conf.options

Add the following lines in the options {...}; clause.

 // hide version number from clients for security reasons.
 version "not currently available";

 // disable recursion on authoritative DNS server.
 recursion no;

 // enable the query log
 querylog yes;

 // disallow zone transfer
 allow-transfer { none; };


Technically speaking, you only need to add recursion no; to disable recursion, but it’s a good practice to add the other 3 directives. Save and close the file. Then restart BIND.

sudo systemctl restart bind9

Master DNS Server Configuration

Pick one of the two servers as the master DNS server. We will name it ns1.example.com.

The master DNS server holds the master copy of the zone file. Changes to DNS records are made on this server. A domain can have one or more DNS zones. Each DNS zone has a zone file which contains every DNS record in that zone. For simplicity’s sake, this article assumes that you want to use a single DNS zone to manage all DNS records for your domain name.

The /etc/bind/named.conf.default-zones file defines the root zone and localhost zone. To add a zone for your domain name, edit /etc/bind/named.conf.local file.

sudo nano /etc/bind/named.conf.local

Add the following lines to this file. Replace example.com with your own domain name. Replace 12.34.56.78 with the IP address of slave DNS server.

zone "example.com" {
      type master;
      file "/etc/bind/db.example.com";
      allow-query { any; };
      allow-transfer { 12.34.56.78; };
};

In the above configuration, we created a new zone with the zone clause and specified that this is the master zone. The zone file is /etc/bind/db.example.com, where we will add DNS records. Zone transfers will only be allowed to the slave DNS server. Save and close the file.

Instead of creating a zone file from scratch, we can use a zone template file. Copy the content of db.empty to a new file.

sudo cp /etc/bind/db.empty /etc/bind/db.example.com

A zone file can contain 3 types of entries:

  • Comments: start with a semicolon (;)
  • Directives: start with a dollar sign ($)
  • Resource Records: aka DNS records

A zone file typically consists of the following types of DNS records.

  • The SOA (Start of Authority) record: defines the key characteristics of a zone. It’s the first DNS record in the zone file and is mandatory.
  • NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS records in a zone file.
  • MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
  • A (Address) record: Converts DNS names into IPv4 addresses.
  • AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
  • CNAME record (Canonical Name): It’s used to create an alias for a DNS name.
  • TXT record: SPF, DKIM, DMARC, etc.

Now let’s edit the zone file.

sudo nano /etc/bind/db.example.com

By default, it looks like this:

(Screenshot: the default contents of the copied db.empty template)

You can change it to this instead.

(Screenshot: the edited master zone file for example.com)

Where

  • The $TTL directive defines the default Time to Live value for the zone, which is the time a DNS record can be cached on a DNS resolver. This directive is mandatory. The time is specified in seconds.
  • The $ORIGIN directive defines the base domain.
  • Domain names must end with a dot (.), which is the root domain. When a domain name ends with a dot, it is a fully qualified domain name (FQDN).
  • The @ symbol refers to the base domain.
  • IN is the DNS class. It stands for Internet. Other DNS classes exist but are rarely used.

The first record in a zone file is the SOA (Start of Authority) record. This record contains the following information:

  • The master DNS server.
  • Email address of the zone administrator. RFC 2142 recommends the address hostmaster@example.com. In the zone file, this email address takes the form hostmaster.example.com because the @ symbol has a special meaning in a zone file.
  • Zone serial number. The serial number is how the slave DNS server tracks changes to the zone. By convention, the serial number takes a date format: yyyymmddss, where yyyy is the four-digit year, mm is the month, dd is the day, and ss is the sequence number for the day. You must update the serial number whenever you change the zone file.
  • Refresh value. When the refresh interval is reached, the slave DNS server reads the SOA record from the master DNS server. If the serial number has increased, a zone transfer is initiated.
  • Retry value. Defines the retry interval in seconds if the slave DNS server fails to contact the master DNS server.
  • Expiry: If the slave DNS server has failed to contact the master DNS server for this amount of time, the slave stops responding to DNS queries for this zone.
  • Negative cache TTL: Defines the time to live value of DNS responses for non-existent DNS names (NXDOMAIN).

TXT records are usually enclosed in double quotes. If you add a DKIM record, you also need to enclose the value in parentheses.
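As an added example (not part of the original tutorial), the following Python script embeds a constructed zone for example.com laid out as described above and performs the two checks that matter most before reloading the zone: bumping the SOA serial in yyyymmddss form, and catching names that look fully qualified but are missing the trailing dot. The 203.0.113.x addresses are documentation placeholders.

```python
"""Zone-file helpers for this tutorial's layout (added example, not part
of the tutorial): bump the SOA serial and flag names missing the root dot."""
import datetime

# Constructed zone for example.com: $TTL and $ORIGIN directives, the SOA
# first, then NS/MX/A/TXT records.  203.0.113.0/24 is a documentation
# range, so these addresses point at nothing real.
SAMPLE_ZONE = """\
$TTL    86400
$ORIGIN example.com.
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        2019011503      ; serial, yyyymmddss
                        3600            ; refresh
                        900             ; retry
                        1209600         ; expire
                        3600 )          ; negative cache TTL
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.
@       IN      MX      10 mail.example.com.
ns1     IN      A       203.0.113.10
ns2     IN      A       203.0.113.20
mail    IN      A       203.0.113.30
@       IN      TXT     "v=spf1 mx ~all"
"""


def _fields(line):
    """Split a zone line into fields, dropping a ';' comment.  Naive about
    ';' inside quoted TXT data, which never occurs before the SOA."""
    return line.split(";", 1)[0].split()


def find_serial(zone_text):
    """Return the SOA serial exactly as written, or raise ValueError."""
    toks = []
    for line in zone_text.splitlines():
        toks += _fields(line.replace("(", " ( ").replace(")", " ) "))
    for i, tok in enumerate(toks):
        if tok == "SOA":
            # Layout is: SOA mname rname [(] serial refresh retry ...
            after = [t for t in toks[i + 3:] if t != "("]
            if after and after[0].isdigit():
                return after[0]
            break
    raise ValueError("no SOA serial found")


def next_serial(current, today=None):
    """Next serial in yyyymmddss form.  Same day: bump the sequence.  New
    day or non-date serial: start at today's 01.  A serial already ahead
    of today is incremented rather than moved back, because slaves only
    transfer when the serial grows.  ``today`` is an ISO date string."""
    if int(current) >= 2**32:
        raise ValueError("serial must fit in 32 bits")
    day = datetime.date.fromisoformat(today) if today else datetime.date.today()
    prefix = day.strftime("%Y%m%d")
    if len(current) == 10 and current[:8] == prefix:
        seq = int(current[8:]) + 1
        if seq > 99:
            raise ValueError("99 changes already today; wait for tomorrow")
        return f"{prefix}{seq:02d}"
    if len(current) == 10 and current[:8] > prefix:
        return str(int(current) + 1)
    return f"{prefix}01"


def bump_serial(zone_text, today=None):
    """Return (updated_zone_text, old_serial, new_serial)."""
    old = find_serial(zone_text)
    new = next_serial(old, today)
    # Replace only the first occurrence after the SOA keyword, so the same
    # number used elsewhere (e.g. as a TTL) is left alone.
    pos = zone_text.index(old, zone_text.index("SOA"))
    return zone_text[:pos] + new + zone_text[pos + len(old):], old, new


def missing_trailing_dots(zone_text):
    """Return NS/MX/CNAME/SOA targets that contain a dot but do not end in
    one.  BIND treats such names as relative and appends $ORIGIN, turning
    ns1.example.com into ns1.example.com.example.com."""
    bad = []
    for line in zone_text.splitlines():
        fields = _fields(line)
        for rtype in ("NS", "CNAME", "MX", "SOA"):
            if rtype in fields:
                targets = fields[fields.index(rtype) + 1:]
                if rtype == "MX":
                    targets = targets[1:]   # skip the preference value
                if rtype == "SOA":
                    targets = targets[:2]   # mname and rname only
                bad += [t for t in targets if "." in t and not t.endswith(".")]
                break
    return bad


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}; missing dots: {missing_trailing_dots(text)}")
```

Run it against the real /etc/bind/db.example.com before named-checkzone; the missing-dot check catches the mistake that makes a name server appear as ns1.example.com.example.com.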

Save and close the file. Then run the following command to check if there are syntax errors in the main configuration file. A silent output indicates no errors are found.

sudo named-checkconf

Then check the syntax of zone files.

sudo named-checkzone example.com /etc/bind/db.example.com

If there are syntax errors in the zone file, you need to fix them, or this zone won’t be loaded. The following message indicates there are no syntax errors.

zone example.com/IN: loaded serial 2019011503
OK

Then restart BIND9.

sudo systemctl restart bind9

If you are using the uncomplicated firewall (UFW), then open TCP and UDP port 53.

sudo ufw allow 53/tcp

sudo ufw allow 53/udp

If you are using iptables firewall directly, then run the following command.

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

Slave DNS Server Configuration

Now we use the other server as the slave DNS server, which will be named ns2.example.com.

First, edit the named.conf.local file.

sudo nano /etc/bind/named.conf.local

Add a zone like below. Replace 12.34.56.78 with the IP address of the master DNS server.

zone "example.com" {
        type slave;
        file "db.example.com";
        allow-query { any; };
        masters { 12.34.56.78; };
};

In the above configuration, we specified that this is a slave DNS server for the example.com zone and it will accept zone transfers only from a trusted IP address.

Save and close the file. Then run the following command to check if there are syntax errors in the main configuration file.

sudo named-checkconf

If no errors are found, restart BIND9.

sudo systemctl restart bind9

The zone file on the slave DNS server is loaded from a zone transfer, which is used to synchronize DNS record changes from the master DNS server to the slave DNS server. After BIND9 restarts, the zone transfer will start immediately. Check the BIND9 log with the following command.

sudo journalctl -eu bind9

You should see messages like the one below, which indicate that the zone transfer was successful.

named[31518]: transfer of 'example.com/IN' from 12.34.56.78#53: Transfer completed: 1 messages, 16 records, 886 bytes, 0.004 secs (221500 bytes/sec)

The zone file will be saved as /var/cache/bind/db.example.com.

If you are using the uncomplicated firewall (UFW), then open TCP and UDP port 53.

sudo ufw allow 53/tcp

sudo ufw allow 53/udp

If you are using iptables firewall directly, then run the following command.

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

More about Zone Transfer

The slave DNS server will contact the master again when the refresh time in SOA record is reached and if the serial number on the master is greater than that on the slave, a zone transfer will be initiated. There are two types of zone transfers:

  • Full zone transfer (AXFR): The full copy of zone file is transferred.
  • Incremental zone transfer (IXFR): Only DNS records that are changed are transferred.

Both types of zone transfer use TCP port 53. By default, BIND on the slave DNS server will request an incremental zone transfer and BIND on the master DNS server will only allow incremental zone transfer when the zone is dynamic.

The zone transfer interval is a major factor of the propagation speed of DNS record changes. Instead of waiting for the slave DNS server to make contact, the BIND master will notify the slave when changes are made to the zone. This can considerably reduce the time to propagate zone changes to the Internet.

Reverse Zone

A reverse zone contains PTR records that map an IP address to a DNS name. It is the counterpart of the DNS A record. A PTR record is often necessary for mail servers to pass spam filters. This record does not belong to a domain. You need to create the PTR record in your hosting provider’s control panel, or ask your ISP, so I’m not going to cover creating reverse zones in BIND.

You can create a reverse zone in BIND, but to make it answer the PTR query for your own IP address, you need to ask for DNS delegation from your hosting provider/ISP. They are very likely to refuse your request, so you might as well ask them to create the PTR record.

Change NS Record and Create Glue Record

Now you need to go to your domain registrar’s website to change the NS record for your domain, so the Internet would know that you are now using your own DNS server. Normally you use hostnames in the NS record like ns1.example.com and ns2.example.com.

name server 1:     ns1.example.com
name server 2:     ns2.example.com

If you have a domain name example.com and you use a subdomain for the authoritative DNS servers (ns1.example.com and ns2.example.com), then you also need to create a glue record at your domain registrar, so the Internet can know the IP address of your DNS server. The glue record is an A record for ns1.example.com and ns2.example.com.

ns1.example.com        IP-address-of-master-server
ns2.example.com        IP-address-of-slave-server

The above information will be sent via the Extensible Provisioning Protocol (EPP) to the registry operator that runs the TLD DNS servers, so that those servers know the hostnames and IP addresses of the authoritative DNS servers for your domain name.

I will show you how to do this at NameCheap.

If you bought a domain name at NameCheap, then log into your NameCheap account. Select the Domain list menu on the left sidebar, then click the Manage button on the far right.

(Screenshot: NameCheap Domain List with the Manage button)

Select Advanced DNS.

(Screenshot: NameCheap Advanced DNS tab)

Scroll to the bottom of the page and you will find the Personal DNS Server section. Click the Add NameServer button to add your own name servers: ns1.example.com and ns2.example.com. You need to enter the IP addresses of your name servers.

(Screenshot: NameCheap Personal DNS Server section showing the glue records)

After adding your two name servers, click the search button to check if they are added successfully. If so, the glue records will appear at the bottom of this page.

Now click the Domain tab, and use your custom DNS server.

(Screenshot: NameCheap Domain tab with Custom DNS name servers)

Depending on the domain registrar you use, your NS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://dnsmap.io to check if your new NS record is active.

After the NS record and glue record have been propagated to the Internet, your DNS servers would be responding to DNS queries for your domain name. You can check the query log with:

sudo journalctl -eu bind9

You can also use the dig utility to check the NS record of your domain name.

dig NS example.com

If the NS record and glue record have been propagated to the Internet, you should see your name servers in the answer section. If you see the SERVFAIL error, it’s probably because you didn’t open UDP port 53 on your name servers.

(Screenshot: dig NS output showing SERVFAIL)

Things to Know

  • The term master DNS server only implies that this server stores the master copy of the zone file. It has no higher priority when it comes to DNS resolution.
  • Always update the SOA serial number when you make changes to a zone file.

Using Wildcard in BIND Zone File

If you want to point all subdomains to the same IP address, you can use a wildcard record. For example, the following line will make all your subdomains point to the IP address 1.2.3.4.

*.your-domain.com  IN   A   1.2.3.4

Enabling the Resolver

BIND can act as an authoritative DNS server for a zone and a DNS resolver at the same time. It’s a good practice to separate the two roles on two different hosts and in this article we disabled the resolver in BIND. If you really want to enable the resolver, follow the instructions below.

Edit the BIND configuration file.

sudo nano /etc/bind/named.conf.options

Find the following lines.

 // disable recursion on authoritative DNS server.
 recursion no;

Change them to the following, so only trusted IP addresses can send recursive queries to your DNS resolver and your server won’t be an open resolver.

 // allow recursion for trusted clients only.
 recursion yes;
 allow-query { localhost; 12.34.56.78; };

Replace 12.34.56.78 with your own IP address. Save and close the file. Make sure your zone definition in the /etc/bind/named.conf.local file has the following option, so the Internet can query DNS records in your zone.

allow-query { any; };

Then restart BIND.

sudo systemctl restart bind9

Go to https://openresolver.com/ to test if your BIND server is an open resolver.
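Before restarting, you can also check the options file mechanically. The following Python audit is an added example (not the tutorial’s or BIND’s own code) that parses a named.conf.options fragment and reports the four departures this tutorial addresses: recursion without a restricting ACL (an open resolver, as discussed in this section), unrestricted allow-transfer, no version string and no query log (the hardening directives earlier). The two fragments are constructed; 12.34.56.78 is the tutorial’s placeholder address.

```python
"""Audit a named.conf.options fragment against the four directives this
tutorial adds.  Added example, not the tutorial's or BIND's own code."""
import re

# Constructed fragments.  WEAK_OPTIONS recurses for anyone and transfers
# zones to anyone; HARDENED_OPTIONS is the authoritative-only posture
# described in this tutorial.  Comments mirror the tutorial's own.
WEAK_OPTIONS = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
    listen-on-v6 { any; };
};
"""

HARDENED_OPTIONS = """\
options {
    directory "/var/cache/bind";
    // hide version number from clients for security reasons.
    version "not currently available";
    // disable recursion on authoritative DNS server.
    recursion no;
    querylog yes;
    allow-transfer { none; };
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #.
    Naive about comment markers inside quoted strings."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", " ", text)


def parse_options(text):
    """Map each statement in the options {} clause to its value: an
    address-match list becomes a list of entries, a scalar a string.
    Expects a fragment that holds only the options clause, as
    named.conf.options does."""
    clause = re.search(r"options\s*\{(.*)\}\s*;", strip_comments(text), re.S)
    if not clause:
        raise ValueError("no options clause found")
    opts = {}
    for m in re.finditer(r"([\w-]+)\s+(\{[^}]*\}|[^;{]+);", clause.group(1)):
        name, value = m.group(1), m.group(2).strip()
        if value.startswith("{"):
            opts[name] = [e.strip() for e in value[1:-1].split(";") if e.strip()]
        else:
            opts[name] = value.strip('"')
    return opts


def open_resolver_risk(opts):
    """True when recursion is on and no ACL limits who may use it.  BIND
    derives the recursion ACL from allow-recursion, then allow-query-cache,
    then allow-query; with none set it defaults to localnets and localhost,
    which is why the tutorial's allow-query { localhost; 12.34.56.78; }
    is enough to avoid an open resolver."""
    if opts.get("recursion", "yes") != "yes":     # BIND defaults to yes
        return False
    for acl in ("allow-recursion", "allow-query-cache", "allow-query"):
        if acl in opts:
            return "any" in opts[acl]
    return False


def audit(text):
    """Return findings for the fragment; an empty list means it matches
    the authoritative-only configuration from this tutorial."""
    opts = parse_options(text)
    findings = []
    if open_resolver_risk(opts):
        findings.append("open resolver: recursion yes with an unrestricted ACL")
    transfer = opts.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append("allow-transfer missing or any: set { none; } here "
                        "and list only the slave in each zone clause")
    if "version" not in opts:
        findings.append("version not set: BIND reveals its release to clients")
    if opts.get("querylog") != "yes":
        findings.append("querylog not enabled: queries will not be logged")
    return findings


if __name__ == "__main__":
    for label, fragment in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit(fragment) or ["ok"])
```

Point audit() at the contents of /etc/bind/named.conf.options on both servers; the check belongs next to named-checkconf, which validates syntax but not policy.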

Wrapping Up

That’s it! I hope this tutorial helped you set up authoritative DNS server on Ubuntu with BIND9. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂


65 Responses to “Set Up BIND Authoritative DNS Server on Ubuntu 22.04/20.04”

  • THANK YOU!!!!

  • Thank you

  • Thank you for the helpful doc!
    Is there such a thing as “chroot” for this installation?
    cheers

    • Xiao Guo An (Admin)
      5 years ago

      BIND9 on Ubuntu by default doesn’t run in a chroot environment.

    • Gabriel
      2 years ago

      That IP is local IP or public?

  • Paul Kubu
    5 years ago

    When I set up an .eu domain it works fine, but when I set up a .com domain and then dig this domain with Google Toolbox I get a ServerFail….

    Does anyone know how I could fix this?

    • Xiao Guo An (Admin)
      5 years ago

      Maybe you forgot to add a dot at the end of your domain name in the zone file. Maybe you didn’t add the glue record. Can you tell me what your domain name is?

    • Xiao Guo An (Admin)
      5 years ago

      To add a second domain, you need to create a separate zone in /etc/bind/named.conf.local on the Master DNS server.

      zone "domain1.com" {
            type master;
            file "/etc/bind/db.domain1.com";
            allow-transfer { IP-address-of-slave-server; };
      };
      
      zone "domain2.com" {
            type master;
            file "/etc/bind/db.domain2.com";
            allow-transfer { IP-address-of-slave-server; };
      };
      

      Then create the zone file for domain2. Here we copy the domain1 zone as a template.

      sudo cp /etc/bind/db.domain1.com /etc/bind/db.domain2.com

      Modify the /etc/bind/db.domain2.com file to add DNS records.

      Restart BIND9.

      sudo systemctl restart bind9

      After that, create a separate zone in /etc/bind/named.conf.local on the slave DNS server.

      zone "domain1.com" {
              type slave;
              file "db.domain1.com";
              masters { IP-address-of-master-server; };
      };
      
      zone "domain2.com" {
              type slave;
              file "db.domain2.com";
              masters { IP-address-of-master-server; };
      };

      Then Restart BIND9.

      sudo systemctl restart bind9

      • I followed your advice to add a subdomain, but I got some errors:
        zone "urbaneindonesia.com" {
        type master;
        file "/etc/bind/db.urbaneindonesia.com";
        allow-transfer { 192.168.2.48; };
        also-notify { 192.168.2.48; };
        };

        zone "cloud.urbaneindonesia.com" {
        type master;
        file "/etc/bind/db.cloud.urbaneindonesia.com";
        allow-transfer { 192.168.2.48; };
        also-notify { 192.168.2.48; };
        };

        ns1@ns1:/etc/bind$ sudo named-checkzone cloud.urbaneindonesia.com db.cloud.urbaneindonesia.com
        db.cloud.urbaneindonesia.com:7: ignoring out-of-zone data (urbaneindonesia.com)
        db.cloud.urbaneindonesia.com:21: ignoring out-of-zone data (www.urbaneindonesia.com)
        db.cloud.urbaneindonesia.com:22: ignoring out-of-zone data (urbaneindonesia.com)
        db.cloud.urbaneindonesia.com:23: ignoring out-of-zone data (ns1.urbaneindonesia.com)
        db.cloud.urbaneindonesia.com:24: ignoring out-of-zone data (ns2.urbaneindonesia.com)
        db.cloud.urbaneindonesia.com:25: ignoring out-of-zone data (mail.urbaneindonesia.com)
        db.cloud.urbaneindonesia.com:28: ignoring out-of-zone data (ftp.urbaneindonesia.com)

        Could you help me resolve this problem? Many thanks.

  • Hello,
    First, thank you for this tutorial, it’s really great. I’ve got everything set up, with few issues. But I was hoping you could elaborate on the next steps for me. Once I have these servers up, is the next step just to notify my registrar of my DNS servers’ IP addresses? Is this the glue record? Thank you again.

    • Xiao Guo An (Admin)
      5 years ago

      You need to go to your domain registrar’s website to change the NS record for your domain, so the Internet would know that you are now using your own DNS server. Normally you use hostnames in the NS record like ns1.example.com and ns2.example.com.

      You also need to create a glue record at your domain registrar’s website so the Internet can know the IP address of your DNS server.

      If you don’t know how to create a glue record, then create a support ticket at your domain registrar.

      I just updated the create glue record section in this article to make it more understandable.

  • Mohamed
    5 years ago

    Hello Xiao Guo An,

    Thanks for the tutorial. I have the BIND9 DNS server and also made the delegation. We’re using our DNS now but with recursion enabled. If I disable recursion I cannot use the Internet; my DNS no longer resolves the domains on the Internet. I really need to disable recursion and be able to browse the Internet using my own DNS. What do I do? Thanks again.

    • Xiao Guo An (Admin)
      5 years ago

      Hi, normally it’s a good practice to run an authoritative DNS server and a DNS resolver on separate boxes for large DNS query traffic.

      If you really need to run them on the same box, you can enable recursion on the authoritative DNS server. I only do this when the DNS query traffic is small.

  • This was just what I needed! Thank you for taking the time to create this easy to follow guide 🙂

  • Hi

    Please help me. I want to make my server a web server, so I decided to install BIND to connect with BigRock. I have 1 server and 5 websites. So how do I do this?

  • In the text you mention this part:

    “Add the following lines to this file. Replace example.com with your own domain name. Replace 12.34.56.78 with the IP address of slave DNS server.

    zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 12.34.56.78; };
    };”

    Is the IP address 12.34.56.78 a local one like 192.168.1.10 or the fixed global one you got from your ISP? I guess the latter, but just to be sure.

    • Xiao Guo An (Admin)
      5 years ago

      If the slave server contacts the master server via local network, for example 192.168.1.0/24, then use the local network address.

      If the communication happens over the public Internet, then use public IP address.

  • Bratella
    5 years ago

    THANKS!!!!

  • Bharat Lalwani
    5 years ago

    Hello,

    I am trying to configure a BIND authoritative DNS server on an AWS EC2 instance. However, the Elastic IP address is not visible in the output of “sudo netstat -lnptu | grep named” and the zone transfer is getting stuck with a connection refused error message.

    Is there any workaround to get rid of this problem?

    • Xiao Guoan (Admin)
      5 years ago

      You should configure AWS firewall to allow connection from the slave DNS server.

  • Hello!

    I work in a small ISP. For some time we used another ISP’s IPs, so there was no problem for us! But now, as we grow, we applied for an AS number and our own public IP addresses. We now need our own authoritative name servers. As I understand it, I can set up those name servers using this awesome tutorial. But I have 2 questions:
    1. If we set up our Internet clients with these name servers using this config, will they respond to all DNS queries, or only for the domains configured? It would also be very helpful to know how to add PTR zones too!
    2. Is it possible to add a web interface to easily manage records? If yes, which one do you suggest and how do I install it?

    Best regards,

  • IMRON HS
    4 years ago

    If I want to set up a mail server locally, I need rDNS. Which article should I start with DNS configuration from your tutorial Xiao?

    • IMRON HS
      4 years ago

      Thank you Xiao, nice! I think everything works fine.

    • IMRON HS
      4 years ago

      And I think it needs 1 GB RAM for this DNS server. This is from my VM on XCP-ng.

    • IMRON HS
      4 years ago

      I want to ask 1 question Xiao: hostmaster.example.com -> what is “hostmaster” for? If I am using the domain rsudpbari.com, does it mean hostmaster.rsudpbari.com?

    • Xiao Guoan (Admin)
      4 years ago

      Yes.

  • Is it possible to query the BIND logs, so as to inspect user traffic, by using a dashboard solution or something similar? Essentially, a solution to review which sites are being visited by those querying BIND – think OpenDNS or the UniFi Security Gateway admin interface. I know BIND can log the traffic, but I am interested in a tool that is web-based and can provide something like a dashboard view and search/filter capabilities (e.g. ELK). Thanks!

  • When I add the options mentioned for authoritative dns to named.conf.options I get the following error. I tried removing and adding spaces and same thing. Any ideas?

    /etc/bind/named.conf.options:26: unknown option ‘version’
    /etc/bind/named.conf.options:29: unknown option ‘recursion’
    /etc/bind/named.conf.options:32: unknown option ‘querylog’
    /etc/bind/named.conf.options:35: unknown option ‘allow-transfer’

    • Xiao Guoan (Admin)
      4 years ago

      You need to add these lines inside the options { ... }; clause.

  • I think I missed how to change the template of that zone file db.empty brings, which defaults to a reverse zone. How did you get the forward zone template from there?

    • Xiao Guoan (Admin)
      4 years ago

      Because I know how to make a forward zone file.

  • Hi Xiao,

    Thanks for the interesting tutorial.
    Everything works well internally (for example.com), but it refuses any external query for other domains like example.net. BIND logs return an error like this: “….query failed (REFUSED) for ntp.ubuntu.com/IN/A ….”
    Any pointers to how to fix this?

    Regards,
    Mamana

    • Xiao Guoan (Admin)
      4 years ago

      That’s because the recursion service has been disabled. I just added instructions on how to enable the resolver.

      • Thanks Xiao. After adding those instructions, I now get ” … query failed (SERVFAIL) for example1.com/IN/A … ”
        Where example1.com is using ns1.example.com and ns2.example.com as non authoritative dns servers and hosted in srv1.example.com.

    • Xiao Guoan (Admin)
      4 years ago

      ns1.example.com and ns2.example.com are non authoritative dns servers? I don’t understand your setup.

      • ns1.example.com and ns2.example.com are authoritative dns servers just as in your tutorial.
        And example1.com using ns1 and ns2 as DNS.

    • Xiao Guoan (Admin)
      4 years ago

      Is example1.com running on the same server or on a different server?

      • example1.com is hosted in a different server srv1.example.com

    • Xiao Guoan (Admin)
      4 years ago

      Your zone definition in the /etc/bind/named.conf.local file should have the following option, so the Internet can query DNS records in your zone.

      allow-query { any; };

      Like this:

      zone "example.com" {
              type slave;
              file "db.example.com";
              allow-query { any; };
              masters { 12.34.56.78; };
      };
      
    • Xiao Guoan (Admin)
      4 years ago

      I recommend running a BIND resolver on the srv1.example.com server. So example1.com will use the local DNS resolver.

      Set Up Local DNS Resolver on Ubuntu 20.04 with BIND9
      Set Up a Local DNS Resolver on Ubuntu 18.04, 16.04 with BIND9

    • Xiao Guoan (Admin)
      4 years ago

      I mean you shouldn’t run an authoritative DNS server and resolver on the same host. Run the resolver on another host.

      • So how does the BIND resolver server communicate with ns1 and ns2 DNS servers?

      • I guess my question is how will this work with the two authoritative dns servers ns1.example.com and ns2.example.com I set up as in this tutorial.

    • Xiao Guoan (Admin)
      4 years ago

      UDP port 53. DNS resolvers can automatically find the right authoritative DNS server of a given domain via the DNS system.

  • I have that already in my `/etc/bind/named.conf.local`

    ```
    zone "example.net" {
    type slave;
    file "/etc/bind/zones/db.example.net"; # zone file path
    allow-query { any; };
    masters { 1.2.3.4; }; # ns1 private IP address
    };

    zone "2.1.in-addr.arpa" {
    type slave;
    file "/etc/bind/zones/db.2.1"; # 1.2.3.4/29 subnet
    allow-query { any; };
    masters { 1.2.3.4; }; # ns1 IP address
    };
    ```

  • peacecop kalmer:
    4 years ago

    If I only have one box, can I have one nameserver? Or is there a requirement for at least two of them?

    • Xiao Guoan (Admin)
      4 years ago

      If your domain registrar allows you to specify only one hostname in the NS record, then you can use only one box.

  • IMRON HS
    3 years ago

    Hi Xiao Guoan, I am working at an ISP. How do I configure:

    /etc/bind/db.example.com
    

    My client need PTR record, can you share how to configure db.example.com? Thank you for your help.

    • IMRON HS
      3 years ago

      Sorry, I forgot, my:
      Primary DNS Resolver: 116.206.214.67
      Secondary DNS Resolver: 116.206.214.68
      Master DNS Authoritative: 116.206.214.69
      Master DNS Authoritative: 116.206.214.70

    • IMRON HS
      3 years ago

      ```
      Mar 09 00:41:02 ns1.gie.co.id named[955]: client 84.200.70.40#56127 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
      Mar 09 00:41:02 ns1.gie.co.id named[955]: client 172.217.41.200#39578 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN AAAA - (116.206.214.69)
      Mar 09 00:41:02 ns1.gie.co.id named[955]: client 172.217.41.200#39578 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/AAAA/IN' denied
      Mar 09 00:41:02 ns1.gie.co.id named[955]: client 84.200.70.40#27072 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN A -EDC (116.206.214.69)
      Mar 09 00:41:02 ns1.gie.co.id named[955]: client 84.200.70.40#27072 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 84.200.70.40#13625 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN A -EDC (116.206.214.69)
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 84.200.70.40#13625 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 74.125.47.151#57430 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN A -E (116.206.214.69)
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 74.125.47.151#57430 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 84.200.70.40#50711 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN A -EDC (116.206.214.69)
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 84.200.70.40#50711 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 74.125.47.133#50579 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN A - (116.206.214.69)
      Mar 09 00:41:03 ns1.gie.co.id named[955]: client 74.125.47.133#50579 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
      ```

      What does DENIED mean? I got this error, Xiao Guoan.

    • Xiao Guoan (Admin)
      3 years ago

      Sorry, I have never worked in an ISP and I don’t know how to manage PTR record at an ISP.
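The `query (cache) ... denied` lines quoted above are what named logs when a client asks for a name the server holds no authoritative data for and recursion is refused. As an added example (not from the post, the author, or BIND itself), a small Python parser that pairs each query with its denial and separates names inside the zones the server is meant to serve (a hint that the zone did not load) from names outside them, which an authoritative-only server is expected to refuse; the first four sample lines mirror the log above, the rest are constructed with RFC 5737 addresses and reserved names.

```python
import re
from collections import Counter

# Constructed sample: the first four lines mirror the query log posted above, the
# remaining three are made up (RFC 5737 address, reserved names) for the other outcomes.
SAMPLE_LOG = """\
Mar 09 00:41:02 ns1.gie.co.id named[955]: client 172.217.41.200#39578 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN AAAA - (116.206.214.69)
Mar 09 00:41:02 ns1.gie.co.id named[955]: client 172.217.41.200#39578 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/AAAA/IN' denied
Mar 09 00:41:02 ns1.gie.co.id named[955]: client 84.200.70.40#27072 (ns1.globalinayahelektrindo.net): query: ns1.globalinayahelektrindo.net IN A -EDC (116.206.214.69)
Mar 09 00:41:02 ns1.gie.co.id named[955]: client 84.200.70.40#27072 (ns1.globalinayahelektrindo.net): query (cache) 'ns1.globalinayahelektrindo.net/A/IN' denied
Mar 09 00:41:05 ns1.gie.co.id named[955]: client 203.0.113.9#5353 (lookup.example.org): query: lookup.example.org IN A -E (116.206.214.69)
Mar 09 00:41:05 ns1.gie.co.id named[955]: client 203.0.113.9#5353 (lookup.example.org): query (cache) 'lookup.example.org/A/IN' denied
Mar 09 00:41:06 ns1.gie.co.id named[955]: client 198.51.100.7#4242 (www.example.com): query: www.example.com IN A -E (116.206.214.69)
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<type>\S+)")
DENIED_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query \(cache\) '(?P<name>[^/]+)/(?P<type>[^/]+)/IN' denied")

def summarize(log_text, served_zones):
    """Classify BIND query-log lines from an authoritative-only server.

    'query (cache) ... denied' means named had no authoritative data for the name
    and refused to recurse: inside a zone we believe we serve, that points at a
    zone that did not load; outside, it is the expected refusal.
    """
    served = {z.rstrip(".").lower() for z in served_zones}
    denied_by_client = Counter()
    in_served, outside = set(), set()
    pending = {}  # (client, name, type) of queries not followed by a denial
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            name = m["name"].rstrip(".").lower()
            denied_by_client[m["ip"]] += 1
            if any(name == z or name.endswith("." + z) for z in served):
                in_served.add(name)
            else:
                outside.add(name)
            pending.pop((m["ip"], name, m["type"]), None)
            continue
        m = QUERY_RE.search(line)
        if m:
            pending[(m["ip"], m["name"].rstrip(".").lower(), m["type"])] = line
    return {
        "denied_by_client": dict(denied_by_client),
        "denied_in_served_zone": sorted(in_served),
        "denied_outside_zones": sorted(outside),
        "answered": len(pending),  # queries with no matching denial line
    }
```

Run `summarize(SAMPLE_LOG, {"globalinayahelektrindo.net"})` against a real `journalctl -u named` dump to see which denials fall inside your own zones; a non-empty `denied_in_served_zone` is the case to chase with `named-checkconf` and the zone's `loaded serial` line.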

  • Lucian Filote
    3 years ago

    Thank you! Most complete tutorial I have found on BIND9. Works perfectly!

  • Howard Barnes
    3 years ago

    If I do not generate a slave zone, and use the same IP for both, will this work as long as my master server is online?
    Thanks.

    • Xiao Guoan (Admin)
      3 years ago

      If your domain registrar allows you to enter the same IP address for both primary and secondary DNS servers, I think it can work as long as you make sure the primary is online.

  • Jeroen D
    3 years ago

    Thanks for your clear tutorial. Is it possible to use this authoritative setup to serve a different server internally than externally for the same external domain name? I have tried to set up an RPZ zone to overwrite an external domain name for an internal server. This works on my Windows computer, but my Mac looks for an authoritative DNS response and ignores the overwrite.

    • Xiao Guoan (Admin)
      3 years ago

      Yes. You can overwrite the NS record for this particular domain in the RPZ, so the DNS resolver will use your authoritative DNS zone.

      It’s strange that RPZ doesn’t work on your Mac. I have an iPhone and it works with RPZ.

  • Jeroen D
    3 years ago

    Thank you for your reply. I found it was much easier to fix: I added the domain name in my DHCP server, and the RPZ zone started to work as expected.

  • Hi friend Xi, almost everything works for me; the only error that authoritative BIND9 gives me is the following:

    ```
     Main PID: 1686 (named)
          Tasks: 14 (limit: 1985)
         CGroup: /system.slice/named.service
                 └─1686 /usr/sbin/named -f -u bind

    Jul 17 02:08:38 ServerDnsMast named[1686]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
    Jul 17 02:08:38 ServerDnsMast named[1686]: network unreachable resolving './NS/IN': 2001:7fd::1#53
    Jul 17 02:08:38 ServerDnsMast named[1686]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
    Jul 17 02:08:38 ServerDnsMast named[1686]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
    Jul 17 02:08:38 ServerDnsMast named[1686]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
    Jul 17 02:08:38 ServerDnsMast named[1686]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
    Jul 17 02:08:38 ServerDnsMast named[1686]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance tim>
    Jul 17 02:08:38 ServerDnsMast named[1686]: resolver priming query complete
    ```

    I can't understand where I went wrong. Can you help me with this too? Thank you, you are great.

    • Xiao Guoan (Admin)
      2 years ago

      This means your server can’t use IPv6. You need to disable IPv6 in BIND. Open the /etc/default/named file.

      sudo nano /etc/default/named

      Add -4 to the OPTIONS.

      OPTIONS="-u bind -4"

      Save and close the file. Then restart BIND and you are done.

      sudo systemctl restart named

      You can also disable IPv6 at OS level.
      2 Ways to Disable IPv6 on Ubuntu Desktop & Server

  • Hi friend, thank you for your help, everything went OK. Last request if possible. When I enable autostart at boot time, I get the following answer.

    sudo systemctl enable bind9

    Failed to enable unit: Refusing to operate on alias name or linked unit file: bind9.service

    Once again, thank you so much.

    • Xiao Guoan (Admin)
      2 years ago

      The latest version of BIND should use the following command to enable autostart.

      sudo systemctl enable named

  • When I tried to reach my website I got this error: DNS_PROBE_FINISHED_NXDOMAIN

  • Great guide. Was wondering if it’s possible to do a guide on enabling RFC2136 DNS updates for Let’s Encrypt? Been trying to set it up for automated updates; it works with Certbot but not Acme.sh.

    Regards
