Bind9 Server Configuration
Example Setup
I have 2 servers called service1 and service2. The servers:
- are located in the dc1 datacenter
- are on a 172.24.0.0/16 subnet
- run services that belong to a web application on instar.com
The naming scheme used to refer to this private subnet or zone is dc1.instar.com. The servers should be reachable under the private Fully-Qualified Domain Names (FQDN) service1.dc1.instar.com and service2.dc1.instar.com, respectively:
Host | Role | Private FQDN | Private IP Address |
---|---|---|---|
service1 | First web service | service1.dc1.instar.com | 172.24.0.2 |
service2 | Second web service | service2.dc1.instar.com | 172.24.0.3 |
I want to set up a primary DNS server, ns1, and a secondary DNS server, ns2, which will serve as a backup:
Host | Role | Private FQDN | Private IP Address |
---|---|---|---|
ns1 | Primary DNS Server | ns1.nyc3.example.com | 172.24.0.15 |
ns2 | Secondary DNS Server | ns2.nyc3.example.com | 172.24.0.16 |
Bind9 Configure
I am going to run this entire setup in Docker. But before I can start the Bind9 Docker container I first need to create the configuration files on my Debian host system:
mkdir -p /opt/dns/{ns1,ns2}
Primary DNS Server
BIND's configuration consists of multiple files, which are included from the main configuration file, /etc/bind/named.conf:
named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
I will start with configuring the named.conf.options file. Above the existing block of options, I create a new ACL block called trusted. This is where I can define the list of clients that I will allow recursive DNS queries from:
nano /opt/dns/ns1/named.conf.options # /etc/bind/named.conf.options
acl "trusted" {
    172.24.0.15; # ns1
    172.24.0.16; # ns2
    172.24.0.2;  # service1
    172.24.0.3;  # service2
};
Now I can edit the options block below and add the private IP address of ns1 to the listen-on port 53 directive for IPv4. Below those entries, change the allow-transfer directive from none to the ns2 private IP address 172.24.0.16. Also, change the allow-query directive from localhost to trusted:
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { 127.0.0.1; 172.24.0.15; };
    #listen-on-v6 port 53 { ::1; };
    allow-transfer { 172.24.0.16; }; # zone transfers only to ns2, nobody else
    allow-query { trusted; };        # allows queries from "trusted" clients only
    forwarders {
        8.8.8.8;
        4.4.4.4;
    };
};
The above configuration specifies that only the clients listed in the trusted ACL will be able to query your DNS server, and that only ns2 may pull a copy of the zones.
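The two directives that matter most for exposure here are allow-query (on a server with recursion yes, an allow-query of any turns it into an open resolver) and allow-transfer (any lets every client pull the whole zone). The following added check, which is not part of the original post, is a small Python linter over an options block that flags exactly those two weak settings; the two embedded blocks are constructed samples (the hardened one from above, and a deliberately open variant), and the finding names open-recursion and open-transfer are my own labels. It treats an absent allow-transfer as unrestricted, which is an assumption matching older BIND 9 defaults.

```python
import re

# Constructed sample: the hardened options block as configured on ns1 above
# (comments left in on purpose, the linter has to ignore them).
SAFE_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { 127.0.0.1; 172.24.0.15; };
    allow-transfer { 172.24.0.16; }; # only ns2 may pull the zone
    allow-query { trusted; };        // only the "trusted" ACL may ask
};
"""

# Constructed weak variant: recursion left open to everybody, zone handed to anybody.
WEAK_OPTIONS = """
options {
    recursion yes;
    allow-transfer { any; };
    allow-query { any; };
};
"""


def _strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def directive(text, name):
    """Address-match list of `name` as a list of tokens, or None if the directive is absent.

    The lookarounds keep `allow-query` from matching `allow-query-cache`, and
    `[^{;]*` skips modifiers such as `port 53` between the name and the brace.
    """
    pattern = r"(?<![\w-])%s(?![\w-])[^{;]*\{([^}]*)\}" % re.escape(name)
    m = re.search(pattern, _strip_comments(text))
    if m is None:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def lint_options(text):
    """Return the list of findings for an options block; an empty list means nothing flagged."""
    findings = []
    clean = _strip_comments(text)
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", clean)
    recursive = m is None or m.group(1) == "yes"   # BIND 9 defaults to recursion yes
    allow_query = directive(text, "allow-query") or []
    allow_recursion = directive(text, "allow-recursion")
    allow_transfer = directive(text, "allow-transfer")

    # Open recursion: the server resolves for any client. Assumption: when
    # allow-recursion is not set, allow-query is what limits recursive clients.
    if recursive and allow_recursion is None and "any" in allow_query:
        findings.append("open-recursion")
    if recursive and allow_recursion is not None and "any" in allow_recursion:
        findings.append("open-recursion")

    # Open zone transfer: any host can AXFR the whole zone. Assumption: an absent
    # allow-transfer is treated as unrestricted, matching older BIND 9 defaults.
    if allow_transfer is None or "any" in allow_transfer:
        findings.append("open-transfer")
    return findings


if __name__ == "__main__":
    print("safe:", lint_options(SAFE_OPTIONS))   # []
    print("weak:", lint_options(WEAK_OPTIONS))   # ['open-recursion', 'open-transfer']
```

Run it against the real file with `lint_options(open("/opt/dns/ns1/named.conf.options").read())`; it is a quick sanity check, not a replacement for named-checkconf, which still validates the syntax.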
named.conf.local
Next, I will configure the /etc/bind/named.conf.local file, to specify the forward and reverse zones.
nano /opt/dns/ns1/named.conf.local # /etc/bind/named.conf.local
First, the Forward Zone:
zone "dc1.instar.com" {
type master;
file "/etc/named/zones/db.dc1.instar.com"; # zone file path
};
And the Reverse Zone (note that the reverse zone name starts with 24.172, which is the octet reversal of 172.24):
zone "24.172.in-addr.arpa" {
type master;
file "/etc/named/zones/db.172.24"; # 172.24.0.0/16 subnet
};
If your servers span multiple private subnets but are in the same datacenter, be sure to specify an additional zone and zone file for each subnet.
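The octet reversal above is mechanical, and so are the PTR owner names inside the reverse zone, so it is worth having a small helper derive both rather than typing them by hand for every subnet. The following is an added Python example, not code from the original post: it computes the in-addr.arpa zone name for a /8, /16 or /24 and the relative PTR record lines for the hosts of that subnet. The host table is constructed from the example setup above; placing ns1 and ns2 under dc1.instar.com is an assumption made for the sake of the example.

```python
import ipaddress

# Constructed host table taken from the example setup above (assumption: the
# name servers are also named under dc1.instar.com).
HOSTS = {
    "service1": "172.24.0.2",
    "service2": "172.24.0.3",
    "ns1": "172.24.0.15",
    "ns2": "172.24.0.16",
}


def reverse_zone(cidr):
    """Name of the in-addr.arpa zone for an IPv4 network whose prefix ends on an octet boundary."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("classless reverse zones are out of scope here; use a /8, /16 or /24")
    network_octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    # 172.24.0.0/16 -> ["172", "24"] -> "24.172.in-addr.arpa"
    return ".".join(reversed(network_octets)) + ".in-addr.arpa"


def ptr_owner(ip, cidr):
    """Owner name of the PTR record for `ip`, relative to reverse_zone(cidr)."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    # The host part is every octet after the network part, reversed:
    # 172.24.0.2 in a /16 -> ["0", "2"] -> "2.0"
    host_octets = str(addr).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host_octets))


def ptr_records(hosts, cidr, domain):
    """PTR lines for the reverse zone file, one per host, ordered by address."""
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    return [f"{ptr_owner(ip, cidr)}\tIN\tPTR\t{name}.{domain}." for name, ip in ordered]


if __name__ == "__main__":
    zone = reverse_zone("172.24.0.0/16")
    print(f'zone "{zone}"')
    for line in ptr_records(HOSTS, "172.24.0.0/16", "dc1.instar.com"):
        print(line)
```

The ValueError on a non-octet prefix is deliberate: a /20 or /28 needs the classless delegation scheme of RFC 2317 rather than a plain 24.172.in-addr.arpa style zone, which is a different setup from the one on this page.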