Bind9 Server Configuration

Shenzhen, China

Example Setup

I have 2 servers called service1 and service2 - the servers are:

  • located in the dc1 datacenter
  • on a subnet
  • run services that belong to a web application on

The naming scheme used to refer to this private subnet or zone is The servers should be reachable under the private Fully-Qualified Domain Names (FQDN) and, respectively:

Host     | Role               | Private FQDN            | Private IP Address
service1 | First web service  | service1.dc1.instar.com | 172.24.0.2
service2 | Second web service | service2.dc1.instar.com | 172.24.0.3

I want to set up a primary DNS server, ns1 and a secondary DNS server ns2, which will serve as a backup:

Host | Role                 | Private FQDN         | Private IP Address
ns1  | Primary DNS Server   | ns1.nyc3.example.com | 172.24.0.15
ns2  | Secondary DNS Server | ns2.nyc3.example.com | 172.24.0.16

Bind9 Configure

I am going to run this entire setup in Docker. But before I can start the Bind9 Docker container I first need to create the configuration files on my Debian host system:

mkdir -p /opt/dns/{ns1,ns2}

Primary DNS Server

BIND’s configuration consists of multiple files, which are included from the main configuration file, /etc/bind/named.conf:


// This is the primary configuration file for the BIND DNS server named.
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


I will start with configuring the named.conf.options file. Above the existing block of options, I create a new ACL block called trusted. This is where I can define a list of clients that I will allow recursive DNS queries from:

nano /opt/dns/ns1/named.conf.options  # /etc/bind/named.conf.options
acl "trusted" {
    ;  # ns1
    ;  # ns2
    ;  # host1
    ;  # host2
};

Now I can edit the options block below and add the private IP address of ns1 to the listen-on port 53 directive for IPv4. Below those entries, change the allow-transfer directive from none to the ns2 private IP address. Also, change the allow-query directive from localhost to trusted:

options {
    directory "/var/cache/bind";

    recursion yes;
    listen-on port 53 {;; };
    #listen-on-v6 port 53 { ::1; };

    allow-transfer {; }; # disable zone transfers by default

    allow-query { trusted; };  # allows queries from "trusted" clients

    forwarders {

The above configuration specifies that only the hosts listed in the trusted ACL will be able to query this DNS server.
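The two settings that matter most for a primary that also recurses are allow-query (with recursion yes, an unrestricted value turns the server into an open resolver that anyone can use for amplification) and allow-transfer (an unrestricted value hands the whole zone to any client that asks). The following is an added example, not code from the original post: a small Python linter that reads an options block in the flat "directive { a; b; };" shape used above and flags both weaknesses. The two embedded option blocks are constructed samples; the IP addresses in them are taken from the tables earlier on the page (ns1 172.24.0.15, ns2 172.24.0.16), and the parser deliberately understands only this simple layout, not the full named.conf grammar.

```python
"""Lint a BIND named.conf.options block for open-resolver and open-transfer
settings. Added example, not from the original page; the parser is a
minimal regex-based one for the flat 'directive { a; b; };' layout shown in
the post, not a full named.conf parser."""
import re
from typing import Dict, List

# Constructed sample: a weak options block (open recursive resolver and
# unrestricted zone transfers).
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { 127.0.0.1; 172.24.0.15; };
    allow-transfer { any; };
    allow-query { any; };
};
"""

# Constructed sample: the hardened shape the post arrives at (queries only
# from the "trusted" ACL, transfers only to ns2 at 172.24.0.16).
HARDENED_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { 127.0.0.1; 172.24.0.15; };
    allow-transfer { 172.24.0.16; };   # secondary (ns2) only
    allow-query { trusted; };          # clients in the "trusted" ACL
};
"""

OPEN_RESOLVER = 'open resolver: recursion yes with recursive queries allowed from any'
OPEN_TRANSFER = 'zone transfers allowed from any host (full zone disclosure)'
NO_TRANSFER_ACL = 'allow-transfer not set: set it explicitly to the secondaries only'

_DIRECTIVE = re.compile(
    r'(allow-query-cache|allow-query|allow-transfer|allow-recursion)\s*\{([^}]*)\}')


def strip_comments(text: str) -> str:
    """Drop '#' and '//' line comments so they are never parsed as values."""
    return re.sub(r'(#|//)[^\n]*', '', text)


def parse_acl_directives(text: str) -> Dict[str, List[str]]:
    """Return {directive: [address-match-list entries]} for the linted directives."""
    found: Dict[str, List[str]] = {}
    for name, body in _DIRECTIVE.findall(strip_comments(text)):
        found[name] = [item.strip() for item in body.split(';') if item.strip()]
    return found


def recursion_enabled(text: str) -> bool:
    """True when the block contains 'recursion yes;'."""
    match = re.search(r'\brecursion\s+(yes|no)\s*;', strip_comments(text))
    return bool(match and match.group(1) == 'yes')


def lint_options(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    acls = parse_acl_directives(text)
    # When neither allow-recursion nor allow-query-cache is set, BIND derives
    # the recursion ACL from allow-query, so 'allow-query { any; }' together
    # with 'recursion yes' makes the server an open resolver.
    effective_recursion = acls.get(
        'allow-recursion', acls.get('allow-query-cache', acls.get('allow-query', [])))
    if recursion_enabled(text) and 'any' in effective_recursion:
        findings.append(OPEN_RESOLVER)
    if 'any' in acls.get('allow-transfer', []):
        findings.append(OPEN_TRANSFER)
    elif 'allow-transfer' not in acls:
        findings.append(NO_TRANSFER_ACL)
    return findings


if __name__ == '__main__':
    for label, block in (('weak', WEAK_OPTIONS), ('hardened', HARDENED_OPTIONS)):
        print(f'{label}: {lint_options(block) or ["ok"]}')
```

Running the script prints two findings for the weak block and "ok" for the hardened one. The check is intentionally conservative: it only looks at the literal token any, so an ACL name that itself expands to any (defined elsewhere in named.conf) would pass; a production check would resolve ACL definitions first or, simpler, run named-checkconf and review the effective ACLs by hand.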


Next, I will configure the /etc/bind/named.conf.local file to specify the forward and reverse zones.

nano /opt/dns/ns1/named.conf.local  # /etc/bind/named.conf.local

First, the Forward Zone:

zone "" {
    type master;
    file "/etc/named/zones/"; # zone file path

And the Reverse Zone (note that the reverse zone name starts with 24.172 which is the octet reversal of 172.24):

zone "" {
    type master;
    file "/etc/named/zones/db.172.24";  # subnet

If your servers span multiple private subnets but are in the same datacenter, be sure to specify an additional zone and zone file for each subnet.
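Getting the reverse zone name right by hand is error-prone once there are several subnets, and a typo there silently breaks PTR lookups. As an added example (not code from the original post), the Python helpers below derive the in-addr.arpa zone name for an octet-aligned IPv4 prefix by the same octet reversal described above, compute the relative owner name of a host's PTR record, and emit one zone stanza per subnet in the shape used in the post. The /etc/named/zones/db.<prefix> file-name pattern is an assumption modelled on the post's db.172.24; the 172.24.0.0/16 network and the host addresses are taken from the tables on the page, and the second subnet is a constructed value.

```python
"""Derive in-addr.arpa reverse-zone names and named.conf.local stanzas for
octet-aligned IPv4 subnets. Added example, not from the original post; the
file-name pattern /etc/named/zones/db.<prefix> is assumed, after the post's
db.172.24."""
import ipaddress
from typing import List


def reverse_zone_name(cidr: str) -> str:
    """Return the in-addr.arpa zone for a /8, /16 or /24 IPv4 network.

    The octets covered by the prefix are written in reverse order, so
    172.24.0.0/16 becomes 24.172.in-addr.arpa. Prefixes that do not fall on
    an octet boundary need RFC 2317 classless delegation; this helper refuses
    them instead of guessing a zone name."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: only octet-aligned IPv4 prefixes are supported")
    octets = str(net.network_address).split('.')[: net.prefixlen // 8]
    return '.'.join(reversed(octets)) + '.in-addr.arpa'


def ptr_owner(ip: str, cidr: str) -> str:
    """Owner name of a host's PTR record relative to its reverse zone,
    e.g. 172.24.0.2 inside 172.24.0.0/16 -> '2.0'."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    host_octets = str(addr).split('.')[net.prefixlen // 8:]
    return '.'.join(reversed(host_octets))


def reverse_zone_stanzas(cidrs: List[str]) -> str:
    """One 'zone ... { type master; file ...; };' block per subnet."""
    blocks = []
    for cidr in cidrs:
        zone = reverse_zone_name(cidr)
        prefix = zone[: -len('.in-addr.arpa')].split('.')
        # Assumed file naming, modelled on the post's db.172.24.
        db_file = 'db.' + '.'.join(reversed(prefix))
        blocks.append(
            f'zone "{zone}" {{\n'
            f'    type master;\n'
            f'    file "/etc/named/zones/{db_file}";  # {cidr}\n'
            f'}};')
    return '\n\n'.join(blocks)


if __name__ == '__main__':
    # 172.24.0.0/16 is the post's subnet; 10.7.3.0/24 is a constructed second one.
    print(reverse_zone_stanzas(['172.24.0.0/16', '10.7.3.0/24']))
    for host in ('172.24.0.2', '172.24.0.3', '172.24.0.15', '172.24.0.16'):
        print(host, '->', ptr_owner(host, '172.24.0.0/16'), 'IN PTR ...')
```

The relative owner names (2.0, 3.0, 15.0, 16.0) are what go on the left of the PTR records in db.172.24 once the zone's $ORIGIN is 24.172.in-addr.arpa; the strict=True network parsing and the prefix-length check are there so a mistyped subnet fails loudly at generation time rather than producing a zone that never answers.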