
Bind9 Server Configuration

Shenzhen, China

Example Setup

I have 2 servers called service1 and service2 - the servers are:

  • located in the dc1 datacenter
  • on a 172.24.0.0/16 subnet
  • run services that belong to a web application on instar.com

The naming scheme used to refer to this private subnet or zone is dc1.instar.com. The servers should be reachable under the private Fully-Qualified Domain Names (FQDN) service1.dc1.instar.com and service2.dc1.instar.com, respectively:

| Host     | Role               | Private FQDN             | Private IP Address |
|----------|--------------------|--------------------------|--------------------|
| service1 | First web service  | service1.dc1.instar.com  | 172.24.0.2         |
| service2 | Second web service | service2.dc1.instar.com  | 172.24.0.3         |

I want to set up a primary DNS server, ns1 and a secondary DNS server ns2, which will serve as a backup:

| Host | Role                 | Private FQDN         | Private IP Address |
|------|----------------------|----------------------|--------------------|
| ns1  | Primary DNS Server   | ns1.nyc3.example.com | 172.24.0.15        |
| ns2  | Secondary DNS Server | ns2.nyc3.example.com | 172.24.0.16        |

Configuring Bind9

I am going to run this entire setup in Docker. But before I can start the Bind9 Docker container I first need to create the configuration files on my Debian host system:

mkdir -p /opt/dns/{ns1,ns2}

Primary DNS Server

BIND’s configuration consists of multiple files, which are included from the main configuration file, /etc/bind/named.conf:

named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options

I will start with configuring the named.conf.options file. Above the existing block of options, I create a new ACL block called trusted. This is where I can define a list of clients that I will allow recursive DNS queries from:

nano /opt/dns/ns1/named.conf.options  # /etc/bind/named.conf.options
acl "trusted" {
        172.24.0.15; # ns1
        172.24.0.16; # ns2
        172.24.0.2;  # host1
        172.24.0.3;  # host2
};

Now I can edit the options block below and add the private IP address of ns1 to the listen-on port 53 directive for IPv4. Below those entries, change the allow-transfer directive from none to the ns2 private IP address 172.24.0.16, so that only the secondary may pull the zone. Also, change the allow-query directive from localhost to trusted:

options {
    directory "/var/cache/bind";

    recursion yes;
    listen-on port 53 { 127.0.0.1; 172.24.0.15; };
    #listen-on-v6 port 53 { ::1; };

    allow-transfer { 172.24.0.16; }; # zone transfers (AXFR) only to ns2, nobody else

    allow-query { trusted; };  # allows queries from "trusted" clients

    forwarders {
            8.8.8.8;
            4.4.4.4;
    };
};

The above configuration specifies that only the trusted servers will be able to query your DNS server, and that only ns2 is allowed to request a copy of the zone.
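To check that a named.conf.options file really closes the two doors this section is about (zone transfers to the world and recursion for everyone), here is a small added linter in Python. It is my own example, not part of the page or of BIND; the sample text it reads is a constructed copy of the ns1 options above, and the "no allow-transfer" finding only says that the server is relying on BIND's built-in default rather than on an explicit decision.

```python
import re

# Constructed sample mirroring the ns1 options from the page (not the page's own file).
SAMPLE_OPTIONS = '''
acl "trusted" {
        172.24.0.15; # ns1
        172.24.0.16; # ns2
        172.24.0.2;  # host1
        172.24.0.3;  # host2
};
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { 127.0.0.1; 172.24.0.15; };
    allow-transfer { 172.24.0.16; };  # only the secondary may pull the zone
    allow-query { trusted; };
};
'''

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def address_list(body):
    return [item.strip() for item in body.split(";") if item.strip()]

def parse_acls(text):
    """Map each named acl block to its member list."""
    return {name: address_list(body)
            for name, body in re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text)}

def directive(text, name):
    """Entries of a brace directive such as allow-query, or None when it is absent."""
    match = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", text)
    return address_list(match.group(1)) if match else None

def expand(entries, acls):
    """Replace acl names by their members, so 'trusted' becomes the four hosts."""
    out = []
    for entry in entries or []:
        out.extend(expand(acls[entry], acls) if entry in acls else [entry])
    return out

def audit_options(text):
    """Return a list of findings; an empty list means both checks passed."""
    text = strip_comments(text)
    acls, findings = parse_acls(text), []
    transfer = directive(text, "allow-transfer")
    if transfer is None:
        findings.append("allow-transfer not set: zone transfers rely on BIND's built-in default")
    elif "any" in expand(transfer, acls):
        findings.append("allow-transfer { any; }: anyone can pull the whole zone (AXFR)")
    # Without allow-recursion, BIND derives the recursion ACL from allow-query.
    rec_acl = expand(directive(text, "allow-recursion") or directive(text, "allow-query"), acls)
    if re.search(r"\brecursion\s+yes\b", text) and "any" in rec_acl:
        findings.append("recursion yes with recursive access from any: open resolver")
    return findings
```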

named.conf.local

Next, I will configure the /etc/bind/named.conf.local file to specify the forward and reverse zones.

nano /opt/dns/ns1/named.conf.local  # /etc/bind/named.conf.local

First, the Forward Zone:

zone "dc1.instar.com" {
    type master;
    file "/etc/named/zones/db.dc1.instar.com"; # zone file path
};

And the Reverse Zone (note that the reverse zone name starts with 24.172 which is the octet reversal of 172.24):

zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.172.24";  # 172.24.0.0/16 subnet
};

If your servers span multiple private subnets but are in the same datacenter, be sure to specify an additional zone and zone file for each subnet.