Configure BIND as DNS Server on Ubuntu 18.04


In this guide, we are going to learn how to install and configure BIND as DNS server on Ubuntu 18.04. BIND (Berkeley Internet Name Domain system), or named, is the most widely used Domain Name System software on the Internet.


Install BIND 9 on Ubuntu 18.04

To begin with, update the system packages.

apt update
apt upgrade

Next, install the BIND 9 package and its utilities on Ubuntu 18.04.

apt install bind9 bind9utils

Configuring BIND as Master DNS Server on Ubuntu 18.04

Once the installation of BIND packages is done, proceed to configure BIND as Master DNS server.

Configure Access Control List

The acl statement defines named groups of hosts that can be permitted or denied access to the nameserver. Open the named options configuration file and define the acl block as shown below.

vim /etc/bind/named.conf.options
acl "allowed" {
        192.168.2.0/24;
};

options {
  directory "/var/cache/bind";
...

This creates an ACL called allowed that matches the hosts on the local network (192.168.2.0/24 in this demo).

Define global server configuration options

The options statement allows you to define global server configuration options, set defaults for other statements, specify the location of the named working directory, the types of queries allowed, and so on.

...
options {
  directory "/var/cache/bind";

        recursion yes;
        allow-recursion { localhost; allowed; };
        listen-on port 53 { localhost; 192.168.2.5; };
        allow-query { localhost; allowed; };
        allow-transfer { none; };

        forwarders {
                192.168.2.1;
                8.8.8.8;
        };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

Where:

  • recursion – Specifies whether to act as a recursive server.
  • allow-recursion – Defines hosts to allow recursive queries from.
  • listen-on – Specifies the IPv4 network interface on which to listen for queries.
  • allow-query – Specifies which hosts are allowed to query the nameserver for authoritative resource records.
  • allow-transfer – Specifies which secondary servers are allowed to request a transfer of the zone’s information. 
  • forwarders – Defines one or more IP addresses of name servers to query.
  • dnssec-validation – Specifies whether to prove that resource records are authentic through DNSSEC. The default option is yes.
  • auth-nxdomain – Defines whether the server should answer authoritatively.
  • listen-on-v6 – Specifies the IPv6 network interface on which to listen for queries. 

Save the configuration file and check it for syntax errors by running the command below. If there is no output, the syntax is correct:

named-checkconf /etc/bind/named.conf.options
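named-checkconf only proves the file parses; it says nothing about whether the access controls above actually restrict recursion and zone transfers. The following script is an added example (not part of the guide or of BIND) that parses the flat statements of an options block and flags the settings that would turn this server into an open resolver or expose its zones; the hardened sample reproduces the guide's block, and the weak variant is constructed for contrast.

```python
"""Audit the access-control statements in a BIND options block. Added example,
not the guide's own code: named-checkconf catches syntax errors only, it will
not tell you that recursion or zone transfers are open to the whole Internet."""
import re

# Constructed sample mirroring the guide's hardened options block.
HARDENED = """
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { localhost; allowed; };
        listen-on port 53 { localhost; 192.168.2.5; };
        allow-query { localhost; allowed; };
        allow-transfer { none; };
        forwarders { 192.168.2.1; 8.8.8.8; };
        dnssec-validation auto;
};
"""
# Constructed weak variant: an open resolver that also hands its zones to anyone.
OPEN_RESOLVER = """
options {
        recursion yes;
        allow-recursion { any; };
        allow-query { any; };
        allow-transfer { any; };
};
"""
# Matches `name [port N] { a; b; };` and `name value;` (flat statements only).
STMT = re.compile(r'^\s*([a-z0-9-]+)(?:\s+port\s+\d+)?\s*(?:\{([^}]*)\}|([^;{]+))\s*;', re.M)

def parse_options(text):
    """Return {statement: [values]} for the statements inside options { ... }."""
    block = re.search(r'options\s*\{(.*)\};', text, re.S)
    if not block:
        raise ValueError("no options block found")
    return {name: [v.strip() for v in (braced or bare).split(";") if v.strip()]
            for name, braced, bare in STMT.findall(block.group(1))}

def audit(text):
    """Return findings about exposure; an empty list means the ACLs look sane."""
    opts, findings = parse_options(text), []
    if opts.get("recursion", ["yes"])[0] == "yes" and "any" in opts.get("allow-recursion", []):
        findings.append("open resolver: allow-recursion permits any host (reflection/amplification risk)")
    if "any" in opts.get("allow-transfer", []) or "allow-transfer" not in opts:
        findings.append("allow-transfer is any or unset: BIND 9.11 then allows AXFR of the zone to all hosts")
    if "listen-on" not in opts:
        findings.append("listen-on unset: named answers on every IPv4 address")
    return findings
```

Run audit() over the real /etc/bind/named.conf.options after editing it; the sample strings only exist so the block runs offline.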

Configure DNS Server Zone Statements

The zone statement defines the characteristics of a zone, such as the location of its zone file and zone-specific options. Define the forward and reverse zone statements as shown below:

vim /etc/bind/named.conf.local
# Zone statement for forward DNS lookup
zone "kifarunix-demo.com" IN {
        type master;
        file "kifarunix-demo.com";
};
# Zone statement for reverse DNS lookup
zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "rev-kifarunix-demo.com";
};

Create Forward and Reverse Zone Files

A zone file is a text file that describes a DNS zone. It contains mappings between domain names and IP addresses and other DNS resource records (RRs).

  • Forward zone file is used to translate hostnames into IP addresses
  • Reverse zone file defines how to resolve IP addresses into hostnames.

The zone files can be created in the BIND working directory set by the directory option in the options statement.

vim /var/cache/bind/kifarunix-demo.com
$TTL    86400
@       IN      SOA     ns1.kifarunix-demo.com. root.kifarunix-demo.com. (
                2019061401   ; serial
                7200         ; refresh after 2 hours 
                3600         ; retry after 1 hour
                604800       ; expire after 1 week
                86400 )      ; minimum TTL of 1 day
;
; Primary Nameserver
        IN      NS      ns1.kifarunix-demo.com.
;
; Define A records (forward lookups)
ns1     IN      A       192.168.2.5
server01        IN      A       192.168.2.100

Create Reverse Zone File

vim /var/cache/bind/rev-kifarunix-demo.com
$TTL    86400
@       IN      SOA     ns1.kifarunix-demo.com. root.kifarunix-demo.com. (
                2019061401   ; serial
                7200         ; refresh after 2 hours 
                3600         ; retry after 1 hour
                604800       ; expire after 1 week
                86400 )      ; minimum TTL of 1 day
;
; Primary nameserver
@       IN      NS      ns1.kifarunix-demo.com.
; PTR records for reverse lookup
5       IN      PTR     ns1.kifarunix-demo.com.
100     IN      PTR     server01.kifarunix-demo.com.

Verify Zone Configuration Syntax

Once you are done creating the zone files, run the command below to check for syntax errors.

named-checkzone kifarunix-demo.com /var/cache/bind/kifarunix-demo.com
zone kifarunix-demo.com/IN: loaded serial 2019061401
OK
named-checkzone 2.168.192.in-addr.arpa /var/cache/bind/rev-kifarunix-demo.com
zone 2.168.192.in-addr.arpa/IN: loaded serial 2019061401
OK
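named-checkzone validates each zone file on its own, so it will not notice an A record whose address has no PTR in the reverse zone, or a PTR that names a host with no A record. The script below is an added example (not from the guide or from BIND) that parses constructed copies of the two zone files above, with one extra host (server02) deliberately lacking a PTR, and reports the mismatches; it understands only the record layout the guide uses (owner, IN, type, rdata, no per-record TTL field).

```python
"""Cross-check the forward and reverse zones for A/PTR consistency. Added example,
not the guide's own code: named-checkzone validates each file on its own and will
not notice an A record whose address has no PTR, or a PTR whose name has no A."""
FORWARD_ORIGIN = "kifarunix-demo.com."
REVERSE_ORIGIN = "2.168.192.in-addr.arpa."

# Constructed copies of the guide's zone data; server02 is an extra host with no PTR.
FORWARD_ZONE = """\
$TTL    86400
@       IN      SOA     ns1.kifarunix-demo.com. root.kifarunix-demo.com. (
                2019061401 7200 3600 604800 86400 )   ; serial refresh retry expire min
        IN      NS      ns1.kifarunix-demo.com.
ns1     IN      A       192.168.2.5
server01        IN      A       192.168.2.100
server02        IN      A       192.168.2.101
"""
REVERSE_ZONE = """\
@       IN      SOA     ns1.kifarunix-demo.com. root.kifarunix-demo.com. (
                2019061401 7200 3600 604800 86400 )
@       IN      NS      ns1.kifarunix-demo.com.
5       IN      PTR     ns1.kifarunix-demo.com.
100     IN      PTR     server01.kifarunix-demo.com.
"""

def qualify(name, origin):
    """Expand @ and relative owner names to fully qualified names."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def records(zone_text, origin, rtype):
    """Return [(owner, rdata)] of type rtype; owner/IN/type/rdata layout, no TTL field."""
    owner, found = origin, []
    for line in zone_text.splitlines():
        line = line.split(";")[0]                       # strip zone-file comments
        if not line.strip() or line.startswith("$"):    # skip blanks and $TTL/$ORIGIN
            continue
        tokens = line.split()
        if not line[0].isspace():                       # non-indented line: new owner
            owner = qualify(tokens.pop(0), origin)
        if len(tokens) >= 3 and tokens[0] == "IN" and tokens[1] == rtype:
            found.append((owner, tokens[2]))
    return found
def ptr_to_ip(ptr_owner):
    """100.2.168.192.in-addr.arpa. -> 192.168.2.100"""
    return ".".join(reversed(ptr_owner[:-len(".in-addr.arpa.")].split(".")))

def check_consistency(forward, reverse):
    """Return mismatch descriptions; an empty list means both zones agree."""
    a_pairs = set(records(forward, FORWARD_ORIGIN, "A"))
    ptr_pairs = {(t, ptr_to_ip(o)) for o, t in records(reverse, REVERSE_ORIGIN, "PTR")}
    problems = [f"A {h} {ip}: no matching PTR" for h, ip in sorted(a_pairs - ptr_pairs)]
    problems += [f"PTR {ip} {h}: no matching A" for h, ip in sorted(ptr_pairs - a_pairs)]
    return problems
```

To use it on the real files, read /var/cache/bind/kifarunix-demo.com and /var/cache/bind/rev-kifarunix-demo.com into the two strings before calling check_consistency().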

Running BIND

Once you have confirmed that there are no configuration errors on your zone configuration files, proceed to restart and enable BIND to run on system boot.

systemctl restart bind9
systemctl enable  bind9

Allow BIND on Firewall

If UFW is running, run the command below to allow BIND through it.

ufw allow Bind9

Testing BIND

To test BIND resolution on the DNS server itself, edit the netplan interface configuration file and point the nameserver address at the DNS server's IP as shown below:

less /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses: [192.168.2.5/24]
      nameservers:
              addresses:
                      - 192.168.2.5
              search: [ kifarunix-demo.com ]

Run the command below to apply the interface changes.

netplan apply

Next, check the system's DNS resolver status.

systemd-resolve --status enp0s3
Link 2 (enp0s3)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.2.5
          DNS Domain: kifarunix-demo.com

Now try to resolve the DNS server's own hostname; if it resolves as below, all is well.

dig ns1.kifarunix-demo.com
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> ns1.kifarunix-demo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56448
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ns1.kifarunix-demo.com.		IN	A

;; ANSWER SECTION:
ns1.kifarunix-demo.com.	3750	IN	A	192.168.2.5

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Jun 15 14:20:12 EAT 2019
;; MSG SIZE  rcvd: 67

Configuring the client

In this example, the client is also an Ubuntu 18.04 server. Edit its interface configuration in the same way and set the DNS server IP address as shown below:

less /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses: [192.168.2.100/24]
      nameservers:
              addresses:
                      - 192.168.2.5
              search: [ kifarunix-demo.com ]

Apply the changes with netplan apply and try name resolution.

dig server01.kifarunix-demo.com
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> server01.kifarunix-demo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4331
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;server01.kifarunix-demo.com.	IN	A

;; ANSWER SECTION:
server01.kifarunix-demo.com. 3201 IN	A	192.168.2.100

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Jun 15 11:24:36 EAT 2019
;; MSG SIZE  rcvd: 72

Reverse DNS lookup on the Client

dig -x 192.168.2.100
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> -x 192.168.2.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2338
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;100.2.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
100.2.168.192.in-addr.arpa. 86400 IN	PTR	server01.kifarunix-demo.com.

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Jun 15 11:26:32 EAT 2019
;; MSG SIZE  rcvd: 96
dig -x 192.168.2.5
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> -x 192.168.2.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;5.2.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
5.2.168.192.in-addr.arpa. 86400	IN	PTR	ns1.kifarunix-demo.com.

;; Query time: 2 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Jun 15 11:28:01 EAT 2019
;; MSG SIZE  rcvd: 89

And there you go. You have successfully installed and configured BIND as a DNS server on Ubuntu 18.04. In our next tutorial, we are going to learn how to create a slave DNS server on Ubuntu 18.04.

Want to set up BIND as a DNS server on CentOS 7? Check the link below.

How to Setup Master-Slave DNS Server using BIND on CentOS 7

4 COMMENTS

  1. Hello! This is my first time trying this out, and I have a question.
    On the “forwarders”, what IP’s should I put there? I’m not quite understanding what “192.168.1” refers to… Is it our server? Or the DNS’s server? Thank you!

      • So if I want to make a simulation of a company and I want to have only one dns server to solve names only on that company, I will not have forwarders?

        • Hello Pedro, it depends if you want them to have access to the Internet through that DNS server; you will need to put some forwarders.
