In this tutorial, you will learn how to install and set up a BIND DNS server on Ubuntu 24.04. The Berkeley Internet Name Domain (BIND 9) is a versatile, classic and complete name server software package that implements an Internet domain name server. It is the most widely used name server software on the Internet. DNS, on the other hand, is a distributed naming system that maps hostnames to their respective IP addresses. This enables end users to refer to systems by their hostnames rather than by IP addresses, which may change from time to time depending on whether the IP is static or dynamic.
How to Setup BIND DNS Server on Ubuntu 24.04
Run System Update
To begin, ensure your system package repos are up-to-date.
sudo apt update
Install BIND 9 on Ubuntu 24.04
Next, install Bind 9 and other BIND/DNS utilities on Ubuntu 24.04;
sudo apt install bind9 bind9utils -y
These packages install:
- the name server daemon, named
- the Bind administration tool, rndc
- the debugging utility, dig.
Setup BIND DNS Server on Ubuntu 24.04
Once the Bind 9 package and other DNS utilities are installed, proceed to set up the DNS server.
/etc/bind/named.conf is the main configuration file for the BIND DNS server, named. By default, this is how the configuration file looks, at least on Ubuntu 24.04;
cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
From the file above:
- comment lines begin with double forward slashes, //. The # character is also accepted for comments.
- include statements are used to include other named configuration files.
- All statements must be terminated by a semicolon, ;.
Define BIND Access Control Lists
BIND ACLs give you finer control over who can access the name server and thus help prevent spoofing and denial of service (DoS) attacks against the server.
Therefore, create an Access Control List called allowed (you can use any name that suits you instead of allowed) containing the IP addresses or networks of the hosts allowed to query the DNS server. Place it before the options section in the configuration file.
sudo vim /etc/bind/named.conf.options
In our setup, we will only allow hosts in the 192.168.122.0/24 network to use our DNS server.
acl allowed {
192.168.122.0/24;
};
options {
Defining Bind Global Configuration Options
The options statement is used to define global named configuration options, set defaults for other statements, specify the location of the named working directory, the types of queries allowed, etc.
As per this configuration, on Ubuntu 24.04, all Bind options are stored in the /etc/bind/named.conf.options configuration file.
Next, open the options configuration file for editing;
vim /etc/bind/named.conf.options
BIND DNS server global configuration options are defined under the options statement.
...
options {
directory "/var/cache/bind";
recursion yes;
allow-recursion { localhost; allowed; };
listen-on port 53 { localhost; 192.168.122.52; };
allow-query { localhost; allowed; };
allow-transfer { none; };
forwarders {
8.8.8.8;
9.9.9.9;
};
dnssec-validation auto;
listen-on-v6 { any; };
};
Where:
- recursion – Specifies whether to act as a recursive server.
- allow-recursion – Defines hosts to allow recursive queries from.
- listen-on – Specifies the IPv4 network interface on which to listen for queries.
- allow-query – Specifies which hosts are allowed to query the nameserver for authoritative resource records.
- allow-transfer – Specifies which secondary servers are allowed to request a transfer of the zone’s information.
- forwarders – Specifies external DNS servers to which DNS queries should be forwarded if the local server is unable to resolve them directly.
- dnssec-validation – Specifies whether to prove that resource records are authentic through DNSSEC. The default option is yes.
- listen-on-v6 – Specifies the IPv6 network interface on which to listen for queries.
In its basic form, this is how our DNS server configuration looks;
acl allowed {
192.168.122.0/24;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-recursion { localhost; allowed; };
listen-on port 53 { localhost; 192.168.122.52; };
allow-query { localhost; allowed; };
allow-transfer { none; };
forwarders {
8.8.8.8;
9.9.9.9;
};
dnssec-validation auto;
listen-on-v6 { any; };
};
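The security-relevant part of this block is the pair allow-recursion / allow-query: with recursion yes and no restriction, the server becomes an open resolver that anyone on the Internet can use, including as a reflector for amplification traffic against third parties. The following Python script is an added example (not part of this tutorial and not BIND's own tooling) that parses a named.conf.options-style text, flattens references to named ACLs, applies the allow-recursion fallback chain documented in the BIND ARM (allow-query-cache, then allow-query, then the built-in localnets; localhost), and reports open recursion or open zone transfers. Treating an unset allow-transfer as any is an assumption about the default; both sample configurations are constructed, the first being the tutorial's own.

```python
import re

# Constructed sample: the tutorial's own ACL + options block (recursion limited to the LAN).
GOOD_CONF = """\
acl allowed {
    192.168.122.0/24;
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; allowed; };
    listen-on port 53 { localhost; 192.168.122.52; };
    allow-query { localhost; allowed; };
    allow-transfer { none; };
    forwarders {
        8.8.8.8;
        9.9.9.9;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};
"""

# Constructed weak variant: no allow-recursion, so recursion falls back to allow-query (any),
# and zone transfers are open to everyone.
WEAK_CONF = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
    dnssec-validation auto;
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments (all three are valid in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def parse_acls(text):
    """Map each top-level 'acl name { ... };' to its list of address-match elements."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', text):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls

def parse_options(text):
    """Return the options block as a dict: address lists as Python lists, scalars as strings."""
    m = re.search(r"\boptions\s*\{(.*)\}\s*;", text, flags=re.S)
    if not m:
        raise ValueError("no options block found")
    body = m.group(1)
    block_re = r"\b([\w-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\}\s*;"
    opts = {}
    for bm in re.finditer(block_re, body):                       # e.g. allow-query { a; b; };
        opts[bm.group(1)] = [e.strip() for e in bm.group(2).split(";") if e.strip()]
    for sm in re.finditer(r"\b([\w-]+)\s+([^;{}]+);", re.sub(block_re, "", body)):
        opts.setdefault(sm.group(1), sm.group(2).strip().strip('"'))   # e.g. recursion yes;
    return opts

def expand(elements, acls):
    """Flatten references to named ACLs so an 'any' hidden inside one is still seen."""
    out = []
    for e in elements:
        out.extend(expand(acls[e], acls) if e in acls else [e])
    return out

def effective_recursion_acl(opts, acls):
    """BIND ARM fallback chain for allow-recursion: allow-query-cache, then allow-query,
    then the built-in default 'localnets; localhost'."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return expand(opts[key], acls)
    return ["localnets", "localhost"]

def audit(conf_text):
    """Return a list of findings; an empty list means the resolver is not open."""
    text = strip_comments(conf_text)
    acls = parse_acls(text)
    opts = parse_options(text)
    findings = []
    if opts.get("recursion", "yes") == "yes":                 # recursion is on by default in BIND
        if "any" in effective_recursion_acl(opts, acls):
            findings.append("open resolver: recursion is allowed from 'any'")
    # Assumption: an unset allow-transfer behaves like 'any' (BIND's long-standing default).
    if "any" in expand(opts.get("allow-transfer", ["any"]), acls):
        findings.append("zone transfers (AXFR) are allowed from 'any'")
    return findings

if __name__ == "__main__":
    for name, conf in (("tutorial config", GOOD_CONF), ("weak config", WEAK_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```

Run it against the real file with `audit(open("/etc/bind/named.conf.options").read())`; the parser covers the directive shapes used on this page (flat address lists and scalar values), not every named.conf construct, so treat an exception as "inspect by hand", not as "clean".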
Define BIND DNS Zones
Zone files define various types of Resource Records (RR) that hold the DNS settings for a domain. The most common records include: A, SOA, MX, CNAME, NS, PTR…
We will create forward and reverse lookup zones. You can create them in the /etc/bind/named.conf.local configuration file.
Define the forward and reverse zones;
sudo vim /etc/bind/named.conf.local
zone "kifarunix-demo.com" IN {
type master;
file "/etc/bind/forward.kifarunix-demo.com";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/reverse.kifarunix-demo.com";
allow-update { none; };
};
Save and exit the file.
We have defined two zones for both forward and reverse DNS lookup where:
- Type: Master (Primary DNS server for this domain).
- Zone file: Contains forward and reverse DNS records.
- Updates: Not allowed (No dynamic DNS updates).
Create Forward and Reverse Zone Records
Create forward zone records file;
sudo vim /etc/bind/forward.kifarunix-demo.com
$ORIGIN kifarunix-demo.com.
$TTL 86400
@ IN SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
2025022301 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum TTL
;
; define nameservers
@ IN NS ns1.kifarunix-demo.com.
;
; DNS Server IP addresses and hostnames
ns1 IN A 192.168.122.52
;
;client records
k8s-ms-01 IN A 192.168.122.58
k8s-ms-02 IN A 192.168.122.59
k8s-ms-03 IN A 192.168.122.60
k8s-wk-01 IN A 192.168.122.61
k8s-wk-02 IN A 192.168.122.62
k8s-wk-03 IN A 192.168.122.63
Create a reverse zone records file;
sudo vim /etc/bind/reverse.kifarunix-demo.com
$ORIGIN 122.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
2025022302 ; serial
31220 ; refresh
1800 ; retry
1224800 ; expire
86400 ) ; minimum TTL
;
;nameservers
@ IN NS ns1.kifarunix-demo.com.
; nameserver PTR records
52 IN PTR ns1.kifarunix-demo.com.
;
; client PTR records
58 IN PTR k8s-ms-01.kifarunix-demo.com.
59 IN PTR k8s-ms-02.kifarunix-demo.com.
60 IN PTR k8s-ms-03.kifarunix-demo.com.
61 IN PTR k8s-wk-01.kifarunix-demo.com.
62 IN PTR k8s-wk-02.kifarunix-demo.com.
63 IN PTR k8s-wk-03.kifarunix-demo.com.
- The @ symbol is used in resource records (RRs) to refer to the zone’s root domain (kifarunix-demo.com in this case), so you don’t have to write it explicitly.
- In a DNS record entry, a dot at the end of a domain name signifies that it is a “fully qualified domain name” (FQDN), meaning it is a complete domain name including the top-level domain. It indicates that the DNS server should not append any additional information to it; essentially, it tells the system to interpret the name exactly as written.
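A recurring operational mistake with hand-written zone files is a forward A record without a matching PTR (or the other way round), a nameserver named in an NS record that has no A record, or a serial that was not bumped in the YYYYMMDDnn form used above. The script below is an added example, not code from this tutorial or from BIND: it parses the two zone files shown above (embedded as constructed copies, with the forward NS line given its explicit @ owner) and cross-checks A against PTR records, NS glue and serial format. It understands only the subset of master-file syntax used on this page; named-checkzone, shipped in the same package as named-checkconf, remains the authoritative syntax check.

```python
from datetime import datetime

# Constructed copies of the tutorial's two zone files.
FORWARD_ZONE = """\
$ORIGIN kifarunix-demo.com.
$TTL 86400
@ IN SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
        2025022301 ; serial
        3600       ; refresh
        1800       ; retry
        604800     ; expire
        86400 )    ; minimum TTL
;
; define nameservers
@         IN NS ns1.kifarunix-demo.com.
;
; DNS Server IP addresses and hostnames
ns1       IN A 192.168.122.52
;
; client records
k8s-ms-01 IN A 192.168.122.58
k8s-ms-02 IN A 192.168.122.59
k8s-ms-03 IN A 192.168.122.60
k8s-wk-01 IN A 192.168.122.61
k8s-wk-02 IN A 192.168.122.62
k8s-wk-03 IN A 192.168.122.63
"""

REVERSE_ZONE = """\
$ORIGIN 122.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.kifarunix-demo.com. admin.kifarunix-demo.com. (
        2025022302 ; serial
        31220      ; refresh
        1800       ; retry
        1224800    ; expire
        86400 )    ; minimum TTL
;
; nameservers
@  IN NS ns1.kifarunix-demo.com.
; nameserver PTR records
52 IN PTR ns1.kifarunix-demo.com.
;
; client PTR records
58 IN PTR k8s-ms-01.kifarunix-demo.com.
59 IN PTR k8s-ms-02.kifarunix-demo.com.
60 IN PTR k8s-ms-03.kifarunix-demo.com.
61 IN PTR k8s-wk-01.kifarunix-demo.com.
62 IN PTR k8s-wk-02.kifarunix-demo.com.
63 IN PTR k8s-wk-03.kifarunix-demo.com.
"""

def parse_zone(text):
    """Minimal master-file parser: $ORIGIN, ';' comments, a parenthesised SOA, '@' and
    relative owner names. Returns (origin, soa_serial, [(owner_fqdn, type, rdata_fields)])."""
    logical, buf = [], []
    for raw in text.splitlines():                   # drop comments, join the multi-line SOA
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if buf or "(" in line:
            buf.append(line)
            if ")" in line:
                logical.append(" ".join(buf))
                buf = []
            continue
        logical.append(line)
    origin, serial, records, last_owner = None, None, [], None
    for line in logical:
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0] == "$TTL":
            continue
        owner = last_owner if line[0].isspace() else parts.pop(0)   # blank owner = previous owner
        last_owner = owner
        if parts[0].isdigit():                      # optional per-record TTL
            parts.pop(0)
        if parts[0] == "IN":
            parts.pop(0)
        rtype, rdata = parts[0], parts[1:]
        if rtype == "SOA":
            serial = int(next(p for p in rdata if p.isdigit()))   # first number after RNAME
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        records.append((fqdn, rtype, rdata))
    return origin, serial, records

def serial_is_dated(serial):
    """True if the serial follows the YYYYMMDDnn convention used in the tutorial."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        datetime.strptime(s[:8], "%Y%m%d")
        return True
    except ValueError:
        return False

def ptr_owner_to_ip(fqdn):
    """'58.122.168.192.in-addr.arpa.' -> '192.168.122.58'"""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(reversed(labels[:-2]))

def check_zones(forward_text, reverse_text):
    """Cross-check forward A records against reverse PTR records; return a list of problems."""
    problems = []
    _, f_serial, f_records = parse_zone(forward_text)
    _, r_serial, r_records = parse_zone(reverse_text)
    for label, serial in (("forward", f_serial), ("reverse", r_serial)):
        if not serial_is_dated(serial):
            problems.append(f"{label} zone serial {serial} is not YYYYMMDDnn")
    a_map = {fqdn: rdata[0] for fqdn, rtype, rdata in f_records if rtype == "A"}
    ptr_map = {ptr_owner_to_ip(fqdn): rdata[0] for fqdn, rtype, rdata in r_records if rtype == "PTR"}
    for name, ip in a_map.items():
        if ptr_map.get(ip) != name:
            problems.append(f"A {name} -> {ip} has no matching PTR")
    for ip, name in ptr_map.items():
        if a_map.get(name) != ip:
            problems.append(f"PTR {ip} -> {name} has no matching A")
    for _fqdn, rtype, rdata in f_records + r_records:
        if rtype == "NS" and rdata[0] not in a_map:
            problems.append(f"NS {rdata[0]} has no A record in the forward zone")
    return problems

if __name__ == "__main__":
    print(check_zones(FORWARD_ZONE, REVERSE_ZONE) or "forward and reverse zones are consistent")
```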
Checking Bind Configuration Syntax
named-checkconf is a utility that checks Bind/named configuration files for syntax errors. You can simply run named-checkconf without arguments, or pass the path to the configuration file as the command argument.
sudo named-checkconf
or, with the configuration file path;
sudo named-checkconf /etc/bind/named.conf
If there are no syntax errors in the configuration file, the command exits without any output; otherwise, it shows the affected line and the specific error.
Open DNS Port on Firewall
If UFW is running, run the command below to allow DNS queries from your specific LAN network, 192.168.122.0/24 in our case. Note that DNS also uses TCP port 53 (for responses too large for UDP and for zone transfers), so add a matching TCP rule if you need those.
sudo ufw allow from 192.168.122.0/24 to 192.168.122.52 port 53 proto udp
If using iptables;
sudo iptables -A INPUT -p udp -s 192.168.122.0/24 -d 192.168.122.52 --dport 53 -j ACCEPT
sudo mv /etc/iptables/rules.v4{,.bak}
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
If using Firewalld;
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.122.0/24" destination address="192.168.122.52" port protocol="udp" port="53" accept'
sudo firewall-cmd --reload
Controlling BIND DNS Service
You can start, stop, restart and reload the Bind DNS service using its named systemd unit. For example, to start it and enable it to run on system boot;
sudo systemctl enable --now named
To check the status;
systemctl status named
● named.service - BIND Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: enabled)
Active: active (running) since Fri 2025-02-07 10:39:43 UTC; 2h 14min ago
Docs: man:named(8)
Main PID: 3456 (named)
Status: "running"
Tasks: 8 (limit: 4614)
Memory: 5.8M (peak: 6.2M)
CPU: 172ms
CGroup: /system.slice/named.service
└─3456 /usr/sbin/named -f -u bind
Feb 07 10:39:43 noble named[3456]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Feb 07 10:39:43 noble named[3456]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Feb 07 10:39:43 noble named[3456]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Feb 07 10:39:43 noble named[3456]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Feb 07 10:39:43 noble named[3456]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Feb 07 10:39:43 noble named[3456]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Feb 07 10:39:43 noble named[3456]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Feb 07 10:39:43 noble named[3456]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
Feb 07 10:39:43 noble named[3456]: no longer listening on 192.168.122.52#53
Feb 07 10:39:43 noble named[3456]: listening on IPv4 interface enp1s0, 192.168.122.52#53
You can as well check the DNS port;
sudo netstat -alunp | grep 53
Testing DNS Resolution
On a client system, point the DNS resolver at the IP address of the DNS server you just configured (192.168.122.52 in this setup).
In this example setup, we use CentOS/RHEL as our DNS client. So, first find the active connection name;
sudo nmcli -t --fields NAME con show --active
Wired connection 1
Based on the currently active connection, find the DNS server IP address set;
sudo nmcli --fields ip4.dns con show 'Wired connection 1'
Then you can set or modify the DNS server IP address;
sudo nmcli con mod 'Wired connection 1' ipv4.dns 192.168.122.52
Or you can add the DNS server IP instead;
sudo nmcli con mod 'Wired connection 1' +ipv4.dns 192.168.122.52
Reload the interface;
nmcli con down 'Wired connection 1'
nmcli con up 'Wired connection 1'
Now check the DNS server IP;
nmcli --fields ip4.dns con show 'Wired connection 1'
IP4.DNS[1]: 192.168.122.52
Also check if the /etc/resolv.conf file is updated with the same IP.
Verify the DNS resolution (Assuming you already have bind-utils package installed);
dig google.com
; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54634
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 064887612bf0e630010000005f7b8519e3b270a5437d1619 (good)
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 90 IN A 216.58.223.110
;; Query time: 1 msec
;; SERVER: 192.168.122.52#53(192.168.122.52)
;; WHEN: Mon Oct 05 23:41:59 EAT 2020
;; MSG SIZE rcvd: 83
nslookup google.com
Server: 192.168.122.52
Address: 192.168.122.52#53
Non-authoritative answer:
Name: google.com
Address: 216.58.223.110
Name: google.com
Address: 2a00:1450:401a:805::200e
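The dig output above is a rendering of the DNS message header: status is the RCODE and qr, rd, ra are header flag bits. A client outside the allow-query ACL configured earlier gets status REFUSED, and a client outside allow-recursion gets its answer with the ra bit cleared, so reading those fields from the client side is how you confirm the ACLs actually apply. The following Python is an added example, not code from this tutorial or from BIND: it builds an A query for google.com with the same id dig showed (54634), constructs two replies offline (a NOERROR answer matching the one above, and a REFUSED reply), and decodes the header fields and the A record, including 0xC0 name compression.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (uncompressed wire-format name)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0 compression pointers.
    Returns (name, offset just past the name in the original byte sequence)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                           # two-byte pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def build_query(qname, qid=54634):
    """Standard recursive A query: header with RD set, one question (QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(query, ip=None, ttl=90, rcode=0, ra=True):
    """Constructed server reply: echo the question, set QR (and RA when recursion is offered
    to this client), and on NOERROR append one A record whose owner points at the question."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode
    question = query[12:]
    if rcode != 0 or ip is None:
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + answer

def parse_response(msg):
    """Return the header fields dig prints (id, qr/rd/ra flags, status) plus any A answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": []}
    off = 12
    for _ in range(qd):                                     # skip the question section
        _, off = decode_name(msg, off)
        off += 4                                            # QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                       # A record
            info["answers"].append((name, ttl, ".".join(str(b) for b in rdata)))
    return info

if __name__ == "__main__":
    q = build_query("google.com")
    print(parse_response(build_response(q, "216.58.223.110")))   # like the dig output: qr rd ra, NOERROR
    print(parse_response(build_response(q, rcode=5, ra=False)))  # what a client outside the ACL sees
```

To test a live server the same way, send build_query(...) over UDP to 192.168.122.52 port 53 with the socket module and pass the received bytes to parse_response; a REFUSED status or a missing ra from a host that should be in the allowed ACL points at the ACL or the firewall rule, not at the zone data.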
And your DNS server is now up and running. You can add more records as you see fit.
That closes our guide on how to set up a BIND DNS server on Ubuntu 24.04.