Setup Caching-Only DNS Server using BIND9 on Ubuntu 20.04

|
Last Updated:
|
|

In this tutorial, we will discuss how to install and setup caching-only DNS server using BIND9 on Ubuntu 20.04. The Berkeley Internet Name Domain (BIND 9) is a versatile, classic and complete name server software that implements an Internet domain name server. It is the most widely-used name server software on the Internet. DNS on the hand refers to a distributed naming system which maps the hostnames to their respective IP addresses. This enables the end users to refer to systems by their hostnames rather than IPs which are subject to changing from time to time depending on whether the IP is static or dynamic.

Setting up Caching-Only DNS Server using BIND9

There are different roles in which any DNS server can be configured to server. In this guide, we will be looking at how to setup a caching-only DNS server using Bind9 on Ubuntu 20.04. As much as all DNS servers can cache the DNS queries, the major and only role of a caching-only DNS server is to cache the DNS queries. It has no any zone data information and thus does not serve out zones.

The setup of the caching-only DNS server using BIND doesn’t require the expert level experience, even a newbie can handle it, :).

Run System Update

To begin, ensure your system package repos are up-to-date.

apt update

Install BIND9 on Ubuntu 20.04

Next, install Bind9 and other BIND/DNS utilities on Ubuntu 20.04;

apt install bind9 bind9utils -y

Theses tools installs the name server daemon, named, the Bind administration tool, rndc and the debugging utility, dig.

Setup Caching-Only DNS Server using BIND9

Once the Bind9 package and other DNS utilities are installed, proceed to setup caching-only DNS server. /etc/bind/named.conf is the main configuration file for BIND DNS server named. By default, this is how this configuration file looks like, at least on an Ubuntu 20.04;

less /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

From the file above;

  • comment lines begin with double forward slashes, //. # is also accepted for comments.
  • include statements are used to include other named configuration files.
  • All statements must be terminated by a semi colon, ;.

Defining Bind global configuration options

The options statement is used to define global named configuration options, set defaults for other statements, specify the location of the named working directory, the types of queries allowed e.t.c.

As per this configuration, on Ubuntu 20.04, all Bind options are stored under the /etc/bind/named.conf.options configuration file.

Create a backup of the default options configuration file.

cp /etc/bind/named.conf.options{,.bak}

Next, open the options configuration file for editing;

vim /etc/bind/named.conf.options
Configure Access Control List

To begin with, configure DNS server access control list. This can be done using the acl statement.

// DNS Server ACL
acl "allowed" {
        192.168.57.0/24;
};

The acl statement defines groups of hosts that can be permitted or denied access to the nameserver. In this case, allowed is the name of the access control list of course the 192.168.57.0/24 is the network that will be allowed to use our DNS server.

Define global server configuration options

BIND DNS server global configuration options are defined under the options statement.

...
options {
        directory "/var/cache/bind";

        recursion yes;
        allow-recursion { localhost; allowed; };
        listen-on port 53 { localhost; 192.168.57.6; };
        allow-query { localhost; allowed; };
        allow-transfer { none; };
        
        dnssec-validation auto;

        listen-on-v6 { any; };
};

Where:

  • recursion – Specifies whether to act as a recursive server.
  • allow-recursion – Defines hosts to allow recursive queries from.
  • listen-on – Specifies the IPv4 network interface on which to listen for queries.
  • allow-query – Specifies which hosts are allowed to query the nameserver for authoritative resource records.
  • allow-transfer – Specifies which secondary servers are allowed to request a transfer of the zone’s information. 
  • dnssec-validation – Specifies whether to prove that resource records are authentic through DNSSEC. The default option is yes.
  • listen-on-v6 – Specifies the IPv6 network interface on which to listen for queries.

For our basic caching-only DNS server, here is how our /etc/bind/named.conf.options looks like;

acl "allowed" {
        192.168.57.0/24;
};
options {
        directory "/var/cache/bind";

        recursion yes;
        allow-recursion { localhost; allowed; };
        listen-on port 53 { localhost; 192.168.57.6; };
        allow-query { localhost; allowed; };
        allow-transfer { none; };
        
        dnssec-validation auto;

        listen-on-v6 { none; };
};

Checking Bind Configuration Syntax

named-checkconf is a utility that can be used to check Bind/named configurations syntax errors.

You can simply run named-checkconf. However, you can as well pass the path to the configuration file as the command argument.

named-checkconf

or simply;

named-checkconf /etc/bind/named.conf

If there is any syntax error in the configuration file, the command will show the affected line and the specific error. Below is an example;

/etc/bind/named.conf.options:10: missing ';' before 'allow-query'

Open DNS Port on Firewall

If UFW is running, run the command below to allow DNS queries from your specific LAN network, 192.168.57.0/24 in our case.

ufw allow from 192.168.57.0/24 to 192.168.57.6 port 53 proto udp
ufw status numbered
[ 2] 192.168.57.6 53/udp        ALLOW IN    192.168.57.0/24

Controlling Bind Service

You can start, stop, restart, reload Bind DNS named service using its named systemd unit file. For example, to start and enable it to run on system boot,

systemctl enable --now named

To check the status;

systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2020-10-05 20:11:40 UTC; 43s ago
       Docs: man:named(8)
   Main PID: 17452 (named)
      Tasks: 8 (limit: 2282)
     Memory: 17.8M
     CGroup: /system.slice/named.service
             └─17452 /usr/sbin/named -f -u bind

Oct 05 20:11:40 ubuntu20 named[17452]:...

You can as well check the DNS port;

netstat -alunp | grep 53

Testing BIND DNS Resolution

On a client system, configure the DNS server IP to your caching-only DNS server IP. In this example setup, we use CentOS 8 as our DNS client;

So, find an active connection name;

nmcli -t --fields NAME con show --active
Wired connection 1

Based on the currently active connection, find the DNS server IP address set;

nmcli --fields ip4.dns con show 'Wired connection 1'

Then you can set or modify the DNS server IP address;

nmcli con mod 'Wired connection 1' ipv4.dns 192.168.57.6

Or you can add the DNS server IP instead;

nmcli con mod 'Wired connection 1' +ipv4.dns 192.168.57.6

Reload the interface;

nmcli con down 'Wired connection 1'
nmcli con up 'Wired connection 1'

Now check the DNS server IP;

nmcli --fields ip4.dns con show 'Wired connection 1'
IP4.DNS[1]:                             192.168.57.6

Also check if the /etc/resolv.conf file is updated with the same IP.

Verify the DNS resolution (Assuming you already have bind-utils package installed);

dig google.com
; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54634
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 064887612bf0e630010000005f7b8519e3b270a5437d1619 (good)
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		90	IN	A	216.58.223.110

;; Query time: 1 msec
;; SERVER: 192.168.57.6#53(192.168.57.6)
;; WHEN: Mon Oct 05 23:41:59 EAT 2020
;; MSG SIZE  rcvd: 83
nslookup google.com
Server:		192.168.57.6
Address:	192.168.57.6#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.223.110
Name:	google.com
Address: 2a00:1450:401a:805::200e

And that pretty summarizes our guide.

Other Related Tutorials

Configure BIND as DNS Server on Ubuntu 18.04

How to Setup Master-Slave DNS Server using BIND on CentOS 7

Configure BIND DNS Server using Webmin on CentOS 8

Setup Bind DNS Using Webmin on Debian 10

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
gen_too
Co-founder of Kifarunix.com, Linux Tips and Tutorials. Linux/Unix admin and author at Kifarunix.com.

Leave a Comment