How To Check bind9 (DNS Server) Configuration Files
By Rahul, April 20, 2022, 2 Mins Read

The named-checkconf command checks the syntax (but only the syntax) of a DNS (bind) configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified on the command line, /etc/named.conf is read by default.
1. Check bind9 (DNS) Configuration

After any change to the bind configuration (in /etc/bind), I recommend checking the configuration file before restarting the service:

    named-checkconf named.conf

If bind is running in a chroot environment, also run the following command in addition to the one above:

    named-checkconf -t /var/named/chroot /etc/named.conf

The command prints nothing if no error is found in the configuration file. If there is an error, it is displayed as output.
2. Check Bind Zone File

To check the syntax of a zone file, use the command below. Unlike named-checkconf, it prints a result in both cases (success and failure):

    named-checkzone demotecadmin.net /var/named/demotecadmin.net.db

Sample output:

    zone demotecadmin.net/IN: loaded serial 3013040200
    OK
3. Check Configuration File in Older Versions of Bind

If you are using an older version of bind, you can also check the configuration using the command below:

    service named configtest

Sample output:

    zone tool.com/IN: loaded serial 42
    zone localhost/IN: loaded serial 42
    zone 1.168.192.in-addr.arpa/IN: loaded serial 1997022700
    zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
    zone 255.in-addr.arpa/IN: loaded serial 42
    zone 0.in-addr.arpa/IN: loaded serial 42

=======================================================

TXT records are usually enclosed in double quotes. If you add a DKIM record, you also need to enclose the value in parentheses.

Note: As of 11/19/23, AT&T does my reverse @ "uvs.rcsntx.sbcglobal.net". To set up my AT&T reverse PTR, send mail to: prov-dns@att.com. Include IP, mail server name "mail.ary.com" and AT&T account #.

Save and close the file. Then run the following command to check for syntax errors in the main configuration file. Silent output indicates that no errors were found.

    sudo named-checkconf

Then check the syntax of the zone files.

    sudo named-checkzone example.com /etc/bind/db.example.com

If there are syntax errors in the zone file, you need to fix them, or this zone won't be loaded. The following message indicates there are no syntax errors:

    zone example.com/IN: loaded serial 2019011503
    OK

Then restart BIND9.

    sudo systemctl restart bind9

If you are using the Uncomplicated Firewall (UFW), open TCP and UDP port 53.

    sudo ufw allow 53/tcp
    sudo ufw allow 53/udp

If you are using the iptables firewall directly, run the following commands.

    sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
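The steps above (check the configuration, check every zone, only then restart) can be turned into a single gate script. The following is an added example, not code from the original post: it parses the canonical output of named-checkconf -p to find the primary zones and their files, runs named-checkzone -q on each, and returns non-zero on the first failure so that the restart is never reached on a broken zone. It assumes zones are declared at top level (no view blocks); the config path and restart command are placeholders for your own setup.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-restart gate that runs
# named-checkconf and then named-checkzone on every top-level primary zone
# declared in named.conf, so the restart is only attempted if all checks pass.
# Assumes zones are declared at top level (no "view" blocks); the config path
# and restart command are placeholders for the reader's own setup.

# Read named.conf in canonical form (the layout "named-checkconf -p" prints)
# on stdin and emit one "zone<TAB>file" line per primary/master zone.
# Hint and secondary zones are skipped: their files may not exist locally.
primary_zones() {
    awk '
        /^zone "/        { n = $2; gsub(/["]/, "", n); t = ""; f = "" }
        /^[ \t]*type /   { t = $2; sub(/;$/, "", t) }
        /^[ \t]*file /   { f = $2; gsub(/[";]/, "", f) }
        /^};/ && n != "" {
            if ((t == "primary" || t == "master") && f != "")
                printf "%s\t%s\n", n, f
            n = ""
        }
    '
}

# Check the configuration, then every primary zone; return non-zero on the
# first failure so a caller can chain "check_all && systemctl restart bind9".
check_all() {
    conf="${1:-/etc/bind/named.conf}"          # placeholder default path
    named-checkconf "$conf" || return 1
    named-checkconf -p "$conf" | primary_zones |
    while IFS="$(printf '\t')" read -r zone file; do
        # -q: quiet mode, only the exit code reports success or failure
        if named-checkzone -q "$zone" "$file"; then
            echo "ok   $zone ($file)"
        else
            echo "FAIL $zone ($file)" >&2
            exit 1                           # exits the pipeline subshell
        fi
    done
}

# Constructed sample of canonical output, used to demonstrate primary_zones
# without a running BIND installation.
SAMPLE_CONF='zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
};
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
zone "demotecadmin.net" IN {
    type master;
    file "/var/named/demotecadmin.net.db";
};'

printf '%s\n' "$SAMPLE_CONF" | primary_zones
# Real use (needs the bind9 tools installed):
#   check_all /etc/bind/named.conf && sudo systemctl restart bind9
```

named-checkconf -z performs a test load of all primary zones in one go; the per-zone loop above is useful when you want a named failing zone and a clean exit code to gate the restart on.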
named-checkconf

Man named-checkconf:

NAMED-CHECKCONF(1)                  BIND 9                  NAMED-CHECKCONF(1)

NAME
    named-checkconf - named configuration file syntax checking tool

SYNOPSIS
    named-checkconf [-chjlvz] [-p [-x]] [-t directory] {filename}

DESCRIPTION
    named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file, along with all files included by it, is parsed and checked for syntax errors. If no file is specified, /etc/bind/named.conf is read by default.

    Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read by named-checkconf. Configuration errors in these files may cause named to fail to run, even if named-checkconf was successful. However, named-checkconf can be run on these files explicitly.

OPTIONS
    -h
        This option prints the usage summary and exits.

    -j
        When loading a zonefile, this option instructs named to read the journal if it exists.

    -l
        This option lists all the configured zones. Each line of output contains the zone name, class (e.g. IN), view, and type (e.g. primary or secondary).

    -c
        This option specifies that only the "core" configuration should be checked. This suppresses the loading of plugin modules, and causes all parameters to plugin statements to be ignored.

    -i
        This option ignores warnings on deprecated options.

    -p
        This option prints out the named.conf and included files in canonical form if no errors were detected. See also the -x option.

    -t directory
        This option instructs named to chroot to directory, so that include directives in the configuration file are processed as if run by a similarly chrooted named.

    -v
        This option prints the version of the named-checkconf program and exits.

    -x
        When printing the configuration files in canonical form, this option obscures shared secrets by replacing them with strings of question marks (?). This allows the contents of named.conf and related files to be shared - for example, when submitting bug reports - without compromising private data. This option cannot be used without -p.

    -z
        This option performs a test load of all zones of type primary found in named.conf.

    filename
        This indicates the name of the configuration file to be checked. If not specified, it defaults to /etc/bind/named.conf.

RETURN VALUES
    named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

SEE ALSO
    named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

AUTHOR
    Internet Systems Consortium

COPYRIGHT
    2023, Internet Systems Consortium

9.18.12-0ubuntu0.22.04.3-Ubuntu     2023-02-03                NAMED-CHECKCONF(1)
named-checkzone

NAMED-CHECKZONE(1)                  BIND 9                  NAMED-CHECKZONE(1)

NAME
    named-checkzone - zone file validity checking or converting tool

SYNOPSIS
    named-checkzone [-d] [-h] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-l ttl] [-L serial] [-o filename] [-r mode] [-s style] [-S mode] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {zonename} {filename}

DESCRIPTION
    named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.

OPTIONS
    -d
        This option enables debugging.

    -h
        This option prints the usage summary and exits.

    -q
        This option sets quiet mode, which only sets an exit code to indicate successful or failed completion.

    -v
        This option prints the version of the named-checkzone program and exits.

    -j
        When loading a zone file, this option tells named to read the journal if it exists. The journal file name is assumed to be the zone file name with the string .jnl appended.

    -J filename
        When loading the zone file, this option tells named to read the journal from the given file, if it exists. This implies -j.

    -c class
        This option specifies the class of the zone. If not specified, IN is assumed.

    -i mode
        This option performs post-load zone integrity checks. Possible modes are full (the default), full-sibling, local, local-sibling, and none.

        Mode full checks that MX records refer to A or AAAA records (both in-zone and out-of-zone hostnames). Mode local only checks MX records which refer to in-zone hostnames.

        Mode full checks that SRV records refer to A or AAAA records (both in-zone and out-of-zone hostnames). Mode local only checks SRV records which refer to in-zone hostnames.

        Mode full checks that delegation NS records refer to A or AAAA records (both in-zone and out-of-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode local only checks NS records which refer to in-zone hostnames or verifies that some required glue exists, i.e., when the name server is in a child zone.

        Modes full-sibling and local-sibling disable sibling glue checks, but are otherwise the same as full and local, respectively.

        Mode none disables the checks.

    -f format
        This option specifies the format of the zone file. Possible formats are text (the default), and raw.

    -F format
        This option specifies the format of the output file specified. For named-checkzone, this does not have any effect unless it dumps the zone contents.

        Possible formats are text (the default), which is the standard textual representation of the zone, and raw and raw=N, which store the zone in a binary format for rapid loading by named. raw=N specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of named; if N is 1, the file can only be read by release 9.9.0 or higher. The default is 1.

    -k mode
        This option performs check-names checks with the specified failure mode. Possible modes are fail, warn (the default), and ignore.

    -l ttl
        This option sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value causes the zone to be rejected. This is similar to using the max-zone-ttl option in named.conf.

    -L serial
        When compiling a zone to raw format, this option sets the "source serial" value in the header to the specified serial number. This is expected to be used primarily for testing purposes.

    -m mode
        This option specifies whether MX records should be checked to see if they are addresses. Possible modes are fail, warn (the default), and ignore.

    -M mode
        This option checks whether a MX record refers to a CNAME. Possible modes are fail, warn (the default), and ignore.

    -n mode
        This option specifies whether NS records should be checked to see if they are addresses. Possible modes are fail, warn (the default), and ignore.

    -o filename
        This option writes the zone output to filename. If filename is -, then the zone output is written to standard output.

    -r mode
        This option checks for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are fail, warn (the default), and ignore.

    -s style
        This option specifies the style of the dumped zone file. Possible styles are full (the default) and relative. The full format is most suitable for processing automatically by a separate script. The relative format is more human-readable and is thus suitable for editing by hand. This does not have any effect unless it dumps the zone contents. It also does not have any meaning if the output format is not text.

    -S mode
        This option checks whether an SRV record refers to a CNAME. Possible modes are fail, warn (the default), and ignore.

    -t directory
        This option tells named to chroot to directory, so that include directives in the configuration file are processed as if run by a similarly chrooted named.

    -T mode
        This option checks whether Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are warn (the default) and ignore.

    -w directory
        This option instructs named to chdir to directory, so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in named.conf.

    -D
        This option dumps the zone file in canonical format.

    -W mode
        This option specifies whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 4592). Possible modes are warn (the default) and ignore.

    zonename
        This indicates the domain name of the zone being checked.

    filename
        This is the name of the zone file.

RETURN VALUES
    named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

SEE ALSO
    named(8), named-checkconf(8), named-compilezone(8), RFC 1035, BIND 9 Administrator Reference Manual.

AUTHOR
    Internet Systems Consortium

COPYRIGHT
    2023, Internet Systems Consortium

9.18.12-0ubuntu0.22.04.3-Ubuntu     2023-02-03                NAMED-CHECKZONE(1)
named-compilezone

Info: https://kb.isc.org/docs/aa-00608

NAMED-COMPILEZONE(1)                BIND 9                NAMED-COMPILEZONE(1)

NAME
    named-compilezone - zone file validity checking or converting tool

SYNOPSIS
    named-compilezone [-d] [-h] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-J filename] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-l ttl] [-L serial] [-r mode] [-s style] [-S mode] [-t directory] [-T mode] [-w directory] [-D] [-W mode] {-o filename} {zonename} {filename}

DESCRIPTION
    named-compilezone checks the syntax and integrity of a zone file, and dumps the zone contents to a specified file in a specified format. It applies strict check levels by default, since the dump output is used as an actual zone file loaded by named. When manually specified otherwise, the check levels must at least be as strict as those specified in the named configuration file.

OPTIONS
    -d
        This option enables debugging.

    -h
        This option prints the usage summary and exits.

    -q
        This option sets quiet mode, which only sets an exit code to indicate successful or failed completion.

    -v
        This option prints the version of the named-checkzone program and exits.

    -j
        When loading a zone file, this option tells named to read the journal if it exists. The journal file name is assumed to be the zone file name with the string .jnl appended.

    -J filename
        When loading the zone file, this option tells named to read the journal from the given file, if it exists. This implies -j.

    -c class
        This option specifies the class of the zone. If not specified, IN is assumed.

    -i mode
        This option performs post-load zone integrity checks. Possible modes are full (the default), full-sibling, local, local-sibling, and none.

        Mode full checks that MX records refer to A or AAAA records (both in-zone and out-of-zone hostnames). Mode local only checks MX records which refer to in-zone hostnames.

        Mode full checks that SRV records refer to A or AAAA records (both in-zone and out-of-zone hostnames). Mode local only checks SRV records which refer to in-zone hostnames.

        Mode full checks that delegation NS records refer to A or AAAA records (both in-zone and out-of-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode local only checks NS records which refer to in-zone hostnames or verifies that some required glue exists, i.e., when the name server is in a child zone.

        Modes full-sibling and local-sibling disable sibling glue checks, but are otherwise the same as full and local, respectively.

        Mode none disables the checks.

    -f format
        This option specifies the format of the zone file. Possible formats are text (the default), and raw.

    -F format
        This option specifies the format of the output file specified. For named-checkzone, this does not have any effect unless it dumps the zone contents.

        Possible formats are text (the default), which is the standard textual representation of the zone, and raw and raw=N, which store the zone in a binary format for rapid loading by named. raw=N specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of named; if N is 1, the file can only be read by release 9.9.0 or higher. The default is 1.

    -k mode
        This option performs check-names checks with the specified failure mode. Possible modes are fail (the default), warn, and ignore.

    -l ttl
        This option sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value causes the zone to be rejected. This is similar to using the max-zone-ttl option in named.conf.

    -L serial
        When compiling a zone to raw format, this option sets the "source serial" value in the header to the specified serial number. This is expected to be used primarily for testing purposes.

    -m mode
        This option specifies whether MX records should be checked to see if they are addresses. Possible modes are fail, warn (the default), and ignore.

    -M mode
        This option checks whether a MX record refers to a CNAME. Possible modes are fail, warn (the default), and ignore.

    -n mode
        This option specifies whether NS records should be checked to see if they are addresses. Possible modes are fail (the default), warn, and ignore.

    -o filename
        This option writes the zone output to filename. If filename is -, then the zone output is written to standard output. This is mandatory for named-compilezone.

    -r mode
        This option checks for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are fail, warn (the default), and ignore.

    -s style
        This option specifies the style of the dumped zone file. Possible styles are full (the default) and relative. The full format is most suitable for processing automatically by a separate script. The relative format is more human-readable and is thus suitable for editing by hand.

    -S mode
        This option checks whether an SRV record refers to a CNAME. Possible modes are fail, warn (the default), and ignore.

    -t directory
        This option tells named to chroot to directory, so that include directives in the configuration file are processed as if run by a similarly chrooted named.

    -T mode
        This option checks whether Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are warn (the default) and ignore.

    -w directory
        This option instructs named to chdir to directory, so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in named.conf.

    -D
        This option dumps the zone file in canonical format. This is always enabled for named-compilezone.

    -W mode
        This option specifies whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 4592). Possible modes are warn (the default) and ignore.

    zonename
        This indicates the domain name of the zone being checked.

    filename
        This is the name of the zone file.

RETURN VALUES
    named-compilezone returns an exit status of 1 if errors were detected and 0 otherwise.

SEE ALSO
    named(8), named-checkconf(8), named-checkzone(8), RFC 1035, BIND 9 Administrator Reference Manual.

AUTHOR
    Internet Systems Consortium

COPYRIGHT
    2023, Internet Systems Consortium

9.18.12-0ubuntu0.22.04.3-Ubuntu     2023-02-03              NAMED-COMPILEZONE(1)
named-journalprint

NAMED-JOURNALPRINT(1)               BIND 9               NAMED-JOURNALPRINT(1)

NAME
    named-journalprint - print zone journal in human-readable form

SYNOPSIS
    named-journalprint [-c serial] [-dux] {journal}

DESCRIPTION
    named-journalprint scans the contents of a zone journal file, printing it in a human-readable form, or, optionally, converting it to a different journal file format.

    Journal files are automatically created by named when changes are made to dynamic zones (e.g., by nsupdate). They record each addition or deletion of a resource record, in binary format, allowing the changes to be re-applied to the zone when the server is restarted after a shutdown or crash. By default, the name of the journal file is formed by appending the extension .jnl to the name of the corresponding zone file.

    named-journalprint converts the contents of a given journal file into a human-readable text format. Each line begins with add or del, to indicate whether the record was added or deleted, and continues with the resource record in master-file format.

    The -c (compact) option provides a mechanism to reduce the size of a journal by removing (most/all) transactions prior to the specified serial number. Note: this option must not be used while named is running, and can cause data loss if the zone file has not been updated to contain the data being removed from the journal. Use with extreme caution.

    The -x option causes additional data about the journal file to be printed at the beginning of the output and before each group of changes.

    The -u (upgrade) and -d (downgrade) options recreate the journal file with a modified format version. The existing journal file is replaced. -d writes out the journal in the format used by versions of BIND up to 9.16.11; -u writes it out in the format used by versions since 9.16.13. (9.16.12 is omitted due to a journal-formatting bug in that release.) Note that these options must not be used while named is running.

SEE ALSO
    named(8), nsupdate(1), BIND 9 Administrator Reference Manual.

AUTHOR
    Internet Systems Consortium

COPYRIGHT
    2023, Internet Systems Consortium

9.18.12-0ubuntu0.22.04.3-Ubuntu     2023-02-03             NAMED-JOURNALPRINT(1)
named-nzd2nzf

NAMED-NZD2NZF(1)                    BIND 9                    NAMED-NZD2NZF(1)

NAME
    named-nzd2nzf - convert an NZD database to NZF text format

SYNOPSIS
    named-nzd2nzf {filename}

DESCRIPTION
    named-nzd2nzf converts an NZD database to NZF format and prints it to standard output. This can be used to review the configuration of zones that were added to named via rndc addzone. It can also be used to restore the old file format when rolling back from a newer version of BIND to an older version.

ARGUMENTS
    filename
        This is the name of the .nzd file whose contents should be printed.

SEE ALSO
    BIND 9 Administrator Reference Manual.

AUTHOR
    Internet Systems Consortium

COPYRIGHT
    2023, Internet Systems Consortium

9.18.12-0ubuntu0.22.04.3-Ubuntu     2023-02-03                  NAMED-NZD2NZF(1)
named-rrchecker
Introducing the named-rrchecker tool

The named-rrchecker tool (introduced in BIND 9.10) can be used to verify the syntactic correctness of individual resource records, or to convert them into a canonical format so that a newly defined record type can be loaded into an older name server that doesn't recognize it.

The tool itself reads one DNS resource record (without an owner name) from standard input and checks whether its syntax is correct. If the syntax is incorrect, it prints an error message and exits with an exit code of 1 (failure). If the syntax is correct, and none of its "print" options have been invoked, it is silent and exits with an exit code of 0 (success). It is intended for use inside shell scripts that use those exit codes to control their iteration.

Options available are:

    -h
        Print a help menu and exit

    -o origin
        Specify an origin to be used when interpreting the record; this provides the same information as the $ORIGIN statement in a text zone file

    -p
        Print out the resulting record in canonical form

    -u
        Print out the resulting record in unknown record form

    -C
        Print the mnemonics of the known classes

    -T
        Print the mnemonics of the known standard types

    -P
        Print the mnemonics of the known private types