Bind9 Definitions

Bind9 Configuration Definitions
From: https://www.linuxbabe.com/ubuntu/set-up-authoritative-dns-server-ubuntu-18-04-bind9

What Is An Authoritative Server	Control Cmds
Master DNS Server Config	Slave DNS Server Config	More About Zone Transfer	Reverse Zone
Change NS Rcd & Make Glue Rcd	Select Advanced DNS	Things To Know	Using Wildcard in Bind Zone Files
Enabling the Resolver	Wrapping Up

Bind9 Configuration Definitions




What’s An Authoritative DNS Server? 

An authoritative DNS server is used by domain name owners to store DNS records.
It provides authoritative answers to DNS resolvers (like 8.8.8.8 or 1.1.1.1), 
which query DNS records on behalf of end users on PC, smartphone or tablet.



Control Cmds
named -v

Sample output:
BIND 9.11.3-1ubuntu1.3-Ubuntu (Extended Support Version) 

Check the version number and build options, run
named -V

BIND version number and build option

By default, BIND automatically starts after installation. Check its status with:

systemctl status bind9

bind 9 ubuntu 18.04 server

If it’s not running, then start it with:

sudo systemctl start bind9

And enable auto start at boot time:

sudo systemctl enable named

The BIND server will run as the bind user, which is created during installation,
and listens on TCP and UDP port 53, as can be seen by running the following 
command:

sudo netstat -lnptu | grep named

ubuntu 18.04 bind9 setup

The BIND demon is called named. (demon: program that runs in background) 
named installed by the bind9 package.
rndc, remote name demon controller, installed by bind9utils package. 
rndc is used to reload/stop and control other aspects of the BIND 
demon. 
Communication is done via TCP loopback (127.0.0.1:953).

Check the status of the BIND name server.

sudo rndc status

remote name demon controller



Configuration Files
The main BIND configuration file /etc/bind/named.conf sources the settings from
 3 other files.

/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

Out of the box, the BIND9 server on Ubuntu provides recursive service for 
localhost and local network clients. 
When setting up an authoritative DNS server, disable recursion. 
Edit the /etc/bind/named.conf.options file.

sudo nano /etc/bind/named.conf.options

Add following lines in the options {...}; clause.

// hide version number from clients for security reasons.
 version "not currently available";

 // disable recursion on authoritative DNS server.
 recursion no;

 // enable the query log
 querylog yes;

 // disallow zone transfer
 allow-transfer { none; };


bind9 authoritative dns server ubuntu 18.04 LTS

Technically speaking, you only need to add recursion no; to disable recursion, 
but it’s a good practice to add the other 3 directives. Save and close the file.
Then restart BIND.

sudo systemctl restart bind9



Master DNS Server Configuration

Pick one of the two servers as the master DNS server. We will name it 
   ns1.example.com.

The master DNS server holds the master copy of the zone file. Changes of DNS 
records are made on this server. A domain can have one or more DNS zones. Each 
DNS zone has a zone file which contains every DNS record in that zone. For 
simplicity’s sake, this article assumes that you want to use a single DNS zone 
to manage all DNS records for your domain name.



named.conf.default-zones

The /etc/bind/named.conf.default-zones file defines the root zone and localhost
zone. 
 


named.conf.local
To add a zone for your domain name, edit /etc/bind/named.conf.local file.

sudo nano /etc/bind/named.conf.local

Add the following lines to this file. Replace example.com with your own domain 
name. Replace 12.34.56.78 with the IP address of slave DNS server.

zone "example.com" {
      type master;
      file "/etc/bind/db.example.com";
      allow-query { any; };
      allow-transfer { 12.34.56.78; };
}; 

In the above configuration, we created a new zone with the zone clause and we 
specified that this is the master zone. The zone file is 
/etc/bind/db.example.com, where we will add DNS records. Zone transfer will be 
only allowed for the slave DNS server. Save and close the file.

Instead of creating a zone file from scratch, we can use a zone template file. 
Copy the content of db.empty to a new file.

sudo cp /etc/bind/db.empty /etc/bind/db.example.com

A zone file can contain 3 types of entries:

Comments: start with a semicolon (;)
Directives: start with a dollar sign ($)
Resource Records: aka DNS records


A zone file typically consists of the following types of DNS records.

The SOA (Start of Authority) record: defines the key characteristics of a zone. It’s the first DNS record in the zone file and is mandatory.
NS (Name Server) record: specifies which servers are used to store DNS records and answer DNS queries for a domain name. There must be at least two NS record in a zone file.
MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
A (Address) record: Converts DNS names into IPv4 addresses.
AAAA (Quad A) record: Converts DNS names into IPv6 addresses.
CNAME record (Canonical Name): It’s used to create alias for a DNS name.
TXT record: SPF, DKIM, DMARC, etc.


Now let’s edit the zone file.

sudo nano /etc/bind/db.example.com

By default, it looks like this:


BIND9 zone transfer ubuntu

You can change it to this instead.


bind9 master zone file

Where

The $TTL directive defines the default Time to Live value for the zone, 
	which is the time a DNS record can be cached on a DNS resolver. This 
	directive is mandatory. The time is specified in seconds.
The $ORIGIN directive defines the base domain.
Domain names must end with a dot (.), which is the root domain. When a 
	domain name ends with a dot, it is a fully qualified domain name (FQDN).
The @ symbol references to the base domain.
IN is the DNS class. It stands for Internet. Other DNS classes exist but 
	are rarely used.

The first record in a zone file is the SOA (Start of Authority) record. This 
record contains the following information:

The master DNS server.
Email address of the zone administrator. RFC 2142 recommends the email 
	address hostmaster@example.com. In the zone file, this email address takes 
	this form: hostmaster.example.com because the @ symbol has special meaning 
	in zone file.
Zone serial number. The serial number is a way of tracking changes in zone 
	by the slave DNS server. By convention, the serial number takes a date 
	format: yyyymmddss, where yyyy is the four-digit year number, mm is the 
	month, dd is the day, and ss is the sequence number for the day. You must 
	update the serial number when changes are made to the zone file.
Refresh value. When the refresh value is reached, the slave DNS server will
	try to read of the SOA record from the master DNS server. If the serial 
	number becomes higher, a zone transfer is initiated.
Retry value. Defines the retry interval in seconds if the slave DNS server 
	fails to connect to the master DNS server.
Expiry: If the slave DNS server has been failing to make contact with 
	master DNS server for this amount of time, the slave will stop responding to
	DNS queries for this zone.
Negative cache TTL: Defines the time to live value of DNS responses for 
	non-existent DNS names (NXDOMAIN).

TXT records are usually enclosed in double quotes. If you add DKIM record, you 
also need to enclose the value with parentheses.

Save and close the file. Then run the following command to check if there are 
syntax errors in the main configuration file. A silent output indicates no 
errors are found.

sudo named-checkconf

Then check the syntax of zone files.

sudo named-checkzone example.com /etc/bind/db.example.com

If there are syntax errors in the zone file, you need to fix it, or this zone 
won’t be loaded. The following message indicates there are no syntax errors.

zone example.com/IN: loaded serial 2019011503
OK

Then restart BIND9.

sudo systemctl restart bind9

If you are using the uncomplicated firewall (UFW), then open TCP and 
UDP port 53.

 sudo ufw allow 53/tcp
sudo ufw allow 53/udp

If you are using iptables firewall directly, then run the following command.

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dprot 53 -j ACCEPT



Slave DNS Server Configuration

Now we use the other server as the slave DNS server, which
will be named ns2.example.com.

First, edit the named.conf.local file.

sudo nano /etc/bind/named.conf.local

Add a zone like below. Replace 12.34.56.78 with the IP address of the master 
DNS server.

zone "example.com" {
        type slave;
        file "db.example.com";
        allow-query { any; };
        masters { 12.34.56.78; };
};

In the above configuration, we specified that this is a slave DNS server for the
example.com zone and it will accept zone transfers only from a trusted IP 
address.

Save and close the file. Then run the following command to check if there are 
syntax errors in the main configuration file.

sudo named-checkconf

If no errors are found, restart BIND9.

sudo systemctl restart bind9

The zone file on slave DNS server are loaded from a zone transfer, which is used
to synchronize DNS record changes from master DNS server to slave DNS server. 
After BIND9 restarts, zone tranfer will start immediately. Check the BIND9 log 
with the following command.

sudo journalctl -eu bind9

You can see messages like below, which indicates the zone transfer is successful.


named[31518]: transfer of 'example.com/IN' from 12.34.56.78#53: Transfer 
completed: 1 messages, 16 records, 886 bytes, 0.004 secs (221500 bytes/sec)


The zone file will be save as /var/cache/bind/db.example.com.

If you are using the uncomplicated firewall (UFW), then open TCP and UDP port 53.

sudo ufw allow 53/tcp
sudo ufw allow 53/udp

If you are using iptables firewall directly, then run the following command.

 sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT



More about Zone Transfer 

The slave DNS server will contact the master again when the refresh time in SOA
record is reached and if the serial number on the master is greater than that 
on the slave, a zone transfer will be initiated. There are two types of zone 
transfers:

Full zone transfer (AXFR): The full copy of zone file is transferred.
Incremental zone transfer (IXFR): Only DNS records that are changed are 
	transferred.

Both types of zone transfer use TCP port 53. By default, BIND on the slave DNS 
server will request an incremental zone transfer and BIND on the master DNS 
server will only allow incremental zone transfer when the zone is dynamic.

The zone transfer interval is a major factor of the propagation speed of DNS 
record changes. Instead of waiting for the slave DNS server to make contact, 
the BIND master will notify the slave when changes are made to the zone. This 
can considerably reduce the time to propagate zone changes to the Internet.



Reverse Zone

A reverse zone contains PTR record that maps an IP address to a DNS name. It is
the counterpart of DNS A record. PTR record often is necessary for mail servers
to pass spam filters. This record does not belong to a domain. You need to 
create PTR record at your hosting provider’s control panel, or ask your ISP, so
I’m not going to cover creating reverse zones in BIND.

You can create a reverse zone in BIND, but to make it answer the PTR query for 
your own IP address, you need to ask for DNS delegation from your hosting 
provider/ISP. They are very likely to refuse your request, so you might as well
ask them to create the PTR record.



Change NS Record and Create Glue Record

Now you need to go to your domain registrar’s website to change the NS record 
for your domain, so the Internet would know that you are now using your own DNS
server. Normally you use hostnames in the NS record like ns1.example.com and 
ns2.example.com.

name server 1:     ns1.example.com
name server 2:     ns2.example.com 

If you have a domain name example.com and you use a subdomain for the 
authoritative DNS servers (ns1.example.com and ns2.example.com), then you also 
need to create a glue record at your domain registrar, so the Internet can know
the IP address of your DNS server. The glue record is an A record for 
ns1.example.com and ns2.example.com.

ns1.example.com        IP-address-of-master-server
ns2.example.com        IP-address-of-slave-server

The above information will be sent to a registry operator who runs TLD DNS 
servers via the Extensible Provisioning Protocol (EPP), so that TLD DNS servers
know the hostnames and IP addresses of the authoritative DNS servers for your 
domain name. Depending on the domain registrar you use, your NS record might be
propagated instantly, or it might take up to 24 hours to propagate. You can go 
to https://dnsmap.io to check if your new NS record is active.

I will show you how to do this at NameCheap.

If you bought a domain name at NameCheap, then log into your NameCheap account.
Select the Domain list menu on the left sidebar, then click the Manage button 
on the far right.


namecheap personal name servers



Select Advanced DNS. 


namecheap advanced dns

Scroll to the bottom of the page, you will find the personal DNS server section.
Click the Add NameServer button to add your own name servers: ns1.example.com 
and ns2.example.com. You need to enter the IP addresses of your name servers.


namecheap glue records

After adding your two name servers, click the search button to check if they are
added successfully. If so, the glue records will appear at the bottom of this 
page.


namecheap custom DNS record

Now click the Domain tab, and use your custom DNS server.



Depending on the domain registrar you use, your NS record might be propagated 
instantly, or it might take up to 24 hours to propagate. You can go to 
https://dnsmap.io to check if your new NS record is active.

After the NS record and glue record have been propagated to the Internet, your 
DNS servers would be responding to DNS queries for your domain name. You can 
check the query log with:

sudo journalctl -eu bind9

You can also use the dig utility to check the NS record of your domain name.

dig NS example.com

If the NS record and glue record have been propagated to the Internet, you 
should see your name servers in the answer section. If you see the SERVFAIL 
error, it’s probably because you didn’t open UDP port 53 on your name servers.


BIND NS record servfail



Things to Know

The term master DNS server only implies that this server stores the master copy of the zone file. It has no higher priority when it comes to DNS resolution.
Always update the SOA serial number when you make changes to a zone file.




Using Wildcard in BIND Zone File

If you want to point all subdomains to the same IP address, you can use wildcard
to achieve that. For example, the following line will make all your subdomains 
point to 1.2.3.4 IP address.

*.your-domain.com  IN   A   1.2.3.4



Enabling the Resolver

BIND can act as an authoritative DNS server for a zone and a DNS resolver at the
same time. It’s a good practice to separate the two roles on two different hosts
and in this article we disabled the resolver in BIND. If you really want to 
enable the resolver, follow the instructions below.

Edit the BIND configuration file.

sudo nano /etc/bind/named.conf.options

Find the following lines.

// disable recursion on authoritative DNS server. recursion no;


Change them to the following, so only trusted IP address can send recursive 
queries to your DNS resolver and your server won’t be an open resolver.

// allow recursion for trusted clients only.
 recursion yes;
 allow-query { localhost; 12.34.56.78; };

Replace 12.34.56.78 with your own IP address. Save and close the file. Make sure
your zone definition in the /etc/bind/named.conf.local file has the following 
option, so the Internet can query DNS records in your zone.

allow-query { any; };

Then restart BIND.

sudo systemctl restart bind9

Go to https://openresolver.com/ to test if your BIND server is an open resolver.



Wrapping Up

That’s it! I hope this tutorial helped you set up authoritative DNS server on 
Ubuntu with BIND9. As always, if you found this post useful, then subscribe to 
our free newsletter to get more tips and tricks. Take care 🙂