@ IN NS ns .
10 IN PTR ns . example . com .
TheSerial Number in the Reverse zone needs to be incremented on each change as well. For eachA record you configure in /etc/bind/db.example.com, that is for a different address, you need to create aPTR record in /etc/bind/db.192.
After creating the reverse zone file restart BIND9:
sudo s y s t e m c t l r e s t a r t bind9 . s e r v i c e
Secondary Server
Once aPrimary Serverhas been configured aSecondary Server is highly recommended in order to maintain the availability of the domain should the Primary become unavailable.
First, on the Primary server, the zone transfer needs to be allowed. Add the allow−transfer option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local:
zone ” example . com” { type master ;
f i l e ”/ e t c / bind /db . example . com ” ; a l l o w−t r a n s f e r { 1 9 2 . 1 6 8 . 1 . 1 1 ; } ; } ;
zone ” 1 . 1 6 8 . 1 9 2 . in−addr . arpa ” { type master ;
f i l e ”/ e t c / bind /db . 1 9 2 ” ;
a l l o w−t r a n s f e r { 1 9 2 . 1 6 8 . 1 . 1 1 ; } ; } ;
Note
Replace 192.168.1.11 with the IP Address of your Secondary nameserver.
Restart BIND9 on the Primary server:
sudo s y s t e m c t l r e s t a r t bind9 . s e r v i c e
Next, on the Secondary server, install the bind9 package the same way as on the Primary. Then edit the /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:
zone ” example . com” { type s l a v e ;
f i l e ”db . example . com ” ; m a s t e r s { 1 9 2 . 1 6 8 . 1 . 1 0 ; } ; } ;
zone ” 1 . 1 6 8 . 1 9 2 . in−addr . arpa ” { type s l a v e ;
f i l e ”db . 1 9 2 ” ;
m a s t e r s { 1 9 2 . 1 6 8 . 1 . 1 0 ; } ; } ;
Note
Replace 192.168.1.10 with the IP Address of your Primary nameserver.
Restart BIND9 on the Secondary server:
sudo s y s t e m c t l r e s t a r t bind9 . s e r v i c e
In /var/log/syslog you should see something similar to the following (some lines have been split to fit the format of this document):
c l i e n t 1 9 2 . 1 6 8 . 1 . 1 0 # 3 9 4 4 8 : r e c e i v e d n o t i f y f o r zone ’ 1 . 1 6 8 . 1 9 2 . in−addr . arpa ’ zone 1 . 1 6 8 . 1 9 2 . in−addr . arpa /IN : T r a n s f e r s t a r t e d .
t r a n s f e r o f ’ 1 0 0 . 1 8 . 1 7 2 . in−addr . arpa /IN ’ from 1 9 2 . 1 6 8 . 1 . 1 0 # 5 3 : c o n n e c t e d u s i n g 1 9 2 . 1 6 8 . 1 . 1 1 # 3 7 5 3 1
zone 1 . 1 6 8 . 1 9 2 . in−addr . arpa /IN : t r a n s f e r r e d s e r i a l 5
t r a n s f e r o f ’ 1 0 0 . 1 8 . 1 7 2 . in−addr . arpa /IN ’ from 1 9 2 . 1 6 8 . 1 . 1 0 # 5 3 : T r a n s f e r completed : 1 messages ,
6 r e c o r d s , 212 bytes , 0 . 0 0 2 s e c s ( 1 0 6 0 0 0 b y t e s / s e c )
zone 1 . 1 6 8 . 1 9 2 . in−addr . arpa /IN : s e n d i n g n o t i f i e s ( s e r i a l 5 )
c l i e n t 1 9 2 . 1 6 8 . 1 . 1 0 # 2 0 3 2 9 : r e c e i v e d n o t i f y f o r zone ’ example . com ’ zone example . com/IN : T r a n s f e r s t a r t e d .
t r a n s f e r o f ’ example . com/IN ’ from 1 9 2 . 1 6 8 . 1 . 1 0 # 5 3 : c o n n e c t e d u s i n g 1 9 2 . 1 6 8 . 1 . 1 1 # 3 8 5 7 7
zone example . com/IN : t r a n s f e r r e d s e r i a l 5
t r a n s f e r o f ’ example . com/IN ’ from 1 9 2 . 1 6 8 . 1 . 1 0 # 5 3 : T r a n s f e r completed : 1 messages ,
8 r e c o r d s , 225 bytes , 0 . 0 0 2 s e c s ( 1 1 2 5 0 0 b y t e s / s e c ) Note
Note: A zone is only transferred if the Serial Number on the Primary is larger than the one on the Secondary. If you want to have your Primary DNS notifying other Secondary DNS Servers of zone changes, you can add also−notify { ipaddress; }; to /etc/bind/named.conf.local as shown in the example below:
zone ” example . com” { type master ;
f i l e ”/ e t c / bind /db . example . com ” ; a l l o w−t r a n s f e r { 1 9 2 . 1 6 8 . 1 . 1 1 ; } ; a l s o−n o t i f y { 1 9 2 . 1 6 8 . 1 . 1 1 ; } ; } ;
zone ” 1 . 1 6 8 . 1 9 2 . in−addr . arpa ” { type master ;
f i l e ”/ e t c / bind /db . 1 9 2 ” ;
a l l o w−t r a n s f e r { 1 9 2 . 1 6 8 . 1 . 1 1 ; } ; a l s o−n o t i f y { 1 9 2 . 1 6 8 . 1 . 1 1 ; } ; } ;
Note
The default directory for non-authoritative zone files is /var/cache/bind/. This directory is also configured in AppArmor to allow the named daemon to write to it. For more information on AppArmor see Security - AppArmor.
Troubleshooting
This section covers diagnosing problems with DNS and BIND9 configurations.
Testing
resolv.conf
The first step in testing BIND9 is to add the nameserver’s IP Address to a hosts resolver. The Primary nameserver should be configured as well as another host to double check things. Refer to DNS client configuration for details on adding nameserver addresses to your network clients. In the end your nameserver line in /etc/resolv .conf should be pointing at 127.0.0.53 and you should have a search parameter for your domain. Something like this:
nameserver 1 2 7 . 0 . 0 . 5 3 s e a r c h example . com
To check which DNS server your local resolver is using, run:
systemd−r e s o l v e −−s t a t u s Note
You should also add the IP Address of the Secondary nameserver to your client configuration in case the Primary becomes unavailable.
dig
If you installed the dnsutils package you can test your setup using the DNS lookup utility dig:
• After installing BIND9 use dig against the loopback interface to make sure it is listening on port 53.
From a terminal prompt:
d i g −x 1 2 7 . 0 . 0 . 1
You should see lines similar to the following in the command output:
; ; Query time : 1 msec
; ; SERVER: 1 9 2 . 1 6 8 . 1 . 1 0 # 5 3 ( 1 9 2 . 1 6 8 . 1 . 1 0 )
• If you have configured BIND9 as a Caching nameserver “dig” an outside domain to check the query time:
d i g ubuntu . com
Note the query time toward the end of the command output:
; ; Query time : 49 msec
After a second dig there should be improvement:
; ; Query time : 1 msec
ping
Now to demonstrate how applications make use of DNS to resolve a host name use the ping utility to send an ICMP echo request:
p i n g example . com
This tests if the nameserver can resolve the name ns.example.com to an IP Address. The command output should resemble:
PING ns . example . com ( 1 9 2 . 1 6 8 . 1 . 1 0 ) 5 6 ( 8 4 ) b y t e s o f data . 64 b y t e s from 1 9 2 . 1 6 8 . 1 . 1 0 : icmp_seq=1 t t l =64 time =0.800 ms 64 b y t e s from 1 9 2 . 1 6 8 . 1 . 1 0 : icmp_seq=2 t t l =64 time =0.813 ms
named-checkzone
A great way to test your zone files is by using the named−checkzone utility installed with the bind9 package.
This utility allows you to make sure the configuration is correct before restarting BIND9 and making the changes live.
• To test our example Forward zone file enter the following from a command prompt:
named−c h e c k z o n e example . com / e t c / bind /db . example . com If everything is configured correctly you should see output similar to:
zone example . com/IN : l o a d e d s e r i a l 6 OK
• Similarly, to test the Reverse zone file enter the following:
named−c h e c k z o n e 1 . 1 6 8 . 1 9 2 . in−addr . arpa / e t c / bind /db . 1 9 2 The output should be similar to:
zone 1 . 1 6 8 . 1 9 2 . in−addr . arpa /IN : l o a d e d s e r i a l 3 OK
Note
TheSerial Numberof your zone file will probably be different.
Quick temporary query logging
With the rndc tool, you can quickly turn query logging on and off, without restarting the service or changing the configuration file.
To turn query logging on, run:
sudo rndc q u e r y l o g on Likewise, to turn it off, run:
sudo rndc q u e r y l o g o f f
The logs will be sent to syslog and will show up in /var/log/syslog by default:
Jan 20 1 9 : 4 0 : 5 0 new−n1 named [ 8 1 6 ] : r e c e i v e d c o n t r o l c h a n n e l command ’ q u e r y l o g on ’
Jan 20 1 9 : 4 0 : 5 0 new−n1 named [ 8 1 6 ] : query l o g g i n g i s now on
Jan 20 1 9 : 4 0 : 5 7 new−n1 named [ 8 1 6 ] : c l i e n t @0x7f48ec101480 1 9 2 . 1 6 8 . 1 . 1 0 # 3 6 1 3 9 ( ubuntu . com ) : query : ubuntu . com IN A +E( 0 )K ( 1 9 2 . 1 6 8 . 1 . 1 0 )
Note
The amount of logs generated by enabling querylog could be huge!
Logging
BIND9 has a wide variety of logging configuration options available, but the two main ones arechanneland category, which configure where logs go, and what information gets logged, respectively.
If no logging options are configured the default configuration is:
l o g g i n g {
c a t e g o r y d e f a u l t { d e f a u l t _ s y s l o g ; de f a u l t _ d e b u g ; } ; c a t e g o r y unmatched { n u l l ; } ;
} ;
Let’s instead configure BIND9 to senddebugmessages related to DNS queries to a separate file.
We need to configure achannelto specify which file to send the messages to, and acategory. In this example, thecategorywill log all queries. Edit /etc/bind/named.conf.local and add the following:
l o g g i n g {
c h a n n e l query . l o g {
f i l e ”/ var / l o g /named/ query . l o g ” ; s e v e r i t y debug 3 ;
} ;
c a t e g o r y q u e r i e s { query . l o g ; } ; } ;
Note
Thedebugoption can be set from 1 to 3. If a level isn’t specified, level 1 is the default.
• Since thenamed daemonruns as thebind user the /var/log/named directory must be created and the ownership changed:
sudo mkdir / var / l o g /named
sudo chown bind : bind / var / l o g /named
• Now restart BIND9 for the changes to take effect:
sudo s y s t e m c t l r e s t a r t bind9 . s e r v i c e
You should see the file /var/log/named/query.log fill with query information. This is a simple example of the BIND9 logging options. For coverage of advanced options see More Information.
References
Common Record Types
This section covers some of the most common DNS record types.
• A record: This record maps an IP Address to a hostname.
www IN A 1 9 2 . 1 6 8 . 1 . 1 2
• CNAME record: Used to create an alias to an existing A record. You cannot create a CNAME record pointing to another CNAME record.
web IN CNAME www
• MX record: Used to define where email should be sent to. Must point to an A record, not a CNAME.
@ IN MX 1 m a i l . example . com . m a i l IN A 1 9 2 . 1 6 8 . 1 . 1 3
• NS record: Used to define which servers serve copies of a zone. It must point to an A record, not a CNAME. This is where Primary and Secondary servers are defined.
@ IN NS ns . example . com .
@ IN NS ns2 . example . com .
ns IN A 1 9 2 . 1 6 8 . 1 . 1 0 ns2 IN A 1 9 2 . 1 6 8 . 1 . 1 1 More Information
• Upstream BIND9 Documentation
• Bind9.net has links to a large collection of DNS and BIND9 resources.
• DNS and BIND is a popular book now in it’s fifth edition. There is now also a DNS and BIND on IPv6 book.
• A great place to ask for BIND9 assistance, and get involved with the Ubuntu Server community, is the
#ubuntu-server IRC channel on freenode.