DNS – BIND9 nameserver configuration – Part3

To his own DNS server on Ubuntu, just have one BIND install:

sudo apt-get install bind9

and configure easily yourself, as shown in the following.

The operation of BIND

The main file /etc/bind/named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

In this file are only 3 other files included, the functionality includes:

The etc/bind/named.CONF.options contains general configuration parameters for the name server, e.g.. whether recursive requests are allowed or whether the data should be propagated to other name servers.

The etc/bind/named.CONF.default-zones includes the reference to the root name server database, which are obtained from a DNS first lookup:

zone "." {
    type hint;
    file "/etc/bind/db.root";

Also contains the configuration, your host for the localhost domain is responsible:

zone "localhost" {
    type master;
    file "/etc/bind/db.local";

and for broadcast and special other IP blocks:

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";

The etc/bind/named.CONF.local is there for all customizations, that should make the user himself:

Setting up a master

zone "example.com" in{
  type master ;
  file "example.com.db" ;
  notify explicit;
  also-notify {; };

This is set, that requests according to the IP address will be answered by example.com itself and the data that is in the file example.com.db. When changes of computers with the IP notifies (because he's probably a slave) and notify only this and not all may have globally defined, what the parameter notify explicit says.

Slave configuration

Slaves have the task to support the master usually for load balancing. You obtain your data from one or more masters:

zone "example.net" in{
   type           slave ;
   master        {};
   file          "slave/example.net.db" ;

This slave supports the computer with the IP in his work, and is responsible for the domain example.NET. He synchronizes his data with the master, If this him via the notify parameters to trigger.


To the debug log file can be specified:

logging {
  channel default-log { file "logs/named.log"; severity debug; print-severity yes; };
   category default    { default-log; };

Create the zone file for the master

Rules: It must be just a SOA Resource record and at least one NS Resource record exist. The SOA RR is usually at the beginning of a zone file.

The file example.com.DB:

$TTL    86400
$ORIGIN example.com.
@    IN    SOA    ns1.example.com. admin.example.com(
                  1        ; Versionsnummer, für die Slaves
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
              86400 )      ; Negative Cache TTL

@                  IN NS ns1.example.com.   ;primärer Nameserver, das ist derselbige, den wir gerade konfigurieren
@                  1800 IN A    ;IPv4-Adresse unseres Servers
@                  1800 IN AAAA 2001:db8::1:2:3:4   ;IPv6-Adresse unseres Servers
ns1.example.com.   1800 IN A    ;IPv4 des primären Nameservers
www                1800 IN A   ;IPv4 der Subdomain www.example.com
mail               1800 IN CNAME www    ;mail.example.com hat dieselbe IPv4 wie die Subdomainwww

There are rules for the syntax of the zone file Wikipedia.

The @ is substituted by $ORIGIN, so our domain.

To all domain, that does not end on a point, appended to the domain:

www 1800 IN A ; IPv4 der Subdomain www.example.com

To the creating and editing of read-only files of the good old text editor can be used (Root rights necessary):

sudo touch example.com.db
sudo gedit example.com.db &

Man kann kontrollieren, ob der Syntax richtig angewendet wurde mit:

named-checkconf named.conf.local


named-checkzone example.com example.com.db


Last step:Restart bind

sudo /etc/init.d/bind9 restart

Now can use the dig command Part1 be tested, that the DNS server is working:

dig example.com

If the section “ANSWER SECTION” is not included, something did not work.

Problems with the zone transfer from the master to the slave

Today, the problem is often, that he may not write the file due to lack of rights (whether it is classic Unix- Write or SELinux/AppArmor).

To do this the write permission for the BIND user from readonly on read/write must be global /etc/AppArmor.d/usr.sbin.named:

The line

etc/bind/** r,

must be changed to

etc/bind/** rw,

In the last step, you must assign group write permissions on the bind folder:

sudo chmod -R 775 /etc/bind

Problems? A recommended tutorial: Configuring BIND9 master / Slave on Ubuntu.

There is a safe configuration template for Bind9 here.


DNS – Basics with dig – Part1

DNS name resolution with name servers - part 2

DNS - Bind9 nameserver configuration - part 3

  1. In this guide, we will discuss how to install and configure the Bind9 DNS server as authoritative-only DNS servers on Ubuntu 14.04 machines. We will set these up two Bind servers for our domain in a master-slave configuration.