# BIND

## What Is It?
BIND (Berkeley Internet Name Domain) is the most widely deployed DNS server software. It can act as both an authoritative server and a recursive resolver. While this course primarily uses Knot DNS, BIND documentation is kept as a reference since it remains prevalent in the industry.
## Installation

```shell
dnf install bind bind-utils
```
## Key Files and Directories
| Path | Purpose |
|---|---|
| /etc/named.conf | Main configuration |
| /var/named/ | Zone files |
| /var/named/log/ | Log files |
## Default Ports
| Port | Protocol | Purpose |
|---|---|---|
| 53 | TCP/UDP | DNS queries and zone transfers |
## Configuration

### Minimal Working Configuration
The main configuration file /etc/named.conf contains three major sections: options, logging, and zone declarations.
Options block — controls global server behaviour:
```
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-validation no;
    minimal-responses no;
};
```

Key settings:

- `listen-on port 53 { any; }` — listen for DNS queries on all interfaces
- `allow-query { any; }` — accept queries from any source
- `recursion yes` — act as a recursive resolver (resolve external domains on behalf of clients)
- `dnssec-validation no` — disable DNSSEC validation (required when upstream zones are not DNSSEC-signed)
Zone declarations — define which domains this server is authoritative for:
```
zone "example.sysadm.ee" IN {
    type master;
    file "/etc/named/example.sysadm.ee";
    allow-update { none; };
    notify explicit;
};

zone "65.17.172.in-addr.arpa" IN {
    type master;
    file "/etc/named/reverse.example.sysadm.ee";
    allow-update { none; };
};
```
## Zone File Format
A zone file contains resource records for the domain. Example forward zone:
```
$TTL 15M
@       IN  SOA  ns1.example.sysadm.ee. root.example.sysadm.ee. (
            2024030801 ; Serial (YYYYMMDDNN)
            15M        ; Refresh
            5M         ; Retry
            120M       ; Expire
            600 )      ; Negative Cache TTL
@       IN  NS     ns1
@       IN  A      172.17.64.X
ns1     IN  A      172.17.64.X
example IN  A      172.17.64.X
www     IN  CNAME  example.sysadm.ee.
mail    IN  A      172.17.64.X
@       IN  MX 10  mail
```
Example reverse zone (/etc/named/reverse.example.sysadm.ee):
```
$TTL 15M
@   IN  SOA  ns1.example.sysadm.ee. root.example.sysadm.ee. (
        2024030801 ; Serial
        15M        ; Refresh
        5M         ; Retry
        120M       ; Expire
        600 )      ; Negative Cache TTL
@   IN  NS   ns1.example.sysadm.ee.
X   IN  PTR  ns1.example.sysadm.ee.
```
## Important Directives

- `$TTL` - Default time-to-live for all records in the zone. Controls how long resolvers cache records.
- `$ORIGIN` - The base domain name appended to unqualified names. Usually inferred from the zone declaration in `named.conf`.
- `Serial` - Must be incremented every time the zone file is modified. Slave servers compare serials to determine if a zone transfer is needed. Convention: `YYYYMMDDNN`.
- `allow-update { none; }` - Prevents dynamic DNS updates. Critical for security — without this, remote clients could modify your zone.
- `notify explicit` - Only notify explicitly listed slave servers when the zone changes.
- `also-notify { IP; }` - List of additional servers to notify on zone changes (placed in the `options` block).
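As an added example (not code from the course, and not part of BIND), the following Python script parses the SOA record out of a zone file written in the format shown above and applies the serial-number discipline described under `Serial`: it extracts the current serial, checks that it follows the `YYYYMMDDNN` convention, and computes the serial to use for the next edit. The sample zone text is constructed here, with a placeholder host octet in place of the course's `X`; the parser assumes `;` comments and the parenthesised multi-line SOA layout used on this page.

```python
"""Parse the SOA record of a BIND zone file and check serial discipline.

Added example for this page; not part of BIND and not course code. Assumes
';' comments, a parenthesised multi-line SOA as shown above, and the
YYYYMMDDNN serial convention.
"""
import re
from datetime import date

# Constructed sample zone (the course's 172.17.64.X written with a placeholder
# host octet so the file is a normal, loadable zone).
SAMPLE_ZONE = """\
$TTL 15M
@ IN SOA ns1.example.sysadm.ee. root.example.sysadm.ee. (
        2024030801 ; Serial (YYYYMMDDNN)
        15M        ; Refresh
        5M         ; Retry
        120M       ; Expire
        600 )      ; Negative Cache TTL
@   IN NS ns1
ns1 IN A  172.17.64.10
"""


def strip_comments(text):
    """Drop ';' comments so the SOA parentheses can be joined safely."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def join_parentheses(text):
    """Collapse records that span '(' ... ')' onto one logical line."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return out


# owner [ttl] IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_soa(zone_text):
    """Return the SOA fields as a dict, or None if the zone has no SOA."""
    for logical in join_parentheses(strip_comments(zone_text)):
        m = SOA_RE.match(logical)
        if m:
            return {
                "owner": m.group(1), "mname": m.group(2), "rname": m.group(3),
                "serial": int(m.group(4)), "refresh": m.group(5),
                "retry": m.group(6), "expire": m.group(7), "minimum": m.group(8),
            }
    return None


def serial_follows_convention(serial):
    """True if the serial is a ten-digit YYYYMMDDNN value with a real date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[0:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def next_serial(current, today_ymd=None):
    """Serial to use after an edit, following YYYYMMDDNN.

    A serial from an earlier day restarts today's counter at 01; a serial
    from today (or, unexpectedly, the future) is simply incremented, which
    still satisfies the 'always increase' rule slaves rely on.
    """
    today_ymd = today_ymd or date.today().strftime("%Y%m%d")
    base = int(today_ymd) * 100
    return base + 1 if current < base else current + 1


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print("current serial:", soa["serial"],
          "(convention ok)" if serial_follows_convention(soa["serial"]) else "(not YYYYMMDDNN)")
    print("next serial:", next_serial(soa["serial"]))
```

Run it against a real zone with `parse_soa(open("/etc/named/example.sysadm.ee").read())`; if `next_serial` returns a value you did not expect, the serial in the file has probably been edited out of order.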
## Common Commands

```shell
# Check named.conf syntax
named-checkconf

# Check zone file syntax
named-checkzone example.sysadm.ee /etc/named/example.sysadm.ee

# Start/stop/restart the service
systemctl start named
systemctl enable named
systemctl restart named

# Check service status
systemctl status named
journalctl -u named

# Query the local DNS server
dig @127.0.0.1 example.sysadm.ee
dig @127.0.0.1 example.sysadm.ee NS
dig @127.0.0.1 -x 172.17.64.X   # Reverse lookup

# Query for specific record types
dig -t MX example.sysadm.ee
dig -t A www.example.sysadm.ee

# General DNS troubleshooting
nslookup example.sysadm.ee
host 172.17.64.X
```
## Logging and Debugging
BIND supports detailed, channel-based logging configured in named.conf. A typical setup creates separate log files for different concerns:
```
logging {
    channel default_log {
        file "/var/named/log/default" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    channel queries_log {
        file "/var/named/log/queries" versions 600 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    category default { default_syslog; default_debug; default_log; };
    category queries { queries_log; };
};
```
Log directories and files must be owned by the named user/group:
```shell
mkdir -p /var/named/log
chown named:named /var/named/log
touch /var/named/log/{default,queries,auth_servers,zone_transfers,client_security,query-errors}
chown named:named /var/named/log/*
restorecon -Rv /var/named   # Fix SELinux labels
```

Key log files to monitor:

- `/var/named/log/default` — general server messages, zone loading
- `/var/named/log/queries` — all incoming DNS queries
- `/var/named/log/client_security` — client access and security events
- `journalctl -u named` — systemd journal entries
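The `queries` channel above is the file to watch when a server is being used as an open resolver. As an added example (not part of BIND and not course material), this Python script parses query-log lines in the format that channel produces with `print-time`, `print-category` and `print-severity` enabled, counts queries per client and per query type, and flags sources that send many `ANY` queries or an unusual volume, the pattern seen during DNS amplification abuse. The log lines are constructed here (documentation addresses, not real clients) and the thresholds are assumptions to be tuned to the server's normal traffic.

```python
"""Summarise a BIND 'queries' channel log and flag amplification-style
clients. Added example for this page, not a BIND tool. Assumes the log
format produced by the logging block above (time, category and severity
prefixes) and client addresses written as IP#port.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = """\
08-Mar-2024 10:15:01.101 queries: info: client @0x7f3a4c0b1e40 172.17.64.20#53425 (www.example.sysadm.ee): query: www.example.sysadm.ee IN A +E(0) (172.17.64.5)
08-Mar-2024 10:15:01.204 queries: info: client @0x7f3a4c0b1e40 172.17.64.20#53426 (example.sysadm.ee): query: example.sysadm.ee IN MX +E(0) (172.17.64.5)
08-Mar-2024 10:15:02.311 queries: info: client @0x7f3a4c0b2f10 198.51.100.7#41002 (example.sysadm.ee): query: example.sysadm.ee IN ANY +E(0) (172.17.64.5)
08-Mar-2024 10:15:02.312 queries: info: client @0x7f3a4c0b2f10 198.51.100.7#41003 (example.sysadm.ee): query: example.sysadm.ee IN ANY +E(0) (172.17.64.5)
08-Mar-2024 10:15:02.313 queries: info: client @0x7f3a4c0b2f10 198.51.100.7#41004 (example.sysadm.ee): query: example.sysadm.ee IN ANY +E(0) (172.17.64.5)
08-Mar-2024 10:15:02.314 queries: info: client @0x7f3a4c0b2f10 198.51.100.7#41005 (example.sysadm.ee): query: example.sysadm.ee IN ANY +E(0) (172.17.64.5)
08-Mar-2024 10:15:03.001 queries: info: client @0x7f3a4c0b1e40 172.17.64.21#40001 (mail.example.sysadm.ee): query: mail.example.sysadm.ee IN A + (172.17.64.5)
"""

# "client [@0xptr] IP#port (qname): query: qname class type flags (local-addr)"
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) queries: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[^#\s]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dest>[^)]*)\)$"
)


def parse_query_log(text):
    """Return one dict per query line; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarise(records):
    """Queries per client, and per client a Counter of query types."""
    per_client = Counter(r["client"] for r in records)
    per_type = defaultdict(Counter)
    for r in records:
        per_type[r["client"]][r["qtype"].upper()] += 1
    return per_client, per_type


def flag_suspicious(records, any_threshold=3, rate_threshold=10):
    """Clients exceeding an ANY-query count or a total-query count.

    Thresholds are assumptions sized for the constructed sample; tune them to
    the real query volume per log-rotation window before alerting on them.
    """
    per_client, per_type = summarise(records)
    flagged = {}
    for client, total in per_client.items():
        reasons = []
        if per_type[client]["ANY"] >= any_threshold:
            reasons.append(f"{per_type[client]['ANY']} ANY queries")
        if total >= rate_threshold:
            reasons.append(f"{total} queries in window")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for client, reasons in flag_suspicious(recs).items():
        print(client, "->", "; ".join(reasons))
```

On a live server, replace `SAMPLE_LOG` with the contents of `/var/named/log/queries`; a client that trips the `ANY` rule is a good reason to revisit `allow-query` and `allow-recursion` in `named.conf`.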
## Security Considerations

- **Restrict recursion:** In production, limit `allow-query` and `allow-recursion` to trusted networks to prevent your server from being used as an open resolver (DNS amplification attacks).
- **`allow-update { none; }`:** Always set this unless you specifically need dynamic DNS updates.
- **File permissions:** Zone files should be owned by `root:named` with `640` permissions. The `named` process runs as the `named` user.
- **SELinux:** BIND runs in a confined SELinux context. After creating new directories or files, run `restorecon -Rv /var/named` to set correct labels.
- **Serial number discipline:** Always increment the serial when modifying a zone file. Forgetting this means slave servers will not pick up changes.
- **DNSSEC:** Disabled in this course because the upstream `ut.ee` zone is not DNSSEC-signed. In production, enable `dnssec-validation auto` for security.
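As an added example (not a BIND tool and not course code), the Python script below checks a `named.conf` for the first three points above: it extracts the `options` block and each `zone` block brace-aware, then flags a recursive server whose effective recursion ACL is `any`, a disabled `dnssec-validation`, and a primary zone whose `allow-update` is not `{ none; }`. The two configurations it audits are constructed here: the permissive one is this page's minimal configuration, and the restricted one uses an assumed `trusted` ACL for `172.17.64.0/24`. The check follows BIND's documented fallback that `allow-recursion`, when unset, inherits `allow-query`; it does not model `allow-query-cache` or `include` files.

```python
"""Audit named.conf for the Security Considerations listed above.

Added example for this page; not part of BIND. Assumes one options block,
brace-delimited zone blocks, and only looks at allow-query, allow-recursion,
recursion, dnssec-validation, type and allow-update.
"""
import re

# Constructed: the permissive configuration shown earlier on this page.
OPEN_RESOLVER_CONF = """\
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    dnssec-validation no;
};
zone "example.sysadm.ee" IN {
    type master;
    file "/etc/named/example.sysadm.ee";
    allow-update { none; };
};
"""

# Constructed: the same server limited to an assumed 'trusted' ACL, with
# DNSSEC validation enabled.
RESTRICTED_CONF = """\
acl trusted { 172.17.64.0/24; 127.0.0.1; };
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { trusted; };
    allow-recursion { trusted; };
    recursion yes;
    dnssec-validation auto;
};
zone "example.sysadm.ee" IN {
    type master;
    file "/etc/named/example.sysadm.ee";
    allow-update { none; };
};
"""


def strip_comments(conf):
    """Remove /* */, // and # comments."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0] for line in conf.splitlines())


def block_body(conf, header_re):
    """Text inside the braces of the first block whose header matches
    header_re; nested braces are tracked so inner { } do not end it early."""
    m = re.search(header_re + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def list_value(body, directive):
    """Address-match list of a directive, e.g. ['any'], or None if absent."""
    m = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}", body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None


def scalar_value(body, directive):
    """Single-word value of a directive such as 'recursion yes;'."""
    m = re.search(r"\b" + re.escape(directive) + r"\s+([\w-]+)\s*;", body)
    return m.group(1) if m else None


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = strip_comments(conf)
    findings = []
    opts = block_body(conf, r"\boptions") or ""
    recursion = scalar_value(opts, "recursion") or "yes"      # BIND default is yes
    allow_query = list_value(opts, "allow-query")
    allow_recursion = list_value(opts, "allow-recursion")
    if recursion == "yes":
        # Unset allow-recursion falls back to allow-query; if neither is set,
        # BIND's built-in default (localnets; localhost;) is not open.
        effective = allow_recursion if allow_recursion is not None else allow_query
        if effective is not None and "any" in effective:
            findings.append("open resolver: recursion yes with allow-recursion/allow-query of any")
    if scalar_value(opts, "dnssec-validation") not in ("yes", "auto"):
        findings.append("dnssec-validation is not enabled")
    for zm in re.finditer(r'zone\s+"([^"]+)"', conf):
        body = block_body(conf[zm.start():], r'zone\s+"[^"]+"(?:\s+IN)?') or ""
        if scalar_value(body, "type") in ("master", "primary"):
            if list_value(body, "allow-update") != ["none"]:
                findings.append(f"zone {zm.group(1)}: allow-update is not {{ none; }}")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_RESOLVER_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, "->", audit(conf) or "no findings")
```

Pair it with `named-checkconf`: that tool confirms the syntax is valid, while this script flags settings that are valid but unsafe for a server reachable from the internet.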
## Further Reading
- BIND 9 Administrator Reference Manual
- Zytrax DNS Guide — Zone Records
- Wikipedia — Domain Name System
- DNS Record Types
## Related Documentation
- Concepts: DNS
- Technologies: Knot DNS
- SOPs: DNS Management