Authoritative DNS Server BIND9 Content DNS Linux Ubuntu Ubuntu Server

Set Up Authoritative DNS Server on Ubuntu 18.04, 16.04 with BIND9

BIND version number and build option

This tutorial will probably be displaying you the way to arrange and run your personal authoritative identify server on Ubuntu 18.04/16.04 with the widely-used BIND 9 software program.

What’s An Authoritative DNS Server?

In case you personal a website identify and need your personal DNS server to deal with identify decision on your area identify as an alternative of utilizing your area registrar’s DNS server, then you will want to arrange an authoritative DNS server.

An authoritative DNS server is utilized by area identify house owners to retailer DNS data. It offers authoritative solutions to DNS resolvers (like eight.eight.eight.eight or, which question DNS data on behalf of finish customers on PC, smartphone or pill.

About BIND

BIND (Berkeley Web Identify Area) is an open-source, versatile and full-featured DNS software program extensively used on Unix/Linux as a consequence of it’s stability and top quality. It’s initially developed by UC Berkeley, and later in 1994 its improvement was moved to Web Techniques Consortium, Inc (ISC).

BIND can act as an authoritative DNS server for a zone and a DNS resolver on the similar time. A DNS resolver can be referred to as a recursive identify server as a result of it performs recursive lookups for native shoppers. Nevertheless, taking two roles on the similar time isn’t advantageous. It’s a superb follow to separate the 2 roles on two totally different machines.

In a earlier article, I defined the steps of establishing an area DNS resolver on Ubuntu 18.04/16.04. This tutorial will present you easy methods to arrange BIND9 on Ubuntu 18.04/16.04 as an authoritative-only DNS server with recursion disabled.


To comply with this tutorial, you must have already purchased a website identify. I registered my area identify at NameCheap as a result of the worth is low they usually give whois privateness safety free for all times.

You additionally want two servers. One server is for the grasp DNS server and the opposite is for the slave DNS server. Ideally the 2 servers must be at totally different bodily places. If one DNS server is offline, the opposite DNS server can nonetheless response to DNS queries in your area identify.

Every server wants solely 512MB RAM and listed here are the internet hosting suppliers that I like to recommend. I’ve used all of them.

  • Vultr (Begin at $2.5/month. Bank card required)
  • DigitalOcean (Begin at $5/month. No bank card is required. You should use Paypal).
  • Linode (Begin at $5/month. Bank card required)

After you have purchased two servers, set up Ubuntu on them and comply with the directions under.

Set up Authoritative DNS Server on Ubuntu 18.04/16.04 with BIND9

You must run instructions on this part on each servers.

Log into the 2 servers by way of SSH and run the next instructions to put in BIND 9 on Ubuntu 18.04/16.04 from the default repository. BIND 9 is the present model and BIND 10 is a lifeless undertaking.

sudo apt replace
sudo apt set up bind9 bind9utils bind9-doc

Verify model quantity.

named -v

Pattern output:

BIND 9.11.Three-1ubuntu1.Three-Ubuntu (Prolonged Help Model) <id:a375815>

To examine the model quantity and construct choices, run

named -V

BIND version number and build option

By default, BIND mechanically begins after set up.You verify its standing with:

systemctl standing bind9

bind 9 ubuntu 18.04 server

If it’s not operating, then begin it with:

sudo systemctl begin bind9

And allow auto begin at boot time:

sudo systemctl allow bind9

The BIND server will run because the bind consumer, which is created throughout set up, and listens on TCP and UDP port 53, as could be seen by operating the next command:

sudo netstat -lnptu | grep named

ubuntu 18.04 bind9 setup

The BIND daemon is known as named. (A daemon is a bit of software program that runs within the background.) The named binary is put in by the bind9 package deal and there’s one other necessary binary: rndc, the distant identify daemon controller, which is put in by the bind9utils package deal. The rndc binary is used to reload/cease and management different points of the BIND daemon. Communication is completed over TCP port 953.

For instance, we will examine the standing of the BIND identify server.

sudo rndc standing

remote name daemon controller

The primary BIND configuration file /and so forth/bind/named.conf sources the settings from Three different information.

  • /and so on/bind/named.conf.choices
  • /and so forth/bind/named.conf.native
  • /and so forth/bind/named.conf.default-zones

Out of the field, the BIND9 server on Ubuntu supplies recursive service for localhost and native community shoppers. Since we’re establishing an authoritative DNS server, we have to disable recursion. Edit the /and so forth/bind/namd.conf.choices file.

sudo nano /and so forth/bind/named.conf.choices

Add the next strains to this file.

// cover model quantity from shoppers for safety causes.
model “not currently available”;

// disable recursion on authoritative DNS server.
recursion no;

// allow the question log
querylog sure;

// disallow zone switch
allow-transfer none; ;

Technically talking, you solely want so as to add recursion no; to disable recursion, nevertheless it’s a great follow so as to add the opposite Three directives. Save and shut the file. Then restart BIND.

sudo systemctl restart bind9

Grasp DNS Server Configuration

Decide one of many two servers because the grasp DNS server. We’ll identify it

The grasp DNS server holds the grasp copy of the zone file. Modifications of DNS data are made on this server. A website can have a number of DNS zones. Every DNS zone has a zone file which accommodates each DNS report in that zone. For simplicity’s sake, this text assumes that you simply need to use a single DNS zone to handle all DNS data on your area identify.

The /and so forth/bind/named.conf.default-zones file defines the basis zone and localhost zone. So as to add a zone in your area identify, edit /and so forth/bind/named.conf.native file.

sudo nano /and so forth/bind/named.conf.native

Add the next strains to this file. Substitute with your personal area identify. Substitute with the IP tackle of slave DNS server.

zone “”
sort grasp;
file “/etc/bind/”;
allow-transfer; ;

Within the above configuration, we created a brand new zone with the zone clause and we specified that that is the grasp zone. The zone file is /and so forth/bind/, the place we’ll add DNS data. Zone switch can be solely allowed for the slave DNS server.

As an alternative of making a zone file from scratch, we will use a zone template file. Copy the content material of db.empty to a brand new file.

sudo cp /and so on/bind/db.empty /and so on/bind/

A zone file can include Three kinds of entries:

  • Feedback: begin with a semicolon (;)
  • Directives: begin with a greenback signal ($)
  • Useful resource Data: aka DNS data

A zone file sometimes consists of the next varieties of DNS data.

  • The SOA (Begin of Authority) document: defines the important thing traits of a zone. It’s the primary DNS report within the zone file and is obligatory.
  • NS (Identify Server) report: specifies which servers are used to retailer DNS data and reply DNS queries for a website identify. There have to be at the least two NS document in a zone file.
  • MX (Mail Exchanger) report: specifies which hosts are liable for e mail supply for a website identify.
  • A (Handle) document: Converts DNS names into IPv4 addresses.
  • AAAA (Quad A) document: Converts DNS names into IPv6 addresses.
  • CNAME document (Canonical Identify): It’s used to create alias for a DNS identify.
  • TXT report: SPF, DKIM, DMARC, and so forth.

Now let’s edit the zone file.

sudo nano /and so forth/bind/

By default, it seems like this:

BIND9 zone transfer ubuntu

You possibly can change it to this as an alternative.

bind9 master zone file

The place

  • The $TTL directive defines the default Time to Stay worth for the zone, which is the time a DNS report may be cached on a DNS resolver. This directive is obligatory. The time is laid out in seconds.
  • The $ORIGIN directive defines the bottom area.
  • Domains should finish with a dot (.), which is the basis area. When a website identify ends with a dot, it’s a absolutely certified area identify (FQDN).
  • The @ image references to the bottom area.
  • IN is the DNS class. It stands for Web. Different DNS courses exist however are not often used.

The primary document in a zone file is the SOA (Begin of Authority) document. This document accommodates the next info:

  • The grasp DNS server.
  • E-mail handle of the zone administrator. RFC 2142 recommends the e-mail handle [email protected]. Within the zone file, this e mail tackle takes this type: as a result of the @ image has particular which means in zone file.
  • Zone serial quantity. The serial quantity is a approach of monitoring modifications in zone by the slave DNS server. By conference, the serial quantity takes a date format: yyyymmddss, the place yyyy is the four-digit yr quantity, mm is the month, dd is the day, and ss is the sequence quantity for the day. You need to replace the serial quantity when modifications are made to the zone file.
  • Refresh worth. When the refresh worth is reached, the slave DNS server will attempt to learn of the SOA document from the grasp DNS server. If the serial quantity turns into larger, a zone switch is initiated.
  • Retry worth. Defines the retry interval in seconds if the slave DNS server fails to hook up with the grasp DNS server.
  • Expiry: If the slave DNS server has been failing to make contact with grasp DNS server for this period of time, the slave will cease responding to DNS queries for this zone.
  • Destructive cache TTL: Defines the time to stay worth of DNS responses for non-existent DNS names (NXDOMAIN).

TXT data are often enclosed in double quotes. When you add DKIM document, you additionally want to surround the worth with parentheses.

Save and shut the file. Then run the next command to examine if there are syntax errors in the primary configuration file. A silent output signifies no errors are discovered.

sudo named-checkconf

Then examine the syntax of zone information.

sudo named-checkzone /and so forth/bind/

If no errors are discovered, then restart BIND9.

sudo systemctl restart bind9

In case you are utilizing the uncomplicated firewall (UFW), then open TCP and UDP port 53.

sudo ufw permit 53/tcp

sudo ufw permit 53/udp

In case you are utilizing iptables firewall instantly, then run the next command.

sudo iptables -A INPUT -p tcp –dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp –dprot 53 -j ACCEPT

Slave DNS Server Configuration

Now we use the opposite server because the slave DNS server, which will probably be named

First, edit the named.conf.native file.

sudo nano /and so on/bind/named.conf.native

Add a zone like under. Substitute with the IP tackle of the grasp DNS server.

zone “”
sort slave;
file “”;
masters; ;

Within the above configuration, we specified that this can be a slave DNS server for the zone and it’ll settle for zone transfers solely from a trusted IP tackle.

Save and shut the file. Then run the next command to verify if there are syntax errors in the primary configuration file.

sudo named-checkconf

If no errors are discovered, restart BIND9.

sudo systemctl restart bind9

The zone file on slave DNS server are loaded from a zone switch, which is used to synchronize DNS report modifications from grasp DNS server to slave DNS server. After BIND9 restarts, zone tranfer will begin instantly. Verify the BIND9 log with the next command.

sudo journalctl -eu bind9

You possibly can see messages like under, which signifies the zone switch is profitable.

named[31518]: switch of ‘’ from Switch accomplished: 1 messages, 16 data, 886 bytes, zero.zero04 secs (221500 bytes/sec)

The zone file can be save as /var/cache/bind/

In case you are utilizing the uncomplicated firewall (UFW), then open TCP and UDP port 53.

sudo ufw permit 53/tcp

sudo ufw permit 53/udp

In case you are utilizing iptables firewall instantly, then run the next command.

sudo iptables -A INPUT -p tcp –dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp –dprot 53 -j ACCEPT

Extra about Zone Switch

The slave DNS server will contact the grasp once more when the refresh time in SOA document is reached and if the serial quantity on the grasp is bigger than that on the slave, a zone switch can be initiated. There are two kinds of zone transfers:

  • Full zone switch (AXFR): The complete copy of zone file is transferred.
  • Incremental zone switch (IXFR): Solely DNS data which are modified are transferred.

Each varieties of zone switch use TCP port 53. By default, BIND on the slave DNS server will request an incremental zone switch and BIND on the grasp DNS server will solely permit incremental zone switch when the zone is dynamic.

The zone switch interval is a significant factor of the propagation velocity of DNS document modifications. As an alternative of ready for the slave DNS server to make contact, the BIND grasp will notify the slave when modifications are made to the zone. This will significantly scale back the time to propagate zone modifications to the Web.

Reverse Zone

A reverse zone incorporates PTR report that map an IP tackle to a DNS identify. It’s the counterpart of DNS A document. PTR document typically is important for mail servers to cross spam filters. This document doesn’t belong to a website. It’s essential to create PTR report at your internet hosting supplier’s management panel, or ask your ISP, so I’m not going to cowl creating reverse zones in BIND.

Creating Glue Document

In case you have a website identify and you employ a subdomain for the authoritative DNS servers ( and, then you’ll want to create a glue report at your area registrar. The glue document is an A report for and After creating glue report, change the identify server at your area registrar’s management panel.

The above info might be despatched to a registry operator who runs TLD DNS servers by way of the Extensible Provisioning Protocol (EPP), in order that TLD DNS servers know the identify and IP addresses of the authoritative DNS servers on your area identify.

After the glue document and NS document have been propagated to the Web, you DNS servers can be responding to DNS queries on your area identify. You’ll be able to examine the question log with:

sudo journalctl -eu bind9

Issues to Know

  • The time period grasp DNS server solely implies that this server shops the grasp copy of the zone file. It has no greater precedence with regards to DNS decision.
  • All the time replace the SOA serial quantity once you make modifications to a zone file.

That’s it! I hope this tutorial helped you arrange authoritative DNS server on Ubuntu 18.04 and Ubuntu 16.04 with BIND9. As all the time, should you discovered this publish helpful, then subscribe to our free publication to get extra ideas and tips. Take care ?

Fee this tutorial

[Total: 0 Average: 0]

(perform(d, s, id)
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); = id;
js.src = “//”;
fjs.parentNode.insertBefore(js, fjs);
(doc, ‘script’, ‘facebook-jssdk’));