BIND (Berkeley Internet Name Domain) is the open-source and most widely deployed DNS server implementation; it resolves DNS names to IP addresses and vice versa.
Installing in Linux Ubuntu:
sudo apt-get install bind9
Stop / Start / Restart Bind9:
sudo /etc/init.d/bind9 stop/start/restart
View installed version:
named -v
To use the local DNS server, add the following line to /etc/resolv.conf:
nameserver 127.0.0.1
Edit the configuration files in the /etc/bind/ directory as needed.
Open the configuration file named.conf.options, for example in the text editor nano:
sudo nano /etc/bind/named.conf.options
First, add an ACL listing the networks that will be allowed to query the DNS server:
acl localclients {
    localhost;
    localnets;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};
In the options block, reference this ACL in the directives that control who may send queries and who may use recursion:
allow-recursion { localclients; };
allow-query { localclients; };
allow-query-cache { localclients; };
If you do not specify “allow-recursion” in the configuration, then for security reasons, starting with BIND 9.4.1-P1, the default value of this parameter is “localnets; localhost;”, so the server will not act as a publicly accessible recursive resolver.
You can specify the IP addresses on which bind9 will listen:
listen-on {
    127.0.0.1;
    192.168.1.1;
};
Or on all addresses:
listen-on { any; };
Alternatively, you can list the addresses for which recursion is allowed directly, so that the DNS server does not serve recursive requests from all clients but only from those listed (all other addresses will only be able to obtain the information for the zones hosted on this server):
allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/16; };
Specify how much RAM may be used for the cache (the default is 90%):
max-cache-size 50%;
The syntax of the configuration can be checked with the following command (if it prints nothing, the configuration is in order):
named-checkconf
Apply the changes:
sudo rndc reload
or:
sudo /etc/init.d/bind9 restart
Verification:
rndc status
netstat -lnp | grep :53
sudo ps -ax | grep bind
From Windows, you can check with the following command (where 192.168.1.1 is the address of the bind9 server):
nslookup example.com 192.168.1.1
You can clear the cache of the DNS server with:
sudo rndc flush
Dump the cache to a file (in /var/cache/bind/):
sudo rndc dumpdb
I recommend checking the installed DNS server at dnsflagday.net
See also my articles:
- Configuring Bind9 logs
- Setting up a DNS zone
- How to set up RPZ in Bind9 (site blocking)
- IPTables rules for DNS
- Configure the PTR record
- Configuring Fail2Ban for Bind9
- Description of DNS Amplification Attacks
- Dnstop – monitoring of requests to the DNS server