Never Ending Security

How to: Linux DNS Server

Domain Name Service (DNS) is an internet service that maps IP addresses to fully qualified domain names (FQDN) and vice versa.

BIND is an implementation of the Domain Name System (DNS) protocols. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley. In recent years, the word BIND has become, like “radar” and “laser”, more word than acronym.

The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. ‘An implementation of DNS protocols’ means our software distribution contains all of the software necessary for asking and answering name service questions.


Install the bind9 package using the appropriate package management utility for your Linux distribution.

On Debian/Ubuntu flavors, do the following:

$ sudo apt-get install bind9

On Redhat/CentOS/Fedora flavors, do the following:

# yum install bind

All the DNS configurations are stored under /etc/bind directory. The primary configuration is /etc/bind/named.conf which will include other needed files. The file named /etc/bind/db.root describes the root nameservers in the world.

Configure Cache NameServer

The job of a DNS caching server is to query other DNS servers and cache the responses. The next time the same query arrives, it is answered from the cache. The cache is refreshed periodically as records expire. Please note that even though you can configure bind to work both as a Primary and as a Caching server, it is not advised to do so for security reasons.

All we have to do to configure a Cache NameServer is to add your ISP (Internet Service Provider)’s DNS server or an OpenDNS server to the file /etc/bind/named.conf.options. For example, we can use Google’s public DNS servers, and

Uncomment and edit the following line as shown below in /etc/bind/named.conf.options file.

forwarders {
        // replace the two placeholders with the forwarders' IP addresses
        <forwarder-ip-1>;
        <forwarder-ip-2>;
};

After the above change, restart the DNS server.

$ sudo service bind9 restart

Test the Cache NameServer

You can use the dig command to test DNS services. The dig command examples article explains in more detail how to perform DNS lookups.

$ dig

;; Query time: 1323 msec

The second time you execute the same dig query, there should be an improvement in the query time. As you can see below, it took only 3 msec the second time, because the answer now comes from our caching DNS server.

$ dig

;; Query time: 3 msec

Configure Primary/Master Nameserver

Next, we will configure bind9 to be the Primary/Master for the domain/zone “”.

As a first step in configuring our Primary/Master Nameserver, we should add Forward and Reverse resolution to bind9.

To add DNS Forward and Reverse resolution to bind9, edit /etc/bind/named.conf.local and add a zone block for each:

zone "" {
    type master;
    file "/etc/bind/";
};

zone "" {
    type master;
    notify no;
    file "/etc/bind/db.192";
};

Now the file /etc/bind/ will have the details for resolving hostname to IP address for this domain/zone, and the file /etc/bind/db.192 will have the details for resolving IP address to hostname.

Build the Forward Resolution for Primary/Master NameServer

Now we will add the details which are necessary for forward resolution into /etc/bind/

First, copy /etc/bind/db.local to /etc/bind/

$ sudo cp /etc/bind/db.local /etc/bind/

Next, edit /etc/bind/ and make the following changes.

  1. In the line which has SOA: localhost. – This is the FQDN of the server in charge of this domain. I’ve installed bind9 in, whose hostname is “ns”. So replace “localhost.” with “”. Make sure it ends with a dot (.).
  2. In the line which has SOA: root.localhost. – This is the e-mail address of the person who is responsible for this server, written with a dot (.) instead of @. I’ve replaced with
  3. In the line which has NS: localhost. – This defines the name server (NS) for the domain. Change it to the fully qualified domain name of the name server, “”. Make sure you have a “.” at the end.

Next, define the A records and the MX record for the domain. An A record maps a hostname to an IP address, and the MX record tells other mail servers which host accepts mail for this domain.

Once the changes are done, the /etc/bind/ file will look like the following:

$TTL    604800
@   IN  SOA (
             1024       ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
@   IN  NS
    IN  MX  10
ns  IN  A
web IN  A
mail IN A

Build the Reverse Resolution for Primary/Master NameServer

We will add the details which are necessary for reverse resolution to the file /etc/bind/db.192. Copy the file /etc/bind/db.127 to /etc/bind/db.192

$ sudo cp /etc/bind/db.127 /etc/bind/db.192

Next, edit the /etc/bind/db.192 file, making the same changes to the SOA and NS lines as in /etc/bind/

$TTL    604800
@   IN  SOA (
             20         ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
@   IN  NS  ns.

Next, for each A record in /etc/bind/, add a PTR record.

$TTL    604800
@   IN  SOA (
             20     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
@    IN  NS  ns.
5   IN  PTR
7   IN  PTR
6   IN  PTR

Whenever you modify the forward zone file or db.192, you must also increment the “Serial” number, otherwise secondaries will not notice the change. Administrators typically use a DDMMYYSS-style serial and update it appropriately on every modification.
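As an added example (not part of the original article), the following Python script checks two things the steps above leave to the administrator: that every A record in the forward zone has a matching PTR record in db.192 and vice versa, and that an edited zone file actually carries a higher serial than the copy it replaces. The zone name example.com and the 192.168.1.x addresses are assumptions, as is the deliberate "www"/"web" mismatch in the sample reverse zone.

```python
import re

def parse_zone(text):
    """Parse a zone file into (serial, [(owner, type, rdata)]); ';' comments dropped, SOA parens joined."""
    body = re.sub(r";[^\n]*", "", text)
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    serial, records, owner = None, [], "@"
    for m in re.finditer(r"^(\S*)[ \t]+(?:IN[ \t]+)?([A-Z]+)[ \t]+(.*)$", body, re.M):
        owner = m.group(1) or owner               # blank owner inherits the previous one
        rtype, rdata = m.group(2), " ".join(m.group(3).split())
        if rtype == "SOA":
            serial = int(rdata.split()[2])        # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MIN
        records.append((owner, rtype, rdata))
    return serial, records

def cross_check(forward, reverse, origin, rev_prefix):
    """List A records lacking a matching PTR and PTRs lacking a matching A (rev_prefix: first 3 octets)."""
    a = {(f"{origin}." if o == "@" else f"{o}.{origin}.", r)
         for o, t, r in parse_zone(forward)[1] if t == "A"}
    ptr = {(r, f"{rev_prefix}.{o}") for o, t, r in parse_zone(reverse)[1] if t == "PTR"}
    return sorted([f"no PTR for {n} ({ip})" for n, ip in a - ptr] +
                  [f"no A for {n} ({ip})" for n, ip in ptr - a])

def serial_ok(old_zone, new_zone):
    """True only if the edited zone carries a higher serial than the copy it replaces."""
    return parse_zone(new_zone)[0] > parse_zone(old_zone)[0]

# Constructed sample zones in the tutorial's layout; example.com and 192.168.1.x are
# assumptions. The reverse zone deliberately names 192.168.1.6 "www" instead of "web".
FORWARD = """\
$TTL 604800
@   IN SOA ns.example.com. root.example.com. ( 1024 ; Serial
        604800 86400 2419200 604800 )          ; Refresh Retry Expire Neg-TTL
@   IN NS  ns.example.com.
@   IN MX  10 mail.example.com.
ns  IN A   192.168.1.5
web IN A   192.168.1.6
mail IN A  192.168.1.7
"""
REVERSE = """\
@   IN SOA ns.example.com. root.example.com. ( 20 604800 86400 2419200 604800 )
@   IN NS  ns.example.com.
5   IN PTR ns.example.com.
7   IN PTR mail.example.com.
6   IN PTR www.example.com.
"""

if __name__ == "__main__":
    print(*cross_check(FORWARD, REVERSE, "example.com", "192.168.1"), sep="\n")
    print("serial bumped:", serial_ok(FORWARD, FORWARD.replace("1024", "1025")))
```

Running it reports the web/www mismatch on 192.168.1.6 in both directions and confirms that a serial change from 1024 to 1025 is accepted while an unchanged serial is not.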

Finally, restart the bind9 service:

$ sudo service bind9 restart

Test the DNS server

Now we have configured the DNS server for our domain. We will test our DNS server by pinging from

If the ping succeeds, the DNS server has been configured successfully.

You can also use nslookup and dig to test DNS servers.

On server, add the following to /etc/resolv.conf


Now ping,, which should be resolved correctly by the DNS server we just configured.

$ ping

PING ( 56(84) bytes of data.
64 bytes from ( icmp_req=1 ttl=64 time=0.482 ms
64 bytes from ( icmp_req=2 ttl=64 time=0.532 ms