BIND – Installation and Configuration on Linux

BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. The name stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley. It is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.

This article will show you how to install BIND in Linux and configure it to resolve domain names.

1. Installation

If you are using CentOS, you can use the yum command to install BIND and its utilities package.

yum install bind bind-utils -y

To install the above packages in Debian/Ubuntu, you can use the apt-get method.

apt-get install bind9 bind9utils bind9-doc dnsutils

2. Configuration

The next step is to configure BIND. A configuration file is already in place; we just need to make a few modifications.

Open the /etc/named.conf file in your favorite editor. My favorite is nano.

nano -w /etc/named.conf

// named.conf for Red Hat caching-nameserver
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    recursion no;
    pid-file "/var/run/named/";
    allow-transfer { none; };
};

// a caching only nameserver config
controls {
    inet allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
    type master;
    file "";
    allow-update { none; };
};

zone "" IN {
    type master;
    file "/var/named/";
    allow-update { none; };
};

zone "" IN {
    type master;
    file "/var/named/0.168.192.rev";
    allow-update { none; };
};

include "/etc/rndc.key";

Please note that recursion is set to "yes" by default in the configuration file. You have to change it to "no" to prevent your server from being abused in "reflection" DDoS attacks. Also note that I have added a zone for the domain in the named.conf file. Save the file and restart BIND using the following command:

/etc/init.d/named restart

Add the named service in startup so that it starts whenever the server reboots.

chkconfig named on
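As an added check that is not part of the original article, the following Python script audits the options block of a named.conf for the two settings discussed above, recursion and allow-transfer. The two configuration fragments and the zone name example.test are constructed placeholders, not a live server's files:

```python
import re

# Constructed named.conf fragments (not from a live system). The first keeps the
# shipped default "recursion yes"; the second is the hardened form shown above.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;            // open resolver: abusable for reflection DDoS
    // allow-transfer { none; };   commented out, so it must not count
};
zone "example.test" IN { type master; file "example.test.zone"; };
"""
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };
};
zone "example.test" IN { type master; file "example.test.zone"; };
"""

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    """Return the body of the global options { ... } block ('' if absent)."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):          # walk braces to the matching close
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return text[start:]

def directive(block, name):
    """Value of 'name ...;' in a block, brace lists included, or None if unset."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"\s+([^;]*?\{[^}]*\}|[^;]*);"
    m = re.search(pattern, block)
    return " ".join(m.group(1).split()) if m else None

def audit(conf):
    """Findings for the settings the article tells you to change."""
    opts = options_block(strip_comments(conf))
    findings = []
    if directive(opts, "recursion") != "no" and directive(opts, "allow-recursion") is None:
        findings.append("recursion enabled for any client (reflection risk)")
    if directive(opts, "allow-transfer") is None:
        findings.append("allow-transfer not restricted (set it to none as above)")
    return findings
```

Running audit() over a real /etc/named.conf before the restart catches a forgotten "recursion no" without waiting for someone else to notice.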

3. Add DNS Zone file

The next step is to add the DNS zone file for the domain. I will again use my favorite editor to create and edit the zone file; you can of course use any editor of your choice.

nano -w /var/named/

Add the following to the zone file:

$TTL    86400
@       IN      SOA     (
                        100     ; serial
                        1H      ; refresh
                        1M      ; retry
                        1W      ; expiry
                        1D )    ; minimum
@       IN      NS
@       IN      A
ns1     IN      A
@       IN      MX      10
mail    IN      A
www     IN      A
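Before reloading, it is worth sanity-checking a zone file in this layout. The following is an added example, not code from the article: it parses the SOA timers (with BIND's H/M/W/D suffixes) and verifies that NS and MX targets have an address record in the zone. The domain example.test and its addresses are constructed placeholders.

```python
import re

# Constructed zone for the placeholder domain example.test, in the layout above.
ZONE = """\
$TTL 86400
@    IN  SOA ns1.example.test. hostmaster.example.test. (
         100 ; serial
         1H  ; refresh
         1M  ; retry
         1W  ; expiry
         1D ) ; minimum
@    IN  NS  ns1
@    IN  A   192.0.2.10
ns1  IN  A   192.0.2.10
@    IN  MX  10 mail
mail IN  A   192.0.2.20
www  IN  A   192.0.2.10
"""
# Same zone with two typical mistakes: retry longer than refresh, NS without an A record.
BROKEN_ZONE = ZONE.replace("1M  ; retry", "2H  ; retry").replace("NS  ns1", "NS  ns2")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_seconds(value):
    """Convert a BIND time value (86400, 1H, 1W, 2h30m) to seconds."""
    return sum(int(n) * UNITS.get(u, 1) for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def records(zone):
    """Yield (owner, type, rdata) tuples; comments dropped, SOA parentheses joined."""
    text = re.sub(r";[^\n]*", "", zone)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    for line in text.splitlines():
        tok = line.split()
        if tok and not tok[0].startswith("$") and "IN" in tok:
            i = tok.index("IN")
            yield tok[0], tok[i + 1], tok[i + 2:]

def check_zone(zone):
    """Return problems: SOA timer ordering and NS/MX targets with no address in the zone."""
    recs = list(records(zone))
    addressed = {owner for owner, rtype, _ in recs if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in recs:
        if rtype == "SOA":                      # rdata: mname rname serial refresh retry expire minimum
            refresh, retry, expire = (ttl_seconds(v) for v in rdata[3:6])
            if retry >= refresh:
                problems.append("SOA retry must be shorter than refresh")
            if expire <= refresh:
                problems.append("SOA expire must be longer than refresh")
        elif rtype in ("NS", "MX"):
            target = rdata[-1]                  # relative names must have an address here
            if not target.endswith(".") and target not in addressed:
                problems.append("%s target %s has no A/AAAA record in the zone" % (rtype, target))
    return problems
```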

We will now reload the named service again. Note that you have to reload the service after any change to a zone file or configuration file, and whenever you create a new zone file.

/etc/init.d/named reload

In Debian, use the following commands to stop/start/restart/reload BIND:

service bind9 stop # To stop the service

service bind9 start # To start the service

service bind9 restart # To restart the service

service bind9 reload # To reload the service

4. BIND in a chrooted environment

It is generally advised to install the additional package "bind-chroot", which confines BIND to a chroot environment. Luckily, the CentOS package makes this extremely simple. The only aspect worth noting is that the active paths change to their chrooted equivalents; for example, /var/named becomes /var/named/chroot/var/named. With CentOS 6 you will not need to move any files, as the package automatically creates hard links to the non-chrooted directories.

If you’d like to enable this feature for the added security which it provides, you can do the following:

yum install bind-chroot -y
service named restart

5. Firewall Configuration

DNS uses both UDP and TCP and listens on port 53, so it is recommended to open these ports in the firewall. Responses of up to 512 bytes are carried over UDP; larger responses and operations such as zone transfers use TCP. If you use IPTables, run the following commands to open port 53. Note that these rules match queries this host sends out (OUTPUT to destination port 53) and the replies to them; a server that must answer other hosts also needs INPUT rules accepting NEW connections to destination port 53 over both protocols.

iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
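To make the UDP/TCP rule concrete, here is an added example (not from the article) that builds a DNS query and inspects a constructed UDP reply: a reply that did not fit in 512 bytes carries the TC (truncated) flag, and the client retries over TCP, which is why both protocols must pass the firewall. The name example.test and the replies are constructed, not captured traffic.

```python
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a minimal DNS query: header (RD set), QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header; TC (bit 9 of the flags word) marks a truncated answer."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "answers": an}

def transport_for(qtype, udp_reply=None):
    """Transport a client ends up using: AXFR is TCP-only, truncation forces a TCP retry."""
    if qtype == 252:                          # AXFR (zone transfer)
        return "tcp"
    if udp_reply is not None and parse_header(udp_reply)["tc"]:
        return "tcp"                          # answer exceeded 512 bytes over UDP
    return "udp"

# Constructed replies to the query above: a normal one (QR, RD, RA) and a truncated one (+TC).
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```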
