On ns1, open the named.conf.local file for editing:
sudo nano /etc/bind/named.conf.local
Aside from a few comments, the file should be empty. Here, we will specify our forward and reverse zones. DNS zones designate a specific scope for managing and defining DNS records. Since our domains will all be within the “nyc3.example.com” subdomain, we will use that as our forward zone. Because our servers’ private IP addresses are each in the 10.128.0.0/16 IP space, we will set up a reverse zone so that we can define reverse lookups within that range.
Add the forward zone with the following lines, substituting the zone name with your own and the secondary DNS server’s private IP address in the allow-transfer directive:
/etc/bind/named.conf.local — 1 of 2
zone "nyc3.example.com" {
type master;
file "/etc/bind/zones/db.nyc3.example.com"; # zone file path
allow-transfer { 10.128.20.12; }; # ns2 private IP address - secondary
};
Assuming that our private subnet is 10.128.0.0/16, add the reverse zone with the following lines (note that our reverse zone name starts with “128.10”, which is the octet reversal of “10.128”):
/etc/bind/named.conf.local — 2 of 2
. . .
};
zone "128.10.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.10.128"; # 10.128.0.0/16 subnet
allow-transfer { 10.128.20.12; }; # ns2 private IP address - secondary
};
If your servers span multiple private subnets but are in the same datacenter, be sure to specify an additional zone and zone file for each distinct subnet. When you are finished adding all of your desired zones, save and exit the named.conf.local file.
Now that our zones are specified in BIND, we need to create the corresponding forward and reverse zone files.
Creating the Forward Zone File
The forward zone file is where we define DNS records for forward DNS lookups. That is, when the DNS receives a name query, “host1.nyc3.example.com” for example, it will look in the forward zone file to resolve host1’s corresponding private IP address.
Let’s create the directory where our zone files will reside. According to our named.conf.local configuration, that location should be /etc/bind/zones:
sudo mkdir /etc/bind/zones
We will base our forward zone file on the sample db.local zone file. Copy it to the proper location with the following command:
sudo cp /etc/bind/db.local /etc/bind/zones/db.nyc3.example.com
Now let’s edit our forward zone file:
sudo nano /etc/bind/zones/db.nyc3.example.com
Initially, it will look something like the following:
/etc/bind/zones/db.nyc3.example.com — original
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost. ; delete this line
@ IN A 127.0.0.1 ; delete this line
@ IN AAAA ::1 ; delete this line
First, you will want to edit the SOA record. Replace the first “localhost” with ns1’s FQDN, then replace “root.localhost” with “admin.nyc3.example.com”. Every time you edit a zone file, you need to increment the serial value before you restart the named process. We will increment it to “3”. It should now look something like this:
/etc/bind/zones/db.nyc3.example.com — updated 1 of 3
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
. . .
Next, delete the three records at the end of the file (after the SOA record). If you’re not sure which lines to delete, they are marked with a “delete this line” comment above.
At the end of the file, add your name server records with the following lines (replace the names with your own). Note that the second column specifies that these are “NS” records:
/etc/bind/zones/db.nyc3.example.com — updated 2 of 3
. . .
; name servers - NS records
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
Now, add the A records for your hosts that belong in this zone. This includes any server whose name we want to end with “.nyc3.example.com” (substitute the names and private IP addresses). Using our example names and private IP addresses, we will add A records for ns1, ns2, host1, and host2 like so:
/etc/bind/zones/db.nyc3.example.com — updated 3 of 3
. . .
; name servers - A records
ns1.nyc3.example.com. IN A 10.128.10.11
ns2.nyc3.example.com. IN A 10.128.20.12
; 10.128.0.0/16 - A records
host1.nyc3.example.com. IN A 10.128.100.101
host2.nyc3.example.com. IN A 10.128.200.102
Save and close the db.nyc3.example.com file.
Our final example forward zone file looks like the following:
/etc/bind/zones/db.nyc3.example.com — updated
$TTL 604800
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
; name servers - A records
ns1.nyc3.example.com. IN A 10.128.10.11
ns2.nyc3.example.com. IN A 10.128.20.12
; 10.128.0.0/16 - A records
host1.nyc3.example.com. IN A 10.128.100.101
host2.nyc3.example.com. IN A 10.128.200.102
Now let’s move onto the reverse zone file(s).
Creating the Reverse Zone File(s)
Reverse zone files are where we define DNS PTR records for reverse DNS lookups. That is, when the DNS receives a query by IP address, “10.128.100.101” for example, it will look in the reverse zone file(s) to resolve the corresponding FQDN, “host1.nyc3.example.com” in this case.
On ns1, for each reverse zone specified in the named.conf.local file, create a reverse zone file. We will base our reverse zone file(s) on the sample db.127 zone file. Copy it to the proper location with the following command (substituting the destination filename so it matches your reverse zone definition):
sudo cp /etc/bind/db.127 /etc/bind/zones/db.10.128
Edit the reverse zone file that corresponds to the reverse zone(s) defined in named.conf.local:
sudo nano /etc/bind/zones/db.10.128
Initially, it will look something like the following:
/etc/bind/zones/db.10.128 — original
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost. ; delete this line
1.0.0 IN PTR localhost. ; delete this line
In the same manner as the forward zone file, you will want to edit the SOA record and increment the serial value. It should look something like this:
/etc/bind/zones/db.10.128 — updated 1 of 3
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
. . .
Now delete the two records at the end of the file (after the SOA record). If you’re not sure which lines to delete, they are marked with a “delete this line” comment above.
At the end of the file, add your name server records with the following lines (replace the names with your own). Note that the second column specifies that these are “NS” records:
/etc/bind/zones/db.10.128 — updated 2 of 3
. . .
; name servers - NS records
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
Then add PTR records for all of your servers whose IP addresses are on the subnet of the zone file that you are editing. In our example, this includes all of our hosts because they are all on the 10.128.0.0/16 subnet. Note that the first column consists of the last two octets of your servers’ private IP addresses in reversed order. Be sure to substitute names and private IP addresses to match your servers:
/etc/bind/zones/db.10.128 — updated 3 of 3
. . .
; PTR Records
11.10 IN PTR ns1.nyc3.example.com. ; 10.128.10.11
12.20 IN PTR ns2.nyc3.example.com. ; 10.128.20.12
101.100 IN PTR host1.nyc3.example.com. ; 10.128.100.101
102.200 IN PTR host2.nyc3.example.com. ; 10.128.200.102
Save and close the reverse zone file (repeat this section if you need to add more reverse zone files).
Our final example reverse zone file looks like the following:
/etc/bind/zones/db.10.128 — updated
$TTL 604800
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers
IN NS ns1.nyc3.example.com.
IN NS ns2.nyc3.example.com.
; PTR Records
11.10 IN PTR ns1.nyc3.example.com. ; 10.128.10.11
12.20 IN PTR ns2.nyc3.example.com. ; 10.128.20.12
101.100 IN PTR host1.nyc3.example.com. ; 10.128.100.101
102.200 IN PTR host2.nyc3.example.com. ; 10.128.200.102
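The two derivations used in this section, the reverse zone name taken from the subnet (“10.128” becoming “128.10.in-addr.arpa” in named.conf.local) and the PTR owner names taken from the last two octets in reversed order, are easy to get wrong by hand once a zone holds more than a few hosts. The following POSIX shell script is an added example and not part of the original tutorial: it computes both values, generates PTR lines in the layout used above, and checks a forward zone file against a reverse zone file so that every A record has a matching PTR record. The zone contents it reads are constructed inline from the tutorial’s example hosts, and only /16 subnets are handled, which is all this tutorial’s network needs.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Derives the reverse zone
# name and PTR owner names for the tutorial's 10.128.0.0/16 subnet and checks
# that every A record in the forward zone has a matching PTR record. Zone
# contents below are constructed from the tutorial's example hosts.

# reverse_zone_name 10.128.0.0/16 -> 128.10.in-addr.arpa
# Only /16 prefixes are handled, which is all the tutorial's subnet needs.
reverse_zone_name() {
    net=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "16" ] || { echo "reverse_zone_name: only /16 supported" >&2; return 1; }
    o1=${net%%.*}; rest=${net#*.}; o2=${rest%%.*}
    printf '%s.%s.in-addr.arpa\n' "$o2" "$o1"
}

# ptr_owner 10.128.100.101 -> 101.100
# The relative owner name inside the 128.10.in-addr.arpa zone: the last two
# octets of the address in reversed order.
ptr_owner() {
    o4=${1##*.}; rest=${1%.*}; o3=${rest##*.}
    printf '%s.%s\n' "$o4" "$o3"
}

# emit_ptr_records reads "name ip" pairs on stdin and prints PTR records in
# the layout the tutorial uses (with the address as a trailing comment).
emit_ptr_records() {
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s IN PTR %s. ; %s\n' "$(ptr_owner "$ip")" "$name" "$ip"
    done
}

# check_ptr_coverage FORWARD_FILE REVERSE_FILE
# For each "<fqdn> IN A <ip>" in the forward zone, require a matching
# "<reversed octets> IN PTR <fqdn>" in the reverse zone. Prints each
# missing record and returns 1 if any are missing, 0 otherwise.
check_ptr_coverage() {
    missing=$(awk '$2 == "IN" && $3 == "A" { print $1, $4 }' "$1" |
        while read -r name ip; do
            owner=$(ptr_owner "$ip")
            awk -v o="$owner" -v n="$name" \
                '$1 == o && $2 == "IN" && $3 == "PTR" && $4 == n { f = 1 } END { exit !f }' "$2" ||
                printf 'missing: %s IN PTR %s ; %s\n' "$owner" "$name" "$ip"
        done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# --- constructed sample zones (the tutorial's example hosts) ---
FWD_ZONE=$(mktemp); REV_ZONE=$(mktemp)
trap 'rm -f "$FWD_ZONE" "$REV_ZONE"' EXIT
cat >"$FWD_ZONE" <<'EOF'
$TTL 604800
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. ( 3 604800 86400 2419200 604800 )
 IN NS ns1.nyc3.example.com.
 IN NS ns2.nyc3.example.com.
ns1.nyc3.example.com. IN A 10.128.10.11
ns2.nyc3.example.com. IN A 10.128.20.12
host1.nyc3.example.com. IN A 10.128.100.101
host2.nyc3.example.com. IN A 10.128.200.102
EOF
# The reverse zone deliberately omits host2 so the check has something to report.
cat >"$REV_ZONE" <<'EOF'
$TTL 604800
@ IN SOA ns1.nyc3.example.com. admin.nyc3.example.com. ( 3 604800 86400 2419200 604800 )
 IN NS ns1.nyc3.example.com.
 IN NS ns2.nyc3.example.com.
11.10 IN PTR ns1.nyc3.example.com. ; 10.128.10.11
12.20 IN PTR ns2.nyc3.example.com. ; 10.128.20.12
101.100 IN PTR host1.nyc3.example.com. ; 10.128.100.101
EOF

echo "zone for 10.128.0.0/16: $(reverse_zone_name 10.128.0.0/16)"
echo "PTR records for two of the tutorial's hosts:"
printf 'ns1.nyc3.example.com 10.128.10.11\nhost2.nyc3.example.com 10.128.200.102\n' | emit_ptr_records
echo "forward/reverse consistency:"
check_ptr_coverage "$FWD_ZONE" "$REV_ZONE" || echo "reverse zone is incomplete"
```

On the real server, run check_ptr_coverage /etc/bind/zones/db.nyc3.example.com /etc/bind/zones/db.10.128 after the sample section; a non-zero exit lists exactly the A records that still need a PTR record, which is worth doing each time the serial is bumped.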
We’re done editing our files, so next we can check our files for errors.
Checking the BIND Configuration Syntax
Run the following command to check the syntax of the named.conf* files:
sudo named-checkconf
If your named configuration files have no syntax errors, you will return to your shell prompt and see no error messages. If there are problems with your configuration files, review the error message and the “Configure Primary DNS Server” section, then try named-checkconf again.
The named-checkzone command can be used to check the correctness of your zone files. Its first argument specifies a zone name, and the second argument specifies the corresponding zone file, both of which are defined in named.conf.local.
For example, to check the “nyc3.example.com” forward zone configuration, run the following command (change the names to match your forward zone and file):
sudo named-checkzone nyc3.example.com /etc/bind/zones/db.nyc3.example.com
And to check the “128.10.in-addr.arpa” reverse zone configuration, run the following command (change the numbers to match your reverse zone and file):
sudo named-checkzone 128.10.in-addr.arpa /etc/bind/zones/db.10.128
When all of your configuration and zone files have no errors in them, you should be ready to restart the BIND service.
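The named-checkzone commands above have to be repeated for every zone, and each zone name and file path has to match what named.conf.local says. As an added example, not part of the original tutorial, the following POSIX shell script reads the zone/file pairs out of named.conf.local itself and runs named-checkzone on each, so adding a zone for another subnet automatically adds a check. The configuration it parses is constructed inline from the tutorial’s two zone blocks; check_all_zones needs the bind9utils tools on the server and is therefore shown but not run against the sample.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Reads every zone/file pair
# out of named.conf.local and runs named-checkzone on each, so no zone is left
# unchecked when more subnets are added. The sample configuration below is
# constructed from the tutorial's two zones.

# list_zones NAMED_CONF -> one "zone_name zone_file" pair per zone block.
# Handles the tutorial's layout: a `zone "name" {` line followed by a
# `file "path";` line inside the block (trailing comments are ignored).
list_zones() {
    awk '
        $1 == "zone" { zone = $2; gsub(/"/, "", zone) }
        $1 == "file" && zone != "" { f = $2; gsub(/[";]/, "", f); print zone, f; zone = "" }
    ' "$1"
}

# check_all_zones [NAMED_CONF]
# Runs named-checkconf, then named-checkzone for each listed zone.
# Returns 0 only if every check passes; needs bind9utils installed.
check_all_zones() {
    conf=${1:-/etc/bind/named.conf.local}
    command -v named-checkzone >/dev/null 2>&1 ||
        { echo "named-checkzone not found (install bind9utils)" >&2; return 2; }
    named-checkconf || return 1
    list_zones "$conf" | while read -r zone file; do
        echo "checking $zone ($file)"
        named-checkzone "$zone" "$file" || exit 1   # leaves the loop's subshell with status 1
    done
}

# --- constructed sample: the tutorial's named.conf.local ---
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
zone "nyc3.example.com" {
    type master;
    file "/etc/bind/zones/db.nyc3.example.com"; # zone file path
    allow-transfer { 10.128.20.12; }; # ns2 private IP address - secondary
};

zone "128.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.10.128"; # 10.128.0.0/16 subnet
    allow-transfer { 10.128.20.12; }; # ns2 private IP address - secondary
};
EOF

echo "zones defined in the sample configuration:"
list_zones "$SAMPLE_CONF"
# On the real server: check_all_zones /etc/bind/named.conf.local
```

Because check_all_zones stops at the first failing zone and returns non-zero, it can sit in front of the restart step (for example, check_all_zones && sudo systemctl restart bind9) so that a zone file with a typo is never loaded into a running server.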
Restarting BIND
Restart BIND:
sudo systemctl restart bind9
If you have the UFW firewall configured, open up access to BIND by typing:
sudo ufw allow Bind9
Your primary DNS server is now set up and ready to respond to DNS queries. Let’s move on to creating the secondary DNS server.