BIND Configuration Reference

BIND (Berkeley Internet Name Domain) is a widely used DNS server software. This reference provides an overview of BIND configuration files, directives, zone files, and common commands to help you set up and manage a DNS server effectively.

BIND Configuration Files

The main configuration file is /etc/named.conf (RHEL-style systems) or /etc/bind/named.conf (Debian-style systems, where it is little more than the include statements shown below). It holds the global options, logging, keys and control-channel settings, and the zone statements or includes that point at the zone files.

Include Statements

You can include additional configuration files using the include directive:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

Global Options

The options block contains global server configuration settings.

options {
    directory "/var/cache/bind";
    // Additional options...
};

Common Options

Option              Description
directory           Working directory of named; relative file names elsewhere in the configuration are resolved against it.
listen-on           IPv4 addresses and ports BIND listens on (listen-on-v6 for IPv6).
allow-query         Clients allowed to send ordinary queries; the default is any host.
allow-recursion     Clients for whom the server will recurse. If unset, BIND falls back to allow-query-cache, then allow-query, then the built-in default of localnets and localhost.
forwarders          Upstream resolvers that recursive queries are handed to.
recursion           Enables or disables recursive service (default yes).
dnssec-validation   DNSSEC validation of answers this server resolves: yes, no, or auto (auto uses the built-in root trust anchor).

Example Options Block

The block below serves clients on 192.0.2.0/24. allow-query on its own does not limit recursion: with recursion yes and no allow-recursion, BIND falls back to the allow-query list, so allow-query { any; } alone would make this an open resolver.

options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };          // add listen-on-v6 for IPv6 service
    allow-query     { any; };
    allow-recursion { 192.0.2.0/24; localhost; };   // recursion only for our own clients
    recursion yes;
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
};

Zone Definitions

Zones are defined in named.conf or an included file with the zone statement. master and slave are still accepted; primary and secondary are the preferred spellings in BIND 9.13 and later.

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

Zone Types

Type                Description
master (primary)    Authoritative copy loaded from a local zone file.
slave (secondary)   Authoritative copy fetched from a primary by zone transfer (AXFR/IXFR).
stub                Keeps only the NS records of a zone, refreshed from its primaries.
forward             Queries for the zone are forwarded to the listed forwarders instead of being resolved.
hint                Root name server addresses used to prime the cache (the "." zone).

Common Zone Options

Option              Description
type                Zone type (see above).
file                File holding the zone data; named writes it for secondary and dynamically updated zones, so it must be writable in those cases.
allow-transfer      Hosts or TSIG keys allowed to request zone transfers; set it explicitly on every primary zone.
allow-update        Hosts or TSIG keys allowed to send dynamic updates (update-policy offers finer control).
masters             Primary servers a secondary zone transfers from (spelled primaries in BIND 9.16 and later; both are accepted).

Zone File Structure

Zone files contain DNS records for a domain. The basic structure includes a Start of Authority (SOA) record, followed by resource records (RRs).

Start of Authority (SOA) Record

@   IN  SOA ns1.example.com. admin.example.com. (
        2023101201 ; Serial
        7200       ; Refresh
        3600       ; Retry
        1209600    ; Expire
        86400 )    ; Minimum TTL

The SOA record carries the zone's administrative parameters: the primary name server, the responsible mailbox (admin.example.com. means admin@example.com), the serial that secondaries compare to decide whether to transfer (it must increase on every change; YYYYMMDDnn is the usual convention), the refresh, retry and expire intervals that drive zone transfers, and a final value that is the negative-caching TTL (RFC 2308), not a minimum TTL for the zone's records.
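As an added example (not BIND code), the serial rules above in Python: the RFC 1982 comparison a secondary applies, a YYYYMMDDnn bump that never produces a smaller serial, and a helper that rewrites the serial inside zone text. SAMPLE_ZONE is a constructed copy of the example zone on this page, and the serial regex assumes the multi-line parenthesised SOA layout used here.

```python
"""SOA serial helpers: RFC 1982 comparison and a YYYYMMDDnn bump.

Added example, not part of BIND. A secondary only transfers a zone when the
primary's serial is greater in serial-number arithmetic (RFC 1982), so a
forgotten bump leaves every secondary stale, and a serial that went backwards
is silently ignored. SAMPLE_ZONE is a constructed copy of the example zone on
this page.
"""
import re
from datetime import date
from typing import Optional, Tuple

SERIAL_SPACE = 2 ** 32
HALF = 2 ** 31

def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b under RFC 1982 arithmetic (wraps at 2^32)."""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    if a == b:
        return False
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)

def next_serial(current: int, today: Optional[date] = None) -> int:
    """Next serial in the YYYYMMDDnn convention used by the zone files on this page.

    Falls back to current + 1 when the date-based value would not be larger
    (more than 99 edits in one day, or a serial already ahead of today), so the
    result compares greater than `current` for any serial not already near the
    top of the 32-bit space.
    """
    today = today or date.today()
    date_based = int(today.strftime("%Y%m%d")) * 100
    return max(date_based, current + 1) % SERIAL_SPACE

# The serial is the first integer after the opening parenthesis of the SOA RDATA;
# this assumes the multi-line parenthesised SOA layout used on this page.
SOA_SERIAL = re.compile(r"(\bSOA\b[^()]*\(\s*)(\d+)")

def bump_zone_serial(zone_text: str, today: Optional[date] = None) -> Tuple[str, int]:
    """Return the zone text with its SOA serial advanced, plus the new serial."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    new = next_serial(int(m.group(2)), today)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new

SAMPLE_ZONE = """$TTL    86400
@   IN  SOA ns1.example.com. admin.example.com. (
        2023101201 ; Serial
        7200       ; Refresh
        3600       ; Retry
        1209600    ; Expire
        86400 )    ; Minimum TTL
    IN  NS  ns1.example.com.
www IN  A   192.0.2.3
"""

if __name__ == "__main__":
    text, serial = bump_zone_serial(SAMPLE_ZONE, date(2023, 10, 13))
    print(serial, serial_gt(serial, 2023101201))   # 2023101300 True
    print(text)
```

The wraparound case matters in practice: a serial that was set to a huge value by mistake cannot simply be lowered, because secondaries will treat the smaller number as older; the documented fix is to step it up through the top of the 2^32 space.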

Resource Records (RRs)

Common types of resource records:

Record Type   Description
A             Maps a hostname to an IPv4 address.
AAAA          Maps a hostname to an IPv6 address.
CNAME         Canonical name record (alias).
MX            Mail exchange record (preference, mail server).
NS            Name server record.
PTR           Pointer record for reverse DNS.
TXT           Text record for arbitrary text (SPF, DKIM, domain verification).
SRV           Service locator record (priority, weight, port, target).

Example Zone File

$TTL    86400
@   IN  SOA ns1.example.com. admin.example.com. (
        2023101201 ; Serial
        7200       ; Refresh
        3600       ; Retry
        1209600    ; Expire
        86400 )    ; Minimum TTL

; Name Servers
    IN  NS  ns1.example.com.
    IN  NS  ns2.example.com.

; Mail Servers
    IN  MX  10 mail.example.com.

; A Records
ns1 IN  A   192.0.2.1
ns2 IN  A   192.0.2.2
www IN  A   192.0.2.3

; CNAME Records
ftp IN  CNAME www

; TXT Records
@   IN  TXT "v=spf1 mx -all"

Reverse DNS Zone Files

Reverse DNS maps IP addresses to hostnames. The zone file is similar but uses PTR records.

Example Reverse Zone File

$TTL    86400
@   IN  SOA ns1.example.com. admin.example.com. (
        2023101201 ; Serial
        7200       ; Refresh
        3600       ; Retry
        1209600    ; Expire
        86400 )    ; Minimum TTL

; Name Servers
    IN  NS  ns1.example.com.
    IN  NS  ns2.example.com.

; PTR Records
1   IN  PTR ns1.example.com.
2   IN  PTR ns2.example.com.
3   IN  PTR www.example.com.

Note: The reverse zone name is based on the IP address in reverse order. For example, the reverse zone for 192.0.2.0/24 is 2.0.192.in-addr.arpa.
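The naming rule in the note above, carried through as an added Python example (not BIND code): it derives the reverse zone apex for any octet-aligned IPv4 prefix and any nibble-aligned IPv6 prefix, computes the relative PTR owner for an address, and renders a reverse zone file in the layout used above. The host names and addresses in the usage section are constructed.

```python
"""Reverse-zone naming and rendering for IPv4 and IPv6 prefixes.

Added example, not BIND code. It generalises the page's 192.0.2.0/24 case to
any octet-aligned IPv4 prefix and any nibble-aligned IPv6 prefix and renders
a reverse zone file in the layout used above. Host names are constructed.
"""
import ipaddress
from typing import Dict, Sequence

def reverse_zone(prefix: str) -> str:
    """Apex of the reverse zone for a prefix, e.g. 192.0.2.0/24 -> 2.0.192.in-addr.arpa."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need /8, /16 or /24; smaller blocks "
                             "need RFC 2317 classless delegation")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = ".in-addr.arpa"
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones need a nibble-aligned prefix length")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = ".ip6.arpa"
    return ".".join(reversed(labels)) + suffix

def ptr_owner(address: str, prefix: str) -> str:
    """Owner name of the PTR record for address, relative to reverse_zone(prefix)."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(prefix, strict=True)
    if addr not in net:
        raise ValueError(f"{address} is not inside {prefix}")
    apex = reverse_zone(prefix)
    full = addr.reverse_pointer                 # e.g. 1.2.0.192.in-addr.arpa
    assert full.endswith("." + apex)
    return full[: -(len(apex) + 1)]             # strip ".<apex>"

def render_reverse_zone(prefix: str, serial: int, nameservers: Sequence[str],
                        hosts: Dict[str, str]) -> str:
    """Zone file text: SOA, NS records, then one PTR per host (address -> FQDN with trailing dot)."""
    lines = [
        "$TTL    86400",
        f"@   IN  SOA {nameservers[0]} admin.example.com. (",
        f"        {serial} ; Serial",
        "        7200       ; Refresh",
        "        3600       ; Retry",
        "        1209600    ; Expire",
        "        86400 )    ; Negative-caching TTL",
        "",
    ]
    lines += [f"    IN  NS  {ns}" for ns in nameservers]
    lines.append("")
    for address in sorted(hosts, key=ipaddress.ip_address):
        lines.append(f"{ptr_owner(address, prefix):<3} IN  PTR {hosts[address]}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed hosts matching the example above.
    hosts = {"192.0.2.1": "ns1.example.com.", "192.0.2.2": "ns2.example.com.",
             "192.0.2.3": "www.example.com."}
    print(f'zone "{reverse_zone("192.0.2.0/24")}"')
    print(render_reverse_zone("192.0.2.0/24", 2023101201,
                              ["ns1.example.com.", "ns2.example.com."], hosts))
```

For IPv6 the owner names get long (24 nibble labels for a host inside a /32), which is why ptr_owner strips the apex rather than writing fully qualified names; $ORIGIN-relative names keep the file readable and let the same file serve a renamed zone.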

BIND Command-Line Tools

named-checkconf

Checks the syntax of the BIND configuration files. Run it before every reload: a single error anywhere in named.conf keeps the whole server from loading.

# Check the main configuration file (syntax only)
named-checkconf

# Also load every zone file the configuration references
named-checkconf -z

# Specify a particular configuration file
named-checkconf /etc/bind/named.conf

named-checkzone

Verifies the syntax and consistency of a zone file (SOA and NS records at the apex, record formats, glue); run it on any zone you edited by hand before reloading it.

# Check a zone file
named-checkzone example.com /etc/bind/db.example.com

rndc

Controls the running server over its control channel (TCP port 953 on localhost by default), authenticated with the TSIG key in /etc/bind/rndc.key or /etc/rndc.key. That key is for administration only; do not reuse it for dynamic updates or transfers.

# Reload configuration and all zones
rndc reload

# Reload a specific zone
rndc reload example.com

# Re-read named.conf and load only new or removed zones (no full reload)
rndc reconfig

# Stop the server cleanly (there is no rndc restart; restart via the service manager, e.g. systemctl restart named)
rndc stop

# Flush the server cache
rndc flush

# Show server status
rndc status

DNS Query Tools

Useful tools for testing and querying DNS records.

dig

# Query an A record
dig example.com A

# Query MX records
dig example.com MX

# Query a specific name server
dig @ns1.example.com example.com A

# Perform a reverse DNS lookup
dig -x 192.0.2.1

# Try a zone transfer; from a host outside allow-transfer this must end in "; Transfer failed."
dig @ns1.example.com example.com AXFR

# Check whether the server recurses for you; status REFUSED means it does not
dig @ns1.example.com example.net A

nslookup

# Interactive mode
nslookup

# Non-interactive query
nslookup example.com

# Specify a DNS server
nslookup example.com ns1.example.com

host

# Simple DNS lookup
host example.com

# Reverse lookup
host 192.0.2.1

Logging and Troubleshooting

Logging Options

BIND's logging is configured in the logging section. A channel says where messages go and at what severity; a category statement routes a class of messages to one or more channels, and a channel that no category references receives nothing. default_debug is a built-in channel that the built-in default category already uses, so redefining it only changes its destination; it receives debug-level messages only while a debug level is active (named -d or rndc trace).

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    // Separate file for access-control decisions; rotate at 10 MB, keep 3 old files
    channel security_log {
        file "/var/log/named/security.log" versions 3 size 10m;
        print-time yes;
    };
    category security        { security_log; };   // query and transfer approvals/denials
    category update-security { security_log; };   // dynamic update approvals/denials
};

Common Log Files

Depending on your system, BIND logs may be found in:

The system journal or syslog, because the built-in default_syslog channel logs to the daemon facility: journalctl -u named on Debian/Ubuntu and RHEL/Fedora (older Debian units are called bind9).
/var/named/data/named.run on RHEL-style systems, the file behind the default_debug channel above (a file name without a leading / is relative to the options directory).
Any file you name in your own channel statements.

Troubleshooting Steps

Run named-checkconf -z, then named-checkzone on the zone you changed; a syntax error anywhere stops the whole server from loading.
Check rndc status to confirm named is running and how many zones are loaded.
Query the server directly (dig @127.0.0.1 example.com SOA) and compare the serial with the primary's; an unchanged serial means secondaries will not transfer.
Read the log files listed above; TSIG failures, refused transfers and refused recursion are logged at info level.
Check that named can read its zone files and write to its directory (file ownership, plus AppArmor on Debian/Ubuntu or SELinux on RHEL/Fedora).
For a failure at startup, run named -g to stay in the foreground with all messages on stderr.
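Once security-category messages are being written somewhere readable, the recurring troubleshooting question is which clients are being refused and why. The following is an added Python example (not a BIND tool) that triages such lines per client. The sample log is constructed to follow the shape BIND uses for client messages ("client [@0x...] ADDR#PORT[/key NAME] [(QNAME)]: MESSAGE"); exact wording varies between releases, so the regex is a starting point to adjust against your own logs.

```python
"""Triage BIND log lines for refused transfers, recursion and updates per client.

Added example, not a BIND tool. The sample lines are constructed to follow the
shape of messages BIND writes to the security, update-security and queries
categories ("client [@0x...] ADDR#PORT[/key NAME] [(QNAME)]: MESSAGE"); exact
wording varies between releases, so treat the regex as a starting point.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?"             # client object address (newer releases)
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"  # source address and port
    r"(?:/key (?P<key>\S+))?"                # TSIG key name when the request was signed
    r"(?: \((?P<qname>[^)]*)\))?"            # query name, when present
    r": (?P<msg>.*)$")

# Message prefixes for ACL refusals, tested in order.
DENIAL_KINDS: List[Tuple[str, str]] = [
    ("zone transfer", "axfr_denied"),
    ("query (cache)", "recursion_denied"),
    ("update", "update_denied"),
]

def classify(line: str) -> Optional[Tuple[str, str]]:
    """(client ip, event kind) for a client message, or None for other lines."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    ip, msg = m.group("ip"), m.group("msg")
    if msg.endswith(" denied"):
        for prefix, kind in DENIAL_KINDS:
            if msg.startswith(prefix):
                return ip, kind
        return ip, "other_denied"
    if msg.startswith("query: "):
        return ip, "query"
    return ip, "other"

def summarize(lines) -> Dict[str, Counter]:
    """Per-client counts of each event kind."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            per_client[hit[0]][hit[1]] += 1
    return dict(per_client)

def suspicious(lines, threshold: int = 2) -> List[str]:
    """Clients with any refused AXFR, or at least `threshold` refusals of any kind."""
    flagged = []
    for ip, counts in summarize(lines).items():
        denials = sum(n for kind, n in counts.items() if kind.endswith("_denied"))
        if counts["axfr_denied"] or denials >= threshold:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample log (RFC 5737 addresses); not captured from a real server.
SAMPLE_LOG = """\
13-Oct-2023 10:15:01.123 security: info: client @0x7f3c2c0b1e10 198.51.100.9#53011 (example.com): zone transfer 'example.com/AXFR/IN' denied
13-Oct-2023 10:15:02.456 security: info: client @0x7f3c2c0b1e10 203.0.113.7#40111 (example.net): query (cache) 'example.net/A/IN' denied
13-Oct-2023 10:15:03.789 security: info: client @0x7f3c2c0b1e10 203.0.113.7#40112 (example.org): query (cache) 'example.org/MX/IN' denied
13-Oct-2023 10:15:04.001 update-security: info: client @0x7f3c2c0b1e10 203.0.113.7#40113: update 'example.com/IN' denied
13-Oct-2023 10:15:05.222 queries: info: client @0x7f3c2c0b1e10 192.0.2.5#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
13-Oct-2023 10:15:06.333 update-security: info: client @0x7f3c2c0b1e10 192.0.2.50#2048/key ddns-key: updating zone 'example.com/IN': adding an RR at 'host1.example.com' A
""".splitlines()

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("review:", suspicious(SAMPLE_LOG))   # ['198.51.100.9', '203.0.113.7']
```

A single refused AXFR is flagged on its own because nobody requests a transfer by accident; repeated recursion refusals from one address are the usual signature of a scanner checking for open resolvers.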

Security Considerations

Access Control

Restrict queries, recursion and zone transfers to the clients that need them. Verify the transfer restriction from a host outside the list with dig @ns1.example.com example.com AXFR, which must end in "; Transfer failed.":

options {
    // Allow queries only from specific networks
    allow-query     { 192.0.2.0/24; localhost; };
    // Recursion for those networks only; without this, allow-query governs recursion too
    allow-recursion { 192.0.2.0/24; localhost; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Allow zone transfers only to specific IPs (or, better, to a TSIG key)
    allow-transfer { 198.51.100.1; };
};

Disable Recursion

If the server is authoritative only, turn recursion off entirely; allow-query can then stay open for the authoritative zones without creating an open resolver. A server that must do both should keep recursion on but confine it with allow-recursion:

options {
    recursion no;
};

DNSSEC

Two different things get called "enabling DNSSEC". Validation makes this server, as a resolver, check the signatures on answers it fetches; auto uses the built-in root trust anchor and keeps it current through RFC 5011 key rollover:

options {
    dnssec-validation auto;
};

The dnssec-enable option found in older guides is obsolete (a no-op in current releases) and should be removed. Signing the zones this server is authoritative for is a separate, per-zone setting (dnssec-policy in BIND 9.16 and later) and also requires publishing the resulting DS record at the parent zone.

Run as Non-Root User

Run named under a dedicated unprivileged account (bind on Debian-style systems, named on RHEL-style). named.conf has no user or group option; the account is chosen with the -u flag on the named command line, which the distribution packages set in their service configuration, and named drops privileges after binding port 53:

# /etc/default/named (Debian/Ubuntu) or /etc/sysconfig/named (RHEL/Fedora)
OPTIONS="-u bind"

# Confirm the owner of the running process
ps -o user,cmd -C named

Automating Zone Transfers

Configure Primary (Master) Server

Define the zone and allow transfers only to the secondary servers. master and slave still work; primary and secondary are the preferred spellings in BIND 9.13 and later. Secondaries not listed in the zone's NS records need an also-notify entry to receive NOTIFY messages:

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 198.51.100.2; }; // Secondary server IP; a TSIG key ACL is stronger than an address
};

Configure Secondary (Slave) Server

Set up the zone to pull data from the primary. The file must live in a directory named can write to, and masters is spelled primaries in BIND 9.16 and later (both forms are accepted). A secondary only refreshes when the primary's SOA serial has increased:

zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";
    masters { 192.0.2.1; }; // Primary server IP
};

Dynamic DNS Updates

Allow dynamic updates to DNS records, useful for DHCP integration. Updates must be authenticated with a TSIG key: generate a dedicated one with tsig-keygen (hmac-sha256 by default), never reuse the rndc control key, and prefer update-policy over allow-update when a client should only be able to change its own names. While a zone accepts dynamic updates, do not edit its file by hand; wrap manual changes in rndc freeze and rndc thaw.

Configure Zone for Updates

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-update { key "ddns-key"; };
};

Define the Key

Paste the output of tsig-keygen ddns-key (or include the file you saved it to) and keep it readable only by named and the updating host:

key "ddns-key" {
    algorithm hmac-sha256;   // hmac-md5 is weak and deprecated
    secret "your-generated-key";
};
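The access-control, recursion and update-key points in the Security Considerations and Dynamic DNS sections above are the kind of thing worth checking mechanically before a reload. The following added Python example (not a BIND tool) parses the subset of named.conf syntax used on this page and flags an open resolver, unrestricted transfers, unrestricted updates, update keys that use hmac-md5, and updates authenticated with the rndc key. It applies the fallback the BIND ARM documents for allow-recursion (allow-query-cache, then allow-query, then localnets; localhost). Both sample configurations are constructed; the first reproduces this page's example options, zone and key blocks, and the placeholder secrets are not real keys.

```python
"""Static audit of a named.conf for the exposures covered on this page.

Added example, not a BIND tool. Parses the subset of named.conf syntax used
here (statements, quoted strings, nested { } blocks, //, # and /* */ comments)
and applies the ACL fallback from the BIND ARM: when allow-recursion is unset,
BIND uses allow-query-cache, then allow-query, then localnets; localhost.
Both sample configurations below are constructed.
"""
import re
from typing import List, Optional, Tuple

Stmt = Tuple[List[str], Optional[list]]   # (words, nested block or None)

def tokenize(text: str) -> List[str]:
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # /* ... */ comments
    text = re.sub(r"(//|#)[^\n]*", " ", text)            # // and # comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse(tokens: List[str], i: int = 0) -> Tuple[List[Stmt], int]:
    """Recursive descent over 'word word { block };' statements."""
    stmts, words, block = [], [], None
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            block, i = parse(tokens, i + 1)
        elif tok == "}":
            return stmts, i + 1
        elif tok == ";":
            stmts.append((words, block))
            words, block = [], None
            i += 1
        else:
            words.append(tok.strip('"'))
            i += 1
    return stmts, i

def find(stmts: List[Stmt], name: str) -> Optional[Stmt]:
    return next((s for s in stmts if s[0] and s[0][0] == name), None)

def acl(block: Optional[list]) -> List[str]:
    """Flatten an address-match list like { 192.0.2.0/24; key "k"; } to strings."""
    return [" ".join(words) for words, _ in (block or [])]

def audit(conf: str) -> List[str]:
    stmts, _ = parse(tokenize(conf))
    findings: List[str] = []
    opts = find(stmts, "options")
    obody = opts[1] if opts and opts[1] else []
    rec = find(obody, "recursion")
    if rec is None or rec[0][1:2] == ["yes"]:            # recursion defaults to yes
        source, entries = "built-in default", ["localnets", "localhost"]
        for name in ("allow-recursion", "allow-query-cache", "allow-query"):
            s = find(obody, name)
            if s is not None:
                source, entries = name, acl(s[1])
                break
        if "any" in entries:
            findings.append(f"open resolver: recursion is on and {source} allows any")
    weak_keys = {w[1] for w, b in stmts if w[:1] == ["key"] and len(w) > 1 and b
                 and any(x[:2] == ["algorithm", "hmac-md5"] for x, _ in b)}
    for w, body in stmts:
        if w[:1] != ["zone"] or len(w) < 2 or not body:
            continue
        zone, ztype = w[1], find(body, "type")
        if ztype and ztype[0][1:2] in (["master"], ["primary"]):
            xfer = find(body, "allow-transfer")
            if xfer is None:
                findings.append(f"zone {zone}: allow-transfer not set (default allows any host)")
            elif "any" in acl(xfer[1]):
                findings.append(f"zone {zone}: allow-transfer any exposes the zone to AXFR")
        upd = find(body, "allow-update")
        for entry in (acl(upd[1]) if upd else []):
            if entry == "any":
                findings.append(f"zone {zone}: allow-update any lets anyone rewrite the zone")
            elif entry.startswith("key "):
                key = entry[4:]
                if key in weak_keys:
                    findings.append(f"zone {zone}: update key {key} uses hmac-md5")
                if key == "rndc-key":
                    findings.append(f"zone {zone}: update key {key} is the rndc control key")
    return findings

# Constructed: this page's example options, zone and key blocks (placeholder secret).
OPEN_CONF = """
options { directory "/var/cache/bind"; listen-on port 53 { any; };
          allow-query { any; }; recursion yes; dnssec-validation auto;
          forwarders { 8.8.8.8; 8.8.4.4; }; };
zone "example.com" { type master; file "/etc/bind/db.example.com";
                     allow-update { key "rndc-key"; }; };
key "rndc-key" { algorithm hmac-md5; secret "c2FtcGxlLW9ubHk="; };  // placeholder
"""
# Constructed: the same server with the fixes from this page applied.
HARDENED_CONF = """
options { directory "/var/cache/bind"; listen-on port 53 { 192.0.2.1; };
          allow-query { 192.0.2.0/24; localhost; };
          allow-recursion { 192.0.2.0/24; localhost; };
          recursion yes; dnssec-validation auto; };
key "xfer-key" { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
key "ddns-key" { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
zone "example.com" { type primary; file "/etc/bind/db.example.com";
                     allow-transfer { key "xfer-key"; }; allow-update { key "ddns-key"; }; };
"""

if __name__ == "__main__":
    for label, conf in (("page example", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

To run it against a live server, pass the concatenated contents of named.conf and the files it includes to audit(); the parser does not follow include statements itself, and it knows nothing about views, so a per-view allow-recursion would need the same checks applied to each view block.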

Chroot Environment

Enhance security by running BIND in a chroot jail.

Configure Chroot

Start named with -t /var/named/chroot, either through the OPTIONS variable in /etc/default/named or /etc/sysconfig/named, or with the bind-chroot package on RHEL-style systems, whose service unit bind-mounts the needed files into the jail.

Adjust File Paths

named interprets every path in the configuration relative to the chroot root, so /etc/bind/named.conf then means /var/named/chroot/etc/bind/named.conf; check the result with named-checkconf -t /var/named/chroot. Copy or bind-mount the zone files, the rndc key, /dev/null, /dev/random and any required libraries into the jail. A chroot is a containment measure, not a privilege boundary on its own, so keep running as an unprivileged user as well.

Tips and Best Practices

Validate with named-checkconf -z and named-checkzone before every rndc reload; catching a broken file first avoids an outage.
Increase the SOA serial on every change, or secondaries keep serving the old data until the zone expires.
Set recursion no on authoritative-only servers; on resolvers, limit allow-recursion to your own networks.
Set allow-transfer explicitly on every primary zone, preferably to a TSIG key rather than an address.
Authenticate dynamic updates and transfers with hmac-sha256 TSIG keys that are separate from the rndc key.
Keep dnssec-validation auto on resolvers.
Run named as an unprivileged user, and add a chroot or the distribution's service sandboxing on top.
