BIND Authoritative-Only DNS Server on Ubuntu Server 14.04 or Debian 7

This post explains how to set up a DNS server on Ubuntu Server 14.04 or Debian 7 using BIND. The arrangement assumes the following:

  • You’re using a master/slave configuration.
  • Your hosting provider handles reverse DNS (rDNS) for your addresses. Most VPS hosting services do, so you don’t need to serve the reverse zones from your own DNS server.
  • The servers’ hostnames are configured as fully qualified domain names.

For the example, the master server is ns1.mydomain.com with the IP address 10.0.0.1 and the slave server is ns2.mydomain.com with the IP address 10.0.0.2. The test domain served by these DNS servers is testdomain.com; it will be pointed at the same IP address as the master DNS server, where we assume the web server for the domain is also located.

For the commands shown in the explanations, it’s assumed that you’re logged in or acting as the root user. If not, precede the commands with sudo, including when you open configuration files for editing; otherwise you’ll get a permissions error when you try to save the file.

Installation

Start by installing BIND on both servers:

apt-get update
apt-get install bind9 bind9utils bind9-doc

If you’re notified that the file /etc/init.d/bind9 already exists on the server, and asked what you would like to do about it, respond with Y or I to install the version that is included with the package.

Configuration

Once the installation is complete, you already have a DNS server running on both machines. We only need to make some configuration changes to ensure the master and slave communicate with each other and that the master holds the zone information for the domains served by the DNS servers.

First, open /etc/bind/named.conf.options for editing. You should have something like the following:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

We need to add the following two lines anywhere within the braces of the options block:

recursion no;
allow-transfer { none; };

recursion no makes this an authoritative-only server: it answers only for the zones it is configured to serve and refuses to look anything else up on behalf of clients. That matters because an authoritative server that also recurses for anyone on the Internet is an open resolver, which gets abused for DNS amplification attacks and is exposed to cache poisoning. allow-transfer { none; } refuses zone transfer (AXFR) requests from everyone by default, so outsiders cannot download the whole zone and enumerate your hosts; individual zone statements can override it for specific addresses, and a master zone must do so for its slaves.

Example with added lines:

options {
        directory "/var/cache/bind";

        recursion no;
        allow-transfer { none; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save the changes and close the file.

Next, we need to configure the local file to point to the zone files for the domains that will be serviced by the DNS servers. Assuming that we’re servicing a domain called testdomain.com, open /etc/bind/named.conf.local and add the following – as designated for master and slave configurations:

Master

zone "testdomain.com" {
        type master;
        also-notify { 10.0.0.2; };
        allow-transfer { 10.0.0.2; };
        file "/etc/bind/zones/db.testdomain.com";
};

The zone-level allow-transfer is required: the global allow-transfer { none; } in named.conf.options applies to every zone that does not override it, so without this line the master refuses the slave’s transfer request (the master logs the zone transfer as denied) and the slave never loads the zone. Limiting it to the slave’s address keeps AXFR closed to everyone else. also-notify sends a NOTIFY to the slave’s address as soon as the zone is loaded or changed, so the slave transfers immediately instead of waiting for its refresh timer.

Slave

zone "testdomain.com" {
        type slave;
        masters { 10.0.0.1; };
        file "/etc/bind/zones/db.testdomain.com";
};

The slave writes the transferred zone to this file, so named must be able to write to the directory. On Ubuntu the AppArmor profile for named (/etc/apparmor.d/usr.sbin.named) grants only read access under /etc/bind and read-write access under /var/cache/bind and /var/lib/bind; if the slave logs a "permission denied" error while dumping the master file, point its file at /var/cache/bind/db.testdomain.com instead, which is also where the Debian packaging expects slave zone data.

Since the zone statements point to a zones sub-directory of BIND’s configuration directory, /etc/bind, we need to create it and make the bind user its owner (the master only reads its zone file, but the slave has to write the copy it transfers). This needs to be done on both the master and slave servers:

mkdir /etc/bind/zones
chown bind: /etc/bind/zones

Now, you can create the zone file for the domain. For the example, we called the file db.testdomain.com, and configured BIND to look for the file in the /etc/bind/zones directory.

An example of our zone file would look like:

$ORIGIN testdomain.com.
$TTL 1800
@       IN      SOA     ns1.mydomain.com.       admin.testdomain.com. (
                        2015010101              ; serial number (YYYYMMDDnn)
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; negative caching TTL (minimum)
                        )
; Name servers
                    IN      NS      ns1.mydomain.com.	; master DNS
                    IN      NS      ns2.mydomain.com.	; slave DNS

; A records for ns1 and ns2 under this zone (not the names the NS records use)
ns1                 IN      A       10.0.0.1		; master DNS IP
ns2                 IN      A       10.0.0.2		; slave DNS IP

; Additional A records
@                   IN      A       10.0.0.1		; web server (zone apex)

; CNAME records
www                 IN      CNAME   testdomain.com.	; www is an alias for the apex

The settings above are fairly straightforward for configuring a zone with NS records and records that point at a web server. A few points are easy to get wrong:

  • The serial must increase every time the zone file changes. Slaves compare it against the copy they hold and only transfer when the master’s is higher, so an edit without a serial bump never reaches the slave. The YYYYMMDDnn form used here (the date plus a two-digit revision) makes that easy to keep straight.
  • The NS records name ns1.mydomain.com and ns2.mydomain.com, so the address records those names need belong in the mydomain.com zone (and as glue at mydomain.com’s registrar), not in this one. The ns1 and ns2 A records above create ns1.testdomain.com and ns2.testdomain.com; they are harmless, but nothing here refers to them. If you would rather the name servers live under testdomain.com itself, change the NS records to ns1.testdomain.com. and ns2.testdomain.com. and register those names and addresses as glue with the registrar.
  • www could have its own A record pointing at the web server’s address, exactly like the apex does; pointing it at the apex with a CNAME instead leaves only one address to update. The reverse does not work: a CNAME cannot be placed at the zone apex, because the apex already holds the SOA and NS records and a CNAME cannot share its name with any other record type.
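named-checkzone confirms that the file parses and that the serial loads, but it cannot know that your NS records point at names served by a different zone, and it will not tell you when you forgot to raise the serial. The script below is an added example for this post (not code from the original article or from BIND) that checks those points and bumps the serial in the YYYYMMDDnn form. It embeds the zone above as constructed sample input and handles only the master-file syntax that zone uses; run it with python3 and it prints its findings and the next serial.

```python
"""Lint a BIND zone file before reloading it.

Added example for this post, not part of BIND or the original article. Parses
the master-file subset the zone above uses and flags what named-checkzone lets
through: NS targets whose addresses belong in another zone, nameserver A records
no NS record points at, and a CNAME at the apex. Also bumps the YYYYMMDDnn
serial so the slave re-transfers.
"""
import re

# The zone from this post, embedded here as constructed sample input.
SAMPLE_ZONE = """\
$ORIGIN testdomain.com.
$TTL 1800
@       IN      SOA     ns1.mydomain.com.       admin.testdomain.com. (
                        2015010101              ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; negative caching TTL
                        )
                    IN      NS      ns1.mydomain.com.
                    IN      NS      ns2.mydomain.com.
ns1                 IN      A       10.0.0.1
ns2                 IN      A       10.0.0.2
@                   IN      A       10.0.0.1
www                 IN      CNAME   testdomain.com.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT"}

def _logical_lines(text):
    """Yield (indented, fields) per record: comments stripped, '( ... )' joined."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            indented = line[:1].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []
            if fields:
                yield indented, fields

def absolute(name, origin):
    """Make a master-file name absolute (trailing dot) and lower-case."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, [(owner, type, rdata_fields)]) with absolute owner names."""
    origin, owner, records = ".", "@", []
    for indented, fields in _logical_lines(text):
        if fields[0].startswith("$"):          # $ORIGIN, $TTL and other directives
            if fields[0] == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not indented:                       # a new owner name starts the line
            owner, fields = fields[0], fields[1:]
        while fields and fields[0] not in RRTYPES:   # skip optional TTL / class
            fields = fields[1:]
        if fields:
            records.append((absolute(owner, origin), fields[0], fields[1:]))
    return origin, records

def lint_zone(text):
    """Return a list of (level, message) findings for one zone file."""
    origin, records = parse_zone(text)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "NS":
            target = absolute(rdata[0], origin)
            if target == origin or target.endswith("." + origin):
                if not types_at.get(target, set()) & {"A", "AAAA"}:
                    findings.append(("error", f"in-zone NS target {target} has no A/AAAA record (missing glue)"))
            else:
                findings.append(("note", f"NS target {target} is outside this zone; publish its address in its own zone and as glue at that zone's parent, not here"))
                # The classic slip: ns1/ns2 A records written into the wrong zone.
                lookalike = absolute(target.split(".")[0], origin)
                if "A" in types_at.get(lookalike, set()):
                    findings.append(("warning", f"{lookalike} has an A record but the NS record points at {target}; check which name you meant"))
        elif rtype == "CNAME" and owner == origin:
            findings.append(("error", "CNAME at the zone apex is not allowed; the apex already holds SOA and NS"))
    return findings

def next_serial(current, today):
    """Next YYYYMMDDnn serial: today's revision 01, or current+1 if that would not increase."""
    return max(int(today + "01"), current + 1)

def bump_serial(text, today):
    """Return (new_text, new_serial) with the SOA serial raised so slaves re-transfer."""
    soa = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")
    new = next_serial(int(soa.search(text).group(2)), today)
    return soa.sub(lambda m: m.group(1) + str(new), text, count=1), new

if __name__ == "__main__":
    for level, message in lint_zone(SAMPLE_ZONE):
        print(f"{level}: {message}")
    print("next serial:", bump_serial(SAMPLE_ZONE, "20150102")[1])
```

On the zone above it reports two notes (both NS targets are outside the zone) and two warnings (ns1.testdomain.com and ns2.testdomain.com carry A records that no NS record uses). next_serial never goes backwards: if the clock is behind the current serial, or you have already used revision 99 for the day, it falls back to current + 1, which slaves still see as newer.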

Check Configurations

At this point, all configuration is done. You simply need to check the configuration and zone files for errors, and then restart the servers.

You can check the local configuration by issuing:

named-checkconf /etc/bind/named.conf.local

If it returns nothing (line-breaks directly back to the command prompt), the file parsed cleanly. Running named-checkconf with no argument instead checks /etc/bind/named.conf, which includes both named.conf.options and named.conf.local, so your options edits are checked too; adding -z also test-loads every master zone.

You can then check the zone configuration with (on the master server):

named-checkzone testdomain.com /etc/bind/zones/db.testdomain.com

If all checked well, it should return something like:

zone testdomain.com/IN: loaded serial 2015010101
OK

Now, simply restart the two servers.

service bind9 restart

You don’t need to wait for anything to propagate before testing the servers themselves. From any machine that can reach them, query each one directly with dig, pointing it at 10.0.0.1 and then 10.0.0.2 with the @ option and asking for the zone’s SOA record: both should answer with the aa (authoritative answer) flag set and the same serial. If the slave answers SERVFAIL or reports a different serial, the transfer from the master has not happened yet; the log checks further down show why.

What does take time is the delegation: public resolvers only find your servers once the registrar has published the NS records for testdomain.com in the parent zone, which can take anywhere from minutes to more than a day. Once that has happened, you can check from your local Linux machine with:

nslookup testdomain.com

A successful setup should return something similar to:

Non-authoritative answer:
Name:	testdomain.com
Address: 10.0.0.1

The "Non-authoritative answer" is expected here: nslookup asked your local resolver, which relayed what it got from your servers, rather than asking ns1 or ns2 directly.

An unsuccessful setup would return something more like this:

** server can't find testdomain.com: SERVFAIL

If you get an error, it may simply be that the delegation has not been published yet. Either way, check the system log on both servers for errors:

tail -f /var/log/syslog

On the master, look for the following to indicate that the zone loaded and that the slave was told about it:

named[4215]: zone testdomain.com/IN: loaded serial 2015010101
named[4215]: zone testdomain.com/IN: sending notifies (serial 2015010101)

On the slave, the zone is in place once you see a "transferred serial" line for testdomain.com followed by "Transfer completed". If instead the master logs the zone transfer for testdomain.com as denied for the slave’s address, and the slave logs the transfer as failed with REFUSED, the master’s zone statement is not allowing the slave to transfer. Anything else pertaining to the domain you configured might indicate a problem with the zone file, or that the master and slave are not communicating. Make sure the firewall on both servers allows port 53 over both UDP and TCP: queries and NOTIFY messages normally use UDP, but zone transfers run over TCP.
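The log lines above are the master’s side only. As an added example for this post (not part of BIND or of the original article), the script below runs the same checks over syslog text from both servers and sorts zone-transfer refusals into the two kinds that matter: the slave being refused, which means the master’s allow-transfer is too tight, and any other client being refused, which is the AXFR enumeration that allow-transfer { none; } is meant to stop. The log excerpts in it are constructed: the hostnames, PIDs, ports and the 203.0.113.9 and 10.0.0.3 addresses are made up, while the message texts are the ones BIND 9 writes.

```python
"""Audit BIND syslog lines for zone-transfer and NOTIFY activity.

Added example for this post, not part of BIND or of the original article. Fed
the syslog text from the master and from the slave, it reports the serial each
side holds, which clients actually pulled the zone, and which clients had AXFR
refused: a refusal for the slave's own address means the master's allow-transfer
is too tight, while refusals for anyone else are the zone-enumeration attempts
that 'allow-transfer { none; }' exists to stop. The sample lines below are
constructed (PIDs, ports and the 203.0.113.9 and 10.0.0.3 hosts are made up);
the message formats are the ones BIND 9 writes.
"""
import re

MASTER_LOG = """\
Jan  1 10:00:01 ns1 named[4215]: zone testdomain.com/IN: loaded serial 2015010101
Jan  1 10:00:01 ns1 named[4215]: zone testdomain.com/IN: sending notifies (serial 2015010101)
Jan  1 10:00:02 ns1 named[4215]: client 10.0.0.2#51234: transfer of 'testdomain.com/IN': AXFR started
Jan  1 10:00:02 ns1 named[4215]: client 10.0.0.2#51234: transfer of 'testdomain.com/IN': AXFR ended
Jan  1 10:05:44 ns1 named[4215]: client 203.0.113.9#38841: zone transfer 'testdomain.com/IN/AXFR' denied
"""

SLAVE_LOG = """\
Jan  1 10:00:02 ns2 named[3120]: zone testdomain.com/IN: Transfer started.
Jan  1 10:00:02 ns2 named[3120]: transfer of 'testdomain.com/IN' from 10.0.0.1#53: connected using 10.0.0.2#51234
Jan  1 10:00:02 ns2 named[3120]: zone testdomain.com/IN: transferred serial 2015010101
Jan  1 10:00:02 ns2 named[3120]: transfer of 'testdomain.com/IN' from 10.0.0.1#53: Transfer completed: 1 messages, 7 records, 217 bytes, 0.001 secs (217000 bytes/sec)
Jan  1 10:07:19 ns2 named[3120]: zone testdomain.com/IN: refused notify from non-master: 10.0.0.3#53
"""

# What the pair logs when the master keeps the global allow-transfer { none; }
# and its zone statement does not re-allow the slave.
BROKEN_MASTER_LOG = """\
Jan  1 10:00:01 ns1 named[4215]: zone testdomain.com/IN: loaded serial 2015010101
Jan  1 10:00:02 ns1 named[4215]: client 10.0.0.2#51234: zone transfer 'testdomain.com/IN/AXFR' denied
"""
BROKEN_SLAVE_LOG = """\
Jan  1 10:00:02 ns2 named[3120]: zone testdomain.com/IN: Transfer started.
Jan  1 10:00:02 ns2 named[3120]: transfer of 'testdomain.com/IN' from 10.0.0.1#53: failed while receiving responses: REFUSED
"""

ADDR = r"([0-9a-fA-F.:]+)#\d+"
SERIAL = re.compile(r"zone (\S+)/IN: (?:loaded|transferred) serial (\d+)")
SERVED = re.compile(r"client " + ADDR + r": transfer of '(\S+)/IN': AXFR ended")
DENIED = re.compile(r"client " + ADDR + r": zone transfer '(\S+)/IN/AXFR' denied")
REFUSED = re.compile(r"transfer of '(\S+)/IN' from " + ADDR + r": failed while receiving responses: REFUSED")
BOGUS_NOTIFY = re.compile(r"zone (\S+)/IN: refused notify from non-master: " + ADDR)

def audit(log, zone, slaves):
    """Summarise one server's syslog for `zone`; `slaves` are the addresses allowed to AXFR."""
    r = {"serial": None, "served": set(), "misconfigured": set(),
         "probes": set(), "refused_by_master": set(), "bogus_notify": set()}
    for line in log.splitlines():
        m = SERIAL.search(line)
        if m and m.group(1) == zone:
            r["serial"] = int(m.group(2))     # last loaded/transferred serial wins
        m = SERVED.search(line)
        if m and m.group(2) == zone:
            r["served"].add(m.group(1))
        m = DENIED.search(line)
        if m and m.group(2) == zone:
            # Denying our own slave is a misconfiguration; denying anyone else is the point.
            bucket = "misconfigured" if m.group(1) in slaves else "probes"
            r[bucket].add(m.group(1))
        m = REFUSED.search(line)
        if m and m.group(1) == zone:
            r["refused_by_master"].add(m.group(2))
        m = BOGUS_NOTIFY.search(line)
        if m and m.group(1) == zone:
            r["bogus_notify"].add(m.group(2))
    return r

def in_sync(master, slave):
    """True when both sides report the same, known, serial."""
    return master["serial"] is not None and master["serial"] == slave["serial"]

if __name__ == "__main__":
    zone, slaves = "testdomain.com", {"10.0.0.2"}
    m, s = audit(MASTER_LOG, zone, slaves), audit(SLAVE_LOG, zone, slaves)
    print("in sync:", in_sync(m, s), "| AXFR probes:", sorted(m["probes"]))
    mb, sb = audit(BROKEN_MASTER_LOG, zone, slaves), audit(BROKEN_SLAVE_LOG, zone, slaves)
    print("broken pair in sync:", in_sync(mb, sb), "| slave denied:", sorted(mb["misconfigured"]))
```

On a live server you would feed it the output of grep named /var/log/syslog from each machine. The healthy pair comes back in sync with one outside address in the probes bucket; the broken pair shows the slave in the master’s misconfigured bucket, the master in the slave’s refused_by_master bucket, and no serial on the slave at all, which is exactly the symptom of the missing zone-level allow-transfer.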