This tutorial shows how to set up and configure BIND9 as a caching domain name server (DNS) on a Debian/Ubuntu based Linux system.
sudo apt-get install bind9
Edit the configuration file /etc/bind/named.conf.options and insert the following acl section at the top of the file:
acl goodclients {
    localhost;
    localnets;
};
In the same file, find the options section and add these lines to it, so that only the clients matched by the acl above can query this resolver:
recursion yes;
allow-query { goodclients; };
If we are using IPv4 only, update the listen-on-v6 option (or simply comment it out), for example:
listen-on-v6 { none; };
Also edit the BIND startup options in /etc/default/bind9 to enforce IPv4 by adding the -4 parameter:
OPTIONS="-u bind -4"
We can check the BIND configuration for errors with this command:
named-checkconf
Then restart the BIND service to apply the changes:
service bind9 restart
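named-checkconf only validates syntax; it accepts allow-query { any; } just as readily as the restricted acl used above, so a syntactically valid file can still describe an open resolver that anyone on the Internet can use for recursion (and for reflection traffic). The following POSIX sh script is an added example, not part of the original tutorial, that audits a named.conf.options file for exactly that condition. It assumes only sed, tr and mktemp, and the two sample configurations it writes are constructed for the demo: one mirrors the tutorial's restricted setup, the other allows recursion from any client.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a BIND
# named.conf.options file for the "open resolver" misconfiguration,
# i.e. recursion enabled while recursive service is allowed from "any".
# Assumes only POSIX sh, sed, tr and mktemp; sample configs are constructed.

# Remove // and # comments and flatten the file onto one line.
normalize_conf() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\n\t' '  ' | tr -s ' '
}

# Print the body of "<directive> { ... }" from a flattened config
# (whitespace stripped), or nothing when the directive is absent.
acl_body() {
    printf '%s' "$2" | sed -n "s/.*$1 *{\([^}]*\)}.*/\1/p" | tr -d ' '
}

# Return 0 when recursive service is restricted (or recursion is off),
# 1 when the file describes an open resolver. One-line verdict on stdout.
audit_bind_options() {
    conf=$(normalize_conf "$1")
    case "$conf" in
        *"recursion no;"*)
            echo "OK: recursion disabled"; return 0 ;;
    esac
    # recursion is on (BIND defaults to yes when the option is unset).
    recursion_acl=$(acl_body allow-recursion "$conf")
    query_acl=$(acl_body allow-query "$conf")
    if [ -n "$recursion_acl" ]; then
        effective=$recursion_acl; source=allow-recursion
    elif [ -n "$query_acl" ]; then
        # BIND's documented default: allow-recursion falls back to allow-query.
        effective=$query_acl; source=allow-query
    else
        # Neither set: BIND's built-in default is localnets; localhost.
        echo "OK: built-in default (localhost; localnets)"; return 0
    fi
    case "$effective" in
        "any;"*|*";any;"*)
            echo "OPEN RESOLVER: $source allows any"; return 1 ;;
    esac
    echo "OK: recursion limited by $source { $effective }"
    return 0
}

# Constructed samples: the tutorial's restricted setup vs. an open resolver.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
acl goodclients { localhost; localnets; };
options {
    directory "/var/cache/bind";
    recursion yes;            // cache for local clients only
    allow-query { goodclients; };
    listen-on-v6 { none; };
};
EOF
cat > "$bad" <<'EOF'
options {
    recursion yes;
    allow-query { any; };     # answers and recurses for the whole Internet
};
EOF
audit_bind_options "$good"
audit_bind_options "$bad" || true
rm -f "$good" "$bad"
```

Run it as sh audit.sh after the demo, or call audit_bind_options /etc/bind/named.conf.options from your own script; a non-zero exit means the file needs an allow-recursion or allow-query restriction before the service is exposed on a routable address.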
To use the local DNS resolver, edit /etc/resolv.conf and point nameserver to the local address:
nameserver 127.0.0.1
We can test DNS resolution, for example with the nslookup command:
nslookup google.com
This should produce output similar to this:
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 216.58.201.110
Name: google.com
Address: 2a00:1450:4014:801::200e
BIND logs everything to syslog by default, so we may want to change this behaviour. Follow this example to configure BIND to write to a dedicated log file at /var/log/bind/bind.log.
First we need to create BIND's log directory and set its owner:
mkdir /var/log/bind
chown bind:bind /var/log/bind
Create a new file /etc/bind/named.conf.logs with this configuration:
logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { bind_log; };
    category update { bind_log; };
    category update-security { bind_log; };
    category security { bind_log; };
    category queries { bind_log; };
    category lame-servers { bind_log; };
};
Then edit the main /etc/bind/named.conf and include the newly created file by adding this line:
include "/etc/bind/named.conf.logs";
Check your configuration for errors:
named-checkconf
Then restart the BIND service to apply the changes:
service bind9 restart
That's it!
AppArmor policy for named forbids writing logfiles except for /var/log/named/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884995
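As the note above says, Debian's AppArmor profile for named only permits log files under /var/log/named/, so a logging block pointing at /var/log/bind/bind.log passes named-checkconf and yet named silently fails to open the file once the service restarts. The following POSIX sh script is an added example, not part of the original tutorial, that pulls every file "..." statement out of a logging configuration and flags paths outside the permitted directory before you restart. It assumes sed, grep and mktemp, takes the permitted directory from the ALLOWED_LOG_DIR variable (defaulting to /var/log/named), and the configurations it checks are constructed copies of the tutorial's logging block, one unchanged and one moved under /var/log/named/.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check that every log
# file named in a BIND logging block lies under the directory Debian's
# AppArmor profile for named permits (/var/log/named/ by default).
# Assumes POSIX sh, sed, grep and mktemp; sample configs are constructed.

ALLOWED_LOG_DIR=${ALLOWED_LOG_DIR:-/var/log/named}

# Print the quoted path of every 'file "..."' statement, one per line,
# after removing // and # comments (one file statement per line assumed).
log_file_paths() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | sed -n 's/.*file *"\([^"]*\)".*/\1/p'
}

# Print only the channel file paths that fall outside $ALLOWED_LOG_DIR/.
blocked_log_paths() {
    log_file_paths "$1" | grep -v "^$ALLOWED_LOG_DIR/" || true
}

# Return 0 when all channel files are under $ALLOWED_LOG_DIR, 1 otherwise;
# each offending path is reported on stdout.
check_log_paths() {
    blocked=$(blocked_log_paths "$1")
    if [ -n "$blocked" ]; then
        for path in $blocked; do
            echo "BLOCKED $path (outside $ALLOWED_LOG_DIR/, AppArmor denies the write)"
        done
        return 1
    fi
    echo "ok: all channel files are under $ALLOWED_LOG_DIR/"
    return 0
}

# Constructed samples: the tutorial's logging block as written, and the
# same block with the file moved into the AppArmor-permitted directory.
tutorial=$(mktemp); fixed=$(mktemp)
cat > "$tutorial" <<'EOF'
logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 5m;   // tutorial's path
        severity info;
        print-time yes;
    };
    category default { bind_log; };
    category queries { bind_log; };
};
EOF
sed 's|/var/log/bind/|/var/log/named/|' "$tutorial" > "$fixed"
check_log_paths "$tutorial" || true
check_log_paths "$fixed"
rm -f "$tutorial" "$fixed"
```

To check the real file, run check_log_paths /etc/bind/named.conf.logs before service bind9 restart; if you deliberately keep a different directory, either set ALLOWED_LOG_DIR to match a local AppArmor override or move the channel file under /var/log/named/ as the bug report suggests.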