@mrpeardotnet
Last active November 17, 2022 12:36
Configure BIND9 as caching nameserver

Install and configure BIND9 as caching DNS nameserver [Debian/Ubuntu]

This tutorial shows how to set up and configure BIND9 as a caching domain name server (DNS) on a Debian/Ubuntu based Linux system.

Installation

sudo apt-get install bind9

BIND configuration

Edit the configuration file /etc/bind/named.conf.options and insert the following acl section at the top of the file:

acl goodclients {
  localhost;
  localnets;
};

In the same configuration file, find the options section and add these lines to it:

recursion yes;
allow-query { goodclients; };

If we are using IPv4 only, update the listen-on-v6 option (or simply comment it out):

listen-on-v6 { none; };

Also edit the BIND startup options in /etc/default/bind9 to enforce IPv4 by adding the -4 parameter:

OPTIONS="-u bind -4"

We can check the BIND configuration for errors with this command:

named-checkconf

Then restart the BIND service to apply the changes:

service bind9 restart
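The security point of the options above is that recursion is only offered to the goodclients ACL; a caching server that recurses for anyone on the internet is an open resolver that can be abused for amplification. The following is an added example (not part of the gist) that reads a named.conf.options text and works out who is effectively allowed to recurse, following the BIND 9 fallback order of allow-recursion, then allow-query-cache, then allow-query, then the built-in default of localnets and localhost. Both configuration samples are constructed here: TUTORIAL_CONF mirrors the tutorial, OPEN_CONF shows the weak setting allow-query { any; }. It is a line-oriented text heuristic, not a full BIND parser.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the options file as this tutorial builds it.
TUTORIAL_CONF = """
acl goodclients {
  localhost;
  localnets;
};

options {
  directory "/var/cache/bind";
  recursion yes;
  allow-query { goodclients; };
  listen-on-v6 { none; };
};
"""

# Constructed sample: the same server with the query ACL opened to everyone
# and no allow-recursion statement to fall back on (an open resolver).
OPEN_CONF = """
options {
  directory "/var/cache/bind";
  recursion yes;            // caches for anyone who asks
  allow-query { any; };
};
"""

# One statement per line is assumed; nested braces and include files are not followed.
_STMT = re.compile(
    r"^\s*(recursion|allow-recursion|allow-query-cache|allow-query)\s+(.*?);\s*$", re.M)
_ACL_DEF = re.compile(r"^\s*acl\s+\"?([\w.-]+)\"?\s*\{", re.M)
_BUILTIN = {"any", "none", "localhost", "localnets"}


@dataclass
class RecursionAudit:
    recursion: bool
    source: str                       # statement that decided the effective ACL
    effective_acl: list[str] = field(default_factory=list)
    undefined_acls: list[str] = field(default_factory=list)

    @property
    def open_resolver(self) -> bool:
        return self.recursion and "any" in self.effective_acl


def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ blocks
    return re.sub(r"(//|#).*", "", text)                # line comments


def audit_recursion(conf: str) -> RecursionAudit:
    """Determine who may recurse, using the BIND 9 ARM fallback chain:
    allow-recursion, else allow-query-cache, else allow-query,
    else the built-in { localnets; localhost; }."""
    text = _strip_comments(conf)
    stmts = {m.group(1): m.group(2).strip() for m in _STMT.finditer(text)}
    defined = set(_ACL_DEF.findall(text))

    recursion = stmts.get("recursion", "no").lower() == "yes"
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in stmts:
            body = stmts[key].strip("{} ")
            names = [n.strip().strip('"') for n in body.split(";") if n.strip()]
            source = key
            break
    else:
        names, source = ["localnets", "localhost"], "default"

    # Anything that is neither a built-in, a defined acl, nor an address/prefix
    # would make named-checkconf fail; report it rather than guess.
    undefined = [n for n in names
                 if n not in _BUILTIN and n not in defined
                 and not re.fullmatch(r"!?[0-9a-fA-F.:/]+", n)]
    return RecursionAudit(recursion, source, names, undefined)


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF), ("open", OPEN_CONF)):
        a = audit_recursion(conf)
        print(f"{label}: recursion={a.recursion} acl={a.effective_acl} "
              f"(from {a.source}) open_resolver={a.open_resolver}")
```

Run it against a real file with audit_recursion(open("/etc/bind/named.conf.options").read()); an open_resolver result on a host reachable from the internet is the case the goodclients ACL is there to prevent. Because allow-query is the last fallback, the tutorial's single allow-query statement restricts recursion as well; adding an explicit allow-recursion { goodclients; }; makes that intent survive later edits to allow-query.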

System configuration

To use the local DNS resolver, edit /etc/resolv.conf and point nameserver at the local address:

nameserver 127.0.0.1

Test your DNS resolver

We can test DNS resolution, for example with the nslookup command:

nslookup google.com

This should give output something like this:

Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.201.110
Name:   google.com
Address: 2a00:1450:4014:801::200e

Configure BIND logging

BIND logs everything to syslog by default, so we may want to change this behaviour. Follow this example to configure BIND to use a dedicated log at /var/log/bind/bind.log.

Create log directory

First of all we need to create BIND's log directory and set its owner:

mkdir /var/log/bind
chown bind:bind /var/log/bind

Create BIND log configuration file

Create a new /etc/bind/named.conf.logs file with this configuration:

logging {
  channel bind_log {
    file "/var/log/bind/bind.log" versions 3 size 5m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };

  category default { bind_log; };
  category update { bind_log; };
  category update-security { bind_log; };
  category security { bind_log; };
  category queries { bind_log; };
  category lame-servers { bind_log; };
};

Then edit the main /etc/bind/named.conf and include the newly created config file by adding this line:

include "/etc/bind/named.conf.logs";

Check BIND configuration and restart BIND service

Check your configuration for errors:

named-checkconf

Then restart the BIND service to apply the changes:

service bind9 restart
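With print-time, print-category and print-severity enabled, every line in bind.log starts with a timestamp, the category and the severity, and the queries and security categories routed to the channel are the ones that show whether the goodclients ACL is doing its job: a refused query appears in security as "query ... denied", an accepted one in queries as "query: ...". The following is an added example (not part of the gist) that parses such lines and reports, per client, how many queries were seen and how many were denied, then flags clients outside the local networks that were denied (probing, expected) and clients outside the local networks that were served without a denial (a sign the ACL is not restricting what it should). The log lines, addresses and the 0x client handles are constructed for the example; the "@0x..." token is printed by newer BIND versions and is optional here.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, in the format the channel above produces.
SAMPLE_LOG = [
    "17-Nov-2022 12:36:01.101 queries: info: client @0x7f3a1c0b2c60 127.0.0.1#51234 (google.com): query: google.com IN A +E(0)K (127.0.0.1)",
    "17-Nov-2022 12:36:01.102 queries: info: client @0x7f3a1c0b2c60 127.0.0.1#51234 (google.com): query: google.com IN AAAA +E(0)K (127.0.0.1)",
    "17-Nov-2022 12:36:02.250 security: info: client @0x7f3a1c0b3f10 203.0.113.7#4444 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "17-Nov-2022 12:36:02.251 security: info: client @0x7f3a1c0b3f10 203.0.113.7#4444 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "17-Nov-2022 12:36:03.000 queries: info: client 192.168.1.20#40001 (example.net): query: example.net IN MX + (192.168.1.1)",
    "17-Nov-2022 12:36:04.000 queries: info: client 198.51.100.9#53001 (example.org): query: example.org IN A + (192.168.1.1)",
    "17-Nov-2022 12:36:05.000 lame-servers: info: received packet from 192.0.2.1#53 without TSIG",
]

# time category: severity: client [@0xHANDLE] ip#port (qname): <rest>
LOG_LINE = re.compile(
    r"^(?P<time>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"(?P<rest>.*)$")
QUERY = re.compile(r"^query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)")
DENIED = re.compile(
    r"^query (?:\(cache\) )?'(?P<name>[^/]+)/(?P<type>[^/]+)/(?P<class>[^']+)' denied$")


def parse_line(line: str):
    """Return a dict for a client query/denial line, None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("time", "category", "severity", "ip", "qname")}
    rest = m.group("rest")
    if (q := QUERY.match(rest)):
        rec.update(event="query", name=q["name"], qtype=q["type"])
    elif (d := DENIED.match(rest)):
        rec.update(event="denied", name=d["name"], qtype=d["type"])
    else:
        rec.update(event="other", name=None, qtype=None)
    return rec


def summarize(lines, local_nets):
    """Count queries and denials per client and flag clients outside local_nets.

    A denial line is the only reliable sign that the ACL refused a client, so a
    client outside the local networks with queries but no denials is reported
    as served."""
    nets = [ip_network(n) for n in local_nets]
    queries, denied = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "query":
            queries[rec["ip"]] += 1
        elif rec["event"] == "denied":
            denied[rec["ip"]] += 1
    outside = {ip for ip in set(queries) | set(denied)
               if not any(ip_address(ip) in n for n in nets)}
    return {
        "queries": queries,
        "denied": denied,
        "outside_probing": sorted(ip for ip in outside if denied[ip]),
        "outside_served": sorted(ip for ip in outside if queries[ip] and not denied[ip]),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, ["127.0.0.0/8", "192.168.1.0/24"])
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

To run it on the live log, pass open("/var/log/bind/bind.log") as the lines argument and the prefixes that make up localnets on the host as local_nets. An entry in outside_served means a client the ACL should have refused got an answer; go back to allow-query/allow-recursion in named.conf.options. Note that the queries category logs every query, so a busy resolver fills a 5m, 3-version log quickly; raise versions or size in the channel if the window is too short for review.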

That's it!

@McPetya

McPetya commented Nov 17, 2022

AppArmor policy for named forbids writing logfiles except for /var/log/named/

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884995
