DNS Server on Ubuntu using BIND9

A DNS (Domain Name System) server translates human-readable domain names into IP addresses. Setting up your own DNS server gives you control over domain resolution on your network and is a fundamental skill for system administrators.

Prerequisites

  • Ubuntu Server 20.04 LTS or newer
  • Root or sudo privileges
  • Static IP address configured on your server
  • Basic knowledge of Linux command line

1 Install BIND9 DNS Server

Update your package list and install BIND9 (Berkeley Internet Name Domain):

sudo apt update
sudo apt install bind9 bind9-utils bind9-doc -y

BIND9 is the most widely used DNS software on the Internet, providing both authoritative and recursive name services.

2 Configure BIND9 Options

Edit the main BIND9 configuration file:

sudo nano /etc/bind/named.conf.options

Add the following configuration inside the options block:

options {
  directory "/var/cache/bind";
  
  // If your DNS server should be recursive (open DNS)
  recursion yes;
  allow-recursion { any; };
  
  // If your DNS server should be authoritative only
  // recursion no;
  // allow-recursion { none; };
  
  // Allow queries from any client
  allow-query { any; };
  
  // Forwarders to use for DNS resolution
  forwarders {
      8.8.8.8;
      8.8.4.4;
  };
  
  // DNS security extensions
  dnssec-validation auto;
  
  listen-on { any; };
  listen-on-v6 { any; };
};

Note: As written, these options make an open recursive resolver (recursion and queries allowed from any client). For a production environment, restrict recursion and queries to your local network only, because an open resolver can be abused as a reflector for DNS amplification attacks and will answer for anyone on the Internet.

3 Create a Forward Lookup Zone

Create a new zone file for your domain. First, edit named.conf.local:

sudo nano /etc/bind/named.conf.local

Add the following zone configuration (replace example.com with your domain):

zone "example.com" {
  type master;
  file "/etc/bind/zones/db.example.com";
};

Create the zones directory and the zone file:

sudo mkdir /etc/bind/zones
sudo nano /etc/bind/zones/db.example.com
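The note in step 2 says to restrict recursion and queries in production, and step 3 opens the zone file without showing its contents. The following script is added here as an example and is not part of the original tutorial: it writes a hardened named.conf.options (an ACL called trusted, recursion and queries limited to it, zone transfers off, version string hidden), a matching named.conf.local, and a minimal forward zone for example.com into a directory of your choice, then validates them with named-checkconf and named-checkzone when those tools are installed and with plain grep policy checks otherwise. The ACL name, the 192.168.1.0/24 LAN, the 192.168.1.53 server address and the 192.0.2.x host addresses (RFC 5737 documentation range) are placeholders to replace with your own values.

```shell
#!/bin/sh
# Example (not from the original tutorial): generate a hardened BIND9
# configuration plus a minimal forward zone, then validate them.
# Placeholders: the "trusted" ACL, the 192.168.1.0/24 LAN, 192.168.1.53 as
# the server address, and 192.0.2.x (RFC 5737 documentation range) host IPs.

# write_bind_configs DIR -> DIR/named.conf.options, DIR/named.conf.local, DIR/zones/db.example.com
write_bind_configs() {
    dir="$1"
    mkdir -p "$dir/zones"

    # Hardened counterpart of the tutorial's open-resolver options block.
    cat > "$dir/named.conf.options" <<'EOF'
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.168.1.0/24;          // placeholder: your LAN
};

options {
    directory "/var/cache/bind";

    // Recurse only for trusted clients; everyone else gets REFUSED
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
    allow-query-cache { trusted; };

    // No zone transfers unless a zone block says otherwise
    allow-transfer { none; };

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;

    // Bind only the addresses the server should serve on
    listen-on { 127.0.0.1; 192.168.1.53; };   // placeholder addresses
    listen-on-v6 { ::1; };

    // Do not advertise the BIND version in CHAOS TXT queries
    version "not disclosed";
};
EOF

    cat > "$dir/named.conf.local" <<'EOF'
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    // List your secondary servers' IPs here once you have them
    allow-transfer { none; };
    // If this zone must be resolvable from the Internet, add inside this
    // block only:  allow-query { any; };   (zone-level overrides options)
};
EOF

    # Minimal forward zone; the tutorial creates this file but does not show it.
    cat > "$dir/zones/db.example.com" <<'EOF'
$TTL 86400
@       IN  SOA ns1.example.com. admin.example.com. (
        2024010101 ; serial, YYYYMMDDnn; increase on every change
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        86400 )    ; negative-cache TTL
@       IN  NS   ns1.example.com.
ns1     IN  A    192.0.2.53
www     IN  A    192.0.2.80
EOF
}

# check_bind_configs DIR -> returns 0 if the generated files pass validation
check_bind_configs() {
    dir="$1"
    # Real syntax checks when the BIND tools are present (step 4 of the tutorial)
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf.options" || return 1
        named-checkconf "$dir/named.conf.local" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$dir/zones/db.example.com" >/dev/null || return 1
    fi
    # Policy checks that need no BIND install: recursion must be ACL-bound
    grep -q 'allow-recursion { trusted; };' "$dir/named.conf.options" || return 1
    if grep -q 'allow-recursion { any; };' "$dir/named.conf.options"; then return 1; fi
    grep -q 'allow-transfer { none; };' "$dir/named.conf.local" || return 1
    # SOA serial present in the 10-digit YYYYMMDDnn form
    grep -qE '^[[:space:]]+[0-9]{10}[[:space:]]*;' "$dir/zones/db.example.com" || return 1
}

# Usage: sh bind-hardened.sh /tmp/bind-test   (then review and copy into /etc/bind)
if [ -n "${1:-}" ]; then
    write_bind_configs "$1" && check_bind_configs "$1" && echo "configs written to $1 and validated"
fi
```

Generate into a scratch directory first, review the three files, and only then copy them into /etc/bind and continue with step 4; the zone-level allow-query comment is the one change you need if the zone has to answer for Internet clients while recursion stays LAN-only.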

4 Verify Configuration and Restart BIND9

Check your configuration files for syntax errors:

sudo named-checkconf
sudo named-checkzone example.com /etc/bind/zones/db.example.com

If all checks pass without errors, restart BIND9:

sudo systemctl restart bind9

Check the status to ensure it's running properly:

sudo systemctl status bind9

5 Configure Firewall and Test DNS Server

Allow DNS traffic through the firewall (if enabled):

sudo ufw allow 53/tcp
sudo ufw allow 53/udp

Test your DNS server using dig or nslookup:

dig @localhost www.example.com
nslookup www.example.com localhost

6 Security Considerations

  • Run BIND in a chroot jail for increased security
  • Limit zone transfers to specific IP addresses
  • Use TSIG (Transaction Signature) for secure server-to-server communication
  • Keep BIND9 updated with security patches
  • Regularly monitor logs for suspicious activities