## 📋 Prerequisites
| Component | Requirement | Description |
|---|---|---|
| VPS OS | Ubuntu 20.04+ / CentOS 8+ | Fresh Linux installation with root/sudo access |
| Memory | 1GB RAM minimum | 2GB+ recommended for production |
| Storage | 20GB free space | For OS, BIND, and zone files |
| Network | Static IP address | Essential for DNS server stability |
| Firewall | Port 53 open | TCP/UDP for DNS queries |
## 🚀 Installation Steps
| Step | Command | Purpose | Expected Output |
|---|---|---|---|
| 1. Update system | `sudo apt update && sudo apt upgrade -y` | Get the latest packages and security updates | Packages updated successfully |
| 2. Install BIND9 | `sudo apt install bind9 bind9utils bind9-doc -y` | Install the BIND DNS server with its utilities | BIND9 installed and service created |
| 3. Check version | `named -v` | Verify the BIND installation | BIND 9.18.x (version number) |
| 4. Start service | `sudo systemctl start named` then `sudo systemctl enable named` | Start the service and enable auto-start on boot | Service active and enabled |
## ⚙️ Configuration Files Structure
| File Path | Purpose | Example Content | Security |
|---|---|---|---|
| `/etc/bind/named.conf` | Main configuration file | `include "/etc/bind/named.conf.options";` | Root ownership |
| `/etc/bind/named.conf.options` | Server options and ACLs | `options { directory "/var/cache/bind"; listen-on { any; }; };` | bind:bind ownership |
| `/etc/bind/named.conf.local` | Local zones and domains | `zone "example.com" { type master; file "/etc/bind/db.example.com"; };` | bind:bind ownership |
| `/etc/bind/db.example.com` | Forward zone file | `@ IN A 192.168.1.10` and `www IN A 192.168.1.20` | bind:bind ownership |
| `/etc/bind/db.192.168.1` | Reverse zone file | `10 IN PTR example.com.` and `20 IN PTR www.example.com.` | bind:bind ownership |
## 📝 DNS Record Types Explained
| Record Type | Syntax | Purpose | Example | TTL |
|---|---|---|---|---|
| A (Address) | `NAME IN A IPV4` | Points to an IPv4 address | `www IN A 192.168.1.10` | 3600 |
| AAAA (IPv6 Address) | `NAME IN AAAA IPV6` | Points to an IPv6 address | `www IN AAAA 2001:db8::1` | 3600 |
| CNAME (Canonical Name) | `ALIAS IN CNAME REALNAME` | Creates a domain alias | `web IN CNAME www` | 3600 |
| MX (Mail Exchange) | `DOMAIN IN MX PRIORITY SERVER` | Mail server routing | `@ IN MX 10 mail` | 14400 |
| NS (Name Server) | `DOMAIN IN NS NAMESERVER` | Authoritative name servers | `@ IN NS ns1.example.com.` | 172800 |
| SOA (Start of Authority) | `@ IN SOA PRIMARY CONTACT (...)` | Zone authority information | `@ IN SOA ns1 admin (2024010101 ...)` | 3600 |
| TXT (Text) | `NAME IN TXT "text"` | Arbitrary text data | `@ IN TXT "v=spf1 mx ~all"` | 3600 |
| PTR (Pointer) | `HOST-OCTET IN PTR FQDN.` | Reverse DNS lookup (the name is the host part of the address within the reverse zone) | `10 IN PTR example.com.` | 3600 |
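Putting the record types together: the following shell script is an added example (not code from the original page) that writes a complete forward zone for example.com and the matching reverse zone using the addresses from the tables above, derives the `in-addr.arpa` zone name from the network prefix, and runs `named-checkzone` on both files when BIND's tools are installed. The output directory, the serial value, and the `mail` host at 192.168.1.30 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: builds the forward and reverse zone
# files the tables describe and validates them when named-checkzone is present.
# The output directory, the serial and the "mail" host address are assumptions.

# reverse_zone PREFIX -> in-addr.arpa zone name (192.168.1 -> 1.168.192.in-addr.arpa)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ out = ""; for (i = NF; i >= 1; i--) out = out $i "."; print out "in-addr.arpa" }'
}

# write_forward_zone DIR SERIAL -> writes DIR/db.example.com and prints its path
write_forward_zone() {
    cat > "$1/db.example.com" <<EOF
\$TTL 3600
@       IN SOA  ns1.example.com. admin.example.com. (
                $2         ; serial (YYYYMMDDNN)
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-caching TTL
@       IN NS   ns1.example.com.
@       IN MX   10 mail.example.com.
@       IN TXT  "v=spf1 mx ~all"
@       IN A    192.168.1.10
ns1     IN A    192.168.1.10
www     IN A    192.168.1.20
www     IN AAAA 2001:db8::1
mail    IN A    192.168.1.30
web     IN CNAME www
EOF
    printf '%s\n' "$1/db.example.com"
}

# write_reverse_zone DIR SERIAL -> writes DIR/db.192.168.1 (PTR for every A above)
write_reverse_zone() {
    cat > "$1/db.192.168.1" <<EOF
\$TTL 3600
@       IN SOA  ns1.example.com. admin.example.com. (
                $2 3600 900 1209600 300 )
@       IN NS   ns1.example.com.
10      IN PTR  example.com.
20      IN PTR  www.example.com.
30      IN PTR  mail.example.com.
EOF
    printf '%s\n' "$1/db.192.168.1"
}

# count_records FILE TYPE -> how many "NAME IN TYPE ..." lines the file holds
count_records() {
    awk -v t="$2" '$2 == "IN" && $3 == t { n++ } END { print n + 0 }' "$1"
}

# check_zone ZONE FILE -> named-checkzone when installed, otherwise say so
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" || echo "$2: named-checkzone reported errors"
    else
        echo "$2: named-checkzone not installed, syntax check skipped"
    fi
}

# Usage: build both files in a scratch directory and validate them
demo() {
    dir=$(mktemp -d)
    fwd=$(write_forward_zone "$dir" 2024010101)
    rev=$(write_reverse_zone "$dir" 2024010101)
    check_zone example.com "$fwd"
    check_zone "$(reverse_zone 192.168.1)" "$rev"
    echo "$(count_records "$fwd" A) A records, $(count_records "$rev" PTR) PTR records in $dir"
}
demo
```

The reverse zone name is what goes into `named.conf.local` for the PTR file: `zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192.168.1"; };`. Every A record has a PTR counterpart, which is what mail servers and log analysers expect when they check reverse DNS.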
## 🔍 Testing & Validation Commands
| Tool | Command | Purpose | Expected Result |
|---|---|---|---|
| named-checkconf | `sudo named-checkconf` | Validate BIND configuration syntax | No output = success |
| named-checkzone | `sudo named-checkzone example.com /etc/bind/db.example.com` | Validate zone file syntax | `OK` = zone validated |
| dig | `dig @localhost example.com A` | Test DNS resolution locally | Returns the A record with status `NOERROR` |
| nslookup | `nslookup example.com localhost` | Alternative DNS testing tool | Returns the IP address |
| rndc | `sudo rndc status` | Check BIND server status | Server is up and running |
| systemctl | `sudo systemctl status named` | Check service status | `Active (running)` |
## 🛡️ Security Best Practices
| Security Measure | Implementation | Purpose | Risk Mitigated |
|---|---|---|---|
| ACL (Access Control) | `acl "trusted" { 192.168.1.0/24; };` | Define a trusted network to reference in `allow-query` / `allow-recursion` | Unauthorized access |
| Rate Limiting | `rate-limit { responses-per-second 10; };` | Cap responses per client so the server cannot be used for DNS amplification | DDoS attacks |
| DNSSEC | `dnssec-validation auto;` | Validate DNS responses | DNS spoofing |
| Version Hiding | `version "DNS Server";` | Hide the BIND version string | Information disclosure |
| Firewall Rules | `ufw allow 53/tcp` and `ufw allow 53/udp` | Control network access | Port scanning |
| Chroot Jail | install `bind9-chroot` | Isolate the BIND process | Privilege escalation |
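The options block from the configuration table (`listen-on { any; }` with unrestricted queries and recursion) beside a hardened one assembled from the measures in this table, plus a small audit that flags the weak settings. This is an added example, not the page's own configuration: the listen address 192.168.1.10, the loopback entry in the ACL and the file names are assumptions, and `allow-query` is left open on purpose because an authoritative server must still answer for the zones it hosts while recursion is limited to the trusted network.

```shell
#!/bin/sh
# Added example, not from the original page: the permissive options block beside
# a hardened one, and an audit that reports which protections a file lacks.
# The listen address, the ACL loopback entry and the file names are assumptions.

# write_weak_options DIR -> the example from the configuration table, extended
write_weak_options() {
    cat > "$1/named.conf.options.weak" <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on { any; };
    allow-query { any; };
    recursion yes;
};
EOF
    printf '%s\n' "$1/named.conf.options.weak"
}

# write_hardened_options DIR -> the same server with the security-table measures applied
write_hardened_options() {
    cat > "$1/named.conf.options.hardened" <<'EOF'
// Trusted network from the security table, plus loopback for local testing
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.1.10; };   // assumed server address
    allow-query { any; };                      // hosted zones must stay resolvable
    recursion yes;
    allow-recursion { trusted; };              // not an open resolver
    allow-query-cache { trusted; };
    allow-transfer { none; };                  // list secondaries here if any
    rate-limit { responses-per-second 10; };   // response rate limiting
    dnssec-validation auto;
    version "DNS Server";                      // hide the real version string
};
EOF
    printf '%s\n' "$1/named.conf.options.hardened"
}

# has FILE PATTERN -> true if some line of FILE starts with PATTERN (after whitespace)
has() { grep -Eq "^[[:space:]]*$2" "$1"; }

# audit_options FILE -> one line per weak setting found
audit_options() {
    f=$1
    if has "$f" 'recursion[[:space:]]+yes' && ! has "$f" 'allow-recursion'; then
        echo "recursion open to everyone: add allow-recursion { trusted; }"
    fi
    has "$f" 'rate-limit'        || echo "no rate-limit block: server can be abused for amplification"
    has "$f" 'allow-transfer'    || echo "allow-transfer not set: restrict zone transfers to secondaries"
    has "$f" 'dnssec-validation' || echo "dnssec-validation not set: forged responses are not detected"
    has "$f" 'version'           || echo "version not set: real BIND version is disclosed"
}

# audit_count FILE -> number of findings
audit_count() { audit_options "$1" | awk 'END { print NR }'; }

# check_conf FILE -> named-checkconf when installed, otherwise say so
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1" && echo "$1: syntax OK" || echo "$1: named-checkconf reported errors"
    else
        echo "$1: named-checkconf not installed, syntax check skipped"
    fi
}

# Usage: write both variants to a scratch directory, check syntax and audit them
demo() {
    dir=$(mktemp -d)
    for f in "$(write_weak_options "$dir")" "$(write_hardened_options "$dir")"; do
        echo "== $f"
        check_conf "$f"
        audit_options "$f"
        echo "findings: $(audit_count "$f")"
    done
}
demo
```

Run `audit_options /etc/bind/named.conf.options` on a live server to see which rows of the table are still missing; the checks are line-based, so they assume one directive per line as in the files above.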
## 🐛 Troubleshooting Common Issues
| Issue | Symptoms | Solution | Prevention |
|---|---|---|---|
| rndc connection refused | `rndc: connect failed` | Run `sudo rndc-confgen -a` and include `rndc.key` in the configuration | Proper rndc setup during install |
| Zone not loading | `zone: loaded serial 0` | Check the zone file syntax and increment the serial number | Validate zone files before reload |
| Permission denied | `open: permission denied` | `chown bind:bind /etc/bind/*` and `chmod 640` the zone files | Set correct ownership during setup |
| Query timeouts | `timed out resolving` | Check forwarders and verify network connectivity | Use reliable forwarders |
| DNS amplification | High traffic from spoofed IPs | Implement rate limiting and restrict recursion | Proper ACL configuration |
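For the "Zone not loading" row: an added example (not from the original page) that reads the SOA serial out of a zone file, computes the next YYYYMMDDNN value, rewrites the file in place and, when `rndc` is present, reloads the zone. The sample zone it writes is constructed, and `next_serial` takes the date as an argument so the result is deterministic.

```shell
#!/bin/sh
# Added example, not from the original page: read the SOA serial of a zone file,
# compute the next YYYYMMDDNN value, rewrite the file and reload the zone via rndc.
# The sample zone is constructed; "today" is passed in so results are deterministic.

# next_serial CURRENT TODAY(YYYYMMDD) -> same-day edits bump NN, a new day restarts
# at 01, and a serial already ahead of today just increments so it never goes backwards
next_serial() {
    base=$(( $2 * 100 ))
    if [ $(( $1 >= base )) -eq 1 ]; then
        echo $(( $1 + 1 ))
    else
        echo $(( base + 1 ))
    fi
}

# Shared awk program: the third token after "SOA" (parentheses and ; comments skipped)
# is the serial. mode=get prints it; mode=set rewrites it to the value in "new".
SOA_AWK='
{
    line = $0
    if (!done) {
        work = line; sub(/;.*/, "", work)
        n = split(work, tok, /[ \t()]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] == "") continue
            if (!insoa) { if (tok[i] == "SOA") insoa = 1; continue }
            if (++count != 3) continue
            if (mode == "get") { print tok[i]; exit }
            if (match(line, "(^|[^0-9A-Za-z.])" tok[i] "([^0-9A-Za-z.]|$)")) {
                s = RSTART; if (substr(line, s, 1) !~ /[0-9]/) s++
                line = substr(line, 1, s - 1) new substr(line, s + length(tok[i]))
                done = 1
            }
            break
        }
    }
    if (mode == "set") print line
}'

# current_serial FILE -> prints the serial in the SOA record
current_serial() { awk -v mode=get "$SOA_AWK" "$1"; }

# bump_zone_serial FILE TODAY -> rewrites FILE with the next serial and prints it
bump_zone_serial() {
    old=$(current_serial "$1")
    new=$(next_serial "$old" "$2")
    awk -v mode=set -v new="$new" "$SOA_AWK" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# reload_zone ZONE -> ask the running server to pick up the edited file
reload_zone() {
    if command -v rndc >/dev/null 2>&1; then
        sudo rndc reload "$1" || echo "rndc reload failed; check 'sudo rndc status'"
    else
        echo "rndc not installed; skipped reload of $1"
    fi
}

# write_sample_zone FILE -> constructed zone in the multi-line SOA layout
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. admin.example.com. (
        2024010101 ; serial
        3600 900 1209600 300 )
@   IN NS  ns1.example.com.
www IN A   192.168.1.20
EOF
}

# Usage: bump a scratch copy with today's date
demo() {
    zone=$(mktemp)
    write_sample_zone "$zone"
    echo "serial before: $(current_serial "$zone")"
    echo "serial after:  $(bump_zone_serial "$zone" "$(date +%Y%m%d)")"
    rm -f "$zone"
}
demo
```

On a live server the sequence is `bump_zone_serial /etc/bind/db.example.com "$(date +%Y%m%d)"`, then `named-checkzone example.com /etc/bind/db.example.com`, then `reload_zone example.com`; secondaries only transfer the zone when the serial has gone up, which is why an unchanged serial shows up as stale data rather than as an error.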
💡 Teaching Tip: Use this table as a reference guide during DNS setup workshops. Each section can be demonstrated live with actual command execution on a VPS.

⚠️ Important: Always back up your configuration before making changes and test thoroughly in a non-production environment first.