{"id":7059,"date":"2020-10-05T23:58:18","date_gmt":"2020-10-05T20:58:18","guid":{"rendered":"https:\/\/kifarunix.com\/?p=7059"},"modified":"2024-03-14T23:32:33","modified_gmt":"2024-03-14T20:32:33","slug":"setup-caching-only-dns-server-using-bind9-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-caching-only-dns-server-using-bind9-on-ubuntu-20-04\/","title":{"rendered":"Setup Caching-Only DNS Server using BIND9 on Ubuntu 20.04"},"content":{"rendered":"\n<p>In this tutorial, we will discuss how to install and set up a caching-only DNS server using BIND9 on Ubuntu 20.04. The <a href=\"https:\/\/www.isc.org\/bind\/\" target=\"_blank\" rel=\"noreferrer noopener\">Berkeley Internet Name Domain (BIND 9)<\/a> is a versatile, classic and complete name server software that implements an Internet domain name server. It is the most widely-used name server software on the Internet. DNS, on the other hand, refers to a distributed naming system which maps hostnames to their respective IP addresses. This enables end users to refer to systems by their hostnames rather than by IPs, which are subject to change from time to time depending on whether the IP is static or dynamic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up Caching-Only DNS Server using BIND9<\/h2>\n\n\n\n<p>There are different roles in which any DNS server can be configured to serve. In this guide, we will be looking at how to set up a caching-only DNS server using Bind9 on Ubuntu 20.04. While all DNS servers can cache DNS queries, the only role of a caching-only DNS server is to cache DNS queries. 
It has no zone data and thus does not serve out zones.<\/p>\n\n\n\n<p>Setting up a caching-only DNS server using BIND doesn&#8217;t require expert-level experience; even a newbie can handle it, :).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Run System Update<\/h3>\n\n\n\n<p>To begin, ensure your system package repos are up-to-date.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install BIND9 on Ubuntu 20.04<\/h3>\n\n\n\n<p>Next, install Bind9 and other BIND\/DNS utilities on Ubuntu 20.04;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install bind9 bind9utils -y<\/code><\/pre>\n\n\n\n<p>These packages install the name server daemon, <code><strong>named<\/strong><\/code>, the Bind administration tool, <code><strong>rndc<\/strong><\/code>, and the debugging utility, <code><strong>dig<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Setup Caching-Only DNS Server using BIND9<\/h3>\n\n\n\n<p>Once the Bind9 package and other DNS utilities are installed, proceed to set up the caching-only DNS server. <code><strong>\/etc\/bind\/named.conf<\/strong><\/code> is the main configuration file for the BIND DNS server, named. 
By default, this is what this configuration file looks like, at least on Ubuntu 20.04;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>less \/etc\/bind\/named.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ This is the primary configuration file for the BIND DNS server named.\n\/\/\n\/\/ Please read \/usr\/share\/doc\/bind9\/README.Debian.gz for information on the \n\/\/ structure of BIND configuration files in Debian, *BEFORE* you customize \n\/\/ this configuration file.\n\/\/\n\/\/ If you are just adding zones, please do that in \/etc\/bind\/named.conf.local\n\ninclude \"\/etc\/bind\/named.conf.options\";\ninclude \"\/etc\/bind\/named.conf.local\";\ninclude \"\/etc\/bind\/named.conf.default-zones\";<\/code><\/pre>\n\n\n\n<p>From the file above;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Comment lines begin with double forward slashes, <code><strong>\/\/<\/strong><\/code>. <code><strong>#<\/strong><\/code> is also accepted for comments.<\/li>\n\n\n\n<li>Include statements are used to include other named configuration files.<\/li>\n\n\n\n<li>All statements must be terminated by a semicolon, <strong><code>;<\/code><\/strong>.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Defining Bind global configuration options<\/h4>\n\n\n\n<p>The&nbsp;<code>options<\/code>&nbsp;statement is used to define global named configuration options, set defaults for other statements, specify the location of the&nbsp;<code>named<\/code>&nbsp;working directory, the types of queries allowed, etc.<\/p>\n\n\n\n<p>As per this configuration, on Ubuntu 20.04, all Bind options are stored in the <code><strong>\/etc\/bind\/named.conf.options<\/strong><\/code> configuration file.<\/p>\n\n\n\n<p>Create a backup of the default options configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/bind\/named.conf.options{,.bak}<\/code><\/pre>\n\n\n\n<p>Next, open the options configuration file for editing;<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>vim \/etc\/bind\/named.conf.options<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Configure Access Control List<\/h5>\n\n\n\n<p>To begin with, configure the DNS server access control list. This can be done using the <code><strong>acl<\/strong><\/code> statement. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ DNS Server ACL\nacl \"allowed\" {\n        192.168.57.0\/24;\n};<\/code><\/pre>\n\n\n\n<p>The&nbsp;<strong>acl<\/strong>&nbsp;statement defines groups of hosts that can be permitted or denied access to the nameserver. In this case, <strong><code>allowed<\/code><\/strong> is the name of the access control list and <code><strong>192.168.57.0\/24<\/strong><\/code> is the network that will be allowed to use our DNS server.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Define global server configuration options<\/h5>\n\n\n\n<p>BIND DNS server global configuration options are defined under the <code><strong>options<\/strong><\/code> statement. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\noptions {\n        directory \"\/var\/cache\/bind\";\n\n        recursion yes;\n        allow-recursion { localhost; allowed; };\n        listen-on port 53 { localhost; 192.168.57.6; };\n        allow-query { localhost; allowed; };\n        allow-transfer { none; };\n        \n        dnssec-validation auto;\n\n        listen-on-v6 { any; };\n};<\/code><\/pre>\n\n\n\n<p>Where:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>recursion<\/strong>&nbsp;\u2013 Specifies whether to act as a recursive server.<\/li>\n\n\n\n<li><strong>allow-recursion<\/strong>&nbsp;\u2013 Defines hosts to allow recursive queries from.<\/li>\n\n\n\n<li><strong>listen-on<\/strong>&nbsp;\u2013 Specifies the&nbsp;<code>IPv4<\/code>&nbsp;network interface on which to listen for queries.<\/li>\n\n\n\n<li><strong>allow-query<\/strong>&nbsp;\u2013 Specifies which hosts are allowed to query the nameserver for authoritative resource records.<\/li>\n\n\n\n<li><strong>allow-transfer<\/strong>&nbsp;\u2013 Specifies which secondary servers are allowed to request a transfer of the zone\u2019s information.&nbsp;<\/li>\n\n\n\n<li><strong>dnssec-validation<\/strong>&nbsp;\u2013 Specifies whether to prove that resource records are authentic through DNSSEC. 
The default option is&nbsp;<code>yes<\/code>.<\/li>\n\n\n\n<li><strong>listen-on-v6<\/strong>&nbsp;\u2013 Specifies the&nbsp;<code>IPv6<\/code>&nbsp;network interface on which to listen for queries.<\/li>\n<\/ul>\n\n\n\n<p>For our basic caching-only DNS server, here is what our <code><strong>\/etc\/bind\/named.conf.options<\/strong><\/code> looks like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>acl \"allowed\" {\n        192.168.57.0\/24;\n};\noptions {\n        directory \"\/var\/cache\/bind\";\n\n        recursion yes;\n        allow-recursion { localhost; allowed; };\n        listen-on port 53 { localhost; 192.168.57.6; };\n        allow-query { localhost; allowed; };\n        allow-transfer { none; };\n        \n        dnssec-validation auto;\n\n        listen-on-v6 { none; };\n};<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Checking Bind Configuration Syntax<\/h3>\n\n\n\n<p><code><strong>named-checkconf<\/strong><\/code> is a utility that can be used to check Bind\/named configuration files for syntax errors.<\/p>\n\n\n\n<p>You can simply run <code><strong>named-checkconf<\/strong><\/code>. However, you can as well pass the path to the configuration file as the command argument.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkconf<\/code><\/pre>\n\n\n\n<p>or, with the path to the configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>named-checkconf \/etc\/bind\/named.conf<\/code><\/pre>\n\n\n\n<p>If there is any syntax error in the configuration file, the command will show the affected line and the specific error. 
Below is an example;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/etc\/bind\/named.conf.options:10: missing ';' before 'allow-query'<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Open DNS Port on Firewall<\/h3>\n\n\n\n<p>If UFW is running, run the command below to allow DNS queries from your specific LAN network, 192.168.57.0\/24 in our case. This rule covers UDP only; DNS also uses TCP port 53 for responses that do not fit in a UDP datagram, so allow TCP from the same network as well if your clients need it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow from 192.168.57.0\/24 to 192.168.57.6 port 53 proto udp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw status numbered<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91; 2] 192.168.57.6 53\/udp        ALLOW IN    192.168.57.0\/24<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Controlling Bind Service<\/h3>\n\n\n\n<p>You can start, stop, restart or reload the Bind DNS named service using its <code>named<\/code> systemd unit. For example, to start it and enable it to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now named<\/code><\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status named<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\u25cf named.service - BIND Domain Name Server\n     Loaded: loaded (\/lib\/systemd\/system\/named.service; enabled; vendor preset: enabled)\n     Active: active (running) since Mon 2020-10-05 20:11:40 UTC; 43s ago\n       Docs: man:named(8)\n   Main PID: 17452 (named)\n      Tasks: 8 (limit: 2282)\n     Memory: 17.8M\n     CGroup: \/system.slice\/named.service\n             \u2514\u250017452 \/usr\/sbin\/named -f -u bind\n\nOct 05 20:11:40 ubuntu20 named&#91;17452]:...<\/code><\/pre>\n\n\n\n<p>You can as well check the DNS port;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>netstat -alunp | grep 53<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Testing BIND DNS Resolution<\/h4>\n\n\n\n<p>On a client system, configure the DNS server IP to your caching-only DNS 
server IP. In this example setup, we use CentOS 8 as our DNS client;<\/p>\n\n\n\n<p>So, find an active connection name;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli -t --fields NAME con show --active<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Wired connection 1<\/code><\/pre>\n\n\n\n<p>Based on the currently active connection, find the DNS server IP address set;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli --fields ip4.dns con show 'Wired connection 1'<\/code><\/pre>\n\n\n\n<p>Then you can set or modify the DNS server IP address;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con mod 'Wired connection 1' ipv4.dns 192.168.57.6<\/code><\/pre>\n\n\n\n<p>Or you can add the DNS server IP instead;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con mod 'Wired connection 1' +ipv4.dns 192.168.57.6<\/code><\/pre>\n\n\n\n<p>Reload the interface;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con down 'Wired connection 1'<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli con up 'Wired connection 1'<\/code><\/pre>\n\n\n\n<p>Now check the DNS server IP;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nmcli --fields ip4.dns con show 'Wired connection 1'<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>IP4.DNS&#91;1]:                             192.168.57.6<\/code><\/pre>\n\n\n\n<p>Also check if the \/etc\/resolv.conf file is updated with the same IP.<\/p>\n\n\n\n<p>Verify the DNS resolution (Assuming you already have bind-utils package installed);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dig google.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>; &lt;&lt;&gt;&gt; DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 &lt;&lt;&gt;&gt; google.com\n;; global options: +cmd\n;; Got answer:\n;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 54634\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT 
PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n; COOKIE: 064887612bf0e630010000005f7b8519e3b270a5437d1619 (good)\n;; QUESTION SECTION:\n;google.com.\t\t\tIN\tA\n\n;; ANSWER SECTION:\ngoogle.com.\t\t90\tIN\tA\t216.58.223.110\n\n;; Query time: 1 msec\n;; SERVER: 192.168.57.6#53(192.168.57.6)\n;; WHEN: Mon Oct 05 23:41:59 EAT 2020\n;; MSG SIZE  rcvd: 83<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nslookup google.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Server:\t\t192.168.57.6\nAddress:\t192.168.57.6#53\n\nNon-authoritative answer:\nName:\tgoogle.com\nAddress: 216.58.223.110\nName:\tgoogle.com\nAddress: 2a00:1450:401a:805::200e<\/code><\/pre>\n\n\n\n<p>And that pretty much summarizes our guide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-bind-as-dns-server-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure BIND as DNS Server on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-setup-master-slave-dns-server-using-bind-on-centos-7\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Setup Master-Slave DNS Server using BIND on CentOS 7<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-bind-dns-server-using-webmin-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure BIND DNS Server using Webmin on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-bind-dns-using-webmin-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup Bind DNS Using Webmin on Debian 10<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we will discuss how to install and setup caching-only DNS server using BIND9 on Ubuntu 20.04. 
The Berkeley Internet Name Domain (BIND<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,979,971,128],"tags":[2588,2587,2589,2585,2586,1200],"class_list":["post-7059","post","type-post","status-publish","format-standard","hentry","category-howtos","category-bind","category-dns","category-lpic-2","tag-caching-only-dns-server","tag-caching-only-dns-server-ubuntu-20-04","tag-configure-bind-9-caching-only-dns-server","tag-install-bind-9-ubuntu-20-04","tag-setup-cache-only-dns-server-ubuntu-20-04","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/7059"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=7059"}],"version-history":[{"count":3,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/7059\/revisions"}],"predecessor-version":[{"id":21542,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/7059\/revisions\/21542"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=7059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=7059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=7059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}