DNS server installation

The DNS (Domain Name System) is a key component of a network infrastructure. It lets you use names instead of IP addresses.


A quick DNS overview is available here: DNS server split principle#Simple DNS zone


apt-get install bind9 dnsutils bind9-doc

DNS server configuration

You need to configure the overall behaviour of the DNS server:

  • Which external DNS servers (forwarders) should it use?
  • Enable DNSSEC?
  • IPv6 support?

Set the external DNS

This is the list of DNS servers your server will query to populate its own cache.

The external DNS servers can either be your ISP's resolvers or Google's public servers.

!! Mind the order !! The first DNS server listed has the highest priority.

Edit configuration file:

vim /etc/bind/named.conf.options

Uncomment and adjust the forwarders block (one address per line, each terminated by a semicolon, and the block closed with "};"):

forwarders {
     # Your ISP's DNS IPs (192.0.2.53 is a documentation-range placeholder, replace it)
     192.0.2.53;

     # Google's public DNS
     8.8.8.8;
     8.8.4.4;
};

Disable DNSSEC

DNS is one of the most vulnerable protocols, which is why its next generation, DNSSEC, is being rolled out right now.

But... enabling DNSSEC can lead to validation errors and blocked forwarding if you don't have a proper certificate.

I don't have enough time to set up the correct certificate, so I disabled DNSSEC.

Edit configuration file:

vim /etc/bind/named.conf.options

Disable the DNSSEC options:

dnssec-enable no;
dnssec-validation no;
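The two sections above (forwarders and DNSSEC) both edit named.conf.options. The following script is an added example, not configuration from the original page: it renders a complete options block from a variable and then audits a file for the weak "dnssec-validation no;" setting, so you can spot it again later on any resolver you inherit. The ISP address 192.0.2.53 is a documentation-range placeholder; 8.8.8.8 and 8.8.4.4 are Google's well-known public resolvers and are not taken from the page; the allow-query / allow-recursion restriction is an addition that keeps the server from acting as an open resolver.

```shell
#!/bin/sh
# Added example (not from the original page): render a named.conf.options
# file from a variable and audit it for disabled DNSSEC validation.
# Assumptions: 192.0.2.53 is a placeholder for your ISP resolver;
# 8.8.8.8 / 8.8.4.4 are Google's public resolvers (not from the page).

# render_named_options OUTFILE VALIDATION
#   VALIDATION is the value of dnssec-validation: "no" (the page's choice) or "auto".
render_named_options() {
    out="$1"
    validation="$2"
    cat > "$out" <<EOF
options {
    directory "/var/cache/bind";

    forwarders {
        # Your ISP's DNS IPs (placeholder, replace it)
        192.0.2.53;
        # Google's public DNS
        8.8.8.8;
        8.8.4.4;
    };

    dnssec-validation ${validation};

    # Answer only the local network: an open recursive resolver
    # can be abused for amplification attacks against third parties.
    recursion yes;
    allow-query { localhost; localnets; };
    allow-recursion { localhost; localnets; };
    listen-on-v6 { none; };
};
EOF
}

# audit_named_options FILE
#   returns 0 if DNSSEC validation is on (auto/yes), 1 if it is disabled,
#   2 if the option is missing.  Commented-out lines are ignored.
audit_named_options() {
    setting=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    case "$setting" in
        auto|yes) return 0 ;;
        no)       return 1 ;;
        *)        return 2 ;;
    esac
}

# Stand-alone usage: render both variants into a temp dir and audit them.
main() {
    tmp=$(mktemp -d)
    render_named_options "$tmp/weak.conf" no
    render_named_options "$tmp/good.conf" auto
    for f in "$tmp"/*.conf; do
        audit_named_options "$f"; rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$f: DNSSEC validation enabled"
        else
            echo "$f: DNSSEC validation disabled or missing (rc=$rc)"
        fi
    done
    rm -rf "$tmp"
}
main
```

Run "named-checkconf /etc/bind/named.conf.options" after writing the real file; BIND refuses to start on a syntax error, and a stopped resolver takes the whole LAN's name resolution with it. Keep in mind that "dnssec-validation no;" removes the only protection BIND has against forged answers from upstream, and that recent BIND 9 releases have deprecated "dnssec-enable" (it no longer has any effect), so "dnssec-validation" is the line that actually decides.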

Disable IPv6 DNS requests

BIND can still listen on your local IPv6 interface, but if your router is not IPv6 capable you should disable outgoing IPv6 requests. If you do not, you'll see errors like the following in /var/log/syslog:

error (network unreachable) resolving './DNSKEY/IN': 2001:: ...

Edit the configuration file:

vim /etc/default/bind9

Add / update the options:


This means that when the host is IPv4 capable, IPv4 is preferred.
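As an added example (not code from the original page), the script below does two things for this section: it counts the "network unreachable" resolver errors that name an IPv6 address in a syslog file, so you can confirm the symptom before and after the change, and it adds the named "-4" switch (IPv4-only transport) to the OPTIONS line of a /etc/default/bind9 style file. That "-4" is what the missing option line refers to is an assumption of this example; the log lines are constructed and use the 2001:db8:: documentation prefix. On newer Debian releases the defaults file is /etc/default/named instead.

```shell
#!/bin/sh
# Added example (not from the original page).
# count_v6_unreachable FILE : count resolver errors that name an IPv6 upstream.
# set_named_ipv4_only FILE  : add "-4" (IPv4 only) to the OPTIONS line.
# Assumption: "-4" is the named option the page refers to.

count_v6_unreachable() {
    # Matches e.g.  error (network unreachable) resolving './DNSKEY/IN': 2001:db8::53#53
    # An IPv4 upstream (198.51.100.1#53) has no ':' right after "': " and is not counted.
    grep -c "error (network unreachable) resolving '[^']*': [0-9a-fA-F]*:[0-9a-fA-F:]*#53" "$1" || true
}

set_named_ipv4_only() {
    f="$1"
    # already IPv4-only: nothing to do (keeps the function idempotent)
    if grep -q '^OPTIONS=.*-4' "$f"; then
        return 0
    fi
    if grep -q '^OPTIONS=' "$f"; then
        # Debian ships OPTIONS="-u bind"; append -4 inside the existing quotes
        sed 's/^OPTIONS="\(.*\)"/OPTIONS="\1 -4"/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        echo 'OPTIONS="-u bind -4"' >> "$f"
    fi
}

# Constructed syslog excerpt (not a real capture) used for the stand-alone run.
sample_log() {
    cat <<'EOF'
Jan  1 10:00:01 ns1 named[1234]: error (network unreachable) resolving './DNSKEY/IN': 2001:db8::53#53
Jan  1 10:00:01 ns1 named[1234]: error (network unreachable) resolving './NS/IN': 2001:db8:1::2#53
Jan  1 10:00:02 ns1 named[1234]: resolver priming query complete
Jan  1 10:00:05 ns1 named[1234]: error (network unreachable) resolving 'example.com/A/IN': 198.51.100.1#53
EOF
}

main() {
    tmp=$(mktemp -d)
    sample_log > "$tmp/syslog"
    echo "IPv6 unreachable errors: $(count_v6_unreachable "$tmp/syslog")"
    printf 'RESOLVCONF=no\nOPTIONS="-u bind"\n' > "$tmp/bind9"
    set_named_ipv4_only "$tmp/bind9"
    cat "$tmp/bind9"
    rm -rf "$tmp"
}
main
```

On the real server run it against /var/log/syslog and /etc/default/bind9, then restart BIND; the error count in the log should stop growing.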

Register zone and reverse

Create zone(s)

>> See DNS server unique zone

>> If you plan to share some resources with the Internet then have a look at the DNS server split howto

Don't forget to restart BIND when your configuration is complete.

Test zone(s) # server side

Run the following commands to check your configuration.

  • All commands should output OK, and every ping should succeed. :)
  • Adjust both the DNS zone "smartcards.vehco.com" and the ping targets to your OWN situation!

Check the local zone:

## Internal zone "smartcards.vehco.com"
named-checkzone smartcards.vehco.com /etc/bind/smartcards.vehco.com

#### DNS split horizon ####
## External zone for "smartcards.vehco.com"
named-checkzone smartcards.vehco.com /etc/bind/external.smartcards.vehco.com

Check the reverse zone:

named-checkzone 50.16.172.in-addr.arpa. /etc/bind/db.172

Now you can try to ping something / someone in the INTERNAL zone:

ping cisco-router
ping smartcard-prod-00

Now you can try to ping something on the INTERNET:

ping dev.daxiongmao.eu
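The checks above are typed one by one; the script below, an added example that is not part of the original page, wraps them in one run. It derives the in-addr.arpa name for an IPv4 prefix so that the zone name given to named-checkzone matches the reverse zone file (the page's 50.16.172.in-addr.arpa corresponds to 172.16.50.0/24, which is an assumption of this example), then runs named-checkzone over every zone/file pair and reports OK or FAIL per zone. The zone names and file paths are the ones used on the page.

```shell
#!/bin/sh
# Added example (not from the original page).
# reverse_zone_for_prefix PREFIX : in-addr.arpa zone name for a /8, /16 or /24.
# check_zones                    : runs named-checkzone on "zone file" pairs from stdin.

reverse_zone_for_prefix() {
    ip=${1%/*}
    bits=${1#*/}
    oldifs=$IFS
    IFS=.
    set -- $ip          # split the address into its four octets
    IFS=$oldifs
    case "$bits" in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "reverse_zone_for_prefix: only /8, /16 and /24 are supported (got /$bits)" >&2
            return 1 ;;
    esac
}

# Returns the number of failing zones (0 = all OK).  A missing named-checkzone
# returns 127 so that an absent tool is never mistaken for a clean run.
check_zones() {
    command -v named-checkzone >/dev/null 2>&1 || {
        echo "named-checkzone not found (install bind9utils)" >&2
        return 127
    }
    failed=0
    while read -r zone file; do
        [ -z "$zone" ] && continue
        if named-checkzone -q "$zone" "$file"; then
            echo "OK    $zone ($file)"
        else
            echo "FAIL  $zone ($file)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

main() {
    rev=$(reverse_zone_for_prefix 172.16.50.0/24)   # assumed prefix behind db.172
    check_zones <<EOF
smartcards.vehco.com /etc/bind/smartcards.vehco.com
smartcards.vehco.com /etc/bind/external.smartcards.vehco.com
$rev /etc/bind/db.172
EOF
}
main
```

A FAIL line means named-checkzone rejected the file (run it again without -q to see the reason, typically a missing SOA/NS record or an unqualified name). Once every zone reports OK, the ping tests on the page confirm that resolution actually works end to end.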

Set the new DNS server as local default

You can register your DNS server in:

  • DHCP configuration: all clients get their settings from DHCP, including the default DNS server (see DHCP server).
  • Locally: on the server itself (where the DNS service is installed), so that all other services and applications use the new DNS server.

Local changes on DNS server

vim /etc/network/interfaces

Adjust it like this:

# The primary network interface [static IP]
auto eth0
iface eth0 inet static

        # Use the local DNS server as default; the DNS server itself forwards requests to the external DNS servers.
        # It's better to use your own IP address than the loopback address, because some services do not support the loopback.
        dns-search smartcards.local
        dns-domain smartcards.local

Replace "smartcards.local" with your own internal zone.

Don't forget to reboot for the configuration changes to take effect!

DNS server logs

Logs are in /var/log/syslog