8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.

04 | DigitalOcean

An
NEW Introduction to Managing
NEW Introducing DigitalOceanDNS
Managed MongoDB — a fully managed, database as a service for modern apps
How To Configure Bind as a Cac…

TUTORIAL

How To Configure Bind as a Caching or Forwarding DNS

Server on Ubuntu 14.04
Ubuntu Networking DNS

By Justin Ellingwood
Published on July 1, 2014  921.7k

This article uses Ubuntu 14.04

Ubuntu 14.04 
This distro reached end of life (EOL) on Apr 2019.

We recommend upgrading to a more modern version. Read upgrade instructions.

S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 1/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

Introduction
An Introduction to Managing DNS
How To Configure Bind as a Cac…
DNS, or the Domain Name System, is often a difficult component to get right when learning
how to configure websites and servers. While most people will probably choose to use the
DNS servers provided by their hosting company or their domain registrar, there are some
advantages to creating your own DNS servers.

In this guide, we will discuss how to install and configure the Bind9 DNS server as a caching
or forwarding DNS server on Ubuntu 14.04 machines. These two configurations both have
advantages when serving networks of machines.

Prerequisites and Goals

To complete this guide, you will first need to be familiar with some common DNS
terminology. Check out this guide to learn about some of the concepts we will be
implementing in this guide.

We will be demonstrating two separate configurations that accomplish similar goals: a

caching and a forwarding DNS server.

To follow along, you will need to have access to two computers (at least one of which should
be an Ubuntu 14.04 server). One will function as the client and the other will be configured
as the DNS server. The details of our example configuration are:

Role IP Address

DNS Server 192.0.2.1

Client 192.0.2.100

We will show you how to configure the client machine to use the DNS server for queries. We
will show you how to configure the DNS server in two different configurations, depending on
your needs.

Caching DNS Server

The first configuration will be for a caching DNS server. This type of server is also known as
a resolver because it handles recursive queries and generally can handle the grunt work of
tracking down DNS data from other servers. S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 2/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

When
An a cachingtoDNS
Introduction serverDNS
Managing tracks down the answer to a client’s query, it returns the answer
to the
How Toclient. But itBind
Configure alsoasstores
a Cac…the answer in its cache for the period of time allowed by the
records’ TTL value. The cache can then be used as a source for subsequent requests in
order to speed up the total round-trip time.

Almost all DNS servers that you might have in your network configuration will be caching
DNS servers. These make up for the lack of adequate DNS resolver libraries implemented on
most client machines. A caching DNS server is a good choice for many situations. If you do
not wish to rely on your ISPs DNS or other publicly available DNS servers, making your own
caching server is a good choice. If it is in close physical proximity to the client machines, it is
also very likely to improve the DNS query times.

Forwarding DNS Server

The second configuration that we will be demonstrating is a forwarding DNS server. A
forwarding DNS server will look almost identical to a caching server from a client’s
perspective, but the mechanisms and work load are quite different.

A forwarding DNS server offers the same advantage of maintaining a cache to improve DNS
resolution times for clients. However, it actually does none of the recursive querying itself.
Instead, it forwards all requests to an outside resolving server and then caches the results to
use for later queries.

This lets the forwarding server respond from its cache, while not requiring it to do all of the
work of recursive queries. This allows the server to only make single requests (the
forwarded client request) instead of having to go through the entire recursion routine. This
may be an advantage in environments where external bandwidth transfer is costly, where
your caching servers might need to be changed often, or when you wish to forward local
queries to one server and external queries to another server.

Install Bind on the DNS Server

Regardless of which configuration choice you wish to use, the first step in implementing a
Bind DNS server is to install the actual software.

The Bind software is available within Ubuntu’s default repositories, so we just need to
update our local package index and install the software using apt . We will also include the
S C R O L L TO TO P
documentation and some common utilities:

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 3/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

sudo apt-get update
How
sudo To Configure
apt-get Bindbind9
install as a Cac…
bind9utils bind9-doc

Now that the Bind components are installed, we can begin to configure the server. The
forwarding server will use the caching server configuration as a jumping off point, so
regardless of your end goal, configure the server as a Caching server first.

Configure as a Caching DNS Server

First, we will cover how to configure Bind to act as a caching DNS server. This configuration
will force the server to recursively seek answers from other DNS servers when a client
issues a query. This means that it is doing the work of querying each related DNS server in
turn until it finds the entire response.

The Bind configuration files are kept by default in a directory at /etc/bind . Move into that
directory now:

cd /etc/bind

We are not going to be concerned with the majority of the files in this directory. The main
configuration file is called named.conf ( named and bind are two names for the same
application). This file simply sources the named.conf.options file, the named.conf.local file,
and the named.conf.default-zones file.

For a caching DNS server, we will only be modifying the named.conf.options file. Open this
in your text editor with sudo privileges:

sudo nano named.conf.options

With the comments stripped out for readability, the file looks like this:

options {
directory "/var/cache/bind";

dnssec-validation auto;
S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 4/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

auth-nxdomain no; # conform to RFC1035

An Introduction to Managing DNS
listen-on-v6 { any; };
How To Configure Bind as a Cac…
};

To configure caching, the first step is to set up an access control list, or ACL.

As a DNS server that will be used to resolve recursive queries, we do not want the DNS
server to be abused by malicious users. An attack called a DNS amplification attack is
especially troublesome because it can cause your server to participate in distributed denial
of service attacks.

A DNS amplification attack is one way that malicious users try to take down servers or sites
on the internet. To do so, they try to find public DNS servers that will resolve recursive
queries. They spoof the victim’s IP address and send a query that will return a large
response to the DNS server. In doing so, the DNS server responds to a small request with a
large payload directed at the victims server, effectively amplifying the available bandwidth
of the attacker.

Hosting a public, recursive DNS server requires a great deal of special configuration and
administration. To avoid the possibility of your server being used for malicious purposes, we
will configure a list of IP addresses or network ranges that we trust.

Above the options block, we will create a new block called acl . Create a label for the ACL
group that you are configuring. In this guide, we will call the group goodclients .

acl goodclients {
};

options {
. . .

Within this block, list the IP addresses or networks that should be allowed to use this DNS
server. Since both our server and client are operating within the same /24 subnet, we will
restrict the example to this network. We will also add localhost and localnets which will
attempt to do this automatically:

S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 5/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An
aclIntroduction
goodclientsto{ Managing DNS
How 192.0.2.0/24;
To Configure Bind as a Cac…
localhost;
localnets;
};

options {
. . .

Now that we have an ACL of clients that we want to resolve request for, we can configure
those capabilities in the options block. Within this block, add the following lines:

options {
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };
. . .

We explicitly turned recursion on, and then configured the allow-query parameter to use
our ACL specification. We could have used a different parameter, like allow-recursion to
reference our ACL group. If present and recursion is on, allow-recursion will dictate the list
of clients that can use recursive services.

However, if allow-recursion is not set, then Bind falls back on the allow-query-cache list,
then the allow-query list, and finally a default of localnets and localhost only. Since we
are configuring a caching only server (it has no authoritative zones of its own and doesn’t
forward requests), the allow-query list will always apply only to recursion. We are using it
because it is the most general way of specifying the ACL.

When you are finished making these changes, save and close the file.

This is actually all that is required for a caching DNS server. If you decided that this is the
server type you wish to use, feel free to skip ahead to learn how to check your configuration
files, restart the service, and implement client configurations.

Otherwise, continue reading to learn how to set up a forwarding DNS server Sinstead.
C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 6/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

Configure
An astoaManaging
Introduction Forwarding
DNS DNS Server
How To Configure Bind as a Cac…
If a forwarding DNS server is a better fit for your infrastructure, we can easily set that up
instead.

We will start with the configuration that we left off in the caching server configuration. The
named.conf.options file should look like this:

acl goodclients {
192.0.2.0/24;
localhost;
localnets;
};

options {
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };

dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035

listen-on-v6 { any; };
};

We will be using the same ACL list to restrict our DNS server to a specific list of clients.
However, we need to change the configuration so that the server no longer attempts to
perform recursive queries itself.

To do this, we do not change recursion to no. The forwarding server is still providing
recursive services by answering queries for zones it is not authoritative for. Instead, we need
to set up a list of caching servers to forward our requests to.

This will be done within the options {} block. First, we create a block inside called
forwarders that contains the IP addresses of the recursive name servers that we want to
forward requests to. In our guide, we will use Google’s public DNS servers ( 8.8.8.8 and
8.8.4.4 ):
S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 7/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

. . .
How To Configure
options { Bind as a Cac…
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };

forwarders {
8.8.8.8;
8.8.4.4;
};
. . .

Afterward, we should set the forward directive to “only” since this server will forward all
requests and should not attempt to resolve requests on its own.

The configuration file will look like this when you are finished:

acl goodclients {
192.0.2.0/24;
localhost;
localnets;
};

options {
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };

forwarders {
8.8.8.8;
8.8.4.4;
};
forward only;

dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035

listen-on-v6 { any; };
S C R O L L TO TO P
};

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 8/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

One To
How final change Bind
Configure we should make is to the dnssec parameters. With the current
as a Cac…
configuration, depending on the configuration of forwarded DNS servers, you may see some
errors that look like this in the logs:

Jun 25 15:03:29 cache named[2512]: error (chase DS servers) resolving 'in-addr.arpa/DS/IN': 8.

Jun 25 15:03:29 cache named[2512]: error (no valid DS) resolving '111.111.111.111.in-addr.arpa

To avoid this, change the dnssec-validation setting to “yes” and explicitly enable dnssec:

. . .
forward only;

dnssec-enable yes;
dnssec-validation yes ;

auth-nxdomain no; # conform to RFC1035

. . .

Save and close the file when you are finished. You should now have a forwarding DNS server
in place. Continue to the next section to validate your configuration files and restart the
daemon.

Test your Configuration and Restart Bind

Now that you have your Bind server configured as either a caching DNS server or a
forwarding DNS server, we are ready to implement our changes.

Before we take the plunge and restart the Bind server on our system, we should use Bind’s
included tools to check the syntax of our configuration files.

We can do this easily by typing:

sudo named-checkconf

If there are no syntax errors in your configuration, the shell prompt will returnS Cimmediately
R O L L TO TO P
without displaying any output.
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 9/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

If you
An have syntax
Introduction errors in your
to Managing DNS configuration files, you will be alerted to the error and line
number
How where it occurs.
To Configure If Cac…
Bind as a this happens, go back and check your files for errors.

When you have verified that your configuration files do not have any syntax errors, restart
the Bind daemon to implement your changes:

sudo service bind9 restart

Afterwards, keep an eye on the server logs while you set up your client machine to make
sure that everything goes smoothly. Leave this running on the server:

sudo tail -f /var/log/syslog

Now, open a new terminal window to configure your client machines.

Configure the Client Machine

Now that you have your server up and running, you can configure your client machine to use
this DNS server for queries.

Log into your client machine. Make sure that the client you are using was specified in the
ACL group you set for your DNS server. Otherwise the DNS server will refuse to serve
requests for the client.

We need to edit the /etc/resolv.conf file to point our server to the name server. Changes
made here will only last until reboot, which is great for testing. If we are satisfied with the
results of our tests, we can make these changes permanent.

Open the file with sudo privileges in your text editor:

sudo nano /etc/resolv.conf

The file will list the DNS servers to use to resolve queries by setting the nameserver
directives. Comment out all of the current entries and add a nameserver line that points to
your DNS server:
S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 10/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

nameserver 192.0.2.1
How To Configure Bind as a Cac…
# nameserver 8.8.4.4
# nameserver 8.8.8.8
# nameserver 209.244.0.3

Save and close the file.

Now, you can test to make sure queries can resolve correctly by using some common tools.

You can use ping to test that connections can be made to domains:

ping -c 1 google.com

PING google.com (173.194.33.1) 56(84) bytes of data.

64 bytes from sea09s01-in-f1.1e100.net (173.194.33.1): icmp_seq=1 ttl=55 time=63.8 ms

--- google.com ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 63.807/63.807/63.807/0.000 ms

This means that our client can connect with google.com using our DNS server.

We can get more detailed information by using DNS specific tools like dig . Try a different
domain this time:

dig linuxfoundation.org

; <<>> DiG 9.9.5-3-Ubuntu <<>> linuxfoundation.org

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35417
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
S C R O L L TO TO P
;linuxfoundation.org. IN A

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 11/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

;; ANSWER SECTION:
How To Configure Bind as a Cac…
linuxfoundation.org. 6017 IN A 140.211.169.4

;; Query time: 36 msec

;; SERVER: 192.0.2.1#53(192.0.2.1)
;; WHEN: Wed Jun 25 15:45:57 EDT 2014
;; MSG SIZE rcvd: 64

You can see that the query took 36 milliseconds. If we make the request again, the server
should pull the data from its cache, decreasing the response time:

dig linuxfoundation.org

; <<>> DiG 9.9.5-3-Ubuntu <<>> linuxfoundation.org

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;linuxfoundation.org. IN A

;; ANSWER SECTION:
linuxfoundation.org. 6012 IN A 140.211.169.4

;; Query time: 1 msec

;; SERVER: 192.0.2.1#53(192.0.2.1)
;; WHEN: Wed Jun 25 15:46:02 EDT 2014
;; MSG SIZE rcvd: 64

As you can see, the cached response is significantly faster.

We can also test the reverse lookup by using the IP address that we found ( 140.211.169.4
in our case) with dig’s -x option:

S C R O L L TO TO P
dig -x 140.211.169.4

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 12/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

How To DiG
; <<>> Configure Bind as a Cac…
9.9.5-3-Ubuntu <<>> -x 140.211.169.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61516
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.169.211.140.in-addr.arpa. IN PTR

;; ANSWER SECTION:
4.169.211.140.in-addr.arpa. 3402 IN CNAME 4.0-63.169.211.140.in-addr.arpa.
4.0-63.169.211.140.in-addr.arpa. 998 IN PTR load1a.linux-foundation.org.

;; Query time: 31 msec

;; SERVER: 192.0.2.1#53(192.0.2.1)
;; WHEN: Wed Jun 25 15:51:23 EDT 2014
;; MSG SIZE rcvd: 117

As you can see, the reverse lookup also succeeds.

Back on your DNS server, you should see if any errors have been recorded during your tests.
One common error that may show up looks like this:

. . .
Jun 25 13:16:22 cache named[2004]: error (network unreachable) resolving 'ns4.apnic.net/A/IN':
Jun 25 13:16:22 cache named[2004]: error (network unreachable) resolving 'ns4.apnic.com/A/IN':
Jun 25 13:16:23 cache named[2004]: error (network unreachable) resolving 'sns-pb.isc.org/AAAA/
Jun 25 13:16:23 cache named[2004]: error (network unreachable) resolving 'ns3.nic.fr/A/IN': 2a

These indicate that the server is trying to resolve IPv6 information but that the server is not
configured for IPv6. You can fix this issue by telling Bind to only use IPv4.

To do this, open the /etc/default/bind9 file with sudo privileges:

sudo nano /etc/default/bind9

S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 13/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

Inside,
An modify the
Introduction OPTIONS parameter
to Managing DNS to include the -4 flag to force IPv4 only behavior:
How To Configure Bind as a Cac…

OPTIONS="-u bind -4 "

Save and close the file.

Restart the server:

sudo service bind9 restart

You should not see these errors in the logs again.

Making Client DNS Settings Permanent

As mentioned before, the /etc/resolv.conf settings that point the client machine to our
DNS server will not survive a reboot. To make the changes last, we need to modify the files
that are used to generate this file.

If the client machine is running Debian or Ubuntu, open the /etc/network/interfaces file
with sudo privileges:

sudo nano /etc/network/interfaces

Look for the dns-nameservers parameter. You can remove the existing entries and replace
them with your DNS server or just add your DNS server as one of the options:

. . .
iface eth0 inet static
address 111.111.111.111
netmask 255.255.255.0
gateway 111.111.0.1
dns-nameservers 192.0.2.1
. . .

Save and close the file when you are finished. Next time you boot up, your settings will be
S C R O L L TO TO P
applied.

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 14/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

If the
An client is running
Introduction CentOS
to Managing or Fedora, you need to open the
DNS
/etc/sysconfig/network/network-scripts/ifcfg-eth0
How To Configure Bind as a Cac… file instead:

sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0

Inside, look for the lines that begin with DNS . Change DNS1 to your DNS server. If you don’t
want to use the other DNS servers as a fallback, remove the other entries:

DNS1= 192.0.2.1

Save and close the file when you are finished. Your client should use those settings at next
boot.

Conclusion
You should now have either a caching or forwarding DNS server configured to serve your
clients. This can be a great way to speed up DNS queries for the machines you are
managing.

If you want to create a DNS server that is authoritative for your own domain zones, you can
configure an authoritative-only DNS server or combine these solutions.

Next in series: How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04


About the authors

jellingwood Justin Ellingwood

Senior Technical Writer
@DigitalOcean

Tutorial Series
S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 15/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

AnIntroduction
An Introduction to Managing
to Managing DNS DNS
DNS,
How Toor the domain
Configure name
Bind as system, is an essential component of modern internet
a Cac…
communication. It allows us to reference computers by names instead of IP
addresses. In this series, we will cover the basic ideas behind DNS so that you
feel comfortable working with it. Afterwards, we will walk through various ways
that you can gain greater control over your domains and DNS resolution.

Next in series: How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04


Still looking for an answer?

 Ask a question  Search for more help

REL ATED

Join the DigitalOcean Community

Join 1M+ other developers and:

Get help and share knowledge in Q&A
Subscribe to topics of interest
Get courses & tools that help you grow as a developer or small business owner

Join Now

How To Use Foreign Keys in SQL

Tutorial S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 16/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An
HowIntroduction
To Speed UptoStatic
Managing DNS with Varnish Cache Server on Ubuntu 20.04
Web Pages
How To Configure Bind as a Cac…
Tutorial

Comments

13 Comments
trycatch9264 July 18, 2014

0 Amazing! I can’t believe I got my own DNS server. Thank you!

The only problem is all queries are denied, the /var/log/syslog logs are like below:

MyServer named[24685]: client MyClientIP#7288 (client79.dropbox.com): query (cache) 'c

MyServer named[24685]: client MyClientIP#39385 (safebrowsing.google.com): query (cache

Here is my config:

acl goodclients{
MyClientIP;
localhost;
localnets;
};

options {
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };

forwarders {
8.8.8.8;
8.8.4.4;
};

forward only;

dnssec-enable yes;
dnssec-validation yes; S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 17/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

auth-nxdomain no; # conform to RFC1035

An Introduction to Managing DNS
listen-on-v6 { any; };
How To Configure Bind as a Cac…
};

Reply Report

aghansen December 1, 2014

0 Hi Justin thanks for this article, I have my DNS up and running on my Ubuntu machine. I do have
one small problem I can’t seem to figure out. I am running my web server on the same computer
as the DNS server, when I type in the domain name of my webpage from within the LAN it takes
me to the router login page which is the gateway, it works fine from outside the LAN as the
domain is registered with no-ip.com and the router forwards the request to the correct
computer, the problem is only when within the LAN. if I put in 127.0.0.1, localhost or 192.168.1.20
I get the website if I put in the actual domain name I get this page can’t be found or the router
login page, I must have something not setup correctly within the local settings of my new DNS,
I hope you can help me sort this out.
Reply Report

ryanpq  December 1, 2014

0
It sounds like you are running these services on a home server rather than a droplet. From
what you have described I would guess that your router is configured to port forward
requests from the outside world to your server but is not forwarding requests that come
from inside your network the same way. The quickest solution to this (depending on the
size of your network) may simply be to add a hosts file entry on the computers inside your
network that will need to access your service directing the domain to the LAN IP
(192.168.1.20). On Linux/OSX this would be /etc/hosts and on Windows it is
C:\Windows\system32\drivers\etc\hosts
Reply Report

aghansen December 2, 2014

0
Thanks for your info I have done that and all is working fine on my desktops. Is there a way
to fix my problem on my mobile items eg. phones, tablets, this is one of the reasons I
wanted the DNS setup so everything on the inside network would work the same as when
it was outside the network. I have pointed my routers DNS # 1 to my DNS server and DNS #
2 & 3 as isp
Reply Report

swp October 15, 2015

S C R O L L TO TO P
0

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 18/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

You can!
An Introduction In fact, that’s
to Managing DNS exactly the reason why I set up my own DNS server just now,
and it works
How To Configure great.
Bind as This tutorial on caching/forwarding is actually a great starting point,
a Cac…
so you can keep the configurations you made following this tutorial.

Next step is to set the “zone” records (or DNS records) for your specific domain. In this
example, I’ll assume the following:

LAN: 192.168.1.0/24

IP address of DNS server: 192.168.1.10

FQDN of DNS server: ns.local.net (you can set this in /etc/hosts)

IP address of web server: 192.168.1.20 (in your case, this is the same as the
DNS server)

Web site address: www.example.com (in your case it’s a no-ip.com domain)

E-mail address of the zone’s administrator: [email protected]

1. Tell your DNS server that it’s authoritative for example.com. Edit
/etc/bind/named.conf.local:

// forward
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};

// reverse
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};

1. Now you need to create the forward and reverse zone files.

Forward zone file: /etc/bind/db.example.com

$TTL 3600
@ IN SOA ns.local.net. root.local.net. (
2015101504 ; Serial S C R O L L TO TO P
3600 ; Refresh [1h]

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 19/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

600 ; Retry [10m]

An Introduction to Managing DNS
86400 ; Expire [1d]
How To Configure Bind as a Cac…
600 ) ; Negative Cache TTL [1h]
;
@ IN NS ns.local.net.
ns IN A 192.168.1.10
www IN A 192.168.1.20

And reverse zone file: /etc/bind/db.192

$TTL 604800
@ IN SOA ns.local.net. root.local.net. (
2015101504 ; Serial
3600 ; Refresh [1h]
600 ; Retry [10m]
86400 ; Expire [1d]
600 ) ; Negative Cache TTL [1h]
;
@ IN NS ns.local.net.
10 IN PTR ns.local.net.
20 IN PTR www.example.com.

That’s it! Now, whenever someone uses your DNS server within your LAN,
www.example.com will forward them to 192.168.1.20 instead of your router. Use the
following commands to test your config:

# This will use forwarders as explained in tutorial.

$ nslookup www.google.com 192.168.1.10
Address: 64.233.184.147

# This should return the IP of your web server.

$ nslookup www.example.com 192.168.1.10
Address: 192.168.1.20 # Success!

To fully understand what all these configurations do exactly, you’ll have to do your own
research.
Reply Report

bchan February 13, 2015 S C R O L L TO TO P

[deleted]
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 20/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

Reply Report
An Introduction to Managing DNS
How To
0 Configure Bind as a Cac…

bchan February 13, 2015

0 Justin nice article. But I have one problem with the localhost address vs. a specified ip address
for my BIND DNS server. I noticed in your DIG example it’s pointing to a specific ip address. Ex:
SERVER: 192.0.2.1#53(192.0.2.1). This would be what you would expect for the setup.

How do I setup my server to point to my specified IP 172.16.y.z, instead of 127.0.0.1?

I had already tried editing /etc/network/interfaces and /etc/bind/named.conf.options. I have
Ubuntu Server LTS 14.04.1 and current installed updates. I’m running BIN9.9.5.
Reply Report

bchan February 13, 2015

0
Justin disregard previous posting. I got my BIND DNS server working!
For the dns-nameservers field, I had entered 172.x.y.z 127.0.0.1.
This is in /etc/bind/network/interfaces for those of you who may run into
the same problem when running nslookup, dig, and getting 127.0.0.1.

I was going to remove dnsmasq prior to the fix. I’m glad I did not have to resort
to this option.
Reply Report

dalanmiller February 26, 2015

0 Given that I’m setting up a DNS server on my droplet, are there any good ways to verify that
only say, my devices are able to use it as a DNS server versus just anyone on the internet?
Using an IP whitelist in this case isn’t effective given I can connect to many wifis via my laptop
and my phone IP isn’t guaranteed.

Has anyone solved this problem?

Reply Report

jseyfferdt November 7, 2015

0 Thank you so much for the great article, I want to build a DNS server for about a 100-150
devices. What would you recommend should the system requirements be for the server? I am
planning to build a DNS forwarding server as described in the article. Thank you!
Reply Report

sadbunny December 31, 2015

0 Justin, S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 21/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

It was probably
An Introduction done with DNS
to Managing permission, but did you know that someone by the name of John
HowCapital submitted
To Configure anas
Bind exact duplicate of your work to ubtutorials.com, here:-
a Cac…

http://ubtutorials.com/tutorial/440/how-configure-bind-caching-or-forwarding-dns-server-
ubuntu-1404

some 16 days after you uploaded this article? I checked the copy for attribution but found none,
so i thought I’d mention it here. Please accept my apology for troubling you if this is old news
and something you were aware of…

C
Reply Report

mickc April 22, 2016

0 Ubuntu 15.10 with LAMP

I just, successfully, installed OpenVPN on a fresh droplet. I like the idea of having a DNS cache
from both privacy and speed points of view, so I followed this tutorial in an attempt to get this.
What I know about DNS is somewhere between nada and nada+0.5. Now my DNS is all f&*ked
up. DNSLeaktest shows my apt’s ip instead of the VPN’s. Everything else takes an age to
resolve.
IP’s between my clients and my droplet (which has openVPN and the DNS server) are a mystery
to me and so probably the problem.

Not sure what log info to include, here’s some if more helps please ask…

Thanks.

<syslog>
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> (eth1): DHCPv4 state changed
unknown -> timeout
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> (eth1): canceled DHCP transaction,
DHCP client pid 3986
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> (eth1): DHCPv4 state changed
timeout -> done
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> (eth1): device state change: ip-
config -> failed (reason ‘ip-config-unavailable’) [70 120 5]
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> Connection 'Wired connection 1’
failed to autoconnect; 1 tries left
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> Disabling autoconnect for
connection 'Wired connection 1’. S C R O L L TO TO P
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> Disabling autoconnect for
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 22/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

connection 'Wired
An Introduction connection
to Managing DNS1’; setting retry of 300.
HowApr
To22 04:35:31Bind
Configure Fionnuisce NetworkManager[745]: <warn> (eth1): Activation: failed for
as a Cac…
connection 'Wired connection 1’
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> (eth1): device state change: failed ->
disconnected (reason 'none’) [120 30 0]
Apr 22 04:35:31 Fionnuisce NetworkManager[745]: <info> Device 'eth1’ has no connection;
scheduling activate_check in 0 seconds.
</syslog>

<etc/network/interfaces>

This file describes the network interfaces

available on your
system and how to activate them. For more
information, see
interfaces(5).
The loopback network interface
auto lo
iface lo inet loopback

The primary network interface

auto eth0
iface eth0 inet6 static
address 2604:A880:0000:1010:0000:0000:05E9:A001
netmask 64
gateway 2604:A880:0000:1010:0000:0000:0000:0001
autoconf 0
dns-nameservers 8.8.8.8

2001:4860:4860::8844
2001:4860:4860::8888 8.8.8.8
iface eth0 inet static
S C R O L L TO TO P
address xxx.xxx.x.xxx # droplet ip

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 23/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

netmask 255.255.255.0
An Introduction to Managing DNS
Howgateway xxx.xxx.x.xxx
To Configure Bind as#a droplet
Cac… ip
dns-nameservers 8.8.8.8
up ip addr add 10.13.0.5/16 dev eth0
<//etc/network/interfaces>

<DNS section of ’/etc/openvpn/server.conf’>

push “dhcp-option DNS localhost”
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
</DNS section of ’/etc/openvpn/server.conf’>
Reply Report

nikhilkv246 October 20, 2017

0 Thank you so much for this wonderful tutorial. I am implementing DNS Sandbox as a part of
Masters Project. I’m replicating the entire Domain Name Servers by implementing my own set of
domains (ex: ex1.example.test.nik) in cloudlab using linux VMs. In this implementation, I have
implemented my own root(.) server, TLD(nik) server, Secondary Level Domain(test) server and
Ternary Level Domain(example). I am also implementing recursive resolver(which is explained
here as Caching DNS Server) and stub resolver.

Right now, I am stuck up with the implementation of the Recursive resolver. Any help would be
highly appreciated. Could you please let me know how to configure Recursive Resolver(RR) - I
mean how will it contact the root server? Where should I mention the information(IP) of root
server in RR’s configuration file?

Any sort of help or guidance is highly appreciated. Please let me know if you need more details
of my implementation.
Reply Report

mashkoorqadir October 23, 2017

0 Hi guys,

I am facing a strange behavior by Bind9. I am working in mixed environment (windows and linux
cleint and server machines). I have recently configured a Bind9 as a private/internal DNS server.
It’s working fine with windows clients but unable to ping the linux machines. However, nslookup
does resolve the linux hosts. Following is the configuration files.

$ sudo cat /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named. S C R O L L TO TO P
//
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 24/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

// Please readto/usr/share/doc/bind9/README.Debian.gz
An Introduction Managing DNS for information on the
How//To
structure of BIND
Configure as a Cac… files in Debian, BEFORE you customize
Bindconfiguration
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include “/etc/bind/named.conf.options”;
include “/etc/bind/named.conf.local”;
include “/etc/bind/named.conf.default-zones”;

$ sudo cat /etc/bind/named.options

options {
directory “/var/cache/bind”;

// If there is a firewall between you and nameservers you want

// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable

// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 0.0.0.0;
// };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
allow-query { localhost; 10.0.0.0/24; };
allow-transfer { localhost; 10.0.0.0/24; };
allow-recursion { localhost; 10.0.0.0/24; };
dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035

listen-on-v6 { none; };

}; S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 25/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

$ sudo cat /etc/bind/named.conf.local

An Introduction to Managing DNS
How To Configure Bind as a Cac…
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include “/etc/bind/zones.rfc1918”;
zone “test.local” {
type master;
file “/etc/bind/db.test.local”;
};

zone “0.0.10.in-addr.arpa” {
type master;
file “/etc/bind/db.10”;
};

Zone files details.

//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include “/etc/bind/named.conf.options”;
include “/etc/bind/named.conf.local”;
include “/etc/bind/named.conf.default-zones”;

$ sudo cat /etc/bind/db.test.local

; BIND reverse data file for empty rfc1918 zone

;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400

@ IN SOA ns1.test.local. root.test.local. (

1 ; Serial
604800 ; Refresh
86400 ; Retry S C R O L L TO TO P

2419200 ; Expire
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 26/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

86400 ) ; Negative
An Introduction Cache TTL
to Managing DNS
How; To Configure Bind as a Cac…
IN NS ns1.test.local
IN A 10.0.0.88
;A Records
ns1 IN A 10.0.0.88

;Linux host A record.

host1 IN A 10.0.0.80

;Windows host A record.

host2 IN A 10.0.0.81

$ sudo cat /etc/bind/db.10

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400

@ IN SOA ns1.test.local. root.test.local. (

1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
IN NS ns1.test.local.
IN A 255.255.255.0
88 IN PTR test.local
80 IN PTR host1.
81 IN PTR host2.

Windows clients are communicating 100% perfect nslookup and ping both are fine but when I
use to ping a linux client machine the message I get is

“C:\Users\userq>ping host1
Ping request could not find host host1. Please check the name and try again.”
S C R O L L TO TO P
However nslookup resolve the name.

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 27/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

How to diagnose
An Introduction it.
to Managing DNS
HowThanks in advance.
To Configure Bind as a Cac…
Reply Report

This work is licensed under a Creative

Commons Attribution-NonCommercial-
ShareAlike 4.0 International License.

GET OUR BIWEEKLY NEWSLETTER

Sign up for Infrastructure as a

Newsletter.

HOLLIE'S HUB FOR GOOD

Working on improving health and

S C R O L L TO TO P
education, reducing inequality,
and spurring economic growth?
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 28/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean
and spurring economic growth?
An Introduction to Managing DNS
How To Configure Bind as a Cac… We'd like to help.

BECOME A CONTRIBUTOR

You get paid; we donate to tech

nonprofits.

Featured on Community Kubernetes Course Learn Python 3 Machine Learning in Python

Getting started with Go Intro to Kubernetes

DigitalOcean Products Virtual Machines Managed Databases Managed Kubernetes Block Storage
Object Storage Marketplace VPC Load Balancers

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the

cloud and scale up as you grow – whether you’re
running one virtual machine or ten thousand.

Learn More

S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 29/30
8/19/2021 How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04 | DigitalOcean

An Introduction to Managing DNS

How To Configure Bind as a Cac…

Company

About
Leadership
© 2021 DigitalOcean, LLC. All rights reserved.
Blog
Careers
Partners
Referral Program
Press
Legal
Security & Trust Center

Products Community Contact

Pricing Tutorials Get Support

Products Overview Q&A Trouble Signing In?
Droplets Tools and Integrations Sales
Kubernetes Tags Report Abuse
Managed Databases Product Ideas System Status
Spaces Write for DigitalOcean
Marketplace Presentation Grants
Load Balancers Hatch Startup Program
Block Storage Shop Swag
API Documentation Research Program
Documentation Open Source
Release Notes Code of Conduct

S C R O L L TO TO P

https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 30/30