BIND9 Configuration

BIND9 named.conf configuration, zone file records, rndc management, and access control.

Global Options

Base options block — directory and recursion control
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.50.0.0/16; };
};

directory sets the base path for zone files. allow-recursion restricts recursive resolution to internal networks only — never allow recursion from the internet.

Forwarding configuration — AD DNS first, public fallback
options {
    forwarders { 10.50.1.50; 8.8.8.8; };
    forward first;
};

forward first tries the forwarders before doing iterative resolution. AD DNS handles inside.domusdigitalis.dev zones; public DNS handles everything else.

Listen directive — bind to specific interfaces
options {
    listen-on port 53 { 127.0.0.1; 10.50.1.90; };
};

Prevents BIND from listening on unintended interfaces. Always explicit — never rely on the default of listening everywhere.

Zone Declarations

Master zone — authoritative for this domain
zone "inside.domusdigitalis.dev" IN {
    type master;
    file "inside.domusdigitalis.dev.zone";
};

The zone file contains the actual records. Path is relative to the directory option.

Slave zone — replicates from master via AXFR
zone "inside.domusdigitalis.dev" IN {
    type slave;
    masters { 10.50.1.90; };
    file "slaves/inside.domusdigitalis.dev.zone";
};

Slave pulls zone data automatically based on SOA refresh timers. The slaves/ subdirectory must exist and be writable by named.

Reverse zone — PTR records for IP-to-hostname resolution
zone "1.50.10.in-addr.arpa" IN {
    type master;
    file "10.50.1.rev";
};

Reverse zones follow the in-addr.arpa convention with octets reversed. Critical for RADIUS authentication and SSH host verification.

Zone File Records

Default TTL — applies to records without explicit TTL
$TTL 3600

One hour is reasonable for internal DNS. Lower for records that change frequently (e.g., during migrations).

SOA record — zone authority and replication timers
@ IN SOA ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
    2026041001  ; Serial (YYYYMMDDNN)
    3600        ; Refresh (1h)
    900         ; Retry (15m)
    604800      ; Expire (7d)
    86400       ; Negative TTL (1d)
)

Serial must increment on every zone edit or slaves will not pull updates. The YYYYMMDDNN format allows 100 changes per day.
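Serial bumping as an added example (my helper, not part of the original page): a POSIX sh function that derives the next YYYYMMDDNN serial from the current one and a second that rewrites it in the zone file, covering the day rollover, the NN=99 case and a serial that is already ahead of today. The zone fragment at the bottom is constructed for the demo; today's date is passed in as YYYYMMDD so the rules are testable.

```shell
# Bump a zone's SOA serial in the YYYYMMDDNN scheme used on this page. The
# date is passed in explicitly so the rules can be tested without a clock.
# Rules: same day -> NN+1; later day -> YYYYMMDD01; NN already 99, or the
# current serial already ahead of today -> current+1 (still an increment,
# just no longer date-shaped). Serials are 32-bit, so refuse to exceed that.
next_serial() {   # current_serial today_as_YYYYMMDD
    cur=$1; today=$2
    case "$cur" in ''|*[!0-9]*) echo "invalid serial: $cur" >&2; return 1 ;; esac
    datepart=$(( cur / 100 )); nn=$(( cur % 100 ))
    if [ "$datepart" -lt "$today" ]; then
        new="${today}01"
    elif [ "$datepart" -eq "$today" ] && [ "$nn" -lt 99 ]; then
        new=$(printf '%s%02d' "$today" $(( nn + 1 )))
    else
        new=$(( cur + 1 ))
    fi
    [ "$new" -le 4294967295 ] || { echo "serial would overflow 32 bits" >&2; return 1; }
    echo "$new"
}

# Rewrite the serial on the line carrying the "; Serial" comment (the SOA
# layout on this page), via a temp file so a failed write leaves the zone
# untouched. Prints the new serial.
bump_zone_file() {   # zone_file [today_as_YYYYMMDD]
    file=$1; today=${2:-$(date +%Y%m%d)}
    cur=$(awk '/;[[:space:]]*Serial/ { print $1; exit }' "$file")
    new=$(next_serial "$cur" "$today") || return 1
    awk -v old="$cur" -v new="$new" '
        !done && /;[[:space:]]*Serial/ { sub(old, new); done = 1 }
        { print }' "$file" > "$file.new" && mv "$file.new" "$file" || return 1
    echo "$new"
}

# Constructed zone fragment for the demo (the SOA layout from this page).
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 3600
@ IN SOA ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
    2026041001  ; Serial (YYYYMMDDNN)
    3600        ; Refresh (1h)
    900         ; Retry (15m)
    604800      ; Expire (7d)
    86400       ; Negative TTL (1d)
)
EOF
bump_zone_file "$ZONE" 20260410   # prints 2026041002
```

Run it against the real zone file (with today's date supplied by default) before rndc reload, so slaves see a strictly increasing serial every time.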

NS record — nameserver delegation
@ IN NS ns1.inside.domusdigitalis.dev.

Trailing dot is mandatory — it marks an absolute (fully qualified) domain name. Without the dot, BIND appends the zone origin.

A record — hostname to IPv4 mapping
ns1     IN A  10.50.1.90
ise-01  IN A  10.50.1.20

The fundamental DNS record. One record per hostname-IP pair.

CNAME record — alias to canonical name
www IN CNAME webserver.inside.domusdigitalis.dev.

Points to the canonical name. Cannot coexist with other record types at the same name (no CNAME + MX at the same node).

MX record — mail routing
@ IN MX 10 mail.inside.domusdigitalis.dev.

Lower preference value means higher priority. Multiple MX records with different priorities provide failover.

TXT record — SPF, DKIM, DMARC, verification
@ IN TXT "v=spf1 mx -all"

Used for email authentication (SPF, DKIM, DMARC) and domain ownership verification.

SRV record — service location for AD and Kerberos
_kerberos._tcp IN SRV 0 100 88 dc01.inside.domusdigitalis.dev.

Format: priority weight port target. AD clients use SRV records to discover domain controllers, KDCs, and LDAP servers.

PTR record — reverse lookup
20.1.50.10.in-addr.arpa. IN PTR ise-01.inside.domusdigitalis.dev.

ISE and RADIUS require matching forward and reverse records. Mismatched PTR records cause authentication failures.
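A forward/reverse consistency check, added here as an example and not from the page: it reads the A records of a forward zone file and the PTR records of the matching in-addr.arpa file offline and reports each address whose PTR is missing or points to a different name. The zone files at the end are constructed samples; the function names and the assumption of one owner name per line are mine.

```shell
# check_ptr: compare the A records of a forward zone file with the PTR
# records of its in-addr.arpa file, offline. Assumes one owner name per
# line (as on this page); a trailing dot is absolute, '@' is the origin.
# Print "ip fqdn" for every A record. $1 = zone file, $2 = zone origin.
forward_a_records() {
    awk -v origin="$2." '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ || /^\$/ { next }   # comments, blanks, $TTL
        { for (i = 2; i < NF; i++) if ($i == "A") {
              name = $1; ip = $(i + 1)
              if (name == "@") name = origin
              else if (name !~ /\.$/) name = name "." origin
              print ip, name } }' "$1"
}
# Print "ip target" for every PTR record, rebuilding the dotted IPv4 from
# the reversed owner name. $1 = reverse zone file, $2 = reverse origin.
ptr_records() {
    awk -v origin="$2." '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ || /^\$/ { next }
        { for (i = 2; i < NF; i++) if ($i == "PTR") {
              name = $1; target = $(i + 1)
              if (name !~ /\.$/) name = name "." origin
              split(name, l, ".")                 # l[1..4] = reversed octets
              print l[4] "." l[3] "." l[2] "." l[1], target } }' "$1"
}
# Report every A record whose PTR is missing or names a different host.
check_ptr() {   # forward_file forward_origin reverse_file reverse_origin
    rev=$(ptr_records "$3" "$4")
    forward_a_records "$1" "$2" | while read -r ip fqdn; do
        target=$(printf '%s\n' "$rev" | awk -v ip="$ip" '$1 == ip { print $2; exit }')
        if [ -z "$target" ]; then
            echo "MISSING  $ip ($fqdn) has no PTR"
        elif [ "$target" != "$fqdn" ]; then
            echo "MISMATCH $ip A=$fqdn PTR=$target"
        fi
    done
}
# Constructed sample zones for the demo (not the page's live zone data).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/fwd.zone" <<'EOF'
$TTL 3600
ns1     IN A  10.50.1.90
ise-01  IN A  10.50.1.20
dc01    IN A  10.50.1.10
EOF
cat > "$SAMPLE/rev.zone" <<'EOF'
90                       IN PTR ns1.inside.domusdigitalis.dev.
20.1.50.10.in-addr.arpa. IN PTR ise-1.inside.domusdigitalis.dev.
EOF
check_ptr "$SAMPLE/fwd.zone" inside.domusdigitalis.dev "$SAMPLE/rev.zone" 1.50.10.in-addr.arpa
```

On the sample data this flags ise-01 as a MISMATCH (typo in the PTR) and dc01 as MISSING, exactly the two conditions that break RADIUS and ISE lookups.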

rndc Commands

Reload all zones — re-read zone files without restart
sudo rndc reload

No downtime. Named re-reads all zone files and applies changes.

Reload a single zone — surgical update
sudo rndc reload inside.domusdigitalis.dev

Faster than full reload when only one zone changed.

Server status — version, uptime, zone count
sudo rndc status

Flush cache — clear all cached records
sudo rndc flush

Forces fresh resolution on the next query. Use after fixing upstream records.

Force zone transfer — slave pulls immediately
sudo rndc retransfer inside.domusdigitalis.dev

Don’t wait for the refresh timer. Useful after updating the master zone serial.

Validation

Check named.conf syntax — before every reload
sudo named-checkconf /etc/named.conf

Catches syntax errors before they take down DNS. Run this before every rndc reload.

Validate zone file — record syntax and consistency
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone

Checks SOA serial, NS records, and individual record syntax.
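A pre-reload wrapper combining the two checks above with rndc reload, added as an example (my script, not the page's own): it parses the master zones out of named.conf, including zones inside views (split-horizon setups require every zone to live in a view), runs named-checkzone on each, and only then reloads. The named.conf at the bottom is a constructed sample; /etc/named.conf and /var/named are the paths assumed from this page, and the helper names are mine.

```shell
# Pre-reload validation: check named.conf, then every master zone file it
# declares, and only then run rndc reload. Paths default to this page's.
# Print the value of the 'directory' option (first one found).
zone_directory() {
    awk '/^[[:space:]]*directory[[:space:]]+"/ { gsub(/["; ]/, "", $2); print $2; exit }' "$1"
}
# Print "zone file" for every master (or primary) zone, including zones
# nested inside views. Assumes the one-statement-per-line layout of this page.
list_master_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ { z = $2; gsub(/"/, "", z); t = ""; f = "" }
        /^[[:space:]]*type[[:space:]]+(master|primary);/ { t = "master" }
        /^[[:space:]]*file[[:space:]]+"/ { f = $2; gsub(/["; ]/, "", f) }
        /^[[:space:]]*};/ { if (z != "" && t == "master" && f != "") print z, f; z = "" }
    ' "$1"
}
# Validate config and zones; reload only if every check passes (run as root).
safe_reload() {   # [named.conf path]
    conf="${1:-/etc/named.conf}"
    named-checkconf "$conf" || { echo "named.conf failed syntax check; not reloading" >&2; return 1; }
    dir=$(zone_directory "$conf")
    list_master_zones "$conf" | while read -r zone file; do
        case "$file" in /*) path="$file" ;; *) path="${dir:-/var/named}/$file" ;; esac
        named-checkzone -q "$zone" "$path" || { echo "zone $zone failed check: $path" >&2; exit 1; }
    done || return 1
    rndc reload
}
# Constructed sample named.conf (not a real server's file) to show the parsing.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/named";
};
view "internal" {
    match-clients { 10.50.0.0/16; };
    zone "inside.domusdigitalis.dev" IN {
        type master;
        file "inside.domusdigitalis.dev.zone";
    };
    zone "corp.example" IN {
        type slave;
        masters { 10.50.1.90; };
        file "slaves/corp.example.zone";
    };
};
EOF
list_master_zones "$SAMPLE_CONF"   # inside.domusdigitalis.dev inside.domusdigitalis.dev.zone
```

Slave zones are skipped on purpose: their files are written by named from AXFR, so the master is the place to validate them.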

Access Control

Zone transfer ACL — restrict AXFR to authorized slaves
allow-transfer { 10.50.1.91; };

Place inside the zone block. Never use allow-transfer { any; } — it exposes your entire zone to anyone.

Named ACL — reusable network list
acl "internal" { 10.50.0.0/16; 172.16.0.0/12; };

Reference in allow-query, allow-recursion, allow-transfer. Keeps configs DRY and auditable.

Logging

Dedicated log channel with rotation
logging {
    channel default_log {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default { default_log; };
};

Always log to a dedicated file — never rely on syslog alone for DNS debugging. print-time and print-category make logs parseable with awk.

Split-Horizon DNS

View-based DNS — different answers for internal vs external
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" IN {
        type master;
        file "example.com.internal.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" IN {
        type master;
        file "example.com.external.zone";
    };
};

Views are evaluated in order — first match wins. Internal clients get internal IPs and recursion; external clients get public IPs and no recursion.

See Also

  • named — daemon management and diagnostics

  • Zones — zone file syntax, serial management, transfers

  • Forwarders — forwarding configuration patterns