DNS Server
BIND9 zone management, rndc commands, and authoritative DNS server operations.
BIND9 Service Management
Check named status — is the daemon running and healthy?
systemctl status named
Reload zones without full restart — graceful update
sudo rndc reload
Reload a single zone — surgical when you touched one file
sudo rndc reload inside.domusdigitalis.dev
Flush the entire cache — nuclear option for stale records
sudo rndc flush
Show server status — uptime, queries, cache stats
sudo rndc status
Dump the cache to a file for inspection; the path comes from the dump-file option in named.conf (default named_dump.db in the working directory)
sudo rndc dumpdb -cache
head -100 /var/named/data/cache_dump.db
Re-read named.conf and load newly added zones only (existing zones are not reloaded; use rndc reload for that)
sudo rndc reconfig
Configuration Validation
Check named.conf syntax before reload — catches typos before they hurt (include files are followed automatically)
sudo named-checkconf /etc/named.conf
Check named.conf and also load every zone it declares — catches zone file errors in the same pass
sudo named-checkconf -z /etc/named.conf
Validate a zone file — catches SOA errors, missing periods, bad records
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
Validate reverse zone file
sudo named-checkzone 1.50.10.in-addr.arpa /var/named/1.50.10.in-addr.arpa.zone
Zone File Syntax
Forward zone file structure — SOA, NS, then records
$TTL 86400
@ IN SOA ns1.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
2026041001 ; Serial (YYYYMMDDNN)
3600 ; Refresh
900 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; Name servers
@ IN NS ns1.inside.domusdigitalis.dev.
; A records
ns1 IN A 10.50.1.90
ise-01 IN A 10.50.1.20
vault-01 IN A 10.50.1.60
home-dc01 IN A 10.50.1.50
vyos-01 IN A 10.50.1.2
vyos-02 IN A 10.50.1.3
Reverse zone file — PTR records map IPs back to names
$TTL 86400
@ IN SOA ns1.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
2026041001 ; Serial
3600 ; Refresh
900 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
@ IN NS ns1.inside.domusdigitalis.dev.
90 IN PTR ns1.inside.domusdigitalis.dev.
20 IN PTR ise-01.inside.domusdigitalis.dev.
60 IN PTR vault-01.inside.domusdigitalis.dev.
50 IN PTR home-dc01.inside.domusdigitalis.dev.
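The serial in both SOA records above is the only thing secondaries look at to decide whether a zone changed, so an edit that forgets to bump it is silently ignored, and a serial that moves backwards is treated as older than what they already hold. The following script is an added example, not code from the original page or from BIND: it bumps a YYYYMMDDNN serial the way the zone files above use it, then chains the named-checkzone and rndc reload commands from the earlier sections into one publish step. It assumes the serial is the first 10-digit number after the SOA line, as in the files above, and publish_zone assumes named-checkzone and rndc are installed; the demo zone at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: bump the SOA serial of a zone file
# in the YYYYMMDDNN form the zones above use, then validate and reload. An edit
# that leaves the serial unchanged is never picked up by secondaries, and a
# serial that goes backwards is treated as older than what they already hold.
# Assumes the serial is the first 10-digit number after the SOA line (as in the
# files above) and, for publish_zone, that named-checkzone and rndc are present.
set -eu

# Print the current serial of a zone file.
get_serial() {
    awk '/[ \t]SOA[ \t]/ { in_soa = 1 }
         in_soa && match($0, /[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/) {
             print substr($0, RSTART, RLENGTH); exit
         }' "$1"
}

# bump_serial ZONEFILE [YYYYMMDD]   (date defaults to today, UTC)
bump_serial() {
    zone="$1"
    today="${2:-$(date -u +%Y%m%d)}"
    tmp="$zone.tmp"
    awk -v today="$today" '
        /[ \t]SOA[ \t]/ { in_soa = 1 }
        in_soa && !done && match($0, /[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/) {
            old = substr($0, RSTART, RLENGTH)
            day = substr(old, 1, 8)
            if (day == today) {                 # another edit today: NN + 1
                nn = substr(old, 9, 2) + 1
                if (nn > 99) exit 2             # message printed in END
                new = sprintf("%s%02d", today, nn)
            } else if (day > today) {           # serial ahead of the clock: never rewind
                new = sprintf("%.0f", old + 1)
            } else {                            # first edit of a new day
                new = today "01"
            }
            $0 = substr($0, 1, RSTART - 1) new substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }
        END {
            if (nn > 99) { print "bump_serial: 99 edits today already" > "/dev/stderr"; exit 2 }
            if (!done)   { print "bump_serial: no 10-digit serial after SOA" > "/dev/stderr"; exit 3 }
        }' "$zone" > "$tmp" && mv "$tmp" "$zone" || { rm -f "$tmp"; return 1; }
}

# publish_zone ZONENAME ZONEFILE: bump, run the check from the page, reload only that zone.
# set -e stops before rndc if named-checkzone rejects the file.
publish_zone() {
    bump_serial "$2"
    named-checkzone "$1" "$2" > /dev/null
    sudo rndc reload "$1"
    echo "$1 published with serial $(get_serial "$2")"
}

# Constructed demo zone, mirroring the forward zone above (not the live file).
demo="$(mktemp)"
cat > "$demo" <<'EOF'
$TTL 86400
@ IN SOA ns1.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
2026041001 ; Serial (YYYYMMDDNN)
3600 ; Refresh
900 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
@ IN NS ns1.inside.domusdigitalis.dev.
ns1 IN A 10.50.1.90
EOF
bump_serial "$demo" 20260410
echo "same-day bump: $(get_serial "$demo")"   # 2026041002
bump_serial "$demo" 20260411
echo "next-day bump: $(get_serial "$demo")"   # 2026041101
rm -f "$demo"
```

On the live server the call is publish_zone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone (and the same for the reverse zone). The "serial ahead of the clock" branch matters more than it looks: a typo such as 2026410001 is larger than any date-based serial you will generate for years, and the only way forward that secondaries accept is to keep counting up from it.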
Record Types
A record — hostname to IPv4 address
modestus-razer IN A 10.50.10.5
CNAME record — alias pointing to canonical name
dns IN CNAME ns1.inside.domusdigitalis.dev.
MX record — mail routing with priority
@ IN MX 10 mail-01.inside.domusdigitalis.dev.
SRV record — service location (Kerberos, LDAP)
_kerberos._tcp IN SRV 0 100 88 home-dc01.inside.domusdigitalis.dev.
_ldap._tcp IN SRV 0 100 389 home-dc01.inside.domusdigitalis.dev.
TXT record — arbitrary text (SPF, DKIM, verification); a string longer than 255 characters must be split into several quoted strings, which is the usual case for DKIM keys
@ IN TXT "v=spf1 mx -all"
PTR record — reverse lookup (in reverse zone)
20 IN PTR ise-01.inside.domusdigitalis.dev.
named.conf Patterns
Forwarders — upstream DNS servers for external resolution. Recursion is on by default in BIND and allow-recursion falls back to allow-query when unset; state it explicitly so the recursion policy stays visible and survives a later loosening of allow-query
options {
directory "/var/named";
forwarders {
1.1.1.1;
8.8.8.8;
};
forward only;
dnssec-validation auto;
listen-on { 10.50.1.90; 127.0.0.1; };
allow-query { 10.50.0.0/16; 127.0.0.1; };
recursion yes;
allow-recursion { 10.50.0.0/16; 127.0.0.1; };
};
ACL definition — named networks for clean policy. An acl must be defined before the first statement that uses it, so keep these at the top of named.conf
acl "trusted" {
10.50.0.0/16;
127.0.0.1;
};
acl "lab" {
10.50.10.0/24;
10.50.20.0/24;
};
Zone declaration — forward zone (type master is the legacy keyword; BIND 9.16 and later also accept type primary)
zone "inside.domusdigitalis.dev" IN {
type master;
file "inside.domusdigitalis.dev.zone";
allow-update { none; };
allow-transfer { none; };
};
Zone declaration — reverse zone. Lock down transfers here as well: a reverse zone enumerates every host just like the forward zone, and older BIND releases default to allowing AXFR from any host when allow-transfer is omitted
zone "1.50.10.in-addr.arpa" IN {
type master;
file "1.50.10.in-addr.arpa.zone";
allow-update { none; };
allow-transfer { none; };
};
Views (Split-Horizon DNS)
Split-horizon — internal clients get private IPs, external get public. Views are tried in order and the first match-clients hit wins, so the internal view must come before the catch-all. Once any view exists, every zone statement (reverse zones included) has to live inside a view. Recursion is a per-view setting: leave it on for trusted clients and turn it off in the view that matches any, or the external face becomes an open resolver
view "internal" {
match-clients { trusted; };
recursion yes;
allow-recursion { trusted; };
zone "inside.domusdigitalis.dev" {
type master;
file "inside.domusdigitalis.dev.internal.zone";
};
};
view "external" {
match-clients { any; };
recursion no;
zone "domusdigitalis.dev" {
type master;
file "domusdigitalis.dev.external.zone";
};
};
Logging and Troubleshooting
BIND query logging — enable temporarily for debugging. A queries category in named.conf turns query logging on at startup (rndc querylog toggles it afterwards); /var/log/named must exist and be writable by the named user, with the named_log_t SELinux label on RHEL-family hosts
logging {
channel query_log {
file "/var/log/named/query.log" versions 3 size 10m;
severity info;
print-time yes;
print-category yes;
};
category queries { query_log; };
};
Enable query logging at runtime — no restart needed
sudo rndc querylog on
Disable query logging — do not leave this on in production
sudo rndc querylog off
Watch named logs for errors
journalctl -u named -f
Test resolution against your server directly
dig @10.50.1.90 ise-01.inside.domusdigitalis.dev A +short
Test reverse lookup
dig @10.50.1.90 -x 10.50.1.20 +short
AXFR zone transfer test — verify allow-transfer restrictions. Run it from a host that should not be allowed; with allow-transfer { none; } dig prints "; Transfer failed." instead of the zone contents
dig @10.50.1.90 inside.domusdigitalis.dev AXFR
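The three dig checks above are the ones worth repeating after every config change, and the interesting part is reading the result: the status word in the header, the flags line (aa for an authoritative answer, ra for recursion available) and whether an AXFR produced records or a "; Transfer failed." line. The script below is an added example, not code from the original page or from BIND, that turns those checks into a pass/fail audit. Its parsers read saved dig output so they can be exercised offline on constructed samples; run_audit wires them to live queries and assumes the page's server and zone (10.50.1.90, inside.domusdigitalis.dev) plus the usual dig output layout (";; ->>HEADER<<-" status line, ";; flags:" line with section counts, "; Transfer failed." for a refused transfer).

```shell
#!/bin/sh
# Added example, not from the original page: turn the dig checks above into a
# pass/fail audit. The parsers read saved dig output, so they can be tested
# offline on constructed samples; run_audit wires them to live queries against
# the page's server (10.50.1.90) and zone. Assumes dig's usual output layout:
# a ";; ->>HEADER<<-" line with the status, a ";; flags:" line with the flags
# and section counts, and "; Transfer failed." for a refused AXFR.
set -eu

# Status word from ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711"
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' "$1" | head -n 1
}

# Flag list from ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..." (empty if absent)
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' "$1" | head -n 1
}

# ANSWER count from the same line, 0 if absent
dig_answers() {
    n="$(sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' "$1" | head -n 1)"
    echo "${n:-0}"
}

# dig_has_flag FILE FLAG: true if FLAG (qr, aa, rd, ra, ad, ...) was set
dig_has_flag() {
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# allow-transfer held: dig reports a failed transfer and never printed a size line
axfr_refused() {
    grep -q '^; Transfer failed\.' "$1" && ! grep -q '^;; XFR size:' "$1"
}

# Open-resolver signature: a NOERROR answer for a name we are not authoritative
# for, recursion available (ra) and at least one record in the answer section.
open_resolver() {
    [ "$(dig_status "$1")" = "NOERROR" ] &&
        dig_has_flag "$1" ra &&
        [ "$(dig_answers "$1")" -gt 0 ]
}

# Live audit; needs dig and network reachability. ZONE is the authoritative zone,
# PROBE a host that exists in it, OUTSIDE a name the server is not authoritative for.
run_audit() {   # run_audit SERVER ZONE PROBE OUTSIDE
    srv="$1"; zone="$2"; out="$(mktemp)"; rc=0
    dig "@$srv" "$3.$zone" A > "$out" || true
    { [ "$(dig_status "$out")" = "NOERROR" ] && dig_has_flag "$out" aa; } ||
        { echo "FAIL: $3.$zone not answered authoritatively by $srv"; rc=1; }
    dig "@$srv" "$zone" AXFR > "$out" || true
    axfr_refused "$out" || { echo "FAIL: $srv allowed AXFR of $zone to this host"; rc=1; }
    dig "@$srv" "$4" A > "$out" || true
    if open_resolver "$out"; then
        echo "NOTE: $srv recurses for this host (expected from trusted nets, a finding from anywhere else)"
    fi
    rm -f "$out"
    return "$rc"
}

# Constructed dig outputs for offline use (not captured from the page's server).
sample_refused_axfr() {
    cat <<'EOF'
; <<>> DiG 9.18.24 <<>> @10.50.1.90 inside.domusdigitalis.dev AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
}
sample_open_resolver() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_closed_resolver() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Demo on the constructed samples. Against the real server:
#   run_audit 10.50.1.90 inside.domusdigitalis.dev ise-01 example.com
tmp="$(mktemp)"
sample_refused_axfr > "$tmp"; axfr_refused "$tmp" && echo "AXFR refused: ok"
sample_closed_resolver > "$tmp"; open_resolver "$tmp" || echo "recursion refused ($(dig_status "$tmp")): ok"
rm -f "$tmp"
```

Run the audit twice: once from a trusted subnet, where the recursion note is expected, and once from a network outside allow-query and allow-recursion (or from the external view's side, if views are in use), where a NOTE or any FAIL is a real finding.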
DNSSEC Basics
Check if a domain has DNSSEC — look for RRSIG records alongside the answer
dig @1.1.1.1 domusdigitalis.dev A +dnssec +short
Verify the chain of trust. The DS record lives in the parent zone, so query it on its own, then query the zone's DNSKEY; delv (shipped with bind-utils) validates the whole chain and reports "fully validated", and a validating resolver also sets the ad flag on its answers
dig @1.1.1.1 domusdigitalis.dev DS +dnssec +multi
dig @1.1.1.1 domusdigitalis.dev DNSKEY +dnssec +multi
delv @1.1.1.1 domusdigitalis.dev A
Generate DNSSEC keys for a zone — a KSK (the key the parent's DS points at) and a ZSK; both land as K*.key/K*.private files in the current directory
dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK inside.domusdigitalis.dev
dnssec-keygen -a ECDSAP256SHA256 -n ZONE inside.domusdigitalis.dev
Sign a zone with DNSSEC — -S picks up the keys generated above; output goes to inside.domusdigitalis.dev.zone.signed, which is what the zone's file directive must point at (-A is an NSEC3 opt-out flag and does nothing without -3). Signatures expire after 30 days by default, so manual signing must be repeated; BIND 9.16 and later can automate all of this with a dnssec-policy statement in the zone
dnssec-signzone -S -N INCREMENT -o inside.domusdigitalis.dev inside.domusdigitalis.dev.zone
Print the DS record(s) to publish at the parent zone, read from the signed file
dnssec-dsfromkey -f inside.domusdigitalis.dev.zone.signed inside.domusdigitalis.dev
See Also
- DNS Client — client-side resolution tools
- dig — DNS query debugging