DNS Servers
Running your own DNS server is necessary in enterprise environments for internal service discovery, split-horizon DNS (different answers for internal vs. external clients), and reducing DNS query latency. BIND9 is the most widely deployed DNS server on Ubuntu and the reference implementation of the DNS protocol. For smaller setups, Unbound (recursive resolver) or dnsmasq (lightweight forwarder) are simpler alternatives.
DNS concepts
DNS query flow:
Client: "What is the IP of web-01.internal?"
        |
        v
Recursive resolver (BIND9 on 10.0.0.53):
  → Checks zone file: internal zone
  → Finds A record: web-01.internal → 10.0.0.10
  → Returns: 10.0.0.10
        |
        v
Client connects to 10.0.0.10
DNS record types:
A → hostname to IPv4 address
AAAA → hostname to IPv6 address
CNAME → alias for another hostname
MX → mail server for domain
PTR → reverse DNS (IP to hostname)
NS → nameserver for zone
TXT → text data (SPF, DKIM, verification)
BIND9 installation
sudo apt update
sudo apt install -y bind9 bind9utils bind9-doc
# Check BIND9 status:
sudo systemctl status named
# Main BIND9 configuration:
sudo nano /etc/bind/named.conf.options
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// Accept queries from internal network only:
listen-on { 10.0.0.53; 127.0.0.1; };
allow-query { 10.0.0.0/24; 127.0.0.1; };
// Forward unresolvable queries to upstream DNS:
forwarders { 8.8.8.8; 8.8.4.4; };
forward only;
dnssec-validation auto;
recursion yes;
};
Zone file configuration
sudo nano /etc/bind/named.conf.local
/etc/bind/named.conf.local — define zones
zone "internal" {
type master;
file "/etc/bind/zones/db.internal";
};
zone "0.0.10.in-addr.arpa" { // Reverse DNS for 10.0.0.0/24
type master;
file "/etc/bind/zones/db.10.0.0";
};
sudo mkdir /etc/bind/zones
sudo nano /etc/bind/zones/db.internal
/etc/bind/zones/db.internal
$TTL 3600
@ IN SOA ns1.internal. admin.internal. (
2025060901 ; Serial (YYYYMMDDNN — increment each change)
3600 ; Refresh
900 ; Retry
604800 ; Expire
300 ) ; Negative TTL
; Nameservers:
@ IN NS ns1.internal.
ns1 IN A 10.0.0.53
; A records (hostname to IP):
web-01 IN A 10.0.0.10
web-02 IN A 10.0.0.11
db-01 IN A 10.0.0.20
api IN CNAME web-01 ; alias
# Check zone file syntax:
sudo named-checkzone internal /etc/bind/zones/db.internal
# Check overall BIND9 config:
sudo named-checkconf
# Reload BIND9 (applies changes without restart):
sudo rndc reload
DNS troubleshooting
# Test DNS resolution:
dig @10.0.0.53 web-01.internal A
dig output
;; ANSWER SECTION:
web-01.internal. 3600 IN A 10.0.0.10
;; Query time: 1 msec
;; SERVER: 10.0.0.53#53
# Reverse DNS lookup:
dig @10.0.0.53 -x 10.0.0.10
# Check BIND9 logs for errors:
sudo journalctl -u named --since "1 hour ago"
# Common issue: "zone serial not updated after edit"
# Always increment the serial number when changing zone files
# BIND9 will not load a zone with the same or lower serial
Conclusion
Always increment the zone serial number (in YYYYMMDDNN format) every time you edit a zone file. Secondary DNS servers use the serial number to detect changes and pull zone transfers — if you forget to update it, secondaries will not pick up your changes. Use named-checkzone before every reload to catch syntax errors; a zone file with a typo will prevent that zone from loading, causing DNS failures for all records in it.
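The serial rule above is easy to get wrong by hand, so here is an added helper (example code, not part of this article or of BIND9) that rewrites the SOA serial of a zone file in YYYYMMDDNN form. It goes slightly beyond the text: when the existing serial is already at today's 99 or is ahead of the calendar (a typo or clock skew), it still only increments, because secondaries ignore a zone whose serial went backwards. The zone text embedded below is a constructed copy of this article's db.internal.

```python
import re
from datetime import date

# Constructed sample: the db.internal zone from this article (serial 2025060901).
SAMPLE_ZONE = """$TTL 3600
@ IN SOA ns1.internal. admin.internal. (
    2025060901 ; Serial (YYYYMMDDNN)
    3600       ; Refresh
    900        ; Retry
    604800     ; Expire
    300 )      ; Negative TTL
@      IN NS ns1.internal.
ns1    IN A  10.0.0.53
web-01 IN A  10.0.0.10
"""

# Matches the first number after the SOA record's opening parenthesis: the serial.
SERIAL_RE = re.compile(r"(SOA\s+\S+\s+\S+\s*\(\s*)(\d+)", re.IGNORECASE)


def next_serial(current: int, today: date) -> int:
    """Return the next YYYYMMDDNN serial, always strictly greater than `current`."""
    todays_base = int(today.strftime("%Y%m%d")) * 100  # e.g. 2025061000
    if current < todays_base:
        return todays_base + 1   # first edit of a new day -> ...01
    if current < todays_base + 99:
        return current + 1       # same day -> bump the NN counter
    # Already at ...99, or the serial is ahead of the calendar (typo such as
    # 2025160901, or clock skew): never rewind, just keep it increasing.
    return current + 1


def bump_zone_serial(zone_text: str, today: date) -> tuple[str, int, int]:
    """Rewrite the SOA serial in `zone_text`; return (new_text, old, new)."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone file")
    old = int(m.group(2))
    new = next_serial(old, today)
    new_text = zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):]
    return new_text, old, new


if __name__ == "__main__":
    text, old, new = bump_zone_serial(SAMPLE_ZONE, date(2025, 6, 10))
    print(f"serial {old} -> {new}")
    print(text)
```

Run it against the real file by replacing SAMPLE_ZONE with the contents of /etc/bind/zones/db.internal, then follow up with named-checkzone and rndc reload as shown earlier.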
FAQ
Are DNS servers important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.