Set Up BIND Authoritative DNS Server on CentOS 8/RHEL 8



This tutorial shows you how to set up and run your own authoritative name server on CentOS 8/RHEL 8 with the widely used BIND 9 software.

What’s An Authoritative DNS Server?

If you own a domain name and want your own DNS server to handle name resolution for your domain name instead of using your domain registrar's DNS server, then you need to set up an authoritative DNS server.

An authoritative DNS server is used by domain name owners to store DNS records. It provides authoritative answers to DNS resolvers (like 8.8.8.8), which query DNS records on behalf of end users on PCs, smartphones or tablets.


About BIND

BIND (Berkeley Internet Name Domain) is an open-source, versatile and full-featured DNS software package widely used on Unix/Linux because of its stability and high quality. It was originally developed at UC Berkeley, and in 1994 its development moved to Internet Systems Consortium, Inc (ISC).

BIND can act as an authoritative DNS server for a zone and as a DNS resolver at the same time. A DNS resolver is also called a recursive name server because it performs recursive DNS lookups for end users. However, taking on both roles at the same time is not advantageous. It is good practice to separate the two roles onto two different hosts.

In a previous article, I explained the steps for setting up a local DNS resolver on CentOS 8/RHEL 8. This tutorial will show you how to set up BIND9 on CentOS 8/RHEL 8 as an authoritative-only DNS server with recursion disabled.


To follow this tutorial, you should already have bought a domain name. I registered my domain name at NameCheap because the price is low and they give whois privacy protection free for life.

You also need two servers. One server is for the master DNS server and the other is for the slave DNS server. Ideally the two servers should be in different physical locations. If one DNS server is offline, the other DNS server can still answer DNS queries for your domain name.

Each server needs only 512MB of RAM, and here are the hosting providers that I recommend. I have used all of them.

  • Vultr: Starts at $2.5/month. You can create an account at Vultr via my referral link to get $50 free credit.
  • DigitalOcean: Starts at $5/month. You can create an account at DigitalOcean via my referral link to get $100 free credit.

Note that you need to deposit a small amount ($5) to verify you are not a bot in order to get the credit. Once you have bought two servers, install CentOS 8/RHEL 8 on them and follow the instructions below.

Please note that you need root privileges when installing software. You can add sudo at the beginning of a command, or use the su - command to switch to the root user.

Set Up an Authoritative DNS Server on CentOS 8/RHEL 8 with BIND9

You need to run the commands in this section on both servers.

Log into the two servers via SSH and run the following commands to install BIND 9 on CentOS 8/RHEL 8 from the default repository. BIND 9 is the current version and BIND 10 is a dead project.

sudo dnf update
sudo dnf install bind bind-utils

Check the version information.

named -v

Sample output:

BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version)

To check the version number and build options, run

named -V


Now we can start BIND 9 with:

sudo systemctl start named

And enable automatic start at boot time:

sudo systemctl enable named

You can check its status with:

systemctl status named

Hint: If the above command does not quit immediately, press Q.

The BIND server runs as the named user, which is created during installation, and listens on TCP and UDP port 53, as can be seen by running the following command:

sudo ss -lnptu | grep named


Normally, DNS queries are sent to UDP port 53. TCP port 53 is used for responses larger than 512 bytes.

The BIND daemon is called named. (A daemon is a piece of software that runs in the background.) The named binary is installed by the bind package, and there is another important binary: rndc, the remote name daemon controller. The rndc binary is used to reload/stop and control other aspects of the BIND daemon. Communication is done over TCP port 953.

For example, we can check the status of the BIND name server.

sudo rndc status


By default, the BIND9 server on CentOS 8/RHEL 8 listens on localhost only. To provide authoritative DNS service to resolvers on the public Internet, we need to configure it to listen on the public IP address. Edit the BIND main configuration file /etc/named.conf with a command-line text editor like Nano.

sudo dnf install nano

sudo nano /etc/named.conf

In the options clause, you can find the following two lines.

listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };

These make named listen on localhost only. Comment out these two lines (add double slashes at the beginning of each line), so BIND will listen on the public IP address.

// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };

Since we are setting up an authoritative DNS server, we need to disable recursion. Find the following line in this file.

recursion yes;

Change the value to no to disable recursion.

recursion no;

I also recommend adding the following directives to the options clause.

// hide the version number from clients for security reasons.
version "not currently available";

// enable the query log
querylog yes;

// disallow zone transfer
allow-transfer { none; };


Save and close the file. (To save a file in the Nano text editor, press Ctrl+O, then press Enter to confirm. To exit, press Ctrl+X.)

Then test the config file syntax.

sudo named-checkconf

If the test is successful (indicated by silent output), restart named.

sudo systemctl restart named

Now we need to open port 53 in the firewall to allow resolvers to send DNS queries.

sudo firewall-cmd --permanent --add-port={53/udp,53/tcp}

Reload the firewall for the change to take effect.

sudo systemctl reload firewalld

Master DNS Server Configuration

Pick one of the two servers as the master DNS server. We'll name it

The master DNS server holds the master copy of the zone file. Changes to DNS records are made on this server. A domain can have multiple DNS zones. Each DNS zone has a zone file which contains every DNS record in that zone. For simplicity's sake, this article assumes that you want to use a single DNS zone to manage all DNS records for your domain name.

By default, BIND enables the root zone and a localhost zone. To add a zone for your domain name, edit the /etc/named.conf file.

sudo nano /etc/named.conf

Add the following lines at the bottom of this file. Replace the zone name with your own domain name, and the address in allow-transfer with the IP address of the slave DNS server.

zone "" {
    type master;
    file "/var/named/";
    allow-transfer { ; };
};

In the above configuration, we created a new zone with the zone clause and specified that this is the master zone. The zone file is /var/named/, where we will add DNS records. Zone transfer will only be allowed for the slave DNS server.

Instead of creating a zone file from scratch, we can use a zone template file. Copy the content of named.empty to a new file.

sudo cp /var/named/named.empty /var/named/

A zone file can contain three types of entries:

  • Comments: start with a semicolon (;)
  • Directives: start with a dollar sign ($)
  • Resource Records: aka DNS records

A zone file usually consists of the following types of DNS records.

  • The SOA (Start of Authority) record: defines the key characteristics of a zone. It is the first DNS record in the zone file and is mandatory.
  • NS (Name Server) record: specifies which servers store the DNS records and answer DNS queries for a domain name. There must be at least two NS records in a zone file.
  • MX (Mail Exchanger) record: specifies which hosts are responsible for email delivery for a domain name.
  • A (Address) record: converts DNS names into IPv4 addresses.
  • AAAA (Quad A) record: converts DNS names into IPv6 addresses.
  • CNAME (Canonical Name) record: used to create an alias for a DNS name.
  • TXT record: SPF, DKIM, DMARC, etc.

Now let's edit the zone file.

sudo nano /var/named/

By default, it looks like this:

[screenshot of the default zone file]

You can change it to this instead.

[screenshot of the edited zone file]

Where

  • The $TTL directive defines the default Time To Live value for the zone, which is the time a DNS record can be cached on a DNS resolver. This directive is mandatory.
  • The $ORIGIN directive defines the base domain.
  • Domain names must end with a dot (.), which is the root domain. When a domain name ends with a dot, it is a fully qualified domain name (FQDN).
  • The @ symbol refers to the base domain.
  • IN is the DNS class. It stands for Internet. Other DNS classes exist but are rarely used.

The first record in a zone file is the SOA (Start of Authority) record. This record contains the following information:

  • The master DNS server.
  • Email address of the zone administrator. RFC 2142 recommends a hostmaster@ mailbox for this purpose. In the zone file, this email address is written with the @ replaced by a dot, because the @ symbol has a special meaning in zone files.
  • Zone serial number. The serial number is how the slave DNS server tracks changes to the zone. By convention, the serial number takes a date format: yyyymmddss, where yyyy is the four-digit year, mm is the month, dd is the day, and ss is the sequence number for the day. You must update the serial number when changes are made to the zone file.
  • Refresh value. When the refresh interval is reached, the slave DNS server will try to read the SOA record from the master DNS server. If the serial number has become larger, a zone transfer is initiated.
  • Retry value. Defines the retry interval if the slave DNS server fails to connect to the master DNS server.
  • Expiry: If the slave DNS server has been failing to make contact with the master DNS server for this amount of time, the slave will stop responding to DNS queries for this zone.
  • Negative cache TTL: Defines the time-to-live value of DNS responses for non-existent DNS names (NXDOMAIN).

TXT records are normally enclosed in double quotes. If you add a DKIM record, you also need to enclose the value in parentheses.
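As an added example (not part of the original tutorial), the following Python checker applies the zone-file rules just described to a constructed sample zone for the placeholder domain example.com: a mandatory $TTL, the SOA as the first record, FQDN names with trailing dots, a yyyymmddss serial, and at least two NS records.

```python
import re
# Constructed sample zone for the placeholder domain example.com, laid out as the
# tutorial describes: $TTL and $ORIGIN, SOA first, two NS, then MX/A/CNAME/TXT.
SAMPLE_ZONE = """\
$TTL 1d
$ORIGIN example.com.
@     IN  SOA   ns1.example.com. hostmaster.example.com. (
                2020111216    ; serial, yyyymmddss
                1d 2h 4w 1h ) ; refresh, retry, expire, negative-cache TTL
@     IN  NS    ns1.example.com.
@     IN  NS    ns2.example.com.
@     IN  MX    10 mail.example.com.
@     IN  A     192.0.2.10
ns1   IN  A     192.0.2.53
ns2   IN  A     198.51.100.53
mail  IN  A     192.0.2.25
www   IN  CNAME example.com.
@     IN  TXT   "v=spf1 mx -all"
"""

def logical_records(text):
    """Strip ';' comments and merge a '( ... )' continuation into one token list."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).strip()
        if line:
            buf.append(line)
            depth += line.count("(") - line.count(")")
        if buf and depth == 0:
            records.append(" ".join(buf).replace("(", " ").replace(")", " ").split())
            buf = []
    return records

# yyyymmddss: four-digit year, month 01-12, day 01-31, two-digit sequence number
SERIAL_RE = re.compile(r"(19|20)\d\d(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d\d")

def check_zone(text):
    """Apply the tutorial's zone-file rules; returns a list of problems (empty = OK)."""
    recs, problems = logical_records(text), []
    def rtype(r): return r[r.index("IN") + 1] if "IN" in r else None  # token after class
    if not any(r[0] == "$TTL" for r in recs):
        problems.append("missing mandatory $TTL directive")
    rrs = [r for r in recs if not r[0].startswith("$")]
    if not rrs or rtype(rrs[0]) != "SOA":
        return problems + ["first resource record must be the SOA"]
    mname, rname, serial = rrs[0][3:6]  # owner IN SOA mname rname serial ...
    if "@" in rname or not (mname.endswith(".") and rname.endswith(".")):
        problems.append("SOA server and contact must be FQDNs, with '@' written as '.'")
    if not SERIAL_RE.fullmatch(serial):
        problems.append(f"serial {serial!r} does not follow the yyyymmddss convention")
    if sum(rtype(r) == "NS" for r in rrs) < 2:
        problems.append("a zone needs at least two NS records")
    for r in rrs:  # a relative NS/MX/CNAME target silently gets $ORIGIN appended
        if rtype(r) in ("NS", "MX", "CNAME") and not r[-1].endswith("."):
            problems.append(f"{rtype(r)} target {r[-1]!r} is not a FQDN (no trailing dot)")
    return problems
```

Run named-checkzone as well before restarting BIND; this script only catches the conventions listed above, not every syntax error BIND would reject.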

Save and close the file. Next, we should set named as the group owner of the zone file under /var/named/, or named won't be able to load this zone.

sudo chown root:named /var/named/

Then run the following command to check for syntax errors in the main configuration file. Silent output indicates that no errors were found.

sudo named-checkconf

Then check the syntax of the zone file.

sudo named-checkzone /var/named/

If there are syntax errors in the zone file, you need to fix them, or this zone won't be loaded. The following message indicates there are no syntax errors.

zone loaded serial 2020111216

Then restart BIND9.

sudo systemctl restart named

Slave DNS Server Configuration

Now we use the other server as the slave DNS server, which will be named

First, edit the named.conf file.

sudo nano /etc/named.conf

Add the following lines at the end of this file. This adds a slave zone. Replace the address in masters with the IP address of the master DNS server.

zone "" {
    type slave;
    file "/var/named/slaves/";
    masters { ; };
};

In the above configuration, we specified that this is a slave DNS server for the zone and that it will accept zone transfers only from the master DNS server.

Save and close the file. Then run the following command to check for syntax errors in the main configuration file.

sudo named-checkconf

If no errors are found, restart BIND9.

sudo systemctl restart named

The zone file on the slave DNS server is loaded through a zone transfer, which synchronizes DNS record changes from the master DNS server to the slave DNS server. After BIND9 restarts, the zone transfer will start immediately. Check the BIND9 log with the following command.

sudo journalctl -eu named

You should see a message like the one below, which indicates the zone transfer was successful.

named[31518]: transfer of '' from Transfer completed: 1 messages, 16 records, 886 bytes, 0.004 secs (221500 bytes/sec)

More about Zone Transfer

The slave DNS server will contact the master again when the refresh time in the SOA record is reached, and if the serial number on the master is larger than that on the slave, a zone transfer will be initiated. There are two types of zone transfers:

  • Full zone transfer (AXFR): the full copy of the zone file is transferred.
  • Incremental zone transfer (IXFR): only the DNS records that have changed are transferred.

Both types of zone transfer use TCP port 53. By default, BIND on the slave DNS server will request an incremental zone transfer, and BIND on the master DNS server will only allow incremental zone transfer when the zone is dynamic.

The zone transfer interval is a major factor in how fast DNS record changes propagate. Instead of waiting for the slave DNS server to make contact, the BIND master will notify the slave when changes are made to the zone. This can greatly reduce the time it takes to propagate zone changes to the Internet.

Reverse Zone

A reverse zone contains PTR records that map an IP address to a DNS name. It is the counterpart of the DNS A record. A PTR record is usually necessary for mail servers to pass spam filters. This record does not belong to a domain. It is managed by the organization that gives you the IP address. You need to create the PTR record in your hosting provider's control panel or ask your ISP, so I'm not going to cover creating reverse zones in BIND.

Change the NS Records and Create Glue Records

Now you need to go to your domain registrar's website to change the NS records for your domain, so the Internet knows that you are now using your own DNS servers. Usually you use hostnames like the following in the NS records:

name server 1:
name server 2:

If you use hostnames under your own domain for the authoritative DNS servers, then you also need to create glue records at your domain registrar, so the Internet can learn the IP addresses of your DNS servers. A glue record is an A record for each name server hostname:

IP-address-of-master-server
IP-address-of-slave-server

The above information will be sent to the registry operator who runs the TLD DNS servers via the Extensible Provisioning Protocol (EPP), so that the TLD DNS servers know the names and IP addresses of the authoritative DNS servers for your domain name.

After the glue records and NS records have propagated across the Internet, your DNS servers will be answering DNS queries for your domain name. You can check the query log with:

sudo journalctl -eu named

Things to Know

  • The term master DNS server only means that this server stores the master copy of the zone file. It has no higher priority when it comes to DNS resolution.
  • Always update the SOA serial number when you make changes to a zone file.
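Added example, not from the original tutorial: a Python helper that bumps the SOA serial following the yyyymmddss convention described above and rewrites it in a constructed zone fragment for the placeholder domain example.com. It goes one step beyond the text in that serial_is_newer compares serials the way a slave does, with RFC 1982 serial arithmetic, so a serial that wraps around the 32-bit field is still seen as newer.

```python
import re
from datetime import date

# Constructed SOA fragment for the placeholder domain example.com.
SAMPLE_SOA = """\
$TTL 1d
@   IN  SOA  ns1.example.com. hostmaster.example.com. (
             2020111216 ; serial, yyyymmddss
             1d 2h 4w 1h )
@   IN  NS   ns1.example.com.
"""

# The serial is the first integer after the SOA's server and contact names,
# possibly separated from them by an opening parenthesis and comment lines.
SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*)(\d+)")

def next_serial(current, today=None):
    """Next yyyymmddss serial: today's date followed by a two-digit per-day sequence.

    A slave only transfers when the serial grows, so the result is never lower
    than current + 1, even when `current` carries a future date or the day's
    sequence has already reached 99. `today` may be a date or an ISO string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100  # first change of the day ends in 00
    new = max(base, current + 1)
    if new >= 2 ** 32:
        raise ValueError("the SOA serial is a 32-bit field")
    return new

def serial_is_newer(master, slave):
    """RFC 1982 comparison as used by slaves: 'greater' is defined modulo 2**32,
    so a serial that wrapped past 4294967295 is still seen as newer."""
    return 0 < (master - slave) % 2 ** 32 < 2 ** 31

def bump_zone_serial(zone_text, today=None):
    """Rewrite the SOA serial in zone_text; returns (new_text, old_serial, new_serial)."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(2))
    new = next_serial(old, today)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new
```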

Named Automatic Restart

If for any reason your Named process is killed, you need to run the following command to restart it.

sudo systemctl restart named

Instead of typing this command manually, we can make Named restart automatically by editing the named.service systemd service unit. To override the default systemd service configuration, we create a separate directory.

sudo mkdir -p /etc/systemd/system/named.service.d/

Then create a file under this directory.

sudo nano /etc/systemd/system/named.service.d/restart.conf

Add the following lines to the file, which will make Named automatically restart 5 seconds after a failure is detected.

[Service]
Restart=always
RestartSec=5s

Save and close the file. Then reload systemd.

sudo systemctl daemon-reload

To check whether this works, kill Named with:

sudo pkill named

Then check Named's status. You will find that Named has automatically restarted.

systemctl status named

That's it! I hope this tutorial helped you set up an authoritative DNS server on CentOS 8/RHEL 8 with BIND9. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.
