Setting up a BIND DNS Server

From SambaWiki
Jump to: navigation, search


If you are planning to set up a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ back end, you have to install and configure the BIND DNS server first.

The following describes how to set up a basic BIND installation you can use as Samba AD DC back end.

Installing BIND

For a list of supported BIND versions, see Configuring the BIND9_DLZ module.

Package Installation

Installing BIND using packages provided with your distribution is the recommended way. Select this installation mode for an easy installation and to automatically receive updates when available. For details how to install packages, see the distribution's package manager documentation.

Make sure that your package provider compiled BIND using the following options:

  • --with-gssapi=yes for secure dynamic DNS updates using Kerberos
  • --with-dlopen dynamically loadable zones (DLZ)

To list the build options:

# named -V
BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...

Compiling and Installing BIND

Use this installation mode if you are an advanced user and know how to compile software.

Downloading the Sources

Download a supported BIND version from

Compiling BIND

  • Pass at least the following parameters to the configure command:
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
Add further parameters, if required.
  • To build and install, run:
# make
# make install

Adding a User and Group for BIND

For security reasons, do not run BIND as root user.

To create a named group using GID 25:

# groupadd -g 25 named

To create a named account with UID 25, primary group named, home directory /var/named/, and without a valid shell:

# useradd -u 25 -g named -d /var/named -M -s /sbin/nologin named

For details, see the useradd (8) and groupadd (8) man page.

Configuring BIND

Setting up a named.conf file

To locate the directory, BIND uses to read the named.conf file:

# named -V
BIND 9.x.y built with ... '--sysconfdir=/etc' ...

In the previous example, BIND reads the configuration from the /etc/named.conf file.

The following is a basic configuration file:

# Global Configuration Options
options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {;;

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {;;

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {;;

    # Disable zone transfers 
    allow-transfer {

# Root Servers
# (Required for recursive DNS queries)
zone "." {
   type hint;
   file "named.root";

# Forward zone: localhost
zone "localhost" {
    type master;
    file "master/";

# Reverse zone: 127.0.0.
zone "" {
    type master;
    file "master/";

For details about the used parameters and options, see the named.conf (5) man page.

Downloading the DNS Root Servers List

  • Download the latest list of the DNS root servers to the /var/named/named.root file:
# wget -q -O /var/named/named.root
  • Enable the BIND user to read the root servers list:
# chown root:named /var/named/named.root
# chmod 640 /var/named/named.root

Creating the localhost Zone File

  • Create the localhost forward zone in the /var/named/master/ file:

$ORIGIN localhost.

@       1D      IN     SOA     @       root (
                       2013050101      ; serial
                       8H              ; refresh
                       2H              ; retry
                       4W              ; expiry
                       1D              ; minimum

@       IN      NS      @
        IN      A
  • Enable the BIND user to read the zone file:
# chown named:named /var/named/master/
# chmod 640 /var/named/master/

Creating the Zone File

  • Create the reverse zone in the /var/named/master/ file:

@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL

       IN      NS      localhost.

1      IN      PTR     localhost.

  • Enable the BIND user to read the zone file:
# chown named:named /var/named/master/
# chmod 640 /var/named/master/

Starting the Daemon

To start the BIND daemon as the named user, run

# named -u named

Alternatively, use your operating system tools, such as systemctl or service, to start the daemon. See you distribution's documentation for details.

Testing Your Zones

The following examples query the DNS service on the local machine (

To test the localhost forward zone:

# host -t A localhost
Using domain server:
localhost has address

To test the reverse zone:

# host -t PTR
Using domain server:
Aliases: domain name pointer localhost.

Configuring the BIND9_DLZ module

For details, see See BIND9_DLZ DNS Back End.