Setting up a BIND DNS Server

From SambaWiki

Revision as of 19:04, 19 October 2016


This HowTo describes how to compile and configure a basic BIND installation that can be used as the DNS backend of a Samba Active Directory (AD) domain controller (DC). Skip this guide if you already have a BIND installation that can be used as the Samba AD backend.

If you need a more complex DNS setup than the Samba 4 internal DNS can provide, using BIND as the DNS backend is recommended.

Installing BIND

Using BIND as the backend for your Samba Active Directory domain controller is currently only supported with versions 9.8 and 9.9. Users of BIND 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for BIND 9.7 for instructions on configuring BIND 9.7.

If you install BIND from your distribution's repositories, you can skip the following two steps, but make sure it was compiled with the '--with-gssapi' and '--with-dlopen' options (see below) before using it as the Samba AD DNS backend.


Download a Samba 4 supported version of your choice from https://www.isc.org/software/bind.

Compiling BIND

To use BIND 9.8.1 or later as the Samba AD backend, at least the following two configure options are required:

# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes

Check whether your environment requires any other options. If you are building BIND 9.8.0, you must use '--with-dlz-dlopen=yes' instead of '--with-dlopen=yes'.

To build and install:

# make
# make install


Setting up a basic named.conf

The following example is a basic 'named.conf' for a minimal BIND installation without any Samba AD parts. See the section Configuring BIND as Samba Active Directory backend at the end of this page for how to configure BIND for Samba AD.

# /etc/named.conf
# Global BIND configuration options

options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    allow-query {
        127.0.0.1;
        # add other networks you want to allow to query your DNS
    };

    allow-recursion {
        127.0.0.1;
        # add other networks you want to allow to do recursive queries
        # (keep this limited to trusted networks: an open resolver can be abused by third parties)
    };

    forwarders {
        # Google public DNS server here - replace with your own if necessary
        8.8.8.8;
    };

    allow-transfer {
        # this config is for a single master DNS server, so nobody may transfer zones
        none;
    };
};


# Root servers (required zone for recursive queries)
zone "." {
   type hint;
   file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

We chose '/var/named' as the directory in 'named.conf' where our zone files and other data reside. If you want to place them in a different location, adjust the paths in all further instructions accordingly.

For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.

Adding a user and group for BIND

If you don't want to run BIND as root (and you certainly shouldn't), add a dedicated account and group.

First, check whether a 'named' group already exists:

# getent group|grep named

Add the user and group if none exist (adapt the UID/GID if required):

# groupadd -g 25 named
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named

Getting the root name server list

Download the root name server list from InterNIC:

# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
# chown named:named /var/named/named.root

To keep the file current, you can add a cron job that downloads it automatically.

Creating the localhost zone file

Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:


$ORIGIN localhost.
$TTL    1D                              ; default TTL for records without an explicit one

@       1D      IN     SOA     @       root (
                       2013050101      ; serial
                       8H              ; refresh
                       2H              ; retry
                       4W              ; expiry
                       1D )            ; minimum

@       IN      NS      @
        IN      A       127.0.0.1

Creating the 0.0.127.in-addr.arpa zone file

Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:


$TTL    1D                              ; default TTL for records without an explicit one

@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D )            ; Minimum TTL

        IN      NS      localhost.

1       IN      PTR     localhost.

Set permissions on the zone files

# chown named:named /var/named/master/*.zone
# chmod 640 /var/named/master/*.zone

Starting BIND

# named -u named

If the configuration is valid, you should see no errors on the console or in the system log file. The 'named-checkconf' and 'named-checkzone' utilities shipped with BIND let you validate 'named.conf' and the zone files before starting the server.

To have BIND started automatically at boot time, it's recommended to create an init.d script or start it via systemd.

Testing your zone

Now we will try to look up our zone entries. We tell the 'host' command to use the resolver on 127.0.0.1, so that we don't query a foreign DNS server that may also be configured in '/etc/resolv.conf'.

First check the forward lookup for 'localhost':

# host localhost. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1

And then the reverse lookup for '127.0.0.1':

# host 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.
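As an added offline check (example code written for this page, not part of the wiki or of BIND), the following script parses the two zone files created above and verifies that the A record and the PTR record agree with each other, which is what the two 'host' lookups confirm against the running server. It handles the master-file features the page's files use ($ORIGIN, blank owner names, the parenthesised multi-line SOA, comments) and only the SOA, NS, A and PTR types; the zone texts are constructed copies with the localhost address filled in as 127.0.0.1.

```python
# Constructed copies of this page's two zone files (localhost A record set to 127.0.0.1).
FORWARD_ZONE = """\
$ORIGIN localhost.
@   1D  IN  SOA  @  root (
        2013050101 8H 2H 4W 1D )   ; serial refresh retry expiry minimum
@       IN  NS   @
        IN  A    127.0.0.1
"""
REVERSE_ZONE = """\
@   IN  SOA  localhost. root.localhost. (
        2013050101 8H 2H 4W 1D )
    IN  NS   localhost.
1   IN  PTR  localhost.
"""
def fqdn(name, origin):
    """Expand '@' and relative owner names against the zone origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples from BIND master-file text."""
    records, owner, depth, buf = [], origin, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                                    # still inside a multi-line RR
            continue
        indented = buf[0][0] in " \t"                    # blank owner = previous owner
        fields, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
        if fields[0].startswith("$"):                    # $ORIGIN sets the origin; $TTL is skipped
            origin = fields[1] if fields[0] == "$ORIGIN" else origin
            continue
        if not indented:
            owner = fqdn(fields.pop(0), origin)
        while fields[0] not in {"SOA", "NS", "A", "PTR"}:   # skip optional TTL and class
            fields.pop(0)
        records.append((owner, fields[0], fields[1]))
    return records

def ptr_name(ip):                                        # 127.0.0.1 -> 1.0.0.127.in-addr.arpa.
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
def check_consistency(forward, reverse):
    """Return A/PTR pairs that do not agree; an empty list means consistent."""
    a = {o: rd for o, t, rd in forward if t == "A"}
    ptr = {o: rd for o, t, rd in reverse if t == "PTR"}
    bad = [(n, ip) for n, ip in a.items() if ptr.get(ptr_name(ip)) != n]
    bad += [(p, n) for p, n in ptr.items() if ptr_name(a.get(n, "")) != p]
    return bad
```

Call check_consistency(parse_zone(FORWARD_ZONE, "localhost."), parse_zone(REVERSE_ZONE, "0.0.127.in-addr.arpa.")); an empty list means the forward and reverse zones match.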

Configuring BIND as Samba Active Directory backend

See Configuring BIND9_DLZ as Back End for Samba AD.