
BIND setup on Debian

What is BIND and what does it do?

BIND is an implementation of the Domain Name System (DNS) protocols. The name BIND stands for "Berkeley Internet Name Domain", because the software originated in the early 1980s at the University of California at Berkeley. In recent years, the word BIND has become, like "radar" and "snafu" and "laser" and "scuba", more word than acronym.

The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. What it means to say "BIND is an implementation of the DNS protocols" is that the BIND software distribution contains all of the software needed both to ask name service questions and to answer such questions.

The BIND software distribution contains three parts:

  • A Domain Name System server. This is a program called "named", which is pronounced "name-dee" and stands for "name daemon". It answers questions that are sent to it, following the rules specified in the DNS protocol standards. You can provide DNS service on the internet by installing this software on a server computer and giving it correct information about your domain names.
  • A Domain Name System "resolver library". A "resolver" is a program that resolves questions about names by sending those questions to appropriate servers and responding appropriately to the servers' replies. A "resolver library" is a collection of software components that a programmer can add to software being developed, which will give that software the ability to resolve names. For example, a programmer who was programming a new web browser does not need to create the part of it that looks up names in DNS; he or she can plug in the resolver library and then send questions to the library software components. This saves time (the programmer does not need to re-invent that particular wheel) and helps ensure that the new browser correctly follows the DNS standards.
  • Software tools for testing servers. These are the tools that we use for testing, and we include them in the distribution in case you would like to do your own testing, perhaps to make sure your server configuration is working properly.

When you install an operating system on your computer, that operating system will contain whatever resolver library its developers selected for it. When you set up a server computer, its vendor usually has provided some DNS server software (usually BIND) so that the server will work as delivered. Because BIND faithfully implements the DNS protocols, there is no need for the resolver (which asks questions) and the server (which answers questions) to be running the same software.

Install bind

apt-get install bind9

Now that it is installed you still need to configure it.
The configuration files are in /etc/bind/:

  • named.conf
  • named.conf.default-zones
  • named.conf.local
  • named.conf.options
named.conf is the main file; on Debian it contains almost nothing itself and only includes the other three.
Most of the work is done in named.conf.local, where your own zones (domains) are defined, usually by pointing at a separate zone file per domain.

example of named.conf.local:


zone "yoursite.com" {
        type master;
        file "/etc/bind/yoursite.com.hosts";
};
The zone file it points to (/etc/bind/yoursite.com.hosts) contains the records for the domain:

$TTL 3600
yoursite.com.        IN      SOA     ns1.yoursite.com. webmaster.yoursite.com. (
                        2014081508   ; serial, YYYYMMDDnn: date of the last change plus a two-digit counter
                        10800        ; refresh interval (3h)
                        3600         ; retry interval (1h)
                        604800       ; expire (1w)
                        3600 )       ; negative cache TTL (1h)
yoursite.com.        IN      NS      ns1.yoursite.com.
                     IN      NS      ns2.yoursite.com.
                     IN      MX      10      mail.yoursite.com.
yoursite.com.        IN      A       1.2.3.4
www.yoursite.com.    IN      A       1.2.3.4
mail.yoursite.com.   IN      A       1.2.3.4
ns1.yoursite.com.    IN      A       1.2.3.4
ns2.yoursite.com.    IN      A       1.2.3.4
Don't forget the trailing dot, it is important: a name without one is relative to the zone, so "ns1.yoursite.com" (no dot) would be read by BIND as "ns1.yoursite.com.yoursite.com.".
The first name in the SOA record is the primary name server for the zone, the second is the contact address with the @ replaced by a dot (webmaster.yoursite.com. means webmaster@yoursite.com).
A line with an empty owner field inherits the owner of the line above it, which is why the second NS line and the MX line belong to yoursite.com.
Here you define which IP is linked to which (sub)domain; in the example everything points at the placeholder 1.2.3.4, but you can for example put your mail on one server (MX mail.yoursite.com.) and your website on another (www.yoursite.com.).
Every zone needs at least one NS record (two on different machines is the norm, and the registrar must delegate the domain to the same names); an MX record is only needed if the domain receives mail.

The numbers in the SOA record tell secondary name servers how to handle the zone (all values are in seconds): refresh is how often a secondary asks the primary whether the serial has changed, retry is how long it waits after a failed refresh, expire is how long it keeps answering for the zone without reaching the primary, and the last value is the negative cache TTL, how long a "no such name" answer may be cached by resolvers.
The serial must be increased on every change, otherwise secondaries never pick up the new data; the YYYYMMDDnn convention makes that easy to get right.

yoursite.com.        IN      SOA     ns1.yoursite.com. webmaster.yoursite.com. (
                        2014081508      ; Serial (YYYYMMDDnn, bump on every edit)
                        10800           ; Refresh [3h]
                        3600            ; Retry   [1h]
                        604800          ; Expire  [1week]
                        3600 )          ; Negative Cache TTL [1h]
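As an added example (not part of this guide and not BIND's own tooling; named-checkzone is the real check and is described below), here is a small Python script that reads a zone file in the layout used above and flags the mistakes the notes warn about: a data-field name without its trailing dot, an SOA serial that is not YYYYMMDDnn, a primary (SOA MNAME) that is not one of the NS records, and an in-zone NS name without an A record. The zone it checks is a constructed copy of the one above with two deliberate errors, and the origin name and file layout (one record per line, owner inherited from the previous line, multi-line SOA in parentheses) are assumptions of the example.

```python
"""Sanity checks for a BIND zone file in the layout used in this guide.

Added example, not part of the guide or of BIND.  The zone below is
constructed for the example and contains two deliberate mistakes: the
MX target lacks its trailing dot and ns2 has no A record.
"""
import re

ORIGIN = "yoursite.com."  # assumed origin of the constructed zone

SAMPLE_ZONE = """\
$TTL 3600
yoursite.com.        IN      SOA     ns1.yoursite.com. webmaster.yoursite.com. (
                        2014081508   ; serial, YYYYMMDDnn
                        10800        ; refresh (3h)
                        3600         ; retry (1h)
                        604800       ; expire (1w)
                        3600 )       ; negative cache TTL (1h)
yoursite.com.        IN      NS      ns1.yoursite.com.
                     IN      NS      ns2.yoursite.com.
                     IN      MX      10      mail.yoursite.com
yoursite.com.        IN      A       1.2.3.4
www.yoursite.com.    IN      A       1.2.3.4
mail.yoursite.com.   IN      A       1.2.3.4
ns1.yoursite.com.    IN      A       1.2.3.4
"""


def parse_zone(text):
    """Return (default_ttl, [(owner, rtype, rdata_tokens), ...])."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")  # inside a multi-line record?
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    ttl, owner, records = None, None, []
    for line in logical:
        if line.upper().startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        inherits = line[0].isspace()                 # empty owner field
        toks = line.replace("(", " ").replace(")", " ").split()
        if not inherits:
            owner = toks.pop(0)
        if toks[0].isdigit():                        # optional per-record TTL
            toks.pop(0)
        if toks[0].upper() == "IN":
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return ttl, records


def next_serial(current, today):
    """Next YYYYMMDDnn serial; `today` is an int such as 20140826.

    Secondaries only transfer a zone when the serial grows, so the result
    is always larger than `current`, even after 100 edits in one day."""
    candidate = today * 100
    return candidate if candidate > current else current + 1


def check_zone(text, origin=ORIGIN):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    ttl, records = parse_zone(text)
    if ttl is None:
        problems.append("missing $TTL directive")
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        return problems + ["zone needs exactly one SOA record"]
    mname, serial = soa[0][2][0], soa[0][2][2]
    if not re.fullmatch(r"\d{10}", serial):
        problems.append(f"SOA serial {serial} is not in YYYYMMDDnn form")
    ns_targets = [r[2][0] for r in records if r[1] == "NS"]
    if mname not in ns_targets:
        problems.append(f"SOA primary {mname} is not one of the NS records")
    a_owners = {r[0] for r in records if r[1] == "A"}
    for _owner, rtype, rdata in records:
        # Where the name sits in the data field for each record type.
        names = {"NS": rdata[:1], "MX": rdata[1:2], "SOA": rdata[:2]}.get(rtype, [])
        for name in names:
            if not name.endswith("."):
                problems.append(f"{rtype} target {name} lacks a trailing dot "
                                f"(BIND reads it as {name}.{origin})")
    for name in ns_targets:
        if name.endswith("." + origin) and name not in a_owners:
            problems.append(f"NS {name} has no A record in the zone")
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE) or ["zone looks fine"]:
        print(problem)
    print("next serial:", next_serial(2014081508, 20140826))
```

Run it against a real file with `check_zone(open(path).read(), "yourzone.")`; the checks are deliberately narrow (only the record types this guide uses), so treat a clean result as "nothing obviously wrong", not as proof the zone is valid.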

 

Security

There is a type of Distributed Denial of Service attack (DDoS), DNS amplification, in which the attacker sends small queries with a spoofed source address to an open recursive DNS server, which then sends its much larger answers to the victim.
An authoritative server for your own domains does not need to recurse at all, so switch it off in /etc/bind/named.conf.options (Debian keeps the file under /etc/bind/; the /var/named/chroot/... path belongs to Red Hat-style chroot packages).
Put the two lines inside the options block that is already in that file. Do not add a second options block, named refuses to start with two.

options {
     // keep the settings Debian already put here, such as directory "/var/cache/bind";
     allow-query-cache { none; };
     recursion no;
};
With this configuration the server answers with the addresses of the domains it is authoritative for, but will not ask other DNS servers for names it does not know, and will not hand out anything from its cache.
If the same machine also has to resolve names for your own LAN, do not disable recursion outright: leave recursion on, drop the allow-query-cache line, and limit who may use it with allow-recursion { localnets; }; so that only your own networks get recursive answers.
While editing this block, also restrict zone transfers: older BIND 9 releases allow any host to pull a full copy of your zone (AXFR) by default, so add allow-transfer { none; }; on a stand-alone primary, or list the addresses of your secondaries instead of none.
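To check from the outside that the server really refuses recursion, the following Python script (an added example, not part of this guide or of BIND) builds a DNS query by hand so that only the standard library is needed, sends it with the RD bit set for a name the server is not authoritative for, and reads the RA bit and RCODE of the reply. A server with the options above answers REFUSED with RA clear; an open resolver answers with RA set. The query name www.example.com, the placeholder address 192.0.2.53, plain UDP on port 53 and an IPv4 A-record query are assumptions of the example, and the reply bytes in the comments are constructed, not captured.

```python
"""Probe a name server to see whether it offers recursion (open resolver test).

Added example, not part of the guide or of BIND.  The probe must be run
from a network that the server does not treat as local, because
allow-recursion decides per client address.
"""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid, recursion_desired=True):
    """Wire-format A/IN query for `name` with transaction id `qid` (RFC 1035)."""
    flags = 0x0100 if recursion_desired else 0x0000            # QR=0 OPCODE=0 RD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)     # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(data, expected_id):
    """Decode the 12-byte DNS header of a reply into the fields the verdict needs."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id_ok": qid == expected_id,
        "qr": bool(flags & 0x8000),    # 1 = this is a response
        "ra": bool(flags & 0x0080),    # server offers recursion
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(hdr):
    """Verdict for the reply to a query about a name the server does not serve."""
    if not hdr["id_ok"] or not hdr["qr"]:
        return "IGNORED: not a reply to our query"
    rcode = RCODES.get(hdr["rcode"], str(hdr["rcode"]))
    if hdr["ra"]:
        return (f"OPEN: server offers recursion (RA set, RCODE {rcode}, "
                f"{hdr['ancount']} answers)")
    if hdr["rcode"] == 5:
        return "CLOSED: recursion refused"
    return f"CLOSED: RA clear, RCODE {rcode}"


def probe(server, name="www.example.com.", timeout=3.0):
    """Send one UDP query to `server` and classify the reply (needs network access)."""
    qid = int.from_bytes(os.urandom(2), "big")  # unpredictable id, as real resolvers use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "NO REPLY: timed out (filtered, down, or rate limited)"
    return classify(parse_header(data, qid))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder address
    print(target, "->", probe(target))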

 

Before restarting, check the files: named-checkconf /etc/bind/named.conf reports syntax errors in the configuration, and named-checkzone yoursite.com /etc/bind/yoursite.com.hosts loads the zone file and prints "OK" when it is valid. Then restart the server so the new zone is loaded:

/etc/init.d/bind9 restart

 

You can test your bind server with dig, asking the server directly by address instead of your normal resolver:

dig @ip yoursite.com

The answer section should show the A record from your zone file, and the SERIAL in a query for the SOA (dig @ip yoursite.com SOA) should match what you put in the file. Also query a name you are not authoritative for, such as dig @ip www.example.com: with the security settings above the status must be REFUSED and the flags line must not contain "ra"; if it does, the server is still an open resolver.

 

created 26/08/2014
