Installing An Ubuntu Hardy 8.04 LTS DNS Server With BIND - Page 4

Want to support HowtoForge? Become a subscriber!
Submitted by msghaleb (Contact Author) (Forums) on Tue, 2008-06-03 11:44. ::

10 Install the DNS Server


apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":

vi /etc/default/syslogd

# Top configuration file for syslogd

# Full documentation of possible arguments are found in the manpage
# syslogd(8).

# For remote UDP logging use SYSLOGD="-r"
SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start


11 Configure BIND

Now the main configuration file in BIND is named.conf, however named.conf.local is already included in named.conf and its there for customized configuration, so we will edit named.conf.local and we will add our zones, here I added a zone camed tm.local as well as a reverse zone for

vi /etc/bind/named.conf.local

zone "tm.local" {
        type master;
        file "/etc/bind/zones/tm.local.db";

zone "" {
     type master;
     file "/etc/bind/zones/";

Please note that if you want to add a comment in named.conf or named.conf.local use //, also you can see above the zone file for tm.local is called tm.local.db and is located in /etc/bind/zone, the most important thing that the zone file uses as the prefix for a comment and not //, as I saw confusions in a lot of forums so I thought to add it here - (same for the reverse zone).


12 Configure the Zones

We will start with the zone tm.local

mkdir /etc/bind/zones

vi /etc/bind/zones/tm.local.db

$TTL 1500
@  IN SOA root (
                             2007062703        ;serial
                             28800             ;refresh
                             3600              ;retry
                             604800            ;expire
                             38400 )           ;minimum 25 minutes
tm.local.      IN      NS
server1        IN      A
webserver1     IN      A
webserver2     IN      A
loadb1         IN      A
loadb2         IN      A
tm.local.      IN      MX      10

Feel free to replace the above zone name (tm.local) or your dns server name (server1) as needed,  just note the DOT after the zone name.

Now let's go ahead with the reverse zone.

vi /etc/bind/zones/

$TTL 1500
@  IN SOA root (
                             2007062703        ;serial
                             28800             ;refresh
                             3600              ;retry
                             604800            ;expire
                             38400 )           ;minimum 25 minutes

                     IN    NS
100                  IN    PTR
103                  IN    PTR
104                  IN    PTR
101                  IN    PTR
102                  IN    PTR

Now configure the server to forward any requests to your ISP server so it case resolve external IPs.

vi /etc/bind/named.conf.options

Uncomment the forwarder section to look like this:

forwarders {
      # Replace the address below with the address of your ISP DNS server;


13 Configure the server to use itself as DNS

vi /etc/resolv.conf

search tm.local


14 References and Sources

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Bill Gallafent (not registered) on Mon, 2009-11-23 16:04.

When you add the reverse lookup zone for the local domain, surely this should have the same IP as the statement inside! You have:

zone "" {
type master;
file "/etc/bind/zones/";

Surely this should read:

zone "" {
type master;
file "/etc/bind/zones/";

 (or have I misunderstood something deep?)

Submitted by Lord Rybec (not registered) on Wed, 2009-04-29 20:33.
Actually, you do not have to enable the root account to get a root command line in Ubuntu.  If you would rather keep the extra little security a locked root account provides, just run 'sudo su' and put in your password.

Lord Rybec
Submitted by Aloa (not registered) on Tue, 2008-10-21 19:39.
how to is good .. but if i do update|upgrade before chrooted to /var/lib/named, after all modifications bind can't start .. tell permisions problem ..
Submitted by heath (not registered) on Wed, 2008-12-10 00:03.
After I did updates, appamor was enabled again.  After disabling it one more time, everything went as described.
Submitted by spauldingsmails (registered user) on Mon, 2008-06-16 02:24.

There is absolutely no reason to disable apparmor and the fact that this howto not only shows you how to disable it but actively encourages it is irresponsible.

Apparmor is much easier to configure than SELinux. With apparmor enabled you will not really need to chroot bind but if you would like to, you could use the default /var/lib/bind directory instead of chrooting in /var/lib/named or alternatively, you could edit /etc/apparmor.d/usr.sbin.named and change the path /var/lib/bind/** to /var/lib/named/**, then restart apparmor; /etc/init.d/apparmor restart.

Submitted by arturgajowy (registered user) on Sat, 2008-07-05 19:36.
Actually, there IS a reason to disable AppArmor:
If you don't do this, the whole procedure above simply DOESN'T WORK.
You just keep getting

rndc: connect failed: connection refused

error whenever you try to access your DNS server with rndc. [it also occurs when you use /etc/init.d/bind9 which - I suppose - uses rndc]

There should be a neater way to work this around - maybe some AppArmor settings?
Submitted by Jamie Strandboge (not registered) on Mon, 2009-12-28 17:02.
What you have described is (possibly) a reason to disable the bind9 profile, not all of apparmor. See my blog for details.
Submitted by Adam Sweet (not registered) on Tue, 2009-07-07 20:33.

To fix the remaining issue I needed to add an extra line to /etc/apparmor.d/usr-sbin-named:

 /var/lib/named/dev/random r,

 I think it's already in there in 9.04.