Install BIND9 on Debian 10 Buster

BIND (Berkeley Internet Name Domain) is an open-source DNS server widely used on Unix/Linux because of its stability and high quality. It was originally developed at UC Berkeley, and in 1994 its development moved to Internet Systems Consortium, Inc. (ISC).

Run the following command to install BIND 9 on Debian 10 Buster from the default repository. BIND 9 is the current version and BIND 10 is a dead project.

sudo apt update
sudo apt install bind9 bind9utils bind9-doc bind9-host

Check version information.

sudo named -v

Sample output:

BIND 9.11.5-P4-5.1-Debian (Extended Support Version) <id:998753c>

To check the version number and build options, run

sudo named -V


By default, BIND automatically starts after installation. You can check its status with:

systemctl status bind9

Hint: If the above command doesn’t quit immediately, press Q.

If it’s not running, then start it with:

sudo systemctl start bind9

And enable auto start at boot time:

sudo systemctl enable bind9

The BIND server will run as the bind user, which is created during installation, and listens on TCP and UDP port 53, as can be seen by running the following command:

sudo netstat -lnptu | grep named


Usually DNS queries are sent to UDP port 53. TCP port 53 is used when a response is larger than 512 bytes.

The BIND daemon is called named. (A daemon is a piece of software that runs in the background.) The named binary is installed by the bind9 package and there’s another important binary: rndc, the remote name daemon controller, which is installed by the bind9utils package. The rndc binary is used to reload/stop and control other aspects of the BIND daemon. Communication is done over TCP port 953.

For example, we can check the status of the BIND name server.

sudo rndc status


Configurations for a Local DNS Resolver

/etc/bind/ is the directory that contains configurations for BIND.

  • named.conf: the primary config file, which includes three other config files.
  • db.127: localhost IPv4 reverse mapping zone file.
  • db.local: localhost forward IPv4 and IPv6 mapping zone file.
  • db.empty: an empty zone file.

The bind9 package on Debian 10 doesn’t ship with a db.root file; it now uses the root hints file at /usr/share/dns/root.hints. The root hints file is used by DNS resolvers to find the root DNS servers. There are 13 groups of root DNS servers, from a.root-servers.net to m.root-servers.net.

Out of the box, the BIND9 server on Debian provides recursive service for localhost and local network clients only; outside queries are denied, so you don’t have to edit the configuration files. To get you familiar with BIND 9 configuration, I will show you how to enable the recursion service anyway.

The main BIND configuration file /etc/bind/named.conf sources the settings from 3 other files.

  • /etc/bind/named.conf.options
  • /etc/bind/named.conf.local
  • /etc/bind/named.conf.default-zones

To enable recursion service, edit the first file.

sudo nano /etc/bind/named.conf.options

In the options clause, add the following lines. Replace IP addresses in the allow-recursion statement with your own local network addresses.

 // hide version number from clients for security reasons.
 version "not currently available";

 // optional - BIND default behavior is recursion
 recursion yes;

 // provide recursion service to trusted clients only
 allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.10.10.0/24; };

 // enable the query log
 querylog yes;


Save and close the file. Then test the config file syntax.

sudo named-checkconf

If the test is successful (named-checkconf prints nothing), then restart BIND9.

sudo systemctl restart bind9

If you have a firewall running on the BIND server, then you need to open port 53 to allow LAN clients to send DNS queries. If you use UFW firewall, you can run the following command.

sudo ufw allow in from 192.168.0.0/24 to any port 53

This will open TCP and UDP port 53 to the private network 192.168.0.0/24. Then from another computer in the same LAN, we can run the following command to query the A record of google.com. Replace 192.168.0.102 with the IP address of your BIND resolver.

dig A google.com @192.168.0.102

Now on the BIND resolver, check the query log with the following command.

sudo journalctl -eu bind9

This will show the latest log messages of the bind9 service unit. I can find the following line in the log, which indicates that a DNS query for google.com’s A record has been received from port 57806 of IP address 192.168.0.103.

named[1162]: client @0x7f4d2406f0f0 192.168.0.103#57806 (google.com): query: google.com IN A +E(0)K (192.168.0.102)
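The query log lines above are easy to parse, which makes them useful for a quick audit of who is using the resolver. The following Python script is an added example, not part of the original tutorial: it parses query log lines in the format shown above, checks each client address against the allow-recursion networks from named.conf.options, and reports clients outside those networks together with a per-client query count. The log lines embedded in it are constructed samples.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the format BIND 9.11 writes when querylog is on
SAMPLE_LOG = """\
named[1162]: client @0x7f4d2406f0f0 192.168.0.103#57806 (google.com): query: google.com IN A +E(0)K (192.168.0.102)
named[1162]: client @0x7f4d2406f1a0 10.10.10.25#41022 (example.org): query: example.org IN AAAA +E(0)K (192.168.0.102)
named[1162]: client @0x7f4d2406f2b0 203.0.113.9#53712 (example.net): query: example.net IN MX +E(0)K (192.168.0.102)
named[1162]: running
"""

# Networks from the allow-recursion statement in named.conf.options
ALLOW_RECURSION = [ipaddress.ip_network(n)
                   for n in ("127.0.0.1/32", "192.168.0.0/24", "10.10.10.0/24")]

# client <addr>#<port> (<qname>): query: <name> <class> <type> <flags> (<local addr>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]*)\)"
)


def parse_query_line(line):
    """Return a dict describing one query log line, or None for other lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "name": m.group("name"), "qtype": m.group("qtype"),
            "flags": m.group("flags"), "server": m.group("server")}


def is_trusted(ip):
    """True if the client address lies inside one of the allow-recursion networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_RECURSION)


def audit(log_text):
    """Parse a journal excerpt; return (all queries, queries from untrusted clients, per-client counts)."""
    parsed = [q for q in (parse_query_line(l) for l in log_text.splitlines()) if q]
    untrusted = [q for q in parsed if not is_trusted(q["ip"])]
    per_client = Counter(q["ip"] for q in parsed)
    return parsed, untrusted, per_client


if __name__ == "__main__":
    queries, outside, counts = audit(SAMPLE_LOG)
    print("queries per client:", dict(counts))
    for q in outside:
        print("outside allow-recursion:", q["ip"], q["name"], q["qtype"])
```

To run it against the real log, feed it the output of `sudo journalctl -u bind9 --no-pager` instead of SAMPLE_LOG.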

Setting the Default DNS Resolver on Debian 10 Buster Server

On the BIND server, we need to set 127.0.0.1 as the default DNS resolver. You can check the current DNS resolver on Debian 10 with the following command.

cat /etc/resolv.conf

Sample output:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#      DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 2001:19f0:300:1704::6
nameserver 108.61.10.10

The bind9 package on Debian 10 ships with a Systemd service unit, bind9-resolvconf.service, which sets BIND as the default DNS resolver on the Debian server. This service is disabled by default, so we need to start it and enable auto-start at boot time.

sudo systemctl start bind9-resolvconf

sudo systemctl enable bind9-resolvconf

You can now check the content of /etc/resolv.conf again. As you can see, 127.0.0.1 (BIND) is now the default DNS resolver on Debian 10 Buster.


thx. https://www.linuxbabe.com/debian/dns-resolver-debian-10-buster-bind9