Setup BIND9 DNS Server on Debian 10 in an internal network
When running different systems on your internal network (e.g. as services on your homelab) it would be nice not to have to memorize the IP addresses of all the servers.
You can achieve this by either using the given DNS functionality of your router (e.g. on a tomato router firmware) or by setting up an internal DNS server yourself using the BIND9 DNS server.
Let's see how to quickly do it on Debian 10!
Prerequisite
Installing the BIND9 DNS server
sudo apt-get update
sudo apt-get install bind9 bind9utils
Now that you have installed the BIND9 server you can configure it in different ways to provide useful services inside your network. For example, you could use it in the following ways:
1. Using BIND9 as an internal DNS resolver
The BIND9 server can provide recursive DNS resolution and thus can be used for resolving and caching all DNS requests from your internal network clients.
To use BIND9 in this way we mostly keep the default settings of BIND9 and only define the upstream DNS server to which all queries are forwarded.
// /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        forwarders { // upstream DNS server that all queries are forwarded to
                9.9.9.9;
        };
        // listen on all interfaces of the BIND9 server; on a host that also has a
        // public interface, list the internal interface address here instead
        listen-on { any; };
};
/etc/init.d/bind9 restart
nslookup www.google.com localhost
Server: localhost
Address: ::1#53
Non-authoritative answer:
Name: www.google.com
Address: 216.58.207.68
Name: www.google.com
Address: 2a00:1450:4001:821::2004
Let's assume you'll use the internal domain foo.local for naming all your internal systems. To get the BIND9 server to resolve this domain for you, you need to define this domain in the BIND9 config file:
// /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        forwarders { // upstream DNS server that all queries are forwarded to
                9.9.9.9;
        };
        listen-on { any; }; // listen on all interfaces of the BIND9 server
};
zone "foo.local" { // define a master (authoritative) zone for the domain "foo.local"
        type master;
        file "/etc/bind/db.foo.local"; // location of the zone file
        allow-transfer { none; }; // do not hand out the zone to other servers
};
; /etc/bind/db.foo.local
$TTL 604800
@ IN SOA dns1.foo.local. webmaster.foo.local. (
        4         ; Serial (increase it after every change to this file)
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
; name the BIND9 DNS server
@ IN NS dns1.foo.local.
dns1 IN A 192.168.2.141
; also list the other internal hosts
router IN A 192.168.2.1
nas IN A 192.168.2.20
/etc/init.d/bind9 restart
… and check if the local DNS resolution for the domain foo.local works:
root@dns1:~# nslookup nas.foo.local localhost
Server: localhost
Address: ::1#53
Name: nas.foo.local
Address: 192.168.2.20
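Before restarting BIND after editing the zone file it is worth checking it mechanically (BIND's own named-checkzone from bind9utils does this too). As an added example that is not part of the article, the following Python parser reads the zone-file subset used above (the embedded zone text is a constructed copy of the article's db.foo.local, minus the router entry) and runs a small lint pass: it flags an in-zone NS host that has no A record and A records that point outside private address ranges, which would be unexpected in an internal-only zone.

```python
import ipaddress
import re
ORIGIN = "foo.local."
# Constructed copy of the article's zone file (/etc/bind/db.foo.local), minus 'router'.
ZONE_TEXT = """$TTL 604800
@ IN SOA dns1.foo.local. webmaster.foo.local. (
        4 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
@ IN NS dns1.foo.local.
dns1 IN A 192.168.2.141
nas IN A 192.168.2.20"""

def _fqdn(name, origin):  # expand '@' and relative names against the zone origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Parse the subset used above ($TTL, ';' comments, parenthesised SOA, 'owner IN TYPE rdata')."""
    lines = [re.sub(r";.*", "", ln).strip() for ln in text.splitlines()]
    logical, buf = [], []
    for ln in filter(None, lines):
        buf.append(ln)  # keep collecting lines until '(' and ')' balance
        if sum(x.count("(") - x.count(")") for x in buf) == 0:
            logical.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    default_ttl, soa, records = None, None, []
    for tok in (ln.split() for ln in logical):
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
        elif tok[2] == "SOA":
            keys = ["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"]
            soa = dict(zip(keys, tok[3:5] + [int(v) for v in tok[5:10]]))
        else:  # owners and NS targets are stored fully qualified
            rdata = _fqdn(tok[3], origin) if tok[2] == "NS" else tok[3]
            records.append((_fqdn(tok[0], origin), tok[2], rdata))
    return default_ttl, soa, records

def lint_zone(default_ttl, soa, records, origin=ORIGIN):
    """Flag missing $TTL/SOA, an in-zone NS host without an A record, and non-private A records."""
    if default_ttl is None or soa is None:
        return ["missing $TTL or SOA record"]
    a_names, issues = {o for o, t, _ in records if t == "A"}, []
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata.endswith(origin) and rdata not in a_names:
            issues.append(f"NS {rdata} has no A record in the zone")
        elif rtype == "A" and not ipaddress.ip_address(rdata).is_private:
            issues.append(f"{owner} -> {rdata} is not a private address")
    return issues
```

Running lint_zone(*parse_zone(ZONE_TEXT)) on the article's zone returns an empty list; pointing the NS record at a host that has no A record reports a lame delegation.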
Conclusion
In this article we have set up a BIND9 DNS server as an internal DNS resolver and as the authoritative DNS server for an internal domain.