ISC Bind
Latest revision as of 02:16, 2 May 2026
Summary
ISC BIND (Berkeley Internet Name Domain) is one of the most widely used Domain Name System (DNS) server software packages. It is developed and maintained by the Internet Systems Consortium (ISC) and provides authoritative DNS services for mapping domain names to IP addresses and vice versa. BIND is used by many organizations, from small businesses to large-scale service providers, to implement DNS resolution and zone management.
Configuration
Check Config
No output is good output ;)
named-checkconf /etc/named.conf
Zones
Reload All Zones From Config
rndc reload
Reload A Specific Zone
rndc reload [zonename]
Check A Zone's Status
rndc zonestatus [zonename]
Remove A Zone From Service
(just unloads zone from memory; doesn't delete the zone from config)
rndc delzone [zonename]
Add A Zone
(zone must have been loaded from config already)
rndc addzone [zonename]
Cache
Flush cache of a domain and all its subdomains
rndc flushtree name [view]
Example:
rndc flushtree website-to-flush.com internal
Flush cache of a domain
rndc flushname name [view]
Example:
rndc flushname website-to-flush.com internal
Backup
A simple tar command to back up named config, while preserving permissions and SELinux contexts.
sudo tar -czvpf /root/named-backup-$(date +%Y%m%d%H%M%S).tar.gz -C /var named
Windows AD Dynamic Updates
Use these configuration snippets to let BIND accept dynamic updates from Windows AD domain controllers.
ACL
This makes the later config easier if you have more than one domain controller.
acl "DOMAIN-CONTROLLERS" {
10.144.30.101; // DC1-dave
10.144.35.2; // DC2-dave
10.150.30.5; // DC-jim
};
Zone Declarations
Master Config
zone "_msdcs.lambnet.us" IN {
type master;
file "dynamic/_msdcs.lambnet.us";
allow-update { DOMAIN-CONTROLLERS; };
};
zone "_sites.lambnet.us" IN {
type master;
file "dynamic/_sites.lambnet.us";
allow-update { DOMAIN-CONTROLLERS; };
};
zone "_tcp.lambnet.us" IN {
type master;
file "dynamic/_tcp.lambnet.us";
allow-update { DOMAIN-CONTROLLERS; };
};
zone "_udp.lambnet.us" IN {
type master;
file "dynamic/_udp.lambnet.us";
allow-update { DOMAIN-CONTROLLERS; };
};
Slave Config
zone "_msdcs.lambnet.us" IN {
type slave;
masters { 10.144.30.4; };
file "dynamic/_msdcs.lambnet.us";
allow-update-forwarding { DOMAIN-CONTROLLERS; };
};
zone "_sites.lambnet.us" IN {
type slave;
masters { 10.144.30.4; };
file "dynamic/_sites.lambnet.us";
allow-update-forwarding { DOMAIN-CONTROLLERS; };
};
zone "_tcp.lambnet.us" IN {
type slave;
masters { 10.144.30.4; };
file "dynamic/_tcp.lambnet.us";
allow-update-forwarding { DOMAIN-CONTROLLERS; };
};
zone "_udp.lambnet.us" IN {
type slave;
masters { 10.144.30.4; };
file "dynamic/_udp.lambnet.us";
allow-update-forwarding { DOMAIN-CONTROLLERS; };
};
List of DNS records
This file contains a list of DNS records that the DC will attempt to register when the Netlogon service starts.
get-content C:\Windows\System32\Config\netlogon.dns
Logging
channel update-log {
file "/var/log/named/named.update" versions 5 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category update { update-log; };
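As an added example (not from the original page), a small Python checker that reads lines in the named.update format written by the channel above and flags dynamic updates whose source address is not in the DOMAIN-CONTROLLERS acl. The acl addresses are copied from the ACL section; the log lines are constructed to match BIND's update-category messages (the @0x client pointer and the optional /key suffix are handled), and the regex is an assumption you should check against your own named.update.

```python
import ipaddress
import re

# Trusted update sources, mirroring the DOMAIN-CONTROLLERS acl in named.conf.
DOMAIN_CONTROLLERS = [ipaddress.ip_network(a) for a in (
    "10.144.30.101", "10.144.35.2", "10.150.30.5")]

# One update-category message per dynamic update, with print-time,
# print-category and print-severity enabled as in the channel above.
UPDATE_RE = re.compile(
    r"^(?P<time>\S+ \S+) update: (?P<sev>\w+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?:/key (?P<key>\S+))?: "
    r"updating zone '(?P<zone>[^/']+)/IN': (?P<action>.+)$")

# Constructed sample of named.update (not real traffic).
SAMPLE_LOG = """\
02-May-2026 02:10:11.101 update: info: client @0x7f1c2c0 10.144.30.101#49152: updating zone '_msdcs.lambnet.us/IN': adding an RR at '_ldap._tcp.dc._msdcs.lambnet.us' SRV 0 100 389 dc1-dave.lambnet.us.
02-May-2026 02:10:12.204 update: info: client @0x7f1c2c0 10.144.35.2#49153: updating zone '_tcp.lambnet.us/IN': deleting rrset at '_kerberos._tcp.lambnet.us' SRV
02-May-2026 02:11:03.555 update: info: client @0x7f1c3d0 10.144.99.9#51000: updating zone '_sites.lambnet.us/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.lambnet.us' SRV 0 100 389 rogue.lambnet.us.
02-May-2026 02:11:04.000 general: info: zone _msdcs.lambnet.us/IN: sending notifies (serial 2026050201)
"""

def parse_update_lines(text):
    """Yield one dict per update-category line; other categories are skipped."""
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            yield m.groupdict()

def is_domain_controller(ip):
    """True if ip falls inside the acl."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DOMAIN_CONTROLLERS)

def find_untrusted_updates(text):
    """Return (time, ip, zone, action) for updates not sent by a listed DC.
    With allow-update limited to the acl these should never reach the
    master; one showing up means the acl or update forwarding needs a look."""
    return [(u["time"], u["ip"], u["zone"], u["action"])
            for u in parse_update_lines(text)
            if not is_domain_controller(u["ip"])]

if __name__ == "__main__":
    for hit in find_untrusted_updates(SAMPLE_LOG):
        print("untrusted update:", *hit)
```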
Sanity Checks
Good to do this periodically to validate all your DCs are registered in DNS:
dig _ldap._tcp.lambnet.us SRV
dig _kerberos._tcp.lambnet.us SRV
dig _ldap._tcp.dc._msdcs.lambnet.us SRV
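Added example, not part of the original page, covering the netlogon.dns file and the dig checks above: a Python script that parses the SRV lines of netlogon.dns and the answer section that `dig +noall +answer <name> SRV` prints, and reports which of the DC's registrations BIND is not serving. Both inputs are constructed excerpts embedded as strings; in use you would read them from the DC's file and from one dig per owner name.

```python
# Constructed excerpt in the netlogon.dns format (not a real DC's file).
NETLOGON_DNS = """\
lambnet.us. 600 IN A 10.144.30.101
_ldap._tcp.lambnet.us. 600 IN SRV 0 100 389 dc1-dave.lambnet.us.
_kerberos._tcp.lambnet.us. 600 IN SRV 0 100 88 dc1-dave.lambnet.us.
_ldap._tcp.dc._msdcs.lambnet.us. 600 IN SRV 0 100 389 dc1-dave.lambnet.us.
_ldap._tcp.Default-First-Site-Name._sites.lambnet.us. 600 IN SRV 0 100 389 dc1-dave.lambnet.us.
"""

# Constructed answer-section lines as `dig +noall +answer <name> SRV`
# prints them, concatenated from one dig per owner name.
DIG_ANSWERS = """\
_ldap._tcp.lambnet.us.\t600\tIN\tSRV\t0 100 389 dc1-dave.lambnet.us.
_ldap._tcp.lambnet.us.\t600\tIN\tSRV\t0 100 389 dc2-dave.lambnet.us.
_kerberos._tcp.lambnet.us.\t600\tIN\tSRV\t10 100 88 dc1-dave.lambnet.us.
"""

def parse_srv_records(text):
    """Zone-file style lines -> {(owner, target): (prio, weight, port)}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue  # A/AAAA/CNAME lines and blanks are not checked here
        owner, target = fields[0].lower(), fields[7].lower()
        records[(owner, target)] = tuple(int(f) for f in fields[4:7])
    return records

def dig_commands(expected):
    """The dig SRV checks to run, one per distinct owner name."""
    return sorted({f"dig {owner} SRV" for owner, _ in expected})

def missing_registrations(expected, observed):
    """SRV records the DC wants to register that BIND is not serving."""
    return sorted(k for k in expected if k not in observed)

def mismatched_registrations(expected, observed):
    """Records on both sides whose priority/weight/port differ."""
    return sorted(k for k in expected if k in observed and expected[k] != observed[k])

if __name__ == "__main__":
    want = parse_srv_records(NETLOGON_DNS)
    have = parse_srv_records(DIG_ANSWERS)
    print("\n".join(dig_commands(want)))
    for owner, target in missing_registrations(want, have):
        print(f"missing: {owner} -> {target}")
    for owner, target in mismatched_registrations(want, have):
        print(f"mismatch: {owner} -> {target}")
```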
Statistics Monitoring
Enable Statistics Monitoring
Add this to named.conf:
statistics-channels {
inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
Then rndc reconfig.
Note: if you're using SELinux, you might need this:
sudo semanage port -a -t dns_port_t -p tcp 8053
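Added example (not from the page): a Python poller for the JSON view that the statistics channel configured above serves at /json/v1/server. The counter names under nsstats are BIND's own (Requestv4, QrySERVFAIL, UpdateRej, ...), the sample snapshot is constructed, and the alert thresholds are assumptions to tune locally.

```python
import json
import urllib.request

STATS_URL = "http://127.0.0.1:8053/json/v1/server"  # channel from named.conf
# Constructed snapshot with the nsstats counters used below; a real
# response carries many more sections (opcodes, qtypes, zonestats, ...).
SAMPLE_STATS = {
    "json-stats-version": "1.2",
    "nsstats": {"Requestv4": 120000, "Requestv6": 3000, "Response": 122500,
                "QrySERVFAIL": 150, "QryNXDOMAIN": 9000, "RecQryRej": 40,
                "UpdateDone": 210, "UpdateRej": 7, "UpdateFail": 2},
}
def fetch_stats(url=STATS_URL, timeout=5):
    """Read the live JSON document from the statistics channel."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def summarise(stats):
    """Reduce one snapshot to the counters worth alerting on."""
    ns = stats.get("nsstats", {})
    requests = ns.get("Requestv4", 0) + ns.get("Requestv6", 0)
    def ratio(key):
        return ns.get(key, 0) / requests if requests else 0.0
    return {
        "requests": requests,
        "servfail_ratio": ratio("QrySERVFAIL"),
        "nxdomain_ratio": ratio("QryNXDOMAIN"),
        "recursion_rejected": ns.get("RecQryRej", 0),
        "updates_done": ns.get("UpdateDone", 0),
        "updates_rejected": ns.get("UpdateRej", 0) + ns.get("UpdateFail", 0),
    }

def delta(prev, curr):
    """Change between two summaries. Counters only grow while named runs,
    so a negative value means the daemon restarted between polls."""
    keys = ("requests", "recursion_rejected", "updates_done", "updates_rejected")
    return {k: curr[k] - prev[k] for k in keys}

def check(summary, servfail_max=0.01, update_rej_max=0):
    """Warnings for one snapshot; thresholds are assumptions to tune."""
    warnings = []
    if summary["servfail_ratio"] > servfail_max:
        warnings.append(f"SERVFAIL ratio {summary['servfail_ratio']:.2%} above {servfail_max:.0%}")
    if summary["updates_rejected"] > update_rej_max:
        warnings.append(f"{summary['updates_rejected']} dynamic updates rejected or failed")
    return warnings

if __name__ == "__main__":
    print(check(summarise(fetch_stats())) or ["ok"])
```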