{"id":78519,"date":"2025-09-28T23:47:40","date_gmt":"2025-09-28T23:47:40","guid":{"rendered":"http:\/\/bangla.sitestree.com\/?p=78519"},"modified":"2025-09-28T23:47:41","modified_gmt":"2025-09-28T23:47:41","slug":"step-by-step-dns-server-installation-in-ubuntu-in-a-fresh-vm","status":"publish","type":"post","link":"http:\/\/bangla.sitestree.com\/?p=78519","title":{"rendered":"Step by step DNS Server installation in ubuntu in a fresh VM"},"content":{"rendered":"\n

“Nice \u2014 below is a complete, step-by-step, blog-ready guide<\/strong> to install and configure a simple authoritative + optional recursive BIND9 DNS server<\/strong> on a fresh Ubuntu VM. It\u2019s copyright-free and ready to paste into your notes or blog.<\/p>\n\n\n\n

\n

Notes before you begin
\u2022 This guide assumes Ubuntu 22.04 \/ 24.04 (netplan-based).
\u2022 Replace example.test<\/code> and IPs with your real domain and network. (.test<\/code> is safe for labs.)
\u2022 Use sudo<\/code> for commands or run as root.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

1 \u2014 Prepare the VM & network<\/h1>\n\n\n\n
    \n
  1. Update packages:<\/li>\n<\/ol>\n\n\n\n
    sudo apt update && sudo apt upgrade -y\n<\/code><\/pre>\n\n\n\n
      \n
    1. (Optional but recommended) Give the VM a stable IP. Find your interface name:<\/li>\n<\/ol>\n\n\n\n
      ip addr show\n<\/code><\/pre>\n\n\n\n
      Create a netplan file \/etc\/netplan\/01-netcfg.yaml<\/code> (example for static IP 192.168.56.10\/24<\/code>):<\/p>\n\n\n\n
      network:\n  version: 2\n  renderer: networkd\n  ethernets:\n    ens33:\n      dhcp4: no\n      addresses: [192.168.56.10\/24]\n      gateway4: 192.168.56.1\n      nameservers:\n        addresses: [8.8.8.8,1.1.1.1]\n<\/code><\/pre>\n\n\n\n
      Apply it:<\/p>\n\n\n\n
      sudo netplan apply\n<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      2 \u2014 Install BIND9<\/h1>\n\n\n\n
      sudo apt install bind9 bind9utils bind9-doc dnsutils -y\n<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      3 \u2014 Basic BIND options<\/h1>\n\n\n\n
      Edit \/etc\/bind\/named.conf.options<\/code>. Minimal example (authoritative + allow recursion to localnets):<\/p>\n\n\n\n
      sudo nano \/etc\/bind\/named.conf.options\n<\/code><\/pre>\n\n\n\n
      Inside:<\/p>\n\n\n\n
      options {\n    directory \"\/var\/cache\/bind\";\n    recursion yes;                 # set to no if this server MUST be authoritative-only\n    allow-recursion { localnets; 127.0.0.1; };\n    allow-query { any; };\n    forwarders { 8.8.8.8; 1.1.1.1; };  # for recursive queries; remove for pure-authoritative\n    dnssec-validation auto;\n    auth-nxdomain no;    # conform to RFC1035\n};\n<\/code><\/pre>\n\n\n\n
      Save and exit.<\/p>\n\n\n\n
      \n\n\n\n
      4 \u2014 Define your zones<\/h1>\n\n\n\n
      Edit \/etc\/bind\/named.conf.local<\/code> and add forward and reverse zones:<\/p>\n\n\n\n
      sudo nano \/etc\/bind\/named.conf.local\n<\/code><\/pre>\n\n\n\n
      Example:<\/p>\n\n\n\n
      zone \"example.test\" {\n    type master;\n    file \"\/etc\/bind\/db.example.test\";\n    allow-transfer { none; };   # restrict AXFRs; configure TSIG if you need slaves\n};\n\nzone \"56.168.192.in-addr.arpa\" {\n    type master;\n    file \"\/etc\/bind\/db.192.168.56\";\n    allow-transfer { none; };\n};\n<\/code><\/pre>\n\n\n\n
      \n
      Reverse zone name depends on your network (for 192.168.56.0\/24<\/code> reverse is 56.168.192.in-addr.arpa<\/code>).<\/p>\n<\/blockquote>\n\n\n\n
      \n\n\n\n
      5 \u2014 Create forward zone file<\/h1>\n\n\n\n
      Create \/etc\/bind\/db.example.test<\/code>:<\/p>\n\n\n\n
      sudo cp \/etc\/bind\/db.local \/etc\/bind\/db.example.test\nsudo nano \/etc\/bind\/db.example.test\n<\/code><\/pre>\n\n\n\n
      Example content (edit serial and IPs):<\/p>\n\n\n\n
      $TTL 604800\n@   IN  SOA ns1.example.test. admin.example.test. (\n        2025092801 ; serial (YYYYMMDDnn)\n        604800     ; refresh\n        86400      ; retry\n        2419200    ; expire\n        604800 )   ; negative cache TTL\n;\n@       IN  NS      ns1.example.test.\nns1     IN  A       192.168.56.10\nwww     IN  A       192.168.56.11\nmail    IN  A       192.168.56.12\n@       IN  MX 10   mail.example.test.\n<\/code><\/pre>\n\n\n\n
      Important:<\/strong> Always update the serial when changing the file (format YYYYMMDDnn<\/code> is convenient).<\/p>\n\n\n\n
      \n\n\n\n
      6 \u2014 Create reverse zone file<\/h1>\n\n\n\n
      Create \/etc\/bind\/db.192.168.56<\/code>:<\/p>\n\n\n\n
      sudo cp \/etc\/bind\/db.127 \/etc\/bind\/db.192.168.56\nsudo nano \/etc\/bind\/db.192.168.56\n<\/code><\/pre>\n\n\n\n
      Example:<\/p>\n\n\n\n
      $TTL 604800\n@   IN  SOA ns1.example.test. admin.example.test. (\n        2025092801 ; serial\n        604800\n        86400\n        2419200\n        604800 )\n;\n@       IN  NS  ns1.example.test.\n10      IN  PTR ns1.example.test.      ; 192.168.56.10 -> ns1\n11      IN  PTR www.example.test.      ; 192.168.56.11 -> www\n12      IN  PTR mail.example.test.     ; 192.168.56.12 -> mail\n<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      7 \u2014 Syntax check & load zones<\/h1>\n\n\n\n
      Check config & zones:<\/p>\n\n\n\n
      sudo named-checkconf                 # checks named.conf syntax\nsudo named-checkzone example.test \/etc\/bind\/db.example.test\nsudo named-checkzone 56.168.192.in-addr.arpa \/etc\/bind\/db.192.168.56\n<\/code><\/pre>\n\n\n\n
      Fix any errors the commands print.<\/p>\n\n\n\n
      Restart BIND:<\/p>\n\n\n\n
      sudo systemctl restart bind9\nsudo systemctl enable bind9\nsudo systemctl status bind9\n<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      8 \u2014 Firewall (allow DNS)<\/h1>\n\n\n\n
      Allow DNS ports (adjust to your security policy):<\/p>\n\n\n\n
      sudo ufw allow 53\/tcp\nsudo ufw allow 53\/udp\n# Or restrict to a management net:\n# sudo ufw allow from 192.168.56.0\/24 to any port 53 proto udp\n<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      9 \u2014 Test your DNS server<\/h1>\n\n\n\n
      From the server itself:<\/p>\n\n\n\n
      dig @127.0.0.1 example.test A +short    # should return 192.168.56.11 if configured\ndig @127.0.0.1 ns1.example.test A +short # should return 192.168.56.10\ndig -x 192.168.56.11 @127.0.0.1 +short   # reverse lookup -> www.example.test.\n<\/code><\/pre>\n\n\n\n
      From a remote machine (replace with server IP):<\/p>\n\n\n\n
      dig @192.168.56.10 www.example.test A +short\nnslookup www.example.test 192.168.56.10\n<\/code><\/pre>\n\n\n\n
      If you enabled recursion and forwarders, test recursive queries:<\/p>\n\n\n\n
      dig @192.168.56.10 www.google.com A +short\n<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      10 \u2014 Make it authoritative-only (optional)<\/h1>\n\n\n\n
      If you plan to host a public authoritative server and must not<\/strong> recursively resolve for the public, edit named.conf.options<\/code>:<\/p>\n\n\n\n
      recursion no;\nallow-query { any; };\nforwarders { };   # remove forwarders\n<\/code><\/pre>\n\n\n\n
      Restart BIND. Authoritative-only servers should never<\/strong> allow open recursion.<\/p>\n\n\n\n
      \n\n\n\n
      11 \u2014 Slave server configuration (optional)<\/h1>\n\n\n\n
      If you want a slave:
      In the slave \/etc\/bind\/named.conf.local<\/code>:<\/p>\n\n\n\n
      zone \"example.test\" {\n    type slave;\n    file \"\/var\/cache\/bind\/db.example.test\";\n    masters { 198.51.100.5; };   # master IP\n};\n<\/code><\/pre>\n\n\n\n
      On master, allow transfer to slave IP or use TSIG keys for secure zone transfers.<\/p>\n\n\n\n
      \n\n\n\n
      12 \u2014 Troubleshooting & logs<\/h1>\n\n\n\n