
BIND9 Local DNS Resolver

BIND (Berkeley Internet Name Domain) is open-source DNS server software widely used on Unix/Linux because of its stability and high quality. It was originally developed at UC Berkeley, and in 1994 its development moved to Internet Systems Consortium, Inc (ISC).

Installation

First we install the necessary packages:

sudo apt update && sudo apt install bind9 bind9utils bind9-doc bind9-host

Then we start and enable the service:

sudo systemctl start named && sudo systemctl enable named

The BIND server runs as the bind user and listens on TCP and UDP port 53, as can be seen with the following command:

sudo netstat -lnptu | grep named

Configuration

Now we edit the configuration file:

sudo nano /etc/bind/named.conf.options

Add the following inside the options clause:

// hide version number from clients for security reasons.
version "not currently available";

// optional - BIND default behavior is recursion
recursion yes;

// provide recursion service to trusted clients only
allow-recursion { 127.0.0.1; };

// enable the query log
querylog yes;

Add the following after the options clause to stop BIND from using IPv6 addresses for recursion (every IPv6 server is marked as bogus and never queried):

server ::/0 { bogus yes; };

After saving, check the config with:

sudo named-checkconf

No output means the configuration is valid. Restart the service:

sudo systemctl restart named

Ensure the firewall allows outgoing DNS requests (TCP and UDP port 53), since the resolver must reach the root and authoritative servers itself.

You can test the DNS server with:

dig A hillexplorer.com @127.0.0.1

The query log can then be viewed with:

sudo journalctl -eu named

Setting the default resolver

To set BIND as the default resolver:

sudo nano /etc/systemd/resolved.conf

In the [Resolve] section, set the following line:

DNS=127.0.0.1

Now restart the systemd-resolved service:

sudo systemctl restart systemd-resolved

To ensure that the system uses the correct DNS service, install the resolvconf package:

sudo apt install resolvconf

Start the named-resolvconf service:

sudo systemctl start named-resolvconf.service

And enable so it starts at boot:

sudo systemctl enable named-resolvconf.service

Setting the service to auto restart on failure

To do this, we create an override for the systemd service file. Create the following directory:

sudo mkdir -p /etc/systemd/system/named.service.d/

Then create a file within this directory:

sudo nano /etc/systemd/system/named.service.d/restart.conf

Add the following lines to the file then save:

[Service]
Restart=always
RestartSec=5s

Reload Systemd:

sudo systemctl daemon-reload

Creating a DNS firewall

We will use the URLhaus feed from abuse.ch, published as a BIND Response Policy Zone (RPZ), as our DNS blacklist.

First, let's grab the file and save it in the BIND config folder:

sudo wget -O /etc/bind/urlhaus.db https://urlhaus.abuse.ch/downloads/rpz/

and then give it the correct ownership so the bind user can read it:

sudo chown root:bind /etc/bind/urlhaus.db

We need to tell BIND to apply the zone as a response policy and then define the zone itself.

sudo nano /etc/bind/named.conf.options

Within the options section, add the following:

response-policy {
    zone "rpz-urlhaus";
};

And after the options section, we add a zone:

zone "rpz-urlhaus" {
    type master;
    file "/etc/bind/urlhaus.db";
};
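To see what the response-policy zone actually does with a query, here is an added example (not code from the original page or from ISC) that reads a small zone in RPZ trigger syntax and mimics BIND's QNAME matching. The sample zone text is constructed for illustration, not a copy of the URLhaus feed, and only QNAME triggers with the standard CNAME actions are modelled.

```python
# Added example: minimal parser for RPZ QNAME trigger rules plus a lookup
# that applies the same precedence BIND uses (exact name first, then the
# longest matching "*." wildcard). Sample zone below is constructed.
from typing import Dict, Optional, Tuple

SAMPLE_RPZ = """\
$TTL 300
@ SOA localhost. hostmaster.localhost. 1 3600 600 86400 300
@ NS localhost.
; constructed entries in RPZ trigger syntax
bad.example     CNAME .              ; NXDOMAIN for the exact name
*.bad.example   CNAME .              ; and for every subdomain
empty.example   CNAME *.             ; NODATA (name exists, no records)
ok.example      CNAME rpz-passthru.  ; explicit allow, skip later zones
"""

# RPZ encodes the policy action in the CNAME target.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def parse_rpz(text: str) -> Dict[str, str]:
    """Return {trigger_name: action}; directives, SOA and NS lines are skipped."""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop zone-file comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].upper() != "CNAME":
            continue                               # not a trigger we model
        name, target = fields[0].lower().rstrip("."), fields[2]
        rules[name] = ACTIONS.get(target, "LOCAL-DATA")
    return rules


def lookup(rules: Dict[str, str], qname: str) -> Optional[Tuple[str, str]]:
    """Return (matching trigger, action) for a queried name, or None if unfiltered."""
    q = qname.lower().rstrip(".")
    if q in rules:                                 # exact match always wins
        return q, rules[q]
    labels = q.split(".")
    for i in range(1, len(labels)):                # closest wildcard = longest match
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return wild, rules[wild]
    return None                                    # no policy: resolve normally
```

A None result means the resolver answers from the real DNS tree, exactly as it does for hillexplorer.com in the dig test above.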

Finally we create a little script to regularly update the blacklist file:

sudo nano /usr/local/sbin/urlhaus-updater.sh

Enter the following and save:

#!/bin/sh
# Fetch the latest URLhaus RPZ feed into a temporary file (name chosen here) so a
# failed download does not truncate the live zone, then install it and reload BIND.
wget -q -O /etc/bind/urlhaus.db.tmp https://urlhaus.abuse.ch/downloads/rpz/ || exit 1
mv /etc/bind/urlhaus.db.tmp /etc/bind/urlhaus.db
chown root:bind /etc/bind/urlhaus.db
rndc reload
exit 0

Make the script executable:

sudo chmod 700 /usr/local/sbin/urlhaus-updater.sh

Add a cron job so the blacklist updates every hour. Open the root crontab:

sudo crontab -e

and add this line (it runs the script at 18 minutes past every hour):

18 * * * * /usr/local/sbin/urlhaus-updater.sh > /dev/null 2>&1

Further Reading

https://kb.isc.org/docs/en/aa-01310