
This guide gives a no‑frills walk‑through for turning a Debian 11 machine into a working DNS server with BIND9. It starts by installing the official packages and enabling the bind9 service at boot, then shows how to create a simple zone file that defines an SOA record and wire it into named.conf.local. The next steps harden the daemon by restricting recursion to localhost or a LAN subnet while keeping public query access open, and give the commands for restarting BIND and verifying it with dig. Finally, it explains how to expose the server to the internet if desired, adjust firewall rules accordingly, and set up unattended security upgrades so your DNS stays patched without manual intervention.





Configuring BIND on Debian 11: A Quick‑Start Guide

If you’re running a Debian 11 box that needs to answer DNS queries, the most common way is to install and tune BIND (bind9). Below is a no‑frills walkthrough that gets your server listening on 53/UDP for the world, or just for your LAN if that’s what you want. We’ll cover the basics: installation, security hardening, and a couple of gotchas that I’ve seen in real deployments.

1. Install BIND9 from the official repositories
sudo apt update && sudo apt install bind9 bind9utils bind9-doc dnsutils -y

Why this matters: The Debian package is built with the distribution's security fixes backported, and it keeps receiving them through the Debian security repository. Compiling from source means you become responsible for tracking and applying every BIND advisory yourself, which is overkill unless you genuinely need a custom build.

2. Verify the service starts automatically
systemctl status bind9

You should see “active (running)”. If not, start it manually:

sudo systemctl start bind9
sudo systemctl enable bind9

Why this matters: BIND only answers on port 53 while the named daemon is running. Unless the unit is enabled in systemd, the next reboot will leave your DNS dead.

3. Set up a basic zone file

Create a directory for your zones and add an example:

sudo mkdir -p /etc/bind/zones
sudo tee /etc/bind/zones/example.com.db <<'EOF'
$TTL 1H
@   IN SOA ns1.example.com. admin.example.com. (
        2024021001 ; serial
        3600       ; refresh
        1800       ; retry
        604800     ; expire
        86400 )    ; minimum (negative-cache TTL)
; BIND refuses to load a zone that has no NS record at the apex, and an
; in-zone name server also needs its own address record.
@   IN NS  ns1.example.com.
ns1 IN A   192.0.2.1   ; documentation address; replace with your server's IP
EOF

Why this matters: The SOA record tells clients (and secondary servers) who the authoritative server is and how often they should check for updates. A missing or malformed zone file, or one without an apex NS record, will make BIND refuse to load the zone and it will not serve queries for it.

4. Wire your zone into named.conf.local
sudo tee -a /etc/bind/named.conf.local <<EOF
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";
};
EOF

Why this matters: named.conf.local is the file Debian reserves for your own zone definitions (the command above appends to it rather than replacing the package's copy). named.conf.options is maintained by the package and can be overwritten during upgrades, so keep zone definitions out of it.
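To tie steps 3 and 4 together, here is an added example script (not part of the original guide) that generates a zone file with a date-based serial, emits the matching named.conf.local stanza, and validates both with BIND's own named-checkzone and named-checkconf when they are installed. The zone name, the ns1/admin names and the 192.0.2.1 address are assumptions; it writes into a directory you pass so it can be dry-run before touching /etc/bind.

```shell
#!/bin/sh
# Added example: build a loadable zone file and its named.conf.local stanza,
# then run BIND's checkers on the result. Names and addresses are assumptions.
set -eu

# Build a YYYYMMDDnn serial from today's UTC date; $1 is the per-day revision.
zone_serial() {
    printf '%s%02d' "$(date -u +%Y%m%d)" "${1:-1}"
}

# Emit a zone file for $1 (zone), $2 (primary NS hostname), $3 (admin mailbox
# in DNS form), $4 (NS IPv4 address), $5 (serial). Unlike an SOA-only file,
# this includes the apex NS record and its glue A record, both of which BIND
# requires before it will load the zone. The NS is assumed to be in-zone, so
# its first label is used as the relative owner name of the A record.
make_zone() {
    zone=$1 ns=$2 admin=$3 ns_ip=$4 serial=$5
    cat <<EOF
\$TTL 1H
\$ORIGIN ${zone}.
@       IN SOA ${ns}. ${admin}. (
            ${serial} ; serial
            3600       ; refresh
            1800       ; retry
            604800     ; expire
            86400 )    ; negative-cache TTL
@       IN NS  ${ns}.
${ns%%.*}   IN A   ${ns_ip}
EOF
}

# Emit the named.conf.local stanza for zone $1 whose file lives at $2.
make_zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# Write both files under directory $1 for zone $2 and run BIND's checkers if
# they are available. Exit status is non-zero if either checker rejects the
# generated files; if the checkers are missing the files are still written.
write_and_check() {
    dir=$1 zone=$2
    serial=$(zone_serial 1)
    make_zone "$zone" "ns1.$zone" "admin.$zone" 192.0.2.1 "$serial" > "$dir/$zone.db"
    make_zone_stanza "$zone" "$dir/$zone.db" > "$dir/named.conf.local"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$dir/$zone.db"
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf.local"
    fi
}

# Usage (dry run into a scratch directory):
#   d=$(mktemp -d); write_and_check "$d" example.com; cat "$d/example.com.db"
```

Once the dry run passes, copy the generated .db file into /etc/bind/zones and append the stanza to /etc/bind/named.conf.local; bumping the revision argument of zone_serial on each edit keeps the serial increasing, which is what secondaries use to decide whether to transfer the zone.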

5. Harden your options: recursion and ACLs
sudo sed -i '/options {/a\
    allow-recursion { 127.0.0.1; };\
    allow-query     { any; };' /etc/bind/named.conf.options

Why this matters: By default Debian BIND allows recursion from anywhere, which turns your server into a rogue resolver for the world (and a potential source of abuse, for example as an amplifier in reflection attacks). The snippet above inserts two uncommented directives right after the opening of the options block: recursive queries are accepted from localhost only, while ordinary (authoritative) queries stay open to everyone. If the lines are inserted with a leading // they are comments and have no effect, so check the file after editing. Change 127.0.0.1 to your LAN subnet (for example 10.0.0.0/8) if internal hosts need recursion.
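Because a commented-out allow-recursion line looks right but does nothing, it helps to audit the effective configuration rather than eyeball it. The following added example (my own, not from the original guide) strips comments from a named.conf.options-style file and classifies its recursion exposure, reports the allow-query scope, and interprets a saved dig response for an out-of-zone name so the step 6/7 verification can be done from an external host. It is a heuristic text scan, not a full BIND config parser: it ignores /* */ comments, matches the first occurrence of each directive, and treats any ACL body containing "any" as open. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example: audit recursion/query exposure in a named.conf.options-style
# file and interpret a dig response. Heuristic text matching, not a parser.
set -eu

# Strip // and # comments, then flatten to one line so multi-line blocks can be
# matched with a single pattern.
flatten_conf() {
    sed -e 's|//.*||' -e 's/#.*//' "$1" | tr '\n' ' '
}

# Print the body (text between the braces) of the first occurrence of
# directive $1 in file $2, or nothing if the directive is absent.
# The pattern requires "{" right after the name, so allow-query does not
# match allow-query-cache or allow-query-on.
directive_body() {
    flatten_conf "$2" | grep -o "$1[[:space:]]*{[^}]*}" | head -n1 \
        | sed 's/^[^{]*{//; s/}$//'
}

# Classify recursion exposure of the options file $1:
#   recursion-off   "recursion no;" is set (authoritative-only server)
#   open-resolver   allow-recursion contains "any"
#   restricted      allow-recursion lists specific addresses/ACLs
#   unspecified     no effective allow-recursion; BIND's built-in default
#                   applies, so set it explicitly rather than rely on it
recursion_exposure() {
    conf=$1
    if flatten_conf "$conf" | grep -q 'recursion[[:space:]]*no[[:space:]]*;'; then
        echo recursion-off
        return
    fi
    body=$(directive_body allow-recursion "$conf")
    case "$body" in
        '')    echo unspecified ;;
        *any*) echo open-resolver ;;
        *)     echo restricted ;;
    esac
}

# Print the trimmed allow-query scope of $1 (e.g. "any"), or nothing.
query_scope() {
    directive_body allow-query "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*;*[[:space:]]*$//'
}

# Interpret a saved dig response ($1 = file) for a name this server is NOT
# authoritative for, as queried from outside the allowed recursion range:
#   recursion-denied  status REFUSED: the server would not recurse for us
#   recursed-open     NOERROR with answers: it recursed, i.e. open resolver
#   no-answer         NOERROR but empty: inconclusive, query a resolvable name
dig_verdict() {
    status=$(sed -n 's/.*status: \([A-Z]*\).*/\1/p' "$1" | head -n1)
    answers=$(sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' "$1" | head -n1)
    case "$status" in
        REFUSED) echo recursion-denied ;;
        NOERROR)
            if [ "${answers:-0}" -gt 0 ]; then echo recursed-open
            else echo no-answer; fi ;;
        *) echo "unknown(${status:-none})" ;;
    esac
}

# Usage on a real host:
#   recursion_exposure /etc/bind/named.conf.options
#   dig @203.0.113.10 example.org A > /tmp/dig.out; dig_verdict /tmp/dig.out
```

Run recursion_exposure before every restart; the expected result for the setup in this guide is "restricted" with query_scope "any". For the external check, query a name you are not authoritative for from a machine outside the allow-recursion range: REFUSED is the correct answer from a properly locked-down server.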

6. Restart BIND and test locally
sudo systemctl restart bind9
dig @localhost example.com +short

With +short, dig prints nothing here because the zone apex has no A or CNAME record yet. That is fine: a server that was down or refusing queries would instead print a ";; connection timed out" or "status: REFUSED" error, so an empty result confirms the daemon is up and answering for the zone.

Real scenario: I once had a Debian 11 host where dig @127.0.0.1 google.com returned “;; connection timed out”. The culprit was that recursion was disabled in named.conf.options. Once I added allow-recursion { 127.0.0.1; };, the queries started working again.

7. Expose your DNS to the world (optional)

If you’re running a public authoritative server, edit /etc/bind/named.conf.options:

sudo sed -i 's/allow-query { localhost; };/allow-query { any; };/' /etc/bind/named.conf.options

Why this matters: If allow-query is restricted to localhost, external clients will not get answers; this substitution only does something if such a line exists, so if you followed step 5 the options block already contains allow-query { any; }. Be sure your firewall allows inbound UDP and TCP on port 53 (TCP is needed for large responses and zone transfers).

8. Keep BIND up to date with unattended upgrades

Add the following to /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
};

Why this matters: BIND regularly receives security patches. Letting unattended-upgrades install them saves you from applying each update by hand; the package's post-install step restarts the named service, so no reboot is required. Make sure the unattended-upgrades package is installed and the periodic run is enabled (dpkg-reconfigure -plow unattended-upgrades sets this up), otherwise the origins list above is never acted on.

That’s it. With those steps, your Debian 11 machine should be a functioning DNS server that won’t accidentally turn into an open resolver or silently ignore zone files. Happy troubleshooting—and may your queries always resolve!