# Chapter 26: DNS Configuration and Troubleshooting

## Overview

DNS (Domain Name System) is critical infrastructure for all network services. This chapter covers BIND9 configuration, DNS troubleshooting, and advanced DNS concepts essential for Linux system administrators.
## 24.1 DNS Fundamentals

### DNS Query Types

```text
DNS Query Flow

   Client
     |
     v
+----------+
| Resolver |
+-----+----+
      |
      | Query
      v
+------------+
| TLD Server |  (.com, .org)
+-----+------+
      |
      | Response
      v
+---------------+
| Authoritative |  (example.com)
| Server        |
+-----+---------+
      |
      | Answer
      v
+----------+
|  Client  |
+----------+
```
### DNS Record Types

Zone-file syntax uses `;` for comments:

```
; A Record - IPv4 address
example.com.            IN A     192.0.2.1

; AAAA Record - IPv6 address
example.com.            IN AAAA  2001:db8::1

; CNAME - Canonical name (alias)
www.example.com.        IN CNAME example.com.

; MX Record - Mail exchange
example.com.            IN MX    10 mail.example.com.

; TXT Record - Text records (SPF, DKIM, DMARC)
example.com.            IN TXT   "v=spf1 mx -all"

; NS Record - Name server
example.com.            IN NS    ns1.example.com.

; SOA Record - Start of Authority
example.com.            IN SOA   ns1.example.com. admin.example.com. (
                                    2024022201 ; Serial
                                    3600       ; Refresh
                                    1800       ; Retry
                                    604800     ; Expire
                                    86400 )    ; Minimum TTL

; SRV Record - Service location
_http._tcp.example.com. IN SRV   10 5 80 www.example.com.

; PTR Record - Reverse DNS
1.2.0.192.in-addr.arpa. IN PTR   example.com.
```
## 24.2 BIND9 Installation and Configuration

### Installing BIND9

```bash
# Install BIND
sudo pacman -S bind

# Check version
named -v
named -V

# Enable and start
sudo systemctl enable --now named
```
### Basic Configuration

```
options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    // Allow queries
    allow-query { localhost; 192.168.0.0/16; 10.0.0.0/8; };

    // Recursion for internal clients
    allow-recursion { localhost; 192.168.0.0/16; };

    // Forwarders (use ISP or public DNS)
    forwarders { 8.8.8.8; 8.8.4.4; };

    // DNSSEC validation
    dnssec-validation auto;

    // Listen on
    listen-on { any; };

    // Port
    port 53;
};

// Logging is a top-level statement; named-checkconf rejects it inside options
logging {
    channel default_log {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default { default_log; };
};

// Include zone files
include "/etc/named.conf.local";
```
### Local Zones

```
// Forward zone
zone "example.com" {
    type master;
    file "/var/named/zones/db.example.com";
    allow-transfer { 192.168.1.0/24; };
};

// Reverse zone for 192.168.1.0/24
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/named/zones/db.192.168.1";
    allow-transfer { 192.168.1.0/24; };
};

// Local-only zone
// Note: named will not load a master zone from an empty file; the file
// needs at least an SOA and an NS record
zone "localdomain" {
    type master;
    file "/dev/null";
};
```
## 24.3 Zone Files

### Forward Zone File

```
$TTL 86400
@       IN SOA  ns1.example.com. admin.example.com. (
                2024022201 ; Serial (YYYYMMDDNN)
                3600       ; Refresh (1 hour)
                1800       ; Retry (30 minutes)
                604800     ; Expire (1 week)
                86400 )    ; Minimum TTL (1 day)

; Name servers
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.

; A records
@       IN A    192.0.2.1
ns1     IN A    192.0.2.10
ns2     IN A    192.0.2.11
www     IN A    192.0.2.1
mail    IN A    192.0.2.20
api     IN A    192.0.2.30

; CNAME records
blog    IN CNAME www
shop    IN CNAME www

; MX records (priority 10 and 20)
; mail2.example.com has no A record above; add one before relying on the backup MX
@       IN MX   10 mail.example.com.
@       IN MX   20 mail2.example.com.

; TXT records (SPF)
@       IN TXT  "v=spf1 mx -all"

; DMARC
_dmarc  IN TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

; DKIM
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQE..."
```
### Reverse Zone File

```
$TTL 86400
@       IN SOA  ns1.example.com. admin.example.com. (
                2024022201 ; Serial
                3600       ; Refresh
                1800       ; Retry
                604800     ; Expire
                86400 )    ; Minimum TTL

@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.

; PTR records (reverse)
; Owners are relative to the zone origin: "1" under 2.0.192.in-addr.arpa
; is 192.0.2.1, matching the A records in the forward zone
1       IN PTR  www.example.com.
10      IN PTR  ns1.example.com.
11      IN PTR  ns2.example.com.
20      IN PTR  mail.example.com.
30      IN PTR  api.example.com.
```
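As an added example that is not part of the original chapter: a small Python checker that parses zone files in the format above and reports consistency problems `named-checkzone` does not flag, such as NS/MX targets with no address record, A records with no PTR, and a serial outside the YYYYMMDDNN convention. The zone text is constructed from the records shown above, and the reverse zone origin is assumed to be `2.0.192.in-addr.arpa`, the /24 that holds those addresses.

```python
import re
# Zone data constructed from the records shown above; comments and the
# multi-line SOA are kept so the parser handles them the way named does
FWD_ORIGIN = "example.com."
FWD_ZONE = """\
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. ( 2024022201 ; Serial
    3600 1800 604800 86400 )
@ IN NS ns1.example.com.
@ IN A 192.0.2.1
ns1 IN A 192.0.2.10
www IN A 192.0.2.1
mail IN A 192.0.2.20
@ IN MX 10 mail.example.com.
@ IN MX 20 mail2.example.com.
"""
REV_ORIGIN = "2.0.192.in-addr.arpa."  # assumed: the /24 that holds the A records
REV_ZONE = """\
1 IN PTR www.example.com.
10 IN PTR ns1.example.com.
20 IN PTR mail.example.com.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata tokens) triples with owners made absolute."""
    body = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    out = []
    for tok in (line.split() for line in body.splitlines()):
        if tok and not tok[0].startswith("$"):  # skip blanks and $TTL/$ORIGIN
            name = origin if tok[0] == "@" else tok[0] if tok[0].endswith(".") else f"{tok[0]}.{origin}"
            out.append((name, tok[2], tok[3:]))
    return out

def lint(fwd, rev, fwd_origin, rev_origin):
    """Problems to fix before loading: bad serial, dangling NS/MX targets, missing PTRs."""
    f, problems = parse_zone(fwd, fwd_origin), []
    serial = next(rd[2] for _, t, rd in f if t == "SOA")
    if not re.fullmatch(r"20\d{6}\d{2}", serial):
        problems.append(f"SOA serial {serial} is not YYYYMMDDNN")
    a = {n: rd[0] for n, t, rd in f if t == "A"}
    for _, t, rd in f:  # in-zone NS and MX targets must have an address record
        if t in ("NS", "MX") and rd[-1].endswith(fwd_origin) and rd[-1] not in a:
            problems.append(f"{t} target {rd[-1]} has no A record")
    ptr = {".".join(reversed(n.rstrip(".").split(".")[:-2])): rd[0]  # 1.2.0.192.in-addr.arpa. -> 192.0.2.1
           for n, t, rd in parse_zone(rev, rev_origin) if t == "PTR"}
    for n, ip in a.items():  # mail filters and sshd reverse lookups expect a PTR
        if ip not in ptr:
            problems.append(f"{n} {ip} has no PTR record")
    return problems
```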
## 24.4 DNS Security

### DNSSEC Configuration

```bash
# Generate keys for zone: a ZSK, then a KSK
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK example.com

# Sign zone with NSEC3; the -3 salt must be hex, so restrict the characters to a-f0-9
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | tr -dc 'a-f0-9' | head -c 16) \
    -o example.com -t db.example.com
```

```
// Enable in named.conf. Either serve the signed file produced above ...
zone "example.com" {
    type master;
    file "db.example.com.signed";
};

// ... or let named sign and maintain the keys itself (BIND 9.16+): point at
// the unsigned file and use dnssec-policy (auto-dnssec is deprecated).
// Use one form or the other, not both.
zone "example.com" {
    type master;
    file "db.example.com";
    dnssec-policy default;
    inline-signing yes;
};
```

```bash
# Verify DNSSEC: answers carry RRSIG records and the AD flag is set
# (dig +sigchase is no longer available in current BIND releases)
dig +dnssec example.com @localhost
delv @localhost example.com
```
### Access Control

```
// Define the ACL before referencing it
acl trusted-networks { localhost; 192.168.0.0/16; 10.0.0.0/8; };

options {
    // Allow zone transfer
    allow-transfer { 192.168.1.0/24; };

    // Allow queries
    allow-query { trusted-networks; };

    // Rate limiting (Response Rate Limiting, RRL)
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```
## 24.5 DNS Troubleshooting

### Common Commands

```bash
# Query DNS
dig example.com
dig example.com A
dig example.com MX
dig example.com TXT
dig -x 192.0.2.1          # Reverse lookup

# Query specific server
dig @8.8.8.8 example.com

# Trace DNS path
dig +trace example.com

# Short output
dig +short example.com

# DNS zone transfer (only answered for addresses listed in allow-transfer)
dig axfr example.com @ns1.example.com

# Using nslookup
nslookup example.com
nslookup -type=mx example.com
nslookup -query=ANY example.com

# Using host
host example.com
host -t mx example.com
host -r example.com       # Non-recursive query (-r disables recursion; it does not shorten output)
```
### Debugging Issues

```bash
# Check named configuration
named-checkconf
named-checkconf /etc/named.conf

# Check zone file
named-checkzone example.com /var/named/zones/db.example.com

# Test with dig
dig @localhost example.com

# Check logs
journalctl -u named -f
tail -f /var/log/named/default.log

# DNS cache flush
# systemd-resolved (resolvectl replaces the older systemd-resolve command)
sudo resolvectl flush-caches

# nscd
sudo nscd -i hosts

# BIND
sudo rndc flush
```
### Common DNS Issues

1. Zone not loading: check the syntax with `named-checkzone` and check file permissions on the zone file.
2. Recursive queries failing: check `allow-recursion`.
3. Zone transfer blocked: check `allow-transfer`.
4. TTL issues: check the SOA record and lower the TTL before a migration.
5. Cached negative responses: check the negative-cache TTL (the SOA minimum field).
6. Firewall blocking port 53: allow both UDP and TCP, for example
   `iptables -A INPUT -p udp --dport 53 -j ACCEPT` and `iptables -A INPUT -p tcp --dport 53 -j ACCEPT`.
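Added example, not part of the chapter: a Python triage over named log lines that counts denied zone transfers (issue 3, `allow-transfer`) and denied recursive queries (issue 2, `allow-recursion`) per client, so the log check above turns into something you can act on. The log lines are constructed in the layout the logging channel above produces (time and category prefixed) and are not real output; the regex, event names and threshold are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed named log lines in the layout the logging channel above produces
# (print-time and print-category on); these are not real log output
SAMPLE_LOG = """\
22-Feb-2024 10:15:01.123 security: client @0x7f3c8c01a2b0 203.0.113.9#51234 (example.com): zone transfer 'example.com/AXFR/IN' denied
22-Feb-2024 10:15:01.456 security: client @0x7f3c8c01a2b0 203.0.113.9#51240 (example.com): zone transfer 'example.com/AXFR/IN' denied
22-Feb-2024 10:15:02.001 security: client @0x7f3c8c01a2b0 198.51.100.7#40001 (google.com): query (cache) 'google.com/A/IN' denied
22-Feb-2024 10:15:02.002 security: client @0x7f3c8c01a2b0 198.51.100.7#40002 (google.com): query (cache) 'google.com/AAAA/IN' denied
22-Feb-2024 10:15:03.010 general: zone example.com/IN: loaded serial 2024022201
22-Feb-2024 10:15:04.500 security: client @0x7f3c8c01a2b0 192.168.5.50#53001 (example.com): zone transfer 'example.com/AXFR/IN' denied
"""

CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): (?P<msg>.*)")

def classify(line):
    """(client_ip, event) for a denied request, None for any other line."""
    m = CLIENT_RE.search(line)
    if not m or not m["msg"].endswith("denied"):
        return None
    if m["msg"].startswith("zone transfer"):
        return m["ip"], "axfr_denied"        # blocked by allow-transfer (issue 3)
    if m["msg"].startswith("query (cache)"):
        return m["ip"], "recursion_denied"   # blocked by allow-recursion (issue 2)
    return m["ip"], "other_denied"

def triage(log_text, threshold=2):
    """Per-client counts of denied events, plus the clients at or above threshold.

    A LAN host repeatedly denied AXFR is usually a secondary missing from
    allow-transfer; an outside host doing the same is probing for zone data.
    """
    events = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            events[hit[0]][hit[1]] += 1
    flagged = sorted(ip for ip, c in events.items() if sum(c.values()) >= threshold)
    return {ip: dict(c) for ip, c in events.items()}, flagged
```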
## 24.6 BIND Views (Split DNS)

```
// Once any view is defined, every zone (including those in named.conf.local)
// must live inside a view. Views are tried in order; the first match-clients
// that matches the client wins.
view "internal" {
    match-clients { 192.168.0.0/16; 10.0.0.0/8; };
    recursion yes;

    zone "example.com" {
        type master;
        file "internal/db.example.com";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/db.example.com";
    };
};
```
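Added example (not from the chapter): a Python model of how named picks a view and evaluates an address-match list, built on the two views above. It makes the two things that matter for split DNS checkable: order (a view with `match-clients { any; }` placed first shadows every view after it, so outside clients would get the internal zone) and whether a given client ends up with recursion enabled. The `VIEWS` list and the helper names are constructed for this example.

```python
import ipaddress

# Views constructed from the split-DNS configuration above. named tries views in
# file order and serves a client from the first one whose match-clients matches.
VIEWS = [
    {"name": "internal", "match_clients": ["192.168.0.0/16", "10.0.0.0/8"],
     "recursion": True, "zone_file": "internal/db.example.com"},
    {"name": "external", "match_clients": ["any"],
     "recursion": False, "zone_file": "external/db.example.com"},
]

def acl_matches(acl, client):
    """BIND address-match list: any, none, localhost, CIDR, '!' negation; first match decides."""
    ip = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        element = element.lstrip("!")
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element == "localhost":
            hit = ip.is_loopback
        else:
            hit = ip in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate  # a negated element that matches excludes the client
    return False

def select_view(client, views=VIEWS):
    """The view that answers this client, or None when named would reply REFUSED."""
    return next((v for v in views if acl_matches(v["match_clients"], client)), None)

def shadowed_views(views):
    """Views that can never be reached because an earlier view has match-clients { any; }."""
    shadowed, catch_all_seen = [], False
    for v in views:
        if catch_all_seen:
            shadowed.append(v["name"])
        catch_all_seen = catch_all_seen or v["match_clients"] == ["any"]
    return shadowed
```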
## 24.7 Dynamic DNS (DDNS)

### DHCP + DDNS Configuration

The update settings and the `zone` statement with `primary` are ISC DHCP syntax and belong in `dhcpd.conf`, not in `named.conf`; named only needs the same key plus an `allow-update` rule on the zone.

```
# In dhcpd.conf
ddns-updates on;
ddns-update-style standard;
update-static-leases on;

# Use an HMAC-SHA256 key; hmac-md5 is obsolete.
# Generate one with: tsig-keygen -a hmac-sha256 ddns-key
key "ddns-key" {
    algorithm hmac-sha256;
    secret "YourSecretKey==";   # placeholder, replace with the generated base64 secret
};

zone example.com. {
    primary 127.0.0.1;
    key ddns-key;
}
```

```
// In named.conf: the same key, and only that key may update the zone
key "ddns-key" {
    algorithm hmac-sha256;
    secret "YourSecretKey==";
};

zone "example.com" {
    type master;
    file "/var/named/zones/db.example.com";
    allow-update { key "ddns-key"; };
};
```
### nsupdate Command

```bash
# Interactive update (nsupdate assumes hmac-md5 unless the algorithm is named)
nsupdate
> server ns1.example.com
> key hmac-sha256:ddns-key YourSecretKey==
> update add host.example.com 3600 A 192.168.1.50
> send

# Command line (the key file uses the named.conf key syntax)
nsupdate -k /etc/bind/ddns.key << EOF
server ns1.example.com
update delete host.example.com A
update add host.example.com 3600 A 192.168.1.50
send
EOF
```
## 24.8 Caching DNS Server (Unbound)

### Unbound Configuration

```bash
# Install
sudo pacman -S unbound
```

```
# /etc/unbound/unbound.conf
server:
    interface: 0.0.0.0
    # Only these ranges are answered; everyone else is refused, which keeps
    # a resolver bound to 0.0.0.0 from becoming an open resolver
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    verbosity: 1

# Forward to upstream
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

```bash
# Enable and start
sudo systemctl enable --now unbound
```
## Summary

In this chapter, you learned:
- ✅ DNS fundamentals and record types
- ✅ BIND9 installation and configuration
- ✅ Zone file creation and management
- ✅ DNSSEC security
- ✅ DNS troubleshooting commands
- ✅ Common DNS issues and solutions
- ✅ Split DNS with views
- ✅ Dynamic DNS updates
- ✅ Unbound caching DNS
## Next Chapter

Chapter 25: Network Troubleshooting
Last Updated: February 2026