
BIND 9

The most widely deployed DNS software on the internet — a full-featured authoritative and recursive server maintained by the Internet Systems Consortium.

Overview

Berkeley Internet Name Domain

BIND (Berkeley Internet Name Domain) has been the dominant DNS implementation since the 1980s and remains the reference implementation against which other DNS software is measured. BIND 9 is the current major version, maintained by the Internet Systems Consortium (ISC).

BIND 9 can act as an authoritative nameserver, a recursive/caching resolver, or both simultaneously — though running both roles on a single instance is not recommended for production. It supports DNSSEC signing and validation, Response Policy Zones (RPZ), DNS64, views for split-horizon DNS, and zone transfers (AXFR/IXFR).

  • Full DNSSEC support: signing, validation, key management with dnssec-keygen and dnssec-signzone
  • Views (view blocks) for split-horizon DNS — different answers for internal vs external clients
  • Response Policy Zones (RPZ) for DNS firewall / blocking
  • Dynamic DNS updates via nsupdate (RFC 2136)
  • Incremental zone transfers (IXFR) and NOTIFY for fast secondary sync
  • Rate limiting (RRL) to mitigate DNS amplification attacks
  • Runtime management via rndc (remote name daemon control)

When to Choose BIND 9

  • You need the widest ecosystem support and documentation
  • You require split-horizon DNS (views)
  • You need dynamic DNS updates (RFC 2136)
  • Your team already knows BIND

1984: First released (BIND 4)
ISC: Current maintainer
Configuration

Key Configuration Examples

Authoritative-only named.conf

// /etc/bind/named.conf
options {
    directory "/var/cache/bind";
    recursion no;                 // authoritative only
    allow-query { any; };         // answer for your zones
    allow-transfer { none; };     // restrict zone transfers
    dnssec-validation no;         // not needed for auth-only
};

zone "example.com" IN {
    type master;
    file "/etc/bind/zones/example.com.db";
    allow-transfer { 192.0.2.10; };   // secondary NS IP
    notify yes;
};

Recursive resolver named.conf

// /etc/bind/named.conf (resolver)
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.168.1.0/24; };   // internal only
    allow-query { 192.168.1.0/24; };
    dnssec-validation auto;                // validate DNSSEC
    forwarders { };                        // empty = full recursion

    // Response Policy Zone (DNS firewall). response-policy is an options
    // (or view) statement; placed at top level named-checkconf rejects it.
    response-policy { zone "rpz.blocklist"; };
};

// The zone named in response-policy must also be loaded like any other zone.
zone "rpz.blocklist" {
    type master;
    file "/etc/bind/zones/rpz.blocklist.db";   // path is an assumption; adjust to your layout
};
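
The two configurations above differ mainly in their ACLs, and the most common operational mistake with BIND is a resolver that answers recursive queries for the whole internet. The following is an added example, not ISC code and not part of this page's configuration: a small Python checker that mirrors BIND's own fallback chain for `allow-recursion` (allow-recursion, then allow-query-cache, then allow-query, then `localnets; localhost;`) and reports an open resolver, a resolver without DNSSEC validation, an `allow-transfer` that is absent or `any`, and an authoritative server with no `rate-limit` block. The three sample configurations are constructed from the examples on this page; the regex-based parsing handles only a flat `options` block like these, not `include` files or `view` statements.

```python
"""Audit a BIND options block for exposure mistakes (added example, not ISC code)."""
import re

# Constructed sample: the authoritative-only options shown above.
AUTH_CONF = """
options {
    directory "/var/cache/bind";
    recursion no;                 // authoritative only
    allow-query { any; };
    allow-transfer { none; };
    dnssec-validation no;
};
"""

# Constructed sample: the internal resolver shown above.
INTERNAL_RESOLVER_CONF = """
options {
    recursion yes;
    allow-recursion { 192.168.1.0/24; };
    allow-query { 192.168.1.0/24; };
    dnssec-validation auto;
};
"""

# Constructed sample: no allow-recursion, so BIND falls back to allow-query.
OPEN_RESOLVER_CONF = """
options {
    recursion yes;
    allow-query { any; };
    dnssec-validation auto;
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot confuse the matching."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, keyword):
    """Text inside `keyword { ... }`, honouring nested braces; None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def acl_of(body, name):
    """Address list of `name { a; b; };`, or None when the statement is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def setting(body, name):
    """Scalar value of `name value;`, or None when the statement is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([^;{]+);", body)
    return m.group(1).strip() if m else None


def effective_recursion_acl(opts):
    """BIND's fallback chain when allow-recursion is not set:
    allow-query-cache, then allow-query, then { localnets; localhost; }."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = acl_of(opts, name)
        if acl is not None:
            return acl
    return ["localnets", "localhost"]


def audit(conf):
    """Return a list of findings for the options block of a named.conf."""
    opts = block_body(strip_comments(conf), "options") or ""
    findings = []
    recursion = setting(opts, "recursion") or "yes"   # BIND recurses by default
    if recursion == "yes":
        acl = effective_recursion_acl(opts)
        if "any" in acl:
            findings.append("open resolver: effective allow-recursion is { any; }")
        if setting(opts, "dnssec-validation") not in ("auto", "yes"):
            findings.append("resolver does not validate DNSSEC")
    xfr = acl_of(opts, "allow-transfer")
    if xfr is None or "any" in xfr:
        findings.append("allow-transfer is not restricted in options")
    if recursion == "no" and block_body(opts, "rate-limit") is None:
        findings.append("authoritative server has no rate-limit (RRL) block")
    return findings


if __name__ == "__main__":
    for label, conf in (("auth", AUTH_CONF), ("internal", INTERNAL_RESOLVER_CONF),
                        ("open", OPEN_RESOLVER_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The interesting case is `OPEN_RESOLVER_CONF`: it never mentions `allow-recursion`, yet it is an open resolver, because BIND derives the recursion ACL from `allow-query { any; }`. Run the script against a real `named.conf` by reading the file into `audit()`; per-zone `allow-transfer` overrides, like the one in the authoritative example above, are outside the `options` block and are not inspected here.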

Zone file (db.example.com)

$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. admin.example.com. (
                2024041201   ; serial (YYYYMMDDnn)
                3600         ; refresh
                900          ; retry
                604800       ; expire
                300 )        ; negative-cache TTL
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.
@       IN A    203.0.113.42
@       IN MX   10 mail.example.com.
www     IN CNAME example.com.
mail    IN A    203.0.113.50
@       IN TXT  "v=spf1 ip4:203.0.113.50 ~all"
; in-zone NS names need address records, or named-checkzone refuses to load the zone
ns1     IN A    203.0.113.42
ns2     IN A    192.0.2.10   ; the secondary listed in allow-transfer above
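
Before handing a hand-written zone to named-checkzone it helps to know what it will complain about: an in-zone NS name with no A/AAAA record is reported as an error, a CNAME owner that also carries other data is an error, and a serial that is not in YYYYMMDDnn form is merely a convention, but one worth enforcing when secondaries compare serials. The following is an added example, not ISC's tooling and not from this page: a minimal zone-file linter in Python that understands `$ORIGIN`, `$TTL`, `@`, parenthesised SOA records and `;` comments, and reports those three problems. The sample zone is constructed from the example.com zone above with the ns1/ns2 address records deliberately left out so the check has something to find.

```python
"""Lint a BIND zone file for errors named-checkzone reports (added example, not ISC code)."""
import re

# Constructed sample, based on the example.com zone above but without
# address records for ns1/ns2 so the glue check has something to find.
ZONE = """
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. admin.example.com. (
                2024041201  ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; minimum
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.
@       IN A    203.0.113.42
@       IN MX   10 mail.example.com.
www     IN CNAME example.com.
mail    IN A    203.0.113.50
@       IN TXT  "v=spf1 ip4:203.0.113.50 ~all"
"""


def _strip_comment(line):
    """Remove a ';' comment unless the ';' sits inside a quoted string."""
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield records with ( ... ) continuations joined and comments removed."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text):
    """Return (origin, records); each record is (fqdn owner, TYPE, rdata tokens)."""
    origin, last_owner, records = "", "", []
    for line in _logical_lines(text):
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):          # $TTL and other directives
            continue
        # A line that starts with whitespace inherits the previous owner name.
        owner = last_owner if line[0].isspace() else toks.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        while toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS"):
            toks.pop(0)                      # optional TTL and class
        rtype = toks.pop(0).upper()
        records.append((owner, rtype, toks))
        last_owner = owner
    return origin, records


def lint(text):
    """Findings a practitioner would want before running named-checkzone."""
    origin, records = parse_zone(text)
    findings = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        findings.append("zone needs exactly one SOA record")
    elif not re.fullmatch(r"(19|20)\d{8}", soa[0][2][2]):
        findings.append(f"serial {soa[0][2][2]} is not in YYYYMMDDnn form")
    has_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype == "NS":
            ns = rdata[0]
            in_zone = ns == origin or ns.endswith("." + origin)
            if in_zone and ns not in has_addr:
                findings.append(f"in-zone NS {ns} has no A/AAAA record")
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    clashes = {owner for owner, rtype, _ in records if rtype != "CNAME" and owner in cnames}
    findings.extend(f"{owner} has a CNAME and other data" for owner in sorted(clashes))
    return findings


if __name__ == "__main__":
    print(lint(ZONE))                        # reports the two missing NS address records
    print(lint(ZONE + "ns1 IN A 203.0.113.42\nns2 IN A 192.0.2.10\n"))   # []
```

The parser is intentionally small: it handles the syntax used in the zone above and nothing more (no `$INCLUDE`, no `$GENERATE`, no multi-line records other than the SOA). Appending the two address records, as the corrected zone on this page does, clears the findings; named-checkzone remains the authoritative check before `rndc reload`.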

rndc management commands

# Check server status
rndc status

# Reload a specific zone
rndc reload example.com

# Flush the cache
rndc flush

# Reload named.conf without restart
rndc reconfig

# Dump cache to file
rndc dumpdb -cache

# Check zone statistics (written to the statistics-file configured in named.conf)
rndc stats
tail /var/named/named_stats.txt
Installation

Getting Started

Install on Debian/Ubuntu

# Install BIND 9
apt update && apt install -y bind9 bind9-utils bind9-doc

# Service management
systemctl enable --now named

# Verify it's running
systemctl status named
named -v                      # show version

# Config check before restart
named-checkconf /etc/bind/named.conf
named-checkzone example.com /etc/bind/zones/example.com.db

Install on RHEL/Rocky/AlmaLinux

# Install BIND 9
dnf install -y bind bind-utils

# Enable and start
systemctl enable --now named

# SELinux: allow BIND to write zone files
setsebool -P named_write_master_zones 1

# Config check
named-checkconf
named-checkzone example.com /var/named/example.com.db

# Firewall
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload