Maintaining BIND DNS Records

If you don't already have a BIND DNS environment set up, refer to How to Setup a DNS Server for a Home Lab on Ubuntu 14.04 before continuing.

This post walks you through some of the most common activities associated with maintaining private DNS servers, including adding and removing host records, adding canonical name records, and adding networks.

Add a Host to DNS

When you add a new host to your environment, follow the steps below on the primary name server, ns1. In this example we'll add a host named host2 with the IP address 10.1.100.91. If the host is on a network or subnet that has not previously been defined in DNS for reverse lookup, also follow the steps in the "Add a New Network" section.

Add an A Record

Connect to the ns1 host (10.1.100.41) via SSH.

Edit the forward zone file:

$ sudo vi /etc/bind/zones/db.homelab.local

Add an A record for host2 in the ; 10.1.100.0/24 - A records section:

host2.homelab.local.        IN      A       10.1.100.91  

Increment the serial value by 1.

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; name servers - A records
ns1.homelab.local.          IN      A       10.1.100.41  
ns2.homelab.local.          IN      A       10.1.100.42  
;
; 10.1.100.0/24 - A records
host1.homelab.local.        IN      A       10.1.100.90  
host2.homelab.local.        IN      A       10.1.100.91  

Save the file and exit the editor.

Add a PTR Record

Edit the reverse zone file:

$ sudo vi /etc/bind/zones/db.10.1.100

Add a PTR record for host2 in the ; PTR Records section:

91      IN      PTR     host2.homelab.local.  ; 10.1.100.91  

Increment the serial value by 1.

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; PTR Records
41      IN      PTR     ns1.homelab.local.    ; 10.1.100.41  
42      IN      PTR     ns2.homelab.local.    ; 10.1.100.42  
90      IN      PTR     host1.homelab.local.  ; 10.1.100.90  
91      IN      PTR     host2.homelab.local.  ; 10.1.100.91  

Save the file and exit the editor.

Check BIND Configuration File Syntax

Check the syntax of the forward zone file:

$ cd /etc/bind/zones
$ sudo named-checkzone homelab.local db.homelab.local

If there are no syntax errors you should see something similar to the following:

zone homelab.local/IN: loaded serial 4  
OK  

Check the syntax of the reverse zone file:

$ sudo named-checkzone 100.1.10.in-addr.arpa db.10.1.100

If there are no syntax errors you should see something similar to the following:

zone 100.1.10.in-addr.arpa/IN: loaded serial 3  
OK  
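named-checkzone validates syntax only. It will happily load a reverse zone whose PTR for ns1 sits under the label 20 instead of 41, and it cannot notice that a host has an A record but no PTR record at all. The script below is an added example, not part of the original post or of BIND itself: it cross-checks a forward zone file against a /24 reverse zone file and reports every address where the two disagree. The two sample zone files it writes are constructed for the demonstration (with two deliberate mistakes in the reverse zone), the function names are my own, and it assumes the "owner IN TYPE rdata" record layout used throughout this post.

```shell
#!/bin/sh
# Added example, not part of the original post. named-checkzone only checks
# that a zone file parses; it cannot tell that a PTR record sits under the
# wrong label or that a host has an A record but no PTR. This script
# cross-checks a forward zone file against a /24 reverse zone file.
# It assumes the post's record layout: "owner  IN  TYPE  rdata [; comment]".

# forward_hosts FORWARD_ZONE PREFIX: print "octet owner" for every A record
# whose address lies in PREFIX (e.g. 10.1.100); other networks are ignored.
forward_hosts() {
    awk -v prefix="$2." '
        $2 == "IN" && $3 == "A" && index($4, prefix) == 1 {
            print substr($4, length(prefix) + 1), $1
        }' "$1"
}

# reverse_hosts REVERSE_ZONE: print "octet target" for every PTR record.
reverse_hosts() {
    awk '$2 == "IN" && $3 == "PTR" { print $1, $4 }' "$1"
}

# check_zone_consistency FORWARD_ZONE REVERSE_ZONE PREFIX: print one line per
# disagreement and return the number of disagreements (0 = zones agree).
check_zone_consistency() {
    {
        forward_hosts "$1" "$3" | sed 's/^/A /'
        reverse_hosts "$2"      | sed 's/^/PTR /'
    } | awk -v prefix="$3" '
        $1 == "A"   { a[$2] = $3 }
        $1 == "PTR" { ptr[$2] = $3 }
        END {
            bad = 0
            for (o in a) {
                if (!(o in ptr)) {
                    printf "missing PTR: %s.%s has A record %s\n", prefix, o, a[o]; bad++
                } else if (ptr[o] != a[o]) {
                    printf "mismatch: PTR %s.%s -> %s, A record says %s\n", prefix, o, ptr[o], a[o]; bad++
                }
            }
            for (o in ptr)
                if (!(o in a)) {
                    printf "orphan PTR: %s.%s -> %s has no A record\n", prefix, o, ptr[o]; bad++
                }
            exit bad
        }'
}

# write_sample_zones DIR: constructed sample files modelled on the post's,
# with two deliberate defects in the reverse zone (ns2 under the wrong
# label, host2 missing) so the checker has something to find.
write_sample_zones() {
    cat > "$1/db.homelab.local" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. ( 4 604800 86400 2419200 604800 )
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
ns1.homelab.local.          IN      A       10.1.100.41
ns2.homelab.local.          IN      A       10.1.100.42
host1.homelab.local.        IN      A       10.1.100.90
host2.homelab.local.        IN      A       10.1.100.91
host3.homelab.local.        IN      A       10.1.101.50
www                         IN      CNAME   host1
EOF
    cat > "$1/db.10.1.100" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. ( 3 604800 86400 2419200 604800 )
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
41      IN      PTR     ns1.homelab.local.    ; 10.1.100.41
20      IN      PTR     ns2.homelab.local.    ; wrong label, should be 42
90      IN      PTR     host1.homelab.local.  ; 10.1.100.90
EOF
}

# Demonstration on the constructed sample. On ns1 the real call would be:
#   check_zone_consistency /etc/bind/zones/db.homelab.local /etc/bind/zones/db.10.1.100 10.1.100
SAMPLE_DIR=$(mktemp -d)
write_sample_zones "$SAMPLE_DIR"
check_zone_consistency "$SAMPLE_DIR/db.homelab.local" "$SAMPLE_DIR/db.10.1.100" 10.1.100 \
    || echo "$? problem(s) found"
rm -rf "$SAMPLE_DIR"
```

Run it against the real files after named-checkzone passes and before restarting BIND; on the constructed sample it reports the missing PTR for 10.1.100.42 and 10.1.100.91 and the orphan label 20, and exits with status 3. The host3 A record on 10.1.101.50 is ignored because it belongs to a different reverse zone.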

Restart BIND

Restart the BIND service:

$ sudo service bind9 restart

Remove a Host from DNS

If you need to remove a host from your environment, or delete its DNS records for any other reason, reverse the steps in the previous section and increment the serial value in both the forward and reverse lookup zones. In this example we'll remove the records for host2.

Remove an A Record

Connect to the ns1 host (10.1.100.41) via SSH.

Edit the forward zone file:

$ sudo vi /etc/bind/zones/db.homelab.local

Delete the line that begins host2.homelab.local. below and increment the serial value by 1:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; name servers - A records
ns1.homelab.local.          IN      A       10.1.100.41  
ns2.homelab.local.          IN      A       10.1.100.42  
;
; 10.1.100.0/24 - A records
host1.homelab.local.        IN      A       10.1.100.90  
host2.homelab.local.        IN      A       10.1.100.91  

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; name servers - A records
ns1.homelab.local.          IN      A       10.1.100.41  
ns2.homelab.local.          IN      A       10.1.100.42  
;
; 10.1.100.0/24 - A records
host1.homelab.local.        IN      A       10.1.100.90  

Save the file and exit the editor.

Remove a PTR Record

Edit the reverse zone file:

$ sudo vi /etc/bind/zones/db.10.1.100

Delete the line that begins 91 (the host2 PTR record) below and increment the serial value by 1:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; PTR Records
41      IN      PTR     ns1.homelab.local.     ; 10.1.100.41  
42      IN      PTR     ns2.homelab.local.     ; 10.1.100.42  
90      IN      PTR     host1.homelab.local.   ; 10.1.100.90  
91      IN      PTR     host2.homelab.local.   ; 10.1.100.91  

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; PTR Records
41      IN      PTR     ns1.homelab.local.     ; 10.1.100.41  
42      IN      PTR     ns2.homelab.local.     ; 10.1.100.42  
90      IN      PTR     host1.homelab.local.   ; 10.1.100.90  

Save the file and exit the editor.

Check BIND Configuration File Syntax

Check the syntax of the forward zone file:

$ cd /etc/bind/zones
$ sudo named-checkzone homelab.local db.homelab.local

If there are no syntax errors you should see something similar to the following:

zone homelab.local/IN: loaded serial 5  
OK  

Check the syntax of the reverse zone file:

$ sudo named-checkzone 100.1.10.in-addr.arpa db.10.1.100

If there are no syntax errors you should see something similar to the following:

zone 100.1.10.in-addr.arpa/IN: loaded serial 4  
OK  

Restart BIND

Restart the BIND service:

$ sudo service bind9 restart
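Both the add and the remove procedure touch two files and two serials, and it is easy to forget one half and leave the forward and reverse zones out of step. As an added example (not from the original post), the shell functions below perform both procedures on copies of the zone files: they append or delete the A and PTR records together, bump both serials, refuse to add a host that already has an A record, and run named-checkzone when it is installed. The zone header they write for the demonstration is constructed, the function and variable names are my own, and the script assumes the multi-line SOA layout used in this post, where the serial sits on its own line followed by "; Serial".

```shell
#!/bin/sh
# Added example, not part of the original post. Bundles the "Add a Host" and
# "Remove a Host" procedures into functions that edit the forward and /24
# reverse zone files together, bump both serials, and refuse duplicates,
# so the two zones cannot drift apart through a forgotten step. Assumes the
# post's layout: one "<digits>  ; Serial" line per zone file, records as
# "owner  IN  TYPE  rdata". Zone names and paths are the post's.

# current_serial ZONEFILE: print the serial number from the SOA record.
current_serial() {
    awk '$1 ~ /^[0-9]+$/ && /; Serial/ { print $1; exit }' "$1"
}

# bump_serial ZONEFILE: increment the serial in place (first "; Serial" line).
bump_serial() {
    awk '$1 ~ /^[0-9]+$/ && /; Serial/ && !done { sub(/[0-9]+/, $1 + 1); done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# has_a_record FQDN ZONEFILE: true if FQDN already owns an A record.
has_a_record() {
    awk -v n="$1." '$1 == n && $3 == "A" { found = 1 } END { exit !found }' "$2"
}

# add_host FQDN IP FORWARD_ZONE REVERSE_ZONE: append the A and PTR records
# and bump both serials. Fails without touching anything if FQDN exists.
add_host() {
    if has_a_record "$1" "$3"; then
        echo "refusing: $1 already has an A record in $3" >&2
        return 1
    fi
    printf '%-28sIN      A       %s\n' "$1." "$2" >> "$3"
    printf '%-8sIN      PTR     %s  ; %s\n' "${2##*.}" "$1." "$2" >> "$4"
    bump_serial "$3" && bump_serial "$4"
}

# remove_host FQDN FORWARD_ZONE REVERSE_ZONE: drop the A record and every PTR
# that points at FQDN, then bump both serials.
remove_host() {
    awk -v n="$1." '!($1 == n && $3 == "A")' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    awk -v n="$1." '!($3 == "PTR" && $4 == n)' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
    bump_serial "$2" && bump_serial "$3"
}

# check_zone ZONE ZONEFILE: run named-checkzone when it is installed, so the
# edited file is validated before BIND is told to pick it up.
check_zone() {
    if ! command -v named-checkzone >/dev/null 2>&1; then
        echo "named-checkzone not installed; skipping check of $2" >&2
        return 0
    fi
    named-checkzone "$1" "$2"
}

# write_zone_header ZONEFILE SERIAL: constructed minimal zone header in the
# post's layout, used only for the demonstration below.
write_zone_header() {
    cat > "$1" <<EOF
\$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              $2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        IN      NS      ns1.homelab.local.
EOF
}

# Demonstration on constructed copies in a temporary directory. On ns1 the
# real files are /etc/bind/zones/db.homelab.local and db.10.1.100, followed
# by check_zone and the post's "sudo service bind9 restart" (or rndc reload).
DEMO=$(mktemp -d)
write_zone_header "$DEMO/db.homelab.local" 4
write_zone_header "$DEMO/db.10.1.100" 3
add_host ns1.homelab.local   10.1.100.41 "$DEMO/db.homelab.local" "$DEMO/db.10.1.100"
add_host host2.homelab.local 10.1.100.91 "$DEMO/db.homelab.local" "$DEMO/db.10.1.100"
echo "serials after add: $(current_serial "$DEMO/db.homelab.local") / $(current_serial "$DEMO/db.10.1.100")"
check_zone homelab.local "$DEMO/db.homelab.local" || echo "forward zone failed validation"
remove_host host2.homelab.local "$DEMO/db.homelab.local" "$DEMO/db.10.1.100"
echo "serials after remove: $(current_serial "$DEMO/db.homelab.local") / $(current_serial "$DEMO/db.10.1.100")"
rm -rf "$DEMO"
```

Each add or remove bumps the serial in both files exactly once, so ns2 picks up the change on the next refresh or NOTIFY; the duplicate check keeps a re-run from silently creating two A records for the same name. The functions return non-zero on failure, so a wrapper can stop before the restart step when something went wrong.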

Add a Canonical Name Record

A Canonical Name (CNAME) DNS record maps a single alias name to the real or canonical name. The real or canonical name may be outside the current DNS zone. In the first example we'll map www to host1.homelab.local. We'll follow that with an example mapping ftp to host3.labnet.local.

Add a CNAME Record Mapping www to host1

Connect to the ns1 host (10.1.100.41) via SSH.

Edit the forward zone file:

$ sudo vi /etc/bind/zones/db.homelab.local

Add a new section called ; 10.1.100.0/24 - CNAME records containing a CNAME record that maps www to host1:

; 10.1.100.0/24 - CNAME records
www                         IN      CNAME   host1  

Increment the serial value by 1.

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              6         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; name servers - A records
ns1.homelab.local.          IN      A       10.1.100.41  
ns2.homelab.local.          IN      A       10.1.100.42  
;
; 10.1.100.0/24 - A records
host1.homelab.local.        IN      A       10.1.100.90  
;
; 10.1.100.0/24 - CNAME records
www                         IN      CNAME   host1  

Save the file and exit the editor.

Add a CNAME Record Mapping ftp to host3.labnet.local

Edit the forward zone file:

$ sudo vi /etc/bind/zones/db.homelab.local

Add a CNAME record mapping ftp to host3.labnet.local in the ; 10.1.100.0/24 - CNAME records section:

ftp                         IN      CNAME   host3.labnet.local.  

Increment the serial value by 1.

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              7         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; name servers - A records
ns1.homelab.local.          IN      A       10.1.100.41  
ns2.homelab.local.          IN      A       10.1.100.42  
;
; 10.1.100.0/24 - A records
host1.homelab.local.        IN      A       10.1.100.90  
;
; 10.1.100.0/24 - CNAME records
www                         IN      CNAME   host1  
ftp                         IN      CNAME   host3.labnet.local.  

Save the file and exit the editor.

Check BIND Configuration File Syntax

Check the syntax of the forward zone file:

$ cd /etc/bind/zones
$ sudo named-checkzone homelab.local db.homelab.local

If there are no syntax errors you should see something similar to the following:

zone homelab.local/IN: loaded serial 7  
OK  

Restart BIND

Restart the BIND service:

$ sudo service bind9 restart

Add a New Network

If you add a new subnet to your home lab containing clients that need to query your DNS servers, or hosts that you want FQDNs for, you'll need to update your DNS server configuration. Follow the steps below to add the 10.1.101.0/24 network.

Configure Options File

The BIND options file needs to be edited to permit recursive DNS queries from clients on the 10.1.101.0/24 network. If you only want to define A, CNAME, or PTR records for hosts on the network and don't need those hosts to query the DNS servers (unlikely), you can skip this section.

Connect to the ns1 host (10.1.100.41) via SSH.

On ns1, edit the named.conf.options file:

$ sudo vi /etc/bind/named.conf.options

If you want to permit recursive DNS queries from clients on the new network you need to add it to the trusted ACL:

        10.1.101.0/24;   # lab network 2

When done editing it should look like:

// Lab subnets we wish to allow recursive queries from.
acl "trusted" {  
        10.1.100.0/24;   # lab network
        10.1.101.0/24;   # lab network 2
};

options {  
        directory "/var/cache/bind";

        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on { 10.1.100.41; };    # ns1 private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save the file and exit the editor.

Repeat the same process on the secondary nameserver:

Connect to the ns2 host (10.1.100.42) via SSH.

On ns2, edit the named.conf.options file:

$ sudo vi /etc/bind/named.conf.options

If you want to permit recursive DNS queries from clients on the new network you need to add it to the trusted ACL:

        10.1.101.0/24;   # lab network 2

When done editing it should look like:

// Lab subnets we wish to allow recursive queries from.
acl "trusted" {  
        10.1.100.0/24;   # lab network
        10.1.101.0/24;   # lab network 2
};

options {  
        directory "/var/cache/bind";

        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on { 10.1.100.42; };    # ns2 private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save the file and exit the editor.
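Because named.conf.options is edited the same way on ns1 and ns2, the easiest mistake to make is to copy the file across unchanged, which leaves the secondary trying to listen on ns1's address. The script below is an added example, not part of the original post: given a copy of the options file, the address of the server being checked, and the new network, it confirms that the network is in the trusted ACL, that recursion is limited to that ACL, that transfers are disabled in the options block (they are enabled per zone in named.conf.local), and that listen-on names this server's own address. The options file it writes is a constructed copy of the one above with the comments removed; function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a copy of
# named.conf.options before BIND is restarted: the new network must be in
# acl "trusted", recursion must be limited to that ACL, zone transfers must
# be off in options (they are enabled per zone in named.conf.local), and
# listen-on must name this server's own address. The last point matters
# because a file copied from ns1 to ns2 unchanged leaves ns2 listening on an
# address it does not have. Assumes the post's one-option-per-line layout.

# acl_contains FILE ACL_NAME NETWORK: true if NETWORK appears inside acl "ACL_NAME" { ... }.
acl_contains() {
    awk -v header="acl \"$2\"" -v net="$3;" '
        index($0, header) == 1 { inside = 1; next }
        inside && $1 == "};"   { inside = 0 }
        inside && $1 == net    { found = 1 }
        END { exit !found }' "$1"
}

# option_value FILE KEY: print the first value of KEY, e.g. "10.1.100.41;" for
# "listen-on { 10.1.100.41; };" or "yes;" for "recursion yes;".
option_value() {
    awk -v key="$2" '$1 == key { print ($2 == "{") ? $3 : $2; exit }' "$1"
}

# check_options FILE OWN_IP NETWORK: print each finding; return the number of findings.
check_options() {
    problems=0
    acl_contains "$1" trusted "$3" \
        || { echo "$3 is not in acl \"trusted\""; problems=$((problems + 1)); }
    [ "$(option_value "$1" allow-recursion)" = "trusted;" ] \
        || { echo "allow-recursion is not limited to the trusted ACL"; problems=$((problems + 1)); }
    [ "$(option_value "$1" allow-transfer)" = "none;" ] \
        || { echo "allow-transfer in options is not none"; problems=$((problems + 1)); }
    [ "$(option_value "$1" listen-on)" = "$2;" ] \
        || { echo "listen-on is $(option_value "$1" listen-on) but this server is $2"; problems=$((problems + 1)); }
    return $problems
}

# write_sample_options FILE: constructed copy of the post's ns1 options file.
write_sample_options() {
    cat > "$1" <<'EOF'
acl "trusted" {
        10.1.100.0/24;   # lab network
        10.1.101.0/24;   # lab network 2
};

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { trusted; };
        listen-on { 10.1.100.41; };
        allow-transfer { none; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation auto;
        auth-nxdomain no;
        listen-on-v6 { any; };
};
EOF
}

# Demonstration: the same file is correct on ns1 and wrong on ns2.
OPTS=$(mktemp)
write_sample_options "$OPTS"
echo "as ns1:"; check_options "$OPTS" 10.1.100.41 10.1.101.0/24 && echo "  no problems"
echo "as ns2:"; check_options "$OPTS" 10.1.100.42 10.1.101.0/24 || echo "  $? problem(s)"
rm -f "$OPTS"
```

On each server the call is check_options /etc/bind/named.conf.options with that server's own address and the network just added; a non-zero return means something to fix before the restart. named-checkconf remains the syntax check; this only covers the handful of settings this procedure touches.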

Add Local Reverse DNS Zone

On ns1, open the named.conf.local file for editing:

$ sudo vi /etc/bind/named.conf.local

Add a reverse zone for the 10.1.101.0/24 subnet. The reverse mapping for 10.1.101 is entered as 101.1.10:

zone "101.1.10.in-addr.arpa" {  
    type master;
    file "/etc/bind/zones/db.10.1.101";  # 10.1.101.0/24 subnet
    allow-transfer { 10.1.100.42; };     # ns2 private IP address – secondary
};

At this point the /etc/bind/named.conf.local file should look like the following:

zone "homelab.local" {  
    type master;
    file "/etc/bind/zones/db.homelab.local"; # zone file path
    allow-transfer { 10.1.100.42; };         # ns2 private IP address – secondary
};

zone "100.1.10.in-addr.arpa" {  
    type master;
    file "/etc/bind/zones/db.10.1.100";  # 10.1.100.0/24 subnet
    allow-transfer { 10.1.100.42; };     # ns2 private IP address – secondary
};

zone "101.1.10.in-addr.arpa" {  
    type master;
    file "/etc/bind/zones/db.10.1.101";  # 10.1.101.0/24 subnet
    allow-transfer { 10.1.100.42; };     # ns2 private IP address – secondary
};

Save the file and exit the editor.

Repeat the same process on the secondary nameserver:

On ns2, open the named.conf.local file for editing:

$ sudo vi /etc/bind/named.conf.local

Add a reverse zone for the 10.1.101.0/24 subnet. The reverse mapping for 10.1.101 is entered as 101.1.10:

zone "101.1.10.in-addr.arpa" {  
    type slave;
    file "db.10.1.101";
    masters { 10.1.100.41; };  # ns1 private IP
};

At this point the /etc/bind/named.conf.local file should look like the following:

zone "homelab.local" {  
    type slave;
    file "db.homelab.local";
    masters { 10.1.100.41; };  # ns1 private IP
};

zone "100.1.10.in-addr.arpa" {  
    type slave;
    file "db.10.1.100";
    masters { 10.1.100.41; };  # ns1 private IP
};

zone "101.1.10.in-addr.arpa" {  
    type slave;
    file "db.10.1.101";
    masters { 10.1.100.41; };  # ns1 private IP
};

Save the file and exit the editor.

Configure the Forward Zone File

On ns1, edit the forward zone file:

$ sudo vi /etc/bind/zones/db.homelab.local

Add a new section called ; 10.1.101.0/24 - A records and an A record for host3:

; 10.1.101.0/24 - A records
host3.homelab.local.        IN      A       10.1.101.50  

Increment the serial value by 1.

When done editing it should look like:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              8         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; name servers - A records
ns1.homelab.local.          IN      A       10.1.100.41  
ns2.homelab.local.          IN      A       10.1.100.42  
;
; 10.1.100.0/24 - A records
host1.homelab.local.        IN      A       10.1.100.90  
;
; 10.1.101.0/24 - A records
host3.homelab.local.        IN      A       10.1.101.50  
;
; 10.1.100.0/24 - CNAME records
www                         IN      CNAME   host1  
ftp                         IN      CNAME   host3.labnet.local.  

Save the file and exit the editor.

Create the Reverse Zone File

Next we will create a reverse zone file containing DNS PTR records for reverse DNS lookups. For example, if a client queries the DNS server for 10.1.101.50, the server looks in the zone file for 101.1.10.in-addr.arpa for a record mapping 10.1.101.50 to the FQDN host3.homelab.local.

In the named.conf.local file on ns1 the file for the reverse zone 101.1.10.in-addr.arpa was set to /etc/bind/zones/db.10.1.101. Create the reverse zone file based on the /etc/bind/db.127 sample:

$ cd /etc/bind/zones
$ sudo cp ../db.127 ./db.10.1.101

Edit the reverse zone file:

$ sudo vi /etc/bind/zones/db.10.1.101

By default, it should match the following:

;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.  

As we did with the forward zone file, edit the SOA record and increment the serial value as follows:

@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              2         ; Serial

Delete the localhost. NS and localhost. PTR records.

Add nameserver (NS) records for the ns1 and ns2 servers:

; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.

Add PTR records for each host in your lab on this new network. The first column is the host part of the address: for a /24 network it is the last octet; for a /16 network it is the last two octets in reverse order. For this example we'll create a record for host3 on the 10.1.101.0/24 subnet:

; PTR Records
50      IN      PTR     host3.homelab.local.  ; 10.1.101.50  

At this point the file should look like the following:

$TTL    604800
@       IN      SOA     ns1.homelab.local. admin.homelab.local. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name servers - NS records
        IN      NS      ns1.homelab.local.
        IN      NS      ns2.homelab.local.
;
; PTR Records
50      IN      PTR     host3.homelab.local.  ; 10.1.101.50  

Save and exit the db.10.1.101 file.
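As an added example (not from the original post), the functions below apply the reverse-octet rule to any IPv4 address for a /8, /16 or /24 reverse zone: the first produces the PTR owner label together with the in-addr.arpa zone name the record belongs in, and the second prints the record line in the layout used in this post. This generalizes the /24 case shown above to the /16 case the paragraph mentions and to /8; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Implements the rule above
# for building PTR records: the owner label is the host part of the address
# with its octets reversed, and the zone name is the network part reversed
# under in-addr.arpa. Covers /8, /16 and /24 reverse zones; the post's
# example is the /24 case.

# ptr_record_parts IP PREFIXLEN: print "LABEL ZONE", e.g.
#   10.1.101.50 24 -> "50 101.1.10.in-addr.arpa"
#   10.1.101.50 16 -> "50.101 1.10.in-addr.arpa"
ptr_record_parts() {
    case $2 in
        8|16|24) ;;
        *) echo "prefix length must be 8, 16 or 24 (got $2)" >&2; return 1 ;;
    esac
    echo "$1" | awk -F. -v plen="$2" '
        NF != 4 { print "not a dotted-quad IPv4 address: " $0 > "/dev/stderr"; exit 1 }
        {
            n = plen / 8                          # number of network octets
            label = ""; zone = ""
            for (i = 4; i > n; i--)               # host octets, last first
                label = label (label == "" ? "" : ".") $i
            for (i = n; i >= 1; i--)              # network octets, last first
                zone = zone (zone == "" ? "" : ".") $i
            print label, zone ".in-addr.arpa"
        }'
}

# ptr_line IP PREFIXLEN FQDN: print the zone-file line in the post's layout,
# e.g. "50      IN      PTR     host3.homelab.local.  ; 10.1.101.50".
ptr_line() {
    parts=$(ptr_record_parts "$1" "$2") || return 1
    set -- "$1" "$3" $parts          # $1 ip, $2 fqdn, $3 label, $4 zone
    printf '%-8sIN      PTR     %s  ; %s\n' "$3" "$2" "$1"
}

# Demonstration with the post's host3 on the 10.1.101.0/24 subnet.
ptr_record_parts 10.1.101.50 24
ptr_line 10.1.101.50 24 host3.homelab.local.
ptr_line 10.1.101.50 16 host3.homelab.local.
```

The zone name it prints is the one to use both in named.conf.local and as the first argument to named-checkzone, so the /16 case for 10.1.101.50 would live in a 1.10.in-addr.arpa zone with the label 50.101, exactly as the paragraph above describes.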

Check BIND Configuration File Syntax

On ns1, check the syntax of the configuration files that start with named.conf:

$ sudo named-checkconf

If the configuration files have no syntax errors you won't see any error messages.

Check the syntax of the forward zone file:

$ sudo named-checkzone homelab.local db.homelab.local

If there are no syntax errors you should see something similar to the following:

zone homelab.local/IN: loaded serial 8  
OK  

Check the syntax of the reverse zone file:

$ sudo named-checkzone 101.1.10.in-addr.arpa /etc/bind/zones/db.10.1.101

If there are no syntax errors you should see something similar to the following:

zone 101.1.10.in-addr.arpa/IN: loaded serial 2  
OK  

Check the configuration syntax on the secondary nameserver:

On ns2, check the syntax of the configuration files that start with named.conf:

$ sudo named-checkconf

If the configuration files have no syntax errors you won't see any error messages.

Restart BIND

Restart the BIND service on ns1:

$ sudo service bind9 restart

Restart the BIND service on ns2:

$ sudo service bind9 restart

Summary

This post walked through some of the most common activities associated with maintaining private DNS servers, including adding and removing host records, adding canonical name records, and adding networks. Additional BIND documentation can be found on the BIND9 site.