InfraRunBook

    How to Install BIND9 on Ubuntu – Complete Step-by-Step Guide

    DNS
    Published: Feb 15, 2026
    Updated: Feb 15, 2026

    A practical Infra Run Book guide to installing, configuring, and securing BIND9 DNS server on Ubuntu. Covers package installation, forward and reverse zone setup, named-checkconf validation, and security hardening best practices.


    What is BIND9?

    BIND9 (Berkeley Internet Name Domain version 9) is the most widely deployed open-source DNS server. It is maintained by ISC (Internet Systems Consortium) and powers a significant portion of internet DNS infrastructure.

    • Acts as an authoritative DNS server for your domain zones
    • Acts as a recursive resolver for internal networks
    • Fully standards-compliant (RFC 1034, 1035)

    Prerequisites

    • Ubuntu 20.04 / 22.04 / 24.04 (any LTS)
    • Root or sudo privileges
    • A static IP address configured on the server
    • Port 53 TCP/UDP open in your firewall

    Step 1 – Update the System

    Always update packages before installing:

    sudo apt update && sudo apt upgrade -y

    Step 2 – Install BIND9

    sudo apt install bind9 bind9utils bind9-doc -y

    This installs:

    • bind9 – the DNS server daemon (named)
    • bind9utils – tools like named-checkconf and named-checkzone (on 22.04 and later this is a transitional package for bind9-utils; either name works)
    • bind9-doc – documentation

    Step 3 – Verify Installation

    named -v

    Expected output (the exact version depends on the Ubuntu release: 20.04 ships BIND 9.16, 22.04 and 24.04 ship 9.18):

    BIND 9.18.x (Ubuntu)

    Step 4 – Configure BIND9 (named.conf.options)

    Edit the main options file:

    sudo nano /etc/bind/named.conf.options

    Replace the contents with a secure baseline configuration:

    options {
        directory "/var/cache/bind";
    
        // Allow recursion only for trusted networks. Hosts outside these
        // ranges can still query the authoritative zones declared in
        // named.conf.local, but get REFUSED for anything else.
        recursion yes;
        allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };
    
        // Listen on all interfaces. On a multi-homed host, replace "any"
        // with the server's static address(es) so named is not exposed on
        // interfaces that do not need it.
        listen-on { any; };
        listen-on-v6 { any; };
    
        // Forward unresolved queries to public DNS. "forward only" never
        // falls back to iterative resolution, so if both forwarders are
        // unreachable, recursion stops working.
        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
        forward only;
    
        // Security hardening
        // Validate DNSSEC with the built-in root trust anchor. The
        // forwarders above return RRSIG records, which validation needs.
        dnssec-validation auto;
        auth-nxdomain no;
        // Refuse version.bind CHAOS queries instead of revealing the version.
        version none;
        // Nobody should be able to pull a full copy of your zones (AXFR).
        // List your secondary name servers here if you have any.
        allow-transfer { none; };
    };

    Important: Restrict allow-recursion to your internal subnets only. Never allow open recursion to the internet: an open resolver is abused for DNS amplification DDoS attacks against third parties. Once the server is up, confirm from an address outside the allowed ranges that a recursive query such as dig @<server-ip> www.google.com comes back with status REFUSED.
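    The following is an added example and not part of the original guide: a small shell audit for the three hardening points above (open recursion, version disclosure, unrestricted zone transfers). It is a heuristic text scan of a single file, so when include files are involved run it on the output of named-checkconf -p, which prints the fully expanded configuration, rather than on the raw file. The file paths and the sample configurations are this example's own assumptions.

    ```sh
    # Added example (not from the original guide): heuristic audit of a BIND
    # named.conf.options for the hardening settings discussed above.

    # strip_comments FILE -> the config text with // and # line comments removed
    # (good enough for named.conf; it would also cut a "//" inside a quoted string)
    strip_comments() {
        sed -e 's,//.*$,,' -e 's/#.*$//' "$1"
    }

    # has_setting TEXT ERE -> true if the comment-stripped config matches ERE
    has_setting() {
        printf '%s\n' "$1" | grep -Eq "$2"
    }

    # audit_options FILE -> prints one finding per line, returns 1 if any finding
    audit_options() {
        f="$1"
        text=$(strip_comments "$f")
        findings=0

        # 1. BIND defaults to "recursion yes", so unless recursion is switched off
        #    explicitly, allow-recursion must exist and must not contain "any".
        if ! has_setting "$text" 'recursion[[:space:]]+no[[:space:]]*;'; then
            if ! has_setting "$text" 'allow-recursion[[:space:]]*[{]' \
               || has_setting "$text" 'allow-recursion[[:space:]]*[{][^}]*any[[:space:]]*;'; then
                echo "OPEN RECURSION: recursion is on without a restrictive allow-recursion"
                findings=1
            fi
        fi

        # 2. version.bind CHAOS query not suppressed or overridden
        if ! has_setting "$text" 'version[[:space:]]+(none|"[^"]*")[[:space:]]*;'; then
            echo "VERSION DISCLOSED: add 'version none;'"
            findings=1
        fi

        # 3. zone transfers not restricted (anyone could AXFR every zone)
        if ! has_setting "$text" 'allow-transfer[[:space:]]*[{]'; then
            echo "ZONE TRANSFERS UNRESTRICTED: add 'allow-transfer { none; };' or an ACL of your secondaries"
            findings=1
        fi

        return $findings
    }
    ```

    Usage on the server: . ./audit.sh; audit_options /etc/bind/named.conf.options (or save named-checkconf -p to a file and audit that). A non-zero exit status with the findings on stdout makes it easy to wire into a configuration-management check.
    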


    Step 5 – Create a Forward Zone

    Edit named.conf.local to declare your zone:

    sudo nano /etc/bind/named.conf.local

    Add:

    zone "example.local" {
        type master;
        file "/etc/bind/zones/db.example.local";
    };

    Create the zones directory and zone file:

    sudo mkdir -p /etc/bind/zones
    sudo cp /etc/bind/db.local /etc/bind/zones/db.example.local
    sudo nano /etc/bind/zones/db.example.local

    Edit it to look like the following. (Caveat: the .local TLD is reserved for multicast DNS by RFC 6762, and Ubuntu clients running systemd-resolved or Avahi may resolve .local names over mDNS instead of asking this server. It is fine for a lab; for anything real, use a subdomain of a domain you own, such as corp.example.com, and keep the record layout identical.)

    $TTL    604800
    @   IN  SOA ns1.example.local. admin.example.local. (
                  2026021501 ; Serial (YYYYMMDDnn)
                  604800     ; Refresh
                  86400      ; Retry
                  2419200    ; Expire
                  604800 )   ; Negative Cache TTL
    
    ; Name servers
    @       IN  NS      ns1.example.local.
    
    ; A records
    ns1     IN  A       192.168.1.10
    @       IN  A       192.168.1.10
    www     IN  A       192.168.1.20

    Step 6 – Create a Reverse Zone (Optional but Recommended)

    Add to named.conf.local:

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168.1";
    };

    Create the reverse zone file from the packaged db.127 template:

    sudo cp /etc/bind/db.127 /etc/bind/zones/db.192.168.1
    sudo nano /etc/bind/zones/db.192.168.1

    Edit it to look like the following (each PTR owner name is the last octet of an address in 192.168.1.0/24; the serial follows the same YYYYMMDDnn rule as the forward zone):

    $TTL    604800
    @   IN  SOA ns1.example.local. admin.example.local. (
                  2026021501 ; Serial (YYYYMMDDnn)
                  604800     ; Refresh
                  86400      ; Retry
                  2419200    ; Expire
                  604800 )   ; Negative Cache TTL
    
    @       IN  NS      ns1.example.local.
    10      IN  PTR     ns1.example.local.
    20      IN  PTR     www.example.local.

    Step 7 – Validate Configuration

    Check for syntax errors before (re)starting. named-checkconf prints nothing and exits 0 when the configuration is valid; the -z flag additionally loads every zone declared in the configuration:

    sudo named-checkconf -z

    Check each zone file individually:

    sudo named-checkzone example.local /etc/bind/zones/db.example.local
    sudo named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192.168.1

    Expected output for each zone:

    zone example.local/IN: loaded serial 2026021501
    OK

    Step 8 – Restart & Enable BIND9

    The bind9 package already starts and enables the service at install time, so the edits above are not loaded yet. Restart named to apply them and make sure it starts at boot (on Ubuntu the unit is named.service; bind9.service is an alias for it):

    sudo systemctl enable named
    sudo systemctl restart named

    Verify it is running:

    sudo systemctl status named

    Expected output:

    ● named.service - BIND Domain Name Server
       Active: active (running)
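    The validate-then-load routine of Steps 7 and 8, together with the serial bookkeeping the zone files rely on, as an added example that is not part of the original guide: POSIX shell functions that bump a YYYYMMDDnn SOA serial, validate the configuration and the zone, and then reload only that zone with rndc (with Ubuntu's packaging rndc normally works locally without extra setup, because the package generates /etc/bind/rndc.key). The assumption that the serial sits on the line carrying the "; Serial" comment, as in the zone files above, and the zone-file path in the usage note are this example's own.

    ```sh
    # Added example (not from the original guide): bump a YYYYMMDDnn serial,
    # validate, and reload one zone. Assumes the zone file keeps the serial on
    # the line tagged "; Serial", as in the zone files above.

    # next_serial OLD TODAY -> the next serial. Same day: increment the nn
    # counter (99 rolls into the next number, which is still larger). New day:
    # TODAY01. Never returns a value <= OLD, so secondaries always see an update.
    next_serial() {
        old="$1"; today="$2"
        case "$old" in
            "$today"*) new=$(( old + 1 )) ;;
            *)         new="${today}01" ;;
        esac
        if [ "$new" -le "$old" ]; then
            new=$(( old + 1 ))       # e.g. the file already carries a future date
        fi
        printf '%s\n' "$new"
    }

    # bump_zone_serial FILE TODAY -> rewrites the serial in FILE in place and
    # prints the new serial. TODAY is passed explicitly (use "$(date +%Y%m%d)")
    # so the function can be tested with fixed dates.
    bump_zone_serial() {
        file="$1"; today="$2"
        old=$(awk '/; *Serial/ { print $1; exit }' "$file")
        [ -n "$old" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
        new=$(next_serial "$old" "$today")
        awk -v old="$old" -v new="$new" \
            '/; *Serial/ && !done { sub(old, new); done = 1 } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        printf '%s\n' "$new"
    }

    # publish_zone ZONE FILE -> validate config and zone, then reload only that
    # zone. Stops at the first failure so a broken zone never reaches named.
    publish_zone() {
        zone="$1"; file="$2"
        named-checkconf -z >/dev/null   || { echo "named.conf invalid" >&2; return 1; }
        named-checkzone "$zone" "$file" || { echo "zone $zone invalid" >&2; return 1; }
        rndc reload "$zone"
    }
    ```

    Usage on the server, after editing a record: sudo sh -c '. ./zonetool.sh; bump_zone_serial /etc/bind/zones/db.example.local "$(date +%Y%m%d)" && publish_zone example.local /etc/bind/zones/db.example.local'. Run it as root so the rewritten file keeps the ownership that /etc/bind/zones expects; if named-checkzone rejects the edit, the serial has already been bumped but nothing was reloaded, which is the safe side to fail on.
    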

    Step 9 – Configure Firewall

    Allow DNS on both transports (UDP for ordinary queries, TCP for large responses, DNSSEC and zone transfers). ufw applies new rules immediately while it is active, so no reload is needed:

    sudo ufw allow 53/tcp
    sudo ufw allow 53/udp

    If this server only serves internal clients, prefer ufw's "allow from <subnet> to any port 53" form with the same subnets you listed in allow-recursion, so the service is not reachable from the internet at all.

    Step 10 – Test DNS Resolution

    From a client on the same network:

    nslookup www.example.local 192.168.1.10

    Or using dig:

    dig @192.168.1.10 www.example.local

    Expected output:

    ;; ANSWER SECTION:
    www.example.local.  604800  IN  A  192.168.1.20

    ✅ Best Practices

    • Always run named-checkconf (and named-checkzone on any changed zone) before restarting BIND9
    • Restrict recursion to internal networks only, and verify from outside those networks that recursive queries are REFUSED
    • Restrict zone transfers with allow-transfer so nobody can AXFR your zones
    • Increment the serial (YYYYMMDDnn format) on every zone change; secondaries only transfer a zone when its serial is higher than the copy they hold
    • Enable DNSSEC validation on resolvers, and sign production zones
    • Monitor BIND9 logs: sudo journalctl -u named -f
    • Set version none; so the BIND version is not disclosed through version.bind
    • Keep the bind9 package patched along with the rest of the system; it is network-facing and receives regular security fixes

    Remember: Always validate zone files after edits. A single syntax error can take down DNS for your entire domain.

    Frequently Asked Questions

    What is BIND9 and what is it used for?

    BIND9 (Berkeley Internet Name Domain 9) is the most widely deployed open-source DNS server, maintained by ISC. It can serve as an authoritative DNS server for domain zones and as a recursive resolver for internal networks.

    Which Ubuntu versions support BIND9?

    BIND9 is supported on all current Ubuntu LTS versions including Ubuntu 20.04 (Focal), 22.04 (Jammy), and 24.04 (Noble). It is available directly from the official Ubuntu apt repositories.

    How do I install BIND9 on Ubuntu?

    Install BIND9 on Ubuntu using: sudo apt update && sudo apt install bind9 bind9utils bind9-doc -y. This installs the named daemon, validation tools like named-checkconf and named-checkzone, and documentation.

    What is the main configuration file for BIND9 on Ubuntu?

    BIND9 on Ubuntu uses /etc/bind/named.conf as the root configuration, which includes named.conf.options for server options, named.conf.local for zone declarations, and named.conf.default-zones for default zones.

    How do I check if BIND9 is running on Ubuntu?

    Check BIND9 status using: sudo systemctl status named. If running, it shows Active: active (running). You can also check with: sudo journalctl -u named -f to view live logs.

    What is a forward zone in BIND9?

    A forward zone in BIND9 maps hostnames to IP addresses. It is defined in named.conf.local and uses a zone file with A records, NS records, and SOA records to resolve domain names to their corresponding IP addresses.

    What is a reverse zone in BIND9 and why is it needed?

    A reverse zone maps IP addresses back to hostnames using PTR records. It is used for reverse DNS lookups and matters for mail server verification, security tooling that enriches logs with hostnames, and network diagnostics with tools like nslookup and dig.

    How do I validate BIND9 configuration before restarting?

    Use named-checkconf to validate the main configuration (add -z to load every declared zone as well) and named-checkzone to validate each zone file. For example: sudo named-checkconf -z and sudo named-checkzone example.local /etc/bind/zones/db.example.local. named-checkconf prints nothing on success, and named-checkzone prints OK; fix any reported error before restarting.

    How do I restart BIND9 after making configuration changes?

    Restart BIND9 using: sudo systemctl restart named. Always run named-checkconf first to ensure there are no configuration errors before restarting, as errors will cause named to fail to start.

    How do I secure BIND9 on Ubuntu?

    Secure BIND9 by: restricting recursion to internal IPs using allow-recursion, hiding the BIND version with version none, enabling DNSSEC validation with dnssec-validation auto, restricting zone transfers, using UFW to allow only port 53 from trusted sources, and regularly reviewing named logs.
