Complete Guide: Production-Grade DNS Setup on Linux (Step-by-Step)

Category: Technology

Tags: DNS, BIND, Linux, DNS Server, DNS Setup, Production DNS, Enterprise DNS, DNS Security, SELinux, AppArmor, DNS Views, DNS Forwarding, DNSSEC, Network Infrastructure, Server Administration, DNS Configuration, DNS Tutorial, DNS Best Practices, DNS Monitoring, Split DNS, Recursive DNS

Posted on 2025-05-17T05:06:03.813586

DNS is a foundational component of modern networks. Setting up a reliable, secure, and scalable DNS server is essential for any organization’s IT infrastructure. In this article, I’ll walk you through a production-grade DNS server setup on Linux using BIND, with best practices and security considerations.

Why DNS Matters

The Domain Name System (DNS) translates human-readable domain names like example.com into IP addresses. Without DNS, every connection would require typing IPs manually. DNS servers can be:

  • Authoritative: Serve DNS records for your domains.
  • Recursive/Resolver: Resolve queries from clients, caching answers.
  • Forwarders: Forward queries to upstream servers.

This guide focuses on setting up authoritative and recursive DNS with security and reliability.

Choosing the Right Linux Distro

For enterprise-grade DNS:

  • AlmaLinux or Rocky Linux (RHEL-compatible, stable, secure, minimal install)
  • Debian or Ubuntu (widely used, simpler AppArmor security)
  • Avoid bloated distros for DNS servers; go for minimal installs.

Security frameworks:

  • SELinux (default on RHEL/Alma/Rocky) – powerful, granular but complex
  • AppArmor (default on Debian/Ubuntu) – easier to manage, path-based

Step 1: Installing BIND

On RHEL-based distros:

sudo dnf install bind bind-utils -y

On Debian/Ubuntu:

sudo apt-get update
sudo apt-get install bind9 dnsutils -y

Step 2: Basic BIND Configuration

Edit /etc/named.conf (RHEL-based) or /etc/bind/named.conf.options (Debian/Ubuntu), putting the acl block before the options block:

acl trustedclients {
    10.26.0.0/24;
    127.0.0.1;
};

options {
    directory "/var/named";              // Debian/Ubuntu: "/var/cache/bind"
    listen-on port 53 { 127.0.0.1; 10.26.0.11; };
    allow-query { trustedclients; };
    recursion yes;
    allow-recursion { trustedclients; }; // never offer recursion to arbitrary clients
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
    // "dnssec-enable" was deprecated in BIND 9.16 and no longer exists in current
    // releases (named-checkconf rejects it); "dnssec-validation auto" is sufficient.
    dnssec-validation auto;
};

Step 3: Creating Zones

Add the zone to named.conf (RHEL-based) or /etc/bind/named.conf.local (Debian/Ubuntu):

zone "example.com" IN {
    type master;              // "primary" is the equivalent keyword in BIND 9.16+
    file "example.com.zone";  // relative to the "directory" set in options
    allow-update { none; };   // no dynamic updates on a hand-edited zone
};

Step 4: Writing a Zone File

Create example.com.zone in the BIND directory configured in Step 2 (/var/named/example.com.zone on RHEL-based systems):

$TTL 86400
@   IN  SOA ns1.example.com. admin.example.com. (
        2025051701 ; Serial (YYYYMMDDNN; must increase on every edit)
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400      ; Negative Cache TTL
)
@       IN  NS      ns1.example.com.
; ns1 must resolve to the address this server listens on (see listen-on in Step 2)
ns1     IN  A       10.26.0.11
www     IN  A       10.26.1.100

Step 5: Configuring DNS Views (Split DNS)

Views allow serving different DNS responses based on client IP (e.g., internal vs external). Views are matched in order, so the catch-all "external" view must come last, and once any view is defined every zone (including the one from Step 3) has to live inside a view, because named refuses to start with a mix of top-level and per-view zones:

acl "internal" {
    10.26.0.0/24;
};

acl "external" {
    any;
};

view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal.example.com.zone";
    };
};

view "external" {
    match-clients { external; };
    // The global allow-query (trustedclients) is inherited by every view; without
    // this override, outside clients would get REFUSED instead of the public zone.
    allow-query { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external.example.com.zone";
    };
};

Step 6: Validating and Reloading BIND Configuration

sudo named-checkconf
sudo named-checkzone example.com /var/named/example.com.zone
sudo rndc reload

Step 7: Testing Your DNS Server

Use dig from a host inside the trusted range, pointing it at the address BIND listens on (Step 2):

dig @10.26.0.11 example.com
dig @10.26.0.11 www.example.com

Step 8: Securing Your DNS Server

  • Run BIND as a non-root user (the packages do this by default: named on RHEL-based systems, bind on Debian/Ubuntu)
  • Configure SELinux/AppArmor policies. On RHEL-based systems, for example:

sudo setsebool -P named_write_master_zones 1   # only if named must write zone files (dynamic updates, inline signing)
sudo setsebool -P named_tcp_bind_http_port 1   # only if you expose the statistics channel
sudo restorecon -Rv /var/named

  • Enable logging and monitor query logs
  • Limit recursion to trusted clients (allow-recursion) and enable DNSSEC validation for data integrity
  • Use a firewall to allow DNS traffic (53/udp and 53/tcp) only from trusted clients

Step 9: Monitoring and Maintenance

  • Regularly check logs and zone file syntax
  • Use named-checkzone before applying changes
  • Automate zone file backups and increment serial numbers properly
  • Monitor query rates and server health
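Serial handling done safely, as an added Python example that is not part of the original post: it rewrites the "; Serial" line of a zone file in the YYYYMMDDNN layout used in Step 4, handles a second edit on the same day and a serial that is already ahead of today's date, and checks the result with RFC 1982 serial arithmetic, which is what secondaries use to decide whether a transfer is needed. The sample zone text is constructed, and `today` is passed as an integer YYYYMMDD (an assumption of this script) so runs are reproducible.

```python
import re
from datetime import date

# Matches the SOA serial line in the Step 4 layout: indent, digits, "; Serial" comment.
SERIAL_RE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*Serial\b.*)$", re.MULTILINE)

# Constructed sample zone (not a real deployment), mirroring the Step 4 file.
SAMPLE_ZONE = """$TTL 86400
@   IN  SOA ns1.example.com. admin.example.com. (
        2025051701 ; Serial
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400      ; Negative Cache TTL
)
@       IN  NS      ns1.example.com.
ns1     IN  A       10.26.0.11
"""

def serial_gt(a, b):
    """RFC 1982 serial arithmetic on 32-bit serials (wraparound-aware). Secondaries
    only transfer when the new serial is 'greater'; a gap of exactly 2**31 is undefined."""
    a, b = a % 2**32, b % 2**32
    return a != b and ((a > b and a - b < 2**31) or (a < b and b - a > 2**31))

def next_serial(current, today=None):
    """Next YYYYMMDDNN serial strictly greater than `current` (`today` is an int
    YYYYMMDD, defaulting to the real date): today's date with NN=01, or NN+1 if the
    zone was already edited today. If `current` is somehow ahead of today (clock skew,
    a typo in the year), add 1 rather than move backwards, which secondaries ignore."""
    base = (today or int(date.today().strftime("%Y%m%d"))) * 100
    candidate = base + 1 if current < base else current + 1
    if not serial_gt(candidate, current):
        raise ValueError(f"serial {candidate} would not supersede {current}")
    return candidate

def bump_zone_serial(zone_text, today=None):
    """Rewrite the SOA serial in `zone_text`; return (new_text, old_serial, new_serial)."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; Serial' line found in SOA record")
    old = int(m.group(2))
    new = next_serial(old, today)
    new_text = zone_text[:m.start()] + m.group(1) + str(new) + m.group(3) + zone_text[m.end():]
    return new_text, old, new

if __name__ == "__main__":
    _, old, new = bump_zone_serial(SAMPLE_ZONE, today=20250517)
    print(f"serial {old} -> {new}")  # serial 2025051701 -> 2025051702
```

Run named-checkzone on the rewritten file before reloading, exactly as Step 6 does; a serial that goes backwards passes the syntax check but secondaries will never pick the change up.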

Conclusion

A well-configured DNS server is crucial for network stability and security. Using BIND on a minimal, secure Linux distro with ACLs, views, DNSSEC, and proper monitoring ensures your DNS infrastructure is robust and reliable.