Configure BIND as a forwarding, caching and local domain resolving DNS Server in Ubuntu

Submitted on Fri, 08/14/2020 - 16:46


This documentation is about configuring BIND as a DNS server on Ubuntu. The DNS server is expected to do three things:

1. Resolve the local FQDN web.ddc to its private IP,

2. Resolve global domains by forwarding the queries to Google's Public DNS servers, and

3. Cache the query results for faster access in the future.

Important Details:

Host Private IP: (This could be a web server.)

Hostname: web

Private FQDN: web.ddc

DNS Server's Private IP: 

Note: This scenario assumes the DNS server and the host are the same node in the network, so the two private IPs above are the same address. It is also assumed that BIND is already installed in the OS.



Note: # indicates root access

First Part

Summary: Configure the hostname, the FQDN and the DNS resolver, and disable dnsmasq.


1. Configure hostname

# vim /etc/hostname

web

Save and exit

2. Configure FQDN

# vim /etc/hosts

<Host Private IP>   web.ddc   web

Save and exit

Note: On the line for the host's IP address the FQDN must be the first name, followed by the hostname; hostname -f derives the FQDN from the first name listed for the host's own address.

On newer Ubuntu releases such as 16.04, which use systemd, the hostname is managed by hostnamectl. It writes /etc/hostname and applies the new name to the running system at once, so use it instead of editing the file by hand:

i. Set the hostname with the following command

# hostnamectl set-hostname web

ii. Configure the FQDN by editing /etc/hosts exactly as above:

<Host Private IP>   web.ddc   web

3. Check the newly configured hostname and FQDN with the following commands

# hostname (checks hostname)

Expected output:

web

# hostname -f (checks FQDN)

Expected output:

web.ddc

4. Configure Ubuntu's resolver to use our BIND DNS server

Main configuration file: /etc/resolv.conf

# vim /etc/resolv.conf

nameserver <DNS Server's Private IP>

Save and exit

Usually this file is generated by resolvconf from the information the DHCP client receives from the router, so a direct edit is lost the next time the file is regenerated.

To make sure our DNS server is always used first, we put it in /etc/resolvconf/resolv.conf.d/head, whose contents resolvconf places at the top of the generated file:

# vim /etc/resolvconf/resolv.conf.d/head

nameserver <DNS Server's Private IP>

Save and exit

This makes sure that, even if the router provides other DNS servers, our server gets top priority. The order matters: the resolver tries the nameserver entries in the order listed and only moves on to the next one when a server does not answer, not when it answers NXDOMAIN, so a server listed after ours would never be asked about web.ddc while ours is up.

For example, if the router's DHCP configuration hands out the router itself as DNS server, the generated /etc/resolv.conf will read:

nameserver <DNS Server's Private IP>
nameserver <router's DNS server>

The first line came from /etc/resolvconf/resolv.conf.d/head, whereas the second came from the router's DHCP lease.

5. Regenerate resolv.conf after making the necessary changes

# resolvconf -u

Note: On Ubuntu 18.04 and later, /etc/resolv.conf is managed by systemd-resolved rather than resolvconf. There the DNS server is set with DNS= in /etc/systemd/resolved.conf (or as the nameservers in the netplan configuration), and the head file is not consulted.

6. Disable dnsmasq

# vim /etc/NetworkManager/NetworkManager.conf

#dns=dnsmasq (dnsmasq disabled by commenting out the line)

Save and exit, then restart NetworkManager so that it stops dnsmasq and regenerates the resolver configuration:

# service network-manager restart

Note: NetworkManager runs dnsmasq, a lightweight DNS and DHCP server, as a local caching resolver listening on 127.0.1.1 and points /etc/resolv.conf at it, so the host's own queries would go to dnsmasq instead of BIND. Disabling it also avoids two services competing for port 53. To confirm that only BIND (named) is listening on port 53 afterwards:

# ss -tulpn | grep ':53 '
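The whole of the first part as one script, added here as an example and not taken from the original page. It assumes a private IP of 192.168.1.10 for the host (the page leaves the address blank) and a router at 192.168.1.1 handed out by DHCP for the preview; by default it renders into a scratch directory so the result can be inspected, and it only touches the live system when run as root with ROOT=/.

```shell
#!/bin/sh
# Added example, not from the original page. Applies Part One (hosts entry,
# resolvconf head file, NetworkManager's dnsmasq disabled) under $ROOT.
# Assumed: host/DNS private IP 192.168.1.10 (left blank on the page). ROOT
# defaults to a scratch directory; run as root with ROOT=/ for the live system.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
HOST_IP="${HOST_IP:-192.168.1.10}"
SHORT="web"
FQDN="web.ddc"

# /etc/hosts: for the host's IP the FQDN comes first, then the short name.
# Any existing line for that IP is replaced, so re-running adds no duplicate.
write_hosts_entry() {
    f="$ROOT/etc/hosts"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    awk -v ip="$HOST_IP" '$1 != ip' "$f" > "$f.tmp"
    printf '%s\t%s\t%s\n' "$HOST_IP" "$FQDN" "$SHORT" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# resolvconf(8) assembles /etc/resolv.conf from head, then the DHCP-supplied
# data, then tail, so a nameserver line in head is always the first one tried.
write_resolvconf_head() {
    f="$ROOT/etc/resolvconf/resolv.conf.d/head"
    mkdir -p "$(dirname "$f")"
    printf 'nameserver %s\n' "$HOST_IP" > "$f"
}

# Comment out dns=dnsmasq; already commented lines are left alone, so this is
# safe to run repeatedly.
disable_nm_dnsmasq() {
    f="$ROOT/etc/NetworkManager/NetworkManager.conf"
    [ -f "$f" ] || return 0
    sed -i 's/^[[:space:]]*dns=dnsmasq/#dns=dnsmasq/' "$f"
}

# Emulate the resolvconf merge: our head entry followed by whatever DHCP
# handed out ($1, may be empty), to preview the resulting resolv.conf.
preview_resolv_conf() {
    cat "$ROOT/etc/resolvconf/resolv.conf.d/head"
    if [ -n "${1:-}" ]; then printf 'nameserver %s\n' "$1"; fi
}

# First nameserver in a resolv.conf-style file (or stdin): the check that our
# server really is the one with top priority.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$@"
}

apply_part_one() {
    write_hosts_entry
    write_resolvconf_head
    disable_nm_dnsmasq
    if [ "$ROOT" = "/" ]; then               # live system only
        hostnamectl set-hostname "$SHORT"
        resolvconf -u
        service network-manager restart
    fi
}

apply_part_one
echo "rendered under $ROOT"
cat "$ROOT/etc/hosts"
preview_resolv_conf 192.168.1.1   # 192.168.1.1: assumed router address from DHCP
```

Running it twice leaves exactly one line for the host in /etc/hosts and one #dns=dnsmasq line, which is the property to check before pointing it at the real files.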

Second Part

Summary: Configure the BIND DNS server and its trusted clients.


1. Configure trusted clients, forwarding to Google's DNS servers, and enable recursion

# vim /etc/bind/named.conf.options

acl "trusted" {
    <trusted client addresses or network>;   # the nodes in the network which may use this DNS server
};

options {
    directory "/var/cache/bind";

    recursion yes;                     # enables DNS recursion
    allow-recursion { trusted; };      # enables DNS recursion only for trusted DNS clients

    listen-on { <DNS Server's Private IP>; };   # IP address the DNS server listens on

    forwarders {
        <Google Public DNS server 1>;  # BIND forwards queries for global domains to Google's DNS servers
        <Google Public DNS server 2>;
    };

    dnssec-validation auto;            # enables DNSSEC validation
    auth-nxdomain no;                  # conform to RFC1035
};

Save and exit

Note: allow-recursion is what keeps this server from becoming an open resolver that anyone able to reach it could use for DNS amplification attacks; only the addresses in the trusted ACL get recursive service. It does not restrict plain (non-recursive) queries, so if the server is reachable from outside the private network add allow-query { trusted; }; as well. With forwarders configured, BIND still falls back to resolving iteratively on its own when the forwarders fail to answer; add forward only; if you want it to rely on Google's servers exclusively.


2. Define a local zone named "ddc" and map it to the zone file "db.ddc"

# vim /etc/bind/named.conf.local

zone "ddc" {
    type master;
    file "/etc/bind/zones/db.ddc";   # path to zone file
};

Save and exit

Note: you can similarly define a reverse zone and map it to a reverse zone file.


3. Create the zones folder and the db.ddc file (the path must match the file statement above)

# mkdir /etc/bind/zones

# cd /etc/bind/zones

# vim db.ddc

$TTL    604800

@       IN      SOA     web.ddc. admin.web.ddc. (
                       20160520         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

;nameserver NS record
                        IN      NS      web.ddc.

;nameserver A record
web.ddc.           IN      A       <Host Private IP>

Save and exit

Note: admin.web.ddc. in the SOA record is the zone contact's e-mail address written with the @ replaced by a dot (admin@web.ddc). The serial must be increased every time the zone file changes, otherwise secondary servers and caches keep the old data; a date-based serial of the form YYYYMMDDnn is the usual convention. The value set here is what named-checkzone reports below.

4. Check for syntax errors in the recently configured named.conf.local and named.conf.options files

# named-checkconf

Expected output: return to prompt (no output when there are no syntax errors).

In case of an error, you will receive a message naming the file and line, which you can use to fix the error.

5. Check the zone file "db.ddc" against the zone "ddc" (the zone name is the one declared in named.conf.local, not the hostname)

# named-checkzone ddc db.ddc

Expected output:

zone ddc/IN: loaded serial 20160520
OK

6. Restart the bind service

# service bind9 restart

7. Test the configuration

# dig web.ddc

Expected output (the relevant sections):

;; QUESTION SECTION:
;web.ddc.            IN    A

;; ANSWER SECTION:
web.ddc.        604800    IN    A    <Host Private IP>

;; AUTHORITY SECTION:
ddc.            604800    IN    NS    web.ddc.

Also check the ;; SERVER: line at the bottom of the output: it must show our DNS server's private IP, otherwise the answer came from a different resolver (for example NetworkManager's dnsmasq on 127.0.1.1). To test forwarding and caching, query any global domain twice: the first answer comes through Google's servers, the second is served from BIND's cache with a lower TTL and a shorter "Query time".
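The second part as one script, added here as an example rather than taken from the page. It writes the two configuration fragments and the ddc zone into a scratch directory (BIND_DIR=/etc/bind on the real server), hardens the options beyond what the page shows (allow-query and allow-transfer restricted, forward only), bumps a YYYYMMDDnn serial on every run, and validates the result with named-checkconf and named-checkzone when they are installed. The trusted network 192.168.1.0/24 and the server address 192.168.1.10 are assumptions; 8.8.8.8 and 8.8.4.4 are Google's Public DNS addresses, which the page leaves blank.

```shell
#!/bin/sh
# Added example, not the page's own files. Renders Part Two (named.conf.options,
# named.conf.local, the ddc zone) into $BIND_DIR and validates it. Assumed values
# the page leaves blank: trusted network 192.168.1.0/24, server and web host
# 192.168.1.10; 8.8.8.8 and 8.8.4.4 are Google's Public DNS addresses.
set -eu

BIND_DIR="${BIND_DIR:-$(mktemp -d)}"   # /etc/bind on the real server
TRUSTED_NET="192.168.1.0/24"
SERVER_IP="192.168.1.10"
ZONE="ddc"

render_named_conf_options() {
cat <<EOF
acl "trusted" {
    127.0.0.1;
    $TRUSTED_NET;                  # nodes allowed to use this server
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { trusted; };  # not an open resolver: refuse everyone else
    allow-recursion { trusted; };
    allow-transfer  { none; };     # no zone transfers to strangers
    listen-on { 127.0.0.1; $SERVER_IP; };
    listen-on-v6 { none; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;                  # never fall back to iterative resolution
    dnssec-validation auto;
    auth-nxdomain no;              # conform to RFC1035
};
EOF
}

render_named_conf_local() {
cat <<EOF
zone "$ZONE" {
    type master;
    file "$BIND_DIR/zones/db.$ZONE";
};
EOF
}

# Serial as YYYYMMDDnn: the same day bumps nn, a new day restarts at 01.
# $1 = serial currently in the zone file (may be empty), $2 = today as YYYYMMDD.
next_serial() {
    cur="${1:-0}"; today="$2"
    case "$cur" in
        "$today"[0-9][0-9]) printf '%d\n' $((cur + 1)) ;;
        *)                  printf '%s01\n' "$today" ;;
    esac
}

# Serial recorded in zone file $1, empty if the file does not exist yet.
current_serial() {
    [ -f "$1" ] || return 0
    awk '/; *Serial/ { print $1; exit }' "$1"
}

render_zone() {                       # $1 = serial
cat <<EOF
\$TTL    604800
@       IN      SOA     web.$ZONE. admin.web.$ZONE. (
                        $1          ; Serial
                        604800      ; Refresh
                        86400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Negative Cache TTL

        IN      NS      web.$ZONE.
web.$ZONE.      IN      A       $SERVER_IP
EOF
}

# Write all three files with a bumped serial; prints the serial used.
write_all() {
    today="${1:-$(date +%Y%m%d)}"
    zf="$BIND_DIR/zones/db.$ZONE"
    mkdir -p "$BIND_DIR/zones"
    render_named_conf_options > "$BIND_DIR/named.conf.options"
    render_named_conf_local   > "$BIND_DIR/named.conf.local"
    serial="$(next_serial "$(current_serial "$zf")" "$today")"
    render_zone "$serial" > "$zf"
    printf '%s\n' "$serial"
}

# BIND's own checkers when installed; otherwise make sure the zone has SOA and NS.
check_config() {
    zf="$BIND_DIR/zones/db.$ZONE"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$BIND_DIR/named.conf.options"
        named-checkconf "$BIND_DIR/named.conf.local"
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$zf"
    else
        grep -q 'IN[[:space:]]*SOA' "$zf" && grep -q 'IN[[:space:]]*NS' "$zf"
    fi
}

serial="$(write_all)"
check_config
echo "rendered into $BIND_DIR with serial $serial"
```

On the server, run it as root with BIND_DIR=/etc/bind and then service bind9 restart; the printed serial is the one named-checkzone reports and the one dig shows in the SOA answer, which makes it easy to confirm that the running server loaded the latest file.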




Finally, we set the router's DHCP configuration to hand out our DNS server's private IP as the primary DNS server. This way, when computers connect to our private network, the router provides our server as their primary DNS server. The secondary DNS server can be any other DNS server, but keep in mind that clients fall back to it whenever our server fails to answer, and it knows nothing about web.ddc. With this in place the local domain web.ddc, which resolves to the host's private IP, is reachable from all computers in the private network, and the same computers reach global domains through our server's forwarding to Google's DNS servers.