BIND 9 DNS setup for local domain names

As a developer, you may need a server on the local network to be accessible via HTTPS. This is the first episode of a guide on how you can achieve this: we start by spinning up a BIND 9 DNS service on your LAN so that the web server can be reached by name.

July 05, 2020

I am currently working on an intranet application that might not be connected to the Internet at all. Its purpose would be to help the medical personnel of a hospital facing a flood of patients due to a hypothetical natural catastrophe. Our first objective would be to secure the communication between the client application and the server. Before generating our own SSL certificates we need a local domain name first.

Installing BIND 9 on Ubuntu Server 20.04

According to the Internet Systems Consortium, "BIND 9 has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system".

Update the apt cache:

sudo apt update

Install BIND:

sudo apt install bind9 bind9utils bind9-doc

Since we do not use IPv6 on our local network, restrict BIND to IPv4 by editing /etc/default/bind9:

...
OPTIONS="-u bind -4"

Configuring BIND 9

We only want to answer recursive DNS queries coming from the private network, so we edit /etc/bind/named.conf.options like so:

options {
  directory "/var/cache/bind";
  dnssec-validation auto;
  version "not currently available";
  recursion yes;
  allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

We define two zones inside /etc/bind/named.conf.local, a forward zone for the domain name and its matching reverse zone:

zone "medical.equipment" {
  type master;
  file "/etc/bind/zones/db.medical.equipment";
};

zone "1.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/zones/db.192.168";
};

Those two zone files do not exist yet, so we first create the folder and then the files themselves:

sudo mkdir /etc/bind/zones
sudo nano /etc/bind/zones/db.medical.equipment

As you will notice, we not only define the SOA and NS records but also A records for the various names needed later by the NGINX web server, and an MX (mail exchanger) record because we will also have a local mailing system. The IP address 192.168.1.10 is allocated to the server.

;
$TTL    604800
@       IN      SOA     medical.equipment. root.medical.equipment. (
                             14         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

;
@               IN      NS      medical.equipment.

;
@               IN      A       192.168.1.10

;
@               IN      MX      10              mail.medical.equipment.

;
www             IN      A       192.168.1.10
mail            IN      A       192.168.1.10
www.mail        IN      A       192.168.1.10
mailadmin       IN      A       192.168.1.10
www.mailadmin   IN      A       192.168.1.10

Let's create the records for the reverse zone name now:

sudo nano /etc/bind/zones/db.192.168

;
$TTL    604800
@       IN      SOA     medical.equipment. root.medical.equipment. (
                              15        ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

;
@               IN      NS      medical.equipment.
@               IN      A       192.168.1.10

;
10             IN      PTR     medical.equipment.
10             IN      PTR     mail.medical.equipment.
10             IN      PTR     mailadmin.medical.equipment.

Before restarting the named service, we should check that our configuration and zone files are correct. If we made a mistake, the named-checkconf and named-checkzone utilities will show us where the corrections are needed (the zone name passed to named-checkzone must match the one declared in named.conf.local):

sudo named-checkconf
sudo named-checkzone medical.equipment /etc/bind/zones/db.medical.equipment
sudo named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192.168
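named-checkzone validates each zone on its own, but it does not verify that the forward and reverse zones agree with each other. The following script is an added example (not part of the original guide) that parses both files and checks that every PTR points at a name whose A record carries that IP, and that the NS and MX targets have A records in the zone; the zone texts are constructed excerpts of the files above.

```python
import re
# Constructed excerpts of this guide's two zone files (comments dropped).
FORWARD_ZONE = """\
$TTL 604800
@    IN SOA medical.equipment. root.medical.equipment. (
            14 604800 86400 2419200 604800 )
@    IN NS  medical.equipment.
@    IN A   192.168.1.10
@    IN MX  10 mail.medical.equipment.
mail IN A   192.168.1.10
mailadmin IN A 192.168.1.10
"""
REVERSE_ZONE = """\
@  IN SOA medical.equipment. root.medical.equipment. 15 604800 86400 2419200 604800
@  IN NS  medical.equipment.
10 IN PTR medical.equipment.
10 IN PTR mail.medical.equipment.
10 IN PTR mailadmin.medical.equipment.
"""

def parse_zone(text, origin):
    """Yield (owner_fqdn, rtype, rdata) handling ';' comments, $TTL, '@' and a parenthesised SOA."""
    text = "\n".join(l.split(";", 1)[0] for l in text.splitlines())
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("$"):
            continue
        owner = origin if f[0] == "@" else (f[0][:-1] if f[0].endswith(".") else f"{f[0]}.{origin}")
        i = f.index("IN")
        yield owner, f[i + 1], f[i + 2:]

def cross_check(fwd_origin, fwd_text, rev_origin, rev_text):
    """Return a list of inconsistencies between a forward and a reverse zone."""
    fwd = list(parse_zone(fwd_text, fwd_origin))
    a = {}  # name -> set of IPv4 addresses from A records
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a.setdefault(owner, set()).add(rdata[0])
    problems = []
    for owner, rtype, rdata in fwd:  # NS/MX targets must have an address in the zone
        if rtype in ("NS", "MX") and rdata[-1].rstrip(".") not in a:
            problems.append(f"{rtype} target {rdata[-1]} has no A record")
    for owner, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":  # turn the in-addr.arpa owner back into an IP address
            ip = ".".join(reversed(owner[:-len(".in-addr.arpa")].split(".")))
            name = rdata[0].rstrip(".")
            if ip not in a.get(name, set()):
                problems.append(f"PTR {ip} -> {name} but {name} has no A record {ip}")
    return problems
```

Run it against the real files with `cross_check("medical.equipment", open("/etc/bind/zones/db.medical.equipment").read(), "1.168.192.in-addr.arpa", open("/etc/bind/zones/db.192.168").read())`; an empty list means the two zones agree.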

Let's restart BIND to take into account our customized settings:

sudo systemctl restart named

Make sure the Ubuntu firewall (UFW) allows connections from the local network to port 53:

sudo ufw allow in from 192.168.1.0/24 to any port 53

Configuring the network connection for local clients and testing

On every LAN device that should have access to the web applications and the email services, set the DNS server to the IP of the server, 192.168.1.10.

To test the new DNS settings we need two utilities, dig and nslookup. On Ubuntu we can install them like so:

sudo apt install dnsutils

Now let's test our settings. All of these names should resolve to the 192.168.1.10 server:

dig medical.equipment
dig www.medical.equipment
dig mail.medical.equipment
dig www.mail.medical.equipment
dig mailadmin.medical.equipment
dig www.mailadmin.medical.equipment
dig -t mx medical.equipment

Running nslookup without arguments and pressing Enter lets you check the names above interactively. To check the MX record, type set type=mx, press Enter, then type medical.equipment. For a reverse lookup you can use host 192.168.1.10, and you should get back:

10.1.168.192.in-addr.arpa domain name pointer mailadmin.medical.equipment.
10.1.168.192.in-addr.arpa domain name pointer mail.medical.equipment.
10.1.168.192.in-addr.arpa domain name pointer medical.equipment.