MASTER
THE NAME SYSTEM

// The phonebook of the internet.

DNS IS THE BACKBONE OF THE WEB.

Every time you type a URL, DNS translates that human-readable domain into an IP address. Without DNS, you'd be typing "142.250.185.78" instead of "google.com".

WHY RUN YOUR OWN DNS?

Self-hosted DNS gives you complete control over your domain, faster resolution, privacy from third-party DNS providers, and the ability to create custom internal domains for your network.

TAKE BACK CONTROL.

Learn to configure BIND, manage DNS records, set up DNSSEC, and implement DNS caching. Become the authority for your own domains.

// The Path to Mastery

12 lessons. Complete DNS control.

LESSON 01

Introduction to DNS

How domain names work and DNS fundamentals

Beginner
LESSON 02

Installing BIND9

Set up your own DNS server

Beginner
LESSON 03

BIND Configuration Basics

named.conf and zone file structure

Beginner
LESSON 04

Zone Files

Create and manage DNS zone records

Intermediate
LESSON 05

Configuring Zones in BIND

Master zones and record types

Intermediate
LESSON 06

Slave Zones & Transfers

Configure secondary DNS servers

Intermediate
LESSON 07

DNSSEC

Secure DNS with DNSSEC signatures

Advanced
LESSON 08

DNS Caching & Forwarding

Speed up DNS resolution

Intermediate
LESSON 09

Split DNS & Views

Different DNS responses for different networks

Advanced
LESSON 10

Troubleshooting DNS

dig, nslookup, and DNS debugging

Advanced
LESSON 11

Split-Horizon DNS

Internal vs external DNS configuration

Advanced
LESSON 12

Anycast DNS

Global DNS with BGP routing

Advanced

// Why DNS Matters

The Domain Name System (DNS) is often called the "phonebook of the internet." It translates domain names like "google.com" into IP addresses like "142.250.185.78" that computers use to identify each other.

DNS is hierarchical and distributed. Root servers (.) sit at the top, followed by TLD servers (.com, .org, .net), then authoritative nameservers for specific domains. This distributed architecture is what makes the internet scalable.

Running your own DNS server gives you:

The internet can't exist without DNS. Now you understand how it works.

// Tools & References

📖 Official Docs

BIND9 Documentation

bind9.readthedocs.io

🔧 IANA DNS

DNS Parameters Registry

iana.org/dns-parameters

🔐 DNSSEC

DNSSEC Deployment Guide

dnssec.net

🖥️ DNS Tools

Online DNS Lookup

digwebinterface.com

📡 Root Servers

Root Zone Information

root-servers.org

⚡ Cloudflare DNS

DNS Provider Reference

cloudflare.com/dns

// Introduction to DNS

What is DNS?

DNS (Domain Name System) is the phonebook of the internet. It translates human-readable domain names like example.com into IP addresses like 93.184.216.34 that computers use to communicate.

How DNS Works

When you type a URL in your browser:

  1. Your computer checks its local DNS cache
  2. If not found, it queries a recursive DNS resolver
  3. The resolver queries root DNS servers
  4. Root servers point to TLD servers (.com, .org, etc.)
  5. TLD servers point to authoritative name servers
  6. The authoritative server returns the IP address

DNS HIERARCHY: Root → TLD (.com, .net) → Domain (example.com) → Subdomain (www.example.com)

DNS Record Types

Record   Purpose
A        IPv4 address
AAAA     IPv6 address
CNAME    Alias to another domain
MX       Mail server
NS       Name server
TXT      Text records (SPF, DKIM)

Why Run Your Own DNS?

  • Privacy: Don't rely on third-party resolvers that log queries
  • Control: Full control over your domain's DNS records
  • Speed: Local caching for faster resolution
  • Security: Block malicious domains at the DNS level
  • Learning: Understand how the internet actually works

Quiz

1. DNS translates domain names to _____.

Hint: Numbers computers use

2. A records map to _____ addresses.

Hint: 32-bit addresses

3. MX records specify _____ servers.

Hint: Email

4. CNAME creates an _____.

Hint: Points to another name

Answers

  1. IP addresses
  2. IPv4
  3. mail
  4. alias

// Installing BIND9

What is BIND?

BIND (Berkeley Internet Name Domain) is the most widely used DNS server software. It's free, open-source, and runs on most Unix-like systems.

Installation on Ubuntu/Debian

$ sudo apt update
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Reading package lists... Done

$ sudo apt install bind9 bind9utils bind9-dnsutils
Reading package lists... Done
The following NEW packages will be installed:
  bind9 bind9utils bind9-dnsutils
Do you want to continue? [Y/n] y

Installation on CentOS/RHEL

$ sudo dnf install bind bind-utils
Last metadata expiration check: 0:00:01 ago
Package bind-32:9.16.23-1.el9.x86_64 is already installed.

Starting and Enabling BIND

$ sudo systemctl start named     # Start BIND
$ sudo systemctl enable named    # Enable on boot
$ sudo systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/lib/systemd/system/named.service; enabled)
     Active: active (running)

BIND File Structure (Ubuntu/Debian)

  • /etc/bind/ - Main configuration directory
  • /etc/bind/named.conf - Main config file
  • /etc/bind/named.conf.options - Global options
  • /etc/bind/named.conf.local - Local zone definitions
  • /etc/bind/named.conf.zones - Zone file declarations
  • /etc/bind/db.* - Template zone files
  • /var/cache/bind/ - Working directory
  • /var/log/named/ - Log files

Testing Your Installation

$ named -v
BIND 9.18.1 (Extended Support Version)
$ dig @127.0.0.1 google.com    # Test local DNS

Quiz

1. DNS translates _____ to IP addresses.

Hint: Like google.com

2. The root of DNS hierarchy is marked by _____.

Hint: Dot

3. An A record maps a domain to an _____ address.

Hint: Version 4

4. MX records are used for _____.

Hint: Mail exchange

5. CNAME creates an _____.

Hint: Canonical name

6. The dig command is used for _____ queries.

Hint: DNS lookup

7. A _____ record holds authority information.

Hint: Start of Authority

8. AAAA records store _____ addresses.

Hint: Version 6

Answers

  1. domain names
  2. .
  3. IPv4
  4. email
  5. alias
  6. DNS
  7. SOA
  8. IPv6

// BIND Configuration Basics

Understanding BIND Configuration

BIND configuration is split across multiple files. Understanding this structure is essential for effective DNS administration.

Main Configuration Files

/etc/bind/named.conf

The primary configuration file that includes other files:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

Global options for the DNS server. Note that recursion yes combined with allow-query { any; } makes the server an open resolver for anyone who can reach it; on an internet-facing server, limit allow-query (or allow-recursion) to your own networks, as the allow-query example further down does:

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { any; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation auto;
        listen-on { any; };
};

Key Directives

recursion

Allow recursive queries (for caching resolver):

recursion yes;

allow-query

Who can query this server:

allow-query { 192.168.1.0/24; localhost; };

forwarders

Upstream DNS servers for queries:

forwarders { 8.8.8.8; 8.8.4.4; };

listen-on

Interfaces to listen on:

listen-on { 127.0.0.1; 192.168.1.1; };

Testing Configuration

$ sudo named-checkconf           # Check configuration syntax
$ sudo systemctl reload named    # Reload configuration

IMPORTANT: Always test configuration with named-checkconf before reloading. Syntax errors can prevent BIND from starting.

Quiz

1. BIND stands for _____ Internet Name Domain.

Hint: University name

2. On Ubuntu, BIND is installed with _____.

Hint: Package manager

3. On CentOS, the package is called _____.

Hint: Not bind9

4. The BIND service is called _____.

Hint: Name daemon

5. The main config file is _____.

Hint: In /etc/bind/

6. dig @127.0.0.1 tests _____ DNS.

Hint: Local server

7. BIND runs as the _____ user by default.

Hint: Named user

8. bind9-utils contains _____ tools.

Hint: Helper programs

Answers

  1. Berkeley
  2. apt install bind9
  3. bind
  4. named
  5. named.conf
  6. local
  7. bind
  8. utility

// Zone Files

What are Zone Files?

Zone files contain DNS records for a domain. They define how to resolve your domain name to IP addresses and other information.

Creating a Forward Zone

Create /var/cache/bind/db.example.com:

$TTL 604800
@       IN SOA ns1.example.com. admin.example.com. (
                2026022501 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
@       IN NS    ns1.example.com.
@       IN NS    ns2.example.com.
@       IN A     192.168.1.10
@       IN MX    10 mail.example.com.
ns1     IN A     192.168.1.11
ns2     IN A     192.168.1.12
mail    IN A     192.168.1.20
www     IN CNAME @
ftp     IN CNAME @

Zone File Directives

  • $TTL: Default time-to-live for records
  • $ORIGIN: Default domain for unqualified names
  • @: Current origin (domain name)
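As an added example (not code from the lesson), here is a small Python parser and checker for the zone-file format shown above. It handles $TTL, $ORIGIN, the @ shorthand, ; comments, the parenthesised multi-line SOA and relative names, then applies the checks an operator wants before loading a zone: exactly one SOA at the apex, an NS at the apex, a serial that fits in 32 bits, no CNAME sharing a name with other records, and no NS or MX pointing at a CNAME. The sample zone is constructed from the lesson's db.example.com; the function names are my own.

```python
from collections import defaultdict

# Constructed sample in the lesson's format (an abbreviated db.example.com).
SAMPLE_ZONE = """\
$TTL 604800
@    IN SOA ns1.example.com. admin.example.com. (
         2026022501 ; Serial
         604800     ; Refresh
         86400      ; Retry
         2419200    ; Expire
         604800 )   ; Negative Cache TTL
@    IN NS ns1.example.com.
@    IN NS ns2.example.com.
@    IN A  192.168.1.10
@    IN MX 10 mail.example.com.
ns1  IN A  192.168.1.11
ns2  IN A  192.168.1.12
mail IN A  192.168.1.20
www  IN CNAME @
"""

NAME_TYPES = ("NS", "CNAME", "PTR", "MX", "SOA")   # rdata of these carries domain names

def _fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Parse zone-file text into (owner, ttl, type, [rdata]) tuples, names fully qualified."""
    origin = origin.lower().rstrip(".") + "."
    default_ttl, last_owner, pending, records = None, None, [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # ';' starts a comment
        if not line.strip():
            continue
        pending.append(line)
        joined = " ".join(pending)
        if joined.count("(") > joined.count(")"):       # record continues on the next line
            continue
        pending = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if joined[0] in " \t":                           # leading blank: reuse previous owner
            owner = last_owner
        else:
            owner = _fqdn(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens[0].isdigit():                         # optional explicit TTL
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":                   # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_TYPES:
            rdata = [t if t.isdigit() else _fqdn(t, origin) for t in rdata]
        records.append((owner, ttl, rtype, rdata))
    return records

def check_zone(records, origin):
    """Checks in the spirit of named-checkzone; returns a list of problems (empty = OK)."""
    origin = origin.lower().rstrip(".") + "."
    types_at = defaultdict(set)
    for owner, _, rtype, _ in records:
        types_at[owner].add(rtype)
    problems = []
    soas = [r for r in records if r[0] == origin and r[2] == "SOA"]
    if len(soas) != 1:
        problems.append("zone needs exactly one SOA record at the apex")
    elif not 0 <= int(soas[0][3][2]) < 2 ** 32:
        problems.append("SOA serial must fit in 32 bits")
    if "NS" not in types_at[origin]:
        problems.append("zone needs at least one NS record at the apex")
    for owner, rtypes in types_at.items():
        if "CNAME" in rtypes and len(rtypes) > 1:       # RFC 1034: a CNAME must stand alone
            problems.append(f"{owner}: CNAME coexists with other records")
    for owner, _, rtype, rdata in records:
        if rtype in ("NS", "MX") and "CNAME" in types_at.get(rdata[-1], ()):
            problems.append(f"{rtype} at {owner} points at {rdata[-1]}, which is a CNAME")
    return problems
```

Run check_zone(parse_zone(open(path).read(), "example.com"), "example.com") on a zone file to get an empty list for a clean zone, or a description of each problem found.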

Common Record Types

A Record (IPv4 Address)

server1 IN A 192.168.1.10

AAAA Record (IPv6 Address)

server1 IN AAAA 2001:db8::1

CNAME Record (Alias)

blog IN CNAME @

MX Record (Mail Exchange)

@       IN MX    10 mail.example.com.
@       IN MX    20 mail2.example.com.

TXT Record

@ IN TXT "v=spf1 mx -all"

Creating a Reverse Zone

For 192.168.1.0/24, create /var/cache/bind/db.1.168.192:

$TTL 604800
@       IN SOA ns1.example.com. admin.example.com. (
                2026022501 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
@       IN NS    ns1.example.com.
10      IN PTR   example.com.
11      IN PTR   ns1.example.com.
20      IN PTR   mail.example.com.

Testing Zone Files

$ sudo named-checkzone example.com /var/cache/bind/db.example.com
zone example.com/IN: loaded serial 2026022501
OK

Quiz

1. The main BIND config file is _____.

Hint: In /etc/bind/

2. The _____ directive allows recursive queries.

Hint: For caching

3. Forwarders send queries to _____.

Hint: External DNS

4. To test config, use _____.

Hint: Check configuration

5. listen-on specifies _____ addresses.

Hint: Network interfaces

6. allow-query controls who can _____.

Hint: DNS queries

7. The directory option sets the _____.

Hint: BIND working dir

8. After config changes, _____ named.

Hint: systemctl reload

Answers

  1. named.conf
  2. recursion
  3. upstream servers
  4. named-checkconf
  5. listen
  6. query
  7. working directory
  8. reload

// Configuring Zones in BIND

Declaring Zones in BIND

After creating zone files, you need to declare them in BIND configuration.

Adding a Zone to named.conf.local

zone "example.com" {
        type master;
        file "/var/cache/bind/db.example.com";
        allow-transfer { none; };
};

Zone Types

  • master: Primary DNS server (authoritative)
  • slave: Secondary server (receives transfers)
  • stub: Like slave but only NS records
  • forward: Forward queries to other servers
  • hint: Root hints for recursion

Adding a Reverse Zone

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.1.168.192";
        allow-transfer { none; };
};

Complete Configuration Example

// Forward zone for example.com
zone "example.com" {
        type master;
        file "/var/cache/bind/db.example.com";
        allow-transfer { 192.168.1.0/24; };
        also-notify { 192.168.1.12; };
};

// Reverse zone for 192.168.1.0/24
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.1.168.192";
        allow-transfer { 192.168.1.0/24; };
};

Zone Transfer Control

Secure your zones by controlling who can transfer:

allow-transfer { none; };                 # Block all transfers
allow-transfer { 192.168.1.0/24; };       # Allow a specific network
allow-transfer { key "transfer-key"; };   # Require a TSIG key

Testing and Reloading

$ sudo named-checkconf           # Check configuration
$ sudo systemctl reload named    # Reload BIND
$ dig @localhost example.com     # Test your zone

Quiz

1. Zone files contain _____ records.

Hint: DNS information

2. The SOA record contains _____ information.

Hint: Start of Authority

3. The serial number should _____ on updates.

Hint: Increment

4. CNAME creates a _____.

Hint: Canonical name

5. MX records are for _____.

Hint: Mail exchange

6. PTR records provide _____ DNS.

Hint: IP to name

7. To test a zone, use _____.

Hint: Check zone file

8. TXT records are commonly used for _____.

Hint: Sender Policy Framework

Answers

  1. DNS
  2. authority
  3. increase
  4. alias
  5. email
  6. reverse
  7. named-checkzone
  8. SPF

// Slave Zones & Transfers

What are Slave Zones?

Slave zones receive zone transfers from master servers, providing redundancy and load distribution.

Configuring a Slave Zone

zone "example.com" {
        type slave;
        file "/var/cache/bind/db.example.com";
        masters { 192.168.1.11; };
        allow-notify { 192.168.1.11; };
};

Key Slave Options

masters

IP addresses of master servers:

masters { 192.168.1.11; 192.168.1.12; };

allow-notify

Accept NOTIFY messages from:

allow-notify { 192.168.1.11; };

How Zone Transfers Work

  1. Master server detects zone change
  2. Master sends NOTIFY to slaves
  3. Slave requests AXFR (full transfer) or IXFR (incremental)
  4. Master sends zone data
  5. Slave saves to disk and serves
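The secondary's side of steps 2 and 3, as an added Python example that is not part of the lesson: a secondary only acts on a NOTIFY from an address listed in allow-notify, always re-queries the primary's SOA rather than trusting the NOTIFY, and compares serials with the RFC 1982 wraparound arithmetic BIND uses, which is why a serial that goes backwards leaves secondaries stale until it is pushed past their copy. SLAVE_ZONE mirrors the lesson's slave zone, and the soa_query callback stands in for a real SOA lookup (both are assumptions).

```python
# Added example: a secondary handling NOTIFY and deciding whether to transfer.
SERIAL_MOD = 1 << 32
HALF = 1 << 31

# Mirrors the lesson's slave zone configuration (assumed layout).
SLAVE_ZONE = {
    "masters": ["192.168.1.11"],
    "allow-notify": ["192.168.1.11"],
    "journal": True,          # a journal (.jnl) on the primary makes IXFR possible
}

def serial_gt(a, b):
    """RFC 1982: is serial a 'greater than' b? Handles the 32-bit wraparound."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def decide_refresh(local_serial, primary_serial, have_journal):
    """What the secondary does after comparing SOA serials: 'none', 'IXFR' or 'AXFR'."""
    if local_serial is None:
        return "AXFR"                      # no local copy yet: full transfer
    if not serial_gt(primary_serial, local_serial):
        return "none"                      # equal, or the primary's serial went backwards
    return "IXFR" if have_journal else "AXFR"

def handle_notify(src_ip, zone_cfg, local_serial, soa_query):
    """Simulate receiving NOTIFY: check the sender, re-query the SOA, then decide.
    soa_query(master_ip) -> serial the master currently serves (assumed callback)."""
    if src_ip not in zone_cfg["allow-notify"]:
        return "REFUSED"                   # NOTIFY from an unlisted source is ignored
    primary_serial = soa_query(zone_cfg["masters"][0])   # NOTIFY is only a hint
    return decide_refresh(local_serial, primary_serial, zone_cfg["journal"])

def next_serial(current, today_stamp):
    """YYYYMMDDnn convention: bump nn for a same-day change, else start today's series."""
    base = today_stamp * 100
    return base if current < base else current + 1
```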

TSIG Keys for Secure Transfers

Generate a TSIG key for secure zone transfers:

$ tsig-keygen -a hmac-sha256 transfer-key
key "transfer-key" {
        algorithm hmac-sha256;
        secret "abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=";
};

Add to both master and slave:

key "transfer-key" {
        algorithm hmac-sha256;
        secret "abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=";
};

Master configuration:

zone "example.com" {
        type master;
        file "/var/cache/bind/db.example.com";
        allow-transfer { key "transfer-key"; };
};

Slave configuration:

zone "example.com" {
        type slave;
        file "/var/cache/bind/db.example.com";
        masters { 192.168.1.11; };
        keys { "transfer-key"; };
};

Testing Zone Transfers

$ dig @192.168.1.11 example.com AXFR    # Request full zone transfer

When allow-transfer is limited to the TSIG key, this unsigned request should come back REFUSED; that refusal is the check that the restriction works. To exercise the authenticated path, sign the request with dig's -y option using the key name and secret.

Quiz

1. Zones are declared in _____.

Hint: Local config

2. A master zone is _____.

Hint: Authoritative

3. A slave zone _____.

Hint: From master

4. allow-transfer controls zone _____.

Hint: AXFR

5. also-notify notifies _____ servers.

Hint: Slave servers

6. Reverse zones use _____ notation.

Hint: Reverse DNS

7. The serial should _____ on updates.

Hint: Increment

8. To test config, use _____.

Hint: Check configuration

Answers

  1. named.conf.local
  2. primary
  3. receives transfers
  4. transfers
  5. secondary
  6. in-addr.arpa
  7. increase
  8. named-checkconf

// DNSSEC

What is DNSSEC?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, preventing DNS spoofing and cache poisoning attacks.

Why DNSSEC Matters

Without DNSSEC, an attacker can:

  • Intercept DNS queries
  • Return fake IP addresses
  • Redirect traffic to malicious sites

DNSSEC authenticates that DNS responses actually came from the authoritative server.

Enabling DNSSEC Validation

In named.conf.options (the dnssec-lookaside option, which configured the long-retired DLV registry, is obsolete and should not be set):

options {
        dnssec-validation auto;    # "auto" uses the built-in root trust anchor; "yes" requires trust anchors you configure yourself
};

Signing a Zone (Auto-Signed)

Enable automatic signing in zone configuration:

zone "example.com" {
        type master;
        file "/var/cache/bind/db.example.com";
        dnssec-policy default;    # BIND 9.16+: named generates keys, signs the zone and rolls keys
        inline-signing yes;       # named maintains a signed copy; your zone file stays unsigned
};
$ sudo systemctl reload named    # Reload to generate keys

Key Files Generated

$ ls -la /var/cache/bind/
db.example.com
db.example.com.jnl
Kexample.com.+005+12345.key
Kexample.com.+005+12345.private

In the key file names, 005 is the DNSSEC algorithm number and 12345 is the key tag; both must match the values in the DS record you publish at the parent.

DS Records

DS (Delegation Signer) records are used to chain trust from parent to child zone:

$ dnssec-dsfromkey Kexample.com.+005+12345.key
example.com. IN DS 12345 5 1 ABCDEF1234567890...
example.com. IN DS 12345 5 2 ABCDEF1234567890...

DS Record in Parent Zone

Add the DS record through your registrar's DNS management. Digest type 1 is SHA-1, which is deprecated for DS records, so prefer the digest type 2 (SHA-256) line from dnssec-dsfromkey where the registrar accepts it:

example.com. IN DS 12345 5 1 ABCDEF1234567890...
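How the DS record is derived from the DNSKEY, as an added Python example (not the lesson's code and not ISC's): the key tag and the digest are computed as RFC 4034 specifies, and a validator-side check recomputes the DS from the child's DNSKEY and compares it with the DS the parent publishes, which is the chain-of-trust step the lesson describes. The DNSKEY is a constructed dummy (64 bytes of 0x11), not a real key, and the function names are my own.

```python
import base64
import hashlib

# Constructed dummy public key (64 bytes of 0x11), NOT a real DNSSEC key.
DUMMY_KEY_B64 = "ERER" * 21 + "EQ=="

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 12345 in Kexample.com.+005+12345.key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """What dnssec-dsfromkey prints: '<owner> IN DS <tag> <alg> <digest type> <hex digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches_dnskey(ds_record, owner, flags, protocol, algorithm, pubkey_b64):
    """Validator-side check: recompute the DS from the child's DNSKEY and compare tag,
    algorithm and digest with the DS the parent published. Any mismatch breaks the chain."""
    fields = ds_record.split()
    digest_type = int(fields[-2])
    if digest_type not in DIGESTS:
        return False                         # unknown digest type: cannot be verified
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type).split()
    return (fields[-4], fields[-3], fields[-1].upper()) == (expected[-4], expected[-3], expected[-1])
```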

Testing DNSSEC

$ dig +dnssec google.com
; <<>> DiG 9.18.1 <<>> +dnssec google.com
;; ANSWER SECTION:
google.com.             300     IN      A       142.250.185.78
google.com.             300     IN      RRSIG   A 13 2 300 ...
$ dig @8.8.8.8 dnsviz.net A    # DNSViz (dnsviz.net) is an online DNSSEC analysis tool

An RRSIG in the answer only shows that the zone is signed. To confirm that your resolver actually validated the answer, look for the ad (authenticated data) flag in the ;; flags: line of the dig header.

Manual Key Signing

For more control, use dnssec-signzone:

$ dnssec-signzone -A -3 $(date +%s) -N INCREMENT -o example.com -t /var/cache/bind/db.example.com # Sign zone manually

Quiz

1. Slave zones receive _____ from masters.

Hint: Zone transfers

2. AXFR is a _____ transfer.

Hint: Complete zone

3. IXFR is an _____ transfer.

Hint: Partial

4. NOTIFY messages initiate _____.

Hint: Zone transfers

5. TSIG keys provide _____ transfers.

Hint: Authenticated

6. The masters directive lists _____ servers.

Hint: Primary servers

7. allow-notify controls _____ notifications.

Hint: Notify messages

8. Slave zones save to _____.

Hint: Zone file

Answers

  1. transfers
  2. full
  3. incremental
  4. transfers
  5. secure
  6. master
  7. NOTIFY
  8. disk

// DNS Caching & Forwarding

DNS Caching

DNS caching reduces query latency and reduces load on upstream servers by storing query results temporarily.

Configuring Caching Server

A basic caching-only DNS server:

options {
        recursion yes;
        allow-query { 127.0.0.1; 192.168.1.0/24; };
        listen-on { 127.0.0.1; 192.168.1.1; };
        forwarders { 8.8.8.8; 8.8.4.4; };
};

Cache Settings

Maximum Cache Size

max-cache-size 256M;

Minimum TTL

min-cache-ttl 300;

Maximum Cache TTL

max-cache-ttl 86400;

Maximum Negative Caching

max-ncache-ttl 3600;

DNS Forwarding

Forward specific domains to different servers:

zone "internal.example.com" {
        type forward;
        forward only;
        forwarders { 192.168.1.11; 192.168.1.12; };
};

Forward vs Recursion

  • Forward: Pass queries to upstream servers
  • Recursion: Resolve queries by following the chain

Viewing Cache Statistics

$ rndc stats # Generate statistics
$ cat /var/cache/bind/named.stats # View statistics

Flushing Cache

$ rndc flush # Flush all cache
$ rndc flushname example.com # Flush specific domain

Query Logging

logging {
        channel query_log {
                file "/var/log/named/query.log";
                severity info;
        };
        category queries { query_log; };
};

Quiz

1. DNSSEC adds _____ to DNS records.

Hint: Cryptographic

2. DNSSEC prevents DNS _____ attacks.

Hint: Cache poisoning

3. DS records chain _____ from parent to child.

Hint: Delegation

4. dnssec-validation enables _____.

Hint: DNSSEC checking

5. Keys are stored in _____ files.

Hint: Key files

6. RRSIG records contain _____.

Hint: DNSSEC signatures

7. DS records are added to the _____ zone.

Hint: TLD registrar

8. dnssec-signzone is used for _____ signing.

Hint: Manual zone signing

Answers

  1. signatures
  2. spoofing
  3. trust
  4. validation
  5. K*.key
  6. signatures
  7. parent
  8. manual

// Split DNS & Views

What is Split DNS?

Split DNS (or split horizon) serves different DNS answers based on who's asking. This is useful for internal vs. external clients.

Use Cases

  • Internal networks: Resolve to private IPs
  • External clients: Resolve to public IPs
  • VPN users: Access internal resources
  • Development: Different configs per environment

Configuring Views

view "internal" {
        match-clients { 192.168.1.0/24; 10.0.0.0/8; };
        recursion yes;
        zone "example.com" {
                type master;
                file "/var/cache/bind/db.internal.example.com";
        };
};

view "external" {
        match-clients { any; };
        recursion no;
        zone "example.com" {
                type master;
                file "/var/cache/bind/db.external.example.com";
        };
};

match-clients Options

  • IP addresses: 192.168.1.1
  • Networks: 192.168.1.0/24
  • ACLs: Define in named.conf.options
  • any: Match all
  • localhost: Localhost only

Internal Zone File (192.168.1.0/24)

$TTL 604800
@       IN SOA ns1.example.com. admin.example.com. (
                2026022501 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
@       IN NS    ns1.example.com.
@       IN A     192.168.1.10
www     IN A     192.168.1.10
api     IN A     192.168.1.20
db      IN A     192.168.1.30

External Zone File (Public)

$TTL 604800
@       IN SOA ns1.example.com. admin.example.com. (
                2026022501 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
@       IN NS    ns1.example.com.
@       IN A     203.0.113.10
www     IN A     203.0.113.10
api     IN A     203.0.113.20

Testing Views

$ dig @192.168.1.1 www.example.com # From internal network
$ dig @203.0.113.1 www.example.com # From external network

Important Notes

CAUTION: All zones must be defined in every view. Use "empty" zones for views that shouldn't have certain domains.

Quiz

1. DNS _____ reduces query latency.

Hint: Cache storage

2. Forwarders send queries to _____.

Hint: External DNS

3. max-cache-ttl sets maximum _____.

Hint: Time to live

4. rndc _____ clears the cache.

Hint: Clear cache

5. Forward zone type uses _____.

Hint: Upstream servers

6. rndc _____ generates statistics.

Hint: Statistics

7. Queries can be logged in the _____ category.

Hint: Query logging

8. max-ncache-ttl caches _____ responses.

Hint: NXDOMAIN

Answers

  1. caching
  2. upstream servers
  3. cache time
  4. flush
  5. forwarders
  6. stats
  7. queries
  8. negative

// Troubleshooting DNS

DNS Troubleshooting

Understanding common DNS issues and how to debug them is essential for DNS administration.

Common Issues

  • NXDOMAIN: Domain doesn't exist
  • SERVFAIL: Server failed to resolve
  • REFUSED: Query refused
  • TIMEOUT: Query timed out
  • Slow resolution: Network or server issues

Basic Diagnostics

Query Specific Server

$ dig @8.8.8.8 google.com # Query Google's DNS

Query Specific Record Type

$ dig google.com MX # Query mail servers

Trace Full Resolution Path

$ dig +trace google.com # Full DNS resolution

Check Reverse DNS

$ dig -x 142.250.185.78 # Reverse lookup

Testing Zone Files

$ sudo named-checkconf # Check configuration
$ sudo named-checkzone example.com /var/cache/bind/db.example.com # Check zone file

Viewing Logs

$ sudo journalctl -u named -f # Follow BIND logs
$ sudo tail -f /var/log/named/named.log # Check named logs

Query Logging

Enable query logging for debugging:

$ rndc querylog # Toggle query logging

Testing DNSSEC

$ dig +dnssec cloudflare.com # Check DNSSEC signatures
$ dig +cd @8.8.8.8 example.com    # +cd disables validation: success here but SERVFAIL without it points to a DNSSEC problem

Common Fixes

Zone Not Loading

$ sudo named-checkconf && sudo systemctl reload named # Check and reload

Permission Issues

$ sudo chown -R bind:bind /var/cache/bind/ # Fix ownership

Serial Not Updated

$ sudo rndc reload example.com # Force reload zone

Network Testing

$ nslookup example.com 127.0.0.1 # Test local DNS
$ nc -zv localhost 53 # Test DNS port

Quiz

1. Split DNS serves _____ answers based on client.

Hint: Multiple

2. Views are matched using _____ criteria.

Hint: Client matching

3. Internal clients get _____ IP addresses.

Hint: 192.168.x.x

4. External clients get _____ IP addresses.

Hint: External IPs

5. Views are defined in _____.

Hint: Main config

6. match-clients can use _____.

Hint: Access control lists

7. Each view must have _____ zones.

Hint: All defined zones

8. Split DNS is also called split _____.

Hint: Split horizon

Answers

  1. different
  2. match-clients
  3. private
  4. public
  5. named.conf
  6. ACLs
  7. all
  8. horizon

// Split-Horizon DNS

What is Split-Horizon DNS?

Split-horizon DNS provides different DNS responses depending on the client's location - internal vs external. This is essential for enterprise networks that need both public and private resolution.

Internal vs External DNS

  • Internal: Resolves to private IPs (192.168.x.x, 10.x.x.x) for LAN access
  • External: Resolves to public IPs for internet-facing services
  • Security: Internal resources remain hidden from external queries
  • Efficiency: Local traffic stays on the LAN

Views in BIND

BIND uses views to implement split-horizon DNS:

view "internal" {
        match-clients { 192.168.1.0/24; 10.0.0.0/8; };
        recursion yes;
        zone "corp.example.com" {
                type master;
                file "/var/cache/bind/db.internal.corp";
        };
};

view "external" {
        match-clients { any; };
        recursion no;
        zone "corp.example.com" {
                type master;
                file "/var/cache/bind/db.external.corp";
        };
};

Internal Zone File

$TTL 3600
@       IN SOA ns1.corp.example.com. admin.corp.example.com. (
                2026030101 ; Serial
                3600       ; Refresh
                600        ; Retry
                86400      ; Expire
                3600 )     ; Negative Cache TTL
@       IN NS    ns1.corp.example.com.
@       IN A     192.168.1.10
www     IN A     192.168.1.10
mail    IN A     192.168.1.20
vpn     IN A     192.168.1.30
db      IN A     192.168.1.40

External Zone File

$TTL 3600
@       IN SOA ns1.corp.example.com. admin.corp.example.com. (
                2026030101 ; Serial
                3600       ; Refresh
                600        ; Retry
                86400      ; Expire
                3600 )     ; Negative Cache TTL
@       IN NS    ns1.corp.example.com.
@       IN A     203.0.113.10
www     IN A     203.0.113.10
mail    IN A     203.0.113.20
vpn     IN A     203.0.113.30

SECURITY TIP: Never expose internal DNS zones to the internet. Use views with match-clients to restrict access to internal networks only.

Enterprise DNS Setup

Large organizations need hierarchical DNS infrastructure:

$ dig @192.168.1.1 www.corp.example.com    # Internal resolves to private IP
; <<>> DiG 9.18.1 <<>> @192.168.1.1 www.corp.example.com
;; ANSWER SECTION:
www.corp.example.com.   3600    IN      A       192.168.1.10

$ dig @203.0.113.1 www.corp.example.com    # External resolves to public IP
; <<>> DiG 9.18.1 <<>> @203.0.113.1 www.corp.example.com
;; ANSWER SECTION:
www.corp.example.com.   3600    IN      A       203.0.113.10

Quiz

1. NXDOMAIN means the domain _____.

Hint: Not found

2. REFUSED means the query was _____.

Hint: Denied

3. +trace shows full _____ path.

Hint: DNS resolution

4. To check config, use _____.

Hint: Check config

Answers

  1. doesn't exist
  2. refused
  3. resolution
  4. named-checkconf

// Anycast DNS

What is Anycast DNS?

Anycast DNS uses the same IP address on multiple servers worldwide. The network routes queries to the nearest server automatically, providing global load balancing and improved performance.

Global Load Balancing

  • Anycast routing: BGP routes traffic to closest server
  • Reduced latency: Users connect to nearest DNS server
  • Automatic failover: If one server fails, traffic routes elsewhere
  • DDoS mitigation: Attack traffic spreads across many servers

Multiple DNS Servers

Deploy Anycast DNS infrastructure across regions:

$ ip addr add 203.0.113.53/32 dev lo # Add Anycast IP to loopback on each server
$ ip route add 203.0.113.53/32 dev lo src 203.0.113.1 # Configure local route

BGP Configuration

Announce the Anycast IP via BGP to upstream providers. The statements below are schematic; the exact syntax depends on the routing daemon (BIRD, FRR, or a router's CLI):

router bgp 64496
  network 203.0.113.53/32
  neighbor 192.0.2.1 remote-as 64500
  neighbor 192.0.2.1 announce route 203.0.113.53/32

$ birdc show route 203.0.113.53/32    # Show BGP routes to Anycast IP
via 203.0.113.1 on eth0 [direct1 2026-03-01] * (240)
via 203.0.113.2 on eth0 [direct2 2026-03-01] (240)

Geographic Distribution

Deploy servers across multiple regions:

$ dig @203.0.113.53 example.com +short 142.250.185.78 # Query resolves from nearest server automatically

Health Monitoring

#!/bin/bash
# Anycast health check script: withdraw this node if its resolver stops answering
if ! dig @203.0.113.53 google.com +short >/dev/null; then
    ip route del 203.0.113.53/32 dev lo
    systemctl stop bird
    echo "Anycast withdrawn - DNS failure"
fi

Monitoring Anycast

$ traceroute 203.0.113.53    # Trace shows nearest server
traceroute to 203.0.113.53 (203.0.113.53)
 1  router1.isp.net (192.0.2.1)  0.5 ms
 2  anycast-server-ny.example.com (203.0.113.53)  1.2 ms

PERFORMANCE TIP: Anycast reduces DNS latency by routing users to the closest server. Major DNS providers like Cloudflare (1.1.1.1) and Google (8.8.8.8) use Anycast for global distribution.

Quiz

1. Anycast uses the same _____ on multiple servers.

Hint: Shared address

2. _____ routes traffic to the closest server.

Hint: Border Gateway Protocol

3. Anycast provides automatic _____.

Hint: Redundancy

4. Anycast helps mitigate _____ attacks.

Hint: Distributed denial

Answers

  1. IP address
  2. BGP
  3. failover
  4. DDoS