How to Set Up a Private DNS Server with BIND9

By Admin · Feb 25, 2026 · Updated Apr 23, 2026

When to Run Your Own DNS

A private DNS server is useful for internal name resolution, split-horizon DNS, or running authoritative DNS for your domains. BIND9 is the most widely used DNS server software.

Installation

sudo apt update && sudo apt install -y bind9 bind9-utils

Configure an Authoritative Zone

Add to /etc/bind/named.conf.local:

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 10.0.0.2; };  // secondary DNS
};

Create the Zone File

Create /etc/bind/zones/db.example.com (the /etc/bind/zones directory does not exist by default, so create it first):

$TTL    300
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2026022501      ; Serial (YYYYMMDDNN)
                        3600            ; Refresh
                        600             ; Retry
                        86400           ; Expire
                        300 )           ; Negative Cache TTL

; Nameservers
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.

; A Records
@       IN      A       198.48.63.241
ns1     IN      A       198.48.63.241
ns2     IN      A       198.48.63.242
www     IN      A       198.48.63.241
mail    IN      A       198.48.63.243

; MX Records
@       IN      MX  10  mail.example.com.

; TXT Records
@       IN      TXT     "v=spf1 ip4:198.48.63.240/28 -all"

Validate Configuration

sudo named-checkconf
sudo named-checkzone example.com /etc/bind/zones/db.example.com

Restart and Test

sudo systemctl restart bind9
dig @localhost example.com A
dig @localhost example.com MX

Security Hardening

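# In named.conf.options (merge into the existing options block)
options {
    recursion no;            // Disable recursion for authoritative-only
    allow-query { any; };    // Anyone may query the zones this server is authoritative for
    dnssec-validation auto;  // Only applies to recursive lookups; no effect while recursion is off
    listen-on { any; };      // Listen on all IPv4 interfaces
};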
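
To confirm the hardening from the outside, the following script (an added example, not part of the original article) parses dig output to check that the server neither offers recursion nor allows a zone transfer to a client other than the secondary. The function names, the DNS_SERVER variable and the out-of-zone test name example.org are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: run from a host that is NOT the secondary (10.0.0.2).

# Succeeds if the reply advertises recursion ("ra" in dig's flags line).
recursion_offered() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ra[ ;]'
}

# Prints the ANSWER count from dig's flags line (0 if the line is missing).
answer_count() {
    local n
    n=$(printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n1)
    printf '%s\n' "${n:-0}"
}

# Succeeds only if dig reports a completed transfer (";; XFR size: ..."),
# so a timeout or a refusal is never mistaken for an allowed AXFR.
transfer_allowed() {
    printf '%s\n' "$1" | grep -q '^;; XFR size:'
}

# audit_outputs <dig output for an out-of-zone name> <dig output for AXFR>
# Prints one line per finding; returns the number of findings.
audit_outputs() {
    local findings=0
    if recursion_offered "$1" || [ "$(answer_count "$1")" -gt 0 ]; then
        echo "FAIL: server resolves names outside its zones (recursion is on)"
        findings=$((findings + 1))
    fi
    if transfer_allowed "$2"; then
        echo "FAIL: zone transfer succeeded for a client outside allow-transfer"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no recursion offered, no AXFR served"
    return "$findings"
}

# Live run only when DNS_SERVER is set, e.g. DNS_SERVER=198.48.63.241 ./check.sh
if [ -n "${DNS_SERVER:-}" ]; then
    audit_outputs "$(dig @"$DNS_SERVER" example.org A +tries=1 +time=3)" \
                  "$(dig @"$DNS_SERVER" example.com AXFR +tries=1 +time=3)"
fi
```

The exit status is the number of findings, so the script can gate a deployment step or a monitoring check.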