Linux Networking

Bind9 local DNS server intro

Practical Linux guide: bind9 local DNS server intro without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

A minimal BIND9 authoritative/caching DNS server on Debian/Ubuntu for local lab zones — split DNS for *.home.arpa style domains.

1) Install BIND

sudo apt install bind9 bind9utils

2) Forward zone snippet

# /etc/bind/named.conf.local
zone "lab.local" {
    type master;
    file "/etc/bind/db.lab.local";
};

3) Zone file

; /etc/bind/db.lab.local
$TTL 604800
@   IN SOA ns1.lab.local. admin.lab.local. (2025060901 604800 86400 2419200 604800)
@   IN NS ns1.lab.local.
ns1 IN A 192.168.1.10
web IN A 192.168.1.20

sudo named-checkconf
sudo named-checkzone lab.local /etc/bind/db.lab.local
sudo systemctl restart bind9

4) Point clients

Set the router's DHCP DNS option to 192.168.1.10, or per host: resolvectl dns eth0 192.168.1.10.

Verify

dig @127.0.0.1 web.lab.local +short
sudo rndc status

5) Caching resolver for LAN

# /etc/bind/named.conf.options
options {
    forwarders { 1.1.1.1; 8.8.8.8; };
    dnssec-validation auto;
};

6) Allow queries from subnet

# /etc/bind/named.conf.options — the acl must be declared before the options block that uses it
acl lan { 192.168.1.0/24; };
options { allow-query { lan; localhost; }; };

7) Reverse zone (optional)

Needed for some mail and Kerberos setups — forward zones suffice for homelab hostnames.

Split horizon

The internal zone lab.local resolves privately while public DNS stays unchanged — ideal for services not exposed to the internet.

8) systemd-resolved coexistence

Ubuntu's systemd-resolved stub resolver listens on 127.0.0.53 — either point clients at the BIND IP directly, or configure resolved to forward queries for the local zones to BIND.

Prerequisites

bind9 package. Zone names chosen (.local is not ideal because it conflicts with mDNS — prefer .home.arpa or an internal subdomain). A serial number scheme. A plan for how clients will reach the resolver.

increment serial on every edit

# YYYYMMDDNN format in the SOA — forget to bump it and secondaries see no change, so they keep serving the old zone

rndc key

sudo rndc status
sudo rndc reload lab.local

Reload zone after serial bump without full named restart.
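A small helper for the serial-bump step above, added here as an example (not part of the original guide): it rewrites the SOA serial in YYYYMMDDNN form, handling the same-day case and a serial that is already ahead of today's date, so the value only ever moves forward. The sample zone text is the one from step 3, embedded inline; the script name and argument handling are assumptions.

```python
import re
from datetime import date
from typing import Optional, Tuple

# Serial sits right after "(" in the SOA; assumes the SOA fits on one line as in step 3.
SOA_RE = re.compile(r"(IN\s+SOA\s+\S+\s+\S+\s*\(\s*)(\d+)")

# Constructed copy of the zone file from step 3.
SAMPLE_ZONE = """$TTL 604800
@   IN SOA ns1.lab.local. admin.lab.local. (2025060901 604800 86400 2419200 604800)
@   IN NS ns1.lab.local.
ns1 IN A 192.168.1.10
web IN A 192.168.1.20
"""


def next_serial(current: int, today: Optional[str] = None) -> int:
    """Next YYYYMMDDNN serial. `today` is YYYYMMDD (defaults to the real date)."""
    today = today or date.today().strftime("%Y%m%d")
    base = int(today) * 100
    if current < base:
        return base          # first edit of the day -> YYYYMMDD00
    # Same day (NN+1), NN already 99, or a serial from the "future" (clock skew,
    # earlier typo): always +1, because secondaries only transfer on an increase.
    return current + 1


def bump_serial(zone_text: str, today: Optional[str] = None) -> Tuple[str, int]:
    """Return (updated zone text, new serial); only the serial digits change."""
    m = SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    new = next_serial(int(m.group(2)), today)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/bind/db.lab.local"
    with open(path) as f:
        updated, new = bump_serial(f.read())
    with open(path, "w") as f:
        f.write(updated)
    print(f"serial is now {new}; run named-checkzone on {path}, then rndc reload")
```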

DNS over TLS upstream

Forward to Cloudflare 1.1.1.1 on port 853 in the bind options (needs BIND 9.18 or newer, which added DNS-over-TLS forwarders) — local clients still talk plain port 53 to bind, and bind encrypts the upstream leg: privacy for lab DNS without per-client DoT configuration.

DNSSEC validation failures

Broken DNSSEC upstream combined with dnssec-validation auto breaks resolution entirely — switch to dnssec-validation no temporarily, on the lab resolver only, while debugging the chain.

secondary NS optional

A second bind instance on another host as a secondary (slave) pulling the zone by transfer — overkill for a homelab, but production internal zones benefit from AXFR redundancy.

allow-recursion ACL

An open resolver reachable from the internet gets abused for amplification attacks — restrict recursion to the lan ACL only, even on a homelab, in case port 53 is ever NAT-forwarded by accident.

TTL lowering before migration

Lower the SOA TTL to 300 before an IP change — internal clients pick up the new record faster after the server migration.
