BIND9 DNS server
DNS ip address





Install Bind9

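# Refresh the package index first; '&&' skips the install if the refresh fails.
apt update && apt install bind9 dnsutils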

Bind local configuration file

nano /etc/bind/named.conf.local

// Named address list. Defining an ACL has no effect by itself: it only
// applies where another statement (allow-query, allow-transfer, ...) refers
// to "ns-servers". The options block on this page does not reference it.
acl ns-servers {
    1.0.0.1;
};
BIND logging configuration file

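# Log directory owned by the bind user. Mode 750 keeps other local users out,
# because the query log written here shows which names clients looked up.
mkdir -p /var/log/named && chown bind:bind /var/log/named && chmod 750 /var/log/named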

nano /etc/bind/named.conf.log

// Two log files: general messages in bind.log, security decisions in
// security.log. named rolls each file itself ("versions N size S").
// The logrotate stanza further down this page also rotates bind.log daily,
// so that file is rotated by two mechanisms.
logging {
	// General channel: rolled at 5 MB, 3 old versions kept.
	channel bind_log {
		file "/var/log/named/bind.log" versions 3 size 5m;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	// Security channel: rolled at 30 MB, 3 old versions kept. Unlike
	// bind_log, lines here carry a timestamp but no category or severity.
	channel security_file {
		file "/var/log/named/security.log" versions 3 size 30m;
		// "dynamic" follows the server's current debug level.
		severity dynamic;
		print-time yes;
	};

	category default { bind_log; };
	category update { bind_log; };
	category update-security { bind_log;};
	// Approved and denied requests (for example recursion refused by an
	// ACL): the file to review when looking for abuse of the resolver.
	category security { security_file; };
	// Routing this category turns query logging on. Every client query is
	// written to bind.log, which makes the file sensitive and, at 5 MB per
	// version, pushes other messages out quickly on a busy resolver.
	category queries { bind_log; };
	// Lame-delegation messages are discarded.
	category lame-servers { null; };
};
Add the logging configuration to the main file

nano /etc/bind/named.conf

include "/etc/bind/named.conf.log";
Change the defaults for named

echo '' | tee /etc/default/named ; nano /etc/default/named

# NOTE(review): RESOLVCONF=yes presumably makes the Debian packaging register
# this named as the host's own resolver through resolvconf - confirm for your
# release. The options block on this page makes named listen on 192.168.23.252
# only, not on loopback.
RESOLVCONF=yes
# -u bind: run named as the unprivileged "bind" user; -4: use IPv4 only.
OPTIONS="-u bind -4"
Edit bind options

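# Keep the packaged file as a reference instead of deleting it, then write the
# new one. named only reads the files named.conf includes, so the copy is inert.
mv /etc/bind/named.conf.options /etc/bind/named.conf.options.orig && nano /etc/bind/named.conf.options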

// Recursive resolver for the 192.168.23.0/24 LAN. No zones are defined on
// this page.
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// "forwarders" is left empty further down, so named resolves names
	// itself, starting from the root servers.

	// Recursion and cached answers are limited to loopback and the LAN,
	// which keeps this server from acting as an open resolver.
	recursion yes;
	allow-recursion {
		127.0.0.1;
		192.168.23.0/24;
	};
	allow-query-cache {
		127.0.0.1;
		192.168.23.0/24;
	};
	forwarders { };
        
	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	// dnssec-validation auto;
	// dnssec-enable no;
	// NOTE(review): validation is switched off, so forged or tampered answers
	// are accepted and cached without any signature check. The commented-out
	// "dnssec-validation auto;" uses the built-in root trust anchor; prefer it
	// unless something specific in this network requires validation off.
	// "dnssec-enable" is obsolete in recent BIND 9 releases; leave it out.
	dnssec-validation no;
        
	// named answers on the LAN address only. 127.0.0.1 is allowed in the
	// ACLs above but is not a listening address, so queries sent to
	// loopback on this host get no answer.
	listen-on { 192.168.23.252; };
	listen-on-v6 { none; };

	// DNSBL/URIBL
	// minimal-responses: leave out authority/additional records that are
	// not required. edns-udp-size: advertise a 1232-byte UDP buffer to
	// avoid IP fragmentation; larger answers are retried over TCP.
	minimal-responses yes;
	edns-udp-size 1232;

	// No zone transfers to anyone.
	allow-transfer { none; };

	// From 9.9.5 ARM, disables interfaces scanning to prevent unwanted stop listening
	interface-interval 0;

	// Do not disclose the BIND version to clients
	version none;

};
Restart Named Service

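# Check the configuration for syntax errors first; restart only if it parses.
named-checkconf && service named restart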

tail -f -n 1000 /var/log/named/bind.log

Enable log rotation

nano /etc/logrotate.d/bind

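# named already rolls bind.log itself ("versions 3 size 5m" on its logging
# channel), so this stanza is a second rotation of the same file.
# security.log is not listed here and is rolled by named only.
/var/log/named/bind.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  # Client queries are logged to this file: do not make it world-readable.
  create 640 bind bind
  postrotate
    # Same service name as the "service named restart" step on this page.
    /usr/sbin/invoke-rc.d named reload > /dev/null
  endscript
}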

logrotate -d /etc/logrotate.d/bind

Open UDP port for Bind

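# Only the LAN that named serves (192.168.23.0/24 in allow-recursion) needs to
# reach port 53. DNS falls back to TCP when an answer does not fit in a UDP
# datagram, so TCP/53 is opened as well.
ufw allow from 192.168.23.0/24 to any port 53 proto udp
ufw allow from 192.168.23.0/24 to any port 53 proto tcp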