Server DNS Bind9
DNS ip address



Install Bind9

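# Refresh the package index, then install BIND and the DNS client tools.
# "&&" stops the install if the index refresh fails, so packages are not
# installed from a stale index.
apt update && apt install bind9 dnsutils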

Bind local configuration file

nano /etc/bind/named.conf.local

// ACL naming the peer name server(s). Nothing else shown in this guide
// references "ns-servers" (allow-transfer in named.conf.options is "none"),
// so as written it has no effect until an option such as allow-transfer or
// allow-query uses it.
// NOTE(review): 1.0.0.1 also appears as a forwarder in named.conf.options, so
// it looks like a sample value; replace it with the real peer address.
acl ns-servers {
    1.0.0.1;
};
Bind logging configuration file

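# Create the log directory owned by the bind user in one step. Mode 0750 keeps
# it closed to other local users, because the logging configuration that follows
# writes client queries into this directory.
install -d -o bind -g bind -m 0750 /var/log/named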

nano /etc/bind/named.conf.log

// Logging layout: general messages, dynamic updates and client queries go to
// bind.log; messages in the "security" category go to security.log.
logging {
	// named rolls this file itself: once it reaches about 5 MB it is renamed
	// and up to 3 older versions are kept.
	channel bind_log {
		file "/var/log/named/bind.log" versions 3 size 5m;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	// Separate file for the "security" category (approved and denied
	// requests). "severity dynamic" follows the server's current debug level.
	channel security_file {
		file "/var/log/named/security.log" versions 3 size 30m;
		severity dynamic;
		print-time yes;
	};

	category default { bind_log; };
	category update { bind_log; };
	category update-security { bind_log;};
	category security { security_file; };
	// Query logging records each client's address and the names it looks up,
	// so bind.log is sensitive data: limit who can read it, and expect it to
	// grow quickly on a busy resolver.
	category queries { bind_log; };
	// Lame-server messages are discarded.
	category lame-servers { null; };
};
Add the logging configuration to the main file

nano /etc/bind/named.conf

include "/etc/bind/named.conf.log";
Change the defaults for named

echo '' | tee /etc/default/named ; nano /etc/default/named

RESOLVCONF=yes
OPTIONS="-u bind -4"
Edit bind options

rm /etc/bind/named.conf.options ; nano /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // Upstream resolvers that this server forwards queries to. If your
        // ISP provided one or more IP addresses for stable nameservers, you
        // can list them here instead. With validation switched off below,
        // answers from these forwarders are accepted as given, so list only
        // resolvers you intend to trust.

        forwarders {
            1.1.1.1;
            1.0.0.1;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        // dnssec-validation auto;
        // dnssec-enable no;
        // NOTE(review): "no" turns DNSSEC validation off, so this resolver will
        // not detect forged or tampered answers for signed zones. Prefer the
        // commented-out "dnssec-validation auto;" above unless there is a
        // specific reason validation cannot work in this network.
        dnssec-validation no;

        // NOTE(review): listen-on must name an address configured on this
        // server. 1.1.1.1 is also listed as a forwarder above, so it looks like
        // a placeholder; replace it with the server's own IPv4 address.
        listen-on { 1.1.1.1; };
        listen-on-v6 { none; };

        // Zone transfers are refused for every client.
        allow-transfer { none; };

        // NOTE(review): no allow-query / allow-recursion is set in this block,
        // so BIND's built-in defaults apply (recursion is normally limited to
        // localhost and directly attached networks; confirm for your version).
        // If you add these options to serve more clients, list the client
        // networks explicitly in an acl instead of using "any", so the server
        // does not become an open resolver.

        // From 9.9.5 ARM, disables interfaces scanning to prevent unwanted stop listening
        interface-interval 0;

        // Do not make public version of BIND
        version none;

};
Restart Named Service

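# Validate the configuration before restarting: named-checkconf reports syntax
# errors and the restart is skipped when it fails, so a typo in one of the
# edited files does not take the resolver down.
named-checkconf && service named restart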

tail -f -n 1000 /var/log/named/bind.log

Enable log rotation

nano /etc/logrotate.d/bind

# Daily rotation of bind.log, keeping 7 rotated copies (compressed from the
# second rotation onwards because of delaycompress).
# NOTE(review): the bind_log channel in named.conf.log already rolls this file
# ("versions 3 size 5m"), so two rotation mechanisms act on the same file;
# confirm that this is intended.
/var/log/named/bind.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  # NOTE(review): mode 644 makes the new log world-readable, and this log
  # contains client queries; a tighter mode such as 640 is worth considering.
  create 644 bind bind
  # NOTE(review): the script below reloads the "bind9" service, while this guide
  # restarts "named"; confirm which service name exists on your release.
  postrotate
    /usr/sbin/invoke-rc.d bind9 reload > /dev/null
  endscript
}

logrotate -d /etc/logrotate.d/bind

Open UDP port for Bind

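# DNS uses TCP 53 as well as UDP 53: answers too large for UDP are retried over
# TCP, so allowing UDP alone leaves those lookups failing.
# If the resolver serves only known networks, prefer source-restricted rules,
# for example:
#   ufw allow from <CLIENT_NETWORK_CIDR> to any port 53
ufw allow 53/udp
ufw allow 53/tcp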