Server DNS Bind9
DNS ip address



Install Bind9

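# Chain with && so the install only runs against a freshly updated package index.
apt update && apt install bind9 dnsutils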

Bind local configuration file

nano /etc/bind/named.conf.local

// Named address list. Nothing else on this page references ns-servers, so
// defining it has no effect until an option such as allow-query or
// allow-transfer names it.
// NOTE(review): 1.0.0.1 is also listed as a Cloudflare forwarder further down;
// presumably a placeholder for the real name-server address - confirm.
acl ns-servers {
    1.0.0.1;
};
Bind logging configuration file

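# Create the log directory owned by bind in one step. Mode 0750 keeps the query
# and security logs from being listed or read by other local users.
install -d -o bind -g bind -m 0750 /var/log/named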

nano /etc/bind/named.conf.log

// Logging for named: general activity, dynamic updates and client queries go
// to bind.log; the security category goes to security.log.
logging {
	// General channel. named rolls this file itself once it reaches 5 MB and
	// keeps 3 old versions.
	channel bind_log {
		file "/var/log/named/bind.log" versions 3 size 5m;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	// Security channel (approval and denial of requests). "dynamic" follows
	// the server's current debug level instead of a fixed severity.
	channel security_file {
		file "/var/log/named/security.log" versions 3 size 30m;
		severity dynamic;
		print-time yes;
	};

	category default { bind_log; };
	category update { bind_log; };
	category update-security { bind_log;};
	category security { security_file; };
	// Every client query is written to bind.log, so that file records which
	// names each client looked up; keep it readable by administrators only.
	// On a busy resolver these lines can also push other messages out of the
	// 3 retained versions.
	category queries { bind_log; };
	// Lame-delegation messages are discarded.
	category lame-servers { null; };
};
Add the logging configuration to the main file

nano /etc/bind/named.conf

// Load the logging { } block from its own file. named-checkconf reports a
// missing or malformed include before the service is restarted.
include "/etc/bind/named.conf.log";
Change the defaults for named

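# Save the packaged defaults once so the change can be reverted, then start from an empty file.
[ -e /etc/default/named.orig ] || cp -a /etc/default/named /etc/default/named.orig
: > /etc/default/named ; nano /etc/default/named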

# NOTE(review): RESOLVCONF=yes presumably makes the Debian service scripts
# register this named as the host's own resolver via resolvconf - confirm on
# the target release.
RESOLVCONF=yes
# -u bind: named gives up root and runs as the unprivileged bind user.
# -4: use IPv4 only.
OPTIONS="-u bind -4"
Edit bind options

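# Keep a copy of the packaged options file before replacing it, so it can be restored.
[ -e /etc/bind/named.conf.options.orig ] || cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.orig
rm /etc/bind/named.conf.options ; nano /etc/bind/named.conf.options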

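options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// Upstream resolvers that answer on behalf of this server. Every name
	// looked up by clients is disclosed to whichever forwarder is asked, so
	// keep only operators you are willing to share that with.
	// NOTE(review): confirm each address still belongs to the provider named
	// in its comment before deploying.

	forwarders {
		1.1.1.1;		// Cloud Flare
		1.0.0.1;		// Cloud Flare
		8.8.8.8;		// Google
		8.8.4.4;		// Google
		208.67.222.222;	// Cisco
		208.67.220.220;	// Cisco (was 208.76.220.220, a transposed octet)
		64.6.64.6;		// Verisign
		64.6.65.6;		// Verisign
	};

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	// dnssec-validation auto;
	// dnssec-enable no;
	// Validation is switched off here, so forged or tampered answers coming
	// back through a forwarder are accepted as-is. Prefer
	// "dnssec-validation auto;" once the forwarders and the system clock are
	// known to be good.
	dnssec-validation no;

	// NOTE(review): 1.1.1.1 is also the first forwarder above; presumably a
	// placeholder for this server's own address (the "DNS ip address" at the
	// top of the page) - replace it before use.
	listen-on { 1.1.1.1; };
	listen-on-v6 { none; };

	// Recursion is limited to this host and its directly attached networks.
	// This is BIND's built-in default, written out so that a later edit does
	// not turn the server into an open resolver usable for amplification.
	// Widen it deliberately, by listing the client networks, if needed.
	allow-recursion { localhost; localnets; };

	// No zone transfers to anyone.
	allow-transfer { none; };

	// From 9.9.5 ARM, disables interfaces scanning to prevent unwanted stop listening
	interface-interval 0;

	// Do not make public version of BIND
	version none;

};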
Restart Named Service

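# Validate the edited configuration first; a syntax error would otherwise
# leave the resolver down after the restart.
named-checkconf && service named restart

tail -f -n 1000 /var/log/named/bind.log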

Enable log rotation

nano /etc/logrotate.d/bind

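# NOTE(review): named already rolls bind.log by size ("versions 3 size 5m" in
# the logging block), so this rule is a second rotation of the same file -
# confirm that both are wanted.
/var/log/named/bind.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  # 640, not 644: the file holds every client query, so it should not be
  # world-readable.
  create 640 bind bind
  postrotate
    # Reload after rotation, intended to make named reopen the new log file.
    # NOTE(review): the rest of the page calls the service "named"; confirm
    # that the name "bind9" still resolves on the target release.
    /usr/sbin/invoke-rc.d bind9 reload > /dev/null
  endscript
}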

# -d is a dry run: logrotate prints what it would do and rotates nothing.
logrotate -d /etc/logrotate.d/bind

Open UDP port for Bind

# This rule admits DNS queries from any source address. To limit it to known
# clients, use a source-restricted rule instead (CLIENT_NETWORK_CIDR is a
# placeholder):
#   ufw allow from CLIENT_NETWORK_CIDR to any port 53 proto udp
# Only UDP is opened; answers too large for UDP are retried over TCP/53, which
# stays closed with this rule alone.
ufw allow 53/udp