This document describes the installation of ISC BIND on Ubuntu Linux.

Installation

The following procedure will provide a default install of BIND (BIND 9.8.2 and greater). We strongly recommend using the latest version of BIND 9 and keeping it up to date with the latest security fixes.

  • Log in to your account on the Ubuntu system. You will need root access, via sudo or su. The instructions below use sudo, but you can run them without sudo if you are logged in as root.
  • Next, download and install BIND and its utilities:
    sudo apt-get update
    sudo apt-get install bind9
    
  • Next, start BIND with the following command:
    sudo /usr/sbin/service bind9 start
    
  • Verify that BIND is running and answering queries:
    dig @127.0.0.1 google.com
    
  • If dig fails, check BIND’s logs in /var/log/syslog.
  • Check that the installed version is at least 9.8.2, for example:
    /usr/sbin/named -v
    BIND 9.10.3-P4-Ubuntu <id:ebd72b3>
    

NTP on Ubuntu

A correct system time is required for transferring ThreatSTOP Policy zones. Using NTP is an easy way to keep correct time. Install ntp:

sudo apt-get install ntp
  • Run timedatectl and check that ‘Network time on’ and ‘NTP synchronized’ are both set to ‘yes’.
  • If they are not, run these commands to enable NTP synchronization:
    sudo timedatectl set-ntp yes
    sudo service ntp restart
    

BIND will show the following error in /var/log/syslog if the clock is not synchronized:

zone <ZONE NAME> refresh: failure trying master 192.124.129.51#53 (source 0.0.0.0#0): clocks are unsynchronized
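The version check above, the timedatectl check in this section and the syslog symptom just shown can all be scripted. The following is an added example, not part of the original page or of ISC's tooling: each check takes command output as an argument so it can be exercised offline on constructed samples, and `--live` runs the same checks against the real `named -v` and `timedatectl` commands. The sample outputs embedded below are constructed, not captured from a real host; the newer timedatectl labels (`System clock synchronized`, `NTP service`) are accepted alongside the ones the text cites.

```shell
#!/bin/sh
# Added example, not from the original page: post-install checks for the
# BIND and NTP steps above. Each check takes command output as an argument
# so it can be tested offline; pass --live to run against the real commands.

REQUIRED_BIND_VERSION="9 8 2"   # the 9.8.2 minimum stated in the procedure

# Extract "major minor patch" from `named -v` output such as
# "BIND 9.10.3-P4-Ubuntu <id:ebd72b3>"; print nothing if it does not parse.
parse_bind_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p'
}

# version_ge "9 10 3" "9 8 2": succeed if the first version is >= the second.
# Fields are compared numerically, so 9.10 correctly ranks above 9.8
# (a plain string comparison would rank it below).
version_ge() {
    a_maj=${1%% *}; rest=${1#* }; a_min=${rest%% *}; a_pat=${rest#* }
    b_maj=${2%% *}; rest=${2#* }; b_min=${rest%% *}; b_pat=${rest#* }
    if [ "$a_maj" -gt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -lt "$b_maj" ]; then return 1; fi
    if [ "$a_min" -gt "$b_min" ]; then return 0; fi
    if [ "$a_min" -lt "$b_min" ]; then return 1; fi
    if [ "$a_pat" -ge "$b_pat" ]; then return 0; fi
    return 1
}

# Succeed if `named -v` output ($1) is at least REQUIRED_BIND_VERSION;
# return 2 if the output does not look like a BIND version at all.
bind_version_ok() {
    parsed=$(parse_bind_version "$1")
    if [ -z "$parsed" ]; then return 2; fi
    version_ge "$parsed" "$REQUIRED_BIND_VERSION"
}

# Succeed if `timedatectl` output ($1) reports NTP enabled and the clock
# synchronized. Older releases print "Network time on" / "NTP synchronized";
# newer systemd prints "NTP service: active" / "System clock synchronized".
ntp_synced() {
    if printf '%s\n' "$1" | grep -Eq '^ *(Network time on: yes|NTP service: active)$' &&
       printf '%s\n' "$1" | grep -Eq '^ *(NTP synchronized|System clock synchronized): yes$'; then
        return 0
    fi
    return 1
}

# Succeed if the syslog text ($1) contains the zone-refresh failure that
# BIND logs when the clock is off, as quoted in the section above.
clock_skew_logged() {
    if printf '%s\n' "$1" | grep -q 'clocks are unsynchronized'; then return 0; fi
    return 1
}

# Constructed sample outputs (not captured from a real host) for offline runs.
SAMPLE_TIMEDATECTL_OK='      Local time: Thu 2016-03-03 10:00:00 UTC
  Universal time: Thu 2016-03-03 10:00:00 UTC
       Time zone: Etc/UTC (UTC, +0000)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no'
SAMPLE_TIMEDATECTL_BAD='      Local time: Thu 2016-03-03 10:00:00 UTC
 Network time on: no
NTP synchronized: no'
SAMPLE_SYSLOG_LINE='named[1234]: zone example.test/IN: refresh: failure trying master 192.0.2.10#53 (source 0.0.0.0#0): clocks are unsynchronized'

run_live_checks() {
    if bind_version_ok "$(named -v 2>/dev/null)"; then
        echo "BIND version: OK (>= 9.8.2)"
    else
        echo "BIND version: named not found or older than 9.8.2" >&2
    fi
    if ntp_synced "$(timedatectl 2>/dev/null)"; then
        echo "NTP: synchronized"
    else
        echo "NTP: not synchronized; run: sudo timedatectl set-ntp yes" >&2
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh check-bind.sh --live` after the install; without arguments it only defines the functions, so it can be sourced by other scripts.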

Restricting access to BIND

  • We recommend adding ACLs to limit the systems that can connect to your BIND instance.
  • Add an ACL with the list of authorized subnets:
    acl my-networks {
            172.16.0.0/12;
    };
    
  • Restrict access with the allow-recursion parameter in the options block:
    options {
      ...
      allow-recursion { my-networks; };
      ...
    };
    
  • Since version 9.4, BIND defaults the allow-recursion option to the local networks (localnets) rather than any.
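The two fragments above are usually maintained by hand; the script below is an added example (not from the original page or from ISC) that renders them from a list of subnets and refuses malformed entries before anything is written. It assumes Ubuntu's standard layout, where the options block lives in /etc/bind/named.conf.options, and keeps the page's ACL name `my-networks`; the `directory`, `recursion yes` and `allow-query-cache` lines are additions that match the usual Ubuntu options block, and `named-checkconf` is only invoked when it is installed. Validating each CIDR matters because named accepts a prefix such as `172.16.0.0/1` as valid syntax, so a one-character typo can open recursion to a far larger range without any error.

```shell
#!/bin/sh
# Added example, not from the original page: generate the acl and
# allow-recursion settings described above from a list of subnets, refusing
# malformed entries, and syntax-check the result with named-checkconf when
# it is present. Assumptions: the options block lives in
# /etc/bind/named.conf.options (Ubuntu layout); the ACL name "my-networks"
# and 172.16.0.0/12 are taken from the page.

# Succeed if $1 is an IPv4 CIDR: four octets 0-255 and a prefix length 0-32.
valid_ipv4_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    case $len in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$len" -gt 32 ]; then return 1; fi
    old_ifs=$IFS
    IFS=.
    set -- $ip          # positional parameters are local to the function
    IFS=$old_ifs
    if [ $# -ne 4 ]; then return 1; fi
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# Print the acl and options blocks for the given subnets; fail without
# printing anything if any subnet is malformed or none were given.
render_recursion_acl() {
    if [ $# -eq 0 ]; then
        echo "render_recursion_acl: at least one subnet required" >&2
        return 1
    fi
    for net in "$@"; do
        if ! valid_ipv4_cidr "$net"; then
            echo "render_recursion_acl: rejecting malformed subnet '$net'" >&2
            return 1
        fi
    done
    printf 'acl my-networks {\n'
    for net in "$@"; do
        printf '        %s;\n' "$net"
    done
    printf '};\n\n'
    printf 'options {\n'
    printf '        directory "/var/cache/bind";\n'
    printf '        recursion yes;\n'
    printf '        allow-recursion { my-networks; };\n'
    printf '        allow-query-cache { my-networks; };\n'
    printf '};\n'
}

# Write the rendered config to $1 and syntax-check it when named-checkconf
# is available. Reload afterwards with: sudo service bind9 reload
install_recursion_acl() {
    dest=$1
    shift
    render_recursion_acl "$@" > "$dest" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dest" || return 1
    fi
    echo "wrote $dest"
}

# Usage (subnets are hypothetical):
#   sudo sh bind-acl.sh /etc/bind/named.conf.options 172.16.0.0/12 10.0.0.0/8
if [ $# -ge 2 ]; then
    install_recursion_acl "$@"
fi
```

Keep a copy of the existing named.conf.options before overwriting it, since this writes the whole file rather than merging into it.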

Additional information