This document describes the installation of ISC BIND on Ubuntu Linux.

Installation

The following procedure provides a default install of BIND (9.8.2 or later). We strongly recommend using the latest BIND 9 release and keeping it up to date with the latest security fixes.

  • Log in to your account on the Ubuntu system. You will need root access, via sudo or su. The instructions below use sudo; you can omit it if you are logged in as root.
  • Download and install BIND and its utilities:
    sudo apt-get update
    sudo apt-get install bind9
    
  • Start BIND:
    sudo /usr/sbin/service bind9 start
    
  • Verify that BIND is running and answering queries:
    dig @127.0.0.1 google.com
    
  • If dig fails, check BIND's log messages in /var/log/syslog.
  • Check that the installed version is at least 9.8.2, for example:
    /usr/sbin/named -v
    BIND 9.10.3-P4-Ubuntu <id:ebd72b3>
    
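As an added example (not from the ThreatSTOP page or from BIND's own tooling), the following POSIX shell script turns the last two steps above into a repeatable check: it parses the banner printed by named -v and compares it field by field against 9.8.2, so that 9.10.3 is correctly judged newer than 9.8.2 (a plain string comparison would get this wrong). It assumes /usr/sbin/named is the binary path and falls back to the banner shown above when named is not installed; the second banner in the comments is a constructed sample of the newer Ubuntu packaging format.

```shell
#!/bin/sh
# Added example, not part of the ThreatSTOP page or of BIND itself: a small
# post-install check that the installed named meets the page's minimum
# version (9.8.2). The "named -v" line used when BIND is absent is the one
# shown on the page; /usr/sbin/named is assumed to be the binary when present.

MIN_BIND_VERSION="9.8.2"

# Pull "major.minor.patch" out of a "named -v" banner such as
# "BIND 9.10.3-P4-Ubuntu <id:ebd72b3>" or (constructed sample of the newer
# packaging) "BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32>".
# Suffixes such as -P4 / -Ubuntu are dropped; prints nothing if the line
# does not look like named's banner.
bind_version_from_string() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when dotted version $1 is >= dotted version $2. Both must have
# three numeric fields; they are compared as numbers, so 9.10.3 > 9.8.2.
version_ge() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    # $1 $2 $3 are the fields of the first version, $4 $5 $6 of the second.
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return $?; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return $?; fi
    [ "$3" -ge "$6" ]
}

# Report whether a "named -v" banner meets MIN_BIND_VERSION.
# Exit status: 0 = ok, 1 = too old, 2 = banner not recognised.
check_bind_version() {
    ver=$(bind_version_from_string "$1")
    if [ -z "$ver" ]; then
        echo "cannot parse a BIND version from: $1" >&2
        return 2
    fi
    if version_ge "$ver" "$MIN_BIND_VERSION"; then
        echo "BIND $ver meets the minimum of $MIN_BIND_VERSION"
        return 0
    fi
    echo "BIND $ver is older than $MIN_BIND_VERSION; upgrade before continuing" >&2
    return 1
}

# Constructed sample: the banner shown on the page, used when named is absent.
SAMPLE_NAMED_V="BIND 9.10.3-P4-Ubuntu <id:ebd72b3>"

if [ -x /usr/sbin/named ]; then
    check_bind_version "$(/usr/sbin/named -v)"
else
    check_bind_version "$SAMPLE_NAMED_V"
fi
```

Run it as root (or via sudo) on the freshly installed host; a non-zero exit means either that named is older than the minimum or that its banner could not be parsed, and both cases are printed to stderr.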

System time synchronization

A correct system time is required for transferring ThreatSTOP Policy zones: BIND reports "clocks are unsynchronized" when the TSIG signature on a transfer fails its timestamp check, which happens once the two clocks differ by more than the TSIG fudge window (300 seconds by default). Using NTP is an easy way to keep correct time.

BIND will show the following error in /var/log/syslog if the clock is not synchronized:

zone <ZONE NAME> refresh: failure trying master 192.124.129.51#53 (source 0.0.0.0#0): clocks are unsynchronized

Ubuntu 16

  • Install NTP:
    sudo apt-get install ntp
    
  • Check the status of the NTP service:
    sudo timedatectl
                   Local time: Mon 2021-08-09 19:08:08 UTC
               Universal time: Mon 2021-08-09 19:08:08 UTC
                     RTC time: Mon 2021-08-09 19:08:10
                    Time zone: Etc/UTC (UTC, +0000)
    System clock synchronized: yes
                  NTP service: active
    
    If NTP is not enabled, the output will show:
    System clock synchronized: no
                  NTP service: inactive
    
  • If NTP is not active, run these commands to enable NTP synchronization:
    sudo timedatectl set-ntp yes
    sudo service ntp restart

Ubuntu 20

  • Check the status of the NTP service:
    sudo timedatectl
                   Local time: Mon 2021-08-09 19:08:08 UTC
               Universal time: Mon 2021-08-09 19:08:08 UTC
                     RTC time: Mon 2021-08-09 19:08:10
                    Time zone: Etc/UTC (UTC, +0000)
    System clock synchronized: yes
                  NTP service: active
    
    If NTP is not enabled, the output will show:
    System clock synchronized: no
                  NTP service: inactive
    
  • To enable NTP, run the following command:
    sudo timedatectl set-ntp 1

Restricting access to BIND

  • We recommend adding ACLs to limit the systems that can use your BIND instance as a recursive resolver: a resolver that recurses for anyone on the Internet can be abused as a DNS amplification source.
  • Since version 9.4, BIND defaults the allow-recursion option to the local networks and the local host (localnets; localhost) rather than any, but the effective value depends on related options such as allow-query-cache, so an explicit ACL that matches your actual address plan is the safer choice.
  • Define an ACL listing the authorized subnets in /etc/bind/named.conf.local, e.g.
    acl my-networks {
          172.16.0.0/12;
    };
    
  • Restrict recursion to that ACL with the allow-recursion parameter in the options block of /etc/bind/named.conf.options. Because allow-query-cache defaults to the value of allow-recursion when the latter is set, this also stops clients outside my-networks from reading answers out of the cache.
    options {
      ...
      allow-recursion { my-networks; };
      ...
    };
    
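The following POSIX shell script is an added example, not part of the ThreatSTOP page or of BIND. It does two things around the ACL above: it generates the acl block from a validated list of IPv4 prefixes (refusing the whole block on a malformed entry, so a typo cannot silently widen access), and it classifies a captured dig transcript so you can confirm that a host inside my-networks gets recursion while a host outside is refused. The dig transcripts embedded in it are constructed samples, and the probe_recursion helper assumes dig is installed on the host you test from.

```shell
#!/bin/sh
# Added example, not part of the ThreatSTOP page or of BIND itself. Generates
# the acl block for a validated prefix list and classifies dig output to
# verify the effect of allow-recursion. The dig transcripts are constructed
# samples; probe_recursion assumes dig is installed and takes the BIND host.

# Return 0 if $1 is a syntactically valid IPv4 prefix such as 172.16.0.0/12.
valid_ipv4_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no "/" present
    case "$len" in ''|*[!0-9]*) return 1 ;; esac     # prefix length not numeric
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split address on "."
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print a BIND acl block named $1 for the prefixes in $2..; reject the whole
# block if any prefix is malformed, so a typo cannot silently widen access.
render_bind_acl() {
    name=$1; shift
    [ $# -gt 0 ] || { echo "render_bind_acl: no prefixes given" >&2; return 1; }
    body=""
    for cidr in "$@"; do
        if ! valid_ipv4_cidr "$cidr"; then
            echo "render_bind_acl: rejecting malformed prefix '$cidr'" >&2
            return 1
        fi
        body="${body}      ${cidr};
"
    done
    printf 'acl %s {\n%s};\n' "$name" "$body"
}

# Classify a captured dig transcript. Prints "allowed" when the server set
# the RA (recursion available) flag and did not refuse, "refused" when it
# answered with status REFUSED or without RA, "unknown" when no header line
# was found (timeout, unreachable server, ...).
dig_recursion_state() {
    status=$(printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" |
        sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo unknown
        return 0
    fi
    case " $flags " in
        *" ra "*) if [ "$status" != REFUSED ]; then echo allowed; return 0; fi ;;
    esac
    echo refused
}

# Live check (assumes dig is installed): ask the BIND host in $1 for a name
# it is not authoritative for, from the machine you are testing from.
probe_recursion() {
    dig_recursion_state "$(dig @"$1" google.com 2>&1)"
}

# Constructed sample transcripts, trimmed to the lines that matter: what a
# client inside my-networks sees, and what a client outside it sees.
SAMPLE_DIG_ALLOWED=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40951
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_DIG_REFUSED=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 19247
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Demonstration on the page's ACL and the constructed samples.
render_bind_acl my-networks 172.16.0.0/12
echo "client inside my-networks:  $(dig_recursion_state "$SAMPLE_DIG_ALLOWED")"
echo "client outside my-networks: $(dig_recursion_state "$SAMPLE_DIG_REFUSED")"
```

After editing the configuration, run named-checkconf to catch syntax errors before reloading with rndc reload (or service bind9 reload). A host outside my-networks should then see status: REFUSED together with dig's "recursion requested but not available" warning; if it still receives an answer with the ra flag set, the ACL is not taking effect.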

Additional information