How to Set Up a Local DNS Resolver on Ubuntu 18.04, 16.04 with BIND9

This tutorial will be showing you how to set up a local DNS resolver on Ubuntu 18.04, 16.04 with the widely-used BIND9 DNS software. A DNS resolver is known by many names, some of which are listed below. They all refer to the same thing.

  • full resolver (in contrast to stub resolver)
  • DNS recursor
  • recursive DNS server
  • recursive resolver

Also be aware that A DNS server can also called a name server. Examples of DNS resolver are 8.8.8.8 (Google public DNS server) and 1.1.1.1 (Cloudflare public DNS server). The OS on your PC also has a resolver, although it’s called stub resolver due to its limited capability. A stub resolver is a small DNS client on the end-user’s computer that receives DNS requests from applications such as Firefox and forward requests to a recursive resolver. Almost every resolver can cache DNS response to improve performance, so they are also called caching DNS server.

Why Run Your Own Local DNS Resolver

Normally, your computer or router uses your ISP’s DNS resolver to query DNS names. Running your own local DNS resolver can speed up DNS lookups, because

  1. The local DNS resolver only listens to your DNS requests and does not answer other people’s DNS requests, so you have a much higher chance of getting DNS answers directly from the cache on the resolver.
  2. The network latency between your computer and DNS resolver is eliminated (almost zero), so DNS queries can be sent to root DNS servers more quickly.

If you run a mail server and use DNS blacklists (DNSBL) to block spam, then you are advised to run a local DNS resolver to speed up DNS lookups. If you run your own VPN server on a VPS (Virtual Private Server), it’s also a good practice to install a DNS resolver on the same VPS.

You may also want to run your own DNS resolver if you don’t like your Internet browsing history being stored on a third-party server.

If you own a website and want your own DNS server to handle name resolution for your domain name instead of using your domain registrar’s DNS server, then you will need to set up an authoritative DNS server, which is different from a DNS resolver. BIND can act as an authoritative DNS server and a DNS resolver at the same time, but it’s a good practice to separate the two roles on different boxes. This tutorial shows how to set up a local DNS resolver and because it will be used on local host/local network, no encryption (DNS over TLS or DNS over HTTPS) is needed. Setting up a DoT or DoH server will be discussed in a future article.

Set Up a Local DNS Resolver on Ubuntu 18.04, 16.04 with BIND9

BIND (Berkeley Internet Name Domain) is an open-source DNS server software widely used on Unix/Linux due to it’s stability and high quality. It’s originally developed by UC Berkeley, and later in 1994 its development was moved to Internet Systems Consortium, Inc (ISC).

Run the following command to install BIND 9 on Ubuntu 18.04, 16.04 from default repository. BIND 9 is the current version and BIND 10 is a dead project.

sudo apt update
sudo apt install bind9 bind9utils bind9-doc bind9-host

Check version.

named -v

Sample output:

BIND 9.11.3-1ubuntu1.3-Ubuntu (Extended Support Version) <id:a375815>

To check the version number and build options, run

named -V

BIND version number and build option

By default, BIND automatically starts after installation.You check its status with:

systemctl status bind9

If it’s not running, then start it with:

sudo systemctl start bind9

And enable auto start at boot time:

sudo systemctl enable bind9

The BIND server will run as the bind user, which is created during installation, and listens on TCP and UDP port 53, as can be seen by running the following command:

sudo netstat -lnptu | grep named

ubuntu 18.04 bind9 setup

Usually DNS queries are sent to the UDP port 53. The TCP port 53 is for responses sizes larger than 512 bytes.

The BIND daemon is called named. (A daemon is a piece of software that runs in the background.) The named binary is installed by the bind9 package and there’s another important binary: rndc, the remote name daemon controller, which is installed by the bind9utils package. The rndc binary is used to reload/stop and control other aspects of the BIND daemon. Communication is done over TCP port 953.

For example, we can check the status of the BIND name server.

sudo rndc status

remote name daemon controller

Configurations for a Local DNS Resolver

/etc/bind/ is the directory that contains configurations for BIND.

  • named.conf: the primary config file which includes configs of three other files.
  • db.root: the root hints file used by DNS resolvers to query root DNS servers. There are 13 groups of root DNS servers, from a.root-servers.net to m.root-servers.net.
  • db.127: localhost IPv4 reverse mapping zone file.
  • db.local: localhost forward IPv4 and IPv6 mapping zone file.
  • db.empty: an empty zone file

Out of the box, the BIND9 server on Ubuntu provides recursive service for localhost and local network clients only. Outside queries will be denied. So you don’t have to edit the configuration files. To get you familiar with BIND 9 configurations, I will show you how to enable recursion service anyway.

The main BIND configuration file /etc/bind/named.conf sources the settings from 3 other files.

  • /etc/bind/named.conf.options
  • /etc/bind/named.conf.local
  • /etc/bind/named.conf.default-zones

To enable recursion service, edit the first file.

sudo nano /etc/bind/named.conf.options

In the options clause, add the following lines. Replace IP addresses in the allow-recursion statement with your own local network addresses.

 // hide version number from clients for security reasons.
 version "not currently available";

 // optional - BIND default behavior is recursion
 recursion yes;

 // provide recursion service to trusted clients only
 allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.10.10.0/24; };

 // enable the query log
 querylog yes;

enable recursion service in bind9

Save and close the file. Then test the config file syntax.

sudo named-checkconf

If the test is successful (indicated by a silent output), then restart BIND9.

sudo systemctl restart bind9

If you have a firewall running on the BIND server, then you need to open port 53 to allow LAN clients to send DNS queries.

sudo ufw allow in from 192.168.0.0/24 to any port 53

This will open TCP and UDP port 53 to the private network 192.168.0.0/24. Then from another computer in the same LAN, we can run the following command to query the A record of google.com. Replace 192.168.0.102 with the IP address of your BIND resolver.

dig A google.com @192.168.0.102

Now on the BIND resolver, check the query log with the following command.

sudo journalctl -eu bind9

This will show the latest log message of the bind9 service unit. I can found the following line in the log, which indicates that a DNS query for google.com’s A record has been received from port 57806 of 192.168.0.103.

named[1162]: client @0x7f4d2406f0f0 192.168.0.103#57806 (google.com): query: google.com IN A +E(0)K (192.168.0.102)

Setting the Default DNS Resolver on Ubuntu 18.04 Server

Systemd-resolved provides the stub resolver on Ubuntu 18.04. As mentioned in the beginning of this article, a stub resolver is a small DNS client on the end-user’s computer that receives DNS requests from applications such as Firefox and forward requests to a recursive resolver.

The default recursive resolver can be seen with this command.

systemd-resolve --status

local dns resolver ubuntu

As you can see, BIND isn’t the default. If you run the following command on the BIND server,

dig A facebook.com

This DNS query can’t be found in BIND log. Instead, you need to explicitly tell dig to use BIND.

dig A facebook.com @127.0.0.1

To set BIND as the default resolver, open the systemd-resolved configuration file.

sudo nano /etc/systemd/resolved.conf

In the [Resolve] section, add the following line. This will set a global DNS server for your server.

DNS=127.0.0.1

bind dns resolver

Save and close the file. Then restart systemd-resolved service.

sudo systemctl restart systemd-resolved

Now run the following command to check the default DNS resolver.

systemd-resolve --status

bind9 recursive resolver ubuntu 18.04

Now perform a DNS query without specifying 127.0.0.1.

dig A facebook.com

You will see the DNS query in BIND log, which means BIND is now the default recursive resolver. If you don’t see any queries in the BIND log, you might need to configure per-link DNS server.

Configure Per-Link DNS Server on Ubuntu 18.04

You can also configure per-link DNS server, which will override the global DNS server. There are two ways to configure per-link DNS servers:

  • via systemd-resolved
  • via netplan

systemd-resolved

List files under /etc/systemd/network/ directory.

ls /etc/systemd/network/

Sample output:

05-eth0.network  99-default.link

As you can see, I have two link configuration files. The 05-eth0.network file is for my main network interface, so I edit this file.

sudo nano /etc/systemd/network/05-eth0.network

Your filename might be different. If there are no files under this directory, then your per-link DNS configuration is not controlled by systemd-resolved.

Comment out the default DNS and Domain entry, and add your own DNS entry.

DNS=127.0.0.1

Save and close the file. Then restart systemd-resolved service.

sudo systemctl restart systemd-resolved

netplan

Some Ubuntu servers might be using netplan to configure per-link networking. In this case, you need to configure DNS server in the .yaml file under /etc/netplan/ directory. List files in this directory.

ls /etc/netplan/

Sample output:

01-netcfg.yaml

So I edit this file.

sudo nano /etc/netplan/01-netcfg.yaml

Set the DNS server address in the nameservers section.

      nameservers:
        search: [ invalid ]
        addresses:
                - 127.0.0.1

Configure Per-Link DNS Server on Ubuntu

Save and close the file. Then apply the change.

sudo netplan apply

Note: If you see the following error message, then netplan can’t process the configuration file.

Invalid YAML at /etc/netplan/01-netcfg.yaml  inconsistent indentation

You should fix the inconsistent indentation and run sudo netplan apply command again.

Setting the Default DNS Resolver on Ubuntu 16.04 Server

Ubuntu 16.04 uses the resolvconf program to manage DNS resolvers in /etc/resolv.conf file. Install the resolvconf package.

sudo apt install resolvconf

To set BIND as the default resolver on Ubuntu 16.04 server, you need to edit the /etc/resolvconf/resolv.conf.d/head file and add “nameserver 127.0.0.1” to this file, which can be done by running the following command:

echo "nameserver 127.0.0.1" | sudo tee -a /etc/resolvconf/resolv.conf.d/head

The resolver defined in this file will always be the first DNS resolver no matter what. Now restart resolvconf service.

sudo systemctl restart resolvconf

You can now check the content of /etc/resolv.conf.

cat /etc/resolv.conf

ubuntu 16.04 set default DNS resolver

As you can see, 127.0.0.1 is default DNS resolver.

Note that some hosting provider like Linode may use a network helper to auto-generate the /etc/resolv.conf file. To change the default DNS resolver, you need to disable that network helper in the hosting control panel.

Update: Later I noticed that the BIND package on Ubuntu 16.04 comes with a Systemd service unit bind9-resolvconf.service, which will help us set the default DNS resolver on Ubuntu server, so you don’t have to do it manually like above. By default, this service is disabled, we need to start it and enable auto-start at boot time.

sudo systemctl start bind9-resolvconf

sudo systemctl enable bind9-resolvconf

Make sure the resolvconf package is installed. Just two lines of commands and BIND will be set as the default DNS resolver on your Ubuntu 16.04 server.

Setting Default DNS Resolver on Client Computers

On Ubuntu desktop, you can follow the above instructions to set the default DNS resolver, but remember to replace 127.0.0.1 with the IP address of BIND server. The steps of setting default DNS resolver on MacOS and Windows can be found on the Internet.

How to Disable IPv6 in BIND

If you don’t use IPv6 in your network, then it’s a good idea to turn off IPv6 in BIND, otherwise there will be a lot of errors about IPv6 in BIND log like below.

network unreachable resolving 'mirrors.fedoraproject.org/A/IN': 2001:4178:2:1269:dead:beef:cafe:fed5#53
network unreachable resolving 'mirrors.fedoraproject.org/AAAA/IN': 2001:4178:2:1269:dead:beef:cafe:fed5#53
network unreachable resolving 'mirrors.fedoraproject.org/A/IN': 2610:28:3090:3001:dead:beef:cafe:fed5#53
network unreachable resolving 'mirrors.fedoraproject.org/AAAA/IN': 2610:28:3090:3001:dead:beef:cafe:fed5#53

To disable IPv6 in BIND on Ubuntu, simply open the /etc/default/bind9 file

sudo nano /etc/default/bind9

Add “-4” to the OPTIONS.

OPTIONS="-u bind -4"

Save and close the file. Then restart BIND and you are done.

sudo systemctl restart bind9

Conclusion

I hope this tutorial helped you set up a local DNS resolver on Ubuntu 18.04, 16.04 with BIND9. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 5 Average: 4.4]

23 Responses to “How to Set Up a Local DNS Resolver on Ubuntu 18.04, 16.04 with BIND9

  • THANKS (I REQUESTED THIS)

  • please, check where says “sudo apt install resovlconf” instead “sudo apt install resolvconf”, at ubuntu 16

  • This seems like a strange situation to me, but please pardon my limited knowledge.
    After editing /etc/systemd/resolved.conf to put in my local network for the DNS entry (i did un-“comment” that line first) and then running ‘systemd-resolve –status’. I get the same DNS servers listed… but when I do a dig command without specifying where to resolve, the activity shows up in my ‘sudo journalctl -eu bind9’ command

    • just um… realized that i’m not very smart… everything worked fine, i was just looking at the wrong line in the readout of the journalctl command… it worked perfectly and you guys are awesome!! let me just say as somebody that is just learning.. your tutorials have been indispensable! thank you!

  • Hello,

    I was doing fine until this command and the drive is empty?
    sudo nano /etc/systemd/network/05-eth0.network
    I don’t think I missed a step?
    Any ideas?

    • List files in /etc/systemd/network/ directory.

      ls /etc/systemd/network/

      Sample output:

      05-eth0.network  99-default.link

      As you can see, I have two link configuration files. The 05-eth0.network file is for my main network interface, so I edit this file.

      sudo nano /etc/systemd/network/05-eth0.network

      Your filename might be different. If there are no files under this directory, that means all your links (aka network interfaces) are using the global network configuration, and you don’t need to configure per-link DNS server.

      • Really – sorry – as I was re-reading – I have just seen my error…. About to leave another note!

  • Carlo Wood
    5 months ago

    Such wonderful tutorial! Unfortunately I ran into a problem. After adding ‘DNS=127.0.0.1’ to /etc/systemd/resolved.conf as shown, and restarting the systemd-resolved service, the `systemd-resolve –status` output starts with what you show under Global (although at the end there are STILL the same ‘DNS Servers:’ shown for Link 2 (eth0). But when I do subsequently `dig A facebook.com` there is no (extra) output from that for `sudo journalctl -eu bind9`. It still isn’t using my local DNS resolver. How to fix this?

    • Have you tried setting DNS resolver for the eth0 link, as described in the “Configure Per-Link DNS Server” section?

      • Carlo Wood
        5 months ago

        As `/etc/systemd/network` is empty for me, I did not try this.
        However, I am pretty sure that your `/etc/resolv.conf` also points to `/run/systemd/resolve/resolv.conf` does it not? I really think that is a requirement. As can be read in the manual page systemd-resolved(8) (http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html#/etc/resolv.conf) this is a manual tweak that you pick. Using a symlink to `/run/systemd/resolve/stub-resolv.conf` leads to, as described in the man page (“This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server.”) using the stub service that listens on 127.0.0.53. It is possible that that in turn uses the per-link configuration, I don’t know.

        `systemd-resolve –status` gives:

        Global
        DNS Servers: 127.0.0.1
        DNSSEC NTA: 10.in-addr.arpa
        …
        Link 2 (eth0)
        Current Scopes: DNS
        LLMNR setting: yes
        MulticastDNS setting: no
        DNSSEC setting: no
        DNSSEC supported: no
        DNS Servers: 62.179.104.196
        213.46.228.196
        …
        

        Note that the latter two dns servers are (probably) the result of using DHCP, which by default fills this in. You can turn that off, but I kinda like having them as fall back.

        /run/systemd/resolve/stub-resolv.conf reads:

        nameserver 127.0.0.53

        /run/systemd/resolve/resolv.conf reads:

        nameserver 127.0.0.1
        nameserver 62.179.104.196
        nameserver 213.46.228.196
        

        Thank you for your wonderful collection of HOWTO’s! It has greatly helped me.
        I am currently trying to move my deluge setup from one machine to another (I might add comments there too later on, in an attempt to perhaps improve it).

    • There are two ways to configure per-link DNS server. If you don’t see any files in /etc/sytemd/network/ directory, then check /etc/netplan/ directory. I just rewrote the “Configure Per-Link DNS Server” section to make it clear to follow and understand.

      No, my /etc/resolv.conf points to /run/systemd/resolve/stub-resolv.conf, not/run/systemd/resolve/resolv.conf.

  • Carlo Wood
    5 months ago

    I basically found the answer is: https://askubuntu.com/a/1150294/493223
    I searched high and low if there is a better way than to manually change that symlink, but it seems necessary. Mine was pointing to: /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

    This must have been set by some application no? Oh well.

  • Carlo Wood
    5 months ago

    My `/etc/netplan` is empty too. I believe I do not have a per-link configuration set up at all (though I am using systemd-resolved, for sure). I think that what happens is that because I’m using DHCP – it is THAT which configures my eth0 (per link thus) to have those nameservers configured.

    As a result I can not use `/run/systemd/resolve/stub-resolv.conf`. There are two solutions for that: either change the symlink `/etc/resolv.conf` or turn off configuration of DNS by the DHCP client. It should be possible to do this by either uncommenting `prepend domain-name-servers 127.0.0.1;` or removing `domain-name-servers` from the `request` line in `/etc/dhcp/dhclient.conf` altogether.

  • I want to rate this article, but the link to rate it is missing. Great article, thanks. I just discovered linuxbabe today and joined mailing list.

  • IMRON AMD
    2 weeks ago

    My mail server on VPS Vult, but Vultr using DHCP. How to “Set the DNS server address in the nameservers section.” Xiao?

    Thank you.

  • IMRON HS
    24 mins ago

    After restart my server, my server (nginx) can’t access anymore. I try this:

    tail -f /var/log/nginx/error.log
    

    I got the error:

    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to [::]:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to [::]:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to [::]:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to [::]:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to 0.0.0.0:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: bind() to [::]:80 failed (98: Address already in use)
    2020/09/13 18:13:23 [emerg] 2383#2383: still could not bind()
    

    Can you help me Xiao? Thanks

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.


The maximum upload file size: 2 MB.
You can upload: image.