
A Practical Guide to Setting Up a BIND Slave DNS Server on Ubuntu
In the world of network infrastructure, a single point of failure is a risk you can’t afford to take. For something as critical as the Domain Name System (DNS), which translates human-readable domain names into machine-readable IP addresses, downtime is not an option. A single DNS server going offline can make your websites, email, and other services completely unreachable.
This is where a master-slave DNS architecture comes in. By setting up a secondary (or “slave”) DNS server, you create a redundant system that ensures high availability and distributes the query load. The slave server maintains a read-only copy of the master server’s zone files and automatically synchronizes any changes, ready to handle DNS requests if the primary server becomes unavailable.
This guide provides a step-by-step walkthrough for configuring a BIND9 slave DNS server on a server running Ubuntu.
Why You Need a Secondary DNS Server
Before diving into the configuration, it’s important to understand the benefits of this setup:
- High Availability and Redundancy: If your primary (master) DNS server fails due to a hardware issue, network outage, or maintenance, the secondary (slave) server seamlessly continues to resolve DNS queries. This prevents a total service outage.
- Load Balancing: With two or more DNS servers, you can distribute the incoming query traffic between them. This reduces the load on any single server, improving response times and overall performance.
- Improved Performance for Geographic Distribution: If your users are spread out geographically, you can place a slave DNS server closer to a specific user base, reducing latency and speeding up DNS resolution for them.
Prerequisites
To follow this guide, you will need:
- A fully configured and working master BIND9 DNS server.
- A separate server for the slave, running Ubuntu.
- Root or sudo access on both the master and slave servers.
- The IP address of both servers.
Step 1: Configure the Master DNS Server for Zone Transfers
The first step is to authorize your new slave server to copy zone data from the master. This process is called a zone transfer. You need to explicitly tell the master server which IP addresses are allowed to request this data.
Connect to your master DNS server. Open the BIND configuration file where your zone options are defined. This is typically `/etc/bind/named.conf.options` or `/etc/bind/named.conf.local`. Inside the `options {}` block or within a specific `zone {}` definition, add the `allow-transfer` and `also-notify` directives. Replace `SLAVE_SERVER_IP` with the actual IP address of your new slave server.
```
// Example for a specific zone in named.conf.local
zone "yourdomain.com" {
    type master;
    file "/etc/bind/zones/db.yourdomain.com";
    // ... other options
    allow-transfer { SLAVE_SERVER_IP; };
    also-notify { SLAVE_SERVER_IP; };
};
```
- allow-transfer: This directive explicitly grants the slave server’s IP permission to request a full copy of the zone file.
- also-notify: This tells the master to proactively send a notification to the slave server whenever the zone file is updated. This ensures changes are replicated almost instantly, rather than waiting for the slave to periodically check for updates.
- After saving the file, check the BIND configuration for syntax errors:
```bash
sudo named-checkconf
```
- If no errors are reported, restart the BIND service to apply the changes:
```bash
sudo systemctl restart bind9
```
Your master server is now ready to serve zone data to your slave server.
Step 2: Install and Configure the Slave DNS Server
Now, let’s move to your new server and set it up to act as the slave.
First, update your package list and install BIND9:
```bash
sudo apt update
sudo apt install bind9
```
Next, you need to define the zone that this server will be a slave for. Edit the `/etc/bind/named.conf.local` file:
```bash
sudo nano /etc/bind/named.conf.local
```
Add the zone block for your domain. This configuration tells BIND that it is a slave for this zone and specifies where to get the master copy. Replace `yourdomain.com` and `MASTER_SERVER_IP` with your actual domain and master server's IP address.
```
zone "yourdomain.com" {
    type slave;
    file "/var/cache/bind/db.yourdomain.com";
    masters { MASTER_SERVER_IP; };
};
```
Let’s break down this configuration:
- type slave: This is the most important directive. It defines this server’s role as a secondary server for the “yourdomain.com” zone.
- file "/var/cache/bind/db.yourdomain.com": This specifies the path where BIND will store the copied zone file. It's crucial that this file is located in a directory that BIND has write permissions for, such as `/var/cache/bind/`.
- masters { MASTER_SERVER_IP; };: This tells the slave server the IP address of the primary master server from which to request the zone data.
Save and close the file.
Step 3: Verification and Final Checks
With both servers configured, it’s time to start the slave’s BIND service and verify that the zone transfer was successful.
Check the slave server's BIND configuration for syntax errors:
```bash
sudo named-checkconf
```
If the syntax is correct, restart the BIND service:
```bash
sudo systemctl restart bind9
```
Immediately after restarting, check the system logs to see the zone transfer in action. You can watch the logs in real-time with this command:
```bash
sudo journalctl -u bind9 -f
```
You should see lines indicating a successful transfer, such as:
```
zone yourdomain.com/IN: transferred serial 2023040101
transfer of 'yourdomain.com/IN' from MASTER_SERVER_IP#53: Transfer completed
```
Verify the zone file was created. Check the directory you specified in the configuration:
```bash
ls -l /var/cache/bind/
```
You should see the file `db.yourdomain.com` present in the directory. Finally, use a DNS query tool like `dig` to query your new slave server directly and confirm it is resolving records for your domain.
```bash
dig @localhost www.yourdomain.com
```
The command should return the correct IP address for `www.yourdomain.com`, proving your slave server has the correct zone data and is functioning properly.
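A slightly deeper set of checks for this step, added here as an example that is not part of the original guide: it compares the SOA serial on master and slave (a lagging slave means the NOTIFY or transfer path is broken even though it still answers), and confirms that a transfer request from a host that is not listed in `allow-transfer` is refused. The zone name, the 192.0.2.x addresses and the sample `dig` outputs are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-setup checks for the
# master/slave pair. Zone name and the 192.0.2.x addresses are placeholders.

# Pull the serial out of `dig <zone> SOA +short` output, which looks like:
# "ns1.yourdomain.com. hostmaster.yourdomain.com. 2023040101 7200 3600 1209600 3600"
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Compare the master's and the slave's SOA answers.
zone_sync_status() {
    ms=$(soa_serial "$1"); ss=$(soa_serial "$2")
    if [ -z "$ms" ] || [ -z "$ss" ]; then echo no-answer
    elif [ "$ms" = "$ss" ]; then echo in-sync
    else echo lagging; fi
}

# Classify a `dig <zone> AXFR` attempt. BIND answers a requester that is not in
# allow-transfer with "; Transfer failed."; a permitted transfer ends with ";; XFR size:".
axfr_exposure() {
    case "$1" in
        *"Transfer failed."*) echo refused ;;
        *"XFR size:"*)        echo allowed ;;
        *)                    echo unknown ;;
    esac
}

# Live check; run it from a host that is NOT listed in allow-transfer, so that
# "refused" confirms the restriction on both servers. Needs dig and network access.
check_pair() {
    zone=$1 master=$2 slave=$3
    msoa=$(dig @"$master" "$zone" SOA +short)
    ssoa=$(dig @"$slave" "$zone" SOA +short)
    echo "serial master=$(soa_serial "$msoa") slave=$(soa_serial "$ssoa"): $(zone_sync_status "$msoa" "$ssoa")"
    for ns in "$master" "$slave"; do
        echo "AXFR from this host via $ns: $(axfr_exposure "$(dig @"$ns" "$zone" AXFR 2>&1)")"
    done
}
# Example invocation (placeholder values): check_pair yourdomain.com 192.0.2.1 192.0.2.2
```

Running `check_pair` from the slave itself will report `allowed` for the master, because the slave's address is in `allow-transfer` by design; the exposure check is only meaningful from an unlisted host.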
Essential Security Best Practices
To harden your DNS infrastructure, consider these security tips:
- Be Specific with `allow-transfer`: Never set `allow-transfer { any; };`. This would allow anyone on the internet to copy your entire DNS zone, potentially exposing sensitive information about your network infrastructure. Always list only the specific IP addresses of your slave servers.
- Use Firewall Rules: Configure your firewall (e.g., UFW) on both the master and slave servers. Port 53 (for both TCP and UDP) should only be open to necessary sources. Zone transfers happen over TCP, so ensure your master server's firewall allows incoming TCP connections on port 53 from the slave's IP.
- Implement TSIG Keys: For a more secure setup, use Transaction Signatures (TSIG) to cryptographically sign the DNS messages exchanged between your master and slave servers. This authenticates the zone transfer and ensures the data has not been tampered with in transit.
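What the TSIG recommendation looks like in practice, as an added example that is not part of the original guide: it renders the key-protected form of the Step 1 and Step 2 zone blocks for both servers, with `allow-transfer` granted to the key instead of a bare IP address. The key name `transfer-key`, the zone, file paths, the 192.0.2.x addresses and the secret are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: render the TSIG-protected version
# of the transfer configuration for both servers. Key name, zone, paths and the
# 192.0.2.x addresses are placeholders. Generate the secret once, on the master,
# with BIND's own tool:   tsig-keygen -a hmac-sha256 transfer-key
# then copy the resulting key {} block to the slave over an encrypted channel and
# keep the file holding it readable only by root and the bind group.

# Shared key block; $1 = key name, $2 = base64 secret (as printed by tsig-keygen)
tsig_key_block() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Master side: transfers are granted to the key rather than to an address, so a
# spoofed or reassigned IP alone is not enough, and NOTIFYs to the slave are signed.
# $1 = zone, $2 = zone file, $3 = slave IP, $4 = key name
master_zone_block() {
    cat <<EOF
server $3 { keys { "$4"; }; };
zone "$1" {
    type master;
    file "$2";
    allow-transfer { key "$4"; };
    also-notify { $3; };
};
EOF
}

# Slave side: sign AXFR/IXFR requests to the master and accept only signed NOTIFYs.
# $1 = zone, $2 = cache file, $3 = master IP, $4 = key name
slave_zone_block() {
    cat <<EOF
zone "$1" {
    type slave;
    file "$2";
    masters { $3 key "$4"; };
    allow-notify { key "$4"; };
};
EOF
}

# Example rendering with a constructed (not real) secret:
# tsig_key_block transfer-key 'c2VjcmV0LXBsYWNlaG9sZGVy'
# master_zone_block yourdomain.com /etc/bind/zones/db.yourdomain.com 192.0.2.2 transfer-key
# slave_zone_block yourdomain.com /var/cache/bind/db.yourdomain.com 192.0.2.1 transfer-key
```

The same `key {}` block must appear in the configuration of both servers before the zone that references it, and `named-checkconf` should be run on each side before restarting BIND.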
By following these steps, you have successfully built a more resilient, fault-tolerant DNS system that can withstand a single server failure, ensuring your online services remain available to users.
Source: https://kifarunix.com/configure-bind-as-slave-dns-server-on-ubuntu-18-04/