Setting up BIND to Run as a Recursive Nameserver
Internet Systems Consortium
950 Charter Street, Redwood City, CA 94063, US
http://www.isc.org/
4 September 2007
Copyright (C) 2007 Internet Systems Consortium, Inc.
All Rights Reserved.
This Technical Note instructs a moderately experienced systems
administrator on the steps necessary to quickly set up a
recursive (caching-only) nameserver for use on a single system or
on a trusted local network.
Stop or kill off your current named process, if one is
running. Usually, running "rndc stop" will instruct named
to shut down. If this doesn't work, look at any error
messages it prints to determine the problem. On Unix systems,
you can use ps to verify that it has stopped running. If the
process is still running, you can use kill to force it to stop.
Obtain the latest version of BIND from ftp.isc.org or one of
the many sites who mirror it. At the time of writing, the
latest version is bind-9.4.1-P1.tar.gz. You can find that
via FTP at
. If you prefer a web interface, please access it via
. When looking at version numbers, please note that P stands
for patch, RC means release candidate, while b is short for
beta. Only numbered or patched releases are considered to be
production-quality releases.
Extract the distribution. After you've obtained the file and
moved it to a convenient directory with enough free space:
tar zxf bind-9.4.1-P1.tar.gz
cd bind-9.4.1-P1
Build the package by running the configure script.
Specifying a prefix will put the binaries and other files in
a single location, to avoid overwriting any existing files.
After that's successful, build the binaries and such by
running make. To install the binaries and associated files,
use "make install".
Note that while the configure script is designed to work in a
large number of environments, it may instead exit with an error.
./configure --prefix=/usr/local/isc
make
make install
Create a configuration file for the named binary. Make an
/usr/local/isc/etc/named.conf that looks something like the
following. If you are running IPv6 on your system, please
enable the "listen-on-v6" statement.
If you are running this system on an insecure connection such
as an open wireless connection, please remove the "localnets;"
entries since this may increase the chance of your nameserver
being used maliciously for attacks. However, if you are using
this in a home or office environment, it is okay to leave that
parameter in, since you probably want to offer name service to
other local systems.
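The configuration the two paragraphs above describe, written out as an added example for this note's /usr/local/isc layout; it is not the note's own listing. The "directory", the include of rndc.key and the hint zone for named.cache match the later steps; the "rndc-key" key name is what rndc-confgen -a produces by default, and the localhost zone file names are assumptions.

```conf
// Added example of a caching-only named.conf (not the note's own listing).
// Zone file names other than named.cache are assumed.
options {
    directory "/var/named";             // the "directory" the note refers to

    // Uncomment if this host has IPv6 addresses:
    // listen-on-v6 { any; };

    recursion yes;
    // On an open wireless or otherwise untrusted connection, remove
    // "localnets;" from both lists so only this host can use the resolver.
    allow-query     { localhost; localnets; };
    allow-recursion { localhost; localnets; };
};

// Key file created by "rndc-confgen -a"; keep it readable by root only.
include "/usr/local/isc/etc/rndc.key";

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Root hints, refreshed occasionally as the note advises.
zone "." IN {
    type hint;
    file "named.cache";
};

// Local zones so localhost queries never leave the machine (file names assumed).
zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "localhost.rev";
};
```

Because allow-recursion is limited to localhost and localnets, hosts outside those ranges receive REFUSED for recursive queries, which is what keeps the server from being used as an open resolver.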
Create the files referenced in the configuration. Create
the following seven files in /var/named (or whatever the
"directory" statement in /usr/local/isc/etc/named.conf
specifies). Note that you can verify you have the latest
named.cache by downloading it from
. It's worthwhile to verify you have the latest version
of named.cache occasionally. This file does not
change frequently, but changes may occur during the next
few years.
Generate a key for rndc. In order to run rndc, which will
let you control named over a separate channel, execute
the command:
rndc-confgen -a
This will create /usr/local/isc/etc/rndc.key, which the
named.conf is set up to include. Please verify and control
the permissions on this file, since anyone who has this key
on this machine could control your nameserver.
Add your nameserver to the list of resolvers. On Unix
systems, edit /etc/resolv.conf. Add the following line
as the first nameserver entry in the file:
nameserver 127.0.0.1
If you control this file, the entry should be permanent.
However, note that on some variants of Unix, networking
scripts may modify this file. In that case, you may wish to
either alter those scripts or change this file each time
after networking changes are made.
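Two checks for the last two steps, as an added example that is not part of the ISC note: one confirms that rndc.key grants no permissions to group or others, the other that 127.0.0.1 is the first nameserver entry in resolv.conf. The paths are the note's defaults; the script assumes a POSIX ls, awk and cut.

```sh
#!/bin/sh
# Added example (not part of the ISC note): post-install checks for the rndc
# key permissions and the resolver entry. Paths are the note's defaults.

RNDC_KEY=/usr/local/isc/etc/rndc.key
RESOLV_CONF=/etc/resolv.conf

# check_key_perms FILE: exit 0 only when FILE exists and grants no read, write
# or execute permission to group or others. Characters 5-10 of "ls -ld" output
# are the group and other permission bits.
check_key_perms() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# first_nameserver FILE: print the address of the first "nameserver" entry in
# a resolv.conf-style FILE, i.e. the server the resolver tries first.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_resolver FILE: exit 0 only when the first nameserver entry is 127.0.0.1
check_resolver() {
    [ "$(first_nameserver "$1")" = "127.0.0.1" ]
}

# Run both checks against the real files when invoked as: sh check-named.sh --run
if [ "${1:-}" = "--run" ]; then
    if check_key_perms "$RNDC_KEY"; then
        echo "ok: $RNDC_KEY is readable only by its owner"
    else
        echo "WARNING: $RNDC_KEY is missing or readable by group/others (try: chmod 600 $RNDC_KEY)"
    fi
    if check_resolver "$RESOLV_CONF"; then
        echo "ok: $RESOLV_CONF queries 127.0.0.1 first"
    else
        echo "WARNING: first nameserver in $RESOLV_CONF is not 127.0.0.1"
    fi
fi
```

Rerun the resolver check after any networking change, since the note points out that some systems' networking scripts rewrite /etc/resolv.conf.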
If your system does not start up named by default, edit your
startup configuration to start /usr/local/isc/sbin/named.
Replace references to "named" with "/usr/local/isc/sbin/named"
to make sure that this newest version is running, rather than
running an older version.
Start up named. Check the system logfile for messages
reflecting a successful start. On Unix, you can use ps to
verify that the named process is running. You can also use
"rndc status" to verify that the server is running; it
also prints some brief status information.