How To Install And Configure Secondary DNS Server In Linux

Aug 18, 2022 · 2 mins read

In the video below, we show you how to install and configure a secondary DNS server in Linux using Ubuntu 22.04.1 LTS and Bind 9.


Bear in mind that while a secondary DNS server provides redundancy for DNS resolution, it only holds a read-only copy of the zone data.

So if the primary server fails, it should be replaced as soon as possible so that future DNS changes can still be made.

We’ll update and configure an existing primary DNS server, since we want redundancy with internal zone transfers.

Then we’ll install and configure a secondary server, which will also act as a redundant forwarder for Internet DNS resolution.

Finally, we’ll set up a client and do some testing.

Steps Taken

  1. Update Primary Server

    sudo apt update && sudo apt upgrade -y
    cd /etc/bind
    sudo nano /etc/bind/named.conf.local

    Add allow-transfer and also-notify to each zone, pointing at the secondary server (172.16.17.11):

    zone "templab.lan"  {
    ..
    	allow-transfer { 172.16.17.11; };
    	also-notify { 172.16.17.11; };
    };
    
    zone "16.172.in-addr.arpa" {
    ..
    	allow-transfer { 172.16.17.11; };
    	also-notify { 172.16.17.11; };
    };

    sudo systemctl restart bind9
    sudo systemctl status bind9

  2. Create Secondary Server
    NOTE: It’s assumed you already have an Ubuntu server built to be the secondary server. This next step just installs bind9.

    sudo apt update && sudo apt upgrade -y
    sudo apt install bind9 -y
    cd /etc/bind
    sudo nano /etc/bind/named.conf.local

    zone "templab.lan"  {
    	type secondary;
    	file "/var/lib/bind/db.templab.lan";
    	masters { 172.16.17.10; };
    };
    
    zone "16.172.in-addr.arpa" {
    	type secondary;
    	file "/var/lib/bind/db.172.16";
    	masters { 172.16.17.10; };
    };

    sudo systemctl restart bind9
    sudo systemctl status bind9

    Check that a zone transfer took place (the zone files should now exist):

    ls -l /var/lib/bind

    If not, and you have UFW installed on your servers, check that TCP is allowed on port 53. Traditionally UDP was used for lookups and TCP for zone transfers, but now both UDP and TCP are used for lookups, so TCP access should already have been allowed.

  3. Test Internal DNS on the secondary

    nslookup dhcp1.templab.lan 172.16.17.11  
    nslookup 172.16.17.10 172.16.17.11

  4. Restrict Access and Configure DNS Forwarding

    cd /etc/bind
    sudo nano named.conf.options

    acl trustedclients {
    	localhost;
    	localnets;
    	172.16.18.0/24;
    	172.16.19.0/24;
    	172.16.21.0/24;
    	172.16.22.0/24;
    	172.16.24.0/24;
    };
    
    options {
    	directory "/var/cache/bind";
    
    	recursion yes;
    	allow-query { trustedclients; };
    	allow-query-cache { trustedclients; };
    	allow-recursion { trustedclients; };
    
    	forwarders {
    		172.16.17.254;
    	};
    
    	dnssec-validation no;
    
    	listen-on-v6 port 53 { ::1; };
    	listen-on port 53 { 127.0.0.1; 172.16.17.11; };
    };

    sudo systemctl restart bind9
    sudo systemctl status bind9

  5. Update IP addressing
    Re-configure the secondary server to use itself for DNS resolution.

    cd /etc/netplan  
    ls -l  
    sudo nano 00-installer-config.yaml
    Change the name server to 127.0.0.1.

    Apply the changes:
    sudo netplan apply  
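Steps 1 and 4 carry the two security-relevant settings in this setup: allow-transfer limits who can pull a full copy of a zone (a primary zone whose allow-transfer is missing or set to any may serve the whole zone to any requester, as the historical BIND default allows transfers to all hosts), and the trustedclients ACL on allow-recursion keeps the forwarding resolver from being an open resolver. The following Python script is an added example, not part of the original post and not part of BIND; it parses named.conf fragments of the shape shown above (top-level zone, options and acl statements, no view blocks) and flags primary zones without a restricted allow-transfer, recursion without a restricted allow-recursion, and dnssec-validation no as an informational item. The configuration embedded in the script is constructed for the example; the example.lan zone and its allow-transfer { any; } line are invented to show a failing case.

```python
"""Audit security-relevant settings in BIND 9 named.conf fragments (added example)."""
import re

# Constructed named.conf.local: a correctly restricted primary zone and an
# invented zone ('example.lan') whose transfers are open to anyone.
SAMPLE_LOCAL = """
zone "templab.lan" {
	type primary;
	file "/etc/bind/db.templab.lan";
	allow-transfer { 172.16.17.11; };
	also-notify { 172.16.17.11; };
};
// invented for the example: a zone someone forgot to restrict
zone "example.lan" {
	type primary;
	file "/etc/bind/db.example.lan";
	allow-transfer { any; };
};
"""

# Constructed named.conf.options mirroring step 4 of the post (shortened ACL).
SAMPLE_OPTIONS = """
acl trustedclients { localhost; localnets; 172.16.18.0/24; };
options {
	directory "/var/cache/bind";
	recursion yes;
	allow-query { trustedclients; };
	allow-recursion { trustedclients; };
	forwarders { 172.16.17.254; };
	dnssec-validation no;
	listen-on port 53 { 127.0.0.1; 172.16.17.11; };
};
"""

# Constructed weak options block: recursion on with no allow-recursion ACL.
WEAK_OPTIONS = """
options {
	recursion yes;
	allow-query { any; };
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments (BIND accepts all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def split_statements(body):
    """Split text into statements terminated by ';' at brace depth 0."""
    stmts, cur, depth = [], [], 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [s for s in stmts if s]

def parse_statement(stmt):
    """Return (keyword, label, fields) for 'keyword ["label"] { sub; ... }'."""
    i = stmt.find("{")
    head, body = (stmt, "") if i < 0 else (stmt[:i], stmt[i + 1:stmt.rfind("}")])
    words = head.split()
    label = words[1].strip('"') if len(words) > 1 else None
    fields = {}
    for sub in split_statements(body):
        parts = sub.split(None, 1)
        fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return words[0], label, fields

def acl_elements(value):
    """Elements of an address-match-list such as '{ 172.16.17.11; any; }'."""
    inner = value[value.find("{") + 1:value.rfind("}")] if "{" in value else value
    return [e.strip().strip('"') for e in inner.split(";") if e.strip()]

def audit(conf_local, conf_options):
    """Return (severity, message) findings for the two config fragments."""
    findings = []
    for stmt in split_statements(strip_comments(conf_local)):
        kw, name, f = parse_statement(stmt)
        if kw != "zone" or f.get("type") not in ("primary", "master"):
            continue
        xfer = f.get("allow-transfer")
        if xfer is None:
            findings.append(("HIGH", f"zone {name}: no allow-transfer; restrict AXFR to the secondary"))
        elif "any" in acl_elements(xfer):
            findings.append(("HIGH", f"zone {name}: allow-transfer any lets anyone dump the zone"))
    for stmt in split_statements(strip_comments(conf_options)):
        kw, _, f = parse_statement(stmt)
        if kw != "options":
            continue
        rec = f.get("allow-recursion")
        # BIND's default is 'recursion yes', so a missing line counts as enabled.
        if f.get("recursion", "yes") == "yes" and (rec is None or "any" in acl_elements(rec)):
            findings.append(("HIGH", "options: recursion enabled without a restricted allow-recursion ACL (open resolver)"))
        if f.get("dnssec-validation") == "no":
            findings.append(("INFO", "options: dnssec-validation no; forwarded answers are not validated"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_LOCAL, SAMPLE_OPTIONS) + audit("", WEAK_OPTIONS):
        print(f"[{sev}] {msg}")
```

To run it against real servers, replace the constructed samples with the contents of /etc/bind/named.conf.local and /etc/bind/named.conf.options. It complements rather than replaces named-checkconf: that tool checks syntax, while this script only looks at the handful of settings above and does not understand view blocks or included files.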
