WINDOWS GUIDE AT BOTTOM OF PAGE.

Remember, if you are using two BIND DNS servers in a master/slave configuration, you must update the serial number of the zone file when you update the file on the master if you want the slave to pick it up.

Remember, if you make a change to a zone, you can make that change live without restarting the DNS service with the following command

rndc reload example.local

On Ubuntu 16.04, you need to

sudo apt-get install bind9 bind9utils bind9-doc dnsutils

named-checkconf

named-checkzone yourdomain.tld /etc/bind/zones/name-of-file.db

Then

vi /etc/bind/named.conf.options

And add…

options {
        directory "/var/cache/bind";
        listen-on port 53 { 127.0.0.1; 192.168.1.5; };

        listen-on-v6 { any; };
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };
		
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035

};

service bind9 restart

If you are running the local ufw firewall, you may need to open UDP/TCP 53.

vi /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "example.local" {
        type master;
        file "/etc/bind/zones/example.local.db";
        allow-transfer { slave.ip.address; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.99.168.192.in-addr.arpa";
        allow-transfer { slave.ip.address; };
};

vi /etc/bind/zones/example.local.db

$TTL    604800
@       IN      SOA     ns1.example.local admin.example.local. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1




; Name servers
example.local.    IN      NS      ns1.example.local.
example.local.    IN      NS      ns2.example.local.


; records for name servers
ns1         IN      A       192.168.1.4
ns2        IN      A       192.168.1.5



; Other A records
@               IN      A       192.168.1.7
www             IN      A       192.168.1.8
myserver          IN      A       192.168.1.9

vi /etc/bind/zones/rev.99.168.192.in-addr.arpa

$TTL    604800
@       IN      SOA     example.local. admin.example.local. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; Name servers
        IN      NS      ns1.example.com.
        IN      NS      ns2.example.com.

; PTR Records
14       IN      PTR      server1.example.local.
15       IN      PTR      server2.example.local.
16       IN      PTR      server3.example.local.

In Ubuntu 16.04

rndc querylog

tail -f /var/log/syslog

Also

sudo mkdir /var/log/named
sudo chown bind:bind /var/log/named
sudo chmod ug+w /var/log/named

NOTE Use /var/log/named/ for logging folder otherwise you will encounter issues with AppArmor

user@hostname:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";
        listen-on port 53 { 127.0.0.1; 127.0.1.1; 192.168.0.1; };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };
};

logging {
        channel bind_default_log {
                file "/var/log/named/default.log" versions 3 size 5m;
                //severity debug 9;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        channel bind_update_log {
                file "/var/log/named/update.log" versions 3 size 5m;
                //severity debug 9;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        channel bind_update-security_log {
                file "/var/log/named/update-security.log" versions 3 size 5m;
                //severity debug 9;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        channel bind_security_log {
                file "/var/log/named/security.log" versions 3 size 5m;
                //severity debug 9;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        channel bind_query_log {
                file "/var/log/named/query.log" versions 3 size 5m;
                //severity debug 10;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        channel bind_lame-servers_log {
                file "/var/log/named/lame-servers.log" versions 3 size 5m;
                //severity debug 9;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        category default { bind_default_log; };
        category update { bind_update_log; };
        category update-security { bind_update-security_log; };
        category security { bind_security_log; };
        category queries { bind_query_log; };
        category lame-servers { bind_lame-servers_log; };
};

Log on to the slave machine and run

dig @master.ip.address mydomain.local. AXFR

I found I had to edit vi /etc/resolvconf/resolv.conf.d/head and add nameserver 127.0.0.1 to the end of the file, save, exit and then run the following to get the NS servers to correctly access DNS on themselves.

resolvconf --enable-updates

• Download Win x64 BIND 9.16.24 from ISC's BIND website. 9.16 is the last version of BIND to be natively supported on Microsoft Windows.
• Extract the zip file.
• As Administrator, run BINDInstall.exe.
• The install window will ask for a target directory. For this guide, we will use the default “C:\Program Files\ISC BIND 9”.
• Set a service account name (this will create a local user). Password must meet the password requirements of the system.
• For the options tick “Automatic Startup” and “Keep Config Files After Uninstall”. Don't bother ticking “Tools Only” (this is if you want to install DIG on a Windows system and not BIND) and DO NOT tick “Start BIND Service After Install.
• Click Install.
• It should prompt you to install Microsoft Visual C++ 2017 Redistributable (x64) 14.16.27033. Even if Visual C++ throws an error, BIND may still be working.
• The service is listed under Windows Services as “ISC BIND”.
• Create the folders dns\logs under the installation directory (e.g “C:\Program Files\ISC BIND 9\dns\logs”)
• Create the folders dns\keys under the installation directory (e.g “C:\Program Files\ISC BIND 9\dns\keys”)
• Edit the security properties for the installation directory (e.g. “C:\Program Files\ISC BIND 9\”) to make sure that the service account you created has read/write permissions to the folder. You may need to click “Advanced” in the “Select Users..” popup and scroll down the list until you find the sevice account as it is local (not domain).
• Copy the configuraiton files into the “etc” sub-folder off the installation folder (e.g. C:\Program Files\ISC BIND 9\etc). The configuration is below. YOu need three files
  • named.conf (this is what BIND uses)
  • named_forward53.conf
  • named_forward5353.conf
• All three files should be identicle except for the port they listen on. named_forward53.conf should listen on 53, named_forward5353.conf should listen on 5353 and named.conf should listen on the one you actively want to listen on. We have three files so that it is easy to create a script to copy named_forward53.conf or named_forward5353.conf to named.conf. This allows the automation of moving BIND from port 5353 to 53 and vice-versa. Useful during migrations to Infoblox.
• Copy bind.keys file to “C:\Program Files\ISC BIND 9\dns\bind.keys”
• Query logs are in the file “C:\Program Files\ISC BIND 9\dns\logs\queries”

Remember, you cannot set the port of a nslookup query on Windows. The documentation says it is supported but it silently doesn't work.

Remember, you may need to add the following to the options section.

	dnssec-enable no;
	dnssec-validation no;

This was needed when forwarding to Infoblox (which had DNSSEC disabled). The BIND logs showed something similar to the following

12-Dec-2018 10:05:24.294 managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.
12-Dec-2018 11:36:07.683 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
12-Dec-2018 11:43:40.942   validating C:\Program Files\ISC BIND 9\/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:43:40.958   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:44:18.302   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:44:18.302   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:49:17.050   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:49:17.066   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:59:07.186   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 11:59:07.186   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 12:00:21.172   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 12:00:21.172   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 12:02:04.971   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 12:02:04.971   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 14:19:30.328   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 14:19:32.734   validating internal.test/SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 14:19:38.968 validating test.internal.test/A: bad cache hit (cds.internal.test/DS)
12-Dec-2018 14:19:51.078 validating test.internal.test/A: bad cache hit (cds.internal.test/DS)
12-Dec-2018 14:31:11.044   validating ./SOA: got insecure response; parent indicates it should be secure
12-Dec-2018 14:31:11.701   validating ./SOA: got insecure response; parent indicates it should be secure

This file just tells BIND to listen on port 5353 and forward to two IP addresses.

options {
	directory "C:\Program Files\ISC BIND 9\dns";
	auth-nxdomain no;
	allow-recursion { any; };
	allow-query { any; };
	version none;
        bindkeys-file "C:\Program Files\ISC BIND 9\dns\bind.keys";
        managed-keys-directory "C:\Program Files\ISC BIND 9\dns\keys";
        dnssec-validation auto;        
        listen-on port 5353 { any; };
	minimal-responses yes;
	forwarders { 192.168.1.1; 192.168.1.2; };
	forward only;
	max-cache-ttl 300;
	max-ncache-ttl 300;
};

logging {
	channel default_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\default.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel general_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\general.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel database_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\database.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel security_file {
	file "C:\Program Files\ISC BIND 9\dns\logs\security.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel config_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\config.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel resolver_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\resolver.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel xfer-in_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\xfer-in.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel xfer-out_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\xfer-out.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel notify_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\notify.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel client_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\client.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel unmatched_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\unmatched.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel queries_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\queries.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel network_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\network.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel update_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\update.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel dispatch_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\dispatch.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel dnssec_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\dnssec.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel lame-servers_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\lame-servers.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};

	category default { default_file; };
	category general { general_file; };
	category database { database_file; };
	category security { security_file; };
	category config { config_file; };
	category resolver { resolver_file; };
	category xfer-in { xfer-in_file; };
	category xfer-out { xfer-out_file; };
	category notify { notify_file; };
	category client { client_file; };
	category unmatched { unmatched_file; };
	category queries { queries_file; };
	category network { network_file; };
	category update { update_file; };
	category dispatch { dispatch_file; };
	category dnssec { dnssec_file; };
	category lame-servers { lame-servers_file; };
};

This is the bind.keys file.

# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9.  As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options.  To use the built-in DLV key, set
# "dnssec-lookaside auto;".  Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017.  If any key fails to
# initialize correctly, it may have expired.  In that event you should
# replace this file with a current version.  The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

managed-keys {
  
        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key (19036) should
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
        # being set up for the first time can use the contents of this
        # file as initializing keys; thereafter, the keys in the
        # managed key database will be trusted and maintained
        # automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                R1AkUTV74bU=";
};

Remember, you may need to add the following to the options section if you don't get the keys right.

	dnssec-enable no;
	dnssec-validation no;