Authoritative DNS Servers

Participants should be able to configure primary and secondary name server for a given domain name and do a zone transfer between them. This should include creating, modifying, deleting RRs and incrementing Primary name server serial number. Each participant name servers should be visible from other name servers since we will use the lab root and GTLD server. A custom lab root hint will be used.

  1. In our lab you should approach the instructor for domain registration. Instructor will also act as a GTLD server for this exercise. He will be creating the delegation of .net subdomains to every pc in the lab.
  2. Create a new working directory for your master server under /var/cache/bind
    mkdir /var/cache/bind/master
    chown -R bind:bind /var/cache/bind/master
  3. Create a zone file for your domain under /var/cache/bind/master and add necessary resource records like NS record, A record, TXT record, MX record that will determine which host is receiving mail for your domain.
    For example, if you have as your domain(where X is your group number), you must create, with the following base contents:
    $TTL 1d
        20130823 ;serial no.
        30m ;refresh
        15m ;retry
        1d ;expire
        30m ;negative cache ttl
    ns          A  192.168.30.X
    www         A MX 10
                MX 20
    mail01      A
    mail02      A
  4. Modify the configuration file (named.conf.local). Please note that the primary zone is of type master while a secondary zone is of type slave.
    zone “” {
        type master;
        file “/var/cache/master/”;

    zone "." {
            type hint;
            file "/etc/bind/db.root";
    zone "localhost" {
            type master;
            file "/etc/bind/db.local";
  5. Check if bind configuration is working and see if it's running properly. Error messages will give you hints where the error is.
    named-checkconf /etc/bind/named.conf
  6. Once BIND is running, you can do some basic test using DNS tools like dig
    To test your name server to display the SOA records for your domain.
    dig @192.168.30.X SOA

    To test your name server to display NS records

    dig @192.168.30.X NS

    To test your name server to display other resource records (A, MX, or TXT). You can also use the -t option to set the query type.

    dig @192.168.30.X A
    dig –t MX @192.168.30.X
  7. Setup your server as the secondary server for your neighbour. Create a folder called slave. Your primary server’s zonefile will be copied to this folder.
    mkdir /var/cache/bind/slave
    chown -R bind:bind /var/cache/bind/slave

    In your named.conf.local, add the following:

    zone “” {
      type slave;
      file “/var/cache/bind/slave/”;
      masters {
  8. Secure your zones by restricting who can get the zone file. You can test this by trying zone transfer from another nameserver in the lab.
    dig @<ip-address> GROUPX.NET AXFR

    If successful, you will see all the resource records as an output.
    Now, add the following line in your named.conf.local for the zones where you are primary and restart bind service bind9 restart:

    zone “” {
      type master;
      file “/var/cache/bind/”;
      allow-transfer { 

    Execute the same dig command again. If successful, the status in the dig output should say Transfer Failed.

  • netsec20181209-np/dns_authoritative.txt
  • Last modified: 2021/04/19 06:39
  • by