How to set up a DNS Server

A complete guide to spinning up your own DNS server.

Odds are, if you have a computer and you find yourself on
the interwebs Googling away, you have heard the term ‘DNS’. The fact is that
without DNS none of this would be possible: You wouldn’t be able to read this,
you wouldn’t be able to read information about the newly released OnePlus 7 Pro
(I’m not excited about it, you are) and you wouldn’t be able to read how in the
world the Tampa Bay Lightning got swept in the opening round of the 2019 NHL Eastern
Conference Playoffs (I’m not bitter about it, you are). In fact, none of the
internet or its many information and services would be unavailable without DNS.

A ‘Domain Name Server’s primary function is to translate
easily re(adable)memorable names, such as into an IP address that
are nearly possible to remember en masse. It provides other information, as
mentioned in some of my previous articles, such as (but not limited to) mail
domain information, as in which server to send mail to, and what IP addresses
are valid to send said mail (SPF). But without the simple A or AAAA record to
translate name into IP address, we’re not here reading this now.

Cybersecurity Live - Boston

There are DNS servers all over the place, the world even.
Many are public, some are private, some are for mass distribution and some are
top level (.com) that use Root Zone servers. Many people have a small DNS
service running in their homes and they might not even know it. Most
“all-in-one” routers contain a DNS service on it that can act as an
intermediary between the Candy Crush servers and their cell phone. That
router’s DNS service will query another server, typically from the ISP, and
that server has queried from another server and they tell 2 friends, and they
tell 2 friends, etc. It’s basically a game of Telephone without the element of
human error (which is, um, I guess the point of Telephone; maybe a bad

So, it would stand to reason that most small businesses have
their own DNS server. But why? Basically, for all the right reasons. All the 2

  1. Performance – The DNS information is stored
    locally and can be served to internal users at a much better time. There is no
    need to bounce around the internet to get your information. Plus, you would not
    be competing with other people for DNS requests on the external/publicly
    available DNS servers.
  2. Security – As you probably guessed by the
    analogy of Telephone, and the “fun” of Telephone, it is possible for bad DNS
    information to be propagated across the internet. Having your own DNS server
    will likely result in the same but certain safeguards can be put in place to
    prevent “poisoning” of DNS information.

we move forward of setting up a DNS server, we have to address the question: is
it worth it? In short, the answer is probably yes but the shorter answer is
depends (I’m basing which is shorter simply by letter count). Again, there is a
chance your little router may be caching some DNS information, of popular or
most visited sites, so you are running a small DNS server without you really
knowing about it. The performance may not be great on a larger scale (small to
medium business) so it is almost definitely worth it for those cases.
Specifically and obviously for the 2 reasons outlined above. But also to help
map out internal, private networks that would otherwise not have access from
the public inbound. Many times, it is nice for users of a private network to
know each other by name and not by number and that all depends on the preferred
structure, particularly for security reasons.

are so many options for DNS servers that it would be difficult to go through
all of the options. Because of this, we will be going over general concepts and
examine 2 quick walkthroughs of the most popular options.

2 options that we will look into will be Microsoft Server 2016 DNS server and
Bind, which is a popular choice among Linux servers.

Get In(terwebs)trawebs Bound with Bind

assumption here would be that you are on one of the most popular
distributions/flavors or Linux available: Ubuntu 16.04. But, most other
distributions of Linux will have nearly the exact same steps. Syntax would
likely be the same (also depending on the shell, BaSH assumed here) but
folder/file locations may vary.

assumption is that you are signed into the shell with proper permissions that
would not require ‘sudo’.

that, here we go:

  • From the shell, type:
  • apt-get install bind9
  • Once installed, you should see a message
    indicating that the DNS service Bind is starting up

Well, that was easy enough. Now, let’s look into some
configuration of the DNS server:

  • pico /etc/bind/named.conf.local
  • This will open the file ‘named.conf.local’ with the text editor ‘Pico’
  • Enter the following text:
 zone "" { type master; file "/etc/bind/zones/"; };   zone "" { type master; file "/etc/bind/zones/"; } 
  • You should replace ‘’ to
    your domain
  • The Reverse DNS name, ‘3.2.1.’ should probably
    be the first 3 octets of your IP address in reverse. For example, if the IP
    address for your server is,, you should list the name as
  • Control + C will prompt to exit with the option
    to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
    used to open the editor.
  • This will set the basic zone configuration of
    the forward DNS service and will also set up the reverse DNS service.
  • We’ll create the correct folder where the DNS
    database will live. Type the following:
  • mkdir /etc/bind/zones
  • Now, we’ll create the appropriate DB. Type the
·         ; BIND data file for
$TTL 14400
@ IN SOA ns1. host. (
201006601 ; Serial
7200 ; Refresh
120 ; Retry
2419200 ; Expire
604800) ; Default TTL
; IN NS ns1. IN NS ns2. IN MX 10 mail. IN A abc.def.ghi.jkl
ns1 IN A abc.def.ghi.jkl
ns2 IN A abc.def.ghi.jkl
mail IN A abc.def.ghi.jkl
ftp IN CNAME IN TXT "v=spf1 ip4:abc.def.ghi.jkl a mx ~all"
mail IN TXT "v=spf1 a -all"
  • Replace ‘yourDomainNameHere’ with, guess what,
    your domain name.
  • Replace ‘abc.def.ghi.jkl’ with your server’s IP
  • Control + C will prompt to exit with the option
    to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
    used to open the editor.
  • Now we will create the reverse DNS file. Type:
  • pico /etc/bind/zones/
  • The Reverse DNS name, ‘3.2.1.’ should probably be the first 3 octets of your IP address in reverse. For example, if the IP address for your server is,, you should list the name as ‘rev.1.2.10’.
  • Add the following information:
 @ IN SOA ( 2010081401; 28800; 604800; 604800; 86400 );   IN NS 4 IN PTR 
  • Guess what, replace ‘yourDomainNameHere’ with,
    guess what, your domain name. Guess what.
  • Control + C will prompt to exit with the option
    to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
    used to open the editor.
  • Now we’ll modify the local file that defines the
    DNS servers. Type:
  • pico /etc/resolv.conf
  • Enter the following:
  • search
  • Control + C will prompt to exit with the option
    to Save. Pressing ‘Y’ and then ‘Enter’ to quit and save under the file name
    used to open the editor.
  • Now, we’ll restart the service to pull in the
    new configuration. Type:
  • /etc/init.d/bind9 restart
  • The service should restart with the new
    configuration and put you in a very basic configuration.

And Now, The Other One

Just as with Bind, the previous DNS server, listed, there
are assumptions to this installation guide. The big one being that you are
operating OS Microsoft Server 2016 whether Standard or Essentials (either of
which can be virtualized). Also, the need for a user with rights/permissions to
be able to make system changes such as installing the DNS server component as
well as configuration of the DNS Manager.

This will also be a little different than the Bind install
which we did exclusively through the command line (BaSH, in that case). This
Microsoft Server DNS install will be through the friendly GUI and not through
PowerShell. Everything can be done through PowerShell, FYI, but the Microsoft
GUI is friendly enough for basic configuration. Some more advanced stuff may
benefit using PowerShell.

  • Open the Server Manager in Windows Server 2016.
  • Select ‘Manage’ in the toppish right and click
    on ‘Add Roles and Features’.
  • Click ‘Next’ through the ‘Installation Type’
  • Select the server to which you want to add the feature/role.
    The current server should be listed but if there any other Windows Servers that
    are tied to the current operating one, then they would be selectable, as well.
  • When the Roles page is loaded, it should list
    the current roles that the server can provide. Locate ‘DNS Server’ and check
    the box. Hit ‘Next’.
  • On the ‘Features’ page, any dependencies will be
    checked but nothing else would need to be clicked to complete the DNS Server
    install. Hit ‘Next’.
  • The next section, titled as ‘DNS Server’ just gives
    some overview information but doesn’t require any action except for, of course,
    and guess what, the ‘Next Button.’
  • The next screen will finalize the proposed
    changes. There is a checkbox that will call for a reboot after the task is
    performed, if necessary. In this case, it is necessary so if nothing else needs
    to be immediately done, it can be checked and rebooted.

Not terribly difficult there. Let’s go ahead and get the
forward and reverse lookup zones created and configured.

  • Back in Server Manager, select ‘Tools’ and ‘DNS’
    which will launch the ‘DNS Manager’.
  • On the left, there will be a listing of domain
    servers. Right-click on the DNS server and select ‘Configure a DNS Server’. A
    wizard has suddenly appeared!
  • When you click on ‘Next’, there is an option to
    select what kind of zones you would like to create. The second selection should
    be ‘Create Forward and Reverse Lookup Zones’. This is a good option but smaller
    networks can probably get away with just creating a Forward lookup zone.
  • The next screen will ask if the Forward Lookup
    Zone should be configured now. Sure, let’s do that thing.
  • Set this zone as the ‘Primary Zone’. The name
    should be set appropriately.
  •  File
    naming is next and it will use the Zone name set previously and add ‘.dns’ to
    the end of it. There is no problem with this unless there is an existing DNS
    file that should be used.
  • The next screen will get a bit into personal
    preference but there are some guidelines that may help with your decision.
    Dynamic updates indicate how DNS information should be populated into the DB.

    • ‘Allow only secure dynamic updates’ would be fed
      from Active Directory integrated zones. This would severely limit what can be
      populated. If the DNS server is running just to manage the internal computers,
      this would be a good option.
    • ‘Allow both nonsecure and secure dynamic
      updates’ would allow for the previously mentioned but also allow from untrusted
      sources. This is likely not ideal. 3rd party domains can be trusted
      and this would extend to that but it is best to be in control of where DNS
      information comes from to evade route poisoning or exposure to DDoS.
    • ‘Do not allow dynamic updates’ would force that
      all records are added manually. In order for this to work well, the network
      would have to be mostly statically assigned IP addresses which is a lot of
      overhead. Most servers should have a static IP but computers, IP phones, etc
      often work off DHCP as they come and go from the premises. This is a good
      option but has a ton of work with it. Are you prepared?
  • The next screen will ask if the Reverse Lookup Zone
    should be configured now. Sure, let’s do that other thing.
  • Set this zone as the ‘Primary Zone’. ‘Next’
  • The following screen will ask if you want to use
    IPv4 or IPv6. Even though we exceedingly on borrowed time for IPv4 and should
    be dealing with v6, let’s stick with v4. Unless you configure your network to
    be on v6. Such a hipster thing to do. But, seriously, we should be on v6. And,
    I apologize for the disparaging tone to hipsters.
  • The next screen will ask to type the first 3
    octets of the IP address of that zone. I always thought this was strange
    because of how subnet masks work but I guess it is the IP address of the subnet
    identifier (first IP address in the subnet which is an unusable (unassignable)
  • The next screen will ask for a filename of the
    DB that will, by default, name it the reverse of those first 3 octets and add
    ‘’. This is good but name it anything you want, you rebel you.
  •  Next
    screen is the dynamic update thing again that is 6 bullet points (the 3 sub-bullet
    points) above this. Again, your decision but the recommendation would be
    whatever you picked for the forward-y one.
  • The next screen is for forwarding when the DNS
    server doesn’t have the answer. That will require a different DNS to be setup
    that will have the answer (or potentially have more access and would have a
    better chance to have the answer). If you’re not there yet, just click ‘Nah’.
    If yes, provide the IP address of the other server and hope that the other
    server is configured as such.
  • When you click ‘Next’, it will display the
    proposed zone creation and you are done. Start adding records, or, if you
    selected the Dynamic Updates, the records will populate on their own.

Here’s a Post amble

As stated, this is a very basic setup for each instance. There are a lot of options as well as features that can be implemented. This basic setup is mostly beneficial for internal networking (intranet) to help map internal computers, phones, etc to the IP addresses they are assigned. That way, you may know the naming format of different computers within the office and not have to know the IP address. It’s like DNS on the internet, but smaller scale. This is, uh, exactly what we are going for with this here. Anyway, this topic and walkthrough has nothing to do with scrutinizing, really but happy scrutinizing anyway!

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Ross Thomas. Read the original post at:

API Poll

Step 1 of 5

Do you have an API security project in 2022?