How to Install BIND on Ubuntu 14.04.2 from Source

It is indeed possible to install BIND on Ubuntu by using apt-get install bind9. But sometime the geek inside our soul wants to torture itself by doing installation from source.

This tutorial is based on Ubuntu 14.04.2 LTS and BIND 9.10.2. If you are using different version, then you need to modify some names in this tutorial. Or, this might not work at all, because you know, it is different.

I divide them into five different steps:

  • Download & Verify BIND source file
  • Installation
  • Configuration
  • Testing
  • Others things?

Download & Verify BIND source file

I download the latest BIND source file and the verification file. The source files and the verification file (.asc) can be obtained here.

sudo wget
sudo wget

The SHA-512 version is used because it is currently the best cryptographic hash available. The source file is signed by a certain private key and we need to verify it. This is using the Public-Key Cryptography principle. I’d advise you to read Wikipedia and also about GPG. Then the steps I am going to do next will be a bit clearer.

Let’s try to verify it with the provided .asc file.

sudo gpg bind-9.10.2.tar.gz.sha512.asc

You will get a question to enter the name of data file. It refers to the BIND source file you just downloaded: bind-9.10.2.tar.gz.

After you press [Enter], the output will be similar to this.

gpg: Signature made Wed Feb 25 13:35:48 2015 CET using RSA key ID 911A4C02
gpg: Can't check signature: public key not found

Do you see the RSA key ID 911A4C02? That is the key ID used to sign the source file. We still couldn’t verify it because we don’t have the public key. We need to retrieve it from the GPG keyserver.

sudo gpg --keyserver --recv-keys 911A4C02

The output will look like the following:

gpg: requesting key 911A4C02 from hkp server
gpg: /home/ardho/.gnupg/trustdb.gpg: trustdb created
gpg: key 911A4C02: public key "Internet Systems Consortium, Inc. (Signing key, 2015-2016) <>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Then you need to do the gpg command that you invoked earlier. The result must look similar to this. If it isn’t, then something is wrong. Just go back to the beginning and check each step again.

gpg: Signature made Wed Feb 25 13:35:48 2015 CET using RSA key ID 911A4C02
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2015-2016)
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ADBE 9446 286C 7949 05F1 E075 6FA6 EBC9 911A 4C02

You can see that it is a good signature from ISC (BIND developer). Now you are sure that you downloaded the correct source file.


All the dependencies must be installed first.

sudo apt-get install build-essential libssl-dev -y

Then we extract the source file.

tar xzvf bind-9.10.2.tar.gz

Then go to the extracted directory

cd bind-9.10.2

I configure it to use /etc/bind as the base directory because honestly, I don’t know what would be the default location if it is not set.

sudo ./configure –sysconfdir=/etc/bind && sudo make && sudo make install


For the barebone configuration, we have to create the root server file (named.root), localhost zone resolver ( and also the reverse localhost zone resolver (, and the main configuration file (named.conf).

The content for the root server file can be obtained here. The following commands will download the named.root file and put it in the correct directory.

cd /etc/bind
sudo wget

For localhost and reverse localhost zone resolver, I create two separate files.

Here is for

$TTL 86400
@       IN      SOA     localhost.      root.localhost. (
        1       ; serial
        360000  ; refresh every 100 hours
        3600    ; retry after 1 hour
        3600000 ; expire after 1000 hours
        3600    ; negative cache is 1 hour
        IN      NS      localhost
0       IN      PTR     loopback
1       IN      PTR     localhost

And this is for the

$TTL    86400 
$ORIGIN localhost.
; line below = localhost 1D IN SOA localhost root.localhost
@  1D  IN        SOA @  root (
@  1D  IN  NS @
   1D  IN  A

Then the main configuration file is named.conf.

// Define an access list to limit recursion later
acl localnet {;        

// Working directory and limit recursion
options {
        directory "/etc/bind";
        allow-recursion {

// Caching only DNS server. 
zone "." {
        type hint;
        file "named.root";

// Provide a reverse mapping for the loopback address
zone "" {
        type master;
        file "";
        notify no;

// where the localhost hostname is defined
zone "localhost" IN {
        type master;
        file "";
        allow-update { none; };

The above three files were created in order to kick-start BIND in a really basic configuration. It can only receive query from its localhost and it is configured to be a Caching Name Server.

You can check Wikipedia to know more about the types of DNS and head here to see more configuration example.

At this point, BIND service (which is called named) can be executed already. It is your choice to stop here. It is working already, just run:


You will see nothing there, but rest assured, it is working. Or if you really want to be sure, you can see the logs in the console by running:

named -g

Next step, I am going to test if the named.conf file is correctly written, add logs, and add a service to trigger named automatically.


In order to check whether the named.conf file is correctly written, I use named-checkconf function.

named-checkconf named.conf

If it returns no value which means it is correct, otherwise just go back to previous steps and check what is wrong with them.

Other Things?

To make my life easier, I also configure logging. I want to have logs in a separate file so I added the following lines to named.conf.

logging {
  channel simple_log {
    file "/var/log/bind/bindlog.log" versions 3 size 5m; //will create log file of maximum 5MB and retain the last 3 files. Feel free to change the location. 
    severity debug 2; //the logging levels
    print-time yes; //controls whether the date and time are written to output
    print-severity yes; //controls whether the severity level is written to the output channel 
    print-category yes; //controls whether the severity level is written to the output channel
  category default{

Above, I configured the logging to a file that is not created yet. So, first thing first.

mkdir /var/log/bind/

Then to start and stop the service, it needs rndc.

I create rndc key and configuration file by running a command:

sudo rndc-confgen

It will return the following result:

# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "HereWillBeTheSecret";

options {
default-key "rndc-key";
default-port 953;
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "HereWillBeTheSecret";
# };
# controls {
# inet port 953
# allow {; } keys { "rndc-key"; };
# };
# End of named.conf

I copy the above output above between # Start of rndc.conf and # End of rndc.conf to a new file rndc.conf and put the file in /etc/bind/. Then I append the rest of the above output (after removing the leading hashes between # Use with the following… and #End of named.conf to named.conf.

Start the named service and check the status of rndc.

sudo named
rndc status

If you see that the server is up and running then you are set!

Leave a Reply

Your email address will not be published. Required fields are marked *