User Tools

Site Tools


This is an old revision of the document!

Lab Exercise 2 – Authoritative DNS Servers


Participants should be able to configure primary and secondary name server for a given domain name and do a zone transfer between them. This should include creating, modifying, deleting RRs and incrementing Primary name server serial number. Each participant name servers should be visible from other name servers since we will use the lab root and GTLD server. A custom lab root hint will be used.

Note: Configure your VM to be the primary (also called master) of your own domain and also a slave for VMs in your right side. VM in your left will act as slave for your own domain.


  1. Everyone will use groupXX as their domain name. Instructor will also act as a GTLD server for this exercise. S/he will be creating the delegation of .net subdomains to every vm in the lab.
  2. Create a new working directory for your master server under /etc/bind
    mkdir -p /etc/bind/master
  3. Create a zone file for your domain under `/etc/bind/master` and add necessary resource records like NS record, A record, txt record, MX record that will determine which host is receiving mail for your domain. For example, if you have `` as your domain, you must create ``, with the following base contents (sample configuraiton for server01):
    $TTL 1d
    @	SOA   (
                     2016010101	;serial no.
                     30m		;refresh
                     15m		;retry
                     1d			;expire
                     30m		;negative cache ttl 
    IN	NS
    ns	IN	A	192.168.30.X
    www 	IN	A	192.168.30.X
    mail01	IN	A	192.168.1XX.200
    mail02	IN	A	192.168.1XX.201	MX 10	MX 20	IN	TXT "groupXX Authoritative DNS Server"
  4. Modify the configuration file (/etc/bind/named.conf.local). Please note that the primary zone is of “type master” while a secondary zone is of “type slave.” Specify your nameserver’s working directory.
    zone "" {
    	type master;
    	file "/etc/bind/master/";
  5. Reload bind configuration
    systemctl reload named
    systemctl status named
  6. Once BIND is running, you can do some basic test using DNS tools like dig. To test your name server to display the SOA records for your domain.
    dig @192.168.30.XX SOA

    To test your name server to display NS records

    dig @192.168.30.XX NS

    To test your name server to display other resource records (A, MX, or TXT). You can also use the -t option to set the query type.

    dig @192.168.30.XX A

    dig -t MX @192.168.30.XX
  7. Setup your server as the secondary server for your neighbour. Create a folder called slave. Your primary server’s zonefile will be copied to this folder.
    mkdir -p /etc/bind/slave
  8. In your named.conf.local add the following ( is the neighbour zone):\\
    zone "" {
    	type slave;
    	file "/var/named/slave/";
    	masters { 192.168.30.YY;
  9. Secure your zones by restricting who can get the zone file. You can test this by trying zone transfer from another nameserver in the lab.
    dig @localhost AXFR

    If successful, you will see all the resource records as an output.

  10. Now, add the following line in your named.conf.local for the zones where you are primary:
    zone "" {
    	type master;
    	file "/etc/named/master/";
    	allow-transfer { 192.168.30.YY; 

    Execute the same dig command again. If successful, the status in the dig output should say Transfer Failed.

  11. You can make `` (the secondary/slave server) as authorative server. For that add another NS record in the `` file:
    $TTL 1d
    @	SOA   (
                     2016010101	;serial no.
    		<config sniff...........>
    IN	NS
    IN	NS
    		<config sniff..........>
bdnog11/netsec/bind-authoritative.1578811736.txt.gz · Last modified: 2020/01/12 12:48 by Muhammad Moinur Rahman