A Linux User Reference




  • Domain Name System

    Berkeley Internet Name Domain (BIND)

    • Domain Name Service, a distributed database of name to IP address translations
    • a networked client-server architecture.

    Two primary components:

    • The server daemon: responds to requests from the resolver and returns an IP address.
    • The client stub: code implemented in the system libraries that resolves names to IP addresses.

    Reserved ports - /etc/services

    domain         53/tcp
    domain         53/udp
    mdns         5353/tcp
    mdns         5353/udp          Multicast domain name service
    rndc          953              Default rndc port

    The latest ISC version appears to be 9.9 at the time of writing, so some of this material could be a bit dated. The full ISC BIND 9.9 Administrator Manual is available from ISC.

    Convert a bind4 configuration file to bind8 - /usr/sbin/named-bootconf

    # /usr/sbin/named-bootconf named.boot named.conf

    The location of main server configuration file varies depending on the version and distribution:

    • /etc/named.conf, /etc/named/named.conf, /etc/bind/named.conf, ../named.conf.local.
    • Domain names in named.conf do NOT end in a '.'

    Debian uses a modular approach incorporating named.d/ directory which contains separate customisable files that represent sections that would otherwise be in a single named.conf.

    Minimum required files to run 'named':

    File                                   Description
    named.boot (V4), named.conf (V8, V9)   Named/BIND configuration file
    root.hints or db.root                  Root server hints file
    named.local or db.local or db.127      Loopback data file
    /etc/resolv.conf                       Tells the system which name server to use
  • Main server types

    Authoritative server

    • allows others to find the IP address of a given domain name
    • it knows the IP <=> domain name mapping for that domain, i.e. it owns (holds the zone files for) the domain
    • e.g. web hosting companies or specialist DNS hosting companies

    Recursive server

    • allows you to resolve other people's domain names
    • it provides the information to a web client that allows it to resolve a domain name into an IP address
    • it does the searching for you by asking the 'root' servers who is responsible for a particular domain, then asking those authoritative servers for the IP address of the domain in question
    • it gets its knowledge about a domain from the domain's authoritative server
    • e.g. ISP domain servers, specialist DNS hosting companies

    Non-authoritative server

    • a caching server
    • it does not own the zone files for the domain queried
    • when a non-authoritative server queries an authoritative server and receives an authoritative answer, it passes that answer along to the querier as an authoritative answer
    • if the answer to a query comes from its cache it is a non-authoritative answer
  • Caching-only name server

    Caching-only name server example

    • serves resolution requests from its cache if it has them, in which case it is a non-authoritative answer
    • requests the information from other servers if the answer is not in its cache, caching the result
    • if the response comes from an authoritative server it is passed on to the client as an authoritative answer

    A Non-authoritative answer

    $ nslookup
    non-authoritative answer:

    Configure named

    Configure zones and options - /etc/named.conf or /etc/bind/named.conf

    options {
     directory "/var/cache/bind";      // Working directory
     pid-file "";                      // Put pid file in working directory
    };
    zone "." {
     type hint;                        // Root server hints
     file "/etc/bind/db.root";         // Location of zone file on disk
    };
    zone "" {                          // Reverse mapping zone file for the loopback
     type master;                      // This server is the master server for this zone
     file "/etc/bind/db.127";
    };

    Create the zone files

    Local reverse lookup file - /etc/bind/db.127

    $TTL 604800
    ; describes the zone, where it comes from and the 'email addr.' of whoever is responsible for it
    @ IN SOA (
                        1  ; Serial
                   604800  ; Refresh
                    86400  ; Retry
                  2419200  ; Expire
                  604800 ) ; Negative Cache TTL
     IN  NS
    1 IN  PTR  localhost.

    Check the version of root.hints (or db.root)

    A few sample lines of a root.hints file

    ;       This file holds the information on root name servers needed to
    ;       initialize cache of Internet domain name servers
    ;       last update:    Feb 04, 2008
    ;       related version of root zone:   2008020400
    ; formerly NS.INTERNIC.NET
    .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
    a.ROOT-SERVERS.NET.      3600000      A
    a.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30

    The '.' on the left hand side equates to the root zone. '2008020400' is the version number.

    When named cannot find an answer in its cache it asks one of the nameservers listed in the 'root.hints' file to provide 'directions' for resolving the request.

    Check if 'root.hints' file's SOA version number has changed

    $ dig . SOA | grep SOA
    ; <<>> DiG 9.8.1-P1 <<>> . SOA
    ;.               IN  SOA
    .            86400   IN  SOA 2013120400 1800 900 604800 86400

    If your version differs from the root-servers version then you should update (download the root-servers version).

    Update the root.hints or db.root file

    # wget --user=ftp --password=ftp \
    -O /var/named/root.hints
    # dig . ns > roothints

    Configure the system to use its own cache first - /etc/resolv.conf


    search               # domain is appended to searches using short
                                    # hostnames i.e. dnssrv ->                   
    nameserver               # IP address of self (caching-only server)
                                    # Could also use

    Only one search statement is allowed; it can contain a space-separated list of domains. Maximum of 3 nameservers.

    Restart named

    The usual suspects

    # sudo /etc/init.d/bind9 restart
                                    (or maybe)
    # sudo service bind9 restart     (maybe bind9 or bind or named or ...)
    # sudo kill -HUP <pid of named>

    Test the configuration

    Do a reverse lookup on the loopback address

    $ dig -x
    ;                IN      PTR
    ;; ANSWER SECTION: 259200  IN      PTR     localhost.
    ;; AUTHORITY SECTION:   259200  IN      NS

    Our nameserver gives an authoritative reply for its own reverse lookup loopback zone, which you would expect.

  • Named syntax checker

    Checks the syntax in zone files as well

    named-checkconf [-v] [-j] [-t directory] [-z] [filename]
     -t directory       Chroot to directory
     -v                 Print the version
     -z                 Perform a test load of all master zones found in named.conf.
     -j                 When loading a zonefile read the journal if it exists.
     filename           Configuration file to be checked. Defaults to 

    Options may have changed.

    Test load all configured master zone files

    # named-checkconf -z
    zone loaded serial 1
    zone loaded serial 1
    zone loaded serial 2

    Check configuration file

    # named-checkconf

    No news is good news: if there are no problems there is no output.

    Check zone file

    # named-checkzone <domain> <zone-file>

    Outputs info and OK if OK.

    Check reverse-zone file

    # named-checkzone /etc/bind/zones/master/db.192.168.0
    zone loaded serial 2


  • Stopping and starting BIND8,9
    ndc, named, bind9

    Depends on the version and your distribution's implementation.

    BIND 8

    # /usr/sbin/ndc [start | stop | ... ]
    # /etc/init.d/ndc [start | stop | restart | status | probe | checkconfig | .... ]

    In BIND 8, '/etc/named.conf' has NO controls { ... } or key { ... } sections.

    BIND 9

    # /usr/sbin/named                             (Start)
    # /etc/init.d/named [start | stop | restart | status | probe | checkconfig | .... ]
    # /etc/init.d/bind9 [start | stop | restart | status | probe | checkconfig | .... ]

    BIND 9 has replaced 'ndc' with 'rndc'. 'rndc' cannot start named.

    There are also the usual Linux/Unix ways of stopping programs: 'kill', 'killall', ...

  • BIND8 control program

    BIND8 named control utility.

    ndc directive [...]
     dumpdb                  Dump db and cache to /var/tmp/named_dump.db
                             (uses the INT signal)
     trace                   Increment trace level by 1 to /var/tmp/
     notrace                 Set trace level to 0, closes /var/tmp/
     querylog | qrylog       Toggle querylogging feature on/off
     start | stop

    Reloading modified zone files

    # killall -HUP named
    # kill -HUP <PID of named>
    # ndc reload

  • BIND9 (remote) control utility

    BIND9 (remote) named control utility

    rndc [-c config] [-s server] 
         [-p port] [-k key-file ] 
         [-y key] [-V] command
     reload                                      Reload configuration file and zones.
     reload zone [class [view]]                  Reload a single zone.
     refresh zone [class [view]]                 Schedule immediate maintenance for a zone.
     retransfer zone [class [view]]              Retransfer a single zone without checking serial number.
     freeze                                      Suspend updates to all dynamic zones.
     freeze zone [class [view]]                  Suspend updates to a dynamic zone.
     thaw                                        Enable updates to all dynamic zones and reload them.
     thaw zone [class [view]]                    Enable updates to a frozen dynamic zone and reload it.
     notify zone [class [view]]                  Resend NOTIFY messages for the zone.
     reconfig                                    Reload configuration file and NEW zones only.
     dumpdb [-all|-cache|-zones] [view ...]      Dump cache(s) to the dump file (named_dump.db).
     stop                                        Save pending updates to master files and stop the server.
     stop -p                                     As stop and report process id.
     halt                                        Stop the server without saving pending updates.
     halt -p                                     As halt and report process id.
     trace level                                 Change the debugging level.
     flush                                       Flushes all of the server's caches.
     flush [view]                                Flushes the server's cache for a view.
     flushname name [view]                       Flush the given name from the server's cache(s)
     recursing                                   Dump the queries that are currently recursing (named.recursing)
     validation newstate [view]                  Enable / disable DNSSEC validation.

    There is no 'start' command for 'rndc'. 'restart' is not yet implemented (at the time of writing).

    Various ways to reload modified zone files

    # /etc/init.d/bind9 [stop | start | reload | restart | force-reload]
    # rndc reload
    # rndc reload
    # rndc reconfig
    # killall -HUP named
    # kill -HUP <PID of named>

  • Generate a BIND9 rndc configuration file
    • Generates configuration files for rndc
    • An alternative to writing the rndc.conf file and the corresponding controls and key statements in named.conf.
    • Can be run with the '-a' option to set up a rndc.key file and avoid the need for a rndc.conf file and a controls statement altogether.
    rndc-confgen [options]
     -a                      Generate just the key clause and write it to keyfile 
                             (/etc/bind/rndc.key).  NO need for control and key 
                             statements in /etc/named.conf
     -b bits                 From 1 through 512, default 128; total length of the secret
     -c keyfile              Specify an alternate key file (requires -a)
     -k keyname              The name as it will be used  in named.conf and rndc.conf
     -p port                 The port named will listen on and rndc will connect to
     -r randomfile           A file containing random data
     -s addr                 The address to which rndc should connect
     -t chrootdir            Write a keyfile in chrootdir as well (requires -a)
     -u user                 Set the keyfile owner to "user" (requires -a)

    Running 'rndc-confgen -a' allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.

    Generate the rndc.conf file

    # rndc-confgen > /etc/bind/rndc.conf

    Generate the /etc/bind/rndc.key file

    # rndc-confgen -a -k dnsadmin -b 256

    Replaces the default key name with 'dnsadmin'.

    'named' and 'rndc' will automatically read the key from /etc/bind/rndc.key on startup, if it exists. If it does exist there is no need to include 'controls' and 'key' clauses in named.conf.

  • BIND9 'rndc' configuration file
    • rndc.conf is the configuration file for the 'rndc' command - BIND 9 name server control program
    • it allows for remote control of a named server
    • to use 'rndc' from other machines their system clocks need to be within '5 minutes' of each other

    Sample /etc/bind/rndc.conf

    key "rndc-key" {
     algorithm hmac-md5;
     secret "af5nfFqVDcaYnHKN+xnFuQ==";
    };
    options {
     default-key "rndc-key";
     default-port 953;
    };

    To accept 'rndc' connections and recognise the key specified in the 'rndc.conf' file, the name server must be configured with the controls statement in the 'named.conf' file.

    Configure 'named' to accept rndc connections - /etc/bind/named.conf

    controls {
       inet port 953
       allow {; } keys { "rndc-key"; };
    };
    // This must match the key statement in /etc/rndc.conf
    key "rndc-key" {
       algorithm hmac-md5;
       secret "af5nfFqVDcaYnHKN+xnFuQ==";
    };

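
    The rule that the key clause in named.conf must match the one in rndc.conf is easy to break when one file is hand-edited. The checker below is an added example, not code from this page or from ISC: it pulls the key clauses, the rndc default-key and the controls keys { } references out of both files with regular expressions (enough for the flat clauses shown here, not a general named.conf parser) and reports what would make rndc fail. The two configuration texts and the secret are constructed for the example.

```python
import re

# Flat key clause as shown on this page: key "name" { algorithm X; secret "Y"; };
KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;')
DEFAULT_KEY_RE = re.compile(r'default-key\s+"([^"]+)"\s*;')
CONTROL_KEYS_RE = re.compile(r'keys\s*\{([^}]*)\}')

def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key clause in the text."""
    return {m["name"]: (m["alg"].lower(), m["secret"]) for m in KEY_RE.finditer(text)}

def controls_key_names(named_conf):
    """Key names referenced by keys { ... } lists (the controls statement)."""
    names = set()
    for m in CONTROL_KEYS_RE.finditer(named_conf):
        names.update(re.findall(r'"([^"]+)"', m.group(1)))
    return names

def check_rndc_pair(rndc_conf, named_conf):
    """Return a list of problems; an empty list means rndc and named agree."""
    problems = []
    rndc_keys, named_keys = parse_keys(rndc_conf), parse_keys(named_conf)
    default = DEFAULT_KEY_RE.search(rndc_conf)
    if not default:
        return ["rndc.conf: no default-key in options"]
    name = default.group(1)
    if name not in rndc_keys:
        return [f'rndc.conf: default-key "{name}" has no key clause']
    if name not in named_keys:
        return [f'named.conf: no key "{name}" clause, rndc will be refused']
    if name not in controls_key_names(named_conf):
        problems.append(f'named.conf: controls statement does not list key "{name}"')
    if rndc_keys[name] != named_keys[name]:
        problems.append(f'key "{name}": algorithm or secret differ between rndc.conf and named.conf')
    if rndc_keys[name][0] == "hmac-md5":
        problems.append(f'key "{name}": hmac-md5 is weak, prefer hmac-sha256')
    return problems

# Constructed rndc.conf and named.conf fragments (the secret is made up, not a real key).
RNDC_CONF = '''\
key "rndc-key" {
 algorithm hmac-md5;
 secret "c29tZS1jb25zdHJ1Y3RlZC1zZWNyZXQ=";
};
options {
 default-key "rndc-key";
 default-port 953;
};
'''
NAMED_CONF_OK = '''\
controls {
   inet 127.0.0.1 port 953
   allow { 127.0.0.1; } keys { "rndc-key"; };
};
key "rndc-key" {
   algorithm hmac-md5;
   secret "c29tZS1jb25zdHJ1Y3RlZC1zZWNyZXQ=";
};
'''
```

    With the two fragments above the only finding is the hmac-md5 warning; changing the secret in either file, or dropping the key name from the controls statement, is reported as a mismatch.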
  • Client configuration
    • Client configuration is centred upon the resolver.
    • The resolver is configured via /etc/resolv.conf.
    • The method to use for name resolution is configured via either /etc/host.conf or /etc/nsswitch.conf and/or /etc/hosts.

    Resolution method   Description
    Files               /etc/hosts, a static local file with name-to-address mappings for a few systems
    NIS                 Network Information Service (NIS or NIS+), used by some private networks
    DNS                 Distributed database, small portions of which are managed by local authorities

    Lookup method (pre-glibc2) - /etc/host.conf

    order hosts,bind             # Lookup method and order i.e. try /etc/hosts
                                 # first, if no joy use dns.
    multi on                     # Returns all valid addresses for a host 
                                 # instead of stopping after the first.

    Lookup method (post-glibc2) - /etc/nsswitch.conf

    hosts:      files dns        # Search local files first then use DNS

    These days it is more than likely to be '/etc/nsswitch.conf' with '/etc/hosts' being used for local name resolution.

  • Debian, Ubuntu caching-only named server

    The main BIND9 configuration files are:

    • The default configuration is a caching server.
    • You just need to add the IP addresses of your ISP's DNS servers.

    Configure your ISP's name servers as forwarders - /etc/bind/named.conf.options

        forwarders {
   ;             # ISP's nameserver1 IP
   ;             # ISP's nameserver2 IP
        };

    Restart named, bind9 ...


    $ dig -x

  • Remotely controlled caching and authoritative nameserver

    A basic, small example.

    • the server will be the authoritative server for my home's internal lan
    • it will be a caching server for everything else
    • can use bind9's 'rndc' to remotely control the 'named'

    Actions required are:

    • use the same configuration as the caching only server above
    • add to it the 'rndc' configuration from above
    • add to it a forward and a reverse zone file for my home's internal lan


    • The /etc/rndc.conf file exists and is the same as that used in the above "BIND 9 'rndc' configuration file - rndc.conf" article.
    • The reverse zone/map for the loopback is the same as that used for the caching-only example

    Add 'rndc' and additional zones to /etc/bind/named.conf

    acl "my-home" {; };
    options {
      directory "/var/cache/bind";                       // Working directory
      pid-file "";                                       // Put pid file in working directory
      listen-on {; };
      allow-query { "my-home"; localhost; };             // Allow queries from
      allow-recursion { "my-home"; localhost; };
    };
    controls {
      inet port 953                                      // Allow rndc use via loopback using
        allow {; } keys { "rndc-key"; };                 // the "rndc-key".
      inet * allow { "my-home"; } keys { "rndc-key"; };  // Use acl for address-matching.  Allow
                                                         // any IP on internal lan to access via
                                                         // any server address (IP and port) using
                                                         // the "rndc-key" key
    };
    key "rndc-key" {                                     // This must match the key statement
       algorithm hmac-md5;                               // in /etc/rndc.conf
       secret "af5nfFqVDcaYnHKN+xnFuQ==";                // Should be in a secure file and 'included'
    };                                                   // into this one
    zone "." {
      type hint;                                         // Root server hints
      file "/etc/bind/db.root";
    };
    zone "" {                                            // Reverse mapping for the loopback address
      type master;
      file "/etc/bind/db.127";
      notify no;
    };
    zone "" {                                            // Reverse mapping for my-home address
      type master;                                       // slave | forward | stub | hint | delegation-only
      file "/etc/bind/db.0.168.192";                     // Stub - like slaves but only maintain a copy of NS RRs
      notify no;
    };
    zone "" {                                            // Forward mapping for names
      type master;
      file "/etc/bind/";
      notify no;
    };

    Create the forward zone file for "my-home" lan - /etc/bind/

    $TTL 604800
    @     IN SOA (
                             2  ; Serial
                        604800  ; Refresh
                         86400  ; Retry
                       2419200  ; Expire
                       604800 ) ; Negative Cache TTL
    dnssrv            A
    wireless-router   A 
    kali-laptop       A

    Create the reverse zone file for "my-home" lan - /etc/bind/db.0.168.192

    $TTL 604800
    @ IN SOA (
                            1  ; Serial
                       604800  ; Refresh
                        86400  ; Retry
                      2419200  ; Expire
                      604800 ) ; Negative Cache TTL
      IN  NS
    2 IN  PTR  dnssrv.
    1 IN  PTR  wireless-router.
    3 IN  PTR  kali-laptop.

  • Configure logging
    • Logging is configured in named.conf via the logging{ ... } stanza.
    • Within the logging stanza are at least two further stanzas - channel and category.

    Example - /etc/bind/named.conf

    logging {
      channel simple_log {
        file "/var/log/named/bind.log" versions 3 size 5m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
      };
      category default {
        simple_log;
      };
    };

    Logging channel options and categories

    Check documentation re. rsyslogd if you want to use that as a channel.

    A channel defines:

    • which file to use as a log
    • some house-keeping options
    • general options on what to actually log

    Use your own channel names or the predefined ones: "default_syslog", "default_debug", "default_stderr", "null".

    Channel option        Description
    file                  Log to the named file
    versions              Number of log versions to keep. Appends 0, 1, ... to the log file name
    size <k|K|m|M|g|G>    Maximum log file size. If NO size AND versions, log files are rolled only when BIND is restarted; if size and NO versions, logging stops once the size is reached until the file size is reduced; if size AND versions, log files are rolled when the size limit is reached
    syslog                Use syslogd logging features. file, syslog, stderr and null are mutually exclusive for a channel
    severity              Logging level

    A category statement controls which categories are logged to the various channel names, i.e. the finer details of what to include in the log.

    Category name     Description
    client            Processing of client requests
    config            Configuration file parsing and processing
    database          Messages relating to the databases used internally by the name server to store zone and cache data
    default           Logs all values not explicitly defined in category statements, except queries
    delegation-only   Logs queries that have returned NXDOMAIN
    dispatch          Dispatching of incoming packets to the server modules
    dnssec            DNSSEC and TSIG protocol processing
    general           Anything not classified as any other item in this list defaults to this category
    lame-servers      Mis-configuration in the delegation of domains. Switch off with: category lame-servers { null; };
    network           Logs all network operations
    notify            Logs all NOTIFY operations
    queries           Logs all query transactions
    resolver          Name resolution performed on behalf of clients by a caching name server
    security          Approval and denial of requests
    update            Logging of all dynamic update (DDNS) transactions
    update-security   Approval and denial of update requests used with DDNS
    xfer-in           Details of zone transfers the server is receiving
    xfer-out          Details of zone transfers the server is sending

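
    As an added example (not from the page), a small parser for the lines a channel with print-time, print-severity and print-category produces, "<date> <time> <category>: <severity>: <message>"; it applies the channel's severity threshold the way BIND does and tallies denied requests per client from the security category, which shows that the example channel above, at 'severity warning', would never record info-level query denials. The log lines are constructed, and the message wording is assumed to follow BIND's 'client ... denied' form.

```python
import re
from collections import Counter

# BIND severity levels, most to least severe: the value of a channel's 'severity' option.
SEVERITIES = ["critical", "error", "warning", "notice", "info", "debug", "dynamic"]

# "<date> <time> <category>: <severity>: <message>" as written by a channel with
# print-time, print-category and print-severity all set to yes (assumed layout).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\w{3}-\d{4}) (?P<time>[\d:.]+) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<message>.*)$")
CLIENT_RE = re.compile(r"client (?P<ip>[\da-fA-F.:]+)#\d+")

# Constructed log lines; the message wording follows BIND's 'client ... denied' form.
SAMPLE_LOG = """\
04-Dec-2013 10:15:01.120 general: notice: running
04-Dec-2013 10:15:22.003 security: info: client 203.0.113.7#41321 (example.com): query (cache) 'example.com/A/IN' denied
04-Dec-2013 10:15:22.010 security: info: client 203.0.113.7#41322 (example.org): query (cache) 'example.org/A/IN' denied
04-Dec-2013 10:15:40.551 security: error: client 203.0.113.7#50012 (example.com): zone transfer 'example.com/AXFR/IN' denied
04-Dec-2013 10:16:02.000 lame-servers: info: lame server resolving 'host.example.net' (in 'example.net'?): 192.0.2.99#53
04-Dec-2013 10:16:09.404 security: info: client 192.168.0.3#5353 (wireless-router.home): query (cache) 'wireless-router.home/A/IN' denied
not a bind log line at all
"""

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    client = CLIENT_RE.search(rec["message"])
    rec["client"] = client.group("ip") if client else None
    return rec

def passes_severity(rec, channel_severity):
    """True if a channel with 'severity <channel_severity>;' would keep this line."""
    return SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(channel_severity)

def summarise(text, channel_severity="info"):
    """Count (category, severity) pairs and, for the security category, the
    denied queries and zone transfers per client address."""
    by_cat, denied = Counter(), {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not passes_severity(rec, channel_severity):
            continue
        by_cat[(rec["category"], rec["severity"])] += 1
        if rec["category"] == "security" and rec["message"].endswith("denied") and rec["client"]:
            kind = "xfer" if "zone transfer" in rec["message"] else "query"
            per_client = denied.setdefault(rec["client"], Counter())
            per_client[kind] += 1
    return by_cat, denied
```

    Calling summarise(SAMPLE_LOG, "warning") keeps only the error-level zone transfer denial; the three info-level query denials are dropped, exactly as the example channel's 'severity warning' would drop them.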
  • Zone files

    Forward and Reverse zone files are used to resolve domains to IP addresses and IP addresses to Domain names.

    Zone files contain resource records (RRs). A RR describes the resource it refers to.

    Common resource records (RRs) include:

    RR      Description
    SOA     Start Of Authority: parameters affecting an entire zone; each zone file starts with one of these
    NS      Name Server: the domain's name server(s), usually primary and secondary, can be more
    A       Address: domain name/hostname to IP mapping
    PTR     Reverse name PoinTeR: IP to domain name mapping
    MX      Mail eXchange: tells mail systems where to send mail addressed to
    CNAME   Canonical Name: a way to give a single machine several names (aliases). CNAMEs should ONLY ever refer to an A RR, e.g. dnssrv A 123.456.7.8 → ubusrv CNAME dnssrv
    TXT     Text: stores arbitrary values

    Location of zone files

    Achieved via use of the file keyword in 'named.conf'

    zone "" {
         file "/path/to/";
    };

    Forward Zone file example -

    $TTL 604800
    @     IN SOA (
                             2  ; Serial
                        604800  ; Refresh
                         86400  ; Retry
                       2419200  ; Expire
                       604800 ) ; Negative Cache TTL
    dnssrv            A
    wireless-router   A

    Reverse Zone file example -

    $TTL 604800
    @ IN SOA (
             1  ; Serial
        604800  ; Refresh
         86400  ; Retry
       2419200  ; Expire
       604800 ) ; Negative Cache TTL
      IN NS
    1 IN PTR localhost.

    • A TTL of 86400 secs. (24 hours) could have been written as '$TTL 24h' or '$TTL 1d'
    • All domain names in a zone file must end with a 'dot'

    Based on the above two example zone files:

    @ is a special notation meaning the origin.

    @   IN SOA  IN SOA

    The two examples have the same meaning. In the first example @ refers to

    @ occurring in a previous line is implicit in following lines so the last two lines in the example below have the same meaning.

    @   IN SOA
    IN NS
    @ IN NS

    Here @ is superfluous since it appears previously. All three entries below have the same meaning.

    IN NS
    @ IN NS IN NS

    If a machine name does not end in a period in a zone file the origin is added to its end e.g. will become

    MX      10    ; Primary Mail Exchanger
    MX      10 mail                 ; Primary Mail Exchanger

    Either entry is correct.

    SOA record

    • The name server mentioned in the SOA record must be an actual machine with an A record.
    • It is not legal to have a CNAME record for the machine mentioned in the SOA record.
    • The zone maintainer should be a valid email address e.g. =>
  • Zone delegation

    Delegation is done with NS resource records at any node.

    A zone delegation example

    10              NS

    The owner of the zone delegates control of to the listed nameservers.

  • Subdomains
    (a) Inside a zone

    Put a subdomain inside a normal zone file. The subdomain will not have its own SOA and NS records. Not recommended as it is harder to maintain (zone signing).

    (b) As a delegated zone

    Configure the subdomain as an independent zone (own SOA and NS records) and delegate that domain from the parent domain. A zone will only be authoritative if the parent zone has delegated its authority to the zone.

    The master nameserver for the 'parent' domain has an entry something like below.

    In named.conf

    zone "" in {
     type master;
     file "master/";
    };

    Subdomain zone file -

    $TTL 1d
    @  1h  IN  SOA (
             2004074891     ; Serial
             8h             ; Refresh
             1h             ; Retry
             4w             ; Expire
             1h )           ; Negative
          IN  NS
          IN  NS
    ; zone data
          IN  MX  10
    www    IN  A
    ; A delegated subdomain
    subdom IN  NS
          IN  NS

    The owner of '' has delegated control of its sub-domain '' to the '' and '' nameservers.

    A problem with the above (as it stands) is that NS records point to names, not IPs. So to resolve I must first resolve, to resolve I must first resolve!!

    The solution is to use a glue record - an A record for the sub-domain's nameserver.

    Example of a glue record -

    ; zone data
          IN  MX  10
    www    IN  A
    ; A delegated subdomain
    subdom      IN  NS  ns1.subdom           ; Needs some glue
                IN  NS                       ; Doesn't need glue as it is NOT
                                             ; a subdomain of
    ns1.subdom  IN  A                        ; The glue record

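
    The zone-file rules from the Zone files section ('$TTL' units, '@' as the origin, implicit owners, the origin appended to unqualified names, CNAMEs only to an A record, the SOA server needing an A record) and the glue-record rule above are collected in one parser-plus-checker below. It is an added example, not code from this page or from BIND; the example.com zone with its names and addresses is constructed, and the parser covers only the record types shown on this page.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

def parse_ttl(text):
    """'604800' -> 604800, '1d' -> 86400, '1h30m' -> 5400 (the '$TTL 24h' / '$TTL 1d' rule)."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW])", text))

def qualify(name, origin):
    """'@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples with every domain name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop ';' comments
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")      # a '(' record (the SOA) spans lines
        if depth == 0:
            logical.append("\n".join(buf))
            buf = []
    records, default_ttl, last_owner = [], None, origin
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        # Leading whitespace means "same owner as the previous record" (the implicit '@').
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner, ttl = owner, default_ttl
        if re.fullmatch(r"(\d+[smhdwSMHDW]?)+", tokens[0]):  # optional per-record TTL
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() in ("IN", "CH", "HS"):          # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):                 # qualify domain-name fields
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, ttl, rtype, rdata))
    return records

def check_zone(records, origin):
    """Rules from the text: a CNAME must point at an A record, the SOA name server
    needs an A record (never a CNAME), and an NS pointing inside the delegated
    subdomain needs a glue A record in this zone."""
    origin = origin if origin.endswith(".") else origin + "."
    types = {}
    for owner, _ttl, rtype, _rdata in records:
        types.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, _ttl, rtype, rdata in records:
        target = rdata[0] if rtype in ("CNAME", "SOA", "NS") else None
        have = types.get(target, set())
        if rtype == "CNAME" and "A" not in have:
            problems.append(f"CNAME {owner} -> {target}: target has no A record")
        elif rtype == "SOA" and ("A" not in have or "CNAME" in have):
            problems.append(f"SOA server {target}: needs an A record, must not be a CNAME")
        elif (rtype == "NS" and owner != origin
              and target.endswith("." + owner) and "A" not in have):
            problems.append(f"NS {owner} -> {target}: missing glue A record")
    return problems

# Constructed parent zone for example.com; the names and addresses are invented.
SAMPLE_ZONE = """\
$TTL 1d
@          IN  SOA  ns1 hostmaster.example.com. (
                    2004074891  ; Serial
                    8h          ; Refresh
                    1h          ; Retry
                    4w          ; Expire
                    1h )        ; Negative cache TTL
           IN  NS   ns1
           IN  MX   10 ns1
ns1        IN  A    192.0.2.53
www        IN  CNAME ns1
ftp        IN  CNAME files          ; files has no A record: flagged
subdom     IN  NS   ns1.subdom      ; inside the subdomain: needs glue
           IN  NS   ns1             ; in the parent zone: no glue needed
ns1.subdom IN  A    192.0.2.54      ; the glue record
"""
```

    check_zone(parse_zone(SAMPLE_ZONE, "example.com"), "example.com") reports only the ftp CNAME; removing the ns1.subdom A record additionally reports the missing glue for the subdom delegation.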
  • Zone forwarding

    Requests for non-local zones are forwarded to and dealt with by other Nameservers.

    Sample entries - /etc/bind/named.conf

    options {
         directory "/var/named";
         forwarders {;};     // Forward all requests except for local zones
                                                      // to the nameservers listed
    //   forward only;                               // Forward only queries to listed nameservers -
                                                      // forwarders statement must exist as well.  Value
                                                      // can be 'first' or 'only'.  Default is 'first'.
                                                      // If forwarder cannot resolve/respond this
                                                      // server will attempt to do so.
    };
    zone "" IN {
         type forward;                               // Forward queries for this zone to listed nameservers
         forwarders {;};
    };

  • Slave name servers

    Secondary and tertiary DNS servers are slave servers. These nameservers get their zone files from a master nameserver (or nameservers).

    Sample entry - /etc/named.conf

    zone "" {
         type slave;                             // Indicates secondary/tertiary server
         file "";
         masters {; };                           // Where to get the zone files from
    };

    Configure zone transfers - Master server named.conf

    (a) Slave server(s) configured as above.

    (b) Master server sample entries as below in master's named.conf

         allow-transfer { <IP of secondary/tertiary server> ... ; };     // Or use an acl
         notify yes;
         also-notify { <IP of secondary/tertiary server> ... ; };
    // notify yes        Master nameserver checks for NS RRs in the Zone files and sends a 
    //                   notify to those nameservers found whenever there is a change to 
    //                   the data in the zone file.
    // also-notify       A way to provide 'recipients of notifications' without having to 
    //                   create a NS RR in the zone file.

    Either in the global options or on a per-zone basis. Restricting allow-transfer to the slaves (or an acl) matters: a zone that anyone can transfer hands out a complete list of its hosts.