BIND

Resources

BIND, or the Berkeley Internet Name Daemon, is a popular free software DNS server, and also one of the most frequently used name servers on the Internet.

With BIND, users are able to set up a name server for managing their own DNS records, for caching DNS, or acting as a slave DNS server. The software supports DNSSEC which provides cryptographic signatures on the DNS records as a means to natively authenticate the integrity and ownership of the records.

Installation

BIND is offered through the net-dns/bind package. As with most packages, it is good practice to check the USE flags before emerging. Since BIND is a popular name server software, it is also a popular target for hackers and malicious groups. Is wise to securely configure BIND, which includes building in support for only features that will be actually used. If a feature will not be used, reduce the surface area of security vulnerabilities by disabling it.

USE flags

USE flags for net-dns/bind Berkeley Internet Name Domain - Name Server

`+caps`	Use Linux capabilities library to control privilege
`dnsrps`	Enable the DNS Response Policy Service (DNSRPS) API, a mechanism to allow an external response policy provider
`dnstap`	Enables dnstap packet logging
`doc`	Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
`doh`	Enables dns-over-https
`fixed-rrset`	Enables fixed rrset-order option
`geoip`	Add geoip support for country and city lookup based on IPs
`gssapi`	Enable gssapi support
`idn`	Enable support for Internationalized Domain Names
`jemalloc`	Use dev-libs/jemalloc for memory management
`lmdb`	Enable LMDB support to store configuration for 'addzone' zones
`selinux`	!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
`static-libs`	Build static versions of dynamic libraries as well
`test`	Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
`xml`	Add support for XML files

Data provided by the Gentoo Package Database · Last update: 2025-04-03 15:25 More information about USE flags

Emerge

root #emerge --ask net-dns/bind

Additional software

Bind-tools

USE flags for bind-tools:

USE flags for net-dns/bind-tools bind tools: dig, nslookup, host, nsupdate, dnssec-keygen

`+caps`	Use Linux capabilities library to control privilege
`doc`	Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
`gssapi`	Enable gssapi support
`idn`	Enable support for Internationalized Domain Names
`libedit`	Use the libedit library (replacement for readline)
`readline`	Enable support for libreadline, a GNU line-editing library that almost everyone wants
`test`	Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
`verify-sig`	Verify upstream signatures on distfiles
`xml`	Add support for XML files

Data provided by the Gentoo Package Database · Last update: 2025-03-27 19:14 More information about USE flags

Install:

root #emerge --ask net-dns/bind-tools

Configuration

Service

OpenRC

To have automatically start BIND at system boot:

root #rc-update add named default

To start the service now:

root #rc-service named start

Most management of BIND is done through its rndc command, although the /etc/init.d/named (OpenRC) init script can be passed the following arguments, in addition the typical start/stop/restart routines:

checkconfig: Validates the configuration file /etc/bind/named.conf for correct syntax.
checkzones: Validates the zone files for correct syntax.
reload: Reloads the zone files without restarting the named daemon itself.

For example:

root #rc-service named reload

Chroots

System that will be using BIND in a chrooted environment should set the CHROOT variable in /etc/conf.d/named accordingly. Check the comments as well, as they provide information on automatically creating the chrooted environment using emerge --config.

Recipes

Easy caching DNS

root #echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net

As root edit /etc/bind/named.conf add an internet service provider's DNS where the x.x.x.x are.

FILE /etc/bind/named.conf

forwarders {
		x.x.x.x;	// Your ISP NS
		x.x.x.x;	// Your ISP NS
		4.2.2.1;		// Level3 Public DNS
		4.2.2.2;		// Level3 Public DNS
		8.8.4.4;		// Google Open DNS
		8.8.8.8;		// Google Open DNS
	};

root #rc-service named restart

user $dig google.com

External resources

http://tldp.org/LDP/lame/LAME/linux-admin-made-easy/domain-name-server.html - The Linux Documenation Projects guide for BIND (a bit antiquated), but perhaps helpful reference maternal.
https://wiki.archlinux.org/index.php/BIND - BIND in the Arch wiki