From Gentoo Wiki

BIND, or the Berkeley Internet Name Daemon, is a popular free software DNS server, and also one of the most frequently used name servers on the Internet.

With BIND, users are able to set up a name server for managing their own DNS records, for caching DNS, or acting as a slave DNS server. The software supports DNSSEC which provides cryptographic signatures on the DNS records as a means to natively authenticate the integrity and ownership of the records.


BIND is offered through the net-dns/bind package. As with most packages, it is good practice to check the USE flags before emerging. Since BIND is popular name server software, it is also a popular target for hackers and malicious groups. It is wise to configure BIND securely, which includes building in support only for features that will actually be used: if a feature will not be used, disable it to reduce the surface area exposed to security vulnerabilities.

USE flags

USE flags for net-dns/bind (BIND - Berkeley Internet Name Domain - Name Server):

Flag         Description                                                      Scope
dlz          Enables dynamically loaded zones (3rd-party extension)           local
dnstap       Enables dnstap packet logging                                    local
filter-aaaa  Enables filtering of AAAA records over IPv4                      local
fixed-rrset  Enables the fixed rrset-order option                             local
geoip        Adds GeoIP support for country and city lookup based on IPs      global
gost         Enables GOST OpenSSL engine support                              local
gssapi       Enables GSSAPI support                                           local
idn          Enables support for Internationalized Domain Names               global
json         Enables the JSON statistics channel                              local
ldap         Adds LDAP (Lightweight Directory Access Protocol) support        global
lmdb         Enables LMDB support to store configuration for 'addzone' zones  local
nslint       Builds and installs the nslint utility                           local
rpz          Enables response policy rewriting (RPZ)                          local
threads      Adds threads support for various packages, usually pthreads      global
urandom      Uses /dev/urandom instead of /dev/random                         local


root #emerge --ask net-dns/bind

Additional software


The net-dns/bind-tools package provides the client utilities dig, nslookup, host, nsupdate and dnssec-keygen. Its USE flags:

Flag     Description                                          Scope
gost     Enables GOST OpenSSL engine support                  local
gssapi   Enables GSSAPI support                               local
idn      Enables support for Internationalized Domain Names   global
urandom  Uses /dev/urandom instead of /dev/random             local


root #emerge --ask net-dns/bind-tools




To have BIND start automatically at system boot:

root #rc-update add named default

To start the service now:

root #rc-service named start

Most management of BIND is done through its rndc command, although the /etc/init.d/named (OpenRC) init script can also be passed arguments, in addition to the typical start/stop/restart routines, that:

  - validate the configuration file /etc/bind/named.conf for correct syntax;
  - validate the zone files for correct syntax;
  - reload the zone files without restarting the named daemon itself.

For example:

root #rc-service named reload


Systems that will run BIND in a chrooted environment should set the CHROOT variable in /etc/conf.d/named accordingly. Check the comments in that file as well; they explain how to create the chrooted environment automatically using emerge --config.


Easy caching DNS

root #echo 'dns_servers=""' >> /etc/conf.d/net

As root, edit /etc/bind/named.conf and add your Internet service provider's DNS server addresses where the x.x.x.x placeholders are:

FILE /etc/bind/named.conf
// The forwarders statement belongs inside the options { ... } block.
forwarders {
		x.x.x.x;	// Your ISP NS
		x.x.x.x;	// Your ISP NS
		x.x.x.x;	// Level3 Public DNS
		x.x.x.x;	// Level3 Public DNS
		x.x.x.x;	// Google Open DNS
		x.x.x.x;	// Google Open DNS
};
root #rc-service named restart
user $dig
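The caching setup above forwards every query upstream, and the introduction asks for a securely configured BIND with as little exposed surface as possible. The following shell script is an added example, not part of the Gentoo wiki page or of the BIND project: it renders a hardened options block for a forward-only caching resolver (loopback listeners, query and recursion ACLs limited to localhost, no zone transfers, DNSSEC validation, version string hidden), refuses forwarder addresses that are not valid IPv4 dotted quads, and wraps BIND's named-checkconf so the configuration is checked before the init script's reload is invoked. The function names, the check-then-reload helper and the 192.0.2.x / 198.51.100.x documentation-range addresses are constructed for this example; the option names inside the rendered block (listen-on, allow-query, allow-recursion, allow-transfer, forward, forwarders, dnssec-validation, version) and the built-in localhost ACL are real BIND options.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki or the BIND project): render a
# hardened options block for a forward-only caching BIND resolver and check
# it before reloading. Function names and the 192.0.2.x / 198.51.100.x
# addresses are constructed; the option names in the block are real BIND ones.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;   # anything but digits and dots is rejected
    esac
    old_ifs=$IFS
    IFS=.
    set -f                           # no pathname expansion while splitting
    set -- $1
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_caching_named_conf IP...: print an options block that forwards every
# query to the given upstream resolvers and answers only the local host.
render_caching_named_conf() {
    [ $# -ge 1 ] || { echo "usage: render_caching_named_conf FORWARDER_IP..." >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid forwarder address: $ip" >&2; return 1; }
    done
    printf 'options {\n'
    printf '\t// Listen on loopback only; widen to specific interface addresses\n'
    printf '\t// (never "any") if LAN clients must use this resolver.\n'
    printf '\tlisten-on { 127.0.0.1; };\n'
    printf '\tlisten-on-v6 { ::1; };\n'
    printf '\t// Who may ask, and who may ask for recursion: an open recursive\n'
    printf '\t// resolver gets abused as a DNS amplification source.\n'
    printf '\tallow-query { localhost; };\n'
    printf '\tallow-recursion { localhost; };\n'
    printf '\tallow-transfer { none; };\n'
    printf '\trecursion yes;\n'
    printf '\t// Send everything upstream instead of iterating from the roots.\n'
    printf '\tforward only;\n'
    printf '\tforwarders {\n'
    for ip in "$@"; do
        printf '\t\t%s;\n' "$ip"
    done
    printf '\t};\n'
    printf '\t// Validate DNSSEC signatures on the answers the forwarders return.\n'
    printf '\tdnssec-validation auto;\n'
    printf '\t// Do not advertise the exact version to version.bind queries.\n'
    printf '\tversion "not disclosed";\n'
    printf '};\n'
}

# check_named_conf FILE: run BIND's own syntax checker when it is installed.
# Returns 0 when the file passes, 1 when it fails, 2 when the tool is absent.
check_named_conf() {
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not installed (emerge net-dns/bind); skipping check" >&2
        return 2
    fi
    named-checkconf "$1"
}

# reload_if_valid FILE: check first, reload only on success, so a typo never
# takes the running daemon down. Meant to be run as root on the live file.
reload_if_valid() {
    check_named_conf "$1" || return 1
    rc-service named reload
}

# Constructed demo: write the rendered block to a temporary file and check it.
demo_file=$(mktemp "${TMPDIR:-/tmp}/named-options.XXXXXX")
render_caching_named_conf 192.0.2.53 198.51.100.53 > "$demo_file"
cat "$demo_file"
check_named_conf "$demo_file" || true
rm -f "$demo_file"
```

The rendered block is meant to be merged into the options section of /etc/bind/named.conf, replacing the forwarders snippet shown above; the ACLs match the page's scenario of a resolver used by the host itself, and a LAN resolver would list its own network prefixes in listen-on, allow-query and allow-recursion rather than opening them to any client.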
