BIND9 (Berkeley Internet Name Domain version 9) is the most widely deployed DNS server software in the world and is fully supported on RHEL 9 through the bind package. Running your own authoritative DNS server lets you resolve hostnames for domains you control without relying on a third-party provider. This tutorial covers installing BIND9, writing a forward and reverse zone for example.com, validating the configuration, starting the service, and testing resolution end-to-end with dig. All commands are run as root or with sudo.
Prerequisites
- A RHEL 9 server with a static IP address (see the static IP tutorial)
- sudo or root access
- A domain name you control, or the ability to test in a private lab using example.com
- Port 53 accessible on TCP and UDP (we will open it with firewalld)
Step 1 — Install BIND9 and Utilities
Install the bind server package and bind-utils, which provides the dig, nslookup, and host diagnostic tools.
sudo dnf install -y bind bind-utils
After installation the BIND9 daemon is named named and its primary configuration file is /etc/named.conf. Zone data files are stored under /var/named/.
Step 2 — Configure /etc/named.conf
Edit the main configuration file to set the listening address, define which clients may query the server, configure forwarders for non-authoritative lookups, and declare your zones.
sudo cp /etc/named.conf /etc/named.conf.bak
sudo vi /etc/named.conf
Replace the default content with the following, substituting your server’s IP for 192.168.1.100:
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.100; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        // Only localhost and the LAN may query; because recursion is on below,
        // this list is also what keeps the server from being an open resolver.
        allow-query { localhost; 192.168.1.0/24; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        forward only;
        dnssec-validation yes;
};

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.rev";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Step 3 — Create the Forward Zone File
Create the zone data file for example.com at /var/named/example.com.zone. This file contains the SOA record, the NS records, the mail exchanger, and the A/CNAME records for your domain.
sudo vi /var/named/example.com.zone
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2026051701 ; Serial (YYYYMMDDnn)
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Negative cache TTL
; Name servers
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; A records
ns1 IN A 192.168.1.100
ns2 IN A 192.168.1.101
@ IN A 192.168.1.100
www IN A 192.168.1.100
mail IN A 192.168.1.102
; CNAME record
ftp IN CNAME www.example.com.
; MX record
@ IN MX 10 mail.example.com.
Set the correct ownership so BIND can read the file:
sudo chown root:named /var/named/example.com.zone
sudo chmod 640 /var/named/example.com.zone
Step 4 — Create the Reverse Zone File
The reverse zone maps IP addresses back to hostnames (PTR records). Create /var/named/192.168.1.rev:
sudo vi /var/named/192.168.1.rev
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2026051701 ; Serial (YYYYMMDDnn)
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Negative cache TTL
; Name server
@ IN NS ns1.example.com.
; PTR records
100 IN PTR ns1.example.com.
101 IN PTR ns2.example.com.
102 IN PTR mail.example.com.
sudo chown root:named /var/named/192.168.1.rev
sudo chmod 640 /var/named/192.168.1.rev
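The forward and reverse zones describe the same hosts twice, so it is worth checking that they agree before running named-checkzone. The Python script below is an added example, not part of this tutorial or of BIND: it embeds abbreviated copies of the two zone files above and assumes their conventions (one record per line, the IN class present, IPv4 in-addr.arpa owner names).

```python
# Abbreviated copies of the tutorial's two zone files, embedded as sample input.
FORWARD = """\
@ IN SOA ns1.example.com. admin.example.com. ( 2026051701 3600 1800 604800 86400 )
ns1 IN A 192.168.1.100
ns2 IN A 192.168.1.101
@ IN A 192.168.1.100
www IN A 192.168.1.100
mail IN A 192.168.1.102
"""
REVERSE = """\
100 IN PTR ns1.example.com.
101 IN PTR ns2.example.com.
102 IN PTR mail.example.com.
"""

def fqdn(name, origin):  # expand '@' and relative owners; origin ends with a dot
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_records(zone_text, origin, rtype):
    """(owner, rdata) pairs of one type; skips $-directives, comments and SOA continuation lines."""
    out, owner = [], origin
    for line in zone_text.splitlines():
        toks = line.split(";", 1)[0].split()
        if not toks or toks[0].startswith("$") or "IN" not in toks:
            continue
        i = toks.index("IN")
        if i > 0:                       # a blank owner field inherits the previous owner
            owner = fqdn(toks[0], origin)
        if len(toks) > i + 2 and toks[i + 1].upper() == rtype:
            out.append((owner, toks[i + 2]))
    return out

def check_consistency(forward, fwd_origin, reverse, rev_origin):
    """Report PTRs whose target has no matching A record, and A-record IPs with no PTR."""
    a_by_ip = {}
    for name, ip in parse_records(forward, fwd_origin, "A"):
        a_by_ip.setdefault(ip, set()).add(name)
    problems, seen = [], set()
    for owner, target in parse_records(reverse, rev_origin, "PTR"):
        # '100.1.168.192.in-addr.arpa.' -> '192.168.1.100' (IPv4 in-addr.arpa only)
        ip = ".".join(reversed(owner.rstrip(".").split(".")[:-2]))
        seen.add(ip)
        if target not in a_by_ip.get(ip, ()):
            problems.append(f"PTR {ip} -> {target} has no matching A record")
    for ip in sorted(a_by_ip):
        if ip not in seen:
            problems.append(f"no PTR for {ip} ({', '.join(sorted(a_by_ip[ip]))})")
    return problems
```

An empty list means every PTR points at a name that really has that address and every address in the forward zone has a PTR; the mail host in particular needs both for receiving servers to accept it.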
Step 5 — Validate Configuration and Start named
Always validate syntax before starting the service to catch errors early.
# Check named.conf syntax
sudo named-checkconf /etc/named.conf
# Check forward zone
sudo named-checkzone example.com /var/named/example.com.zone
# Check reverse zone
sudo named-checkzone 1.168.192.in-addr.arpa /var/named/192.168.1.rev
# Enable and start the service
sudo systemctl enable --now named
# Confirm it is running
sudo systemctl status named
Step 6 — Open the Firewall and Test with dig
Open port 53 on both UDP and TCP using firewalld, then verify name resolution with dig.
# Open DNS ports
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --reload
# Test forward lookup
dig @192.168.1.100 www.example.com A
# Test reverse lookup
dig @192.168.1.100 -x 192.168.1.100
# Test MX record
dig @192.168.1.100 example.com MX
# Test forwarding for external names
dig @192.168.1.100 google.com
Each dig response should show status: NOERROR and the expected records in the ANSWER SECTION.
Conclusion
You have installed BIND9 on RHEL 9, configured /etc/named.conf with a forward zone and reverse zone for example.com, validated the zone files with named-checkzone, started the named service, opened firewall port 53, and confirmed resolution with dig. Your server is now an authoritative DNS server for example.com and forwards all other queries to Google’s resolvers. Remember to increment the serial number in your zone files every time you make a change so secondary nameservers pick up the update.
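The serial rule above is easy to get wrong by hand (a serial that goes backwards is ignored by secondaries). The following Python helper is an added example, not part of this tutorial or of BIND: it locates the SOA serial in a zone file, computes the next YYYYMMDDnn value without ever going backwards (clock skew, more than 99 edits in a day), and rewrites only that number. The embedded zone text is the tutorial's own forward zone header, used here as sample input.

```python
import re
from datetime import date

# The tutorial's forward zone header, embedded here as sample input.
ZONE = """\
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
        2026051701 ; Serial (YYYYMMDDnn)
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )    ; Negative cache TTL
@ IN NS ns1.example.com.
"""

def find_serial(lines):
    """Return (line_index, serial): the first all-digit token after SOA's MNAME and RNAME."""
    after_soa = None          # tokens consumed since the SOA keyword, or None before it
    for i, line in enumerate(lines):
        toks = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
        if after_soa is None:
            up = [t.upper() for t in toks]
            if "SOA" not in up:
                continue
            toks, after_soa = toks[up.index("SOA") + 1:], 0
        for t in toks:
            if after_soa >= 2 and t.isdigit():
                return i, int(t)
            after_soa += 1
    raise ValueError("no SOA serial found")

def next_serial(current, today=None):
    """Today's first YYYYMMDDnn value if that is greater than current, else current + 1
    (covers clock skew and a 99th edit in one day). today is an int YYYYMMDD and
    defaults to the system date."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    candidate = today * 100 + 1
    new = candidate if candidate > current else current + 1
    return new if new < 2**32 else 1    # serials are 32-bit (RFC 1982); avoid wrapping to 0

def bump_zone(zone_text, today=None):
    """Return (new_text, old_serial, new_serial) with only the serial number changed."""
    lines = zone_text.splitlines(keepends=True)
    i, current = find_serial(lines)
    new = next_serial(current, today)
    lines[i] = re.sub(rf"\b{current}\b", str(new), lines[i], count=1)
    return "".join(lines), current, new
```

Run bump_zone on the zone file's contents, write the returned text back, then rerun named-checkzone and `rndc reload` as usual.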
Next steps: How to Install and Configure Postfix Mail Server on RHEL 9, How to Configure DKIM, SPF, and DMARC on RHEL 9, and How to Configure a Static IP Address with NetworkManager on RHEL 9.