DNS on a Linux server translates human-readable domain names into IP addresses and controls how your system resolves, serves, caches, and secures those lookups. Understanding DNS on Linux covers the resolver stack (/etc/resolv.conf, systemd-resolved), running a DNS server (BIND, Unbound, dnsmasq), managing zone files, optimizing performance, and troubleshooting common errors.
If you run websites, mail servers, or internal services, learning DNS on Linux is essential. In this guide, I’ll explain how DNS works, how Linux resolves domains, and how to deploy and manage a DNS server. We’ll use beginner friendly language, real-world examples, and commands you can run today.
What is DNS and How it Works (In 60 Seconds)?
The Domain Name System (DNS) maps domains (like example.com) to IP addresses. A typical query flows from your Linux resolver to a recursive resolver (ISP, cloud, or local), then up the chain: root servers → TLD servers → authoritative nameservers for the domain. Caching speeds up future lookups and reduces latency.
Understanding DNS on Linux: Resolver Stack
On Linux, the “resolver” is the client-side path your applications use to turn domain names into IPs. It’s primarily driven by glibc, /etc/nsswitch.conf, and the nameserver definitions in /etc/resolv.conf. Many modern distros also add systemd-resolved and/or NetworkManager to manage dynamic DNS settings.
Key Files and Services
/etc/resolv.conf: Lists nameservers and options for the resolver. On some systems it’s a symlink to a stub resolver (127.0.0.53)./etc/nsswitch.conf: Controls lookup order (e.g.,hosts: files dns).systemd-resolved: A caching stub resolver and manager. Providesresolvectl/systemd-resolvefor status and debugging.- NetworkManager: Dynamically updates DNS settings based on connections and VPNs.
How to See Which Resolver You’re Using
# Is resolv.conf a symlink to systemd-resolved?
ls -l /etc/resolv.conf
# Show current DNS servers (systemd-resolved)
resolvectl status
# Check nsswitch host resolution order
grep ^hosts /etc/nsswitch.conf
# Quick lookups
getent hosts example.com
dig example.com +short
Common pitfalls include resolv.conf being overwritten by DHCP or NetworkManager, and conflicts when both systemd-resolved and a local DNS service (like dnsmasq) try to bind port 53. Decide on a single authority for DNS on the host to avoid race conditions.
Running a DNS Server on Linux – Options
Linux supports several DNS servers. Choose based on your use case: authoritative DNS for hosting domains, recursive/caching for faster client lookups, or a hybrid design.
Popular DNS Daemons
- BIND9: The most widely used, supports authoritative and recursive, DNSSEC, views, RPZ. Great all-rounder.
- Unbound: Lightweight, fast recursive resolver with DNSSEC validation. Often paired with NSD or external authoritative DNS.
- dnsmasq: Simple DNS and DHCP for small networks, labs, and edge devices.
- PowerDNS: Enterprise-grade with database backends; separate authoritative and recursor components.
When to Use Which
- Authoritative hosting for your domains: BIND9 or PowerDNS authoritative.
- Local caching for servers or offices: Unbound or dnsmasq.
- High-scale managed DNS: Consider cloud/managed DNS; self-host for internal/private zones.
Install and Configure a Caching Resolver (Unbound)
Unbound is ideal for speeding up lookups and validating DNSSEC on your Linux server.
# Ubuntu/Debian
sudo apt update && sudo apt install unbound -y
# RHEL/CentOS/AlmaLinux/Rocky
sudo dnf install unbound -y
# Minimal config example
sudo tee /etc/unbound/unbound.conf >/dev/null <<'EOF'
server:
interface: 0.0.0.0
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
qname-minimisation: yes
prefetch: yes
harden-dnssec-stripped: yes
root-hints: "/var/lib/unbound/root.hints"
EOF
# Fetch root hints and start
sudo curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
sudo systemctl enable --now unbound
Point your system to use it by setting nameserver 127.0.0.1 in /etc/resolv.conf (or configuring systemd-resolved/NetworkManager to forward to 127.0.0.1). Validate with dig and ensure cache hits improve latency over time.
Install and Configure BIND9 (Authoritative + Optional Recursion)
BIND9 can host zones for your domains and, if needed, serve recursive queries for your LAN. Use views for split DNS (internal vs external answers) and enable DNSSEC where applicable.
Ubuntu/Debian Setup
sudo apt update && sudo apt install bind9 bind9-utils -y
# Global options (forwarders optional)
sudo tee /etc/bind/named.conf.options >/dev/null <<'EOF'
options {
directory "/var/cache/bind";
recursion no; // set "yes" for recursive resolver
allow-query { any; };
dnssec-validation yes;
auth-nxdomain no;
listen-on { any; };
listen-on-v6 { any; };
// forwarders { 1.1.1.1; 8.8.8.8; }; // optional
};
EOF
Create an Authoritative Zone
# Add zone to named.conf.local
sudo tee -a /etc/bind/named.conf.local >/dev/null <<'EOF'
zone "example.com" {
type master;
file "/etc/bind/zones/db.example.com";
};
EOF
# Create zone file
sudo mkdir -p /etc/bind/zones
sudo tee /etc/bind/zones/db.example.com >/dev/null <<'EOF'
$TTL 3600
@ IN SOA ns1.example.com. admin.example.com. (
2025010101 ; Serial
3600 ; Refresh
900 ; Retry
604800 ; Expire
300 ) ; Negative Cache TTL
; NS records
IN NS ns1.example.com.
; A/AAAA records
ns1 IN A 203.0.113.10
@ IN A 203.0.113.20
www IN CNAME @
mail IN A 203.0.113.30
; MX record
@ IN MX 10 mail.example.com.
; TXT example (SPF)
@ IN TXT "v=spf1 a mx ~all"
EOF
# Check config and restart
sudo named-checkconf
sudo named-checkzone example.com /etc/bind/zones/db.example.com
sudo systemctl enable --now bind9
Update your domain’s registrar to point NS records at your BIND server(s). Remember to increment the zone Serial on every change. Use dig @ns1.example.com example.com any to verify.
RHEL/CentOS/AlmaLinux Setup
sudo dnf install bind bind-utils -y
# Paths differ slightly; configs typically under /etc/named.conf
sudo semanage permissive -a named_t # or set proper SELinux contexts for zone files
sudo systemctl enable --now named
# Firewalld
sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reload
On SELinux systems, ensure zone files have the correct contexts (e.g., chcon -t named_zone_t /var/named/yourzone) and that BIND can read/write if using dynamic updates.
Managing DNS Records and TTLs
- A / AAAA: Map names to IPv4/IPv6.
- CNAME: Alias one name to another; don’t create alongside A/AAAA for the same label.
- MX: Mail exchanger priority for email delivery.
- NS: Authoritative nameservers for the zone or sub-delegation.
- TXT: SPF, DKIM, DMARC, verification keys.
- SRV: Service discovery (e.g., _sip._tcp).
- TTL: Lower for frequent changes; raise to improve cacheability once stable.
Plan TTLs before migrations. For example, lower TTLs 24–48 hours before moving a site, then increase after cutover to improve performance and reduce query load.
Diagnostics and Troubleshooting on Linux
Use these tools to debug DNS issues, from misconfigured zones to network-level blocking. They’re essential for any Linux administrator managing DNS configuration.
Commands You’ll Use Daily
# Query specific server and record type
dig @1.1.1.1 example.com A +noall +answer
# Trace delegation path (root -> TLD -> authoritative)
dig example.com +trace
# See DNSSEC validation chain
dig example.com DS +dnssec
dig example.com A +dnssec
# Reverse lookup
dig -x 203.0.113.20 +short
# Check local resolver status (systemd-resolved)
resolvectl status
resolvectl query example.com
# Packet capture on port 53
sudo tcpdump -n port 53
Common Errors and Fixes
- SERVFAIL: Often DNSSEC validation or lame delegation. Check DS records, clock skew, firewall, and upstream health.
- NXDOMAIN: The name doesn’t exist. Confirm zone loading and the exact label being queried.
- REFUSED: Your server denies queries (ACLs, views). Adjust allow-query/recursion settings.
- Stale resolv.conf: Overwritten by DHCP. Pin or manage via NetworkManager or systemd-resolved.
- Port 53 in use: Another daemon bound to 53. Choose one service or change bind addresses.
Performance and Security Best Practices
- Enable caching: Unbound or BIND with sane TTLs reduces latency and upstream load.
- Harden recursion: Restrict recursive service to trusted subnets; disable for the public Internet.
- DNSSEC: Validate on resolvers and sign authoritative zones when possible.
- QNAME minimization: Improves privacy and reduces data leakage to upstreams.
- Rate limiting/RRL: Mitigates amplification abuse on authoritative servers.
- Split-horizon DNS: Serve internal answers only to internal clients using views.
- Logging and monitoring: Enable query logs carefully; ship metrics to Prometheus/Grafana and alert on spikes.
- High availability: Use at least two authoritative nameservers in different networks/regions.
Self-Hosted vs Managed DNS: Which Should You Use?
If you need full control, private zones, or on-prem resolution, self-hosted DNS on Linux (BIND/Unbound) is ideal. For public-facing domains, managed DNS offers global resilience and Anycast performance without the overhead.
At YouStable, we see many customers succeed with a hybrid approach: use managed DNS for public zones and a lightweight Unbound or dnsmasq resolver on their VPS or dedicated servers for fast, secure local caching. Our hosting stacks and VPS plans make it easy to deploy both models while keeping DNS reliable and secure.
Step-by-Step: Point Linux to Your Preferred Resolver
- Decide: use local Unbound (127.0.0.1) or trusted upstream (e.g., 1.1.1.1, 9.9.9.9).
- If using
systemd-resolved, set DNS per interface:resolvectl dns eth0 127.0.0.1. - If using NetworkManager:
nm-connection-editorornmcli con mod <name> ipv4.dns "127.0.0.1"then reconnect. - For static servers, edit
/etc/resolv.conf(avoid if managed dynamically). - Verify with
digand ensure TTL-based caching behaves as expected.
Real-World Tips from 12+ Years Managing DNS
- Never run open recursion on a public IP. Lock it to private subnets.
- Document zone serial policies. Use date-based serials (YYYYMMDDnn) to avoid confusion.
- Stagger TTL changes during migrations; start low, end high.
- Keep authoritative servers in different ASNs/regions. Test failover regularly.
- Automate zone checks in CI:
named-checkzone,dnsviz.net, and DNSSEC validators. - If you use SELinux, plan contexts and directories before deployment to save hours of debugging.
- On busy resolvers, prefer Unbound for performance and simplicity; add local root hints.
FAQ’s: DNS on Linux Server
What is the difference between authoritative and recursive DNS on Linux?
Authoritative DNS serves final answers for the zones you host (e.g., example.com). Recursive DNS performs lookups on behalf of clients, walking the DNS hierarchy and caching results. BIND can do both; Unbound is typically recursive only.
How do I permanently set DNS servers on Ubuntu or Debian?
With systemd-resolved, use resolvectl dns <iface> <server> and optionally resolvectl domain. With NetworkManager, run nmcli con mod <name> ipv4.ignore-auto-dns yes ipv4.dns "1.1.1.1 9.9.9.9" then reconnect. Avoid editing /etc/resolv.conf directly if it’s managed.
Should I run my own DNS or use managed DNS?
Run your own for internal zones, lab environments, and specialized needs. Use managed DNS for public domains when you want global redundancy, Anycast performance, and low maintenance. Many teams combine both for reliability and control.
How do I troubleshoot slow DNS on Linux?
Check latency with dig and +stats, verify caching (repeat queries should be faster), inspect resolvectl status for active servers, and ensure no conflicting local daemons. Packet capture with tcpdump can reveal timeouts or blocked UDP/53.
Is DNSSEC required, and how do I enable it?
DNSSEC isn’t mandatory but significantly improves integrity. For resolvers, enable validation (Unbound: default on; BIND: dnssec-validation yes;). For authoritative zones, sign zones (e.g., dnssec-signzone) and publish DS records at your registrar.
Mastering DNS on Linux empowers you to deliver faster websites, resilient services, and secure name resolution. Whether you choose self-hosted BIND/Unbound or managed DNS plus a local cache, YouStable’s hosting and VPS platforms provide a stable foundation for reliable DNS at any scale.
