Latest posts

How to Build BIND

If you need to install the latest version of the BIND DNS server, you won't find it in your package repositories. You will need to compile it from the source and create a proper environment by hand.

On Debian

apt install bind9

Will get you 9.11.5

On CentOS

yum install bind

Will get you 9.11.4

Latest BIND version at the moment is 9.14. Unless you run a bleeding-edge distribution, you can't get a much newer version than these. If you are willing to run a bleeding-edge distro on your environment, you can get the latest version with ease.

sudo pacman -S bind
[sudo] password for mbp:
resolving dependencies...
looking for conflicting packages...

Packages (1) bind-9.14.5-1

Total Download Size:   0.21 MiB
Total Installed Size:  0.67 MiB

If you are managing a serious production environment, you won't get such luxuries. You have to get your hands dirty get the latest version.

But why this new version is not included in the default repositories? Because it takes time and effort to make proper packages out of the new versions. Also, most distributions prefer some extra testing before putting new versions in their repositories. Most of the time, the version in the official repositories are good for daily operations. Unless you need a feature in a newer version, it is better to stick to repositories.

You can choose a bind version from BIND 9 Significant Features Matrix.

Bind has many versions with different EOL dates. Choose wisely for your update cycle. Bind has a system for its releases. The current codebase is bind 9.

  • Major branches go like 9.12, 9.13, 9.14.
  • Minor versions go like 9.12.1, 9.12.2, 9.12.3.
  • Odd-numbered major versions are development versions. 9.13 was the first of this trend.
  • Even-numbered major versions are stable versions like 9.12.

I have chosen bind 9.14 for my build. It's both feature-packed and stable. I'm using a CentOS environment.

Before building from source, we need a few dependencies and packages:

  • wget
  • gcc
  • python36-ply
  • openssl-devel
  • libcap-devel

To gather the build gang on Centos 7 minimal:

yum -y install wget gcc python36-ply openssl-devel libcap-devel

Also, BIND needs the following dependencies on CentOS

  • audit-libs-python
  • bind-libs
  • checkpolicy
  • libcgroup
  • libsemanage-python
  • policycoreutils-python
  • python-IPy
  • python-ply
  • setools-libs
yum -y install audit-libs-python bind-libs checkpolicy libcgroup libsemanage-python policycoreutils-python python-IPy python-ply setools-libs

To grab the required tarball, visit

tar zxvf  bind-9.14.3.tar.gz
cd bind-9.14.3

When you compile software from source, you can specify build parameters. These parameters can't be changed after the build. You don't such a chance with binary packages.

Interesting build parameters

Now we are ready to configure and compile. Since we are compiling for ourselves, we might as well optimize the binary

  • --with-tuning=large

    This option, tunes BIND for high memory machines. Some of the significant changes done by this parameter are:

    • ISCSOCKETMAXEVENTS changed from 64 to 1024 (Maximum number of events communicated with kernel)
    • ISCSOCKETMAXSOCKETS changed from 4096 to 21000 (maximum sockets named can use)
    • RCVBUFSIZE changed from 32K to 16M (these increases receive buffer which reduces dropped packages )
    • RESOLVER_NTASKS changed from 31 to 523 ( Increases the number of resolver tasks )
    • UDPBUFFERS increased from 1000 to 32K
    • EXCLBUFFERS increased from 4096 to 32K

    This option makes bind use more ram. Why using more ram is good? Because idle RAM is wasted RAM. If your system does not have lots of RAM, this option will slow your installation down. But how much ram is high ram? I usually consider this option when the machine has 16GB + ram.

  • --with-openssl

    Enables OpenSSL support, which is required for DNSSEC which is required for a decent DNS setup

  • --enable-threads

    For 9.6+ versions this is the default option, does not need to be specified. For older versions this is the most important compile parameter, if you omit this at build, most of your cores will chill out while a single core does all the work.

  • --enable-dnstap

    Include dnstap support. Dnstap is a flexible, structured binary log format for DNS which utilized Protocol Buffers to encode events. The beautiful thing about this is, this not a BIND specific format. Other common DNS software also supports this log format and its an implementation-neutral standard. protobuff lib is required for this.

  • --with-libtool:

    This parameter forces the building of dynamic libraries and links the installed binaries to these libraries.

  • --with-libidn2:

    This parameter enables the IDNA2008 (Internationalized Domain Names in Applications) support.

  • --enable-fetchlimit:

    Use this option if you want to be able to limit the rate of recursive client queries. This may be useful on servers which receive a large number of queries. This is a very useful feature.

  • --disable-static:

    This switch prevents the installation of static versions of the libraries.

  • --with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}: Use one (or more) of those options to add Dynamically Loadable Zones support. For more information refer to

So I ended up with the following build.

./configure  --with-openssl  --enable-fetchlimit
make install

When you install with a package manager, post and prescripts of the package file take care of some stuff for you. Since we did a manual install, we need some extra steps.

You need to write a service file to manage you BIND service with systemctl. It put my service files under /etc/systemd/system . Some people also use /usr/lib/systemd/system/ , but this place is reserved upstream unit files which comes with packages.

vim /etc/systemd/system/bind.service

ExecStart=/usr/local/sbin/named -4 -f -u named -t /etc/named -c /etc/named.conf
ExecReload=/usr/local/sbin/rndc reload
ExecStop=/usr/local/sbin/rndc stop


Also, you need to create a group and a user for bind.

groupadd named
useradd -d /var/named -g named -s /bin/false named

Now you have a working BIND. All you need is some configuration files. Put your config files and key files in the proper places. If you don't put the configuration files, the next step will fail.

systemctl start bind
systemctl status bind

Now you are ready to go.

Published under  on .


Open Source and Linux, Notes, Guides and Ideas