Last active May 3, 2024 22:17
BIND9 slave for AD DNS master
#!/usr/bin/env bash
## -------------------------------=[ Info ]=--------------------------------- ##
# Inspired by and adapted from:
# /u/rootwyrm
# Successfully tested on:
# - ESXi 6.7 -> Ubuntu Server 18.04
# - Raspberry Pi 2 -> Raspbian Stretch Lite
## -=[ Author ]=------------------------------------------------------------- ##
# shr00mie
# 01.14.2019
# v0.1
## -=[ Use Case ]=----------------------------------------------------------- ##
# Deploy and configure a bind9 slave (secondary) for an AD DNS master.
## -=[ Notes ]=-------------------------------------------------------------- ##
# Minimum bind9 versions (based on functional domain level):
# - Server 2k8(r2) = 9.6
# - Server 2k12(r2) = 9.9
## -=[ Prep ]=--------------------------------------------------------------- ##
# Create an (A) entry for the bind9 slave on the AD DNS master.
# AD DNS Prep:
# - DNS Snap-in
#   - View -> Advanced (Enabled)
#   - DNS Server (Right Click) -> Properties
#     - [Advanced]
#       - Enable bind secondaries (Enabled)
#       - Enable netmask ordering (Enabled)
#       - Enable DNSSEC validation for remote responses
#       - Name Checking: Multibyte (UTF8) or All Names
#       - Load zone data on startup: From Active Directory and registry
#       - Enable automatic scavenging (set optimal interval for your use case)
#       - * Root Hints MUST BE UPDATED MANUALLY (you can use "Resolve" to do this)
#   - Forward Lookup Zones
#     - <domain> -> Properties
#       - [General]
#         - Dynamic Updates: Secure Only
#       - [Zone Transfers]
#         - Allow Zone Transfers (Enabled)
#         - Only to servers listed on the Name Servers tab
#         - <Apply>
#       - [Name Servers]
#         - <Add>
#         - Enter FQDN of bind9 slave
#         - <OK>
#     - _msdcs.<domain> -> Properties
#       - same as above
#   - Reverse Lookup Zones
#     - <zone> -> Properties (repeat for all reverse lookup zones)
#       - same steps as for forward lookup zones
#       - [Security]
#         - Everyone -> Read (Enabled)
## -=[ Breakdown ]=---------------------------------------------------------- ##
# 1. Update system
# 2. Install bind9
# 3. Cleanup
# 4. Edit /etc/default/bind9. Attach bind to IPv4
# 5. Backup /etc/bind/named.conf.options
# 6. Create /var/cache/bind/zones folder and set permissions
# 7. Config /etc/bind/named.conf.options
# 8. Append reverse lookup zones to /etc/bind/named.conf.options
# 9. Restart bind9
## -=[ To-Do ]=-------------------------------------------------------------- ##
# 1. Change DNS var to array and mod script to account for array iteration.
# 2. Separate out acl, options, zones, and logging into separate files
## ----------------------------=[ Functions ]=------------------------------- ##
# Terminal colours used by status()
GREEN='\033[0;32m'
RESTORE='\033[0m'

# Usage: status "Status Text"
function status() {
    echo -e "\n...${GREEN}$1${RESTORE}..."
}

# Usage: add_reverse_zone "4.1.10"
# $1 is the reversed network octets (e.g. "4.1.10" for 10.1.4.0/24); the
# zone name is <reversed-octets>.in-addr.arpa. Transfers and notifies are
# accepted from the AD DNS master only.
function add_reverse_zone() {
cat << EOF | sudo tee -a /etc/bind/named.conf.options > /dev/null
zone "$1.in-addr.arpa" {
    type slave;
    masters { $AD_Server_IP; };
    file "$Zone_DB_Root.$1.in-addr.arpa";
    allow-transfer { dns_master; };
    allow-notify { dns_master; };
};
EOF
}
## ----------------------------=[ Variables ]=------------------------------- ##
# All values below are placeholders; replace them for your environment.
# The names Bind_Server_IP, LAN_CIDR and Domain_Name are assumed here.
# IP of AD DNS server
AD_Server_IP="x.x.x.x"
# IP of bind9 server
Bind_Server_IP="x.x.x.x"
# CIDR mask for LAN for allowed query acl
LAN_CIDR="x.x.x.0/24"
# Forwarder
PiHole="x.x.x.x"
# AD domain name (forward zone)
Domain_Name="ad.example.com"
# Array of reverse LANs (4.1.10)
Reverse_Subnets=("x.x.x" "x.x.x" "x.x.x" "x.x.x")
# Root path for zone dbs (zone files land in the zones folder created below)
Zone_DB_Root="/var/cache/bind/zones/db"
## ---------------------------=[ Script Start ]=----------------------------- ##
status "Updating system and installing bind9"
sudo apt update && sudo apt upgrade -y
sudo apt install bind9 bind9utils bind9-doc -y
sudo apt autoclean && sudo apt autoremove -y

status "Editing /etc/default/bind9 to bind to IPv4"
sudo sed -i.back "s/OPTIONS=\"-u bind\"/OPTIONS=\"-u bind -4\"/" /etc/default/bind9

status "Backing up named.conf.options"
sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.back

status "Creating Zones folder"
sudo mkdir -p /var/cache/bind/zones
sudo mkdir -p /var/cache/bind/log
sudo chown -R bind:bind /var/cache/bind

status "Configuring bind9 options"
# listen-on is an assumed addition (the original extraction lost it); drop it
# if bind should answer on every interface. dnssec-enable is accepted by the
# BIND 9.11 shipped with Ubuntu 18.04 but was removed in later BIND releases.
cat << EOF | sudo tee /etc/bind/named.conf.options > /dev/null
acl "lan" {
    localhost;
    $LAN_CIDR;
};
acl "dns_master" {
    $AD_Server_IP;
};
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; $Bind_Server_IP; };
    check-names master warn;
    allow-notify { localhost; dns_master; };
    allow-transfer { localhost; dns_master; };
    edns-udp-size 4096;
    max-udp-size 4096;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-query { lan; };
    forwarders { $PiHole; };
};
zone "$Domain_Name" {
    type slave;
    masters { $AD_Server_IP; };
    file "$Zone_DB_Root.$Domain_Name";
    allow-transfer { dns_master; };
    allow-notify { dns_master; };
};
zone "_msdcs.$Domain_Name" {
    type slave;
    masters { $AD_Server_IP; };
    file "$Zone_DB_Root._msdcs.$Domain_Name";
    allow-transfer { dns_master; };
    allow-notify { dns_master; };
};
EOF

status "Appending reverse lookup zones"
for sub in "${Reverse_Subnets[@]}"
do
    status "Appending ${sub}"
    add_reverse_zone "${sub}"
done

status "Appending logging configuration"
cat << EOF | sudo tee -a /etc/bind/named.conf.options > /dev/null
logging {
    channel update_debug {
        file "/var/cache/bind/log/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/cache/bind/log/security_info.log" versions 1 size 100k;
        severity info;
        print-severity yes;
        print-time yes;
    };
    channel bind_log {
        file "/var/cache/bind/log/bind.log" versions 3 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
};
EOF

status "Restarting bind9"
# Validate the generated configuration before restarting (named-checkconf
# ships in bind9utils, installed above).
sudo named-checkconf /etc/bind/named.conf && sudo systemctl restart bind9
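After the restart, the useful check is whether the secondary actually holds every zone the script configured and whether its SOA serials match the AD master. The helper below is an added example, not part of the gist; it assumes the gist's variable names (Domain_Name, AD_Server_IP, the reversed-octet entries of Reverse_Subnets) and that dig from bind9utils is installed on the slave.

```shell
#!/usr/bin/env bash
# Added verification helper for the bind9 slave built by the gist above.
# Usage: ./check_slave.sh <AD_Server_IP> <Domain_Name> [reversed-octets ...]
#   e.g. ./check_slave.sh 10.1.4.10 ad.example.com 4.1.10 5.1.10

# Zone name the gist's add_reverse_zone creates for "4.1.10" -> 4.1.10.in-addr.arpa
reverse_zone_name() {
    printf '%s.in-addr.arpa\n' "$1"
}

# Every zone the slave is expected to hold: forward, _msdcs and each reverse zone.
expected_zones() {
    domain=$1; shift
    printf '%s\n' "$domain" "_msdcs.$domain"
    for sub in "$@"; do reverse_zone_name "$sub"; done
}

# SOA serial of a zone as served by one server (empty when there is no answer).
# dig +short prints "mname rname serial refresh retry expire minimum".
soa_serial() {
    dig +short +time=2 +tries=1 "@$1" "$2" SOA | awk 'NF >= 3 { print $3; exit }'
}

# Compare master and slave serials: prints in-sync / stale / missing,
# and returns non-zero unless they match.
serial_state() {
    if [ -z "$2" ]; then echo "missing"; return 2; fi
    if [ "$1" = "$2" ]; then echo "in-sync"; return 0; fi
    echo "stale"; return 1
}

# Walk all expected zones; exit status is non-zero if any zone is missing or stale.
check_all() {
    master=$1; domain=$2; shift 2
    rc=0
    for zone in $(expected_zones "$domain" "$@"); do
        m=$(soa_serial "$master" "$zone")
        s=$(soa_serial 127.0.0.1 "$zone")
        state=$(serial_state "$m" "$s") || rc=1
        printf '%-40s master=%-12s slave=%-12s %s\n' "$zone" "${m:-?}" "${s:-?}" "$state"
    done
    return $rc
}

if [ $# -ge 2 ]; then
    check_all "$@"
fi
```

A "missing" row means the slave never loaded the zone: check that the zone name matches the AD zone exactly and that the master lists the slave's FQDN on the Name Servers tab; "stale" with a persistent gap points at NOTIFY or transfer being blocked.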