40 min. 70 XP.
BIND Zone Files. Forward, Reverse, and Serial Numbers
Internal DNS (DNS INT FWD/REV) requires BIND to serve two kinds of records: forward (name to IP, A records) and reverse (IP to name, PTR records). Both are needed; the scoring engine checks them separately. This lesson walks through a minimal named.conf and two zone files, and covers the single biggest gotcha: serial numbers.
Prerequisites
DCWF roles:
IT-441 Network Operations Specialist
IT-451 System Administrator
CS-462 Control Systems Security Specialist
Services:
- DNS INT FWD
- DNS INT REV
- DNS EXT FWD
- DNS EXT REV
Objectives
- Read `/etc/bind/named.conf.local` and know what each `zone {}` block does
- Write a minimal forward-zone file with SOA, NS, and A records
- Write a matching reverse-zone file with PTR records
- Bump the SOA serial number correctly after every edit
- Validate config + zone files with `named-checkconf` and `named-checkzone`
- Reload BIND with `rndc reload` and verify with `dig`
Quick reference
| Command | Purpose |
|---|---|
| systemctl status bind9 | Is BIND running? |
| ss -ulntp \| grep :53 | Is BIND listening on port 53 (UDP and TCP)? |
| named-checkconf | Validate named.conf syntax |
| named-checkzone <zone> <file> | Validate a specific zone file |
| rndc reload | Reload BIND after config changes |
| rndc zonestatus <zone> | Check if a zone is loaded |
| dig @127.0.0.1 <name> | Query BIND directly |
| dig @127.0.0.1 -x <ip> | Reverse DNS query |
| journalctl -u bind9 -n 30 | Recent BIND log lines |
Common pitfalls
- Forgetting to bump the SOA serial after editing. The primary still reloads the file on `rndc reload` (and logs a "zone serial unchanged" warning), but secondaries only transfer a zone whose serial has increased, so the change never propagates beyond the box you edited
- Missing the trailing dot on fully-qualified names in zone files (FQDN vs relative)
- Reverse zone uses octets in reverse order: 10.18.172.in-addr.arpa for 172.18.10.0/24
- `named-checkzone` takes the zone name first, then the file path; order matters
- Zone file permissions wrong: the bind user must be able to read them (running `named-checkzone` as root will not catch this)
- Allowing recursion for everyone (the default in some configs). Don't: an open recursive resolver lets the red team use you as a DNS amplification reflector. Set `recursion no;` on an authoritative-only server, or limit `allow-recursion` to your own subnets
How it works (walkthrough)
```
# Minimal /etc/bind/named.conf.local
zone "team10.ncaecybergames.org" {
    type master;
    file "/etc/bind/db.team10";
};

zone "10.18.172.in-addr.arpa" {   # reverse zone for 172.18.10.0/24
    type master;
    file "/etc/bind/db.172.18.10";
};
```
Forward zone, `/etc/bind/db.team10`. Note that zone-file comments start with `;`, not `#`, and that a blank owner field means "same owner as the previous record"; writing `@` explicitly avoids surprises when whitespace gets lost.

```
; /etc/bind/db.team10 (forward zone for team10.ncaecybergames.org)
$TTL 3600
@   IN SOA ns.team10.ncaecybergames.org. admin.team10.ncaecybergames.org. (
        2026041401 ; serial (YYYYMMDDNN convention): bump after every edit
        3600       ; refresh
        600        ; retry
        86400      ; expire
        300        ; negative-caching TTL (minimum)
)
@   IN NS   ns.team10.ncaecybergames.org.
ns  IN A    172.18.10.13
www IN A    172.18.10.13
dns IN A    192.168.10.12   ; outside 172.18.10.0/24: no PTR in the reverse zone below
```
Reverse zone, `/etc/bind/db.172.18.10`. The owner `13` is relative to the zone origin, so it expands to `13.10.18.172.in-addr.arpa`. Each zone has its own serial; bump the one you edited.

```
; /etc/bind/db.172.18.10 (reverse zone for 172.18.10.0/24)
$TTL 3600
@   IN SOA ns.team10.ncaecybergames.org. admin.team10.ncaecybergames.org. (
        2026041401 3600 600 86400 300 )   ; serial refresh retry expire negative-TTL
@   IN NS   ns.team10.ncaecybergames.org.
13  IN PTR  www.team10.ncaecybergames.org.   ; one PTR per address; ns shares this IP
```
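The walkthrough above hand-writes the forward zone, the reverse zone and the serial separately, which is exactly where they drift apart. The script below is an added example (not part of the original lesson or of BIND) that generates both zone files from one host table, derives the `in-addr.arpa` name from a CIDR, bumps a serial in the YYYYMMDDNN style while handling the cases that convention trips over (several edits on one day, or a serial already ahead of today's date), and cross-checks that every A record inside the subnet has a PTR and vice versa, the way a scoring engine that grades FWD and REV separately would. The host table, zone name and addresses are constructed to match the walkthrough; the serial values are examples.

```python
"""Generate matching forward/reverse BIND zone files and cross-check them (added example)."""
from __future__ import annotations

import datetime
import ipaddress

# Constructed host table mirroring the walkthrough: short name -> IPv4 address.
HOSTS = {
    "ns": "172.18.10.13",
    "www": "172.18.10.13",
    "dns": "192.168.10.12",   # outside the reverse zone: gets an A record, no PTR
}
ZONE = "team10.ncaecybergames.org"
PRIMARY_NS = f"ns.{ZONE}."
HOSTMASTER = f"admin.{ZONE}."


def reverse_zone_name(cidr: str) -> str:
    """in-addr.arpa zone for an octet-aligned IPv4 network (/8, /16, /24).

    Octets appear in reverse order, keeping only those the prefix covers:
    172.18.10.0/24 -> 10.18.172.in-addr.arpa (the pitfall the lesson calls out).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def bump_serial(current: int, today: datetime.date | None = None) -> int:
    """Return a serial strictly greater than `current`, preferring today's YYYYMMDDNN.

    BIND and secondaries only care that the number increases; if the old serial
    is already at or beyond today's base (several edits today, or a serial that
    ran ahead of the clock), just add one instead of going backwards.
    """
    today = today or datetime.date.today()
    date_base = int(today.strftime("%Y%m%d")) * 100
    return date_base + 1 if current < date_base else current + 1


def soa_header(serial: int) -> str:
    """SOA and NS records shared by both zones ('@' is the zone origin)."""
    return (
        "$TTL 3600\n"
        f"@   IN SOA {PRIMARY_NS} {HOSTMASTER} (\n"
        f"        {serial} ; serial\n"
        "        3600       ; refresh\n"
        "        600        ; retry\n"
        "        86400      ; expire\n"
        "        300        ; negative-caching TTL\n"
        ")\n"
        f"@   IN NS   {PRIMARY_NS}"
    )


def render_forward_zone(serial: int) -> str:
    lines = [soa_header(serial)] + [f"{name:<4} IN A    {ip}" for name, ip in HOSTS.items()]
    return "\n".join(lines) + "\n"


def render_reverse_zone(cidr: str, serial: int, preferred: dict[str, str] | None = None) -> str:
    """One PTR per address inside `cidr`; hosts outside the subnet are skipped.

    When several names share an IP (ns and www here), `preferred` maps the IP to
    the canonical name; otherwise the first name in HOSTS wins.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    preferred = preferred or {}
    ptr: dict[str, str] = {}
    for name, ip in HOSTS.items():
        if ipaddress.ip_address(ip) in net and (ip not in ptr or preferred.get(ip) == name):
            ptr[ip] = name
    lines = [soa_header(serial)]
    for ip, name in sorted(ptr.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        host_octets = ip.split(".")[net.prefixlen // 8 :]        # part not covered by the origin
        lines.append(f"{'.'.join(reversed(host_octets)):<4} IN PTR  {name}.{ZONE}.")
    return "\n".join(lines) + "\n"


def check_consistency(forward: str, reverse: str, cidr: str) -> list[str]:
    """Report A records inside `cidr` with no PTR, and PTRs with no matching A record."""
    net = ipaddress.ip_network(cidr, strict=True)
    net_octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    a_records: dict[str, set[str]] = {}
    for parts in (line.split() for line in forward.splitlines()):
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            a_records.setdefault(parts[3], set()).add(parts[0])
    ptr_targets: dict[str, str] = {}
    for parts in (line.split() for line in reverse.splitlines()):
        if len(parts) == 4 and parts[1:3] == ["IN", "PTR"]:
            ip = ".".join(net_octets + parts[0].split(".")[::-1])   # owner back to host order
            ptr_targets[ip] = parts[3]
    problems = []
    for ip, names in a_records.items():
        if ipaddress.ip_address(ip) in net and ip not in ptr_targets:
            problems.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
    for ip, fqdn in ptr_targets.items():
        if fqdn.removesuffix(f".{ZONE}.") not in a_records.get(ip, set()):
            problems.append(f"PTR {ip} -> {fqdn} has no matching A record")
    return problems


if __name__ == "__main__":
    serial = bump_serial(2026041401)
    fwd = render_forward_zone(serial)
    rev = render_reverse_zone("172.18.10.0/24", serial, preferred={"172.18.10.13": "www"})
    print(fwd, rev, sep="\n")
    print("problems:", check_consistency(fwd, rev, "172.18.10.0/24") or "none")
```

Write the two outputs to `db.team10` and `db.172.18.10`, then run the page's own checks on them (`named-checkzone` with the zone name first, `rndc reload`, `dig @127.0.0.1` and `dig @127.0.0.1 -x`). The generator only covers octet-aligned subnets; classless reverse delegation (RFC 2317) needs a different owner scheme.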
Skill drills
1. What record type maps a name to an IPv4 address? Answer: A record
2. What record type does reverse DNS use? Answer: PTR
3. What's the reverse-zone name for the network 192.168.5.0/24? Answer: 5.168.192.in-addr.arpa
4. Serial number format BIND admins use? Answer: YYYYMMDDNN by convention (e.g., 2026041401); BIND itself only requires that the serial increase
5. Command to reload BIND without restarting it? Answer: rndc reload
6. What SOA field controls how long NEGATIVE responses are cached? Answer: the fifth number (the "minimum" field), which is the negative-caching TTL