Update on DoH support in BIND 9
DNS over HTTPS Update It has been a long time since our last blog on the BIND 9 DNS-over-HTTPS (DoH) implementation.Read
Versatile, classic, complete name server software
BIND 9 has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.
If you want source code, download current version from the ISC website or our FTP site. Or, install our updated ISC packages for Ubuntu, CentOS/Fedora, and the standard Debian package. If you prefer Docker, get our official Docker image.
Contact ISC for Support
Before your mail server sends an email, before your web browser displays a web page, there is a DNS lookup to resolve a DNS name to an IP address. Watch this DNS Fundamentals presentation from Eddy Winstead of ISC or read A Warm Welcome to DNS by Bert Hubert of PowerDNS.
BIND is used successfully for every application from publishing the (DNSSEC-signed) DNS root zone and many top-level domains, to hosting providers who publish very large zone files with many small zones, to enterprises with both internal (private) and external zones, to service providers with large resolver farms.
We support three major branches of BIND 9 at a time: Stable, Extended-Support, and Development. See this advice: Which version of BIND do I want to download and install? as well as our list of supported platforms.
We also maintain a significant feature matrix and version history.
If you would prefer a GUI management interface, you might consider a Commercial Product based on BIND.
Instructions are available for Installing and Upgrading BIND 9. ISC provides executables for Windows and packages for Ubuntu and CentOS and Fedora and Debian - BIND9 ESV, Debian - BIND 9 Stable, Debian - BIND 9 Development version. We also have official Docker images. Most operating systems also offer BIND 9 packages for their users. These may be built with a different set of defaults than the standard BIND 9 distribution, and some of them add a version number of their own that does not map exactly to the BIND 9 version.
The BIND Administrator Reference Manual (ARM) included in the BIND distribution is the primary reference for BIND configuration. See the Best Practices documents in our Knowledgebase for configuration recommendations.
Resolver users may find Getting started with Recursive Resolvers to be useful. There are a number of excellent books on BIND; Ron Hutchinson’s DNS for Rocket Scientists is generously posted on the Internet at Zytrax.com and can be a very helpful online reference tool.
Most users will benefit from joining the bind-users mailing list. We advise all users to subscribe to email@example.com to get announcements about new versions and security vulnerabilities. For other news, see our BIND blogs.
Our partners at Men and Mice run a very good series of hands-on training classes. If your DNS is critical to your business, we recommend you subscribe for technical support from ISC.
A resolver is a program that resolves questions about names by sending those questions to appropriate servers and responding to the servers’ replies. In the most common application, a web browser uses a local stub resolver library on the same computer to look up names in the DNS. That stub resolver is part of the operating system. The stub resolver usually will forward queries to a caching resolver, a server or group of servers on the network dedicated to DNS services. Those resolvers will send queries to one or multiple authoritative servers in order to find the IP address for that DNS name.
When a customer searches for a non-existent domain (NXDOMAIN response), you can redirect the user to another web page. This is done using the BIND 9 DLZ feature.
Prefetch popular records before they expire from the cache. This will improve the performance delivered to end users for resolving names that have short expiration times.
From time to time you may get incorrect or outdated records in the resolver cache. BIND 9 gives you the ability to remove them selectively or as a group.
BIND 9 is unique in providing the ability to configure different views in a single BIND server. This allows you to give internal (on-network) and external (from the Internet) users different views of your DNS data, keeping some DNS information private.
BIND 9 offers two configuration parameters, fetches-per-zone and fetches-per-server. These features enable rate-limiting queries to authoritative systems that appear to be under attack. These features have been successful in mitigating the impact of a DDoS attack on resolvers in the path of the attack.
Protect your clients from imposter sites by validating DNSSEC. In BIND 9, this is enabled with a single command. BIND 9 also has a Negative Trust Anchor feature, which temporarily disables DNSSEC validation when there is a problem with the authoritative server’s DNSSEC support. BIND 9 offers support for RFC 5011 maintenance of root key trust anchors.
A Response Policy Zone or RPZ is a specially constructed zone that specifies a policy rule set. The primary application is for blocking access to domains that are believed to be published for abusive or illegal purposes. There are companies that specialize in identifying abusive sites on the Internet, which market these lists in the form of RPZ feeds. For more information on RPZ, including a list of DNS reputation feed providers, see https://dnsrpz.info.
BIND supports QNAME minimization by default. This feature minimizes leakage of excessive detail about the query to systems that need those details. BIND will be supporting two different encryption mechanisms, DNS over HTTPS (DoH) and DNS over TLS (DoT), in BIND 9.18. These implementations are available in the development branch today.
ISC packages may be found at: CentOS Epl & Fedora, Ubuntu Launchpad, and Debian. We also have an official Docker image. Download sources here and follow these instructions to verify a download file. Note that BIND 9.18 and beyond will no longer support the native Windows(tm) operating system.
|VERSION||STATUS||DOCUMENTATION||RELEASE DATE||EOL DATE||DOWNLOAD|
|9.17.18||Development|| BIND 9.17 ARM (
Release Notes ( HTML )
|9.16.21||Current-Stable, ESV|| BIND 9.16 ARM (
Release Notes ( HTML )
|9.11.35||Current-Stable, ESV|| BIND 9.11 ARM (
Release Notes ( HTML PDF )
|August 2021||December 2021|
Join the bind-users mailing list to offer help to or receive advice from other users.Join Now
Before submitting a bug report, please ensure that you are running a current version. Then log your report as an issue in our BIND GitLab project. If you think this bug may be a security vulnerability, please do not log it in Gitlab, but instead send an email to firstname.lastname@example.org.Report
Test a domain to ensure full reachability and compliance with EDNS standards.Test
Consult our library of technical articles on BIND 9 and DNS.Browse
|Administrator Reference Manual (ARM)||Links to current ARM on Read The Docs|
|Binary packages||CentOS & Fedora packages from ISC, Ubuntu package from ISC||Debian -BIND9 ESV, Debian - BIND9 Stable, Debian - BIND9 Development version|
|Software version options||Supported operating systems||ISC’s Software Support Policy and Version Numbering|
|Features and versions||BIND 9 Significant Features Matrix||BIND 9 version history|
|Vulnerabilities||ISC Software Defect and Security Vulnerability Disclosure Policy||BIND 9 Security Vulnerability Matrix|
|Best practices||Authoritative Systems||Recursive Systems|
|US Government user information||Capability statement and other references||BIND 9 Security Technical Implementation Guidelines|
|Other||DNS tools and resources||History of BIND|