Ubuntu - Bind - Configure Bind9 - Secondary Nameserver

A Secondary Server is highly recommended in order to maintain the availability of the domain should the Primary become unavailable.

IMPORTANT: On the Primary server, the zone transfer needs to be allowed.

Add the allow-transfer option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local:

/etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
};
 
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
};

NOTE: Replace 192.168.1.11 with the IP Address of your Secondary nameserver.

Restart BIND9 on the Primary server:

sudo systemctl restart bind9.service

Configure Bind9

On the Secondary server, edit /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:

/etc/bind/named.conf.local
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
    type slave;
    file "db.192";
    masters { 192.168.1.10; };
};

NOTE: Replace 192.168.1.10 with the IP Address of your Primary nameserver.

Restart BIND9 on the Secondary server:

sudo systemctl restart bind9.service

NOTE: In /var/log/syslog you should see something similar to the following:

client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53: connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)

client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 8 records, 225 bytes, 0.002 secs (112500 bytes/sec)

NOTE: A zone is only transferred if the Serial Number in the Primary's SOA record is newer than the one the Secondary currently holds, so remember to increment the serial whenever you edit a zone file on the Primary.
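As an added example (not part of the Ubuntu guide or of BIND itself), the following Python script reads syslog lines of the shape shown above and does two things a defender wants from these logs: it flags any NOTIFY or completed transfer that did not come from the configured Primary, and it compares serials with the RFC 1982 wrap-around arithmetic that BIND uses when deciding whether the Primary's serial is newer. The log lines are constructed to mirror the excerpt above (the 192.168.1.99 host and its refused NOTIFY are invented), and EXPECTED_PRIMARY is an assumption taken from the example addresses.

```python
import re
from typing import Dict, List, Optional

# Assumption: the Primary's address from the example above; adjust for your network.
EXPECTED_PRIMARY = "192.168.1.10"

# Constructed sample modelled on the syslog excerpt above (not a real capture).
# The last two lines are a constructed NOTIFY from a host that is not the Primary.
SAMPLE_LOG = """\
client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.10#53: connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 8 records, 225 bytes, 0.002 secs (112500 bytes/sec)
client 192.168.1.99#41000: received notify for zone 'example.com'
zone example.com/IN: refused notify from non-master: 192.168.1.99#41000
"""

NOTIFY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: received notify for zone '(?P<zone>[^']+)'")
SERIAL_RE = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")
DONE_RE = re.compile(r"transfer of '(?P<zone>[^']+)/IN' from (?P<src>[\d.]+)#\d+: Transfer completed")


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: 32-bit serials wrap, so 1 is newer than 4294967295.
    A difference of exactly 2**31 is undefined by the RFC and is treated as not newer."""
    delta = (candidate - current) % (1 << 32)
    return 0 < delta < (1 << 31)


def parse_transfers(log_text: str) -> List[Dict[str, object]]:
    """Pair each 'transferred serial' line with the 'Transfer completed' line that follows."""
    serials: Dict[str, int] = {}
    transfers: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            serials[m["zone"]] = int(m["serial"])
            continue
        m = DONE_RE.search(line)
        if m:
            transfers.append({"zone": m["zone"], "source": m["src"],
                              "serial": serials.get(m["zone"])})
    return transfers


def audit(log_text: str, expected_primary: str,
          known_serials: Optional[Dict[str, int]] = None) -> List[str]:
    """Report NOTIFYs and transfers from unexpected hosts, and serials that did not advance."""
    findings: List[str] = []
    known = dict(known_serials or {})  # serial the Secondary held before these transfers
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m and m["src"] != expected_primary:
            findings.append(f"NOTIFY for {m['zone']} from unexpected host {m['src']}")
    for t in parse_transfers(log_text):
        if t["source"] != expected_primary:
            findings.append(f"zone {t['zone']} transferred from unexpected host {t['source']}")
        prev = known.get(t["zone"])
        if prev is not None and t["serial"] is not None and not serial_is_newer(t["serial"], prev):
            findings.append(f"zone {t['zone']}: transferred serial {t['serial']} is not newer than {prev}")
        if t["serial"] is not None:
            known[t["zone"]] = t["serial"]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, EXPECTED_PRIMARY):
        print(finding)
```

Run it on the constructed sample and the only finding is the NOTIFY from 192.168.1.99; pass known_serials={"example.com": 7} and the serial-5 transfer is flagged as a regression. On a real Secondary, feed it the relevant lines from /var/log/syslog (or journalctl -u named) and the Primary's real address.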

If you want your Primary DNS server to notify other Secondary DNS servers of zone changes, add also-notify { ipaddress; }; to the zone definitions in /etc/bind/named.conf.local as shown in the example below:

/etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};
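Because allow-transfer is the control that keeps the whole zone from being fetched by arbitrary hosts (historically BIND 9 allowed transfers to any host when the option was omitted), it is worth checking the Primary's configuration rather than trusting that it was edited correctly. The following Python audit is an added example, not part of the Ubuntu guide or of BIND: it parses the zone statements in a named.conf.local, reports primary zones with no allow-transfer or with allow-transfer { any; }, hosts permitted that are not your known Secondaries, and also-notify hosts that are missing from allow-transfer (their refresh after the NOTIFY would be refused). WEAK_CONF is a constructed weak configuration; HARDENED_CONF is the Primary's configuration exactly as shown above; the set of expected Secondaries is an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed weak configuration (not from the page): one zone omits allow-transfer
# entirely and the other opens it to everyone.
WEAK_CONF = """\
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { any; };
};
"""

# The Primary's zone definitions as shown above, with also-notify added.
HARDENED_CONF = """\
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.11; };
    also-notify { 192.168.1.11; };
};
"""

ZONE_START = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")
LIST_RE = re.compile(r"\b(allow-transfer|also-notify|masters|primaries)\s*\{([^}]*)\}\s*;")


def zone_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (zone name, body) for each zone statement, matching braces by depth."""
    blocks: List[Tuple[str, str]] = []
    for m in ZONE_START.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1), text[m.end():i - 1]))
    return blocks


def parse_zone(body: str) -> Dict[str, object]:
    """Extract the zone type and the address lists this audit cares about."""
    opts: Dict[str, object] = {}
    m = TYPE_RE.search(body)
    opts["type"] = m.group(1) if m else None
    for option, items in LIST_RE.findall(body):
        opts[option] = {x.strip() for x in items.split(";") if x.strip()}
    return opts


def audit_named_conf(text: str, secondaries: Set[str]) -> List[str]:
    """Flag primary zones whose transfer policy is missing, open, or inconsistent."""
    findings: List[str] = []
    for name, body in zone_blocks(text):
        z = parse_zone(body)
        if z["type"] not in ("master", "primary"):
            continue  # secondary zones do not serve transfers in this setup
        xfer = z.get("allow-transfer")
        notify = z.get("also-notify") or set()
        if xfer is None:
            findings.append(f"{name}: no allow-transfer (historically BIND then allowed AXFR to any host)")
            continue
        if "any" in xfer:
            findings.append(f"{name}: allow-transfer {{ any; }} lets any host fetch the whole zone")
            continue
        for host in sorted(xfer - secondaries):
            findings.append(f"{name}: allow-transfer permits unexpected host {host}")
        for host in sorted(notify - xfer):
            findings.append(f"{name}: also-notify host {host} is not in allow-transfer, so its refresh will be refused")
    return findings


if __name__ == "__main__":
    # Assumption: 192.168.1.11 is the only Secondary, as in the example above.
    for conf_name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(conf_name, audit_named_conf(conf, {"192.168.1.11"}) or "no findings")
```

Point it at a real file with open("/etc/bind/named.conf.local").read() and your own Secondary addresses; an empty result for every primary zone is what you want before restarting bind9, and named-checkconf remains the syntax check that runs before this policy check.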

NOTE: The default directory for non-authoritative zone files is /var/cache/bind/.

This directory is also configured in AppArmor to allow the named daemon to write to it.