Install and configure BIND DNS Server in Windows 7

Power up your Web Developer environment installing Bind 9 DNS Server. Specially it will delight you if you are using VirtualBox or Vagrant to run your Back-end stack, but your browser still is in the Host OS, in this case Windows (More about this in the next blog post)

These are the main benefits you will get:

• You want to have a domain *.dev or *.l being resolved to your localhost or IP of your Virtual Machine.
• It allows you to run complex forwarding rules, including port forwarding. Forget the limitations of the Windows hosts file.
• Bind acts also as local DNS Cache: maximum performance when browsing. (*)
• With the Bind installation you will get all those yummy linux network tools: dig, nslook, nsupdate, etc in your Windows Command shell.

The caveat it's that Bind it's not that easy to configure. That's the reason I created this tutorial:
Let's go:

1. Download BIND (latest release now is 9.9.1-P3)

2. Let's start with the Installation:

In the installer window, leave the default name "named" and password.

3. In System Properties => Environment Variables, find the variable PATH and append the string ;%SYSTEMROOT%\SysWOW64\dns\bin; (in case of Windows 64 bits) or;%SYSTEMROOT%\system32\dns\bin; for Windows 32 bits.

4. Search for the DOS prompt cmd.exe and important!, right click and "Start as administrator". Now browse to:
C:\Windows\SysWOW64\dns\etc
or in Windows 32 bits:
C:\Windows\system32\dns\etc

5.. By default the dns\etc folder is empty. Not for long. Execute the command:

rndc-confgen -a

This will create a file rndc.key.

In some tutorials you will see a extra step to create a rndc.conf file. That is not needed. If you do it. you will end up probably with messages like this when trying to "rndc reload":
WARNING: key file (rndc.key) exists, but using default configuration file (rndc.conf) (See)

Also you don't need to create a resolv.conf file, since Bind will look in the registry for the required nameserver information.

7. BIND Configuration files:

Let's configure Bind. It's better to run notepad commands directly from the already opened "Admin" shell, so you won't have Access denied problems later when saving the file.

notepad named.conf

Copy/paste this configuration:

options {        
  directory "c:\windows\SysWOW64\dns\etc";
  allow-transfer { none; };
};

logging{
  channel my_log{
    file "named.log" versions 3 size 2m;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default{
    my_log;
  };
};

At the beginning, is useful a verbose log with severity: info. Later when you get the DNS server working, change it to severity: warning.
All the options for the logging are explained here.

There is no controls statement, so the default configuration will be Bind running on127.0.0.1 port 953.
If you are curious, the full list of statements that can be used (with default values in bold).

Use that IP in your DNS configuration of your Internet Connection, and you will start using Bind to resolve DNS lookups.

8. Search for "Services" in the Windows Start Menu and find in the list ISC BIND and start it.

If for some reason it's not working and you are trying different BIND configurations, check the named.log file for hints.

Each time you change the configuration you will need to follow these 2 steps, in this order:

ipconfig /flushdns
rndc reload

Or you can reload the BIND Service from the GUI too. See the screenshot:

That's all.
You should be able to surf the web normally and you could disable the Windows built-in DNS Cache Client (in the Services).

---

The purpose of this first part is to have a minimalistic configuration to get BIND running with logging so it's easier to debug if you run into problems.

But with this configuration, you are letting Bind to resolve the DNS using its built-in list of root name servers, a quite slow process. DNS Lookups can take as much as 3 seconds.

You can tell to Bind to forward the requests to a faster DNS services, like Google's 8.8.8.8

Change the options of your named.conf to add the "forwarders" line:

options {        
  directory "c:\windows\SysWOW64\dns\etc";  
  forwarders {8.8.8.8; 8.8.4.4;};
  allow-transfer { none; };
};

Restart the ISC BIND Service. Now the DNS lookups are taking in my case about 22ms-40ms

If you want to optimize your DNS configuration, run some Benchmark with any of these tools: GRC DNS Benchmarking or NameBench. Here are some screenshots from Helsinki, a Welho Cable connection:

Let's explore more advanced configuration and options in the next blog post. I will post it in Twitter or by RSS.

---

Extra: Tips for debugging DNS issues and more

Hint: Almost every DNS problem I had configuring BIND and testing were because a DNS Cache in my way:

Query logs

This useful command will make that all DNS lookups are logged in the named.logfile. If you reload the service, it will stop.

rndc querylog

About the internal Windows DNS Cache

You can locate this Service by the name "DNS Client". Related commands:

• To inspect the Windows DNS Cache: ipconfig /displaydns.
• To clear the Windows DNS Cache: ipconfig /flushdns.
Tip: Create a shortcut in the Desktop with the value"C:\Windows\System32\ipconfig.exe /flushdns"

What's the benefit of Bind as your DNS Cache, instead of Windows DNS Local Cache?
I don't think there are any performance benefits, and both caches are non-persistent, in the way that rebooting the computer will clear the DNS Caches.
But one adventage of using Bind, it's that you can disable then the Windows DNS Cache and protect against some DNS Poisioning attacks due of malicious software manipulating the Windows DNS cache.

Talking about security, preparing this post I've seen multiple articles article about blacklisting DNS domains using some huge hosts files. (Those can be converted to Bind zone files). I don't use them, but it's nice to know that exists.

Dig and nslookup own DNS Cache

The dig and nslookup commands are quite independent from Windows. These commands use their own DNS Cache, and they bypass the Windows DNS Cache.
For example. If Windows DNS Cache has already cached drupal.org (see with command ipconfig /displaydns), and you stop the DNS Cache Service, then dig drupal.org will not work. In the other hand, ping drupal.org will work, because ping will consult the Windows DNS Cache before hitting the DNS Server.

About your browser DNS Cache

When debugging issues about DNS, remember that your browser also stores internally the DNS lookups.
Normally a CTRL + F5 should be enough to clear.
This (one year old) chart shows you specific times:

Source: http://dyn.com/web-browser-dns-caching-bad-thing/.

About Fiddler

If you use fantastic tool Fiddler, be aware that has its own DNS Cache that will interfere with your tests. Look my Stackoverflow question, where Eric answered. After following that advice, it's the most reliable tool I've found to inspect DNS lookups.

About Firebug

I wouldn't rely on the DNS Lookup Time of the Network tab. Always is 0 ms, even when it takes several seconds for the DNS request.

About Navigation Timing API

Todo: Test accuracy of Navigation Timing API. I will update soon.

Extra: Resources.

The single best guide for BIND I found is the book Pro DNS and BIND, available for free, who has also installation guides for every OS, including Windows 7.

Ref1: