I have moved my DNS and DHCP servers to Docker, Docker-DNS Server. I am still using ISC_Bind9, but am now using ISC_Kea for DHCP as ISC_Bind is no longer supported as of 2022.

tl;dr;

An interesting older resource is BigDinosaur Blog Running BIND9 and ISC-DHCP. Unfortunately, no longer readily available, Kill-9 Ubuntu 16.04 based Router, Part 2 - DHCP does not seem to be saved on Wayback Machine Internet Archive, but Part 5 - DNS is. (As are Building an Ubuntu 16.04 Router Part 6: Remote Access, Building an Ubuntu 16.04 Router Part 7: Proxies and Caching & Building an Ubuntu 16.04 Router Part 8: Monitoring. It looks like parts 2 and 3 are missing only.)

Another reference is Lani's Weblog - Make your DHCP server dynamically update your DNS records on Ubuntu 12.04 (Precise Pangolin). Also dragon.org.uk DNS with bind9 and DHCP on Ubuntu 16.04.

• How To Configure BIND as a Private Network DNS Server on Debian 9
  
• Configure BIND Slave DNS Server on Debian 11
• Configure DHCP Failover with Dynamic DNS on CentOS 7
• Debian DHCP server failover
• Configure BIND Slave DNS Server on Debian 11 | Debian 10
• DNS for Rocket Scientists - This is a good general description

First install or ensure already installed the DNS server software: “sudo apt install bind9”

Next check the named.conf configuration file, “less /etc/bind/named.conf”. This can remain as default as below. However the configuration files noted there in will need to be set up. We will copy the existing files to default:

• sudo cp /etc/bind/named.conf.options /etc/bind/default.named.conf.options
• sudo cp /etc/bind/named.conf.local /etc/bind/default.named.conf.local
• sudo cp /etc/bind/named.conf.default-zones /etc/bind/default.named.conf.default-zones

There are a number of “names” that are used with bind9 dns.

• “bind9” is the DNS software is known as isc_bind9, and systemctl in some Linux refers to the service as bind9.service.
• “named” is the normal name of the isc-bind9 code that is call to start the application
• “rndc” is an application used to control a running bind9 instance, e.g. rndc reload to reload the configuration

sudo vim /etc/default/bind9 or sudo vim /etc/default/named, set following parameter: OPTIONS=“-u bind -4”

The /etc/bind/named.conf is not changed, and should look as below.

named.conf

// Default contents of /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Next modify the named.conf.options configuration file, sudo vim /etc/bind/named.conf.options, as noted below.

name.conf.options

options {
  directory "/var/cache/bind";
  auth-nxdomain no; # conform to RFC1035
  forwarders {
    9.9.9.9;
    1.1.1.1;
    1.0.0.1;
    //208.67.222.222;
    //208.67.220.220;
    };
  allow-query {
    192.168.1/24;
    127.0.0.1;
    };
  allow-transfer {
    192.168.1/24;
    127.0.0.1;
    };
	
    // listen-on-v6 { any; };
};

The forwarders section contains the DNS servers to be checked if this DNS does not have the record. I have been using OpenDNS to allow some free security screening, IP 208.67.222.222 and 208.67.220.220. I have stop using these. IP 9.9.9.9, Quadnine provides some protection bad web sites. Similar for 1.1.1.1 and 1.0.0.1. from Another common option is to use Google DNS at 8.8.8.8 and 8.8.4.4. I avoid using Google products as there is something unclean about free services that extra value by tracking you.

Next create a cryptographic key file using sudo /usr/sbin/rndc-confgen -a, note that this command can take quite some time to complete, a number of minutes. The command produces a key file /etc/bind/rndc.key.

rndc.key

key "rndc-key" {
  algorithm hmac-md5;
  secret "LBLC2Dg8v6hYNE/ecnd6Ag==";
};

Configure the DNS zones sudo vim /etc/bind/named.conf.local

named.conf.local

key "rndc-key" {
  algorithm hmac-md5;
  secret "LBLC2Dg8v6hYNE/ecnd6Ag==";
};

zone "kptree.net" {
  type master;
  file "/var/lib/bind/db.kptree.net";
  allow-update { key rndc-key; };
};

zone "168.192.in-addr.arpa" {
  type master;
  file "/var/lib/bind/db.168.192";
  allow-update { key rndc-key; };
};

Modify the forward lookup zone definition file sudo vim /var/lib/bind/db.kptree.net

db.kptree.net

; This line indicates that the object we're configuring below (in this case,
; kptree.net) has its origin at the "." domain.  "." is the root domain
; from which all the TLDs branch.
; Note the comment character is ; not the usual #
$ORIGIN .

; Next line defines the DNS time-to-live setting
$TTL 907200    ; 1 week 3 days 12 hours

; The next set of lines are the "Start of Authority" record and define
; important info about the domain. In my case, we're defining kptree.net
; that router.kptree.net is its source host, and webmaster@kptree.net
; and saying is the domain maintainer. For the e-mail address, we use a 
; dot instead of an @.
; The lines after that define the zone serial number, which is used to 
; keep track of when the zone file was modified, and then some interval 
; which you can leave as default.
kptree.net   IN SOA  router.kptree.net. root.kptree.net. (
        2019072101   ; serial
        10800        ; refresh (3 hours)
        3600         ; retry (1 hour)
        604800       ; expire (1 week)
        38400        ; minimum (10 hours 40 minutes)
        )
	
; Next, we define the hosts necessary to make the domain function. First, 
; we add an "NS Record" to define the domain's name server...
    NS  router.kptree.net.

; ...then an "A Record" for the domain server's IP address...
    A   192.168.1.12 ; This is the LAN address of the html server
                     ; that is hairpin NATed

; ...and finally "MX Records" so that e-mail for the domain's e-mail 
; addresses goes to the right place.
    MX  00 mail.kptree.net.
;
; NOTE THE TRAILING PERIODS. THEY ARE EXTREMELY IMPORTANT.
;
;
; Now we're ready to begin adding hosts, but first we need another origin
; statement to indicate that the hosts added below originate not from ".", 
; like the domain itself; rather, they originate from "kptree.net".
;
$ORIGIN kptree.net.
;
; Again, NOTE THE TRAILING PERIOD.
; Now we add A records for the non-DHCP hosts in the domain:
router        A   192.168.1.1
;switch       A   192.168.1.3  ; This manage switch was bricked a while ago.
kptreeserver  A   192.168.1.5
mediaserver   A   192.168.1.7
wiki          A   192.168.1.9
kpts          A   192.168.1.10
cloud         A   192.168.1.11
www           A   192.168.1.12  ; www is directed to the html server
wwwserver     A   192.168.1.12
;photo        A   192.168.1.16  ; photo is directed to the html server
;photoserver  A   192.168.1.17
mail          A   192.168.1.12  ; mail is directed to the html server
mailserver    A   192.168.1.18
; There seems to be no white space allowed before the name.

Note: To allow all LAN traffic to correctly flow to the html server and reverse proxy to sub-domain servers the DNS origin and all sub-domains must point to the main html server.

Define the reverse zone, sudo vim /var/lib/bind/db.168.192

db.168.192

# Again, we have an origin record and a TTL entry...
$ORIGIN .
$TTL 907200    ; 1 week 3 days 12 hours

; note the name of the reverse domain: "db.168.192". This
; is a special name format used only by reverse lookup domains.
168.192.in-addr.arpa  IN SOA  router.kptree.net. admin.kptree.net. (
                         2017072101      ; serial
                         10800           ; refresh (3 hours)
                         3600            ; retry (1 hour)
                         604800          ; expire (1 week)
                         38400           ; minimum (10 hours 40 minutes)
    )
                         NS  router.kptree.net.
;
; Just like above, we now set our origin away from "." to the actual domain
; name, which is "1.168.192.in-addr-arpa", and then we add records. However,
; this time, we're adding "PTR records", or pointer records.
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 259200    ; 3 days
    1       PTR router.kptree.net.
;   3       PTR switch.kptree.net.         ; This managed switch is bricked.
    5       PTR kptreeserver.kptree.net.
    10	    PTR kpts.kptree.net.
    12      PTR wwwserver.kptree.net.
    12      PTR www.kptree.net.
    12      PTR kptree.net.
;   17      PTR photoserver.kptree.net.    ; not used at the moment
;   12      PTR photo.kptree.net.
    18      PTR mailserver.kptree.net.
    12      PTR mail.kptree.net.

If and of the above files are changed the serial number should be incremented up before updating the the DNS service, “sudo systemctl restart bind9”. A common technique is to use the date followed by a small single or double digit number, e.g. 2017072101.

The configuration file can be tested with:

• sudo named-checkconf /etc/bind/named.conf

The zone files checked with:

• sudo named-checkzone 168.192.in-addr.arpa /var/lib/bind/db.168.192 for the reverse zone file.
  • It is important that the first input parameter 168.192.in-addr-arpa matches the reverse address used in the SOA address used. The subsequent origin statements can be for lower address ranges, e.g. $origin 1.168.192.in-addr.arpa..
  • Again note the following fullstop after the origin address.
• sudo named-checkzone kptree.net /var/lib/bind/db.kptree.net for the forward zone file.

If not using IPv6 bind may still look for IPv6 unnecessarily filling up log files. To prevent perform the following:

• sudo vim /etc/default/bind9
• add the -4 in the line: OPTIONS=“-u bind -4”
• Also ensure to comment out “listen-on-v6 { any; };” in the file sudo vim /etc/bind/named.conf.options

Almost all ways caused by manually editing the zone file, which causes it to become out of sync with the automatic DHCP update. Solution is to:

• Stop bind9 (sudo systemctl stop bind9)
• Delete the problem zone file ending ing .jnl. It can be found in the same directory as the zone files: (/var/lib/bind/)
• Then start bind9 (sudo systemctl start bind9)

Before performing a manual update on a zone file use rndc freeze before editing and rndc thaw after. See man rndc for information on his command.

Split horizon DNS or split DNS allows the DNS query to be treated differently depending upon the source of the query. It is is usually used for internal services that can not be reached off LAN.

I am not sure how split DNS addresses the use of SSL certificated domain names based upon external web address on local address hosts with outsome form of hairpin NAT or similar occurring. Think about it, the IP address on the local server does not match the domain certificate IP address.

hairpin_nat is used to allow services provided by hosts on the internal network to be reached externally via NAT also to be reached by internal clients behind a NAT. Split DNS is not a direct replacement of this functionality.

Some external resources:

• Wikipedia: Split-horizon DNS], [[https://en.wikipedia.org/wiki/Split_horizon_route_advertisement|Split horizon route advertisement
• How To Configure Split Horizon DNS in BIND
• BIND 9 Configure Views To Partition External and Internal DNS Information
• Dynamic DNS with split horizon DNS or hairpin NAT
• Why don't more organizations use inside-to-inside NAT or similar solutions to allow NAT hairpins?
• rfc1918 - Address Allocation for Private Internets

Update Root hints Data File for Bind Named Server

Download latest bind9 root file to /etc/bind/db.root: sudo wget –user=ftp –password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root

Reload rndc: sudo rndc reload

• zytrax.open DNS for Rocket Scientists
• ISC Org
  • Trust levels for RRsets in BIND cache, Root hints - a collection of operational and configuration FAQs,
  • Why is BIND re-priming the roots from hints more often than it should?,
  • BIND 9 Administrator Reference Manual,
  • What has changed in the behavior of "allow-recursion" and "allow-query-cache".
• How could one disable bind9's recursion and do forwarding only for DNS queries?
• How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04

This section is outdated, ISC DHCP was replaced by ISC Kea, and ISC DHCP is no longer formally supported as of 2022.

Outdated tl;dr;

dhcp.conf|

ddns-updates on;  
ddns-update-style interim;  
update-static-leases on;
authoritative;

key rndc-key { algorithm hmac-md5; secret LBLC2Dg8v6hYNE/ecnd6Ag==;}

allow unknown-clients;
use-host-decl-names on; 
default-lease-time 1814400; #21 days
max-lease-time 1814400; #21 days
log-facility local7;

# kptree DNS zones
zone kptree.net. {  
    primary localhost; # This server is the primary DNS server for the zone
    key rndc-key; # Use the key we defined earlier for dynamic updates
    }
zone 1.168.192.in-addr.arpa. {  
    primary localhost; # This server is the primary DNS server for the zone
    key rndc-key; # Use the key we defined earlier for dynamic updates
    }

# kptree LAN scope
subnet 192.168.1.0 netmask 255.255.255.0 {  
    range 192.168.1.100 192.168.1.200;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option domain-name "kptree.net";
    ddns-domainname "kptree.net.";
    ddns-rev-domainname "in-addr.arpa.";
}

# kptree.net groups
group {

    # Printer #1 Epson WF7725
    host printer1.kptree.net {
        hardware ethernet 9C:AE:D3:F0:C3:E7;
        fixed-address 192.168.1.4;
        ddns-hostname "printer1";
        }

    # Windows 10 Virtual Machine
    host vwin.kptree.net {
        hardware Ethernet 52:54:00:27:34:F4;
        fixed-address 192.168.1.30;
        ddns-hostname "vwin";
        }

   # Karl's iPhoneXS
    host karlPhone.kptree.net {
        hardware ethernet F0:99:B6:45:6C:F4;
        fixed-address 192.168.1.31;
        ddns-hostname "karl-phone";
        }

   # Karl's iPadMini4
    host karliPad.kptree.net {
        hardware ethernet 04:52:F3:1C:31:27;
        fixed-address 192.168.1.32;
        ddns-hostname "karl-ipad";
        }

  # Eka's iPhone12
    host Eka-iPhone12.kptree.net {
        hardware ethernet 44:90:BB:62:D2:2A;
        fixed-address 192.168.1.33;
        ddns-hostname "Eka-iPhone12";
        }

  # Karl's iPad air
    host karliPadair.kptree.net {
        hardware ethernet 34:31:8F:5F:16:A6;
        fixed-address 192.168.1.34;
        ddns-hostname "karl-ipadair";
        }

  # Karl's work
    host karl-ugl.kptree.net {
        hardware ethernet 5C:80:B6:A8:AE:1C;
        fixed-address 192.168.1.35;
        ddns-hostname "karl-ugl";
        }

    # Henry's iphone
    host henry.iphone.kptree.net {
        hardware ethernet 6c:4d:73:12:99:f1;
        fixed-address 192.168.1.36;
        ddns-hostname "henry-iphone";
        }

    # Willem's iphone
    host willem.iphone.kptree.net {
        hardware ethernet 64:c7:53:7b:01:2f;
        fixed-address 192.168.1.37;
        ddns-hostname "willem-iphone";
        }
		
    # KPTreeServer1 IPMI
    host kpts1-ipmi.kptree.net {
        hardware Ethernet 00:25:90:8B:D9:DB;
        fixed-address 192.168.1.40;
        ddns-hostname "kpts1-impi";
        }
		
    # Kptreeserver2 IPMI
    host kpts2-ipmi.kptree.net {
        hardware Ethernet 0C:C4:7A:F5:0E:F7;
        fixed-address 192.168.1.41;
        ddns-hostname "kpts2-impi";
        }
		
    # KPTreeRouter IPMI
    host kptr-ipmi.kptree.net {
        hardware Ethernet 00:C4:7A:9F:34:41;
        fixed-address 192.168.1.42;
        ddns-hostname "kptr-ipmi";
        }
				
    # APS Solar Energy Management Unit
    host aps-ema.kptree.net {
        hardware Ethernet 80:97:1B:00:36:BA;
        fixed-address 192.168.1.50;
        ddns-hostname "aps-ema";
        }
	
    # OpenSprinkler
    host sprinkler.kptree.net {
        hardware Ethernet 00:69:69:2D:31:00;
        fixed-address 192.168.1.51;
        ddns-hostname "sprinkler";
        }
   
    # Study Desktop - dt1
    host dt1.kptree.net {
        hardware ethernet 00:d8:61:34:dc:0e;
        fixed-address 192.168.1.71;
        ddns-hostname "dt1";
        }

    # Study Desktop - dt1-wifi
    host dt-wifi-1.kptree.net {
        hardware ethernet F4:D1:08:A6:96:72;
        fixed-address 192.168.1.72;
        ddns-hostname "dt-wifi-1";
        }
        
    # Erich Desktop - sdt25
    host edt25.kptree.net {
        hardware ethernet 00:8e:25:79:05:cc;
        fixed-address 192.168.1.73;
        ddns-hostname "sdt25";
        }
  
    # Henry's work
    host henry-desk.kptree.net {
        hardware ethernet 30:5A:3A:82:9D:35;
        fixed-address 192.168.1.74;
        ddns-hostname "henry-desk";
        }
    
    # Study Desktop - sdt1-wifi
    host sdt-wifi-1.kptree.net {
        hardware ethernet 8C:1D:96:94:AD:13;
        fixed-address 192.168.1.76;
        ddns-hostname "sdt-wifi-1";
        }

    # Study Desktop - sdt25
    host sdt25.kptree.net {
        hardware ethernet 1C:69:7A:D2:FD:91;
        fixed-address 192.168.1.77;
        ddns-hostname "sdt25";
        }

    # RPi 1
    host RPi1.kptree.net {
        hardware ethernet E4:5F:01:3B:55:6F;
        fixed-address 192.168.1.75;
        ddns-hostname "RPi1";
        }
 

    # WiFi Access Point #1
    host wifi-ap1.kptree.net {
        hardware Ethernet 80:37:73:EC:D3:1E;
        fixed-address 192.168.1.90;
        ddns-hostname "wifi-ap1";
        }
		
    # WiFi Access Point #2
    host wifi-ap2.kptree.net {
        hardware Ethernet C0:FF:D4:8B:24:FE;
        fixed-address 192.168.1.91;
        ddns-hostname "wifi-ap2";
        }

    }

The configuration file can be tested with: ''sudo dhcpd -t'' Restart the DHCP and DNS servers to update for latest configurations changes. DNS: ''sudo systemctl restart bind9'' and DHCP: ''sudo systemctl restart isc-dhcp-server''.\\ \\ To see active leases use command ''sudo dhcp-lease-list''.\\ ISC has stopped supporting ISC-DHCP client and relay versions as of 2022 and indicated that they plan to eventually stop support of server version. They seem to recommend migration to ISC-Kea, the ISC-DHCP replacement. ++++ ====isc-dhcp-server defaults file==== The default isc-dhcp-server configuration files is: ''sudo vim /etc/default/isc-dhcp-server''. Ensure the interface(s) that the DHCP server is to server requests upon is indicated, for example: *INTERFACESv4="br0" *INTERFACESv6="br0" ====isc-dhcp-server log file comments==== Unfortunately the log / journal for isc-dhcp-server contains the following comment for each system interface that is not assigned in ''/etc/default/isc-dhcp-server''. **//This is a warning, not an error!//** As such it can generally be ignored. ++++Example isc-dhcp-server warning

No subnet declaration for eno4 (no IPv4 addresses).
** Ignoring requests on eth1.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface eno4 is attached. **

ipv6 requires router advertisement to be functional to operate correctly. In Linux the radvd program performs this function and can be set up independently or with dhcp. The radvd daemon provides basic advertisement functionality, dhcp6 can give additional functionality.

• sudo apt install radvd
• sudo vim /etc/radvd.conf
  • radvd.conf

    interface br0 {
      AdvSendAdvert on;
      AdvLinkMTU 1440;
      MinRtrAdvInterval 60;
      MaxRtrAdvInterval 180;
      prefix 2001:470:1f2d:178::/64 {
        AdvOnLink on;
        AdvRouterAddr on;
        AdvPreferredLifetime 600;
        AdvValidLifetime 3600;
      };
    # route ::/0 {
    # };
      route 2001:470:1f2d:178::3/0 {
      };
    }; 

• sudo systemctl status radvd.service
  • /lib/systemd/system/radvd.service

    # It's not recommended to modify this file in-place, because it
    # will be overwritten during upgrades.  If you want to customize,
    # the best way is to use the "systemctl edit" command.
    
    [Unit]
    Description=Router advertisement daemon for IPv6
    Documentation=man:radvd(8)
    After=network.target
    ConditionPathExists=/etc/radvd.conf
    
    [Service]
    Type=forking
    ExecStartPre=/usr/sbin/radvd --logmethod stderr_clean --configtest
    ExecStart=/usr/sbin/radvd --logmethod stderr_clean
    ExecReload=/usr/sbin/radvd --logmethod stderr_clean --configtest
    ExecReload=/bin/kill -HUP $MAINPID
    PIDFile=/run/radvd.pid
    
    # Set the CPU scheduling policy to idle which is for running very low priority background jobs
    CPUSchedulingPolicy=idle
    
    # Allow for binding to low ports and doing raw network access
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE  CAP_NET_RAW
    
    # Set up a new file system namespace and mounts private /tmp and /var/tmp directories
    # so this service cannot access the global directories and other processes cannot
    # access this service's directories.
    PrivateTmp=yes
    
    # Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
    # such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
    # but no physical devices such as /dev/sda.
    PrivateDevices=yes
    
    # Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
    ProtectSystem=full
    
    # The directories /home, /root and /run/user are made inaccessible and empty for processes
    # invoked by this unit.
    ProtectHome=yes
    
    # Ensures that the service process and all its children can never gain new privileges
    NoNewPrivileges=yes
    
    [Install]
    WantedBy=multi-user.target 

The local name resolver can be seen in /etc/resolv.conf. Usually this can not be effectively directly edited as it is controlled by other parts of the system that will wrote over it.

• dig bing.com, this will provide the name resolution information for this site.
• dig @1.1.1.1 wiki.kptree.net will check name resolution @ the specified resolver. This can help determine name propagation.
• dig mail.kptree.net will return mail server information
• dig @9.9.9.9 mail.kptree.net will return mail server information @ the specified resolver

• host mail.kptree.net
• host kptree.net

• nslookup wiki.kptree.net
• nslookup -type=mx mail.kptree.net for mail server information
• nslookup -type=mx -debug mail.kptree.net more verbose

• echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 to query current SPKI pin for Quad9
  • This also seems to work for other DNS resolvers, 1.1.1.1 (Cloudflare), 8.8.8.8 (Google)

• Stackexchange.com:
  • how-to-use-dns-over-tls-with-bind9-forwarders
  • how-to-test-if-dns-over-tls-dot-with-bind9-forwarders-is-actually-working
  • Enable TLS on BIND9
• DNS over TLS: Encrypting DNS end-to-end
• Encrypted Recursive DNS with DNS over TLS, Unbound, and Cloudflare
• Privacy: Using DNS-over-TLS with the Quad9 DNS Service
• ICANN - DNSSEC – What Is It and Why Is It Important?
• QUAD9 FAQ
• How to Easily Set Up a DNS over TLS Resolver with Nginx on Ubuntu
• DNSSEC with BIND 9 A Beginner's Guide to DNSSEC with BIND 9
• Some online DNSSEC analysers:
  • VERISIGN DNSSEC Analyzer
  • dnsviz.net
• Bind9 read the docs:
  • DNSSEC
  • dnssec-guide
• DNS Privacy Project - DNS Privacy Clients Says Bind9 does not not natively support TLS.

• Enabling DNS for IPv6 infrastructure
• Simple DNS Plus
• Linux IPv6 HOWTO (en)