Cloud servers from $4/mo - Grab the Deal! Let’s start ->
English
Community
Sign In
Sign In

Port Forwarding in Linux with Iptables

Port Forwarding in Linux with Iptables
Hostman Team
Technical writer
Linux Network
09.04.2025
Reading time: 10 min
Share

Have you ever hosted a server (game or web) on your home computer and shared your IP address with friends, but no one could connect?

The issue lies in your router, which hides connected devices behind its own IP address. Everything within the router is a local network, while everything outside is a global network. However, there is no direct mediator between them, only a barrier preventing external connections.

The solution is port forwarding, a technology that directs external requests to an internal device and vice versa. In Linux operating systems, the iptables utility is used for this purpose, which will be the focus of this article.

The commands shown in this guide were executed on a Hostman cloud server running Ubuntu 22.04.

What Is Port Forwarding?

Port forwarding (also known as port mapping) redirects network traffic from one port to another, either through a router (hardware-level) or a firewall (software-level).

With port forwarding, devices within a local network become accessible from the global network. Without it, external requests cannot reach internal devices.

Common scenarios where port forwarding is needed:

  • Connecting to a home server (game server, surveillance cameras, data storage).
  • Hosting game servers or websites on a home PC.
  • Accessing a remote desktop.
  • Remote device management.

For example, if a server in a local network operates on port 8080, port forwarding allows it to be accessed from the global network through port 80.

Example Setup:

  1. A computer with IP 192.168.1.100 (internal/gray IP) runs a web server listening on port 8080.
  2. The computer is within a Wi-Fi router’s local network, which has an external IP 203.0.113.10 (public/white IP), listening on port 80.
  3. All global network requests to port 80 on the router are forwarded to port 8080 on the internal computer.

This setup allows us to redirect incoming traffic from the global network to the local network.

How Does Port Forwarding Work in Linux?

Linux has built-in tools for handling incoming and outgoing traffic. These tools act as a packet filtering and modification pipeline.

Port forwarding in Linux is based on NAT (Network Address Translation), configured using the iptables system utility.

What Is NAT?

NAT (Network Address Translation) is a technique that converts external requests from the global network into internal requests within the local network (and vice versa).

Technically, NAT modifies IP addresses and ports in data packets. It is not a standalone utility but a concept or approach.

There are two main types of NAT:

  • SNAT (Source NAT) – Modifies the source IP address in outgoing packets.
  • DNAT (Destination NAT) – Modifies the destination IP address in incoming packets.

While NAT protects the local network from external access, it requires port forwarding for incoming connections.

What Is Iptables and How Does It Work?

Iptables is a Linux utility used to configure NAT (and more) by modifying tables with rule chains that control traffic.

Iptables has five main rule chains:

  • INPUT – Handles incoming packets.
  • FORWARD – Handles forwarded packets.
  • OUTPUT – Handles outgoing packets.
  • PREROUTING – Handles packets before routing.
  • POSTROUTING – Handles packets after routing.

Iptables has five tables, each using specific rule chains:

  • filter – Allows or blocks packets (INPUT, FORWARD, OUTPUT).
  • nat – Modifies IP addresses and ports (OUTPUT, PREROUTING, POSTROUTING).
  • mangle – Alters packet headers (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING).
  • raw – Controls connection filtering (OUTPUT, PREROUTING).
  • security – Applies additional security policies (INPUT, FORWARD, OUTPUT).

The rule chains act as hooks in the packet processing pipeline, allowing iptables to implement port forwarding in Linux.

How Port Forwarding Works in Iptables

Port forwarding in iptables follows a standard packet processing flow based on three possible directions:

  • Incoming (INPUT) – Packets sent to the local system.
  • Outgoing (OUTPUT) – Packets sent from the local system.
  • Forwarded (FORWARD) – Packets routed through the system.

Incoming Packets (INPUT) Processing Order

  1. raw (PREROUTING) – Connection filtering.
  2. mangle (PREROUTING) – Packet modification.
  3. nat (PREROUTING) – Changes the destination address.
  4. If the packet is for this system, continue to INPUT processing. Otherwise, forward it.
  5. mangle (INPUT) – Final packet modification.
  6. filter (INPUT) – Packet filtering.
  7. security (INPUT) – Security policy enforcement.

Outgoing Packets (OUTPUT) Processing Order

  1. raw (OUTPUT) – Connection filtering.
  2. mangle (OUTPUT) – Packet modification.
  3. nat (OUTPUT) – Changes the destination address.
  4. filter (OUTPUT) – Final packet filtering.
  5. security (OUTPUT) – Security policy enforcement.
  6. mangle (POSTROUTING) – Final packet modification.
  7. nat (POSTROUTING) – Changes the source address.

Forwarded Packets (FORWARD) Processing Order

  1. raw (PREROUTING) – Connection filtering.
  2. mangle (PREROUTING) – Packet modification.
  3. nat (PREROUTING) – Changes the destination address.
  4. Forwarding decision is made.
  5. mangle (FORWARD) – Packet modification.
  6. filter (FORWARD) – Packet filtering.
  7. security (FORWARD) – Security policy enforcement.
  8. mangle (POSTROUTING) – Final packet modification.
  9. nat (POSTROUTING) – Changes the source address.

General Processing Order of Tables:

  1. raw
  2. mangle
  3. nat
  4. filter
  5. security

Types of Port Forwarding

Common types of port forwarding include:

  1. Local Forwarding – Redirects traffic within the same machine. Example: An application on a local server sends a request to a specific port.
  2. Interface Forwarding – Redirects traffic between different network interfaces. Example: A packet from the global network arrives on one interface and is forwarded to another.
  3. Remote Host Forwarding – Redirects traffic from a remote server to a local host. Example: A request from a remote server is forwarded to a local machine.

Each type of port forwarding is implemented using a specific set of rules in the iptables tables.

Using the Iptables Command

In most Linux distributions, the iptables utility is already installed. You can check this by querying its version:

iptables --version

If iptables is not installed, you need to install it manually. First, update the package list:

sudo apt update

Then, install it:

sudo apt install iptables -y

By default, Linux uses the ufw firewall, which automatically configures iptables. To avoid conflicts, you must stop the ufw service first:

sudo systemctl stop ufw

Then, disable it:

sudo systemctl disable ufw

Iptables Command Structure

The basic syntax of the iptables command is as follows:

iptables [TABLE] [COMMAND] [CHAIN] [NUMBER] [CONDITION] [ACTION]

In each specific command, only some of these parameters are used:

  • TABLE: The name of one of the five tables where the rule is added.
  • COMMAND: The operation to perform on a specific rule or chain.
  • CHAIN: The name of the chain where the operation is performed.
  • NUMBER: The rule number to manipulate.
  • CONDITION: The condition under which the rule applies.
  • ACTION: The transformation to be applied to the packet.

Selecting a Table

The -t flag specifies the table to operate within:

For filter:

iptables -t filter

For nat:

iptables -t nat

For mangle:

iptables -t mangle

For raw:

iptables -t raw

For security:

iptables -t security

If the -t flag is not specified, the default table is filter. The security table is rarely used.

Manipulating Rules

We can perform different operations on rules within each chain:

Add a rule to the end of a chain (-A):

iptables -A INPUT -s 192.168.123.132 -j DROP

This rule blocks incoming connections from the specified IP address.

Delete a rule by its number (-D):

iptables -D OUTPUT 7

Insert a rule at a specific position (-I):

iptables -I INPUT 5 -s 192.168.123.132 -j DROP

Replace a rule (-R):

iptables -R INPUT 5 -s 192.168.123.132 -j ACCEPT

This replaces a previously added blocking rule with an allow rule.

Flush all rules in a chain (-F):

iptables -F INPUT

Manipulating Chains

We can also perform operations on entire chains:

Create a new chain (-N):

iptables -N SOMENAME

Delete a chain (-X):

iptables -X SOMENAME

Rename a chain (-E):

iptables -E SOMENAME NEWNAME

Set default policy for a chain (-P):

iptables -P INPUT DROP

This blocks all incoming connections to the server.

Reset statistics for a chain (-Z):

iptables -Z INPUT

Setting Conditions

Each rule can have conditions for its execution:

Specify the protocol (-p):

iptables -A INPUT -p tcp -j ACCEPT

This allows incoming connections using the TCP protocol.

Specify the source address (-s):

iptables -A INPUT -s 192.168.123.132 -j DROP

Specify the destination address (-d):

iptables -A OUTPUT -d 192.168.123.132 -j DROP

Specify network interface for incoming traffic (-i):

iptables -A INPUT -i eth2 -j DROP

Specify network interface for outgoing traffic (-o):

iptables -A OUTPUT -o eth3 -j ACCEPT

Specify the destination port (--dport):

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Specify the source port (--sport):

iptables -A INPUT -p tcp --sport 1023 -j DROP

Negate a condition (!):

iptables -A INPUT ! -s 192.168.123.132 -j DROP

This blocks all incoming connections except from the specified IP address.

Specifying Actions

Each table supports different actions:

For the filter table:

  • ACCEPT – Allow the packet.
  • DROP – Block the packet.
  • REJECT – Block the packet and send a response.
  • LOG – Log packet information.
  • RETURN – Stop processing in the current chain.

For the nat table:

  • DNAT – Change the packet’s destination address.
  • SNAT – Change the packet’s source address.
  • MASQUERADE – Change the source address dynamically.
  • REDIRECT – Redirect traffic to the local machine.

Port Forwarding with Iptables

Local Port Forwarding

To redirect local traffic from one port to another:

sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80

To remove the rule:

sudo iptables -t nat -D PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80

Forwarding Between Interfaces

To forward port 8080 from interface eth0 to port 80 on eth1:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.100:80

Then, allow packet forwarding:

sudo iptables -A FORWARD -p tcp -d 10.0.0.100 --dport 80 -j ACCEPT

Forwarding to a Remote Host

To forward incoming packets to a remote server:

Enable packet forwarding in the system settings:

echo 1 > /proc/sys/net/ipv4/ip_forward

Add a port forwarding rule:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

Allow forwarded packets to be sent out:

sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.100 --dport 80 -j MASQUERADE

Alternatives to iptables for Port Forwarding

It should be noted that iptables is not the only tool for traffic management. There are several popular alternatives.

nftables

nftables is a more modern tool for managing traffic in Linux. Unlike iptables, it does not have predefined tables, and its syntax is more straightforward and concise.

Additionally, this utility uses a single command, nft, to manage all types of traffic: IPv4, IPv6, ARP, and Ethernet. In contrast, iptables requires additional commands such as ip6tables, arptables, and ebtables for these tasks.

firewalld

firewalld is a more complex traffic management tool in Linux, built around the concept of zones and services. This allows network resources to be assigned different levels of security.

The configuration of firewalld is broader and more flexible. For example, instead of manually defining rules for each port, we can specify specific services.

Additionally, firewalld provides a more interactive command-line interface, allowing real-time traffic management.

Conclusion

While there are alternatives, iptables remains the primary tool for traffic control in Linux. It provides a structured way to filter, modify, and forward packets, making it a powerful solution for managing network traffic.

Linux Network
09.04.2025
Reading time: 10 min
Share

Similar

Linux

How to Copy Files over SSH

The SSH (Secure Shell) protocol is a network protocol for remote command-line management of operating systems, widely considered the standard for remote access to *nix machines. It allows secure login to a server, remote command execution, file management (creating, deleting, copying, etc.), and more. Most cloud and hosting providers require SSH to access their services. In this article, we’ll look at how to copy files over SSH on both Windows and Linux systems. How SSH Works SSH can securely transmit any data (audio, video, application protocol data) through an encrypted communication channel. Unlike outdated and insecure protocols like Telnet and rlogin, SSH ensures data confidentiality and authenticity — essential for internet communications. Here’s how a secure connection between a client and server is established: TCP Connection Setup: By default, the server listens on port 22. Both sides share a list of supported algorithms (compression, encryption, key exchange) and agree on which to use. Authentication: To prevent impersonation, both parties verify each other's identities using asymmetric encryption (public/private key pairs). First, the server is authenticated. On the first connection, the client sees a warning with server details. Trusted server keys are stored in /home/<username>/.ssh/known_hosts. Key Generation: Once the server is verified, both sides generate a symmetric key to encrypt all data exchanged. User Authentication: This is done using either a password or a client-sent public key stored in /home/<username>/.ssh/authorized_keys on the server. The most popular implementation on Linux is OpenSSH, which comes pre-installed on most distributions (Ubuntu, Debian, RHEL-based, etc.). Clients like PuTTY or MobaXterm are used on Windows. Since Windows 10 and Server 2019, OpenSSH tools are also available natively. You can learn more about working with SSH in our tutorial. File Copying via SSH Two main utilities for copying files over SSH in Linux are scp and sftp. Both come with OpenSSH. SSH supports two protocol versions: 1 and 2. OpenSSH supports both, but version 1 is rarely used. Autocompletion Setup To enable Tab-based autocompletion when using scp, set up public key authentication: Generate a key pair: ssh-keygen You’ll see output like: Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): By default, your keys (id_rsa for private and id_rsa.pub for public) are saved to ~/.ssh/. Now copy the public key to the remote machine: ssh-copy-id [username]@[ip-address] After entering the user's password, you’ll see a message confirming the key was added. Secure Copy (SCP) For small data transfers (e.g., service configs), scp is best. Copy from local to remote: scp test.txt user@192.168.1.29:/home/user/ Copy multiple files: scp test1.txt test2.txt user@192.168.1.29:/home/user/ Copy from remote to local: scp user@192.168.1.29:/home/user/test.txt ~/ Copy directories: scp -r testdir user@192.168.1.29:/home/user/ Remote-to-remote copy: scp gendo@192.168.1.25:/home/gendo/test.txt user@192.168.1.29:/home/user/ Secure FTP (SFTP) SFTP is another utility included in OpenSSH. As of OpenSSH 9.0, scp now uses SFTP by default instead of the old SCP/RCP protocol. Unlike classic FTP, sftp transmits encrypted data over a secure tunnel. It does not require a separate FTP server. Example usage: sftp misato@192.168.1.29 sftp> ls sftp> lcd testdir/ sftp> get test.txt sftp> bye Graphical file managers like Midnight Commander and Nautilus use sftp. In Nautilus, the remote server appears like a local folder, e.g., user@ip. Copying Files Over SSH on Windows Use the pscp command-line tool from PuTTY to copy files on Windows. Copy to server: pscp C:\server\test.txt misato@192.168.1.29:/home/misato/ Copy from server: pscp misato@192.168.1.29:/home/misato/test.txt C:\file.txt List files on remote server: pscp -ls user@192.168.1.29:/home/misato Use quotes for paths with spaces: pscp "C:\dir\bad file name.txt" misato@192.168.1.29:/home/misato/ To get help, run: pscp Conclusion We’ve covered how to copy files to and from a server using the secure SSH protocol. If you work with cloud servers, understanding SSH is essential — it’s the standard method for remote access to *nix machines and a vital part of everyday DevOps and system administration.
14 April 2025 · 4 min to read
Linux

What is a Daemon in Computing?

The term daemon comes from a word in ancient Greek mythology that referred to an immaterial being influencing the human world. In computing, especially in UNIX-like operating systems, a daemon is a background process that runs without direct interaction from the user. It doesn’t depend on a terminal or user interface and typically starts with the system boot or under specific conditions. What is a Daemon The main function of a daemon is to provide specific services to other processes or users. For example, a daemon might listen on network ports waiting for connections, monitor system events and respond when certain conditions are met, manage scheduled jobs (like cron), send emails (sendmail), and more. In Windows, the closest equivalent to a daemon is a service. The difference lies mainly in how they're started, registered, managed, and configured within operating systems. However, their purpose is the same: to ensure continuous background operation of certain functions or services. Key Characteristics of a Daemon Runs in the background: Users typically don’t see the daemon’s interface; it doesn’t write to standard output (or redirect it to logs), nor does it request keyboard input. Autonomous: A daemon starts either at system boot when triggered by an init system (like systemd), or manually by a user (via scripts, cron, etc.). Long-lived: Ideally, a daemon runs indefinitely unless a critical error occurs or it receives an explicit stop signal. Isolated: Usually runs under a separate user/group account to minimize privileges, making services more secure and easier to manage. Logging: Instead of using standard input/output, daemons log information to log files or the system logger (journald, syslog, etc.), which is helpful for debugging and diagnostics. Daemons in Linux Historically, nearly all system background tasks in Linux are implemented as daemons. The OS includes dozens of them, each responsible for a specific function. Here are some examples: sshd (Secure Shell Daemon): Listens on port 22 (by default) and allows remote users to connect via encrypted SSH. Without sshd, remote terminal access is almost impossible. cron: A job scheduler daemon. It checks crontab entries and runs scripts or commands on a schedule, such as log cleanup, sending reports, system checks, etc. syslogd / rsyslog / journald: System logging daemons that collect messages from the kernel, utilities, other daemons, and apps, and save them in log files or the journal. NetworkManager or Wicd: Daemons that manage network settings — automating connections to wired/wireless networks, switching, configuring VPNs, and more. These daemons start at system boot and are registered with the system service manager (e.g., systemd). They run until the system is shut down or rebooted. Users interact with them indirectly — through config files, terminal commands (service, systemctl), or network requests (if the daemon provides HTTP/S, SSH, or another network interface). How to Create and Manage Daemons To implement a daemon, follow these steps: Forking the process: The parent process calls fork() and continues running the daemon code in the child process. Detach from controlling terminal (setsid): To avoid user interference (e.g., closing the terminal), the daemon calls setsid() to start a new session and become its leader. Close standard input/output descriptors: Since the daemon shouldn't write to the screen or wait for input, stdin, stdout, and stderr are closed or redirected to log files. Handle signals and logging: To support graceful shutdown or config reloads, the daemon must handle signals (SIGTERM, SIGHUP, etc.). Logging is usually done via syslog or files. Main loop:  After initialization, the daemon enters its main loop: waiting for events, handling them, and repeating until stopped. Let’s see how to create a daemon on Ubuntu 22.04 using a Hostman cloud server 1. Write the Daemon in C Create a file called mydaemon.c and insert the following code: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <syslog.h> int main() { // Open syslog openlog("mydaemon", LOG_PID, LOG_DAEMON); syslog(LOG_NOTICE, "Daemon started"); // Main infinite loop while (1) { // Your background tasks: monitoring, queue handling, etc. syslog(LOG_NOTICE, "Performing task..."); sleep(60); } // If we ever exit the loop syslog(LOG_NOTICE, "Daemon stopped"); closelog(); return 0; } 2. Compile the Program First, update your packages: sudo apt update && sudo apt upgrade Install the GCC compiler if not already installed: sudo apt install gcc Compile the daemon: gcc mydaemon.c -o mydaemon 3. Move the Executable Move the binary to /usr/local/bin/, a standard location for custom utilities: mv mydaemon /usr/local/bin/mydaemon 4. Create a systemd Service Create a unit file called mydaemon.service: sudo nano /etc/systemd/system/mydaemon.service Insert the following content: [Unit] Description=My Daemon After=network.target [Service] Type=simple ExecStart=/usr/local/bin/mydaemon Restart=on-failure [Install] WantedBy=multi-user.target Explanation of the fields: Description: Description shown in systemctl status. After=network.target: Ensures the daemon starts after the network is up. Type=simple: The daemon doesn’t fork, it runs as a single process. ExecStart: Path to the daemon executable. Restart=on-failure: Restart automatically if the daemon crashes. WantedBy=multi-user.target: Makes the service start in the standard multi-user environment. 5. Start and Monitor the Daemon sudo systemctl daemon-reload # Reload systemd configuration sudo systemctl start mydaemon # Start the daemon sudo systemctl status mydaemon # Check its status If everything works, the status will show active. To view logs: journalctl -u mydaemon.service -e Examples of Daemon Usage Web Servers Their job is to listen on a network port (usually 80 or 443), accept HTTP/HTTPS requests, generate a response (an HTML page, JSON data, etc.), and send the result back to the client. In most cases, a web server starts with the system and continues running until the server is shut down or a stop command is issued (e.g., systemctl stop nginx). Database Daemons MySQL/MariaDB, PostgreSQL, MongoDB — all of these are also daemons. They start with the system and continue running in the background, accepting requests from client applications or web services. These daemons typically log activity, support configuration via files, and are managed using special utilities (or systemd). Job Schedulers (cron, atd) The cron daemon checks the schedule table (crontab) and runs programs at the times or intervals specified by the user. This makes it possible to automate backups, system updates, health checks, and many other routine tasks. atd is a similar daemon but executes tasks only once at a specific time (unlike cron, which runs tasks on a regular schedule). Access and Control Services (sshd, xrdp) sshd (Secure Shell Daemon) provides remote access via the SSH protocol. xrdp enables remote desktop connections using the RDP protocol. It acts as a daemon that listens for network connections on a specified port. Init System Daemons (systemd, init, Upstart) In modern systems, the role of the "main daemon" is fulfilled by systemd (replacing the older SysV init system). systemd is the first process to start after the kernel and is responsible for launching and managing all other services and processes. It starts them in parallel and handles their dependencies. Simply put, systemd is itself a daemon that “orchestrates” all others in the system. Advantages and Disadvantages of Daemons Advantages: Automation: Daemons enable system behavior to be automated — from responding to network requests to scheduling tasks — without user intervention. Isolation: Running under separate user/group accounts and detaching from terminals enhances security by limiting potential damage in case of compromise. Continuous Operation: A daemon can keep servicing requests (like a web server) without interruption even if the user logs out or the console is closed. Manageability: Linux provides system tools (e.g., systemd, init scripts) to centrally manage all daemons: starting, stopping, restarting, and logging. Disadvantages: Debugging Complexity: Since daemons run in the background and don’t output to the console, debugging requires thorough logging and more complex setups (debug flags, tracing, etc.). Security Risks: If a daemon runs with elevated privileges (e.g., as root), any vulnerability can potentially compromise the entire system. It's best to run daemons under limited accounts. Dependency Management: Some daemons may fail if, for example, they need network access before the network is up. Modern init systems solve this, but with classic SysV init scripts, this used to be a common issue. Increased Resource Usage: Any constantly running background process consumes system resources (memory, CPU time). If there are too many daemons, this can impact performance, especially on systems with limited resources. Conclusion Daemons are central to Linux operating systems' architecture, offering vast automation and background services capabilities. They allow administrators to flexibly configure network operations, scheduled tasks, logging, security systems, and many other components. Writing your own daemon requires understanding processes, signals, system calls, and careful attention to logging and security. Modern init systems (especially systemd) have simplified daemon management and service logic, making the creation of custom services more structured and flexible. However, it remains a complex field that demands careful design, debugging, and ongoing maintenance.
11 April 2025 · 8 min to read
Linux

Setting Up a DNS Server

A personal DNS server can be useful if your provider doesn't offer this service or if existing solutions don't suit your needs. The easiest way to set one up is via a control panel (cPanel, CloudPanel, HestiaCP, etc), but you can also do it manually using the terminal and the Linux DNS Server BIND 9. Preparing the Server Let's say you've rented a Hostman Linux VPS and want to use your own DNS servers. To do that, you need to meet two conditions: Order another public IP address — DNS setup requires at least two IPs. Open DNS port 53, which is necessary for the nameserver to work. Ubuntu/Debian Update the package list: apt update Allow incoming packets on port 53 UDP in the firewall: iptables -I INPUT -p udp --dport 53 -j ACCEPT Save the firewall rules: iptables-save CentOS Install system updates: yum update Install time synchronization utility: yum install chrony Set your timezone, for example: timedatectl set-timezone Europe/Cyprus Enable and start the time synchronization service: systemctl enable chronyd --now Open port 53: firewall-cmd --permanent --add-port=53/udp Apply the updated firewall rules: firewall-cmd --reload Installing the DNS Server This guide uses BIND 9 to create an IP-based DNS server. Ubuntu/Debian Install required packages: apt-get install bind9 dnsutils Enable autostart: systemctl enable bind9 Start the service: systemctl start bind9 Check if it's running: systemctl status bind9 Look for active status in the output. CentOS Install the DNS utility: yum install bind Enable autostart: systemctl enable named Start the service: systemctl start named Check its status: systemctl status named You should see active in the output. Basic DNS Server Configuration The settings are defined in the configuration file. Ubuntu/Debian Open the config file: vi /etc/bind/named.conf.options In the listen-on block, specify the networks, e.g.: listen-on { 10.10.10.0/24; 10.1.0.0/16; }; To allow the DNS server to listen on all interfaces, either omit this line or use any. In the allow-query line, specify who can make queries: allow-query { any; }; Restart the service for changes to take effect: systemctl restart bind9 CentOS Open the config file: vi /etc/named.conf Find these lines: listen-on port 53 { 127.0.0.1; localhost; 192.172.160.14; }; ... allow-query { any; }; In the listen-on line, after localhost, specify the DNS IP address. This is the IP on which the host will accept queries. Use any to listen on all addresses. In the allow-query line, define query permissions. any allows queries from everyone. You can also restrict it to a specific subnet, e.g., 192.172.160.0/24. Apply the config: systemctl restart named Global Options Besides the basics, you can fine-tune the server using other global parameters: Argument What It Configures directory Working directory (default is /var/named if not specified) forwarders IPs to forward unresolved queries to (e.g., Google's DNS) forwarders { 8.8.8.8; 8.8.4.4; }; forward Options: FIRST or ONLY. FIRST tries forwarders first, then internal. ONLY skips internal search. listen-on Interfaces that BIND listens on (usually port 53 UDP) allow-transfer Hosts allowed for zone transfers allow-query Who is allowed to send DNS queries allow-notify Hosts allowed to receive zone change notifications allow-recursion Hosts that can make recursive queries. Default is unrestricted. Testing To check if the DNS server accepts queries from clients, use the nslookup utility. From another computer: nslookup site-example.com 192.172.160.14 This checks the IP address of site-example.com using DNS server 192.172.160.14. Alternatively, use dig: dig @192.172.160.14 site-example.com It works similarly, just a different syntax. BIND Zones Basic DNS server setup is complete. Now, let’s talk about usage. For that, you configure zones: Primary zone – You create and edit domain records directly on this host. Secondary zone – This host pulls data from a primary DNS server. Stub zone – Stores only NS records used for redirection. Caching-only zone – Doesn’t store records; only caches query results for performance. Zone management is handled in the config file and is a larger topic. Creating your own zone lets you assign friendly names to each host, which is helpful when dealing with many nodes instead of using IPs.
10 April 2025 · 4 min to read

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start.
Email us
Hostman's Support