Sign In
Sign In

Setting Up a BIND DNS Server

Setting Up a BIND DNS Server
Hostman Team
Technical writer
Ubuntu
19.07.2024
Reading time: 14 min

The DNS (Domain Name System) is a system where all domain names of servers are organized in a specific hierarchy. Why do we need it? Imagine needing to connect to a device with the IP address 91.206.179.207. You could enter this address in the command line to get the information you need, but remembering many such numeric combinations is very difficult. Therefore, special servers were created to convert domain names into IP addresses. So, for example, when you enter hostman.com in your browser’s search bar, the request data is sent to a DNS server, which looks for matches in its database. The DNS server then sends the necessary IP address to your device, and only then does the browser directly access the resource.

Configuring your own DNS allows for more flexible and precise system configuration and avoids reliance on third parties. In this article, we will look at how to set up DNS using the BIND nameserver on Ubuntu.

Terms

  • Zone: A part of the DNS hierarchy hosted on a DNS server. It establishes the boundaries within which a specific server or group of servers is responsible.

  • Root Servers: DNS servers containing information about top-level domains (.ru, .com, etc.).

  • Domain: A named part of the DNS hierarchy, a specific node that includes other nodes. DNS addresses are read from right to left and start with a dot, with domains also separated by dots. For example, the domain poddomen.domen.ru should be read as .ru.domen.poddomen. Usually, the domain name reflects the DNS hierarchy structure, but the final dot is omitted.

  • FQDN (Fully Qualified Domain Name): A full domain name including the names of all parent domains.

  • Resource Record: A unit of information storage, essentially a record that links a name to some service information. It consists of:

    • Name (NAME): The name or IP address that owns the zone.

    • Time to Live (TTL): The duration a record is stored in the DNS cache before being deleted.

    • Class (CLASS): Network type, usually IN (Internet).

    • Type (TYPE): The record's purpose.

    • Various Information (DATA): Additional details.

Common Resource Records

  • A: Maps a hostname to an IPv4 address. Each network interface can have only one A record.
website.com.              520    IN     A      91.206.179.207
  • AAAA: The same as an A record, but for IPv6.
  • CNAME: Canonical name record, an alias for a real name for redirection.

  • MX: Specifies mail hosts for the domain. The NAME field contains the destination domain, and the DATA field contains the priority and host for receiving mail.
website.com.             17790   IN      MX      10 mx.website.com.
website.com.             17790   IN      MX      20 mx2.website.com.
  • NS: Points to the DNS server servicing the domain.

  • PTR: IP address to domain name mapping, needed for reverse name resolution.

  • SOA: Describes the main zone settings.

  • SRV: Contains addresses of servers providing internal domain services, such as Jabber.

Requirements

To follow the instructions in this article, you need at least two Ubuntu cloud servers in the same data center. Any of these servers can be ordered from Hostman. 

We will need two Ubuntu 20.04 servers, used as the primary and secondary DNS servers, ns1 and ns2, respectively. Additionally, there will be extra servers using our configured servers.

You must have superuser privileges on each server.

Installing BIND on DNS Servers

We will use bind9 as the DNS server. Install the bind9 package from the Linux repository:

sudo apt update && sudo apt upgrade -y
sudo apt install bind9

Additionally, it is recommended to install network monitoring tools:

sudo apt install dnsutils

After installation, start the bind9 service:

sudo service bind9 start

The main configuration file of the server is /etc/bind/named.conf. It describes the general settings and is usually split into several others for convenience. DNS setup begins by working with the parameters inside this file.

named.conf.options

This file contains the general server parameters. We will specify the DNS configuration data in it.

options {
        dnssec-validation auto;
        auth-nxdomain no;
        directory "/var/cache/bind";
        recursion no; # disallow recursive queries to the nameserver

        listen-on {
                     172.16.0.0/16; 
                     127.0.0.0/8;    
        };

        forwarders { 
            172.16.0.1;
            8.8.8.8;  
        };
};

To verify that everything is entered correctly, use one of the named daemon utilities, named-checkconf.

sudo named-checkconf

If everything is correct, the bind server starts working.

Primary DNS Server

The primary DNS server stores the main copy of the zone data file. All zones will be stored in the /etc/bind/master-zones directory of the primary DNS server. Create the directory:

sudo mkdir /etc/bind/master-zones

Create a file to describe the zone:

sudo touch /etc/bind/master-zones/test.example.com.local.zone

And add SOA, NS, and A records to it:

$ttl 3600 
$ORIGIN test.example.com. 
test.example.com.               IN              SOA  (      
ns.test.example.com.    
abuse.test.example.com.  
                                2022041201 
                                10800 
                                1200 
                                604800 
                                3600   ) 

@                               IN              NS              ns.test.example.com. 
@                               IN              NS              ns2.test.example.com.

@                               IN              A                172.16.101.3 
ns                              IN               A                172.16.0.5 
ns2                             IN              A                172.16.0.6

Next, run the check with the utility named-checkzone.

sudo named-checkzone test.example.com. /etc/bind/master-zones/test.example.com.local.zone

named.conf.local

This is another file included in the server's main configuration. We will specify local zones in it:

zone "test.example.com." {
                type master;
                file "/etc/bind/master-zones/test.example.com.local.zone";
};

After entering the necessary data, check the config and restart bind9 (the -z flag checks zone files):

sudo named-checkconf
sudo named-checkconf -z
sudo service bind9 restart
sudo service bind9 status

Setting Up Views

Views allow flexible management of name resolution from different subnets. Specify in the /etc/bind/named.conf file:

include "/etc/bind/named.conf.options";

acl "local" { 172.16.0.0/16; };
view "local" {
                include "/etc/bind/named.conf.local";
                match-clients { local; };
};

In the same file, you can specify directives for indicating which nodes and network addresses to accept or reject requests from. Then, restart bind9:

sudo service bind9 restart

After the server restarts, you can request the SOA record for the server 172.16.0.5 from another computer on the local network:

dig @172.16.0.5 -t SOA test.example.com

At this stage, the primary DNS server setup is complete. The next sections cover the secondary server, mail server setup, and reverse zone configuration.

Secondary Server

The initial steps are the same as for the primary server — installing bind9 and network utilities:

sudo apt update && sudo apt upgrade -y
sudo apt install bind9
sudo apt install dnsutils
sudo service bind9 start

Next, to store zone files, create the /etc/bind/slave directory and grant the necessary permissions:

sudo mkdir /etc/bind/slave
sudo chmod g+w /etc/bind/slave

Proceed to configure the zone on the secondary server. Add the zone to the /etc/bind/named.conf.local file:

zone "test.example.com." {
        type slave;
        file "/etc/bind/slave/test.example.com.local.zone";
        masters { 172.16.0.5; };
};

And set up views in the main configuration file named.conf:

include "/etc/bind/named.conf.options";
acl "local" { 172.16.0.0/16; };
view "local" {
        match-clients { local; };
        include "/etc/bind/named.conf.local";
};

After adding the settings, check the syntax, and then restart bind9:

sudo named-checkconf
sudo named-checkconf -z
sudo service bind9 restart

If there are no errors, perform the zone transfer:

sudo rndc retransfer test.example.com

The rndc retransfer command allows for a zone transfer without checking serial numbers. Briefly, the primary (ns1) and secondary (ns2) DNS servers work as follows: ns2 only checks the serial number of the zone and ignores the content of the entire zone file. If the serial number decreases, the zone transfer will be stopped. Therefore, it is crucial to increment the serial number every time you edit the zone. It is recommended to use the current date and an incremental number as the serial number.

Once you have set up the server and performed the zone transfer, you need to restrict the transfer to the secondary server’s IP address in the named.conf configuration on the primary server. To do this, add the allow-transfer directive with the IP address of the secondary DNS server in named.conf:

zone "test.example.com." {
    type master;
    allow-transfer { 172.168.0.6; };
    file "/etc/bind/master-zones/test.example.com.local.zone";
};

Then restart the server:

sudo service bind9 restart

After this step, all further operations will be performed on the primary server.

Adding an MX Record

In this example, we use mx as the hostname since it is a commonly accepted designation. Therefore, the FQDN (Fully Qualified Domain Name) will be mx.test.example.com.

To add an MX record:

1) Add the mail resource records to the zone file located at /etc/bind/master-zones/test.example.com.local.zone.

; Add the MX records to the zone file
@   IN  MX  10 mx.test.example.com.
@   IN  MX  20 mx2.test.example.com.

This adds two MX records with different priorities for the domain test.example.com.

2)  Update the serial number in the SOA (Start of Authority) record to reflect the changes.

$TTL 3600
@   IN  SOA ns.test.example.com. admin.test.example.com. (
        2024071101  ; Serial number
        10800       ; Refresh
        1200        ; Retry
        604800      ; Expire
        3600        ; Minimum TTL
)

3) Verify the zone file syntax with the following command:

sudo named-checkzone test.example.com. /etc/bind/master-zones/test.example.com.local.zone

This command checks the syntax of the zone file to ensure there are no errors.

4) Apply the changes by reloading BIND:

sudo service bind9 reload

This command reloads the BIND DNS server configuration to apply the updates made to the zone file.

Reverse DNS Setup

Reverse DNS is the reverse of the forward DNS resolution, converting IP addresses back to domain names.

For example, the IP address 192.168.1.10 is represented in reverse notation as 10.1.168.192.in-addr.arpa.

Because a hierarchical model is used, the management of the zone can be delegated to the owner of the IP address range. Essentially, a PTR record defines a domain name based on an IP address, which is conceptually similar to an A record. PTR records are primarily used for verifying mail servers.

To configure the reverse lookup zone, create a new zone file:

sudo nano /etc/bind/master-zones/16.172/in-addr.arpa.zone

And add the following data:

$TTL    3600 
16.172.in-addr.arpa.            IN      SOA  ( 
ns.test.example.com. 
admin.test.example.com. 
                                2022041202 
                                10800 
                                1200 
                                604800 
                                3600  )
                                IN      NS            ns.test.example.com. 
                                IN      NS           ns2.test.example.com. 

3.101.16.172.in-addr.arpa.      IN      PTR              test.example.com. 
5.0.16.172.in-addr.arpa.        IN      PTR           ns.test.example.com. 
6.0.16.172.in-addr.arpa.        IN      PTR          ns2.test.example.com. 
2.101.16.172.in-addr.arpa.      IN      PTR         mail.test.example.com.

Check the configuration:

sudo named-checkzone 16.172.in-addr.arpa /etc/bind/master-zones/16.172.in-addr.arpa.zone

Then, open named.conf.local:

sudo nano /etc/bind/named.conf.local

And specify the following zone:

zone "16.172.in-addr.arpa." {
                type master;
                file "/etc/bind/master-zones/16.172.in-addr.arpa.zone";
                allow-transfer { 172.16.0.6; };
        };

Restart the bind9 service:

sudo named-checkconf
sudo named-checkconf -z
sudo service bind9 restart

Check with the dig utility:

dig @172.16.0.5 -x 172.16.0.5

Now you can perform a similar setup on the secondary server. Add the following configuration to named.conf.local:

zone "16.172.in-addr.arpa." { 
    type slave; 
    file "/etc/bind/slave/16.172.in-addr.arpa.zone"; 
    masters { 172.16.0.5; }; 
};

At this stage, we have completed work with local domain zones. You can now proceed to configure the external domain zone.

External Domain Zone

First, to handle queries from the external network, add the external IP address to the listen-on directive in the named.conf.options configuration file:

listen-on {
    aaa.bbb.ccc.ddd/32; # our external IP
    172.16.0.0;
    127.0.0.0/8
}

Next, create the zone file (don't forget to change the serial number!) and add the external IP addresses to it:

sudo nano /etc/bind/master-zones/test.example.com.zone

Add the following content to the file:

$TTL 3600
$ORIGIN test.example.com.
test.example.com.               IN              SOA  (     
    ns.test.example.com.
    admin.test.example.com.
                                2022041205
                                10800
                                1200
                                604800
                                3600   )
@                               IN              NS              ns.test.example.com.
@                               IN              NS              ns2.test.example.com.
@                               IN              A               aaa.bbb.ccc.ddd # first external address
ns                              IN              A               aaa.bbb.ccc.ddd
ns2                             IN              A               eee.fff.ggg.hhh # second external address

Then, create a separate file for the external view zones to serve different domain zones to clients from different subnets:

sudo nano /etc/bind/named.conf.external

Add the following content to the file:

zone "test.example.com." { 
    type master; 
    file "/etc/bind/master-zones/test.example.com.zone";
    allow-transfer { 172.16.0.6; };
};

After this, include the file in named.conf by adding the following block:

acl "external-view" { aaa.bbb.ccc.ddd; };
view "external-view" {
    recursion no;
    match-clients { external-view; };
    include "/etc/bind/named.conf.external";
};

Now check this zone and restart BIND9:

sudo named-checkconf -z
sudo named-checkzone test.example.com. /etc/bind/master-zones/test.example.com.zone
sudo service bind9 restart
sudo service bind9 status

On the secondary DNS server, you need to specify the external server address in named.conf.options:

sudo nano /etc/bind/named.conf.options

Add the following configuration:

options {
    dnssec-validation auto;
    auth-nxdomain no;
    recursion no;
    directory "/var/cache/bind";
    listen-on {
        eee.fff.ggg.hhh/24;
        172.16.0.0/16;
        127.0.0.0/8;
    };
};

Similarly to the primary server, create a new named.conf.external file:

sudo nano /etc/bind/named.conf.external

Add the following content to the file:

zone "test.example.com." {
    type slave;
    file "/etc/bind/slave/test.example.com.zone"; 
    masters { 172.16.0.5; };
};

Then add the following block to named.conf:

acl "external-view" { eee.fff.ggg.hhh; }; 
view "external-view" { 
    recursion no; 
    match-clients { external-view; }; 
    include "/etc/bind/named.conf.external"; 
};

And perform the transfer:

sudo rndc retransfer test.example.com IN external-view

Debugging

When setting up a DNS server, it is very important to pay close attention to query logging. This helps with initial troubleshooting, and during normal server operation, it allows you to fully control the services.

BIND9 allows for comprehensive logging rules configuration—writing to a single file, separating different categories into different logs, and so on.

To write debugging information to one file, you need to create logging rules and include them in the main configuration. Create a log.conf file:

sudo nano /etc/bind/log.conf

Add the following content:

logging {
    channel bind.log {
        file "/var/lib/bind/bind.log" versions 10 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { bind.log; };
    category default { bind.log; };
    category config { bind.log; };
};

Then include the file in the main configuration:

include "/etc/bind/log.conf";

And restart BIND9:

sudo service bind9 restart

You can create multiple such files with different settings and include them depending on the development stage or server load.

Conclusion

In this guide, we configured DNS on a server running Ubuntu OS using the bind9 package. After following the steps, the two configured DNS servers can be used for name resolution on the network. To use the custom DNS servers, configure your other servers to use 172.16.0.5 and 172.16.0.6 as their DNS servers. 

This setup can serve as the foundation for further enhancements, such as setting up an email server.

Ubuntu
19.07.2024
Reading time: 14 min

Similar

Java

Switching between Java Versions on Ubuntu

Managing multiple Java versions on Ubuntu is essential for developers working on diverse projects. Different applications often require different versions of the Java Development Kit (JDK) or Java Runtime Environment (JRE), making it crucial to switch between these versions efficiently. Ubuntu provides powerful tools to handle this, and one of the most effective methods is using the update-java-alternatives command. Switching Between Java Versions In this article, the process of switching between Java versions using updata-java-alternatives will be shown. This specialized tool simplifies the management of Java environments by updating all associated commands (such as java, javac, javaws, etc.) in one go.  Overview of Java version management A crucial component of development is Java version control, especially when working on many projects with different Java Runtime Environment (JRE) or Java Development Kit (JDK) needs. In order to prevent compatibility problems and ensure efficient development workflows, proper management ensures that the right Java version is utilized for every project. Importance of using specific Java versions You must check that the Java version to be used is compatible with the application, program, or software running on the system. Using the appropriate Java version ensures that the product runs smoothly and without any compatibility issues. Newer versions of Java usually come with updates and security fixes, which helps protect the system from vulnerabilities. Using an out-of-date Java version may expose the system to security vulnerabilities. Performance enhancements and optimizations are introduced with every Java version. For maximum performance, use a Java version that is specific to the application. Checking the current Java version It is important to know which versions are installed on the system before switching to other Java versions.  To check the current Java version, the java-common package has to be installed. This package contains common tools for the Java runtimes including the update-java-alternatives method. This method allows you to list the installed Java versions and facilitates switching between them. Use the following command to install the java-common package: sudo apt-get install java-common Upon completing the installation, verify all installed Java versions on the system using the command provided below: sudo update-java-alternatives --list The report above shows that Java versions 8 and 11 are installed on the system. Use the command below to determine which version is being used at the moment. java -version The displayed output indicates that the currently active version is Java version 11. Installing multiple Java versions Technically speaking, as long as there is sufficient disk space and the package repositories support it, the administrator of Ubuntu is free to install as many Java versions as they choose. Follow the instructions below for installing multiple Java versions. Begin by updating the system using the following command:   sudo apt-get update -y && sudo apt-get upgrade -y To add another version of Java, run the command below. sudo apt-get install <java version package name> In this example, installing Java version 17 can be done by running:  sudo apt-get install openjdk-17-jdk openjdk-17-jre Upon completing the installation, use the following command to confirm the correct and successful installation of the Java version: sudo update-java-alternatives --list Switching and setting the default Java version To switch between Java versions and set a default version on Ubuntu Linux, you can use the update-java-alternatives command.  sudo update-java-alternatives --set <java_version> In this case, the Java version 17 will be set as default: sudo update-java-alternatives --set java-1.17.0-openjdk-amd64 To check if Java version 17 is the default version, run the command:  java -version The output shows that the default version of Java is version 17. Managing and Switching Java Versions in Ubuntu Conclusion In conclusion, managing multiple Java versions on Ubuntu Linux using update-java-alternatives is a simple yet effective process. By following the steps outlined in this article, users can seamlessly switch between different Java environments, ensuring compatibility with various projects and taking advantage of the latest features and optimizations offered by different Java versions. Because Java version management is flexible, developers may design reliable and effective Java apps without sacrificing system performance or stability.
22 August 2025 · 4 min to read
Ubuntu

How to Install and Configure SSH on Ubuntu 22.04

A secure connection between a client and a server is made possible via the SSH network protocol. Since all communications are encrypted, distant network attacks and data theft across the network are avoided. Let’s say you have ordered a cloud server from Hostman. You will need SSH installed and configured to connect to and administer the server. The guide below will describe how to install SSH on Ubuntu 22.04 and configure it. SSH Key configuration is pretty simple on Ubuntu Prerequisites Before proceeding with the installation and configuration of the Secure Shell service, ensure the following requirements are met: Linux Command Line Skills for Configuration Having a solid grasp of basic Linux commands like sudo, apt, nano, and systemctl is essential when setting up the service. These commands will be frequently used during the installation and configuration process. It's crucial to be comfortable working within the command line environment to manage the service effectively. Root or Sudo Access for Setup To install and configure the server, administrative (root) privileges are required. Users must either have sudo access or be logged in as root. Without these privileges, the setup process cannot proceed. Internet Connection for Package Download A stable internet connection is necessary to install the OpenSSH server and any additional related packages. Without a functional connection, the system cannot retrieve the required software components. Configuring Firewall for Access If a firewall, like ufw, is enabled on the system, it may block remote access by default. It is essential to configure your firewall to allow incoming connections. Use ufw or another firewall tool to ensure port 22 is open and accessible. Access to the System (Local or Remote) To configure the service locally, you must have physical access to your computer; otherwise, it must be remotely accessible through its IP address. To connect, make sure the system is correctly linked to the network. Don't forget, that you can deploy your cloud server fast and cheap by choosing our VPS Server Hosting Step 1: Prepare Ubuntu The first thing you need to do before you start installing SSH on Ubuntu is to update all apt packages to the latest versions. To do this, use the following command: sudo apt update && sudo apt upgrade Step 2: Install SSH on Ubuntu OpenSSH is not pre-installed on the system, so let's install it manually. To do this, type in the terminal: sudo apt install openssh-server The installation of all the necessary components will begin. Answer "Yes" to all the system prompts.  After the installation is complete, go to the next step to start the service. Step 3: Start SSH Now you need to enable the service you just installed using the command below: sudo systemctl enable --now ssh On successful startup, you will see the following system message. The --now key helps you launch the service and simultaneously set it to start when the system boots. To verify that the service is enabled and running successfully, type: sudo systemctl status ssh The output should contain the Active: active (running) line, which indicates that the service is successfully running. If you want to disable the service, execute:  sudo systemctl disable ssh It disables the service and prevents it from starting at boot. Step 4: Configure the firewall Before connecting to the server via SSH, check the firewall to ensure it is configured correctly. In our case, we have the UFW installed, so we will use the following command: sudo ufw status In the output, you should see that SSH traffic is allowed. If you don't have it listed, you need to allow incoming SSH connections. This command will help with this: sudo ufw allow ssh Step 5: Connect to the server Once you complete all the previous steps, you can log into the server using the SSH protocol. You will need the IP address or domain name of the server as well as the name of a user that was created on the server in order to complete this step. In the terminal line, enter the command: ssh username@IP_address Or:  ssh username@domain Important: To successfully connect to a remote server, SSH must be installed and configured on the remote server and the user's computer from which you make the connection.  - Step 6 (optional): Create Key Pair for Secure Authentication For enhanced security, consider configuring a key pair instead of relying on password authentication. To generate one, use the following command: ssh-keygen Step 7: Configure SSH Having completed the previous five steps, you can already connect to the server remotely. However, you can further increase the connection's security by changing the default connection port to another or changing the password authentication to key authentication. These and other changes require editing the SSH configuration file. The main OpenSSH server settings are stored in the main configuration file sshd_config (location: /etc/ssh). Before you start editing, you should create a backup of this file:  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.initial If you get any errors after editing the configuration file, you can restore the original file without problems. After creating the backup, you can proceed to edit the configuration file. To do this, open it using the nano editor: sudo nano /etc/ssh/sshd_config In the file, change the port to a more secure one. It is best to set values from the dynamic range of ports (49152 - 65535) and use different numbers for additional security. For example, let's change the port value to 49532. To do this, we uncomment the corresponding line in the file and change the port as shown in the screenshot below. SSH Key Configuration Description in Linux Terminal In addition to this setting, we recommend changing the password authentication mode to a more secure key authentication mode. To do this, uncomment the corresponding line and make sure the value is "Yes", as shown in the screenshot. Authentication Key should be Enabled Now, let's prohibit logging on to the server as a superuser by changing the corresponding line as shown in the picture below. Don't Forget to Close Access to Root Login There are other settings you can configure to increase the server security:  UseDNS checks if the hostname matches its IP address. The value "Yes" enables this parameter. PermitEmptyPasswords prohibits using empty passwords for authentication if the value is "No." MaxAuthTries limits the number of unsuccessful attempts to connect to the server within one communication session.  AllowUsers and AllowGroups are responsible for the list of users and groups allowed to access the server: # AllowUsers User1, User2, User3# AllowGroups Group1, Group2, Group3 Login GraceTime sets the time provided for successful authorization. We recommend reducing the value of this parameter by four times. ClientAliveInterval limits the time of user inactivity. After exceeding the specified limit, the user is disconnected. After making all the changes in the main configuration file, save them and close the editor.  Restart the service to make the changes take effect: sudo systemctl restart ssh If you have changed the port in the configuration file, you should connect using the new port:  ssh -p port_number username@IP_address Or: ssh -p port_number_port_username@domain Troubleshooting Connection Issues Ensure the service is running with: sudo systemctl status ssh Restart it if necessary: sudo systemctl restart ssh Check firewall settings to allow traffic on port 22: sudo ufw allow 22 Confirm the system is reachable by running: ping <server-ip-address> Disabling the Service If you need to disable remote access for any reason, follow these steps: Stop the Service To temporarily stop accepting connections: sudo systemctl stop ssh Prevent Automatic Startup To disable it from starting on reboot: sudo systemctl disable ssh Confirm Inactive Status Verify that the service is no longer running: sudo systemctl status ssh Uninstall the Server If the service is no longer needed, remove it and its associated configuration files: sudo apt remove openssh-server Conclusion This article presents a step-by-step guide on installing and configuring SSH in Ubuntu 22.04 and describes how to edit the main configuration file to improve security. We hope this guide helps you to set up a secure remote connection to your Ubuntu server.To see more about SSH keys click here.
21 August 2025 · 7 min to read
PHP

How to Install PHP and PHP-FPM on Ubuntu 24.04

We are going to show you how to install PHP and PHP-FPM on Ubuntu 24.04. PHP, or Hypertext Preprocessor, is a popular open-source programming language used mostly for online development. The only PHP implementation of PHP FastCGI that is really helpful for websites with a lot of traffic is PHP. At the end of this guide, you should be ready to go with PHP running on your server.  Before that, check our instruction on how to set up a server on Ubuntu. PHP working scheme Prerequisites Before we start, please confirm you have the following: Ubuntu 24.04 LTS installed on the server A user account with the sudo access An essential command-line operation understanding A reliable internet connection for downloading software packages To ensure that your system is up to date, run the following commands: sudo apt updatesudo apt upgrade Install Apache Launch the Apache web server using the following command: sudo apt install apache2 Install PHP Let's begin with installing the PHP package in Ubuntu 24.04 server. First, open a terminal on your Ubuntu system. PHP and common modules are included in the installation action: sudo apt install php That command installs the core PHP package, the command-line interface, and common libraries. Make sure the installation works: php -v Start with PHP Installation Install PHP Extensions PHP extensions are the way to go to extending PHP installation with certain functions. Start by installing extensions: sudo apt install php-curl php-mbstring php-xml Short description: php-mysql: Allows MySQL database connection php-gd: Adds ability to manipulate images php-curl: Makes possible to communicate with servers php-mbstring: Provides multibyte string support php-xml: Enables XML support php-zip: Enables ZIP support Additional extensions can be installed as you see fit for your projects. You can search them using: apt-cache search php- Install and Configure PHP-FPM PHP-FPM is essential when dealing with high-traffic websites. To install and configure it: Install the package: sudo apt install php-fpm Launch PHP-FPM service. Depending on the installation, version number may differ. sudo systemctl start php8.3-fpm Tell PHP-FPM to go on boot: sudo systemctl enable php8.3-fpm Verify PHP-FPM is working: systemctl status php8.3-fpm This will output a response that says "Active (Running)" if everything is working as expected. Test PHP and PHP-FPM To ensure that PHP and PHP-FPM are both running with no problems, create a test file then serve it via the website's server. Let's say it uses Apache in this example: Generate PHP Info File. To show PHP settings using the phpinfo() function, do the following: mkdir -p /var/www/htmlecho "<?php phpinfo(); ?>" | sudo tee /var/www/html/info.php Set Up Apache for PHP-FPM. Ensure Apache is made compatible for PHP-FPM, by first finding Apache configuration file (usually /etc/apache2/sites-available/000-default.conf) then inserting: <FilesMatch \.php$>   SetHandler "proxy:unix:/var/run/php/php8.3-fpm.sock|fcgi://localhost/"</FilesMatch> Remember we must alter specific PHP version and socket path to suit individual settings of the server. Activate PHP and PHP-FPM. Enable PHP and PHP-FPM following these instructions: sudo apt install libapache2-mod-phpsudo a2enmod proxy_fcgi setenvif Reboot Apache. Apply changes by restarting Apache server: sudo systemctl restart apache2 Access PHP Info Page. First open your web browser and go to: http://your_server_ip/info.php Replace [server_ip] with the server IP address or domain. You can see details of your PHP installation. This is Where You Can Check Your PHP Current Status Install Multiple PHP Versions You may need to run different programs for specific projects, and each one may need a distinct set of features. Here's how to handle and work with different PHP versions on Ubuntu 24.04. First, add PHP repository: sudo apt install software-properties-commonsudo add-apt-repository ppa:ondrej/php && sudo apt update Install PHP versions you need: sudo apt install php8.1 php8.1-fpm Deselect one PHP version and select the other: sudo update-alternatives --set php /usr/bin/php8.1 If you are using multiple PHP versions, ensure that your web server is pointing to the appropriate PHP-FPM socket. Securing PHP and PHP-FPM: Best Practices As a web developer, you are aware of how crucial it is to use both PHP and PHP-FPM in secure and reliable web applications. We'll go over some security measures in this part that you should use when utilizing PHP and PHP-FPM. 1. Keep PHP and PHP-FPM Updated PHP and PHP-FPM should be up to date. Doing regular updates will eliminate known security breaches and provide overall security improvements. You need to check for updates as often as possible then update the system as soon as the updates are available. 2. Configure PHP Securely To configure PHP securely, start by disabling unnecessary and potentially dangerous functions, such as exec, shell_exec, and eval, in the PHP configuration file (php.ini). Use open_basedir directive to restrict PHP’s access to specific directories, preventing unauthorized access to sensitive files. Set display_errors to Off in production to avoid exposing error messages that could provide insights to attackers. Limit file upload sizes and execution times to reduce the risk of resource exhaustion attacks. Besides, ensure that PHP runs under a dedicated, restricted user account with minimal permissions to prevent privilege escalation. Regularly update PHP to the latest stable version to patch vulnerabilities and improve security. 3. Use Safe Error Reporting To ensure an error-free application, it is quite handy locating and correcting code bugs in a development environment. In production environment, you have the possibility to hide the PHP errors by setting the display_errors directive to be off, and you should also set the log_errors directive to be On, thus this will help you prevent PHP from showing errors to the users whereas your server will log it in a safe location without problems to users. 4. Implement Input Validation Being aware of the input validations is quite crucial during the programming of your software. Make sure that all deficiencies are tested and only SQL statements containing their SQL equivalent that can produce outwardly neutral queries via prepared statements is considered safe. 5. Secure PHP-FPM Configuration PHP-FPM is required to run using a non-usual user account with minium rights. Furthermore, access to the PHP-FPM socket or port should be very limited to the web application. 6. Enable open_basedir You need to bind open_basedir directive in order to restrict access files within the given directory. In this case, if you attempt to visit a forbidden directory and the request is accidentally transmitted to the server, PHP will prevent you from doing so. 7. Use HTTPS We need to secure web calls by making apps HTTPS-only, which is the only prominent way to block all the known hacking tricks. Installing PHP on Ubuntu 24.04 is Rewarded Conclusion With this guide, you've successfully set up PHP and PHP-FPM on Ubuntu 24.04. Your server is now configured for dynamic web applications. To maintain security and performance, remember to keep the system and packages regularly updated. If you liked this instruction, please check our Cloud Servers to boost your cloud workflow!
21 August 2025 · 6 min to read

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start.
Email us
Hostman's Support