Skip to content

Instantly share code, notes, and snippets.

@Ikkyusan1

Ikkyusan1/BrewBindInstallAndSetupMacOS.sh

Last active April 16, 2025 16:04
Show Gist options
  • Save Ikkyusan1/4e79e1ac844a2073223c2c4690931e77 to your computer and use it in GitHub Desktop.
Save Ikkyusan1/4e79e1ac844a2073223c2c4690931e77 to your computer and use it in GitHub Desktop.
Download ZIP
Install and setup bind (named) on MacOS 11 Big Sur with brew
Raw
BrewBindInstallAndSetupMacOS.sh
#!/bin/bash
set -euo pipefail
# MacOS 11 Big Sur
# Homebrew 3.3.9
# bind: stable 9.16.24
# Local caching NS server
# 1) INSTALL BIND
brew install bind
# To enable service on boot:
# sudo brew services start bind
# To restart bind after an upgrade:
# sudo brew services restart bind
# Or, if you don't want/need a background service you can just run:
# /usr/local/opt/bind/sbin/named -f -L /usr/local/var/log/named/named.log
# Config is located in :
# /usr/local/etc/bind
# Get help:
# brew help services
# 2) CONFIGURE BIND
# This configuration is based on what's available on a Debian system,
# slightly adapted (log filepath in particular).
# In latest version of MacOS, system folders are readonly (/etc in particular).
# Thus, we'll place the config in /usr/local/etc
# Create cache dir
mkdir -p /usr/local/var/cache/bind
# Go to bind config directory
cd /usr/local/etc/bind/
# Create a custom launch key
/usr/local/sbin/rndc-confgen > rndc.conf
head -n 6 rndc.conf > rndc.key
# And create the config files
cat <<'EOT' > named.conf
logging {
category default {
_default_log;
};
channel _default_log {
file "/usr/local/var/log/named/named.log" versions 10 size 1m;
severity info;
print-time yes;
};
};
include "/usr/local/etc/bind/named.conf.options";
include "/usr/local/etc/bind/named.conf.local";
include "/usr/local/etc/bind/named.conf.default-zones";
EOT
cat <<'EOT' > named.conf.options
options {
directory "/usr/local/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
// listen on local IP
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
// Uncomment the following to disable IPv6
// filter-aaaa-on-v4 yes;
};
EOT
cat <<'EOT' > named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
EOT
cat <<'EOT' > named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/local/etc/bind/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/usr/local/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/usr/local/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/usr/local/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/usr/local/etc/bind/db.255";
};
EOT
cat <<'EOT' > root.hints
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: March 13, 2019
; related version of root zone: 2019031302
;
; FORMERLY NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file
EOT
cat <<'EOT' > zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
EOT
cat <<'EOT' > db.0
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
EOT
cat <<'EOT' > db.127
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
EOT
cat <<'EOT' > db.255
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
EOT
cat <<'EOT' > db.empty
;
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
EOT
cat <<'EOT' > db.local
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
EOT
# Start/Enable service at boot:
sudo brew services start bind
# Check if service launched correctly:
sudo brew services list
# Should display:
# Name Status User File
# bind started root /Library/LaunchDaemons/homebrew.mxcl.bind.plist
# If not, check the log file:
# /usr/local/var/log/named/named.log
# If you get errors like:
# managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
# or
# validating ./NS: no valid signature found
#
# That's because cache files are somehow corrupted.
# (https://gitlab.isc.org/isc-projects/bind9/-/issues/2895)
# Make sure bind can send outgoing TCP/UDP requests on port 53.
# And before restarting the service, delete the cache files located in:
# /usr/local/var/cache/bind/
# If you get errors like:
# host unreachable resolving '_.me/A/IN': 2001:503:ba3e::2:30#53
#
# Disable IPv6 support. Add option -4 to service startup in:
# /usr/local/Cellar/bind/*/homebrew.mxcl.bind.plist
# And uncomment the relevant line in:
# /usr/local/etc/bind/named.conf.options
# When everything runs correctly, test if the DNS resolution works:
dig A duckduckgo.com @127.0.0.1
# And finally,
# you can set 127.0.0.1 as primary DNS server in MacOS network config.
@macuserguru
Copy link

Are this for Monterey 12.2.1 & 12.3 ready too?

@Ikkyusan1
Copy link
Author

I don't know : I'm not on Monterey. Maybe you can test this recipe and tell us if it works ?

@jack142-dev
Copy link

jack142-dev commented Jan 25, 2024
edited
Loading

New to BIND, trying to install this on a Mac mini M1 Sonoma. How would I add my own DNS entries? I ran the installer but seems to not have created the /usr/local/etc/bind/ directory?

/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 35: cd: /usr/local/etc/bind/: No such file or directory
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 38: /usr/local/sbin/rndc-confgen: No such file or directory
cat: db.0: No such file or directory

I manually created those directories now getting:

/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 38: rndc.conf: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 39: rndc.key: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 42: named.conf: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 59: named.conf.options: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 92: named.conf.local: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 102: named.conf.default-zones: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 134: root.hints: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 230: zones.rfc1918: Permission denied
cat: db.0: No such file or directory
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 268: db.127: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 284: db.255: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 299: db.empty: Permission denied
/Users/localadmin/Downloads/4e79e1ac844a2073223c2c4690931e77-0d97b4b4c226c68c6324aa796cde727f1bb37356/BrewBindInstallAndSetupMacOS.sh: line 317: db.local: Permission denied

@Ikkyusan1
Copy link
Author

I should have written somewhere that this gist is not exactly a script to be run per se, it's more like a recipe to follow and adapt.

The errors are self explanatory enough, you got permissions problems, the folders/files are most likely owned by the wrong user/group, or perhaps not writable.

I haven't touched Sonoma, I don't know if the layout is the same as on BigSur, so you're on your own, sorry mate.
But if you manage to make it work, please report back, of make a fork of the gist with your working adaptations, it could be helpful to other people.

Good luck.

@jack142-dev
Copy link

Thanks for that info I think I was able to get past the errors by changing the permissions on the folder using chown. How do I add a new zone, for example I want to add the below, which file should I add it to?

zone "printers.aprnt.net" {
type forward; forward only; forwarders { printopia-pro-server-ip; };
};

Also where would I put the pointer record below too?

lb._dns-sd._udp IN PTR printers.aprnt.net.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment