I have always used BIND on OSX to provide a local DNS resolver for my local development machines, particularly to facilitate virtual machines accessing my local dev environment.
Men & Mice is offering BIND installers for free at http://support.menandmice.com/download/bind/macosx/10.9-Mavericks/
Installers are available for MacOS X 10.4 (PPC), 10.5/10.6 (x86), 10.7/10.8 and (new) 10.9 (x86_64).
Here is my recommendation for a basic "/etc/named.conf" file for BIND 9.9.4. Many basic configuration recommendations on the Internet, and the templates shipped with BIND packages in Linux/BSD distributions, have not been updated for recent BIND releases and are no longer optimal (although they continue to work).
```
// BIND named.conf caching only DNS server
// configuration file for
// BIND 9.7 and up

options {
    // set the DNS server's "home" directory;
    // all files with relative path names
    // will be read or written from this
    // directory
    directory "/var/named";

    // disable query-logging on start;
    // query-logging can be enabled using
    // "rndc querylog"
    querylog no;
};

// automatic empty zone for the "localhost" name
zone "localhost" IN {
    type master;
    database "_builtin empty . nothing.invalid.";
};

// logging template for a caching DNS server
logging {
    channel syslog   { syslog daemon; severity info; };
    channel security { file "security.log" versions 10 size 50M; print-time yes; };
    channel query_log {
        file "query.log" versions 10 size 50M; severity debug; print-time yes;
    };

    category general       { syslog; };
    category security      { security; };
    category queries       { query_log; };
    category dnssec        { security; };
    category default       { syslog; };
    category resolver      { syslog; };
    category client        { syslog; };
    category query-errors  { query_log; };
    category edns-disabled { syslog; };
};
```
Some comments:

- If no "controls" block is defined, the default controls statement is used. The default controls configuration is:

```
controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; };
```

- Never specify "query-source" with a port number on a caching DNS server (I would prefer not to see it even commented out; someone might enable it and create a security hole). It is a security risk: it disables UDP source port randomization and therefore makes DNS cache spoofing easy.
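A small configuration check for the "query-source" point above, added here as an example and not part of the original post or of BIND itself. It scans a named.conf for "query-source" / "query-source-v6" statements that pin a port to a fixed number instead of "*", and it reports occurrences in comments as well, since the author's concern is that a commented-out line may later be re-enabled. The sample configuration inside the block is constructed for the demonstration; the helper names are this example's own.

```python
import re
from dataclasses import dataclass

# BIND syntax: query-source [ address ( ipv4 | * ) ] [ port ( integer | * ) ];
# A fixed integer port disables UDP source-port randomization.
QS_RE = re.compile(
    r'\b(query-source(?:-v6)?)\b(?:\s+address\s+(\S+))?\s+port\s+(\*|\d+)\s*;',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: int        # 1-based line number in the configuration text
    directive: str   # "query-source" or "query-source-v6"
    port: str        # the pinned port number as written
    commented: bool  # True if the statement only appears inside a comment


def split_code_and_comments(text):
    """Yield (line_no, code_part, comment_part) per line.

    Handles "//" and "#" line comments and multi-line "/* ... */" blocks,
    so a statement hidden in a comment can still be reported.
    """
    in_block = False
    for n, raw in enumerate(text.splitlines(), 1):
        code, comment = [], []
        i = 0
        while i < len(raw):
            if in_block:
                end = raw.find('*/', i)
                if end == -1:
                    comment.append(raw[i:])
                    i = len(raw)
                else:
                    comment.append(raw[i:end])
                    i = end + 2
                    in_block = False
            elif raw.startswith('/*', i):
                in_block = True
                i += 2
            elif raw.startswith('//', i) or raw.startswith('#', i):
                comment.append(raw[i:])
                i = len(raw)
            else:
                code.append(raw[i])
                i += 1
        yield n, ''.join(code), ''.join(comment)


def find_fixed_query_ports(text):
    """Return every query-source statement whose port is a fixed number."""
    findings = []
    for n, code, comment in split_code_and_comments(text):
        for part, commented in ((code, False), (comment, True)):
            for m in QS_RE.finditer(part):
                directive, _addr, port = m.groups()
                if port != '*':
                    findings.append(Finding(n, directive.lower(), port, commented))
    return findings


def is_safe(text):
    """True when no active (uncommented) statement pins the query port."""
    return not any(not f.commented for f in find_fixed_query_ports(text))


# Constructed sample: a caching-resolver options block with the risky setting,
# one active and two commented out.
SAMPLE_BAD = """\
options {
    directory "/var/named";
    // query-source address * port 53;
    query-source address * port 5353;
    /* query-source-v6 port 5353; */
    query-source-v6 address * port *;
};
"""

# Constructed sample: the safe form (no query-source at all).
SAMPLE_GOOD = """\
options {
    directory "/var/named";
    querylog no;
};
"""

if __name__ == "__main__":
    for f in find_fixed_query_ports(SAMPLE_BAD):
        state = "commented out" if f.commented else "ACTIVE"
        print(f"line {f.line}: {f.directive} pinned to port {f.port} ({state})")
    print("safe:", is_safe(SAMPLE_BAD), is_safe(SAMPLE_GOOD))
```

Run it against a real file with `find_fixed_query_ports(open("/etc/named.conf").read())`; an active finding means UDP source ports are no longer randomized and the statement should be removed, while a commented-out finding is the "someone might enable it" case the post warns about.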