19 March 2026

BIND on OpenWrt

Topics: Linux, Networking
Tags: openwrt, dns

Installation

opkg update
opkg install bind-server bind-tools

Stop DNSMasq from serving DNS

# /etc/config/dhcp
config dnsmasq
  option domain ''
  option port 0

/etc/init.d/dnsmasq restart
/etc/init.d/named start

BIND root hints on OpenWrt

Debian typically uses /usr/share/dns/root.hints or /usr/share/dns/bind.keys. OpenWrt usually does not ship a root hints file, so define one explicitly. I copied this to /etc/bind/named.conf.root-hints and included it via named.conf.options.

Priming failures and DNSSEC failures can be caused by an incorrect clock, since DNSSEC signatures are only valid within a fixed time window. Make sure the router is synchronized via NTP and showing the time in UTC.

Troubleshooting configuration

stop the init script

/etc/init.d/named stop

run bind in the foreground with logging

/usr/sbin/named -g -d 2 -c /etc/bind/named.conf

or increase debug level if nothing shows

/usr/sbin/named -g -d 4 -c /etc/bind/named.conf

check syslog output in another shell

logread -f

quick config checks

/usr/sbin/named-checkconf -z /etc/bind/named.conf

/usr/sbin/named-checkzone example.com /etc/bind/zones/db.example.com

check file permissions for zone files and keys

ls -la /etc/bind /etc/bind/zones

restart normally after fixing

/etc/init.d/named start

Query logging and RNDC

OpenWrt's implementation effectively breaks the rndc utility: it tries to regenerate part of the rndc config every time named starts, so rndc won't work to enable and disable query logging interactively. The fix is to put the logging configuration in its own file, named.conf.logging, and include it from named.conf only when needed. Activating or deactivating it requires restarting named.

logging {
    channel query_log {
        syslog daemon;
        severity dynamic;
    };
    category queries { query_log; };
};
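
The include-and-restart toggle described above, written as a script. This is an added example, not part of the original post; it assumes named.conf.logging sits in /etc/bind next to named.conf, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: enable/disable BIND query logging by toggling the include
# of named.conf.logging in named.conf, then restarting named.
# Assumption: named.conf.logging sits next to named.conf in /etc/bind.
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
LOGGING_CONF="${LOGGING_CONF:-/etc/bind/named.conf.logging}"

include_line() { printf 'include "%s";\n' "$LOGGING_CONF"; }

# True when the exact include line is present (a commented-out copy does not match).
querylog_enabled() { grep -Fxq "$(include_line)" "$NAMED_CONF"; }

querylog_on() {
    [ -r "$LOGGING_CONF" ] || { echo "missing $LOGGING_CONF" >&2; return 1; }
    querylog_enabled && return 0          # idempotent: never add a second include
    [ -z "$(tail -c1 "$NAMED_CONF")" ] || echo >> "$NAMED_CONF"  # file lacked a final newline
    include_line >> "$NAMED_CONF"
}

querylog_off() {
    querylog_enabled || return 0
    tmp="$NAMED_CONF.tmp.$$"
    L="$(include_line)" awk '$0 != ENVIRON["L"]' "$NAMED_CONF" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$NAMED_CONF"            # rewrite in place to keep owner and mode
    rm -f "$tmp"
}

# Validate first so a broken config never takes the resolver down.
apply_change() {
    /usr/sbin/named-checkconf "$NAMED_CONF" || { echo "config invalid, named not restarted" >&2; return 1; }
    /etc/init.d/named restart
}

main() {
    case "$1" in
        on)     querylog_on  && apply_change ;;
        off)    querylog_off && apply_change ;;
        status) if querylog_enabled; then echo enabled; else echo disabled; fi ;;
        *)      echo "usage: $0 on|off|status" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Query logs record every name each client looks up, so switch logging off again once the troubleshooting session is over.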