From 108554317ee821cc926109de9179fed4a1aed2ea Mon Sep 17 00:00:00 2001 
From: Ventz Petkov Date: Mon, 12 Feb 2018 23:35:24 -0500 Subject: [PATCH] Major Upgrade - added very detailed configs for many scenarios, with lots of examples. The server is now fully functional for an authoritative master and a recursive/forwarding cacher. You can still mount over the /etc/bind and /var/bind directories and override everything yourself. This should help many users who did not know where to start with bind. --- README.md | 57 +++++++--- build.sh | 0 container/Dockerfile | 19 +++- container/configs/README | 2 + container/configs/default-zones/db.0 | 12 ++ container/configs/default-zones/db.127 | 13 +++ container/configs/default-zones/db.255 | 12 ++ container/configs/default-zones/db.empty | 14 +++ container/configs/default-zones/db.local | 14 +++ container/configs/default-zones/db.root | 92 +++++++++++++++ container/configs/example-configs/README | 20 ++++ .../authoritative/named.conf.options | 56 ++++++++++ .../recursive-resolver/named.conf.options | 104 +++++++++++++++++ container/configs/named.conf | 16 +++ container/configs/named.conf.default-zones | 28 +++++ container/configs/named.conf.local | 42 +++++++ container/configs/named.conf.options | 105 ++++++++++++++++++ container/configs/named.conf.rfc1918 | 20 ++++ container/entrypoint.sh | 4 +- run.sh | 12 -- 20 files changed, 611 insertions(+), 31 deletions(-) mode change 100644 => 100755 build.sh create mode 100644 container/configs/README create mode 100644 container/configs/default-zones/db.0 create mode 100644 container/configs/default-zones/db.127 create mode 100644 container/configs/default-zones/db.255 create mode 100644 container/configs/default-zones/db.empty create mode 100644 container/configs/default-zones/db.local create mode 100644 container/configs/default-zones/db.root create mode 100644 container/configs/example-configs/README create mode 100644 container/configs/example-configs/authoritative/named.conf.options create mode 100644 
container/configs/example-configs/recursive-resolver/named.conf.options create mode 100644 container/configs/named.conf create mode 100644 container/configs/named.conf.default-zones create mode 100644 container/configs/named.conf.local create mode 100644 container/configs/named.conf.options create mode 100644 container/configs/named.conf.rfc1918 delete mode 100644 run.sh diff --git a/README.md b/README.md index 2746551..a2858b8 100644 --- a/README.md +++ b/README.md 
@@ -1,46 +1,77 @@ ### ISC BIND9 Container (Stable: 9.11.2_xx) built on top of Alpine -### Last update: 2-6-18 +### Last update: 2-12-18 (major new update!) NOTE: "Last Update" is the date of the latest DockerHub build. This container is a super small (~5MB compressed pull, and only ~9MB when extracted) FULL version of ISC BIND9. -It is ideal for a quick master, slave, recursive server/resolver, RPZ -"dns firewall", or just about any other purpose you can use bind for. +It is ideal for an extremely secure and fast master (authoritative server), +slave, recursive server/resolver, RPZ "dns firewall", or just +about any other purpose you can use bind for. -# Security - always on the latest stable release! +# Security - always on the latest stable BIND release! This container will _always_ be up to date on the latest stable+patched version, usually within 24 hours of it being available in Alpine. In fact, most of the BIND vulnerabilities so far have been reported by me to the Alpine developers. -# Required "DATA" directory - for named.conf and zone data: +# How to deploy a Bind (DNS) server? +This container contains everything needed in terms of configuration to +run as an authoritative server or a recursive resolver/forwarding cacher. + +However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :) +But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/bind``` with your zones. + +# Required "DATA" directory - for configs and zone data: This container assumes you have a "/DATA" folder with with your container specific data. -You can change that folder (and sub-folders) as needed, but make sure you update the "-v" mounts for the run. +(You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.) Specifically, you need to have these directories/paths: ``` 1.) 
[ *REQUIRED* ] In your "/DATA/etc/bind" directory, a file "named.conf", which acts as an entry point to your configs +Take a look at the default config, and the example configs provided 2.) [ *REQUIRED* ] -A "/DATA/var/cache/bind" directory for all of the master or slave zones. If it's for slave zones, it will populate automatically and you can leave it blank. - -3.) [ *OPTIONAL* ] -A "/DATA/var/log/named" directory for logging your DNS requests/returns/other breakdown. By default, logging is done to the console +A "/DATA/var/bind" directory for all of the master or slave zones. If it's for slave zones, it will populate automatically and you can leave it blank. ``` # How to run a BIND ("named") Docker Container? ``` -docker run --name=dns-master01 +# Default Example +# This is just to test it out - by default only allows queries from +# itself (127.0.0.1) -- pretty useless for real world usage +docker run --name=dns-test +-it -d \ +--dns=8.8.8.8 --dns=8.8.4.4 \ +-p 53:53/udp -p 53:53 \ +ventz/bind +``` + +``` +# Customer Override Example for Authoritative Master +# Edit: named.conf.local with your forward zone at least +# and create the file in /var/named/$yourdomain.tld +docker run --name=dns-master -it -d \ --dns=8.8.8.8 --dns=8.8.4.4 \ -p 53:53/udp -p 53:53 \ -v /DATA/etc/bind:/etc/bind \ --v /DATA/var/cache/bind:/var/cache/bind \ --v /DATA/var/log/named:/var/log/named \ +-v /DATA/var/bind:/var/bind \ +ventz/bind +``` + +``` +# Custom Override Example for Recursive Resolver/Cacher: +# Edit: named.conf.options -> change the "allow-recursion" and "allow-query" with your subnets +docker run --name=dns-resolver +-it -d \ +--dns=8.8.8.8 --dns=8.8.4.4 \ +-p 53:53/udp -p 53:53 \ +-v /DATA/etc/bind:/etc/bind \ +-v /DATA/var/bind:/var/bind \ ventz/bind ``` diff --git a/build.sh b/build.sh old mode 100644 new mode 100755 diff --git a/container/Dockerfile b/container/Dockerfile index de3a200..1307ecb 100644 --- a/container/Dockerfile +++ b/container/Dockerfile 
@@ -3,19 +3,28 @@ EXPOSE 53 53/udp
 RUN apk --update upgrade && apk add bind
-RUN mkdir -m 0755 -p /var/run/named && chown -R root:named /var/run/named
-
-# /var/cache/bind needs to be owned by "bind"
+# /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
 # since we are mounting, do it manually
 # NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
-RUN mkdir -m 0755 -p /var/cache/bind && touch /var/cache/bind/docker-init && chown -R named:named /var/cache/bind
+# &
+# /var/bind needs to be owned by root, group owned by "bind", and chmod 770
+# since we are mounting, do it manually
+# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
+# &
+# Get latest bind.keys
+RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
+ mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \
+ wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
+ rndc-confgen -a -r /dev/urandom
+
+COPY configs/. /etc/bind/
 # Mounts
 # NOTE: Per Dockerfile manual -->
 # "if any build steps change the data within the volume
 # after it has been declared, those changes will be discarded."
 VOLUME ["/etc/bind"]
-VOLUME ["/var/cache/bind"]
+VOLUME ["/var/bind"]
 COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/container/configs/README b/container/configs/README
new file mode 100644
index 0000000..3e50e76
--- /dev/null
+++ b/container/configs/README
@@ -0,0 +1,2 @@
+You should add your zones to: named.conf.local
+Generally, that's the only file you will need to modify
diff --git a/container/configs/default-zones/db.0 b/container/configs/default-zones/db.0
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/container/configs/default-zones/db.0
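Review bot: The new `RUN` line creates `/var/bind` but then runs `chown -R root:named /var/cache`, so `/var/bind` keeps root:root ownership in the image even though the comment above says it should be group `named` with mode 770; the entrypoint re-chowns it at start, but the Dockerfile does not do what its own comment states. The four steps are chained with `;` rather than `&&`, so a failed `mkdir`, `wget` or `rndc-confgen` does not fail the build and a published image can ship with an empty `/etc/bind/bind.keys` or no `/etc/bind/rndc.key`. Running `rndc-confgen -a` at build time also bakes a single rndc key into every image built from this Dockerfile (and every pull of it); `named.conf` only exposes the control channel on 127.0.0.1, but generating the key in the entrypoint when the file is absent would make it per-container. Suggested rewrite of the RUN step:
```dockerfile
RUN mkdir -m 0770 -p /etc/bind /var/bind \
 && chown -R root:named /etc/bind /var/bind \
 && wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 \
 && rndc-confgen -a -r /dev/urandom
```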
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/container/configs/default-zones/db.127 b/container/configs/default-zones/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/container/configs/default-zones/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/container/configs/default-zones/db.255 b/container/configs/default-zones/db.255
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/container/configs/default-zones/db.255
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/container/configs/default-zones/db.empty b/container/configs/default-zones/db.empty
new file mode 100644
index 0000000..8a12858
--- /dev/null
+++ b/container/configs/default-zones/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/container/configs/default-zones/db.local b/container/configs/default-zones/db.local
new file mode 100644
index 0000000..2f272d4
--- /dev/null
+++ b/container/configs/default-zones/db.local
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
diff --git a/container/configs/default-zones/db.root b/container/configs/default-zones/db.root
new file mode 100644
index 0000000..3d6b3ba
--- /dev/null
+++ b/container/configs/default-zones/db.root
@@ -0,0 +1,92 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: January 30, 2018 +; related version of root zone: 2018013001 +; +; FORMERLY NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 
3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file \ No newline at end of file diff --git a/container/configs/example-configs/README b/container/configs/example-configs/README new file mode 100644 index 0000000..f9f63ee --- /dev/null +++ b/container/configs/example-configs/README @@ -0,0 +1,20 @@ +1.) Start with the FULL directory contents of "configs" which has a +fully functioning recurive resolver/forwarding cacher AND an +authoritative config at the same time. + +The "configs" directory contains: + +* README +* named.conf +* named.conf.default-zones +* named.conf.rfc1918 +* named.conf.local -> modify this for all of your authoritative zones +* named.conf.options -> feel free to overwrite this with one fr + +default-zones: +db.0 db.127 db.255 db.empty db.local db.root + + +2.) and then feel free to use the "named.conf.options" provided in the +"example-configs" to override the default with a more "specific +'named.conf.options' as needed for a more diff --git a/container/configs/example-configs/authoritative/named.conf.options b/container/configs/example-configs/authoritative/named.conf.options new file mode 100644 index 0000000..da2f936 --- /dev/null +++ b/container/configs/example-configs/authoritative/named.conf.options 
@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf.options if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see Ventz's "example-configs/recursive-resolver/named.conf.options"
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+ directory "/var/bind";
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you want to allow only specific hosts to use the DNS server:
+ //allow-query {
+ // 127.0.0.1;
+ //};
+
+ // Specify a list of IPs/masks to allow zone transfers to here.
+ //
+ // You can override this on a per-zone basis by specifying this inside a zone
+ // block.
+ //
+ // Warning: Removing this block will cause BIND to revert to its default
+ // behaviour of allowing zone transfers to any host (!).
+ allow-transfer {
+ none;
+ };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Changing this is NOT RECOMMENDED; see the notes above and in
+ // named.conf.recursive.
+ allow-recursion { none; };
+ recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+// type master;
+// file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
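Review bot: `listen-on { 127.0.0.1; };` in an example meant for an authoritative server means named only accepts queries arriving on the container's loopback; the README publishes port 53 and the shipped default `named.conf.options` uses `listen-on { any; };`, so a user who copies this file over it, as the header instructs, would stop answering external queries. The commented zone example's `file "/etc/bind/master/example.com";` also points outside `/var/bind`, which this commit makes the zone volume and sets as `directory`, and the `// named.conf.recursive.` cross-reference names a file that does not exist (the sibling is `example-configs/recursive-resolver/named.conf.options`). Suggest `listen-on { any; };` with a comment that `allow-query` (default any, which is what an authoritative server needs) still governs who is answered, and `// file "/var/bind/example.com";`. Unlike the default options file, this example also omits `version "";`, which is worth carrying over.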
diff --git a/container/configs/example-configs/recursive-resolver/named.conf.options b/container/configs/example-configs/recursive-resolver/named.conf.options
new file mode 100644
index 0000000..d9c164f
--- /dev/null
+++ b/container/configs/example-configs/recursive-resolver/named.conf.options
@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf.options if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see Ventz's "example-configs/authoritative/named.conf.options"
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+ directory "/var/bind";
+
+ // Specify a list of CIDR masks which should be allowed to issue recursive
+ // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+ allow-recursion {
+ 127.0.0.1/32;
+ };
+
+ // If you want this resolver to itself resolve via means of another recursive
+ // resolver, uncomment this block and specify the IP addresses of the desired
+ // upstream resolvers.
+ //forwarders {
+ // 8.8.8.8;
+ // 8.8.4.4;
+ //};
+
+ // By default the resolver will attempt to perform recursive resolution itself
+ // if the forwarders are unavailable. If you want this resolver to fail outright
+ // if the upstream resolvers are unavailable, uncomment this directive.
+ //forward only;
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Removing this block will cause BIND to revert to its default behaviour
+ // of allowing zone transfers to any host (!). There is no need to allow zone
+ // transfers when operating as a recursive resolver.
+ allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+};
diff --git a/container/configs/named.conf b/container/configs/named.conf
new file mode 100644
index 0000000..2e9defb
--- /dev/null
+++ b/container/configs/named.conf
@@ -0,0 +1,16 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+controls {
+ inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
+};
+
+include "/etc/bind/rndc.key";
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+
diff --git a/container/configs/named.conf.default-zones b/container/configs/named.conf.default-zones
new file mode 100644
index 0000000..67409fb
--- /dev/null
+++ b/container/configs/named.conf.default-zones
@@ -0,0 +1,28 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/etc/bind/default-zones/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/default-zones/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/default-zones/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/default-zones/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/default-zones/db.255";
+};
diff --git a/container/configs/named.conf.local b/container/configs/named.conf.local
new file mode 100644
index 0000000..124494a
--- /dev/null
+++ b/container/configs/named.conf.local
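Review bot: The `zone "."`, `zone "localhost"` and `zone "127.in-addr.arpa"` blocks at the end of the recursive-resolver example collide with `named.conf.default-zones`, which `named.conf.local` already includes for the same three zones; copying this file over `/etc/bind/named.conf.options` as its header instructs therefore gives named two definitions of each zone, which it rejects at load. The files they reference (`named.ca`, `pri/localhost.zone`, `pri/127.zone`, relative to `directory "/var/bind"`) are also not shipped by this commit, which puts the hints at `/etc/bind/default-zones/db.root`. Drop the three zone blocks and let `named.conf.default-zones` supply them, or point them at the `default-zones` files. `listen-on { 127.0.0.1; };` has the same effect here as in the authoritative example: only loopback clients are served, so a comment saying what to change for real use would help.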
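Review bot: `include "/etc/bind/rndc.key";` depends on the key file that `rndc-confgen -a` writes into the image at build time, so when `/etc/bind` is bind-mounted from `/DATA/etc/bind` as the README instructs, the include fails and named does not start unless the user has generated an `rndc.key` themselves, which the README does not mention. Either have the entrypoint run `rndc-confgen -a` when the file is missing, or document the requirement next to the `-v /DATA/etc/bind:/etc/bind` examples. The `// Please read /usr/share/doc/bind9/README.Debian.gz` comment describes Debian; that path is not present in this Alpine-based image, so the comment should be rewritten or dropped.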
@@ -0,0 +1,42 @@ +// +// Do any local configuration here +// + +/////////////////////////////////////////////////////////////////////////////// +////////////////////////////////////////////////////////////////////////////// + +// STANDARD ZONES +include "/etc/bind/named.conf.default-zones"; + +// Consider adding the 1918 zones here, if they are not used in your +// organization +include "/etc/bind/named.conf.rfc1918"; + +/////////////////////////////////////////////////////////////////////////////// +////////////////////////////////////////////////////////////////////////////// + + +####################################### +# REVERSE 'PTR' RECORDS # +####################################### +# example reverse zone: 1.2.3.4/24 +//zone "4.3.2.1.in-addr.arpa" { +// type master; +// file "/var/bind/1.2.3.4.rev"; +// notify yes; +//}; + + +####################################### +# FORWARD 'A' RECORDS # +####################################### +# example "forward" (domain) zone: domain.tld +//zone "domain.tld" { +// type master; +// file "/var/bind/domain.tld"; +// notify yes; +// #also-notify { a.b.c.d; }; +// #allow-transfer { localhost; a.b.c.d; }; +// # vs +// #allow-transfer { "none"; }; +//}; diff --git a/container/configs/named.conf.options b/container/configs/named.conf.options new file mode 100644 index 0000000..de586f0 --- /dev/null +++ b/container/configs/named.conf.options 
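Review bot: The commented example `//zone "4.3.2.1.in-addr.arpa" {` does not match its label `# example reverse zone: 1.2.3.4/24`: a /24 reverse zone carries three octets in reverse order, so 1.2.3.0/24 is `3.2.1.in-addr.arpa`, while `4.3.2.1.in-addr.arpa` covers only the single address 1.2.3.4. Suggest `# example reverse zone for 1.2.3.0/24`, `//zone "3.2.1.in-addr.arpa" {` and `// file "/var/bind/1.2.3.rev";`. The comment `// Consider adding the 1918 zones here, if they are not used in your organization` sits above an unconditional `include "/etc/bind/named.conf.rfc1918";`, which makes this server answer authoritatively (empty) for all RFC 1918 reverse space even when forwarders could resolve it; the comment should say the include is active and that it must be commented out where those ranges are in use.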
@@ -0,0 +1,105 @@ +options { + directory "/var/bind"; + + // Remove (hide) our bind version - no reason to disclose it + version ""; + + // Configure the IPs to listen on here. + listen-on { any; }; + listen-on-v6 { none; }; + + // QUERY SOURCE - Useful for caching servers behind a firewall + // Default: address * port * + // Values : The IP address and port to use as the source of queries to other servers + // If you have problems and are behind a firewall, uncomment: + //query-source address * port *; + + pid-file "/var/run/named/named.pid"; + + // statistics-file "/var/cache/bind/named.stats"; + // zone-statistics yes; + + // If you want to allow only specific hosts to use the DNS server: + allow-query { 127.0.0.1; }; + + // Specify a list of IPs/masks to allow zone transfers to here. + // + // You can override this on a per-zone basis by specifying this inside a zone + // block. + // + // Warning: Removing this block will cause BIND to revert to its default + // behaviour of allowing zone transfers to any host (!). + allow-transfer { none; }; + + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // RECURSION - Required for caching servers + // Default: yes + // Values : yes, no + // + // yes: Attempt to resolve requests we are not authoritative for + // no : Do not resolve requests we are not authoritative for + // + // NOTE: Commented out because specified in each zone/view + recursion yes; + //recursion no; + + + // ALLOW-RECURSION - Who may use our caching server? + // Default: any; + // Values : any, none, (addresslist) + // + // any : anybody may use the caching server + // none : noone may use the caching server + // address: List of IP addresses that may use the caching server. 
+ // allow-recursion { localhost; localnets; }; + // + // NOTE: Commented out because specified in each zone/view + // allow-recursion { clients; servers; lan; }; + //allow-recursion { none; }; + allow-recursion { 127.0.0.1; }; + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + forwarders { + 8.8.8.8; + 8.8.4.4; + }; + + // FORWARD - Recommended for caching servers + // Default: first + // Values : first, only + // + // first: Query "forwarders" first, then resolve request ourself + // only : Only query the "forwarders" to resolve requests + // + forward first; + + + // NOTIFY - Relevant to authoritative servers + // Default: yes + // Values : yes, explicit, no + // + // yes : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes + // explicit: Only send DNS NOTIFY messages to "also-notify" hosts + // no : Never automatically send DNS NOTIFY messages + // + notify yes; + + // Need this for SRV records + check-names master ignore; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation auto; + + auth-nxdomain no; # conform to RFC1035 +}; diff --git a/container/configs/named.conf.rfc1918 b/container/configs/named.conf.rfc1918 new file mode 100644 index 0000000..937d6a5 --- /dev/null +++ b/container/configs/named.conf.rfc1918 
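Review bot: The comments on `recursion yes;` and `allow-recursion { 127.0.0.1; };` both say `// NOTE: Commented out because specified in each zone/view`, but the directives are active and this configuration defines no views; likewise the `forwarders` block is introduced with "replacing the all-0's placeholder" while it already holds 8.8.8.8 and 8.8.4.4. Stale comments like these get copied into user overrides, so they should describe the shipped defaults. Functionally, `allow-query { 127.0.0.1; };` applies to the authoritative zones added in `named.conf.local` as well, so a user who follows `configs/README` and edits only `named.conf.local` gets a master that answers nobody; either the commented zone example there should carry `allow-query { any; };` (a per-zone setting overrides the global one) or this file should state that `allow-query` must be widened for authoritative zones while `allow-recursion` stays restricted to trusted networks.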
@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
diff --git a/container/entrypoint.sh b/container/entrypoint.sh
index a15e905..c5f4364 100755
--- a/container/entrypoint.sh
+++ b/container/entrypoint.sh
@@ -1,4 +1,6 @@
 #!/bin/sh
-chown -R named:named /var/cache/bind
+chown -R root:named /etc/bind /var/bind /var/run/named
+chmod -R 770 /var/bind /var/run/named
+chmod -R 750 /etc/bind
 # Run in foreground and log to STDERR (console):
 exec /usr/sbin/named -c /etc/bind/named.conf -g -u named
diff --git a/run.sh b/run.sh
deleted file mode 100644
index d264248..0000000
--- a/run.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# NOTE: Please make sure you have /DATA with those directories as sources
-# and the appropriate named.conf + zone files
-
-docker run --name=dns-master01
--it -d \
---dns=8.8.8.8 --dns=8.8.4.4 \
--p 53:53/udp -p 53:53 \
--v /DATA/etc/bind:/etc/bind \
--v /DATA/var/cache/bind:/var/cache/bind \
--v /DATA/var/log/named:/var/log/named \
-ventz/bind
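Review bot: `chmod -R 770 /var/bind /var/run/named` and `chmod -R 750 /etc/bind` apply the directory modes to every file as well, so zone files, `named.conf*`, `rndc.key` and `bind.keys` all become group-executable, and because these paths are bind mounts in the documented setup the modes are rewritten on the host files at every start. Directories and files need different modes. Separately, the `mkdir -m 0755 -p /var/run/named` that the old Dockerfile performed is removed in this commit, so unless the Alpine bind package creates that directory the `chown` here fails and the `pid-file "/var/run/named/named.pid"` configured in named.conf.options cannot be written; creating it here is cheap. Suggested replacement for the three permission lines:
```sh
mkdir -p /var/run/named
chown -R root:named /etc/bind /var/bind /var/run/named
find /var/bind /var/run/named -type d -exec chmod 770 {} +
find /var/bind /var/run/named -type f -exec chmod 660 {} +
find /etc/bind -type d -exec chmod 750 {} +
find /etc/bind -type f -exec chmod 640 {} +
# … unchanged: exec /usr/sbin/named … -g -u named …
```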