Major Upgrade - added very detailed configs for many scenarios, with lots of examples. The server is now fully functional for an authoritative master and a recursive/forwarding cacher. You can still mount over the /etc/bind and /var/bind directories and override everything yourself. This should help many users who did not know where to start with bind.

Ventz Petkov 2018-02-12 23:35:24 -05:00
parent ca044d1672
commit 108554317e
20 changed files with 611 additions and 31 deletions


@ -1,46 +1,77 @@
### ISC BIND9 Container (Stable: 9.11.2_xx) built on top of Alpine ### ISC BIND9 Container (Stable: 9.11.2_xx) built on top of Alpine
### Last update: 2-6-18 ### Last update: 2-12-18 (major new update!)
NOTE: "Last Update" is the date of the latest DockerHub build. NOTE: "Last Update" is the date of the latest DockerHub build.
This container is a super small (~5MB compressed pull, and only ~9MB This container is a super small (~5MB compressed pull, and only ~9MB
when extracted) FULL version of ISC BIND9. when extracted) FULL version of ISC BIND9.
It is ideal for a quick master, slave, recursive server/resolver, RPZ It is ideal for an extremely secure and fast master (authoritative server),
"dns firewall", or just about any other purpose you can use bind for. slave, recursive server/resolver, RPZ "dns firewall", or just
about any other purpose you can use bind for.
# Security - always on the latest stable release! # Security - always on the latest stable BIND release!
This container will _always_ be up to date on the latest This container will _always_ be up to date on the latest
stable+patched version, usually within 24 hours of it being available stable+patched version, usually within 24 hours of it being available
in Alpine. In fact, most of the BIND vulnerabilities so far have been in Alpine. In fact, most of the BIND vulnerabilities so far have been
reported by me to the Alpine developers. reported by me to the Alpine developers.
# Required "DATA" directory - for named.conf and zone data: # How to deploy a Bind (DNS) server?
This container contains everything needed in terms of configuration to
run as an authoritative server or a recursive resolver/forwarding cacher.
However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :)
But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/bind``` with your zones.
# Required "DATA" directory - for configs and zone data:
This container assumes you have a "/DATA" folder with with your container specific data. This container assumes you have a "/DATA" folder with with your container specific data.
You can change that folder (and sub-folders) as needed, but make sure you update the "-v" mounts for the run. (You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.)
Specifically, you need to have these directories/paths: Specifically, you need to have these directories/paths:
``` ```
1.) [ *REQUIRED* ] 1.) [ *REQUIRED* ]
In your "/DATA/etc/bind" directory, a file "named.conf", which acts as an entry point to your configs In your "/DATA/etc/bind" directory, a file "named.conf", which acts as an entry point to your configs
Take a look at the default config, and the example configs provided
2.) [ *REQUIRED* ] 2.) [ *REQUIRED* ]
A "/DATA/var/cache/bind" directory for all of the master or slave zones. If it's for slave zones, it will populate automatically and you can leave it blank. A "/DATA/var/bind" directory for all of the master or slave zones. If it's for slave zones, it will populate automatically and you can leave it blank.
3.) [ *OPTIONAL* ]
A "/DATA/var/log/named" directory for logging your DNS requests/returns/other breakdown. By default, logging is done to the console
``` ```
# How to run a BIND ("named") Docker Container? # How to run a BIND ("named") Docker Container?
``` ```
docker run --name=dns-master01 # Default Example
# This is just to test it out - by default only allows queries from
# itself (127.0.0.1) -- pretty useless for real world usage
docker run --name=dns-test
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
ventz/bind
```
```
# Customer Override Example for Authoritative Master
# Edit: named.conf.local with your forward zone at least
# and create the file in /var/named/$yourdomain.tld
docker run --name=dns-master
-it -d \ -it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \ --dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \ -p 53:53/udp -p 53:53 \
-v /DATA/etc/bind:/etc/bind \ -v /DATA/etc/bind:/etc/bind \
-v /DATA/var/cache/bind:/var/cache/bind \ -v /DATA/var/bind:/var/bind \
-v /DATA/var/log/named:/var/log/named \ ventz/bind
```
```
# Custom Override Example for Recursive Resolver/Cacher:
# Edit: named.conf.options -> change the "allow-recursion" and "allow-query" with your subnets
docker run --name=dns-resolver
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
-v /DATA/etc/bind:/etc/bind \
-v /DATA/var/bind:/var/bind \
ventz/bind ventz/bind
``` ```
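Review bot: all three new `docker run` examples are missing the line continuation after their first line (`docker run --name=dns-test`, `docker run --name=dns-master` and `docker run --name=dns-resolver` have no trailing `\`), so pasting them runs `docker run --name=...` on its own and then `-it -d \` as a separate command; the deleted `run.sh` carried the same defect. The master example also sends users to `/var/named/$yourdomain.tld` while the mount, the Dockerfile and `named.conf.local` all use `/var/bind`, and "Customer Override Example" should read "Custom Override Example" to match the resolver heading. In the "How to deploy" paragraph it is worth saying why the 127.0.0.1 default is useless in a container: queries that come in through `-p 53:53` never appear as 127.0.0.1 inside the container (they arrive from the Docker bridge or from the real client address), so `allow-query` and `allow-recursion` must be changed before the server answers anyone.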

build.sh Normal file → Executable file

@ -3,19 +3,28 @@ EXPOSE 53 53/udp
RUN apk --update upgrade && apk add bind RUN apk --update upgrade && apk add bind
RUN mkdir -m 0755 -p /var/run/named && chown -R root:named /var/run/named # /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
# /var/cache/bind needs to be owned by "bind"
# since we are mounting, do it manually # since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown # NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
RUN mkdir -m 0755 -p /var/cache/bind && touch /var/cache/bind/docker-init && chown -R named:named /var/cache/bind # &
# /var/bind needs to be owned by root, group owned by "bind", and chmod 770
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
# &
# Get latest bind.keys
RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \
wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
rndc-confgen -a -r /dev/urandom
COPY configs/. /etc/bind/
# Mounts # Mounts
# NOTE: Per Dockerfile manual --> # NOTE: Per Dockerfile manual -->
# "if any build steps change the data within the volume # "if any build steps change the data within the volume
# after it has been declared, those changes will be discarded." # after it has been declared, those changes will be discarded."
VOLUME ["/etc/bind"] VOLUME ["/etc/bind"]
VOLUME ["/var/cache/bind"] VOLUME ["/var/bind"]
COPY entrypoint.sh / COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"] ENTRYPOINT ["/entrypoint.sh"]
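Review bot: the `chown` on the new `RUN` line targets the wrong directory: `mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \` changes ownership of `/var/cache` and leaves `/var/bind` owned by root:root, contradicting the comment directly above it (`/var/bind needs to be owned by root, group owned by "bind", and chmod 770`); it should be `chown -R root:named /var/bind`. Two further points on the same `RUN`: `rndc-confgen -a -r /dev/urandom` runs at image build time, so every pull of the published image ships the same `/etc/bind/rndc.key`, and the key would be better generated in `entrypoint.sh` when the file is absent; and the `bind.keys` download is a DNSSEC trust-anchor fetch with no checksum or signature check, so either verify it against a pinned hash or rely on the compiled-in anchors that `dnssec-validation auto` already uses. Minor: `mkdir -m 0770 -p /etc/bind` disagrees with the 750 the comment asks for, and only the entrypoint fixes that up later.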

container/configs/README Normal file

@ -0,0 +1,2 @@
You should add your zones to: named.conf.local
Generally, that's the only file you will need to modify
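Review bot: this README tells users that `named.conf.local` is generally the only file to modify, but the shipped `named.conf.options` restricts `allow-query` and `allow-recursion` to 127.0.0.1 and the top-level README says that must be changed for any real use; mention `named.conf.options` here as well so the two READMEs agree.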


@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.


@ -0,0 +1,13 @@
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.


@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.


@ -0,0 +1,14 @@
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.


@ -0,0 +1,14 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1


@ -0,0 +1,92 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: January 30, 2018
; related version of root zone: 2018013001
;
; FORMERLY NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file
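Review bot: `db.root` is a snapshot (`last update: January 30, 2018`, root zone `2018013001`) and nothing in the image refreshes it, so it will drift as root server addresses change. named carries compiled-in root hints that it uses whenever no `type hint` zone is configured, so the hint zone in `named.conf.default-zones` could simply be dropped; if the file is kept, its refresh should be part of the DockerHub rebuild the top-level README already promises.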


@ -0,0 +1,20 @@
1.) Start with the FULL directory contents of "configs" which has a
fully functioning recurive resolver/forwarding cacher AND an
authoritative config at the same time.
The "configs" directory contains:
* README
* named.conf
* named.conf.default-zones
* named.conf.rfc1918
* named.conf.local -> modify this for all of your authoritative zones
* named.conf.options -> feel free to overwrite this with one fr
default-zones:
db.0 db.127 db.255 db.empty db.local db.root
2.) and then feel free to use the "named.conf.options" provided in the
"example-configs" to override the default with a more "specific
'named.conf.options' as needed for a more
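Review bot: two sentences in this README are cut off mid-way (`feel free to overwrite this with one fr` and `as needed for a more`) and `recurive` should be `recursive`. The text also presents the default `configs` as a resolver and an authoritative server at the same time, which is exactly the combination both example `named.conf.options` files warn against; it should say which role the default is meant for and point to the example configs as the recommended single-role shapes.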


@ -0,0 +1,56 @@
// Copy this file to /etc/bind/named.conf.options if you want to run bind as an
// authoritative nameserver. If you want to run a recursive DNS resolver
// instead, see Ventz's "example-configs/recursive-resolver/named.conf.options"
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a secure starting point for running an authoritative nameserver.
options {
directory "/var/bind";
// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
// If you want to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};
// Specify a list of IPs/masks to allow zone transfers to here.
//
// You can override this on a per-zone basis by specifying this inside a zone
// block.
//
// Warning: Removing this block will cause BIND to revert to its default
// behaviour of allowing zone transfers to any host (!).
allow-transfer {
none;
};
// If you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/var/run/named/named.pid";
// Changing this is NOT RECOMMENDED; see the notes above and in
// named.conf.recursive.
allow-recursion { none; };
recursion no;
};
// Example of how to configure a zone for which this server is the master:
//zone "example.com" IN {
// type master;
// file "/etc/bind/master/example.com";
//};
// You can include files:
//include "/etc/bind/example.conf";
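Review bot: the comment `see the notes above and in named.conf.recursive` refers to a file that does not exist in this tree (the resolver example lives at `example-configs/recursive-resolver/named.conf.options`). The commented-out zone example uses `file "/etc/bind/master/example.com"` while `directory "/var/bind"`, the README and `named.conf.local` all keep zone data under `/var/bind`; pick one location. `listen-on { 127.0.0.1; };` also means a container started from this file cannot be reached through `-p 53:53` at all; `listen-on { any; }` with a tight `allow-query`, as in the default options, is the container-friendly form. This file additionally drops the `version "";` hardening that the default options apply.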


@ -0,0 +1,104 @@
// Copy this file to /etc/bind/named.conf.options if you want to run bind as a
// recursive DNS resolver. If you want to run an authoritative nameserver
// instead, see Ventz's "example-configs/authoritative/named.conf.options"
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a starting point for running a recursive resolver.
//
//
// *** IMPORTANT ***
// You should note that running an open DNS resolver (that is, a resolver which
// answers queries from any globally routable IP) makes the resolver vulnerable
// to abuse in the form of reflected DDoS attacks.
//
// These attacks are now widely prevalent on the open internet. Even if
// unadvertised, attackers can and will find your resolver by portscanning the
// global IPv4 address space.
//
// In one case the traffic generated using such an attack reached 300 Gb/s (!).
//
// It is therefore imperative that you take care to configure the resolver to
// only answer queries from IP address space you trust or control. See the
// "allow-recursion" directive below.
//
// Bear in mind that with these attacks, the "source" of a query will actually
// be the intended target of a DDoS attack, so this only protects other networks
// from attack, not your own; ideally therefore you should firewall DNS traffic
// at the borders of your network to eliminate spoofed traffic.
//
// This is a complex issue and some level of understanding of these attacks is
// advisable before you attempt to configure a resolver.
options {
directory "/var/bind";
// Specify a list of CIDR masks which should be allowed to issue recursive
// queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
allow-recursion {
127.0.0.1/32;
};
// If you want this resolver to itself resolve via means of another recursive
// resolver, uncomment this block and specify the IP addresses of the desired
// upstream resolvers.
//forwarders {
// 8.8.8.8;
// 8.8.4.4;
//};
// By default the resolver will attempt to perform recursive resolution itself
// if the forwarders are unavailable. If you want this resolver to fail outright
// if the upstream resolvers are unavailable, uncomment this directive.
//forward only;
// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
// If you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/var/run/named/named.pid";
// Removing this block will cause BIND to revert to its default behaviour
// of allowing zone transfers to any host (!). There is no need to allow zone
// transfers when operating as a recursive resolver.
allow-transfer { none; };
};
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
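Review bot: copying this file over `/etc/bind/named.conf.options` as its header instructs will stop named from starting. It defines `zone "." { type hint; file "named.ca"; }`, `zone "localhost"` and `zone "127.in-addr.arpa"`, all of which `named.conf.local` already defines through `named.conf.default-zones`, so named rejects the duplicate zone definitions at load; and the files it names (`named.ca`, `pri/localhost.zone`, `pri/127.zone`, relative to `/var/bind`) are not shipped by this commit, which provides `/etc/bind/default-zones/db.root`, `db.local` and `db.127` instead. Drop the zone blocks from this options file and let the includes in `named.conf.local` provide them. `listen-on { 127.0.0.1; };` also leaves the resolver unreachable through the published port.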


@ -0,0 +1,16 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
include "/etc/bind/rndc.key";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
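Review bot: `include "/etc/bind/rndc.key";` is a hard dependency: anyone who follows the README and bind-mounts `/DATA/etc/bind` over `/etc/bind` without copying or generating an `rndc.key` gets a fatal file-not-found on the include and named will not start. Either document `rndc-confgen -a` as a required step for overrides, or have `entrypoint.sh` generate the key when the file is absent. The header comment pointing at `/usr/share/doc/bind9/README.Debian.gz` is a Debian leftover that does not exist in the Alpine image.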


@ -0,0 +1,28 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/default-zones/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/default-zones/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.255";
};


@ -0,0 +1,42 @@
//
// Do any local configuration here
//
///////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////
// STANDARD ZONES
include "/etc/bind/named.conf.default-zones";
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/named.conf.rfc1918";
///////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////
#######################################
# REVERSE 'PTR' RECORDS #
#######################################
# example reverse zone: 1.2.3.4/24
//zone "4.3.2.1.in-addr.arpa" {
// type master;
// file "/var/bind/1.2.3.4.rev";
// notify yes;
//};
#######################################
# FORWARD 'A' RECORDS #
#######################################
# example "forward" (domain) zone: domain.tld
//zone "domain.tld" {
// type master;
// file "/var/bind/domain.tld";
// notify yes;
// #also-notify { a.b.c.d; };
// #allow-transfer { localhost; a.b.c.d; };
// # vs
// #allow-transfer { "none"; };
//};
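Review bot: the example reverse zone does not match its own comment: `# example reverse zone: 1.2.3.4/24` is paired with `zone "4.3.2.1.in-addr.arpa"`, which is the reverse zone for the single address 1.2.3.4; a /24 such as 1.2.3.0/24 is served by `3.2.1.in-addr.arpa`. The `// Consider adding the 1918 zones here, if they are not used in your organization` comment sits above an unconditional `include "/etc/bind/named.conf.rfc1918";`, so a site that does use RFC 1918 addressing gets authoritative NXDOMAIN for its own reverse lookups instead of having them forwarded; either comment the include out by default or reword the note to say it is on. Style: the file mixes `//`, `#` and `///` banner comments; named.conf accepts all of them, but one style reads better.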


@ -0,0 +1,105 @@
options {
directory "/var/bind";
// Remove (hide) our bind version - no reason to disclose it
version "";
// Configure the IPs to listen on here.
listen-on { any; };
listen-on-v6 { none; };
// QUERY SOURCE - Useful for caching servers behind a firewall
// Default: address * port *
// Values : The IP address and port to use as the source of queries to other servers
// If you have problems and are behind a firewall, uncomment:
//query-source address * port *;
pid-file "/var/run/named/named.pid";
// statistics-file "/var/cache/bind/named.stats";
// zone-statistics yes;
// If you want to allow only specific hosts to use the DNS server:
allow-query { 127.0.0.1; };
// Specify a list of IPs/masks to allow zone transfers to here.
//
// You can override this on a per-zone basis by specifying this inside a zone
// block.
//
// Warning: Removing this block will cause BIND to revert to its default
// behaviour of allowing zone transfers to any host (!).
allow-transfer { none; };
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// RECURSION - Required for caching servers
// Default: yes
// Values : yes, no
//
// yes: Attempt to resolve requests we are not authoritative for
// no : Do not resolve requests we are not authoritative for
//
// NOTE: Commented out because specified in each zone/view
recursion yes;
//recursion no;
// ALLOW-RECURSION - Who may use our caching server?
// Default: any;
// Values : any, none, (addresslist)
//
// any : anybody may use the caching server
// none : noone may use the caching server
// address: List of IP addresses that may use the caching server.
// allow-recursion { localhost; localnets; };
//
// NOTE: Commented out because specified in each zone/view
// allow-recursion { clients; servers; lan; };
//allow-recursion { none; };
allow-recursion { 127.0.0.1; };
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
8.8.8.8;
8.8.4.4;
};
// FORWARD - Recommended for caching servers
// Default: first
// Values : first, only
//
// first: Query "forwarders" first, then resolve request ourself
// only : Only query the "forwarders" to resolve requests
//
forward first;
// NOTIFY - Relevant to authoritative servers
// Default: yes
// Values : yes, explicit, no
//
// yes : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes
// explicit: Only send DNS NOTIFY messages to "also-notify" hosts
// no : Never automatically send DNS NOTIFY messages
//
notify yes;
// Need this for SRV records
check-names master ignore;
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
};
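Review bot: several comments no longer describe the directives beneath them: `NOTE: Commented out because specified in each zone/view` precedes an active `recursion yes;` and again an active `allow-recursion { 127.0.0.1; };`, `insert the addresses replacing the all-0's placeholder` precedes a populated, uncommented `forwarders` block, and the commented `statistics-file "/var/cache/bind/named.stats"` points at the directory this commit removes. `check-names master ignore;` with the comment `Need this for SRV records` looks unnecessary: check-names applies to the owner names of A, AAAA and MX records and to the hostnames inside NS, SOA, MX and SRV RDATA, not to underscore-labelled SRV owner names, so unless the SRV targets themselves are not valid hostnames the directive only switches off a useful sanity check. Design note: this default is authoritative and recursive in one instance (`recursion yes;` together with `notify yes;`), which is the combination both example options files say not to run; the README should state that the default exists for convenience and that the example configs are the recommended production shapes.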


@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };


@ -1,4 +1,6 @@
#!/bin/sh #!/bin/sh
chown -R named:named /var/cache/bind chown -R root:named /etc/bind /var/bind /var/run/named
chmod -R 770 /var/bind /var/run/named
chmod -R 750 /etc/bind
# Run in foreground and log to STDERR (console): # Run in foreground and log to STDERR (console):
exec /usr/sbin/named -c /etc/bind/named.conf -g -u named exec /usr/sbin/named -c /etc/bind/named.conf -g -u named
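Review bot: `chmod -R 770 /var/bind /var/run/named` and `chmod -R 750 /etc/bind` run on every start and, because these paths are bind mounts of `/DATA/...`, rewrite the mode of every file in the operator's host tree (zone files, `named.conf` and `rndc.key` become executable and lose world-read); the recursive `chown` does the same to ownership. Apply the directory modes without `-R`, or split them with `find ... -type d -exec chmod 770` and `-type f -exec chmod 660` for `/var/bind`, keeping `/etc/bind` files at 640. Also add `set -e` so a failed `chown` does not silently fall through to `exec named`.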

run.sh

@ -1,12 +0,0 @@
#!/bin/bash
# NOTE: Please make sure you have /DATA with those directories as sources
# and the appropriate named.conf + zone files
docker run --name=dns-master01
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
-v /DATA/etc/bind:/etc/bind \
-v /DATA/var/cache/bind:/var/cache/bind \
-v /DATA/var/log/named:/var/log/named \
ventz/bind