Major Upgrade - added very detailed configs for many scenarios, with lots of examples. The server is now fully functional for an authoritative master and a recursive/forwarding cacher. You can still mount over the /etc/bind and /var/bind directories and override everything yourself. This should help many users who did not know where to start with bind.
parent ca044d1672
commit 108554317e

README.md
@ -1,46 +1,77 @@
### ISC BIND9 Container (Stable: 9.11.2_xx) built on top of Alpine
### Last update: 2-6-18
### Last update: 2-12-18 (major new update!)

NOTE: "Last Update" is the date of the latest DockerHub build.

This container is a super small (~5MB compressed pull, and only ~9MB
when extracted) FULL version of ISC BIND9.

It is ideal for a quick master, slave, recursive server/resolver, RPZ
"dns firewall", or just about any other purpose you can use bind for.
It is ideal for an extremely secure and fast master (authoritative server),
slave, recursive server/resolver, RPZ "dns firewall", or just
about any other purpose you can use bind for.

# Security - always on the latest stable release!
# Security - always on the latest stable BIND release!
This container will _always_ be up to date on the latest
stable+patched version, usually within 24 hours of it being available
in Alpine. In fact, most of the BIND vulnerabilities so far have been
reported by me to the Alpine developers.

# Required "DATA" directory - for named.conf and zone data:
# How to deploy a Bind (DNS) server?
This container contains everything needed in terms of configuration to
run as an authoritative server or a recursive resolver/forwarding cacher.

However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :)
But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/bind``` with your zones.

# Required "DATA" directory - for configs and zone data:
This container assumes you have a "/DATA" folder with with your container specific data.
You can change that folder (and sub-folders) as needed, but make sure you update the "-v" mounts for the run.
(You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.)

Specifically, you need to have these directories/paths:
```
1.) [ *REQUIRED* ]
In your "/DATA/etc/bind" directory, a file "named.conf", which acts as an entry point to your configs
Take a look at the default config, and the example configs provided

2.) [ *REQUIRED* ]
A "/DATA/var/cache/bind" directory for all of the master or slave zones. If it's for slave zones, it will populate automatically and you can leave it blank.

3.) [ *OPTIONAL* ]
A "/DATA/var/log/named" directory for logging your DNS requests/returns/other breakdown. By default, logging is done to the console
A "/DATA/var/bind" directory for all of the master or slave zones. If it's for slave zones, it will populate automatically and you can leave it blank.
```


# How to run a BIND ("named") Docker Container?

```
docker run --name=dns-master01
# Default Example
# This is just to test it out - by default only allows queries from
# itself (127.0.0.1) -- pretty useless for real world usage
docker run --name=dns-test
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
ventz/bind
```

```
# Customer Override Example for Authoritative Master
# Edit: named.conf.local with your forward zone at least
# and create the file in /var/named/$yourdomain.tld
docker run --name=dns-master
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
-v /DATA/etc/bind:/etc/bind \
-v /DATA/var/cache/bind:/var/cache/bind \
-v /DATA/var/log/named:/var/log/named \
-v /DATA/var/bind:/var/bind \
ventz/bind
```

```
# Custom Override Example for Recursive Resolver/Cacher:
# Edit: named.conf.options -> change the "allow-recursion" and "allow-query" with your subnets
docker run --name=dns-resolver
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
-v /DATA/etc/bind:/etc/bind \
-v /DATA/var/bind:/var/bind \
ventz/bind
```
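Review bot: the `docker run --name=dns-test`, `docker run --name=dns-master` and `docker run --name=dns-resolver` lines carry no trailing backslash, so the shell ends the command there and the following `-it -d \` lines run as separate commands; append ` \` to each of them. In the authoritative block the comment tells the reader to create the zone file in `/var/named/$yourdomain.tld`, but the zone directory mounted in that same block (and used by every config in this commit) is `/var/bind`. Steps 2 and 3 also describe `/DATA/var/cache/bind` and `/DATA/var/bind` with the identical sentence, so it is unclear which one holds the master zone files and which is the cache/slave directory. Minor: "Customer Override" should read "Custom Override", and "with with" in the /DATA paragraph.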
@ -3,19 +3,28 @@ EXPOSE 53 53/udp

RUN apk --update upgrade && apk add bind

RUN mkdir -m 0755 -p /var/run/named && chown -R root:named /var/run/named

# /var/cache/bind needs to be owned by "bind"
# /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
RUN mkdir -m 0755 -p /var/cache/bind && touch /var/cache/bind/docker-init && chown -R named:named /var/cache/bind
# &
# /var/bind needs to be owned by root, group owned by "bind", and chmod 770
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
# &
# Get latest bind.keys
RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \
wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
rndc-confgen -a -r /dev/urandom

COPY configs/. /etc/bind/

# Mounts
# NOTE: Per Dockerfile manual -->
# "if any build steps change the data within the volume
# after it has been declared, those changes will be discarded."
VOLUME ["/etc/bind"]
VOLUME ["/var/cache/bind"]
VOLUME ["/var/bind"]

COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
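Review bot: in the second `RUN`, `mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache` chowns the wrong tree; the comment above says /var/bind should be root:named, and re-chowning /var/cache undoes the `named:named` ownership the previous step just set on /var/cache/bind. The same `RUN` chains its steps with `;` instead of `&&`, so a failed `wget` of bind.keys (the DNSSEC trust anchors that `dnssec-validation auto;` relies on) or a failed `rndc-confgen` does not fail the build and the image ships with a missing or empty /etc/bind/bind.keys; use `&&` throughout. Note also that `rndc-confgen -a` at build time bakes a single rndc.key into an image layer shared by every container started from it, and that key disappears anyway once /etc/bind is replaced by the bind mount the README describes.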
@ -0,0 +1,2 @@
You should add your zones to: named.conf.local
Generally, that's the only file you will need to modify
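Review bot: "that's the only file you will need to modify" contradicts the shipped named.conf.options, whose `allow-query { 127.0.0.1; };` and `allow-recursion { 127.0.0.1; };` refuse every client outside the container; state here that named.conf.options must be edited as well (allow-query for an authoritative server, plus allow-recursion for a resolver) before the server answers anyone.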
@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ -0,0 +1,13 @@
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ -0,0 +1,14 @@
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ -0,0 +1,14 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
@ -0,0 +1,92 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: January 30, 2018
; related version of root zone: 2018013001
;
; FORMERLY NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file
@ -0,0 +1,20 @@
1.) Start with the FULL directory contents of "configs" which has a
fully functioning recurive resolver/forwarding cacher AND an
authoritative config at the same time.

The "configs" directory contains:

* README
* named.conf
* named.conf.default-zones
* named.conf.rfc1918
* named.conf.local -> modify this for all of your authoritative zones
* named.conf.options -> feel free to overwrite this with one fr

default-zones:
db.0 db.127 db.255 db.empty db.local db.root


2.) and then feel free to use the "named.conf.options" provided in the
"example-configs" to override the default with a more "specific
'named.conf.options' as needed for a more
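Review bot: two lines stop mid-sentence (`feel free to overwrite this with one fr` and `as needed for a more`), so this README never actually says which example named.conf.options to copy for which role; finish both sentences and name the two example-configs directories. Typo: `recurive` should be `recursive`.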
@ -0,0 +1,56 @@
// Copy this file to /etc/bind/named.conf.options if you want to run bind as an
// authoritative nameserver. If you want to run a recursive DNS resolver
// instead, see Ventz's "example-configs/recursive-resolver/named.conf.options"
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a secure starting point for running an authoritative nameserver.

options {
directory "/var/bind";

// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };

// If you want to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};

// Specify a list of IPs/masks to allow zone transfers to here.
//
// You can override this on a per-zone basis by specifying this inside a zone
// block.
//
// Warning: Removing this block will cause BIND to revert to its default
// behaviour of allowing zone transfers to any host (!).
allow-transfer {
none;
};

// If you have problems and are behind a firewall:
//query-source address * port 53;

pid-file "/var/run/named/named.pid";

// Changing this is NOT RECOMMENDED; see the notes above and in
// named.conf.recursive.
allow-recursion { none; };
recursion no;
};

// Example of how to configure a zone for which this server is the master:
//zone "example.com" IN {
// type master;
// file "/etc/bind/master/example.com";
//};

// You can include files:
//include "/etc/bind/example.conf";
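Review bot: `listen-on { 127.0.0.1; };` with `listen-on-v6 { none; };` yields an authoritative server reachable only from inside the container, even though the README publishes port 53; either use `any` as the shipped named.conf.options does or say in the comment that this line must be changed. The comment `see the notes above and in named.conf.recursive` refers to a file that does not exist in this tree (the resolver example is example-configs/recursive-resolver/named.conf.options), and the commented zone example uses `/etc/bind/master/example.com` while every other file in the commit keeps zones under `/var/bind`. `recursion no;`, `allow-recursion { none; };` and `allow-transfer { none; };` are the right defaults for this role.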
@ -0,0 +1,104 @@
// Copy this file to /etc/bind/named.conf.options if you want to run bind as a
// recursive DNS resolver. If you want to run an authoritative nameserver
// instead, see Ventz's "example-configs/authoritative/named.conf.options"
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a starting point for running a recursive resolver.
//
//
// *** IMPORTANT ***
// You should note that running an open DNS resolver (that is, a resolver which
// answers queries from any globally routable IP) makes the resolver vulnerable
// to abuse in the form of reflected DDoS attacks.
//
// These attacks are now widely prevalent on the open internet. Even if
// unadvertised, attackers can and will find your resolver by portscanning the
// global IPv4 address space.
//
// In one case the traffic generated using such an attack reached 300 Gb/s (!).
//
// It is therefore imperative that you take care to configure the resolver to
// only answer queries from IP address space you trust or control. See the
// "allow-recursion" directive below.
//
// Bear in mind that with these attacks, the "source" of a query will actually
// be the intended target of a DDoS attack, so this only protects other networks
// from attack, not your own; ideally therefore you should firewall DNS traffic
// at the borders of your network to eliminate spoofed traffic.
//
// This is a complex issue and some level of understanding of these attacks is
// advisable before you attempt to configure a resolver.

options {
directory "/var/bind";

// Specify a list of CIDR masks which should be allowed to issue recursive
// queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
allow-recursion {
127.0.0.1/32;
};

// If you want this resolver to itself resolve via means of another recursive
// resolver, uncomment this block and specify the IP addresses of the desired
// upstream resolvers.
//forwarders {
// 8.8.8.8;
// 8.8.4.4;
//};

// By default the resolver will attempt to perform recursive resolution itself
// if the forwarders are unavailable. If you want this resolver to fail outright
// if the upstream resolvers are unavailable, uncomment this directive.
//forward only;

// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };

// If you have problems and are behind a firewall:
//query-source address * port 53;

pid-file "/var/run/named/named.pid";

// Removing this block will cause BIND to revert to its default behaviour
// of allowing zone transfers to any host (!). There is no need to allow zone
// transfers when operating as a recursive resolver.
allow-transfer { none; };
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};

zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
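Review bot: the zone statements at the end reference `named.ca`, `pri/localhost.zone` and `pri/127.zone` relative to `directory "/var/bind"`, and none of those files is shipped (this commit's hints and loopback zones are /etc/bind/default-zones/db.root, db.local and db.127), so named fails to load with this file in place. Because named.conf.local already includes named.conf.default-zones, the `.`, `localhost` and `127.in-addr.arpa` zones here would also be duplicates of the ones defined there; drop the zone statements and keep only the `options` block. As in the authoritative example, `listen-on { 127.0.0.1; };` needs widening for a published port. The open-resolver warning and `allow-recursion` limited to 127.0.0.1/32 are exactly right.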
@ -0,0 +1,16 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

include "/etc/bind/rndc.key";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
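Review bot: `include "/etc/bind/rndc.key";` depends on the key written by `rndc-confgen -a` in the Dockerfile, but the README's deployment mounts /DATA/etc/bind over /etc/bind, so that file is absent and named refuses to start unless the user also supplies rndc.key; either have entrypoint.sh generate it when missing or list it as a required file in the README. The `/usr/share/doc/bind9/README.Debian.gz` comment is a Debian leftover that does not apply to this Alpine image. Binding `controls` to 127.0.0.1 with a key is the right choice.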
@ -0,0 +1,28 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/default-zones/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/default-zones/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.255";
};
@ -0,0 +1,42 @@
//
// Do any local configuration here
//

///////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////

// STANDARD ZONES
include "/etc/bind/named.conf.default-zones";

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/named.conf.rfc1918";

///////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////


#######################################
# REVERSE 'PTR' RECORDS #
#######################################
# example reverse zone: 1.2.3.4/24
//zone "4.3.2.1.in-addr.arpa" {
// type master;
// file "/var/bind/1.2.3.4.rev";
// notify yes;
//};


#######################################
# FORWARD 'A' RECORDS #
#######################################
# example "forward" (domain) zone: domain.tld
//zone "domain.tld" {
// type master;
// file "/var/bind/domain.tld";
// notify yes;
// #also-notify { a.b.c.d; };
// #allow-transfer { localhost; a.b.c.d; };
// # vs
// #allow-transfer { "none"; };
//};
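Review bot: the reverse-zone example is wrong: `1.2.3.4/24` is not a network (a /24 there would be 1.2.3.0/24) and the reverse zone for it is `3.2.1.in-addr.arpa`; `4.3.2.1.in-addr.arpa` is the reverse name of the single address 1.2.3.4. Anyone copying this will create a zone that never matches their PTR queries. Also write `allow-transfer { none; };` unquoted, as every other file in this commit does; the quoted `"none"` is not the documented form of the builtin ACL.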
@ -0,0 +1,105 @@
options {
directory "/var/bind";

// Remove (hide) our bind version - no reason to disclose it
version "";

// Configure the IPs to listen on here.
listen-on { any; };
listen-on-v6 { none; };

// QUERY SOURCE - Useful for caching servers behind a firewall
// Default: address * port *
// Values : The IP address and port to use as the source of queries to other servers
// If you have problems and are behind a firewall, uncomment:
//query-source address * port *;

pid-file "/var/run/named/named.pid";

// statistics-file "/var/cache/bind/named.stats";
// zone-statistics yes;

// If you want to allow only specific hosts to use the DNS server:
allow-query { 127.0.0.1; };

// Specify a list of IPs/masks to allow zone transfers to here.
//
// You can override this on a per-zone basis by specifying this inside a zone
// block.
//
// Warning: Removing this block will cause BIND to revert to its default
// behaviour of allowing zone transfers to any host (!).
allow-transfer { none; };


// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// RECURSION - Required for caching servers
// Default: yes
// Values : yes, no
//
// yes: Attempt to resolve requests we are not authoritative for
// no : Do not resolve requests we are not authoritative for
//
// NOTE: Commented out because specified in each zone/view
recursion yes;
//recursion no;


// ALLOW-RECURSION - Who may use our caching server?
// Default: any;
// Values : any, none, (addresslist)
//
// any : anybody may use the caching server
// none : noone may use the caching server
// address: List of IP addresses that may use the caching server.
// allow-recursion { localhost; localnets; };
//
// NOTE: Commented out because specified in each zone/view
// allow-recursion { clients; servers; lan; };
//allow-recursion { none; };
allow-recursion { 127.0.0.1; };

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
8.8.8.8;
8.8.4.4;
};

// FORWARD - Recommended for caching servers
// Default: first
// Values : first, only
//
// first: Query "forwarders" first, then resolve request ourself
// only : Only query the "forwarders" to resolve requests
//
forward first;


// NOTIFY - Relevant to authoritative servers
// Default: yes
// Values : yes, explicit, no
//
// yes : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes
// explicit: Only send DNS NOTIFY messages to "also-notify" hosts
// no : Never automatically send DNS NOTIFY messages
//
notify yes;

// Need this for SRV records
check-names master ignore;

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035
};
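Review bot: several comments no longer match the directives under them: `NOTE: Commented out because specified in each zone/view` sits above `recursion yes;` and again above `allow-recursion { 127.0.0.1; };`, both of which are active, and the forwarders comment says to uncomment the block and replace `the all-0's placeholder` although the block is live with 8.8.8.8 and 8.8.4.4 already filled in. It is worth stating next to `allow-query { 127.0.0.1; };` that it also gates the authoritative zones, so a master deployed per the README answers nobody until it is widened, and next to `recursion yes;` that with `listen-on { any; };` on a published port the `allow-recursion` list is the only thing preventing an open resolver. `version "";`, `allow-transfer { none; };` and `dnssec-validation auto;` (which needs the bind.keys the Dockerfile fetches) are good defaults.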
@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };

zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };

zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; };
@ -1,4 +1,6 @@
#!/bin/sh
chown -R named:named /var/cache/bind
chown -R root:named /etc/bind /var/bind /var/run/named
chmod -R 770 /var/bind /var/run/named
chmod -R 750 /etc/bind
# Run in foreground and log to STDERR (console):
exec /usr/sbin/named -c /etc/bind/named.conf -g -u named
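Review bot: `chmod -R 770 /var/bind /var/run/named` and `chmod -R 750 /etc/bind` are recursive, so on every start they rewrite the mode of the whole tree, including the host files behind the /DATA bind mounts, and give every zone file and config the execute bit; use `find ... -type d -exec chmod 750` / `-type f -exec chmod 640` (and 770/660 for /var/bind) so only directories are traversable and files stay non-executable. Running `named -g -u named` in the foreground, dropping privileges, is the right call.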
run.sh
@ -1,12 +0,0 @@
#!/bin/bash
# NOTE: Please make sure you have /DATA with those directories as sources
# and the appropriate named.conf + zone files

docker run --name=dns-master01
-it -d \
--dns=8.8.8.8 --dns=8.8.4.4 \
-p 53:53/udp -p 53:53 \
-v /DATA/etc/bind:/etc/bind \
-v /DATA/var/cache/bind:/var/cache/bind \
-v /DATA/var/log/named:/var/log/named \
ventz/bind