coryHawkvelt
/
docker-bind
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Updated for: 9.14.8-r0 and added FAQs and clarifications in documentation

This commit is contained in:
Ventz Petkov 2020-02-06 16:36:36 -05:00
parent c748b9aba6
commit c1cc59a24f
1 changed files with 85 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
README.md
View File

@ -1,6 +1,6 @@
### ISC BIND9 Container (Stable: 9.14.7_xx) built on top of Alpine ### ISC BIND9 Container (Stable: 9.14.8_xx) built on top of Alpine
### Last update: 10-24-19 ### Last update: 2-6-20
### Latest Stable Docker Tag: 9.14.7-r0 ### Latest Stable Docker Tag: 9.14.8-r0
NOTE: "Last Update" is the date of the latest DockerHub build. NOTE: "Last Update" is the date of the latest DockerHub build.
@ -11,20 +11,22 @@ It is ideal for an extremely secure and fast master (authoritative server),
slave, recursive server/resolver, RPZ "dns firewall", or just slave, recursive server/resolver, RPZ "dns firewall", or just
about any other purpose you can use bind for. about any other purpose you can use bind for.
# Security - always on the latest stable BIND release! To get started quickly, skip to step "D".
# (A.) Security - always on the latest stable BIND release!
This container will _always_ be up to date on the latest This container will _always_ be up to date on the latest
stable+patched version, usually within 24 hours of it being available stable+patched version, usually within 24 hours of it being available
in Alpine. In fact, most of the BIND vulnerabilities so far have been in Alpine. In fact, most of the BIND vulnerabilities so far have been
reported by me to the Alpine developers. reported by me to the Alpine developers.
# How to deploy a Bind (DNS) server? # (B.) How to deploy a Bind (DNS) server?
This container contains everything needed in terms of configuration to This container contains everything needed in terms of configuration to
run as an authoritative server or a recursive resolver/forwarding cacher. run as an authoritative server or a recursive resolver/forwarding cacher.
However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :) However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :)
But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/cache/bind``` with your zones. But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/cache/bind``` with your zones.
# Required "DATA" directory - for configs and zone data: # (C.) Required "DATA" directory - for configs and zone data:
This container assumes you have a "/DATA" folder with with your container specific data. This container assumes you have a "/DATA" folder with with your container specific data.
(You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.) (You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.)
@ -39,7 +41,7 @@ A "/DATA/var/cache/bind" directory for all of the master or slave zones. If it's
``` ```
# How to run a BIND ("named") Docker Container? # (D.) How to run a BIND ("named") Docker Container?
## Default Example: ## Default Example:
This is just to test it out - by default only allows queries from This is just to test it out - by default only allows queries from
@ -79,3 +81,79 @@ ventz/bind
Additional options may be passed to the bind daemon via the `OPTIONS` argument, provided as: Additional options may be passed to the bind daemon via the `OPTIONS` argument, provided as:
`docker run --env OPTIONS='...' `docker run --env OPTIONS='...'
# (E.) FAQs
## How do I generate an RNDC Key?
```
docker run -it --rm --entrypoint "/usr/sbin/rndc-confgen" ventz/bind
```
Take the portion that looks like this and save to "/etc/bind/rndc.key":
```
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-sha256;
# Note: the secret will be different, this is just an example
secret "zjVC59ehGxbbB6OhYhGaqUTIXu8Imcg3VKzvoMwIMzY=";
};
```
## What configuration files do I need to get started?
I highly recommend reading more about bind if this is your question. Here are some useful resources:
* https://www.bind9.net/manuals
* https://wiki.debian.org/Bind9
* https://help.ubuntu.com/community/BIND9ServerHowto
* https://www.zytrax.com/books/dns/ch7/
* https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-18-04
That said, as a bare minimum (and depending on what you want - recursive, authoritative, etc), you need:
[note: all of these are provided in `container/configs` folder]
1.) Main config: `/etc/bind/named.conf`
2.) Options: `/etc/bind/named.conf.options` (note: sane and secure defaults for recursive! If for authoritative, turn off recursive at least!)
3.) Local zones: `/etc/bind/named.conf.local` (for your zone configs if authoritative/slave/etc)
4.) Optional: `/etc/bind/named.conf.rfc1918` (for your RFC1918 "private IP" zone definitions - this is optional, and while recommended, you may comment out the last line in `named.conf.local` that utilizes it)
5.) Optional: `/etc/bind/default-zones` (folder for rfc1918 definitions - not needed if `named.conf.rfc1918` is not used)
## How do I log everything:
1.) Add to your `named.conf`:
```
...
include "/etc/bind/named.conf.logging";
...
```
and
2.) Create a file `named.conf.logging` with:
```
logging {
channel stdout {
stderr;
severity info;
print-category no;
print-severity no;
print-time yes;
};
# Customize categories as needed
# To log everything, keep at least "default"
category security { stdout; };
category queries { stdout; };
category dnssec { stdout; };
category xfer-in { stdout; };
category xfer-out { stdout; };
category default { stdout; };
};
```
For more information, see: https://www.slideshare.net/MenandMice/bind-9-logging-best-practices