From ed80ef77a3bdfe6a98637e9a09896eab0ed7d401 Mon Sep 17 00:00:00 2001 
From: tcely Date: Thu, 15 Feb 2018 20:22:16 -0500 Subject: [PATCH 1/9] Changes for issue #10 --- container/Dockerfile | 30 ++--- container/configs/README | 5 +- container/configs/default-zones/db.255 | 12 -- .../default-zones/{db.local => db.localhost} | 0 .../default-zones/{db.root => named.cache} | 0 .../configs/default-zones/{db.127 => rev.127} | 0 .../default-zones/{db.0 => rev.broadcast} | 0 container/configs/example-configs/README | 20 ---- .../authoritative/named.conf.options | 56 ---------- .../recursive-resolver/named.conf.options | 104 ------------------ container/configs/named.conf | 5 +- container/configs/named.conf.acls | 10 ++ container/configs/named.conf.default-zones | 18 ++- container/configs/named.conf.local | 6 +- container/configs/named.conf.options | 101 +++-------------- .../configs/named.conf.options.authoritative | 30 +++++ container/configs/named.conf.options.local | 6 + .../configs/named.conf.options.recursive | 58 ++++++++++ container/configs/named.conf.rfc1918 | 36 +++--- container/entrypoint.sh | 38 ++++++- 20 files changed, 206 insertions(+), 329 deletions(-) delete mode 100644 container/configs/default-zones/db.255 rename container/configs/default-zones/{db.local => db.localhost} (100%) rename container/configs/default-zones/{db.root => named.cache} (100%) rename container/configs/default-zones/{db.127 => rev.127} (100%) rename container/configs/default-zones/{db.0 => rev.broadcast} (100%) delete mode 100644 container/configs/example-configs/README delete mode 100644 container/configs/example-configs/authoritative/named.conf.options delete mode 100644 container/configs/example-configs/recursive-resolver/named.conf.options create mode 100644 container/configs/named.conf.acls create mode 100644 container/configs/named.conf.options.authoritative create mode 100644 container/configs/named.conf.options.local create mode 100644 container/configs/named.conf.options.recursive 
diff --git a/container/Dockerfile b/container/Dockerfile index 1307ecb..60379d9 100644 --- a/container/Dockerfile +++ b/container/Dockerfile @@ -1,21 +1,16 @@ FROM alpine:latest -EXPOSE 53 53/udp -RUN apk --update upgrade && apk add bind +EXPOSE 53 53/udp +COPY entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] -# /etc/bind needs to be owned by root, group owned by "bind", and chmod 750 -# since we are mounting, do it manually -# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown -# & -# /var/bind needs to be owned by root, group owned by "bind", and chmod 770 -# since we are mounting, do it manually -# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown -# & -# Get latest bind.keys -RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \ - mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \ - wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \ - rndc-confgen -a -r /dev/urandom +RUN apk --update upgrade && \ + apk add bind gnupg1 && \ + rm -rf /var/cache/apk/* && \ + chmod g-w /var/bind && \ + cp -p /etc/bind/bind.keys /var/bind/ && \ + install -d -m 0770 -o named -g named /var/cache/bind && \ + ln -s ../../var/bind/rndc.key /etc/bind/rndc.key COPY configs/. /etc/bind/ @@ -23,8 +18,5 @@ COPY configs/. /etc/bind/ # NOTE: Per Dockerfile manual --> # "if any build steps change the data within the volume # after it has been declared, those changes will be discarded." -VOLUME ["/etc/bind"] -VOLUME ["/var/bind"] +VOLUME ["/etc/bind", "/var/cache/bind"] -COPY entrypoint.sh / -ENTRYPOINT ["/entrypoint.sh"] diff --git a/container/configs/README b/container/configs/README index 3e50e76..c3ec94b 100644 --- a/container/configs/README +++ b/container/configs/README 
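Review bot: `COPY entrypoint.sh /` and `ENTRYPOINT ["/entrypoint.sh"]` now sit above the `RUN apk ...` layer, so every edit to entrypoint.sh invalidates the package-install cache; move those two lines below the RUN, next to `COPY configs/. /etc/bind/`. In that RUN, `apk --update upgrade && apk add bind gnupg1 && rm -rf /var/cache/apk/*` can be written as `apk upgrade --no-cache && apk add --no-cache bind gnupg1`, which leaves no index to clean up. `FROM alpine:latest` is untouched context, but combined with an unpinned `apk add bind` it means two builds of the same commit can ship different BIND versions; a release tag (e.g. `alpine:3.7`) or a digest would make the image reproducible.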
@@ -1,2 +1,5 @@ You should add your zones to: named.conf.local -Generally, that's the only file you will need to modify +If you want to change server options edit: named.conf.options.local +To add ACLs for use in either of the above files edit: named.conf.acls + +Generally, these are the only files you will need to modify diff --git a/container/configs/default-zones/db.255 b/container/configs/default-zones/db.255 deleted file mode 100644 index e3aabdb..0000000 --- a/container/configs/default-zones/db.255 +++ /dev/null @@ -1,12 +0,0 @@ -; -; BIND reverse data file for broadcast zone -; -$TTL 604800 -@ IN SOA localhost. root.localhost. ( - 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL -; -@ IN NS localhost. diff --git a/container/configs/default-zones/db.local b/container/configs/default-zones/db.localhost similarity index 100% rename from container/configs/default-zones/db.local rename to container/configs/default-zones/db.localhost diff --git a/container/configs/default-zones/db.root b/container/configs/default-zones/named.cache similarity index 100% rename from container/configs/default-zones/db.root rename to container/configs/default-zones/named.cache diff --git a/container/configs/default-zones/db.127 b/container/configs/default-zones/rev.127 similarity index 100% rename from container/configs/default-zones/db.127 rename to container/configs/default-zones/rev.127 diff --git a/container/configs/default-zones/db.0 b/container/configs/default-zones/rev.broadcast similarity index 100% rename from container/configs/default-zones/db.0 rename to container/configs/default-zones/rev.broadcast diff --git a/container/configs/example-configs/README b/container/configs/example-configs/README deleted file mode 100644 index f9f63ee..0000000 --- a/container/configs/example-configs/README +++ /dev/null 
@@ -1,20 +0,0 @@ -1.) Start with the FULL directory contents of "configs" which has a -fully functioning recurive resolver/forwarding cacher AND an -authoritative config at the same time. - -The "configs" directory contains: - -* README -* named.conf -* named.conf.default-zones -* named.conf.rfc1918 -* named.conf.local -> modify this for all of your authoritative zones -* named.conf.options -> feel free to overwrite this with one fr - -default-zones: -db.0 db.127 db.255 db.empty db.local db.root - - -2.) and then feel free to use the "named.conf.options" provided in the -"example-configs" to override the default with a more "specific -'named.conf.options' as needed for a more diff --git a/container/configs/example-configs/authoritative/named.conf.options b/container/configs/example-configs/authoritative/named.conf.options deleted file mode 100644 index da2f936..0000000 --- a/container/configs/example-configs/authoritative/named.conf.options +++ /dev/null 
@@ -1,56 +0,0 @@ -// Copy this file to /etc/bind/named.conf.options if you want to run bind as an -// authoritative nameserver. If you want to run a recursive DNS resolver -// instead, see Ventz's "example-configs/recursive-resolver/named.conf.options" -// -// BIND supports using the same daemon as both authoritative nameserver and -// recursive resolver; it supports this because it is the oldest and original -// nameserver and so was designed before it was realized that combining these -// functions is inadvisable. -// -// In actual fact, combining these functions is a very bad idea. It is thus -// recommended that you run a given instance of BIND as either an authoritative -// nameserver or recursive resolver, not both. The example configuration herein -// provides a secure starting point for running an authoritative nameserver. - -options { - directory "/var/bind"; - - // Configure the IPs to listen on here. - listen-on { 127.0.0.1; }; - listen-on-v6 { none; }; - - // If you want to allow only specific hosts to use the DNS server: - //allow-query { - // 127.0.0.1; - //}; - - // Specify a list of IPs/masks to allow zone transfers to here. - // - // You can override this on a per-zone basis by specifying this inside a zone - // block. - // - // Warning: Removing this block will cause BIND to revert to its default - // behaviour of allowing zone transfers to any host (!). - allow-transfer { - none; - }; - - // If you have problems and are behind a firewall: - //query-source address * port 53; - - pid-file "/var/run/named/named.pid"; - - // Changing this is NOT RECOMMENDED; see the notes above and in - // named.conf.recursive. - allow-recursion { none; }; - recursion no; -}; - -// Example of how to configure a zone for which this server is the master: -//zone "example.com" IN { -// type master; -// file "/etc/bind/master/example.com"; -//}; - -// You can include files: -//include "/etc/bind/example.conf"; 
diff --git a/container/configs/example-configs/recursive-resolver/named.conf.options b/container/configs/example-configs/recursive-resolver/named.conf.options deleted file mode 100644 index d9c164f..0000000 --- a/container/configs/example-configs/recursive-resolver/named.conf.options +++ /dev/null 
@@ -1,104 +0,0 @@ -// Copy this file to /etc/bind/named.conf.options if you want to run bind as a -// recursive DNS resolver. If you want to run an authoritative nameserver -// instead, see Ventz's "example-configs/authoritative/named.conf.options" -// -// BIND supports using the same daemon as both authoritative nameserver and -// recursive resolver; it supports this because it is the oldest and original -// nameserver and so was designed before it was realized that combining these -// functions is inadvisable. -// -// In actual fact, combining these functions is a very bad idea. It is thus -// recommended that you run a given instance of BIND as either an authoritative -// nameserver or recursive resolver, not both. The example configuration herein -// provides a starting point for running a recursive resolver. -// -// -// *** IMPORTANT *** -// You should note that running an open DNS resolver (that is, a resolver which -// answers queries from any globally routable IP) makes the resolver vulnerable -// to abuse in the form of reflected DDoS attacks. -// -// These attacks are now widely prevalent on the open internet. Even if -// unadvertised, attackers can and will find your resolver by portscanning the -// global IPv4 address space. -// -// In one case the traffic generated using such an attack reached 300 Gb/s (!). -// -// It is therefore imperative that you take care to configure the resolver to -// only answer queries from IP address space you trust or control. See the -// "allow-recursion" directive below. -// -// Bear in mind that with these attacks, the "source" of a query will actually -// be the intended target of a DDoS attack, so this only protects other networks -// from attack, not your own; ideally therefore you should firewall DNS traffic -// at the borders of your network to eliminate spoofed traffic. -// -// This is a complex issue and some level of understanding of these attacks is -// advisable before you attempt to configure a resolver. 
- -options { - directory "/var/bind"; - - // Specify a list of CIDR masks which should be allowed to issue recursive - // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above. - allow-recursion { - 127.0.0.1/32; - }; - - // If you want this resolver to itself resolve via means of another recursive - // resolver, uncomment this block and specify the IP addresses of the desired - // upstream resolvers. - //forwarders { - // 8.8.8.8; - // 8.8.4.4; - //}; - - // By default the resolver will attempt to perform recursive resolution itself - // if the forwarders are unavailable. If you want this resolver to fail outright - // if the upstream resolvers are unavailable, uncomment this directive. - //forward only; - - // Configure the IPs to listen on here. - listen-on { 127.0.0.1; }; - listen-on-v6 { none; }; - - // If you have problems and are behind a firewall: - //query-source address * port 53; - - pid-file "/var/run/named/named.pid"; - - // Removing this block will cause BIND to revert to its default behaviour - // of allowing zone transfers to any host (!). There is no need to allow zone - // transfers when operating as a recursive resolver. - allow-transfer { none; }; -}; - -// Briefly, a zone which has been declared delegation-only will be effectively -// limited to containing NS RRs for subdomains, but no actual data beyond its -// own apex (for example, its SOA RR and apex NS RRset). This can be used to -// filter out "wildcard" or "synthesized" data from NAT boxes or from -// authoritative name servers whose undelegated (in-zone) data is of no -// interest. -// See http://www.isc.org/products/BIND/delegation-only.html for more info - -//zone "COM" { type delegation-only; }; -//zone "NET" { type delegation-only; }; - -zone "." 
IN { - type hint; - file "named.ca"; -}; - -zone "localhost" IN { - type master; - file "pri/localhost.zone"; - allow-update { none; }; - notify no; -}; - -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - allow-update { none; }; - notify no; -}; diff --git a/container/configs/named.conf b/container/configs/named.conf index 2e9defb..bf96baa 100644 --- a/container/configs/named.conf +++ b/container/configs/named.conf @@ -1,9 +1,5 @@ // This is the primary configuration file for the BIND DNS server named. // -// Please read /usr/share/doc/bind9/README.Debian.gz for information on the -// structure of BIND configuration files in Debian, *BEFORE* you customize -// this configuration file. -// // If you are just adding zones, please do that in /etc/bind/named.conf.local controls { @@ -11,6 +7,7 @@ controls { }; include "/etc/bind/rndc.key"; +include "/etc/bind/named.conf.acls"; include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; diff --git a/container/configs/named.conf.acls b/container/configs/named.conf.acls new file mode 100644 index 0000000..086781c --- /dev/null +++ b/container/configs/named.conf.acls @@ -0,0 +1,10 @@ +// Default ACLs defined by bind +// +// any - Matches all hosts. +// none - Matches no hosts. +// localhost - Matches the IPv4 and IPv6 addresses of all network interfaces on the system. +// localnets - Matches any host on an IPv4 or IPv6 network for which the system has an interface. + +acl "recursors" { + 127.0.0.1; +}; diff --git a/container/configs/named.conf.default-zones b/container/configs/named.conf.default-zones index 67409fb..adf153e 100644 --- a/container/configs/named.conf.default-zones +++ b/container/configs/named.conf.default-zones @@ -1,7 +1,7 @@ // prime the server with knowledge of the root servers zone "." { type hint; - file "/etc/bind/default-zones/db.root"; + file "/etc/bind/default-zones/named.cache"; }; // be authoritative for the localhost forward and reverse zones, and for 
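Review bot: `acl "recursors" { 127.0.0.1; };` only matches queries that originate inside the container's own network namespace; traffic arriving through a published port 53 carries the client's source address (or the bridge gateway's, depending on how the port is published) and is therefore refused recursion by `allow-recursion { recursors; }` in the recursive profile. That is a sensible closed-resolver default, but the file does not say so, and the README only tells users to edit it. Above the acl add `// Loopback only by default: list the client networks allowed to recurse here; never 0.0.0.0/0 on an Internet-facing host.`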
@@ -9,20 +9,28 @@ zone "." { zone "localhost" { type master; - file "/etc/bind/default-zones/db.local"; + file "/etc/bind/default-zones/db.localhost"; + allow-update { none; }; + notify no; }; zone "127.in-addr.arpa" { type master; - file "/etc/bind/default-zones/db.127"; + file "/etc/bind/default-zones/rev.127"; + allow-update { none; }; + notify no; }; zone "0.in-addr.arpa" { type master; - file "/etc/bind/default-zones/db.0"; + file "/etc/bind/default-zones/rev.broadcast"; + allow-update { none; }; + notify no; }; zone "255.in-addr.arpa" { type master; - file "/etc/bind/default-zones/db.255"; + file "/etc/bind/default-zones/rev.broadcast"; + allow-update { none; }; + notify no; }; diff --git a/container/configs/named.conf.local b/container/configs/named.conf.local index 124494a..b5a43ea 100644 --- a/container/configs/named.conf.local +++ b/container/configs/named.conf.local @@ -10,7 +10,7 @@ include "/etc/bind/named.conf.default-zones"; // Consider adding the 1918 zones here, if they are not used in your // organization -include "/etc/bind/named.conf.rfc1918"; +//include "/etc/bind/named.conf.rfc1918"; /////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////// @@ -22,7 +22,7 @@ include "/etc/bind/named.conf.rfc1918"; # example reverse zone: 1.2.3.4/24 //zone "4.3.2.1.in-addr.arpa" { // type master; -// file "/var/bind/1.2.3.4.rev"; +// file "/etc/bind/zones/rev.1.2.3.4"; // notify yes; //}; @@ -33,7 +33,7 @@ include "/etc/bind/named.conf.rfc1918"; # example "forward" (domain) zone: domain.tld //zone "domain.tld" { // type master; -// file "/var/bind/domain.tld"; +// file "/etc/bind/zones/db.domain.tld"; // notify yes; // #also-notify { a.b.c.d; }; // #allow-transfer { localhost; a.b.c.d; }; diff --git a/container/configs/named.conf.options b/container/configs/named.conf.options index de586f0..cf0203a 100644 --- a/container/configs/named.conf.options 
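Review bot: commenting out `include "/etc/bind/named.conf.rfc1918";` means private-range PTR queries are no longer answered locally by this file, so with the recursive profile's forwarders active they would go upstream unless BIND's built-in empty zones (`empty-zones-enable`, on by default in 9.x) cover them, which I believe they do; confirm against the BIND version in the image. Either way the change deserves a reason next to it, e.g. `// Disabled: named serves these as built-in empty zones unless empty-zones-enable is turned off; re-enable if you turn that off or need custom RFC 1918 data.` The two example-zone hunks below only change paths and need nothing further.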
+++ b/container/configs/named.conf.options @@ -1,27 +1,19 @@ options { - directory "/var/bind"; + directory "/var/cache/bind"; + + lock-file none; + pid-file "/var/run/named.pid"; + random-device "/dev/urandom"; + automatic-interface-scan no; + + // statistics-file "named.stats"; + // zone-statistics: (full|terse|none); + // zone-statistics terse; + zone-statistics full; // Remove (hide) our bind version - no reason to disclose it version ""; - - // Configure the IPs to listen on here. - listen-on { any; }; - listen-on-v6 { none; }; - // QUERY SOURCE - Useful for caching servers behind a firewall - // Default: address * port * - // Values : The IP address and port to use as the source of queries to other servers - // If you have problems and are behind a firewall, uncomment: - //query-source address * port *; - - pid-file "/var/run/named/named.pid"; - - // statistics-file "/var/cache/bind/named.stats"; - // zone-statistics yes; - - // If you want to allow only specific hosts to use the DNS server: - allow-query { 127.0.0.1; }; - // Specify a list of IPs/masks to allow zone transfers to here. // // You can override this on a per-zone basis by specifying this inside a zone 
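Review bot: dropping `allow-query { 127.0.0.1; };` lets the option fall back to BIND's default of `any`, so every zone this server loads (localhost, the rfc1918 zones when included, anything in named.conf.local) now answers queries from any source; recursion and the cache stay limited only because allow-query-cache derives from allow-recursion when it is not set explicitly. If serving authoritative data to everyone is the intended default, a comment where the option used to be, e.g. `// allow-query is left at the default (any); cache and recursion access is restricted via allow-recursion in the options.* includes`, would stop a later reader from re-adding the loopback restriction without understanding what it blocks. The options block continues past the end of this hunk.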
@@ -30,71 +22,7 @@ options { // Warning: Removing this block will cause BIND to revert to its default // behaviour of allowing zone transfers to any host (!). allow-transfer { none; }; - - - // If there is a firewall between you and nameservers you want - // to talk to, you may need to fix the firewall to allow multiple - // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - - // RECURSION - Required for caching servers - // Default: yes - // Values : yes, no - // - // yes: Attempt to resolve requests we are not authoritative for - // no : Do not resolve requests we are not authoritative for - // - // NOTE: Commented out because specified in each zone/view - recursion yes; - //recursion no; - - - // ALLOW-RECURSION - Who may use our caching server? - // Default: any; - // Values : any, none, (addresslist) - // - // any : anybody may use the caching server - // none : noone may use the caching server - // address: List of IP addresses that may use the caching server. - // allow-recursion { localhost; localnets; }; - // - // NOTE: Commented out because specified in each zone/view - // allow-recursion { clients; servers; lan; }; - //allow-recursion { none; }; - allow-recursion { 127.0.0.1; }; - - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing - // the all-0's placeholder. 
- - forwarders { - 8.8.8.8; - 8.8.4.4; - }; - - // FORWARD - Recommended for caching servers - // Default: first - // Values : first, only - // - // first: Query "forwarders" first, then resolve request ourself - // only : Only query the "forwarders" to resolve requests - // - forward first; - - - // NOTIFY - Relevant to authoritative servers - // Default: yes - // Values : yes, explicit, no - // - // yes : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes - // explicit: Only send DNS NOTIFY messages to "also-notify" hosts - // no : Never automatically send DNS NOTIFY messages - // - notify yes; - - // Need this for SRV records - check-names master ignore; - + //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys @@ -102,4 +30,9 @@ options { dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 + + // Need this for SRV records + check-names master ignore; + + include "/etc/bind/named.conf.options.local"; }; diff --git a/container/configs/named.conf.options.authoritative b/container/configs/named.conf.options.authoritative new file mode 100644 index 0000000..c9ceef3 --- /dev/null +++ b/container/configs/named.conf.options.authoritative 
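Review bot: `check-names master ignore;` switches off hostname syntax checking for every primary zone, and the justification `// Need this for SRV records` does not appear to hold: BIND's check-names applies to the owner names of A, AAAA and MX records and to hostnames in SOA/NS/MX/SRV/PTR rdata, so an owner such as `_sip._tcp` (constructed example) is not checked in the first place; confirm against the BIND version in the image. If one zone really needs relaxed checking, put `check-names ignore;` inside that zone statement and keep the global default of `fail`, which catches hostname typos before they are served. The options block this hunk edits begins outside the hunk.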
@@ -0,0 +1,30 @@
+// Configure the IPs to listen on here.
+listen-on { 127.0.0.1; };
+listen-on-v6 { none; };
+
+// RECURSION - Required for caching servers
+// Default: yes
+// Values : yes, no
+//
+// yes: Attempt to resolve requests we are not authoritative for
+// no : Do not resolve requests we are not authoritative for
+//
+// NOTE: Commented out because specified in each zone/view
+//recursion yes;
+recursion no;
+
+// ALLOW-RECURSION - Who may use our caching server?
+// Default: any;
+// Values : any, none, (addresslist)
+//
+// any : anybody may use the caching server
+// none : noone may use the caching server
+// address: List of IP addresses that may use the caching server.
+// allow-recursion { localhost; localnets; };
+//
+// NOTE: Commented out because specified in each zone/view
+// allow-recursion { clients; servers; lan; };
+//allow-recursion { recursors; };
+allow-recursion { none; };
+
+allow-query-cache { none; };
diff --git a/container/configs/named.conf.options.local b/container/configs/named.conf.options.local
new file mode 100644
index 0000000..9140b7a
--- /dev/null
+++ b/container/configs/named.conf.options.local
@@ -0,0 +1,6 @@
+//
+// Do any local options configuration here
+//
+
+include "/etc/bind/named.conf.options.recursive";
+//include "/etc/bind/named.conf.options.authoritative";
diff --git a/container/configs/named.conf.options.recursive b/container/configs/named.conf.options.recursive
new file mode 100644
index 0000000..37055be
--- /dev/null
+++ b/container/configs/named.conf.options.recursive
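Review bot: `listen-on { 127.0.0.1; };` binds only the loopback address inside the container, so a published port 53 (the Dockerfile's `EXPOSE 53 53/udp`) never reaches named when this profile is selected and the "authoritative" image answers nobody; in a container the listen address should stay at the default (`any`) and exposure be governed by `allow-query`, `allow-transfer` and the `allow-recursion { none; }` / `allow-query-cache { none; }` lines this file already sets. The comment `// NOTE: Commented out because specified in each zone/view` above `recursion no;` was carried over from the old options file and describes nothing in this profile; replace it with `// Authoritative-only profile: never recurse and never serve cached answers.`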
@@ -0,0 +1,58 @@
+// Configure the IPs to listen on here.
+//listen-on { any; };
+listen-on-v6 { none; };
+
+// QUERY SOURCE - Useful for caching servers behind a firewall
+// Default: address * port *
+// Values : The IP address and port to use as the source of queries to other servers
+// If you have problems and are behind a firewall, uncomment:
+//query-source address * port *;
+
+// If there is a firewall between you and nameservers you want
+// to talk to, you may need to fix the firewall to allow multiple
+// ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+// RECURSION - Required for caching servers
+// Default: yes
+// Values : yes, no
+//
+// yes: Attempt to resolve requests we are not authoritative for
+// no : Do not resolve requests we are not authoritative for
+//
+// NOTE: Commented out because specified in each zone/view
+//recursion yes;
+//recursion no;
+
+// ALLOW-RECURSION - Who may use our caching server?
+// Default: any;
+// Values : any, none, (addresslist)
+//
+// any : anybody may use the caching server
+// none : noone may use the caching server
+// address: List of IP addresses that may use the caching server.
+// allow-recursion { localhost; localnets; };
+//
+// NOTE: Commented out because specified in each zone/view
+// allow-recursion { clients; servers; lan; };
+allow-recursion { recursors; };
+//allow-recursion { none; };
+
+// FORWARD - Recommended for caching servers
+// Default: first
+// Values : first, only
+//
+// first: Query "forwarders" first, then resolve request ourself
+// only : Only query the "forwarders" to resolve requests
+//
+//forward first;
+
+// If your ISP provided one or more IP addresses for stable
+// nameservers, you probably want to use them as forwarders.
+// Uncomment the following block, and insert the addresses replacing
+// the all-0's placeholder.
+
+forwarders {
+ 9.9.9.9;
+ 8.8.8.8;
+ 8.8.4.4;
+};
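Review bot: the `forwarders { 9.9.9.9; 8.8.8.8; 8.8.4.4; };` block is active, yet the comment directly above it still reads `Uncomment the following block, and insert the addresses replacing the all-0's placeholder`, which no longer matches the shipped state. Replace it with something that tells operators what they are opting into, e.g. `// Queries not answered from cache are sent to these public resolvers first (forward first, the default since the directive above is commented); named recurses itself if they fail. Replace them with your own resolvers if upstream operators must not see your query stream.` The `//query-source address * port *;` example also deserves a warning that a fixed source port defeats port randomisation, so it should only ever be uncommented with a real port of `*`.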
diff --git a/container/configs/named.conf.rfc1918 b/container/configs/named.conf.rfc1918
index 937d6a5..402399e 100644
--- a/container/configs/named.conf.rfc1918
+++ b/container/configs/named.conf.rfc1918
@@ -1,20 +1,20 @@ -zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; +zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; -zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; +zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone 
"19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; -zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; diff --git a/container/entrypoint.sh b/container/entrypoint.sh index c5f4364..b959317 100755 --- a/container/entrypoint.sh +++ b/container/entrypoint.sh 
@@ -1,6 +1,38 @@ #!/bin/sh -chown -R root:named /etc/bind /var/bind /var/run/named -chmod -R 770 /var/bind /var/run/named -chmod -R 750 /etc/bind + +# Generate rndc.key file +rndc-confgen -a -b 512 -r /dev/urandom -c /var/bind/rndc.key + +# Update bind.keys file +( + cd /dev/shm + wget 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11.sha512.asc' + wget 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11' + wget -O - 'https://www.isc.org/downloads/software-support-policy/openpgp-key/' | sed -e 's/-----BEGIN/\n&/' | gpg --import + trap "rm -f bind.keys*" EXIT + gpg --verify bind.keys.v9_11.sha512.asc bind.keys.v9_11 || exit $? + cmp -s bind.keys.v9_11 /var/bind/bind.keys && exit 0 + cp -p /var/bind/bind.keys . && \ + cp bind.keys.v9_11 bind.keys && \ + mv -v bind.keys /var/bind/bind.keys +) + +# Ensure bind.keys file +test -s /etc/bind/bind.keys || cp -p /var/bind/bind.keys /etc/bind/ + +# Fix up permissions on mounts +chgrp -R named /etc/bind /var/cache/bind + +chmod -R g+r /etc/bind +chown root:named /etc/bind +chmod 0750 /etc/bind + +chmod -R g+rw /var/cache/bind +chown named:named /var/cache/bind +chmod 0770 /var/cache/bind + +# Check for configuration errors before running named +named-checkconf -z /etc/bind/named.conf || exit $? + # Run in foreground and log to STDERR (console): exec /usr/sbin/named -c /etc/bind/named.conf -g -u named From 307f43c8513961dece2a87daaacc6e81205db9b1 Mon Sep 17 00:00:00 2001 From: tcely Date: Thu, 15 Feb 2018 21:22:26 -0500 Subject: [PATCH 2/9] Fixes from build / testing. --- container/Dockerfile | 4 ++-- container/configs/named.conf.options | 2 +- container/entrypoint.sh | 9 ++++----- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/container/Dockerfile b/container/Dockerfile index 60379d9..5d83a0c 100644 --- a/container/Dockerfile +++ b/container/Dockerfile 
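Review bot: the OpenPGP key that `gpg --verify bind.keys.v9_11.sha512.asc bind.keys.v9_11` trusts is fetched at container start from the same site as the file it is meant to authenticate, with no fingerprint pinned, so the check only proves that whoever can serve isc.org content signed the file; import the key from a copy shipped in the image instead, or compare the imported key against a constant before verifying, e.g. `gpg --fingerprint <ISC_SIGNING_KEY_FINGERPRINT> >/dev/null || exit 1` (placeholder for a fingerprint recorded out of band). The subshell's `|| exit $?` on a failed verification correctly leaves /var/bind/bind.keys untouched, but the outer script never learns about it; append `) || echo 'bind.keys update skipped: download or signature check failed' >&2` so a stale trust anchor at least shows up in the container log. The two `wget` calls before the `trap` line are unchecked as well, and `wget -O - ... | sed ... | gpg --import` scrapes a key out of an HTML page, which is the piece most worth replacing with a key file COPY'd into the image.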
@@ -5,12 +5,12 @@ COPY entrypoint.sh / ENTRYPOINT ["/entrypoint.sh"] RUN apk --update upgrade && \ - apk add bind gnupg1 && \ + apk add bind ca-certificates curl gnupg1 && \ rm -rf /var/cache/apk/* && \ chmod g-w /var/bind && \ cp -p /etc/bind/bind.keys /var/bind/ && \ install -d -m 0770 -o named -g named /var/cache/bind && \ - ln -s ../../var/bind/rndc.key /etc/bind/rndc.key + ln -s ../../var/run/named/rndc.key /etc/bind/rndc.key COPY configs/. /etc/bind/ diff --git a/container/configs/named.conf.options b/container/configs/named.conf.options index cf0203a..5a10acd 100644 --- a/container/configs/named.conf.options +++ b/container/configs/named.conf.options @@ -2,7 +2,7 @@ options { directory "/var/cache/bind"; lock-file none; - pid-file "/var/run/named.pid"; + pid-file "/var/run/named/named.pid"; random-device "/dev/urandom"; automatic-interface-scan no; diff --git a/container/entrypoint.sh b/container/entrypoint.sh index b959317..f9e7f92 100755 --- a/container/entrypoint.sh +++ b/container/entrypoint.sh 
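Review bot: `apk add bind ca-certificates curl gnupg1` is unpinned, so two builds of the same commit can ship different BIND and curl versions; pin them (`bind=<version>` style, with the version kept in a build ARG) or at least record the resolved versions in image labels. The new symlink target `../../var/run/named/rndc.key` does not exist in the built image and is only created by the entrypoint's `rndc-confgen` on each start, which is fine as long as /var/run/named is not mounted over; a comment on the `ln -s` line, `# rndc.key is generated into /var/run/named by entrypoint.sh at start-up`, would explain the dangling link to anyone inspecting the image.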
@@ -1,21 +1,20 @@
 #!/bin/sh
 # Generate rndc.key file
-rndc-confgen -a -b 512 -r /dev/urandom -c /var/bind/rndc.key
+rndc-confgen -a -b 512 -u named -r /dev/urandom -c /var/run/named/rndc.key
 # Update bind.keys file
 (
 cd /dev/shm
- wget 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11.sha512.asc'
- wget 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11'
- wget -O - 'https://www.isc.org/downloads/software-support-policy/openpgp-key/' | sed -e 's/-----BEGIN/\n&/' | gpg --import
+ curl -JLRO 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11{,.sha512.asc}'
+ curl 'https://www.isc.org/downloads/software-support-policy/openpgp-key/' | sed -e 's/-----BEGIN/\n&/' | gpg --import
 trap "rm -f bind.keys*" EXIT
 gpg --verify bind.keys.v9_11.sha512.asc bind.keys.v9_11 || exit $?
 cmp -s bind.keys.v9_11 /var/bind/bind.keys && exit 0
 cp -p /var/bind/bind.keys . && \
 cp bind.keys.v9_11 bind.keys && \
 mv -v bind.keys /var/bind/bind.keys
-)
+) >/dev/null 2>&1
 # Ensure bind.keys file
 test -s /etc/bind/bind.keys || cp -p /var/bind/bind.keys /etc/bind/
From 4fa1407ef6c532a0e2b9bc890ea7a8f332e221e2 Mon Sep 17 00:00:00 2001
From: tcely
Date: Thu, 15 Feb 2018 21:52:33 -0500
Subject: [PATCH 3/9] place managed-keys.bind* files in their own directory
---
container/configs/named.conf.options | 1 +
1 file changed, 1 insertion(+)
diff --git a/container/configs/named.conf.options b/container/configs/named.conf.options
index 5a10acd..9de0231 100644
--- a/container/configs/named.conf.options
+++ b/container/configs/named.conf.options
@@ -1,5 +1,6 @@
 options {
 directory "/var/cache/bind";
+ managed-keys-directory "/var/bind/dyn";
 lock-file none;
 pid-file "/var/run/named/named.pid";
From 5c17e1c0223e99eec9eee6ba1eda70a4c1e33c0d Mon Sep 17 00:00:00 2001
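Review bot: `) >/dev/null 2>&1` on the key-update subshell hides every failure of the step, and nothing checks the subshell's exit status afterwards, so a failed download or a failed `gpg --verify` leaves no trace in the container log and named starts with whatever bind.keys was already present. Both curl calls also lack `-f`, so an HTTP error body is saved as `bind.keys.v9_11` (or piped into `gpg --import`) and only surfaces as a verify failure that is now silent; the second call lacks the `-L` the first one has, so a redirect on the key page yields an empty import. Suggested lines: `curl -fsSJLRO 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11{,.sha512.asc}'`, `curl -fsSL 'https://www.isc.org/downloads/software-support-policy/openpgp-key/' | sed -e 's/-----BEGIN/\n&/' | gpg --import`, and `) >/dev/null || echo 'bind.keys update failed' >&2` so stderr is kept and the outcome is visible.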
From: tcely
Date: Fri, 16 Feb 2018 03:43:58 -0500
Subject: [PATCH 4/9] Add Drone CI configuration.
---
.drone.yml | 27 +++++++++++++++++++++++++++
.drone.yml.sig | 27 +++++++++++++++++++++++++++
2 files changed, 54 insertions(+)
create mode 100644 .drone.yml
create mode 100644 .drone.yml.sig
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..4aac403
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,27 @@
+labels:
+ cpus: '1'
+ ram: '512'
+ mhz: '2000'
+clone:
+ git:
+ image: 'plugins/git'
+ tags: true
+pipeline:
+ edge:
+ image: 'plugins/docker'
+ context: 'container'
+ dockerfile: 'container/Dockerfile'
+ secrets: ["docker_username", "docker_password"]
+ repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}'
+ tag: 'edge'
+ when:
+ branch: 'edge'
+ configs:
+ image: 'plugins/docker'
+ context: 'container'
+ dockerfile: 'container/Dockerfile'
+ secrets: ["docker_username", "docker_password"]
+ repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}'
+ tag: 'configs'
+ when:
+ branch: 'config-changes'
diff --git a/.drone.yml.sig b/.drone.yml.sig
new file mode 100644
index 0000000..aafae16
--- /dev/null
+++ b/.drone.yml.sig
@@ -0,0 +1,27 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
From 7aaed93e590750c9a5ffbd80e021993fab2ea614 Mon Sep 17 00:00:00 2001
From: tcely
Date: Fri, 16 Feb 2018 03:53:25 -0500
Subject: [PATCH 5/9] Gave Drone CI a distinct tag
---
.drone.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index 4aac403..0bf7cbd 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -13,7 +13,7 @@ pipeline:
 dockerfile: 'container/Dockerfile'
 secrets: ["docker_username", "docker_password"]
 repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}'
- tag: 'edge'
+ tag: 'edge-droneci'
 when:
 branch: 'edge'
 configs:
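Review bot: Both pipeline steps run `image: 'plugins/docker'` (and the clone step `image: 'plugins/git'`) with no tag or digest, so the step that receives the `docker_username` and `docker_password` secrets is whatever the registry serves as latest when the build runs; pin them, e.g. `image: 'plugins/docker:<pinned-tag>'`, and add a digest if the Drone version in use accepts one. The `.drone.yml.sig` hunk is unreadable in this listing, so if it is the Drone signature over the yml that gates secret injection, it cannot be checked here whether PATCH 5/9, which edits the yml's `tag:` values without touching the `.sig`, leaves the two in sync.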
@@ -22,6 +22,6 @@ pipeline:
 dockerfile: 'container/Dockerfile'
 secrets: ["docker_username", "docker_password"]
 repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}'
- tag: 'configs'
+ tag: 'configs-droneci'
 when:
 branch: 'config-changes'
From 12f73e0b297839a9321c1eaf2689aa2c029a9b98 Mon Sep 17 00:00:00 2001
From: tcely
Date: Sat, 4 Jan 2020 10:08:51 -0500
Subject: [PATCH 6/9] Use my base to rebuild automatically
---
container/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container/Dockerfile b/container/Dockerfile
index 5d83a0c..888dea8 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM tcely/alpine-aports
 EXPOSE 53 53/udp
 COPY entrypoint.sh /
From 9ae97fa27dd2288303dbe87814ce61ae95ee646e Mon Sep 17 00:00:00 2001
From: tcely
Date: Sat, 4 Jan 2020 10:33:36 -0500
Subject: [PATCH 7/9] Remove rndc.key created by the package
---
container/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container/Dockerfile b/container/Dockerfile
index 888dea8..79cc8c0 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -6,7 +6,7 @@ ENTRYPOINT ["/entrypoint.sh"]
 RUN apk --update upgrade && \
 apk add bind ca-certificates curl gnupg1 && \
- rm -rf /var/cache/apk/* && \
+ rm -rf /etc/bind/rndc.key /var/cache/apk/* && \
 chmod g-w /var/bind && \
 cp -p /etc/bind/bind.keys /var/bind/ && \
 install -d -m 0770 -o named -g named /var/cache/bind && \
From e84565f67d948208d188b1782af745b055c7519c Mon Sep 17 00:00:00 2001
From: tcely
Date: Sat, 4 Jan 2020 12:00:09 -0500
Subject: [PATCH 8/9] Do not rebuild with edge base
---
container/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container/Dockerfile b/container/Dockerfile
index 79cc8c0..31e52b6 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -1,4 +1,4 @@
-FROM tcely/alpine-aports
+FROM tcely/alpine-stable
 EXPOSE 53 53/udp
 COPY entrypoint.sh /
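Review bot: `FROM tcely/alpine-stable` in PATCH 8/9 (and `FROM tcely/alpine-aports` in PATCH 6/9 before it) is an untagged reference to a personal Docker Hub image, so every rebuild floats to that account's current latest and the base is no longer an official, verified-publisher image; pin a tag and a digest, `FROM tcely/alpine-stable:<tag>@sha256:<digest>`, or return to an official `alpine:<version>` base. The subject lines suggest the floating reference is deliberate so the image rebuilds automatically; if that is kept, the build should at least record the base digest it used, and `apk upgrade` in the RUN below becomes redundant with a rebuilt base. The `rm -rf /etc/bind/rndc.key` change in PATCH 7/9 needs a one-line comment, `# drop the package's rndc.key so the symlink to /var/run/named can be created`, since the `ln -s` it enables is outside that hunk.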
From f2a77e82343d7d5e9b35cb47c004de0fc71c1c82 Mon Sep 17 00:00:00 2001
From: tcely
Date: Sat, 17 Jul 2021 21:31:12 -0400
Subject: [PATCH 9/9] gnupg1 won't install on 3.13
---
container/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container/Dockerfile b/container/Dockerfile
index 31e52b6..22099e7 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -5,7 +5,7 @@ COPY entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
 RUN apk --update upgrade && \
- apk add bind ca-certificates curl gnupg1 && \
+ apk add bind ca-certificates curl gnupg && \
 rm -rf /etc/bind/rndc.key /var/cache/apk/* && \
 chmod g-w /var/bind && \
 cp -p /etc/bind/bind.keys /var/bind/ && \
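Review bot: With `apk add bind ca-certificates curl gnupg` the runtime image still carries curl and a full gnupg only so that entrypoint.sh can refresh bind.keys at container start; doing that fetch-and-verify in a build stage and copying the verified file into the final image (or shipping the file under /etc/bind) would let the running resolver image drop both packages and the network access they imply. The package names remain unpinned here as in the earlier versions of this line, so the same `bind=<version>` pinning applies. The RUN instruction continues past the end of the hunk.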