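#!/bin/bash
# Container entrypoint for the authoritative BIND server of $DOMAIN.
#
# On every start it rewrites, from the environment:
#   /etc/bind/$DOMAIN             forward zone (SOA, NS, A/AAAA, MX, SPF, DMARC,
#                                 the DKIM record from dkim.txt and an $INCLUDE
#                                 for every DNSSEC key file found in /etc/bind)
#   /etc/bind/rev.<zone>          reverse zones for $IP and $IPV6
#   /etc/bind/named.conf.options  zone declarations, ACL, options, logging
# then bumps the per-day serial counter in /etc/bind/version, signs the
# forward zone with dnssec-signzone (NSEC3, random salt) and starts named.
#
# Required environment: DOMAIN, IP (IPv4 address), IPV6 (IPv6 address).
#
# Execute these commands first time in order to create required files
# $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK $DOMAIN
# $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE $DOMAIN
# $ opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d $DOMAIN -v
set -euo pipefail
# Unmatched globs expand to nothing so the key-file and rev.* lists can be
# tested for emptiness instead of containing the literal pattern.
shopt -s nullglob

readonly bind_dir=/etc/bind
readonly version_file="$bind_dir/version"

#######################################
# Print a diagnostic to stderr and abort the start-up.
# Arguments: message words
#######################################
die() {
  printf 'entrypoint: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the reverse-DNS name ipcalc computes for an address, i.e. the value
# of its REVERSEDNS= output line (e.g. "1.2.0.192.in-addr.arpa.").
# Arguments: $1 - address family, "4" or "6"
#            $2 - the address
# Outputs:   the reverse name on stdout
# Returns:   non-zero when ipcalc failed or printed no REVERSEDNS= line
#######################################
reverse_name() {
  local family=$1 addr=$2 name
  name=$(ipcalc "-${family}" -a --reverse-dns "$addr" | sed -n 's/^REVERSEDNS=//p') || return 1
  [[ -n "$name" ]] || return 1
  printf '%s\n' "$name"
}

#######################################
# Read the per-day serial counter from $version_file, resetting it to 1 when
# the file is missing, not a decimal number, or already past 99 (the counter
# is appended to YYYYMMDD as two digits, so 99 is the last usable value).
# Globals:   version_file (read, and written on reset)
# Outputs:   the counter on stdout
#######################################
read_counter() {
  local counter=
  if [[ -e "$version_file" ]]; then
    counter=$(<"$version_file")
  fi
  # 10# forces decimal so a stray leading zero is not read as octal.
  if [[ ! "$counter" =~ ^[0-9]+$ ]] || (( 10#$counter > 99 )); then
    counter=1
    printf '%s\n' "$counter" > "$version_file"
  fi
  printf '%s\n' "$counter"
}

#######################################
# Write the unsigned forward zone file /etc/bind/$DOMAIN.
# Globals:   DOMAIN, IP, IPV6, bind_dir (read)
# Arguments: $1 - SOA serial
# Requires:  $bind_dir/dkim.txt (opendkim-genkey output) and at least one
#            K$DOMAIN.+<alg>+<id>.key file (dnssec-keygen output) in $bind_dir
#######################################
write_forward_zone() {
  local serial=$1 dkim key includes=
  # The DKIM record is inserted verbatim; a heredoc does not re-interpret
  # quotes or backslashes, so no escaping of dkim.txt is needed.
  dkim=$(<"$bind_dir/dkim.txt") || die "missing $bind_dir/dkim.txt (run opendkim-genkey first)"

  # One $INCLUDE per DNSKEY file so both the KSK and the ZSK public keys end
  # up in the zone; dnssec-signzone runs with $bind_dir as cwd, so the
  # basename is enough.
  local -a keys=("$bind_dir"/K"$DOMAIN".+*+*.key)
  (( ${#keys[@]} )) || die "no DNSSEC key files K$DOMAIN.+*+*.key in $bind_dir (run dnssec-keygen first)"
  for key in "${keys[@]}"; do
    includes+="\$INCLUDE ${key##*/}"$'\n'
  done
  includes=${includes%$'\n'}

  cat > "$bind_dir/$DOMAIN" <<EOF
;
; BIND data for $DOMAIN
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$serial ; SERIAL
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
$DOMAIN. IN A $IP
$DOMAIN. IN AAAA $IPV6
$DOMAIN. IN NS ns1
$DOMAIN. IN NS ns2
ns1 IN A $IP
ns1 IN AAAA $IPV6
ns2 IN A $IP
ns2 IN AAAA $IPV6
mail IN A $IP
mail IN AAAA $IPV6
pop IN A $IP
pop IN AAAA $IPV6
smtp IN A $IP
smtp IN AAAA $IPV6
imap IN A $IP
imap IN AAAA $IPV6
* IN CNAME $DOMAIN.
$DOMAIN. IN MX 10 mail.$DOMAIN.
$DOMAIN. IN TXT "v=spf1 a mx -all"
_dmarc IN TXT "v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=80;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf"
;_acme-challenge IN TXT "xxx"
$dkim
$includes
EOF
}

#######################################
# Write a reverse zone file /etc/bind/rev.<zone> with PTR records for the
# apex and for mail.
# Globals:   DOMAIN, bind_dir (read)
# Arguments: $1 - reverse zone name (e.g. "2.0.192.in-addr.arpa.")
#            $2 - record label inside that zone (the host octet / nibble)
#            $3 - SOA serial
#######################################
write_reverse_zone() {
  local zone=$1 label=$2 serial=$3
  cat > "$bind_dir/rev.$zone" <<EOF
\$TTL 604800
; BIND reverse file for $zone
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$serial ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$label IN PTR $DOMAIN.
$label IN PTR mail.$DOMAIN.
EOF
}

#######################################
# Write /etc/bind/named.conf.options: the three zones, the "trusted" ACL and
# the server options (authoritative only, no transfers, no recursion,
# version hidden, query log enabled).
# Globals:   DOMAIN, bind_dir (read)
# Arguments: $1 - IPv4 reverse zone name
#            $2 - IPv6 reverse zone name
#######################################
write_named_options() {
  local rev4_zone=$1 rev6_zone=$2
  # Each option may appear only once: BIND rejects a redefined option, so
  # auth-nxdomain / listen-on / listen-on-v6 are listed a single time below.
  cat > "$bind_dir/named.conf.options" <<EOF
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "$DOMAIN" {
  type primary;
  file "/etc/bind/$DOMAIN.signed";
  notify explicit;
};
zone "$rev4_zone" {
  type primary;
  file "/etc/bind/rev.$rev4_zone";
};
zone "$rev6_zone" {
  type primary;
  file "/etc/bind/rev.$rev6_zone";
};
acl "trusted" {
  127.0.0.0/8;
};
options {
  directory "/var/cache/bind";
  // If there is a firewall between you and nameservers you want
  // to talk to, you may need to fix the firewall to allow multiple
  // ports to talk. See http://www.kb.cert.org/vuls/id/800113
  // If your ISP provided one or more IP addresses for stable
  // nameservers, you probably want to use them as forwarders.
  // Uncomment the following block, and insert the addresses replacing
  // the all-0's placeholder.
  // forwarders {
  // 0.0.0.0;
  // };
  //========================================================================
  // If BIND logs error messages about the root key being expired,
  // you will need to update your keys. See https://www.isc.org/bind-keys
  //========================================================================
  //dnssec-enable yes;
  dnssec-validation auto;
  //dnssec-lookaside auto;
  // config-bind9.txt
  disable-empty-zone ".";
  // root-delegation-only;
  require-server-cookie no;
  send-cookie yes;
  check-wildcard no;
  clients-per-query 20;
  max-clients-per-query 30;
  auth-nxdomain yes;
  listen-on { any; };
  listen-on-v6 { any; };
  max-udp-size 512;
  recursion no;
  minimal-responses yes;
  notify no;
  allow-transfer { none; };
  allow-query { any; };
  allow-query-cache { trusted; };
  allow-query-cache-on { trusted; };
  allow-query-on { trusted; };
  allow-recursion { trusted; };
  allow-notify { trusted; };
  allow-update { none; };
  version none;
  check-names master warn;
  check-names slave warn;
  check-names response warn;
  querylog yes;
  hostname "$DOMAIN";
  server-id "$DOMAIN";
};
logging {
  channel querylog{
    file "/var/log/querylog";
    severity info;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  category queries { querylog; };
};
EOF
}

#######################################
# Generate all files, sign the forward zone and start named.
# Globals:   DOMAIN, IP, IPV6 (read), bind_dir, version_file
#######################################
main() {
  : "${DOMAIN:?DOMAIN must be set}"
  : "${IP:?IP (IPv4 address) must be set}"
  : "${IPV6:?IPV6 (IPv6 address) must be set}"

  # Serial is YYYYMMDD followed by a zero-padded two-digit counter, so it
  # stays monotonic across the day rollover (a bare counter of 1 after 12
  # would produce a smaller number).
  local counter serial
  counter=$(read_counter)
  printf -v serial '%s%02d' "$(date +%Y%m%d)" "$((10#$counter))"

  # Reverse names: the first label is the host part (last octet / last
  # nibble), the remainder is the zone. For IPv6 that makes the zone the
  # /124 containing $IPV6 — TODO confirm this matches the delegation.
  local rev4 rev6 rev4mapped
  rev4=$(reverse_name 4 "$IP") || die "ipcalc could not compute the reverse name of $IP"
  rev6=$(reverse_name 6 "$IPV6") || die "ipcalc could not compute the reverse name of $IPV6"
  # ip6.arpa name of the IPv4-mapped address ::ffff:$IP; the zone written
  # from it is not referenced by named.conf.options.
  rev4mapped=$(ipv6calc -q -a "::ffff:$IP") || die "ipv6calc could not compute the reverse name of ::ffff:$IP"

  local -a stale=("$bind_dir"/rev.*)
  (( ${#stale[@]} )) && rm -f -- "${stale[@]}"

  write_forward_zone "$serial"
  write_reverse_zone "${rev4#*.}" "${rev4%%.*}" "$serial"
  write_reverse_zone "${rev6#*.}" "${rev6%%.*}" "$serial"
  local mapped_zone=${rev4mapped#*.}
  write_reverse_zone "${mapped_zone%.}" "${rev4mapped%%.*}" "$serial"
  write_named_options "${rev4#*.}" "${rev6#*.}"

  # Persist the next counter value for the following start.
  printf '%s\n' "$((10#$counter + 1))" > "$version_file"

  # NSEC3 with a fresh 64-bit random salt; -N INCREMENT bumps the SOA serial
  # in the signed copy. Private keys are looked up in the cwd.
  local salt
  salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
  cd "$bind_dir" || die "cannot cd to $bind_dir"
  dnssec-signzone -A -3 "$salt" -N INCREMENT "$DOMAIN"

  # After signing so the freshly written .signed file is owned by bind too.
  chown -R bind:bind -- "$bind_dir"

  # named daemonizes by default; if this script is the container's PID 1 the
  # container ends when it forks — TODO confirm how the image runs it (-g/-f
  # keep named in the foreground).
  exec /usr/sbin/named -u bind
}

main "$@"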