Initial commit
4b554abcd9
3
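--- a/bind/Dockerfile
+++ b/bind/Dockerfile
@@ -0,0 +1,3 @@
+FROM debian:buster-slim
+RUN apt update && apt -y upgrade && apt install -y bind9 ipv6calc curl bc && apt clean
+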
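Review bot: The RUN line uses the `apt` front end, does a blanket `apt -y upgrade`, and never removes `/var/lib/apt/lists/*`, so the layer is neither reproducible nor minimal; prefer `RUN apt-get update && apt-get install -y --no-install-recommends bind9 ipv6calc curl bc && rm -rf /var/lib/apt/lists/*` and get security fixes by bumping the base tag rather than upgrading in place. `debian:buster-slim` is a floating tag of an end-of-life Debian release, so pin a supported release, ideally by digest. The image declares no ENTRYPOINT and no USER; it only works because docker-compose.yml mounts `./bind` over `/etc/bind` and runs `command.sh` from there, and the script itself drops to `-u bind` only when it finally starts named, which is worth stating, e.g. `# entrypoint (command.sh), zone files and DNSSEC keys are bind-mounted at /etc/bind by docker-compose.yml`.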
194
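--- a/bind/command.sh
+++ b/bind/command.sh
@@ -0,0 +1,194 @@
+#!/bin/bash
+# Execute these commands first time in order to create required files
+# $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK $DOMAIN
+# $ dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE $DOMAIN
+# $ opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d $DOMAIN -v
+DOMAIN="DOMAIN.COM"
+IP=MACHINE-IPV4
+IPV6=MACHINE-IPV6
+DKIM=$(sed -e 's/"/\"/g' /etc/bind/dkim.txt)
+if [ $(cat /etc/bind/version) -gt 99 ] || [ ! -e /etc/bind/version ]; then
+echo 1 > /etc/bind/version
+fi
+rm -f /etc/bind/rev.*
+echo -e ";
+; BIND data for $DOMAIN
+;
+\$TTL 3h
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+$(date +%Y%m%d)$(cat /etc/bind/version) ; SERIAL
+3h ; Refresh
+1h ; Retry
+1w ; Expire
+1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+
+$DOMAIN. IN A $IP
+$DOMAIN. IN AAAA $IPV6
+$DOMAIN. IN NS ns1
+$DOMAIN. IN NS ns2
+ns1 IN A $IP
+ns1 IN AAAA $IPV6
+ns2 IN A $IP
+ns2 IN AAAA $IPV6
+mail IN A $IP
+mail IN AAAA $IPV6
+pop IN A $IP
+pop IN AAAA $IPV6
+smtp IN A $IP
+smtp IN AAAA $IPV6
+imap IN A $IP
+imap IN AAAA $IPV6
+* IN CNAME $DOMAIN.
+$DOMAIN. IN MX 10 mail.$DOMAIN.
+$DOMAIN. IN TXT \"v=spf1 a mx -all\"
+_dmarc IN TXT \"v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=80;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf\"
+;_acme-challenge IN TXT \"xxx\"
+$DKIM
+
+\$INCLUDE K$DOMAIN.+XXX+YYYYY.key
+\$INCLUDE K$DOMAIN.+XXX+YYYYY.key"> /etc/bind/$DOMAIN
+echo -e ";
+; BIND reverse file for $(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+;
+\$TTL 604800
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
+3h ; Refresh
+1h ; Retry
+1w ; Expire
+1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR $DOMAIN.
+$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+echo -e "\$TTL 604800
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
+3h ; Refresh
+1h ; Retry
+1w ; Expire
+1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+; IPv6 PTR entries
+$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR $DOMAIN.
+$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/
+^[[:digit:]]\+\.//' -e 's/\.$//')
+echo -e "\$TTL 604800
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
+3h ; Refresh
+1h ; Retry
+1w ; Expire
+1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+; IPv6 PTR entries
+$(ipv6calc -q -a ::ffff:$IP | sed -e 's/\..*$//') IN PTR $DOMAIN.
+$(ipv6calc -q -a ::ffff:$IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+echo -e "//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include \"/etc/bind/zones.rfc1918\";
+
+zone \"$DOMAIN\" {
+type master;
+file \"/etc/bind/$DOMAIN.signed\";
+allow-update {
+key \"$DOMAIN.\";
+key \"_acme-challenge.$DOMAIN.\";
+};
+};
+
+zone \"$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
+type master;
+file \"/etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
+};
+
+zone \"$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
+type master;
+file \"/etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
+};
+
+zone \"$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
+type master;
+file \"/etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
+};" > /etc/bind/named.conf.local
+echo -e "acl \"trusted\" {
+::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6;
+};
+
+options {
+directory \"/var/cache/bind\";
+
+// If there is a firewall between you and nameservers you want
+// to talk to, you may need to fix the firewall to allow multiple
+// ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+// If your ISP provided one or more IP addresses for stable
+// nameservers, you probably want to use them as forwarders.
+// Uncomment the following block, and insert the addresses replacing
+// the all-0's placeholder.
+
+// forwarders {
+// 0.0.0.0;
+// };
+
+//========================================================================
+// If BIND logs error messages about the root key being expired,
+// you will need to update your keys. See https://www.isc.org/bind-keys
+//========================================================================
+//dnssec-enable yes;
+dnssec-validation auto;
+//dnssec-lookaside auto;
+
+auth-nxdomain no; # conform to RFC1035
+listen-on { any; };
+listen-on-v6 { any; };
+
+// config-bind9.txt
+recursion yes;
+notify yes;
+interface-interval 0;
+allow-transfer { none; };
+allow-query { any; };
+allow-query-cache { trusted; };
+allow-query-cache-on { trusted; };
+allow-query-on { trusted; };
+allow-recursion { trusted; };
+allow-notify { trusted; };
+allow-update { none; };
+version none;
+check-names master warn;
+check-names slave warn;
+check-names response warn;
+// querylog yes;
+};
+
+logging {
+channel querylog{
+file \"/var/log/querylog\";
+severity debug 10;
+print-category yes;
+print-time yes;
+print-severity yes;
+};
+category queries { querylog; };
+};"> /etc/bind/named.conf.options
+echo $(echo $(cat /etc/bind/version)"+1" | bc) > /etc/bind/version
+mkdir /run/named
+chown 101.101 -R /etc/bind /run/named
+cd /etc/bind
+dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN
+named -c named.conf -f -u bind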
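Review bot: The `acl "trusted"` written into named.conf.options lists `172.0.0.0/8`, which reaches far beyond Docker's 172.16.0.0/12 into publicly routed space, and since `recursion yes` is gated only by `allow-recursion { trusted; }` while docker-compose.yml publishes port 53 on every host interface, the server acts as an open recursive resolver for that whole range; narrow it to `172.16.0.0/12;` (or the compose network's actual subnet). The final `named -c named.conf -f -u bind` is not `exec`'d, so bash stays PID 1 and `docker stop` has to fall back to SIGKILL after the timeout; change it to `exec named -c named.conf -f -u bind`. The first-run guard reads `/etc/bind/version` before testing whether it exists, so a fresh volume fails the `-gt` comparison; reorder to `if [ ! -e /etc/bind/version ] || [ "$(cat /etc/bind/version)" -gt 99 ]; then`. The redirect of the 6to4 reverse-zone block appears to be split across two lines inside the sed expression (`'s/` then `^[[:digit:]]\+\.//'`); if that newline is really in the file, sed reports an unterminated `s` command and the zone file is written as bare `rev.`, whereas the `::ffff:` block just below keeps the same expression on one line. The `allow-update` lists reference keys `$DOMAIN.` and `_acme-challenge.$DOMAIN.` that nothing in this commit defines, so presumably they live in the mounted `named.conf`; a comment naming where those keys are expected would save the next reader a search.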
20
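--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,20 @@
+version: '2'
+
+services:
+bind:
+build: ./bind
+hostname: bind
+container_name: bind
+restart: always
+entrypoint:
+- /etc/bind/command.sh
+ports:
+- "53:53"
+- "53:53/udp"
+volumes:
+- ./bind:/etc/bind
+networks:
+bindnet:
+
+networks:
+bindnet: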
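Review bot: The `./bind:/etc/bind` mount puts the checked-in Dockerfile and command.sh, the generated zone files and the DNSSEC private keys in one read-write host directory, and command.sh runs `chown 101.101 -R /etc/bind` on it, so every container start rewrites the ownership of the host working copy; consider `COPY`ing command.sh into the image and mounting only a dedicated key/zone data directory. `version: '2'` is the legacy file format and is reported as obsolete by current Compose, so it can be dropped. `- "53:53"` and `- "53:53/udp"` publish on every host interface, which is expected for an authoritative server but means the recursion ACL in command.sh is the only thing limiting who can use the resolver.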