From dc054c5bfd1d16aae3d6a1f66021d8904e601849 Mon Sep 17 00:00:00 2001 From: ale Date: Sun, 27 Oct 2024 20:03:43 +0100 Subject: [PATCH] refactor and update bind v9.21 --- .gitmodules | 4 ++ README.md | 15 ++++++-- bind/Dockerfile | 7 ++-- bind/{command.sh => entrypoint.sh} | 59 +++++++++++++++++------------- bind9-docker | 1 + docker-compose.yml | 4 +- 6 files changed, 57 insertions(+), 33 deletions(-) create mode 100644 .gitmodules rename bind/{command.sh => entrypoint.sh} (73%) mode change 100644 => 100755 create mode 160000 bind9-docker diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..a275acd --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "bind9-docker"] + path = bind9-docker + url = https://github.com/isc-projects/bind9-docker + branch = v9.21 diff --git a/README.md b/README.md index f508d3c..67b87eb 100644 --- a/README.md +++ b/README.md @@ -3,17 +3,26 @@ ## Configure ``` -Edit /bind/command.sh file properties before first run +$ git clone --recurse-submodules https://git.manalejandro.com/ale/bind9 + +cd bind and edit ./bind/entrypoint.sh file properties before first run +``` + +##Build +``` +$ docker buildx build -t bind9-docker ./bind9-docker + +$ docker-compose build ``` ## Run ``` -docker-compose up -d +$ docker-compose up -d ``` #### by default all queries are logged under `/var/log/querylog` ## License -### Mit \ No newline at end of file +### Mit diff --git a/bind/Dockerfile b/bind/Dockerfile index 006d493..98b2ec1 100644 --- a/bind/Dockerfile +++ b/bind/Dockerfile @@ -1,3 +1,4 @@ -FROM debian:buster-slim -RUN apt update && apt -y upgrade && apt install -y bind9 ipv6calc curl bc && apt clean - +FROM bind9-docker +RUN apk add ipcalc bash +COPY ./bind/entrypoint.sh /etc/bind/ +ENTRYPOINT "/etc/bind/entrypoint.sh" diff --git a/bind/command.sh b/bind/entrypoint.sh old mode 100644 new mode 100755 similarity index 73% rename from bind/command.sh rename to bind/entrypoint.sh index 6c5f891..c7952d8 --- a/bind/command.sh 
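Review bot: `ENTRYPOINT "/etc/bind/entrypoint.sh"` on the last added line of the Dockerfile hunk is shell form, so PID 1 may be `/bin/sh -c` rather than the script and a `docker stop` SIGTERM is not guaranteed to reach it; the exec form `ENTRYPOINT ["/etc/bind/entrypoint.sh"]` avoids that. `FROM bind9-docker` in the same hunk is untagged (implicitly `:latest`), so the base is whatever the README's `docker buildx build -t bind9-docker ./bind9-docker` produced most recently; tagging both sides with the submodule version, e.g. `bind9-docker:9.21`, keeps the build reproducible. `RUN apk add ipcalc bash` leaves the apk index in the layer and pins nothing — `RUN apk add --no-cache ipcalc=<version> bash=<version>` is the usual form. Note that docker-compose.yml bind-mounts `./bind:/etc/bind`, which shadows the COPY'd script at runtime, so the image's copy is only used when the container is run without that volume.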
+++ b/bind/entrypoint.sh @@ -50,7 +50,7 @@ $DKIM \$INCLUDE K$DOMAIN.+XXX+YYYYY.key \$INCLUDE K$DOMAIN.+XXX+YYYYY.key"> /etc/bind/$DOMAIN echo -e "; -; BIND reverse file for $(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//') +; BIND reverse file for $(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//') ; \$TTL 604800 @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( @@ -63,9 +63,10 @@ echo -e "; @ IN NS ns1.$DOMAIN. @ IN NS ns2.$DOMAIN. -$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR $DOMAIN. -$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//') +$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -r 's/^REVERSEDNS=([[:digit:]]+).*/\1/') IN PTR $DOMAIN. +$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -r 's/^REVERSEDNS=([[:digit:]]+).*/\1/') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//') echo -e "\$TTL 604800 +; BIND reverse file for $(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//') @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial 3h ; Refresh 
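Review bot: The `ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed …` pipeline introduced on the added line is recomputed in every `$(…)` substitution of this hunk and again in the @@ -63, @@ -77 and @@ -103 hunks, each time with a slightly different sed expression, which is where the zone-name and PTR forms drift apart. Computing it once near the top of the script and reusing the results would make the zone-file generation readable: `REV4=$(ipcalc -4 -a --reverse-dns "$IP" | grep REVERSEDNS | sed -e 's/^REVERSEDNS=//')`, `REV4_ZONE=${REV4#*.}`, `REV4_HOST=${REV4%%.*}`. If `$IP` is empty or unparsable, every substitution silently expands to an empty string and the zone files are written with empty names, so a `[ -n "$IP" ] || exit 1` guard before this block is worth adding. The `echo -e` command that this hunk edits begins before the hunk.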
@@ -77,9 +78,8 @@ echo -e "\$TTL 604800 @ IN NS ns2.$DOMAIN. ; IPv6 PTR entries -$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR $DOMAIN. -$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/ -^[[:digit:]]\+\.//' -e 's/\.$//') +$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=\([[:digit:]]\)\+.*/\1/') IN PTR $DOMAIN. +$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=\([[:digit:]]\)\+.*/\1/') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//') echo -e "\$TTL 604800 @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial 
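Review bot: The IPv6 PTR owner on the two added lines is extracted with `sed -e 's/^REVERSEDNS=\([[:digit:]]\)\+.*/\1/'`, but the first label of an ip6.arpa name is a hex nibble, so for any address whose last nibble is a–f the expression does not match and the unmodified `REVERSEDNS=…` line becomes the record owner; `sed -e 's/^REVERSEDNS=\([[:xdigit:]]\)\..*/\1/'` covers all sixteen values. The zone-name expression `s/^REVERSEDNS=[[:digit:]]\+\.//` on the same lines and in the @@ -103 hunk has the same gap (`[[:xdigit:]]\+\.`), and even when it matches it removes exactly one nibble, i.e. a /124 reverse zone — worth confirming that is the prefix actually delegated rather than something like a /64. Both added lines also rely on `IPV6` being set earlier in the script, outside this hunk. The second `echo -e "\$TTL 604800` command continues past the end of the hunk.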
@@ -103,26 +103,23 @@ echo -e "// //include \"/etc/bind/zones.rfc1918\"; zone \"$DOMAIN\" { - type master; + type primary; file \"/etc/bind/$DOMAIN.signed\"; + notify explicit; }; -zone \"$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" { +zone \"$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\" { type master; - file \"/etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\"; + file \"/etc/bind/rev.$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\"; }; -zone \"$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" { +zone \"$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\" { type master; - file \"/etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\"; + file \"/etc/bind/rev.$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\"; }; -zone \"$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" { - type master; - file \"/etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\"; -};" > /etc/bind/named.conf.local -echo -e "acl \"trusted\" { - ::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6; +acl \"trusted\" { + 127.0.0.0/8; }; options { @@ -154,9 +151,20 @@ options { listen-on-v6 { any; }; // config-bind9.txt - recursion yes; - notify yes; - interface-interval 0; + disable-empty-zone \".\"; +// root-delegation-only; + require-server-cookie no; + send-cookie yes; + check-wildcard no; + clients-per-query 20; + max-clients-per-query 30; + auth-nxdomain yes; + listen-on { any; }; + listen-on-v6 { any; }; + max-udp-size 512; + recursion no; + minimal-responses yes; + notify no; allow-transfer { none; }; allow-query { any; }; allow-query-cache { trusted; }; 
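Review bot: `type primary;` replaces `type master;` for the forward zone, but the two reverse zones in the same hunk keep `type master;`, so the generated named.conf.local now mixes both spellings; using `type primary;` on all three keeps it consistent with the vocabulary the commit is adopting. The added `notify explicit;` only sends NOTIFY to servers listed in an `also-notify` clause, and none is visible in this hunk or in the options block, so unless one exists elsewhere the second NS in the zone files will not learn about the serial bump. The new `acl "trusted"` drops `::1/128`, so with `listen-on-v6 { any; }` and `allow-query-cache { trusted; }` IPv6 loopback clients are no longer trusted — presumably intended alongside `recursion no;`, but a one-line comment saying so would help. The `echo -e` that writes named.conf.local starts before this hunk and the one writing named.conf.options runs past it.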
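Review bot: `max-udp-size 512;` caps UDP responses at 512 bytes, and because this script signs the zone with `dnssec-signzone` (visible later in the file), DNSKEY and most RRSIG-bearing answers will typically exceed that and be truncated, forcing validating resolvers to retry over TCP; the DNS flag day 2020 consensus is `max-udp-size 1232;` alongside `edns-udp-size 1232;`. The added `listen-on { any; };` and `listen-on-v6 { any; };` repeat the `listen-on-v6 { any; };` already present as context at the top of the hunk — BIND accepts multiple listen-on statements, so it is harmless, but it reads as a paste duplicate. `recursion no;` together with `allow-query { any; };` is the right shape for a public authoritative server; a comment such as `// authoritative only: no recursion, cache answers restricted to trusted` next to `allow-query-cache { trusted; }` would record that intent. The options block opens and closes outside this hunk.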
@@ -169,22 +177,23 @@ options { check-names master warn; check-names slave warn; check-names response warn; -// querylog yes; + querylog yes; + hostname \"$DOMAIN\"; + server-id \"$DOMAIN\"; }; logging { channel querylog{ file \"/var/log/querylog\"; - severity debug 10; + severity info; print-category yes; print-time yes; print-severity yes; }; category queries { querylog; }; };"> /etc/bind/named.conf.options +chown $(id -u bind):$(id -g bind) -R /etc/bind echo $(echo $(cat /etc/bind/version)"+1" | bc) > /etc/bind/version -mkdir /run/named -chown 101.101 -R /etc/bind /run/named cd /etc/bind dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN -named -c named.conf -f -u bind \ No newline at end of file +/usr/sbin/named -u bind diff --git a/bind9-docker b/bind9-docker new file mode 160000 index 0000000..cb3c182 --- /dev/null +++ b/bind9-docker @@ -0,0 +1 @@ +Subproject commit cb3c1822602ee8b9a951e550a8a44b695fd2c13e diff --git a/docker-compose.yml b/docker-compose.yml index 25f827e..51e9ffa 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,7 +7,7 @@ services: container_name: bind restart: always entrypoint: - - /etc/bind/command.sh + - /etc/bind/entrypoint.sh ports: - "53:53" - "53:53/udp" @@ -15,6 +15,6 @@ services: - ./bind:/etc/bind networks: bindnet: - + networks: bindnet:
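Review bot: The final added line `/usr/sbin/named -u bind` drops the `-f` of the line it replaces, so named forks into the background and the entrypoint script — the container's PID 1 — exits as soon as it returns, stopping the container; with `restart: always` in docker-compose.yml this becomes a restart loop that re-runs `dnssec-signzone` and increments `/etc/bind/version` on every iteration. `exec /usr/sbin/named -f -u bind -c /etc/bind/named.conf` keeps named in the foreground as PID 1 and lets it receive the stop signal directly; `-c` is also gone on the new line, so it now depends on the package's default config path — confirm that matches `named.conf` in the `cd /etc/bind` directory for the alpine build. The added recursive `chown … -R /etc/bind` gives the `bind` service account write access to everything in the directory, including the `K$DOMAIN…` key files consumed by `dnssec-signzone` and the generated named.conf files, which named only needs to read; limiting the chown to whatever named itself must write at runtime keeps the key material read-only for the process. This hunk ends the script, and the `echo -e` writing named.conf.options begins before it.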