refactor and update bind v9.21

This commit is contained in:
ale 2024-10-27 20:03:43 +01:00
parent 55600d8b1a
commit dc054c5bfd
6 changed files with 57 additions and 33 deletions

4
.gitmodules vendored Normal file
View File

@ -0,0 +1,4 @@
[submodule "bind9-docker"]
path = bind9-docker
url = https://github.com/isc-projects/bind9-docker
branch = v9.21

View File

@ -3,17 +3,26 @@
## Configure ## Configure
``` ```
Edit /bind/command.sh file properties before first run $ git clone --recurse-submodules https://git.manalejandro.com/ale/bind9
cd bind and edit ./bind/entrypoint.sh file properties before first run
```
##Build
```
$ docker buildx build -t bind9-docker ./bind9-docker
$ docker-compose build
``` ```
## Run ## Run
``` ```
docker-compose up -d $ docker-compose up -d
``` ```
#### by default all queries are logged under `/var/log/querylog` #### by default all queries are logged under `/var/log/querylog`
## License ## License
### Mit ### Mit

View File

@ -1,3 +1,4 @@
FROM debian:buster-slim FROM bind9-docker
RUN apt update && apt -y upgrade && apt install -y bind9 ipv6calc curl bc && apt clean RUN apk add ipcalc bash
COPY ./bind/entrypoint.sh /etc/bind/
ENTRYPOINT "/etc/bind/entrypoint.sh"

59
bind/command.sh → bind/entrypoint.sh Normal file → Executable file
View File

@ -50,7 +50,7 @@ $DKIM
\$INCLUDE K$DOMAIN.+XXX+YYYYY.key \$INCLUDE K$DOMAIN.+XXX+YYYYY.key
\$INCLUDE K$DOMAIN.+XXX+YYYYY.key"> /etc/bind/$DOMAIN \$INCLUDE K$DOMAIN.+XXX+YYYYY.key"> /etc/bind/$DOMAIN
echo -e "; echo -e ";
; BIND reverse file for $(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//') ; BIND reverse file for $(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')
; ;
\$TTL 604800 \$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
@ -63,9 +63,10 @@ echo -e ";
@ IN NS ns1.$DOMAIN. @ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN. @ IN NS ns2.$DOMAIN.
$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR $DOMAIN. $(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -r 's/^REVERSEDNS=([[:digit:]]+).*/\1/') IN PTR $DOMAIN.
$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//') $(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -r 's/^REVERSEDNS=([[:digit:]]+).*/\1/') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')
echo -e "\$TTL 604800 echo -e "\$TTL 604800
; BIND reverse file for $(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
3h ; Refresh 3h ; Refresh
@ -77,9 +78,8 @@ echo -e "\$TTL 604800
@ IN NS ns2.$DOMAIN. @ IN NS ns2.$DOMAIN.
; IPv6 PTR entries ; IPv6 PTR entries
$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR $DOMAIN. $(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=\([[:digit:]]\)\+.*/\1/') IN PTR $DOMAIN.
$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/ $(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=\([[:digit:]]\)\+.*/\1/') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')
^[[:digit:]]\+\.//' -e 's/\.$//')
echo -e "\$TTL 604800 echo -e "\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
@ -103,26 +103,23 @@ echo -e "//
//include \"/etc/bind/zones.rfc1918\"; //include \"/etc/bind/zones.rfc1918\";
zone \"$DOMAIN\" { zone \"$DOMAIN\" {
type master; type primary;
file \"/etc/bind/$DOMAIN.signed\"; file \"/etc/bind/$DOMAIN.signed\";
notify explicit;
}; };
zone \"$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" { zone \"$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\" {
type master; type master;
file \"/etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\"; file \"/etc/bind/rev.$(ipcalc -4 -a --reverse-dns $IP | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\";
}; };
zone \"$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" { zone \"$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\" {
type master; type master;
file \"/etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\"; file \"/etc/bind/rev.$(ipcalc -6 -a --reverse-dns $IPV6 | grep REVERSEDNS | sed -e 's/^REVERSEDNS=[[:digit:]]\+\.//')\";
}; };
zone \"$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" { acl \"trusted\" {
type master; 127.0.0.0/8;
file \"/etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
};" > /etc/bind/named.conf.local
echo -e "acl \"trusted\" {
::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6;
}; };
options { options {
@ -154,9 +151,20 @@ options {
listen-on-v6 { any; }; listen-on-v6 { any; };
// config-bind9.txt // config-bind9.txt
recursion yes; disable-empty-zone \".\";
notify yes; // root-delegation-only;
interface-interval 0; require-server-cookie no;
send-cookie yes;
check-wildcard no;
clients-per-query 20;
max-clients-per-query 30;
auth-nxdomain yes;
listen-on { any; };
listen-on-v6 { any; };
max-udp-size 512;
recursion no;
minimal-responses yes;
notify no;
allow-transfer { none; }; allow-transfer { none; };
allow-query { any; }; allow-query { any; };
allow-query-cache { trusted; }; allow-query-cache { trusted; };
@ -169,22 +177,23 @@ options {
check-names master warn; check-names master warn;
check-names slave warn; check-names slave warn;
check-names response warn; check-names response warn;
// querylog yes; querylog yes;
hostname \"$DOMAIN\";
server-id \"$DOMAIN\";
}; };
logging { logging {
channel querylog{ channel querylog{
file \"/var/log/querylog\"; file \"/var/log/querylog\";
severity debug 10; severity info;
print-category yes; print-category yes;
print-time yes; print-time yes;
print-severity yes; print-severity yes;
}; };
category queries { querylog; }; category queries { querylog; };
};"> /etc/bind/named.conf.options };"> /etc/bind/named.conf.options
chown $(id -u bind):$(id -g bind) -R /etc/bind
echo $(echo $(cat /etc/bind/version)"+1" | bc) > /etc/bind/version echo $(echo $(cat /etc/bind/version)"+1" | bc) > /etc/bind/version
mkdir /run/named
chown 101.101 -R /etc/bind /run/named
cd /etc/bind cd /etc/bind
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN
named -c named.conf -f -u bind /usr/sbin/named -u bind

1
bind9-docker Submodule

@ -0,0 +1 @@
Subproject commit cb3c1822602ee8b9a951e550a8a44b695fd2c13e

View File

@ -7,7 +7,7 @@ services:
container_name: bind container_name: bind
restart: always restart: always
entrypoint: entrypoint:
- /etc/bind/command.sh - /etc/bind/entrypoint.sh
ports: ports:
- "53:53" - "53:53"
- "53:53/udp" - "53:53/udp"
@ -15,6 +15,6 @@ services:
- ./bind:/etc/bind - ./bind:/etc/bind
networks: networks:
bindnet: bindnet:
networks: networks:
bindnet: bindnet: