diff --git a/production/bind9/bind/Dockerfile b/production/bind9/bind/Dockerfile
new file mode 100644
index 0000000..0e4a098
--- /dev/null
+++ b/production/bind9/bind/Dockerfile
@@ -0,0 +1,2 @@
+FROM debian:buster-slim
+RUN apt update && apt -y upgrade && apt install -y bind9 ipv6calc curl bc dehydrated dnsutils && apt clean
diff --git a/production/bind9/bind/command.sh b/production/bind9/bind/command.sh
new file mode 100755
index 0000000..dbade1b
--- /dev/null
+++ b/production/bind9/bind/command.sh
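Review bot: The `RUN` line uses `apt` instead of `apt-get`, installs without `--no-install-recommends`, leaves `/var/lib/apt/lists` in the layer and pulls unpinned packages, so the image is neither reproducible nor minimal (hadolint DL3027, DL3015, DL3009, DL3008). `apt -y upgrade` inside the build is the wrong place to pick up security fixes — bump the base tag or pin a digest instead — and `buster-slim` is no longer a supported Debian release, so the base should move to a current one. A replacement in the same spirit: `RUN apt-get update && apt-get install -y --no-install-recommends bc bind9 curl dehydrated dnsutils ipv6calc && rm -rf /var/lib/apt/lists/*`. The stage also ends as root with no `USER`, `ENTRYPOINT` or `EXPOSE 53`; the entrypoint is only supplied by docker-compose.yml, so the image does nothing on its own and carries no documentation of its port contract.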
@@ -0,0 +1,223 @@
+#!/bin/bash
+# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -K /etc/bind _acme-challenge.hatthieves.es
+# dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK hatthieves.es
+# dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE hatthieves.es
+# opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d hatthieves.es -v
+DOMAIN="hatthieves.es"
+DOMAIN2="hatthieves.com"
+IP=82.223.3.135
+IPV6=2001:ba0:1800:80e0::1
+DKIM=$(sed -e 's/"/\"/g' /etc/bind/dkim.txt)
+DKIM2=$(sed -e 's/"/\"/g' /etc/bind/dkim2.txt)
+if [ $(cat /etc/bind/version) -gt 99 ]; then
+ echo 1 > /etc/bind/version
+fi
+rm -f /etc/bind/rev.*
+echo -e ";
+; BIND data for $DOMAIN
+;
+\$TTL 3h
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+ $(date +%Y%m%d)$(cat /etc/bind/version) ; SERIAL
+ 3h ; Refresh
+ 1h ; Retry
+ 1w ; Expire
+ 1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+
+$DOMAIN. IN A $IP
+$DOMAIN. IN AAAA $IPV6
+ns1 IN A $IP
+ns1 IN AAAA $IPV6
+ns2 IN A $IP
+ns2 IN AAAA $IPV6
+mail IN A $IP
+pop IN A $IP
+smtp IN A $IP
+imap IN A $IP
+* IN CNAME $DOMAIN.
+$DOMAIN. IN MX 10 mail.$DOMAIN.
+$DOMAIN. IN TXT \"v=spf1 ip4:172.200.0.0/24 a mx -all\"
+_dmarc IN TXT \"v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf\"
+$DKIM
+
+\$INCLUDE K$DOMAIN.+008+10060.key
+\$INCLUDE K$DOMAIN.+008+00825.key
+\$INCLUDE K_acme-challenge.$DOMAIN.+165+31790.key"> /etc/bind/$DOMAIN
+echo -e ";
+; BIND reverse file for $(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+;
+\$TTL 604800
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+ $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
+ 3h ; Refresh
+ 1h ; Retry
+ 1w ; Expire
+ 1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR $DOMAIN.
+$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN."
> /etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+echo -e "\$TTL 604800
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+ $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
+ 3h ; Refresh
+ 1h ; Retry
+ 1w ; Expire
+ 1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+; IPv6 PTR entries
+$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR $DOMAIN.
+$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+echo -e "\$TTL 604800
+@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
+ $(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
+ 3h ; Refresh
+ 1h ; Retry
+ 1w ; Expire
+ 1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+; IPv6 PTR entries
+$(ipv6calc -q -a ::ffff:$IP | sed -e 's/\..*$//') IN PTR $DOMAIN.
+$(ipv6calc -q -a ::ffff:$IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN."
> /etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
+echo -e "//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include \"/etc/bind/zones.rfc1918\";
+
+zone \"$DOMAIN\" {
+ type master;
+ file \"/etc/bind/$DOMAIN.signed\";
+ allow-update {
+ key \"$DOMAIN.\";
+ key \"_acme-challenge.$DOMAIN.\";
+ };
+};
+
+zone \"$DOMAIN2\" {
+ type master;
+ file \"/etc/bind/$DOMAIN2.signed\";
+ allow-update {
+ key \"$DOMAIN2.\";
+ key \"_acme-challenge.$DOMAIN2.\";
+ };
+};
+
+zone \"$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
+ type master;
+ file \"/etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
+};
+
+zone \"$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
+ type master;
+ file \"/etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
+};
+
+zone \"$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
+ type master;
+ file \"/etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
+};" > /etc/bind/named.conf.local
+echo -e "acl \"trusted\" {
+ ::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6;
+};
+
+options {
+ directory \"/var/cache/bind\";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-enable yes;
+ dnssec-validation auto;
+ dnssec-lookaside auto;
+ //dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on { any; };
+ listen-on-v6 { any; };
+
+ // config-bind9.txt
+ recursion yes;
+ notify yes;
+ interface-interval 0;
+ allow-transfer { trusted; };
+ allow-query { any; };
+ allow-query-cache { trusted; };
+ allow-recursion { trusted; };
+ allow-notify { trusted; };
+ allow-update { none; };
+ version none;
+ check-names master warn;
+ check-names slave warn;
+ check-names response warn;
+};
+
+key \"_acme-challenge.$DOMAIN.\" {
+ algorithm hmac-sha512;
+ secret \"GC9RKMhiWpRxwtBvxNQ8abBSTsfLE8kOuDxMA04q0YuyWPBo9YshtkOGEr9yGC6UPgzYOj7CNKYpn3OF9wEgzA==\";
+};
+
+key \"_acme-challenge.$DOMAIN2.\" {
+ algorithm hmac-sha512;
+ secret \"JlCDMOnkKuNHSiDi6GnxurCwGpnw85NngKogSqKjSU+cvb8RJSQEZekkfW88hZIPUf0cY+Td9c2SttUL05xQEw==\";
+};"> /etc/bind/named.conf.options
+echo -e ";
+; BIND data for $DOMAIN2
+;
+\$TTL 3h
+@ IN SOA ns1.$DOMAIN2. admin.$DOMAIN2. (
+ $(date +%Y%m%d)$(cat /etc/bind/version) ; SERIAL
+ 3h ; Refresh
+ 1h ; Retry
+ 1w ; Expire
+ 1h ) ; Minimum
+;
+@ IN NS ns1.$DOMAIN.
+@ IN NS ns2.$DOMAIN.
+
+$DOMAIN2. IN A $IP
+$DOMAIN2. IN AAAA $IPV6
+* IN CNAME $DOMAIN2.
+$DOMAIN2. IN MX 10 mail.$DOMAIN2.
+$DOMAIN2.
IN TXT \"v=spf1 ip4:172.200.0.0/24 a mx -all\"
+_dmarc IN TXT \"v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf\"
+$DKIM2
+
+\$INCLUDE K$DOMAIN2.+008+61170.key
+\$INCLUDE K$DOMAIN2.+008+28449.key
+\$INCLUDE K_acme-challenge.$DOMAIN2.+165+29132.key"> /etc/bind/$DOMAIN2
+COUNT=$(echo $(cat /etc/bind/version)"+1" | bc)
+echo $COUNT > /etc/bind/version
+mkdir /run/named
+chown 101.101 -R /etc/bind
+chown 101.101 -R /run/named
+cd /etc/bind
+dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN
+dnssec-signzone -P -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN2
+named -c named.conf -g -u bind
diff --git a/production/bind9/docker-compose.yml b/production/bind9/docker-compose.yml
new file mode 100644
index 0000000..74bdcc8
--- /dev/null
+++ b/production/bind9/docker-compose.yml
@@ -0,0 +1,30 @@
+version: '2.1'
+
+services:
+ bind:
+ build: ./bind
+ restart: always
+ container_name: bind
+ hostname: bind
+ entrypoint:
+ - /bin/bash
+ - /etc/bind/command.sh
+ volumes:
+ - ./bind:/etc/bind
+ - ./dehydrated:/etc/dehydrated
+ - ./letsencrypt:/root/letsencrypt
+ ports:
+ - "53:53/tcp"
+ - "53:53/udp"
+ networks:
+ mynet:
+ ipv4_address: 172.3.0.101
+
+networks:
+ mynet:
+ enable_ipv6: true
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 172.3.0.0/24
+ - subnet: fe80:0:250:56fd::/64
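Review bot: The two `key "_acme-challenge.…"` blocks written into named.conf.options carry literal `secret` values, so both TSIG keys are now in the repository history and should be treated as disclosed: regenerate them (the `dnssec-keygen -a HMAC-SHA512 … -n HOST` command in the header comment does this) and have the script pull them in with `include "/etc/bind/keys.conf";` from a file kept out of git and readable only by root and the bind user, rather than embedding them. Those keys are granted through `allow-update`, which allows changing any record in the zone rather than only the challenge; `update-policy { grant _acme-challenge.$DOMAIN. name _acme-challenge.$DOMAIN. txt; };` per zone (it replaces `allow-update`, the two cannot coexist) limits what a leaked key can do. The same `allow-update` lists also reference `key "$DOMAIN."` and `key "$DOMAIN2."`, but no key blocks for them are generated here; unless named.conf (not part of this commit) defines them, named will refuse to load those zones. The `trusted` ACL's `172.0.0.0/8` is much wider than the RFC 1918 `172.16.0.0/12` and hands recursion and cache access to publicly routed address space; narrow it to the container subnet or `172.16.0.0/12`. Finally, the script runs without `set -euo pipefail`, so a failing `ipv6calc`, `cat /etc/bind/version` or `cd /etc/bind` silently yields empty or misplaced zone files before `named` starts.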
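Review bot: Neither `mynet` IPAM subnet is a private range: `172.3.0.0/24` sits outside RFC 1918 (`172.16.0.0/12`) and overlaps publicly routed space, and `fe80:0:250:56fd::/64` falls inside the `fe80::/10` link-local prefix, so on Linux those addresses would carry link-local scope and are unlikely to behave as routable container addresses. Use an RFC 1918 range and a ULA prefix instead, for example `172.30.0.0/24` and `fd12:3456:789a::/64` (example values), and update `ipv4_address` to match. `version: '2.1'` is obsolete in current Compose and can be dropped.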