ale/docker-compose-hatthieves
2
Fork 0
Código Incidencias Pull Requests Lanzamientos Wiki Actividad

bind9

Explorar el Código
Este commit está contenido en:
Your Name
2020-05-27 17:44:48 +00:00
padre ada9dd5fa7
commit 8d1ad71241
Se han modificado 3 ficheros con 255 adiciones y 0 borrados
Descargar archivo de parche Descargar archivo de diferencias Expandir todos los archivos Contraer todos los archivos

2
production/bind9/bind/Dockerfile Archivo normal
Ver fichero

@@ -0,0 +1,2 @@
FROM debian:buster-slim
RUN apt update && apt -y upgrade && apt install -y bind9 ipv6calc curl bc dehydrated dnsutils && apt clean

223
production/bind9/bind/command.sh Archivo ejecutable
Ver fichero

@@ -0,0 +1,223 @@
#!/bin/bash
# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -K /etc/bind _acme-challenge.hatthieves.es
# dnssec-keygen -K /etc/bind -a RSASHA256 -b 4096 -n ZONE -3 -f KSK hatthieves.es
# dnssec-keygen -K /etc/bind -a RSASHA256 -b 2048 -n ZONE hatthieves.es
# opendkim-genkey -b 2048 -h rsa-sha256 -r -s dkim -d hatthieves.es -v
DOMAIN="hatthieves.es"
DOMAIN2="hatthieves.com"
IP=82.223.3.135
IPV6=2001:ba0:1800:80e0::1
DKIM=$(sed -e 's/"/\"/g' /etc/bind/dkim.txt)
DKIM2=$(sed -e 's/"/\"/g' /etc/bind/dkim2.txt)
if [ $(cat /etc/bind/version) -gt 99 ]; then
echo 1 > /etc/bind/version
fi
rm -f /etc/bind/rev.*
echo -e ";
; BIND data for $DOMAIN
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; SERIAL
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
$DOMAIN. IN A $IP
$DOMAIN. IN AAAA $IPV6
ns1 IN A $IP
ns1 IN AAAA $IPV6
ns2 IN A $IP
ns2 IN AAAA $IPV6
mail IN A $IP
pop IN A $IP
smtp IN A $IP
imap IN A $IP
* IN CNAME $DOMAIN.
$DOMAIN. IN MX 10 mail.$DOMAIN.
$DOMAIN. IN TXT \"v=spf1 ip4:172.200.0.0/24 a mx -all\"
_dmarc IN TXT \"v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf\"
$DKIM
\$INCLUDE K$DOMAIN.+008+10060.key
\$INCLUDE K$DOMAIN.+008+00825.key
\$INCLUDE K_acme-challenge.$DOMAIN.+165+31790.key"> /etc/bind/$DOMAIN
echo -e ";
; BIND reverse file for $(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
;
\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR $DOMAIN.
$(ipv6calc -q -a $IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
echo -e "\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
; IPv6 PTR entries
$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR $DOMAIN.
$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
echo -e "\$TTL 604800
@ IN SOA ns1.$DOMAIN. admin.$DOMAIN. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
; IPv6 PTR entries
$(ipv6calc -q -a ::ffff:$IP | sed -e 's/\..*$//') IN PTR $DOMAIN.
$(ipv6calc -q -a ::ffff:$IP | sed -e 's/\..*$//') IN PTR mail.$DOMAIN." > /etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')
echo -e "//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include \"/etc/bind/zones.rfc1918\";
zone \"$DOMAIN\" {
type master;
file \"/etc/bind/$DOMAIN.signed\";
allow-update {
key \"$DOMAIN.\";
key \"_acme-challenge.$DOMAIN.\";
};
};
zone \"$DOMAIN2\" {
type master;
file \"/etc/bind/$DOMAIN2.signed\";
allow-update {
key \"$DOMAIN2.\";
key \"_acme-challenge.$DOMAIN2.\";
};
};
zone \"$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
type master;
file \"/etc/bind/rev.$(ipv6calc -q -a $IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
};
zone \"$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
type master;
file \"/etc/bind/rev.$(ipv6calc -q -a $(ipv6calc -q --ipv4_to_6to4addr $IP) | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
};
zone \"$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\" {
type master;
file \"/etc/bind/rev.$(ipv6calc -q -a ::ffff:$IP | sed -e 's/^[[:digit:]]\+\.//' -e 's/\.$//')\";
};" > /etc/bind/named.conf.local
echo -e "acl \"trusted\" {
::1/128; 127.0.0.0/8; 172.0.0.0/8; $IP; $IPV6;
};
options {
directory \"/var/cache/bind\";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
//dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
// config-bind9.txt
recursion yes;
notify yes;
interface-interval 0;
allow-transfer { trusted; };
allow-query { any; };
allow-query-cache { trusted; };
allow-recursion { trusted; };
allow-notify { trusted; };
allow-update { none; };
version none;
check-names master warn;
check-names slave warn;
check-names response warn;
};
key \"_acme-challenge.$DOMAIN.\" {
algorithm hmac-sha512;
secret \"GC9RKMhiWpRxwtBvxNQ8abBSTsfLE8kOuDxMA04q0YuyWPBo9YshtkOGEr9yGC6UPgzYOj7CNKYpn3OF9wEgzA==\";
};
key \"_acme-challenge.$DOMAIN2.\" {
algorithm hmac-sha512;
secret \"JlCDMOnkKuNHSiDi6GnxurCwGpnw85NngKogSqKjSU+cvb8RJSQEZekkfW88hZIPUf0cY+Td9c2SttUL05xQEw==\";
};"> /etc/bind/named.conf.options
echo -e ";
; BIND data for $DOMAIN2
;
\$TTL 3h
@ IN SOA ns1.$DOMAIN2. admin.$DOMAIN2. (
$(date +%Y%m%d)$(cat /etc/bind/version) ; SERIAL
3h ; Refresh
1h ; Retry
1w ; Expire
1h ) ; Minimum
;
@ IN NS ns1.$DOMAIN.
@ IN NS ns2.$DOMAIN.
$DOMAIN2. IN A $IP
$DOMAIN2. IN AAAA $IPV6
* IN CNAME $DOMAIN2.
$DOMAIN2. IN MX 10 mail.$DOMAIN2.
$DOMAIN2. IN TXT \"v=spf1 ip4:172.200.0.0/24 a mx -all\"
_dmarc IN TXT \"v=DMARC1;p=reject;rua=mailto:postmaster@$DOMAIN;pct=100;ruf=mailto:postmaster@$DOMAIN;sp=reject;aspf=s;adkim=s;ri=86400;fo=0;rf=afrf\"
$DKIM2
\$INCLUDE K$DOMAIN2.+008+61170.key
\$INCLUDE K$DOMAIN2.+008+28449.key
\$INCLUDE K_acme-challenge.$DOMAIN2.+165+29132.key"> /etc/bind/$DOMAIN2
COUNT=$(echo $(cat /etc/bind/version)"+1" | bc)
echo $COUNT > /etc/bind/version
mkdir /run/named
chown 101.101 -R /etc/bind
chown 101.101 -R /run/named
cd /etc/bind
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN
dnssec-signzone -P -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT $DOMAIN2
named -c named.conf -g -u bind

30
production/bind9/docker-compose.yml Archivo normal
Ver fichero

@@ -0,0 +1,30 @@
version: '2.1'
services:
bind:
build: ./bind
restart: always
container_name: bind
hostname: bind
entrypoint:
- /bin/bash
- /etc/bind/command.sh
volumes:
- ./bind:/etc/bind
- ./dehydrated:/etc/dehydrated
- ./letsencrypt:/root/letsencrypt
ports:
- "53:53/tcp"
- "53:53/udp"
networks:
mynet:
ipv4_address: 172.3.0.101
networks:
mynet:
enable_ipv6: true
driver: bridge
ipam:
config:
- subnet: 172.3.0.0/24
- subnet: fe80:0:250:56fd::/64