authorMike Crute <mike@crute.us>2021-01-18 06:24:42 +0000
committerMike Crute <mike@crute.us>2021-01-18 06:24:42 +0000
commitcd833bc2852ec204fbaecde7ada56798eba005da (patch)
tree339dbe06f2f23040c2c2dfa1c8d0e22883d73acf
parent7b931a911ce0bd11eebe3b8059423ec43895c58f (diff)
downloaddockerfiles-cd833bc2852ec204fbaecde7ada56798eba005da.tar.bz2
dockerfiles-cd833bc2852ec204fbaecde7ada56798eba005da.tar.xz
dockerfiles-cd833bc2852ec204fbaecde7ada56798eba005da.zip
bind: new hosting config update
-rw-r--r--bind/Dockerfile8
-rw-r--r--bind/conf/named.conf82
-rwxr-xr-xbind/entrypoint.sh23
3 files changed, 76 insertions, 37 deletions
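--- a/bind/Dockerfile
+++ b/bind/Dockerfile
@@ -14,11 +14,13 @@ RUN set -euxo pipefail; \
     curl -o /etc/bind/db.root https://www.internic.net/domain/named.cache;
 
 ADD conf/ /etc/bind/
-ADD bind_bootstrap /
-ADD zones.yaml /etc/bind/zones.yaml
+ADD entrypoint.sh /
+#ADD bind_bootstrap /
+#ADD zones.yaml /etc/bind/zones.yaml
 
 RUN set -euxo pipefail; \
     chown -R named:named /etc/bind;
 
-ENTRYPOINT [ "/bind_bootstrap" ]
+#ENTRYPOINT [ "/bind_bootstrap" ]
+ENTRYPOINT [ "/entrypoint.sh" ]
 CMD [ "/usr/sbin/named", "-u", "named", "-g" ]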
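Review bot: `ADD entrypoint.sh /` at new line 17 copies a plain local file, for which `COPY` is the idiomatic instruction; `ADD` additionally auto-extracts archives and fetches URLs, so `COPY entrypoint.sh /` states the intent precisely and avoids surprises if the source ever changes (the same applies to `ADD conf/ /etc/bind/` on the context line above). The commented-out `#ADD bind_bootstrap /`, `#ADD zones.yaml /etc/bind/zones.yaml` and `#ENTRYPOINT [ "/bind_bootstrap" ]` lines at new lines 18, 19 and 24 leave dead configuration in the image definition; git history already records the old bootstrap wiring, so these lines can be deleted outright. The first `RUN` instruction begins before this hunk.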
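--- a/bind/conf/named.conf
+++ b/bind/conf/named.conf
@@ -2,41 +2,47 @@
 
 include "/etc/bind/rndc.key";
 
-options {
-    directory "/etc/bind/local/cache";
-    bindkeys-file "/etc/bind/bind.keys";
-
-    //========================================================================
-    // If BIND logs error messages about the root key being expired,
-    // you will need to update your keys. See https://www.isc.org/bind-keys
-    //========================================================================
+//========================================================================
+// If BIND logs error messages about the root key being expired,
+// you will need to update your keys. See https://www.isc.org/bind-keys
+//========================================================================
 
-    // mcrute: disable dnssec because the AWS resolvers return invalid zone
-    // signatures
-    dnssec-validation no;
-
-    zone-statistics full;
+options {
+    directory "/etc/bind/local/zones";
+    managed-keys-directory "/etc/bind/local/managed-keys";
+    bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
 
-    auth-nxdomain no; # conform to RFC1035
-    notify master-only; # don't send NOTIFY from secondaries
+    dnssec-validation no; // AWS resolvers return invalid zone signatures
+    zone-statistics full; // Track full stats for prometheus export
+    masterfile-format text; // Write zonefiles in text even for secondary zones
+    auth-nxdomain no; // conform to RFC1035
+    notify master-only; // don't send NOTIFY from secondaries
 
     version none;
     hostname none;
 
-    listen-on {
-        any;
-    };
+    // Force TCP if response would be larger than IPv6 fragment size
+    // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
+    max-udp-size 1220;
+    edns-udp-size 1220;
 
-    listen-on-v6 {
-        any;
-    };
+    // Allow more transfers at once to improve secondary convergence
+    transfers-in 50;
+    transfers-out 50;
+
+    listen-on { any; };
+    listen-on-v6 { any; };
+    allow-update-forwarding { any; };
 
-    allow-update-forwarding {
-        any;
+    // Typically this ACL is empty but exists so that it can be populated
+    // during an attack to block bad clients.
+    blackhole {
+        blackhole-clients;
     };
 
     allow-notify {
-        all-dns-servers;
+        internal-keys;
+        external-keys;
     };
 
     allow-recursion {
@@ -48,15 +54,6 @@ options {
         internal-nets;
         localhost;
     };
-
-    // Force TCP if response would be larger than IPv6 fragment size
-    // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-    max-udp-size 1220;
-    edns-udp-size 1220;
-
-    // Allow more transfers at once to improve secondary convergence
-    transfers-in 50;
-    transfers-out 50;
 };
 
 statistics-channels {
@@ -69,4 +66,21 @@ controls {
     inet ::1 allow { localhost; } keys { "rndc-key"; };
 };
 
-include "/etc/bind/named_local.conf";
+acl internal-nets {
+    // Internal RFC1918
+    172.16.0.0/12;
+
+    // Unknown? Maybe Docker bridge?
+    192.168.255.0/24;
+
+    // Pomona ARIN
+    23.149.16.0/24;
+    2602:0803:4000::/40;
+
+    // AWS
+    2600:1f14:f39:e000::/56;
+    2600:1f16:33:500::/56;
+    2a05:d01c:7ba:b800::/56;
+};
+
+include "/etc/bind/local/named.conf";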
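Review bot: `allow-update-forwarding { any; };` at new line 35 lets any client that can reach this server have dynamic-update requests relayed to the primary, so the primary's own update policy and the `blackhole` ACL below are the only gates; unless anonymous forwarding is intended, `allow-update-forwarding { internal-nets; };` limits it to the networks this file already defines. The ACL names `blackhole-clients`, `internal-keys` and `external-keys` used inside `options` are not defined in this file and presumably come from the `/etc/bind/local/named.conf` included at the end; a comment on the `blackhole` block such as `// blackhole-clients, internal-keys and external-keys are defined in local/named.conf; blackhole-clients must exist (even empty), named refuses an undefined ACL` would save the next reader a search. `internal-nets` is now defined at new line 69, after its use in `allow-recursion` at new line 54; the ISC documentation describes ACLs as needing definition before use, and while the previous layout had the same ordering through the include, running `named-checkconf` during the image build would confirm the file loads.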
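--- /dev/null
+++ b/bind/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+RNDC_KEY_FILE="/etc/bind/rndc.key"
+
+# Generate an rndc key fresh for every server startup. This is only used for
+# internal management with the rndc command so there's no need to persist it.
+touch $RNDC_KEY_FILE
+chown named:named $RNDC_KEY_FILE
+chmod 0660 $RNDC_KEY_FILE
+/usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE
+
+# Create directories for secondaries
+for i in $(grep ^view /etc/bind/local/named.conf | cut -d' ' -f2); do
+    mkdir -p /etc/bind/local/zones/$i
+done
+mkdir -p /etc/bind/local/managed-keys
+
+# Make sure BIND can write everything
+chown -R named:named /etc/bind/local
+
+exec "$@"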
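Review bot: The view-name scan at line 15, `grep ^view /etc/bind/local/named.conf | cut -d' ' -f2`, returns the second space-separated token verbatim, so if the local config quotes view names (`view "internal" {`) or separates them with a tab, the directory created under `/etc/bind/local/zones/` carries the quote characters or the loop picks the wrong token; I cannot see the local config, so whether this bites is inferred. A stricter extraction, `for i in $(sed -n 's/^view[[:space:]]*"\{0,1\}\([^"[:space:]{]*\).*/\1/p' /etc/bind/local/named.conf); do`, accepts both the quoted and unquoted forms. The `$RNDC_KEY_FILE` expansions at lines 9-12 are unquoted; the value has no whitespace today, but `"$RNDC_KEY_FILE"` costs nothing and matches the quoting already used on `exec "$@"`.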