author | Mike Crute <mike@crute.us> | 2021-01-18 06:24:42 +0000 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2021-01-18 06:24:42 +0000 |
commit | cd833bc2852ec204fbaecde7ada56798eba005da (patch) | |
tree | 339dbe06f2f23040c2c2dfa1c8d0e22883d73acf | |
parent | 7b931a911ce0bd11eebe3b8059423ec43895c58f (diff) | |
download | dockerfiles-cd833bc2852ec204fbaecde7ada56798eba005da.tar.bz2 dockerfiles-cd833bc2852ec204fbaecde7ada56798eba005da.tar.xz dockerfiles-cd833bc2852ec204fbaecde7ada56798eba005da.zip |
bind: new hosting config update
-rw-r--r-- | bind/Dockerfile | 8 | ||||
-rw-r--r-- | bind/conf/named.conf | 82 | ||||
-rwxr-xr-x | bind/entrypoint.sh | 23 |
3 files changed, 76 insertions, 37 deletions
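--- a/bind/Dockerfile
+++ b/bind/Dockerfile
@@ -14,11 +14,13 @@ RUN set -euxo pipefail; \
 curl -o /etc/bind/db.root https://www.internic.net/domain/named.cache;
 
 ADD conf/ /etc/bind/
-ADD bind_bootstrap /
-ADD zones.yaml /etc/bind/zones.yaml
+ADD entrypoint.sh /
+#ADD bind_bootstrap /
+#ADD zones.yaml /etc/bind/zones.yaml
 
 RUN set -euxo pipefail; \
 chown -R named:named /etc/bind;
 
-ENTRYPOINT [ "/bind_bootstrap" ]
+#ENTRYPOINT [ "/bind_bootstrap" ]
+ENTRYPOINT [ "/entrypoint.sh" ]
 CMD [ "/usr/sbin/named", "-u", "named", "-g" ]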
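Review bot: The new `ADD entrypoint.sh /` copies a plain local file, for which `COPY` is the documented instruction: `ADD` additionally unpacks archives and fetches URLs, so a later change to the source path can silently change what ends up in the image; `COPY entrypoint.sh /` expresses the intent exactly (the unchanged `ADD conf/ /etc/bind/` above it has the same issue). The three commented-out lines added here, `#ADD bind_bootstrap /`, `#ADD zones.yaml /etc/bind/zones.yaml` and `#ENTRYPOINT [ "/bind_bootstrap" ]`, are dead history that the repository already keeps and are better deleted than carried in the build file. If `bind_bootstrap` and `zones.yaml` are no longer consumed, a one-line comment stating that the zone configuration is now supplied at runtime through `/etc/bind/local` would tell the next maintainer why they went away.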
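--- a/bind/conf/named.conf
+++ b/bind/conf/named.conf
@@ -2,41 +2,47 @@
 
 include "/etc/bind/rndc.key";
 
-options {
-directory "/etc/bind/local/cache";
-bindkeys-file "/etc/bind/bind.keys";
-
-//========================================================================
-// If BIND logs error messages about the root key being expired,
-// you will need to update your keys. See https://www.isc.org/bind-keys
-//========================================================================
+//========================================================================
+// If BIND logs error messages about the root key being expired,
+// you will need to update your keys. See https://www.isc.org/bind-keys
+//========================================================================
 
-// mcrute: disable dnssec because the AWS resolvers return invalid zone
-// signatures
-dnssec-validation no;
-
-zone-statistics full;
+options {
+directory "/etc/bind/local/zones";
+managed-keys-directory "/etc/bind/local/managed-keys";
+bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
 
-auth-nxdomain no; # conform to RFC1035
-notify master-only; # don't send NOTIFY from secondaries
+dnssec-validation no; // AWS resolvers return invalid zone signatures
+zone-statistics full; // Track full stats for prometheus export
+masterfile-format text; // Write zonefiles in text even for secondary zones
+auth-nxdomain no; // conform to RFC1035
+notify master-only; // don't send NOTIFY from secondaries
 
 version none;
 hostname none;
 
-listen-on {
-any;
-};
+// Force TCP if response would be larger than IPv6 fragment size
+// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
+max-udp-size 1220;
+edns-udp-size 1220;
 
-listen-on-v6 {
-any;
-};
+// Allow more transfers at once to improve secondary convergence
+transfers-in 50;
+transfers-out 50;
+
+listen-on { any; };
+listen-on-v6 { any; };
+allow-update-forwarding { any; };
 
-allow-update-forwarding {
-any;
+// Typically this ACL is empty but exists so that it can be populated
+// during an attack to block bad clients.
+blackhole {
+blackhole-clients;
 };
 
 allow-notify {
-all-dns-servers;
+internal-keys;
+external-keys;
 };
 
 allow-recursion {
@@ -48,15 +54,6 @@ options {
 internal-nets;
 localhost;
 };
-
-// Force TCP if response would be larger than IPv6 fragment size
-// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-max-udp-size 1220;
-edns-udp-size 1220;
-
-// Allow more transfers at once to improve secondary convergence
-transfers-in 50;
-transfers-out 50;
 };
 
 statistics-channels {
@@ -69,4 +66,21 @@ controls {
 inet ::1 allow { localhost; } keys { "rndc-key"; };
 };
 
-include "/etc/bind/named_local.conf";
+acl internal-nets {
+// Internal RFC1918
+172.16.0.0/12;
+
+// Unknown? Maybe Docker bridge?
+192.168.255.0/24;
+
+// Pomona ARIN
+23.149.16.0/24;
+2602:0803:4000::/40;
+
+// AWS
+2600:1f14:f39:e000::/56;
+2600:1f16:33:500::/56;
+2a05:d01c:7ba:b800::/56;
+};
+
+include "/etc/bind/local/named.conf";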
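Review bot: The new `blackhole { blackhole-clients; }` and `allow-notify { internal-keys; external-keys; }` blocks reference three address-match-list names that nothing visible in this file defines; they can only come from the runtime-supplied `include "/etc/bind/local/named.conf"` on the last line, so named will refuse to load whenever that mounted file omits any of them. Stating the contract next to the include, e.g. `// The included file must define the ACLs blackhole-clients, internal-keys and external-keys`, would turn a cryptic start-up failure into a documented requirement. In the new `internal-nets` ACL, `// Unknown? Maybe Docker bridge?` admits 192.168.255.0/24 to `allow-recursion` without knowing what the range is; an allow-list entry whose owner is unidentified should be confirmed or removed before it ships rather than carried with a question mark. `allow-update-forwarding { any; }` is unchanged in effect, but with `listen-on { any; }` beside it the configuration stays safe only as long as the primaries enforce TSIG on `allow-update`, which is worth noting in the same comment.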
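--- /dev/null
+++ b/bind/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+RNDC_KEY_FILE="/etc/bind/rndc.key"
+
+# Generate an rndc key fresh for every server startup. This is only used for
+# internal management with the rndc command so there's no need to persist it.
+touch $RNDC_KEY_FILE
+chown named:named $RNDC_KEY_FILE
+chmod 0660 $RNDC_KEY_FILE
+/usr/sbin/ddns-confgen -q -k rndc-key > $RNDC_KEY_FILE
+
+# Create directories for secondaries
+for i in $(grep ^view /etc/bind/local/named.conf | cut -d' ' -f2); do
+mkdir -p /etc/bind/local/zones/$i
+done
+mkdir -p /etc/bind/local/managed-keys
+
+# Make sure BIND can write everything
+chown -R named:named /etc/bind/local
+
+exec "$@"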
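Review bot: The view-directory loop parses `/etc/bind/local/named.conf` with `grep ^view | cut -d' ' -f2`, which returns the name together with its quotes when a view is written as `view "internal" {` (valid BIND syntax) and skips any indented `view` statement, so `mkdir -p` either creates a directory literally named `"internal"` or nothing at all, and the per-view directory the included config presumably points at under `directory "/etc/bind/local/zones"` is then missing. Strip the quotes and quote the expansion: `i=${i#\"}; i=${i%\"}` followed by `mkdir -p "/etc/bind/local/zones/$i"`. The secret handling is correctly ordered — the file is chowned and set to 0660 before `ddns-confgen` writes into it — but `$RNDC_KEY_FILE` should still be double-quoted in its four uses, and `set -e` does not cover the `grep` inside the `for` word list, so a missing config file only prints an error and silently creates no directories. A header comment stating that `/etc/bind/local/named.conf` must be mounted before start-up and must define the `view` names used for zone directories would make that assumption explicit.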