From 8ea9df365ec30a9a703530ae77cf1adaca44ef4c Mon Sep 17 00:00:00 2001 
From: meliurwen Date: Mon, 7 Feb 2022 10:11:16 +0100 Subject: [PATCH] Everything more or less works --- docker-compose.yml | 79 ++++++++++++++++++ etc/db.0 | 12 +++ etc/db.127 | 13 +++ etc/db.255 | 12 +++ etc/db.empty | 14 ++++ etc/db.local | 14 ++++ etc/named.conf | 11 +++ etc/named.conf.default-zones | 30 +++++++ etc/named.conf.local | 8 ++ etc/named.conf.options | 24 ++++++ etc/zones.rfc1918 | 20 +++++ volumes/bind9/bind9-forwarder/config/db.127 | 13 +++ .../bind9/bind9-forwarder/config/named.conf | 56 +++++++++++++ volumes/bind9/bind9-lan/config/lan.zone | 11 +++ volumes/bind9/bind9-lan/config/named.conf | 23 +++++ volumes/bind9/bind9-recursor/config/db.127 | 13 +++ .../bind9/bind9-recursor/config/named.conf | 57 +++++++++++++ .../bind9/bind9-recursor/config/named.root | 20 +++++ volumes/bind9/bind9/cache/managed-keys.bind | 9 ++ .../bind9/bind9/cache/managed-keys.bind.jnl | Bin 0 -> 906 bytes volumes/bind9/bind9/config/named.conf | 24 ++++++ volumes/bind9/bind9/config/root.zone | 16 ++++ 22 files changed, 479 insertions(+) create mode 100644 docker-compose.yml create mode 100644 etc/db.0 create mode 100644 etc/db.127 create mode 100644 etc/db.255 create mode 100644 etc/db.empty create mode 100644 etc/db.local create mode 100644 etc/named.conf create mode 100644 etc/named.conf.default-zones create mode 100644 etc/named.conf.local create mode 100644 etc/named.conf.options create mode 100644 etc/zones.rfc1918 create mode 100644 volumes/bind9/bind9-forwarder/config/db.127 create mode 100644 volumes/bind9/bind9-forwarder/config/named.conf create mode 100644 volumes/bind9/bind9-lan/config/lan.zone create mode 100644 volumes/bind9/bind9-lan/config/named.conf create mode 100644 volumes/bind9/bind9-recursor/config/db.127 create mode 100644 volumes/bind9/bind9-recursor/config/named.conf create mode 100644 volumes/bind9/bind9-recursor/config/named.root create mode 100644 volumes/bind9/bind9/cache/managed-keys.bind create mode 100644 
volumes/bind9/bind9/cache/managed-keys.bind.jnl
create mode 100644 volumes/bind9/bind9/config/named.conf
create mode 100644 volumes/bind9/bind9/config/root.zone
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..a058e06
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,79 @@
+version: "3"
+
+services:
+
+ bind9:
+ image: internetsystemsconsortium/bind9:9.18
+ container_name: ${BND_CONTAINER_NAME:-bind9}
+ restart: ${BND_RESTART:-unless-stopped}
+ volumes:
+ - ${LOCAL_STACK_DIR:-./vol}/bind9/config:/etc/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9/cache:/var/cache/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9/lib:/var/lib/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9/log:/var/log
+ expose:
+ - 53/udp
+ - 53/tcp
+ - 953/tcp
+ networks:
+ vpcbr:
+ ipv4_address: 10.5.0.5
+
+ bind9-lan:
+ image: internetsystemsconsortium/bind9:9.18
+ container_name: ${BND_CONTAINER_NAME:-bind9-lan}
+ restart: ${BND_RESTART:-unless-stopped}
+ volumes:
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/config:/etc/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/cache:/var/cache/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/lib:/var/lib/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/log:/var/log
+ expose:
+ - 53/udp
+ - 53/tcp
+ - 953/tcp
+ networks:
+ vpcbr:
+ ipv4_address: 10.5.0.6
+
+ bind9-recursor:
+ image: internetsystemsconsortium/bind9:9.18
+ container_name: ${BND_CONTAINER_NAME:-bind9-recursor}
+ restart: ${BND_RESTART:-unless-stopped}
+ volumes:
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/config:/etc/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/cache:/var/cache/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/lib:/var/lib/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/log:/var/log
+ expose:
+ - 53/udp
+ - 53/tcp
+ - 953/tcp
+ networks:
+ vpcbr:
+ ipv4_address: 10.5.0.4
+
+ bind9-forwarder:
+ image: internetsystemsconsortium/bind9:9.18
+ container_name: ${BND_CONTAINER_NAME:-bind9-forwarder}
+ restart: ${BND_RESTART:-unless-stopped}
+ volumes:
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/config:/etc/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/cache:/var/cache/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/lib:/var/lib/bind
+ - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/log:/var/log
+ expose:
+ - 53/udp
+ - 53/tcp
+ - 953/tcp
+ networks:
+ vpcbr:
+ ipv4_address: 10.5.0.3
+
+networks:
+ vpcbr:
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 10.5.0.0/16
+ gateway: 10.5.0.1
diff --git a/etc/db.0 b/etc/db.0
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/etc/db.0
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/etc/db.127 b/etc/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/etc/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/etc/db.255 b/etc/db.255
new file mode 100644
index 0000000..e3aabdb
--- /dev/null
+++ b/etc/db.255
@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/etc/db.empty b/etc/db.empty
new file mode 100644
index 0000000..8a12858
--- /dev/null
+++ b/etc/db.empty
@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
diff --git a/etc/db.local b/etc/db.local
new file mode 100644
index 0000000..2f272d4
--- /dev/null
+++ b/etc/db.local
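Review bot: All four services read the same `BND_CONTAINER_NAME` variable for `container_name`, so setting it in the environment collapses four distinct defaults into one name and the second container fails to start with a name conflict; give each service its own variable, e.g. `container_name: ${BND_LAN_CONTAINER_NAME:-bind9-lan}`. The default `LOCAL_STACK_DIR` is `./vol`, while the named.conf and zone files added by this commit live under `volumes/bind9/<service>/config`; with no `.env` the bind mounts would presumably point at empty, auto-created directories and named would start without a config, so the default should probably be `./volumes/bind9`, which makes `${LOCAL_STACK_DIR}/bind9/config` resolve to the committed path. Port 953 is listed under `expose` on every service, but none of the named.conf files in this commit defines a `controls` statement or rndc key, so a one-line comment saying whether the control channel is intended to be enabled later would stop readers assuming rndc is reachable.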
@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+@ IN A 127.0.0.1
+@ IN AAAA ::1
diff --git a/etc/named.conf b/etc/named.conf
new file mode 100644
index 0000000..880786a
--- /dev/null
+++ b/etc/named.conf
@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/etc/named.conf.default-zones b/etc/named.conf.default-zones
new file mode 100644
index 0000000..1a85ad3
--- /dev/null
+++ b/etc/named.conf.default-zones
@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+ type hint;
+ file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+};
+
+
diff --git a/etc/named.conf.local b/etc/named.conf.local
new file mode 100644
index 0000000..7a57b10
--- /dev/null
+++ b/etc/named.conf.local
@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
diff --git a/etc/named.conf.options b/etc/named.conf.options
new file mode 100644
index 0000000..4778d18
--- /dev/null
+++ b/etc/named.conf.options
@@ -0,0 +1,24 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+};
diff --git a/etc/zones.rfc1918 b/etc/zones.rfc1918
new file mode 100644
index 0000000..03b5546
--- /dev/null
+++ b/etc/zones.rfc1918
@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
diff --git a/volumes/bind9/bind9-forwarder/config/db.127 b/volumes/bind9/bind9-forwarder/config/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/volumes/bind9/bind9-forwarder/config/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/volumes/bind9/bind9-forwarder/config/named.conf b/volumes/bind9/bind9-forwarder/config/named.conf
new file mode 100644
index 0000000..c19685a
--- /dev/null
+++ b/volumes/bind9/bind9-forwarder/config/named.conf
@@ -0,0 +1,56 @@
+
+acl my_net {
+ 192.168.2.0/24;
+ 127.0.0.0/24;
+ 10.5.0.0/16;
+};
+
+acl my_other_net {
+ 172.0.0.0/8;
+};
+
+options {
+ directory "/var/cache/bind";
+ listen-on { any; };
+ listen-on-v6 { none; };
+
+ auth-nxdomain no; # conform to RFC1035
+
+ allow-recursion {
+ my_net;
+ };
+ blackhole {
+ my_other_net;
+ };
+ allow-transfer {
+ none;
+ };
+ allow-update {
+ none;
+ };
+ dnssec-validation no;
+ recursion yes;
+ allow-query-cache { any; };
+ version "not available"; // Disable for security
+
+ # disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
+ empty-zones-enable no;
+
+};
+
+// the loopback reverse zone
+// why is this needed?
+// - when a reverse DNS lookup for 127.0.0.1 address is received,
+// the recursive server doesn’t have to look somewhere else for
+// the answer. It has to be defined locally
+// since it is just a localhost address
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "." {
+ type forward;
+ forward only;
+ forwarders { 10.5.0.4; };
+};
diff --git a/volumes/bind9/bind9-lan/config/lan.zone b/volumes/bind9/bind9-lan/config/lan.zone
new file mode 100644
index 0000000..5bff3ea
--- /dev/null
+++ b/volumes/bind9/bind9-lan/config/lan.zone
@@ -0,0 +1,11 @@
+@ IN SOA a0.dns.nic.lan. hostmaster.nic.lan. (
+ 2 ; Serial
+ 1800 ; Refresh after 30 min
+ 900 ; Retry after 15 min
+ 604800 ; Expire after 1 week
+ 86400 ) ; Minimum TTL of 1 day
+;
+ 518400 IN NS a0.dns.nic.lan.
+a0.dns.nic 518400 IN A 10.5.0.6
+
+pippo 172800 IN A 10.0.0.2
diff --git a/volumes/bind9/bind9-lan/config/named.conf b/volumes/bind9/bind9-lan/config/named.conf
new file mode 100644
index 0000000..8d2bc9a
--- /dev/null
+++ b/volumes/bind9/bind9-lan/config/named.conf
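Review bot: `allow-query-cache { any; };` in the forwarder's options block is wider than `allow-recursion { my_net; };`, so any source that can reach the `listen-on { any; }` socket can read cached answers even though it is denied recursion — exactly what cache snooping and reflection abuse need. Tighten it to `allow-query-cache { my_net; };`, or delete the line, since BIND documents that an unset allow-query-cache falls back to the allow-recursion ACL. The `blackhole` ACL `my_other_net` is `172.0.0.0/8`, which covers far more than RFC 1918's 172.16.0.0/12 and would silently drop traffic to and from public 172.x addresses; if the private block is meant, use `172.16.0.0/12;`. `dnssec-validation no` is presumably forced by the lab-private root that 10.5.0.4 resolves against, but that reasoning belongs in a comment next to the line so the file is not copied as-is to a deployment that should validate.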
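Review bot: lan.zone has no `$TTL` directive and its SOA line carries no explicit TTL, so named has to fall back to the SOA minimum (86400) when loading it and, to my recollection, logs a "no TTL specified" warning on every load; adding `$TTL 86400` as the first line makes the zone load cleanly and the default TTL explicit. The `pippo` record points at 10.0.0.2, outside the 10.5.0.0/16 network every other address in this commit uses; if that is deliberate, a short comment such as `; pippo: example host outside the compose network` would stop it being read as a typo.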
@@ -0,0 +1,23 @@
+
+options {
+ directory "/var/cache/bind";
+ listen-on { any; };
+ #listen-on-v6 { ::1; };
+ allow-recursion {
+ none;
+ };
+ allow-transfer {
+ none;
+ };
+ allow-update {
+ none;
+ };
+ dnssec-validation no;
+ recursion no;
+ allow-query-cache { none; };
+};
+
+zone "lan." {
+ type primary;
+ file "/etc/bind/lan.zone";
+};
diff --git a/volumes/bind9/bind9-recursor/config/db.127 b/volumes/bind9/bind9-recursor/config/db.127
new file mode 100644
index 0000000..cd05bef
--- /dev/null
+++ b/volumes/bind9/bind9-recursor/config/db.127
@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
diff --git a/volumes/bind9/bind9-recursor/config/named.conf b/volumes/bind9/bind9-recursor/config/named.conf
new file mode 100644
index 0000000..e6c9adf
--- /dev/null
+++ b/volumes/bind9/bind9-recursor/config/named.conf
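Review bot: Unlike the forwarder's named.conf in the same commit, this authoritative server sets no `version` option, so by BIND's default a `CH TXT version.bind` query against 10.5.0.6 returns the running version to anyone who can reach the `listen-on { any; }` socket; add `version "not available";` next to `recursion no;` for the same reason the forwarder gives. `listen-on-v6` is left as a commented-out `::1`, so whether the container also listens on IPv6 depends on the image's default; an explicit `listen-on-v6 { none; };` (matching the forwarder) or `{ any; }` removes the guess. With `recursion no;` already set, the `allow-recursion { none; }` and `allow-query-cache { none; }` blocks are belt-and-braces; a one-line comment saying so would save a reader wondering whether they change anything.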
@@ -0,0 +1,57 @@
+acl my_net {
+ 192.168.2.0/24;
+ 127.0.0.0/24;
+ 10.5.0.0/16;
+};
+
+acl my_other_net {
+ 172.0.0.0/8;
+};
+
+options {
+ directory "/var/cache/bind";
+ listen-on { any; };
+ #listen-on-v6 { ::1; };
+
+ auth-nxdomain no; # conform to RFC1035
+
+ allow-recursion {
+ my_net;
+ };
+ blackhole {
+ my_other_net;
+ };
+ allow-transfer {
+ none;
+ };
+ allow-update {
+ none;
+ };
+ dnssec-validation no;
+ recursion yes;
+ allow-query-cache { any; };
+
+ # disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
+ empty-zones-enable no;
+
+};
+
+// the loopback reverse zone
+// why is this needed?
+// - when a reverse DNS lookup for 127.0.0.1 address is received,
+// the recursive server doesn’t have to look somewhere else for
+// the answer. It has to be defined locally
+// since it is just a localhost address
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+
+// recursive/caching name server configuration
+// this will tell named that the IP address of all the root servers are inside
+// the root hints file named named.root
+zone "." {
+ type hint;
+ file "/etc/bind/named.root";
+};
diff --git a/volumes/bind9/bind9-recursor/config/named.root b/volumes/bind9/bind9-recursor/config/named.root
new file mode 100644
index 0000000..0a28499
--- /dev/null
+++ b/volumes/bind9/bind9-recursor/config/named.root
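Review bot: As in the forwarder, `allow-query-cache { any; };` lets any source that can reach the `listen-on { any; }` socket read the recursor's cache although recursion is limited to `my_net`; tighten it to `allow-query-cache { my_net; };` or drop the line, since BIND documents that an unset allow-query-cache defaults to the allow-recursion ACL. `dnssec-validation no` is presumably required here because the `zone "."` hints point at a private root (10.5.0.5) for which the built-in IANA trust anchor cannot validate, but that reasoning should be a comment on the line — otherwise a later reader may flip it to `auto` and break every lookup, or copy this file into a deployment that should validate. The `blackhole` ACL `172.0.0.0/8` is also much wider than RFC 1918's 172.16.0.0/12 and would drop public 172.x sources; `172.16.0.0/12;` if the private block is meant. The recursor also omits the `version "not available";` that the forwarder sets, so the two resolvers in this commit disagree on whether to reveal the BIND version.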
@@ -0,0 +1,20 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: January 31, 2022
+; related version of root zone: 2022013101
+;
+; FORMERLY NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.LOCAL.
+A.ROOT-SERVERS.LOCAL. 3600000 A 10.5.0.5
+;A.ROOT-SERVERS.LOCAL. 3600000 AAAA 2001:503:ba3e::2:30
+; End of file
\ No newline at end of file
diff --git a/volumes/bind9/bind9/cache/managed-keys.bind b/volumes/bind9/bind9/cache/managed-keys.bind
new file mode 100644
index 0000000..2207ea4
--- /dev/null
+++ b/volumes/bind9/bind9/cache/managed-keys.bind
@@ -0,0 +1,9 @@
+$ORIGIN .
+$TTL 0 ; 0 seconds
+@ IN SOA . . (
+ 3 ; serial
+ 0 ; refresh (0 seconds)
+ 0 ; retry (0 seconds)
+ 0 ; expire (0 seconds)
+ 0 ; minimum (0 seconds)
+ )
diff --git a/volumes/bind9/bind9/cache/managed-keys.bind.jnl b/volumes/bind9/bind9/cache/managed-keys.bind.jnl
new file mode 100644
index 0000000000000000000000000000000000000000..6c8c6514df7f30ae6fab75fae3f58164790a55e8
GIT binary patch literal 906 zcmcC^^7M02@bPz72(#2P;$naRCJ@C8L|s7I0wRWw1gmFcU|^~QsseJD1@WmKl^awc zkO_1RFs{J>7>5js3=C`xAO-`27?{LHU?_rUKvgQu@c%E=Bmq
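Review bot: The header of named.root is the InterNIC root-hints boilerplate ("This file is made available by InterNIC … FTP.INTERNIC.NET", "related version of root zone: 2022013101"), but the only records in it are the lab's own `A.ROOT-SERVERS.LOCAL.` at 10.5.0.5, so the comment misdescribes the file and invites someone to "refresh" it from the public source. Replace the provenance lines with something like `; Root hints for the lab-private root served by the bind9 container (10.5.0.5) — NOT the public IANA root; derived from the InterNIC named.cache template`. The commented-out AAAA still carries the real a.root-servers.net address `2001:503:ba3e::2:30` under the `.LOCAL` name, which is misleading; drop it or replace it with the container's IPv6 address if one is assigned. `.local` is also the mDNS domain (RFC 6762), so on hosts running an mDNS resolver the name may resolve differently from what named sees; a non-reserved label such as `A.ROOT-SERVERS.LAB.` avoids that, though the hint's glue address is what named actually uses.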