Everything more or less works

docker-compose.yml

@@ -0,0 +1,79 @@
+version: "3"
+
+services:
+
+  bind9:
+    image: internetsystemsconsortium/bind9:9.18
+    container_name: ${BND_CONTAINER_NAME:-bind9}
+    restart: ${BND_RESTART:-unless-stopped}
+    volumes:
+      - ${LOCAL_STACK_DIR:-./vol}/bind9/config:/etc/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9/cache:/var/cache/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9/lib:/var/lib/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9/log:/var/log
+    expose:
+      - 53/udp
+      - 53/tcp
+      - 953/tcp
+    networks:
+      vpcbr:
+        ipv4_address: 10.5.0.5
+
+  bind9-lan:
+    image: internetsystemsconsortium/bind9:9.18
+    container_name: ${BND_CONTAINER_NAME:-bind9-lan}
+    restart: ${BND_RESTART:-unless-stopped}
+    volumes:
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/config:/etc/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/cache:/var/cache/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/lib:/var/lib/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-lan/log:/var/log
+    expose:
+      - 53/udp
+      - 53/tcp
+      - 953/tcp
+    networks:
+      vpcbr:
+        ipv4_address: 10.5.0.6
+
+  bind9-recursor:
+    image: internetsystemsconsortium/bind9:9.18
+    container_name: ${BND_CONTAINER_NAME:-bind9-recursor}
+    restart: ${BND_RESTART:-unless-stopped}
+    volumes:
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/config:/etc/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/cache:/var/cache/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/lib:/var/lib/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-recursor/log:/var/log
+    expose:
+      - 53/udp
+      - 53/tcp
+      - 953/tcp
+    networks:
+      vpcbr:
+        ipv4_address: 10.5.0.4
+
+  bind9-forwarder:
+    image: internetsystemsconsortium/bind9:9.18
+    container_name: ${BND_CONTAINER_NAME:-bind9-forwarder}
+    restart: ${BND_RESTART:-unless-stopped}
+    volumes:
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/config:/etc/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/cache:/var/cache/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/lib:/var/lib/bind
+      - ${LOCAL_STACK_DIR:-./vol}/bind9-forwarder/log:/var/log
+    expose:
+      - 53/udp
+      - 53/tcp
+      - 953/tcp
+    networks:
+      vpcbr:
+        ipv4_address: 10.5.0.3
+
+networks:
+  vpcbr:
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 10.5.0.0/16
+         gateway: 10.5.0.1

etc/db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

etc/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

etc/db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

etc/db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

etc/db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

etc/named.conf

@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";

etc/named.conf.default-zones

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+

etc/named.conf.local

@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

etc/named.conf.options

@@ -0,0 +1,24 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-validation auto;
+
+	listen-on-v6 { any; };
+};

etc/zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

volumes/bind9/bind9-forwarder/config/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

volumes/bind9/bind9-forwarder/config/named.conf

@@ -0,0 +1,56 @@
+
+acl my_net { 
+    192.168.2.0/24;
+    127.0.0.0/24;
+    10.5.0.0/16;
+};
+
+acl my_other_net {
+    172.0.0.0/8;
+};
+
+options {
+        directory "/var/cache/bind";
+        listen-on { any; };
+        listen-on-v6 { none; };
+
+        auth-nxdomain no;    # conform to RFC1035
+
+        allow-recursion {
+                my_net;
+        };
+        blackhole {
+                my_other_net;
+        };
+        allow-transfer {
+                none;
+        };
+        allow-update {
+                none;
+        };
+        dnssec-validation no;
+        recursion yes;
+        allow-query-cache { any; };
+        version "not available"; // Disable for security
+
+        # disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
+        empty-zones-enable no;
+
+};
+
+// the loopback reverse zone
+// why is this needed?
+// - when a reverse DNS lookup for 127.0.0.1 address is received,
+// the recursive server doesn’t have to look somewhere else for 
+// the answer. It has to be defined locally 
+// since it is just a localhost address 
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "." {
+  type forward;
+  forward only;
+  forwarders { 10.5.0.4; };
+};

volumes/bind9/bind9-lan/config/lan.zone

@@ -0,0 +1,11 @@
+@	IN	SOA	a0.dns.nic.lan. hostmaster.nic.lan. (
+			      2		; Serial
+			   1800		; Refresh after 30 min
+			    900		; Retry after 15 min
+			 604800		; Expire after 1 week
+			  86400 )	; Minimum TTL of 1 day
+;
+			    518400	IN	NS	a0.dns.nic.lan.
+a0.dns.nic		518400	IN	A	10.5.0.6
+
+pippo			172800	IN	A	10.0.0.2

volumes/bind9/bind9-lan/config/named.conf

@@ -0,0 +1,23 @@
+
+options {
+        directory "/var/cache/bind";
+        listen-on { any; };
+        #listen-on-v6 { ::1; };
+        allow-recursion {
+                none;
+        };
+        allow-transfer {
+                none;
+        };
+        allow-update {
+                none;
+        };
+        dnssec-validation no;
+        recursion no;
+        allow-query-cache { none; };
+};
+
+zone "lan." {
+        type primary;
+        file "/etc/bind/lan.zone";
+};

volumes/bind9/bind9-recursor/config/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

volumes/bind9/bind9-recursor/config/named.conf

@@ -0,0 +1,57 @@
+acl my_net { 
+    192.168.2.0/24;
+    127.0.0.0/24;
+    10.5.0.0/16;
+};
+
+acl my_other_net {
+    172.0.0.0/8;
+};
+
+options {
+        directory "/var/cache/bind";
+        listen-on { any; };
+        #listen-on-v6 { ::1; };
+
+        auth-nxdomain no;    # conform to RFC1035
+
+        allow-recursion {
+                my_net;
+        };
+        blackhole {
+                my_other_net;
+        };
+        allow-transfer {
+                none;
+        };
+        allow-update {
+                none;
+        };
+        dnssec-validation no;
+        recursion yes;
+        allow-query-cache { any; };
+
+        # disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
+        empty-zones-enable no;
+
+};
+
+// the loopback reverse zone
+// why is this needed?
+// - when a reverse DNS lookup for 127.0.0.1 address is received,
+// the recursive server doesn’t have to look somewhere else for 
+// the answer. It has to be defined locally 
+// since it is just a localhost address 
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+
+// recursive/caching name server configuration
+// this will tell named that the IP address of all the root servers are inside
+// the root hints file named named.root
+zone "." {
+	type hint;
+	file "/etc/bind/named.root";
+};

volumes/bind9/bind9-recursor/config/named.root

@@ -0,0 +1,20 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     January 31, 2022
+;       related version of root zone:     2022013101
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.LOCAL.
+A.ROOT-SERVERS.LOCAL.    3600000      A     10.5.0.5
+;A.ROOT-SERVERS.LOCAL.    3600000      AAAA  2001:503:ba3e::2:30
+; End of file

volumes/bind9/bind9/cache/managed-keys.bind

@@ -0,0 +1,9 @@
+$ORIGIN .
+$TTL 0	; 0 seconds
+@			IN SOA	. . (
+				3          ; serial
+				0          ; refresh (0 seconds)
+				0          ; retry (0 seconds)
+				0          ; expire (0 seconds)
+				0          ; minimum (0 seconds)
+				)

volumes/bind9/bind9/config/named.conf

@@ -0,0 +1,24 @@
+
+options {
+        directory "/var/cache/bind";
+        listen-on { any; };
+        #listen-on-v6 { ::1; };
+        allow-recursion {
+                none;
+        };
+        allow-transfer {
+                none;
+        };
+        allow-update {
+                none;
+        };
+        dnssec-validation no;
+        recursion no;
+        allow-query-cache { none; };
+        #minimal-any yes; // Closer but not compliant to RFC8482
+};
+
+zone "." {
+        type primary;
+        file "/etc/bind/root.zone";
+};

volumes/bind9/bind9/config/root.zone

@@ -0,0 +1,16 @@
+@	IN	SOA	a.root-servers.local. root.root-servers.local. (
+			      2		; Serial
+			   1800		; Refresh after 30 min
+			    900		; Retry after 15 min
+			 604800		; Expire after 1 week
+			  86400 )	; Minimum TTL of 1 day
+;
+.			    518400	IN	NS	a.root-servers.local.
+a.root-servers.local.	518400	IN	A	10.5.0.5
+lan.			172800	IN	NS	a0.dns.nic.lan.
+a0.dns.nic.lan.  	518400	IN	A	10.5.0.6
+
+
+;arpa.			172800	IN	NS	a.root-servers.local.
+;local.			172800	IN	NS	a0.dns.nic.local.
+;a0.dns.nic.local.	518400	IN	A	192.168.2.19