9.18.30, compile from source (no apk)

This commit is contained in:
ElevenNotes
2024-09-25 22:05:02 +02:00
parent 7fa2f914f4
commit 92f1856428
20 changed files with 292 additions and 662 deletions


@@ -1,3 +1,5 @@
.gitignore
.git*
*.md
LICENSE
LICENSE
maintain/
project*

.github/workflows/release.yml vendored Normal file

@@ -0,0 +1,26 @@
name: create release notes
on:
push:
tags:
- "*"
- "!amd64*"
- "!arm64*"
permissions:
contents: write
jobs:
release:
name: release
runs-on: ubuntu-latest
steps:
- name: create release notes
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
tag: ${{ github.ref_name }}
run: |
gh release create "$tag" \
--repo="$GITHUB_REPOSITORY" \
--title="${tag#v}" \
--generate-notes


@@ -1,9 +1,9 @@
![Banner](https://github.com/11notes/defaults/blob/main/static/img/banner.png?raw=true)
# 🏔️ Alpine - BIND9
![size](https://img.shields.io/docker/image-size/11notes/bind/9.18.24?color=0eb305) ![version](https://img.shields.io/docker/v/11notes/bind/9.18.24?color=eb7a09) ![pulls](https://img.shields.io/docker/pulls/11notes/bind?color=2b75d6) ![activity](https://img.shields.io/github/commit-activity/m/11notes/docker-bind?color=c91cb8) ![commit-last](https://img.shields.io/github/last-commit/11notes/docker-bind?color=c91cb8) ![stars](https://img.shields.io/docker/stars/11notes/bind?color=e6a50e)
# 🏔️ Alpine - BIND
![size](https://img.shields.io/docker/image-size/11notes/bind/9.18.30?color=0eb305) ![version](https://img.shields.io/docker/v/11notes/bind/9.18.30?color=eb7a09) ![pulls](https://img.shields.io/docker/pulls/11notes/bind?color=2b75d6)
**BIND9 DNS server**
**BIND DNS server**
# SYNOPSIS
What can I do with this? This image will run BIND9 DNS server precompiled for large installations and maximum performance.
@@ -12,12 +12,25 @@ What can I do with this? This image will run BIND9 DNS server precompiled for la
* **/bind/etc** - Directory of named.conf
* **/bind/var** - Directory of zone data
# RUN
```shell
docker run --name bind \
-v .../etc:/bind/etc \
-v .../var:/bind/var \
-d 11notes/bind:[tag]
# COMPOSE
```yaml
services:
bind:
image: "11notes/bind:9.18.30"
container_name: "bind"
environment:
TZ: "Europe/Zurich"
volumes:
- "etc:/bind/etc"
- "var:/bind/var"
ports:
- "53:53/udp"
- "53:53/tcp"
- "8053:8053/tcp"
restart: always
volumes:
etc:
var:
```
# EXAMPLES
@@ -56,19 +69,20 @@ server ::/0 { bogus yes; };
| `TZ` | [Time Zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) | |
| `DEBUG` | Show debug information | |
# SOURCE
* [11notes/bind](https://github.com/11notes/docker-bind)
# PARENT IMAGE
* [11notes/alpine:stable](https://hub.docker.com/r/11notes/alpine)
# BUILT WITH
* [bind9](https://www.isc.org/downloads/bind)
* [bind](https://www.isc.org/downloads/bind)
* [alpine](https://alpinelinux.org)
# TIPS
* Only use rootless container runtime (podman, rootless docker)
* Allow non-root ports < 1024 via `echo "net.ipv4.ip_unprivileged_port_start=53" > /etc/sysctl.d/ports.conf`
* Use a reverse proxy like Traefik, Nginx to terminate TLS with a valid certificate
* Use Lets Encrypt certificates to protect your SSL endpoints
# ElevenNotes<sup>™️</sup>
This image is provided to you at your own risk. Always make backups before updating an image to a new version. Check the changelog for breaking changes.
This image is provided to you at your own risk. Always make backups before updating an image to a new version. Check the changelog for breaking changes. You can find all my repositories on [github](https://github.com/11notes).


@@ -7,39 +7,120 @@
git clone https://github.com/11notes/util.git;
# :: Build
FROM 11notes/apk-build:stable as build
ENV APK_NAME="bind"
COPY ./build /src
FROM 11notes/alpine:stable as build
ARG BUILD_VERSION=9.18.30
ARG BUILD_DIR=/bind9
USER root
RUN set -ex; \
apk-build
apk add --no-cache --update \
alpine-sdk \
openssl-dev \
libuv-dev \
curl \
wget \
unzip \
build-base \
linux-headers \
make \
cmake \
autoconf \
automake \
libtool \
bash \
userspace-rcu \
fstrm-dev \
jemalloc-dev \
json-c-dev \
libidn2-dev \
krb5-dev \
libcap-dev \
libuv-dev \
libxml2-dev \
linux-headers \
nghttp2-dev \
openldap-dev \
openssl-dev>3 \
perl \
protobuf-c-dev \
g++ \
git;
RUN set -ex; \
git clone https://gitlab.isc.org/isc-projects/bind9.git -b v${BUILD_VERSION};
RUN set -ex; \
cd ${BUILD_DIR}; \
autoreconf --install; \
./configure \
--prefix=/opt/bind \
--sysconfdir=/bind/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--with-tuning=large \
--with-gssapi \
--with-libxml2 \
--with-json-c \
--with-openssl \
--with-jemalloc \
--with-libidn2 \
--enable-dnstap \
--enable-largefile \
--enable-linux-caps \
--enable-shared \
--disable-static \
--enable-full-report;
RUN set -ex; \
cd ${BUILD_DIR}; \
make -j$(nproc);
RUN set -ex; \
cd ${BUILD_DIR}; \
make install-strip;
# :: Header
FROM 11notes/alpine:stable
COPY --from=util /util/linux/shell/elevenLogJSON /usr/local/bin
COPY --from=build /apk /apk/custom
COPY --from=build /opt/bind /opt/bind
ENV APP_NAME="bind"
ENV APP_VERSION=9.18.30
ENV APP_ROOT=/bind
# :: Run
USER root
# :: prepare image
# :: prepare
RUN set -ex; \
ls -lah /tmp; \
mkdir -p ${APP_ROOT}/etc \
mkdir -p ${APP_ROOT}/var; \
mkdir -p /var/run/named;
mkdir -p \
${APP_ROOT}/etc \
${APP_ROOT}/var \
/var/run/named;
# :: install application
# :: install
RUN set -ex; \
apk add --no-cache --allow-untrusted --repository /apk/custom bind; \
apk --no-cache upgrade;
apk --no-cache --update add \
json-c \
libuv \
libxml2 \
protobuf-c \
fstrm \
libcap \
jemalloc \
krb5;
# :: copy root filesystem changes and add execution rights to init scripts
# :: upgrade
RUN set -ex; \
apk --no-cache --update upgrade;
# :: copy root filesystem
COPY ./rootfs /
RUN set -ex; \
chmod +x -R /usr/local/bin
# :: change home path for existing user and set correct permission
# :: change permissions
RUN set -ex; \
usermod -d ${APP_ROOT} docker; \
chown -R 1000:1000 \
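Review bot: `git clone https://gitlab.isc.org/isc-projects/bind9.git -b v${BUILD_VERSION}` in the build stage fetches the source with no integrity check at all — a tag is a mutable reference, and the APKBUILD this commit deletes carried a sha512sum and the ISC GPG fingerprints for the release tarball, so the image goes from a verified source to an unverified one. Fetching `bind-${BUILD_VERSION}.tar.xz` from downloads.isc.org and checking it against a digest pinned in the Dockerfile (sketched below) restores that and avoids a full-history clone; the tarball already ships `configure`, so `autoreconf --install` can go, and if git must stay, at least pin the tag's commit id and compare `git rev-parse HEAD` against it. A second point in the same hunk: the runtime stage installs json-c, libuv, libxml2, protobuf-c, fstrm, libcap, jemalloc and krb5 but not `libidn2` or `nghttp2-libs`, although the build stage installs their -dev packages and passes `--with-libidn2` to configure, so if the copied binaries link against them they will not load unless the base image already provides them — an `ldd /opt/bind/sbin/named` in the build stage would catch this. `ARG BUILD_VERSION=9.18.30` in the build stage and `ENV APP_VERSION=9.18.30` in the runtime stage are also two hand-maintained copies of one value; redeclaring `ARG BUILD_VERSION` after the second `FROM` and writing `ENV APP_VERSION=${BUILD_VERSION}` keeps them in step. The arm64 Dockerfile in this commit has the identical hunk and all three points apply there too; in both files the stage that clones the util repo starts before the hunk and the final `chown` stanza runs past its end.
```dockerfile
ARG BUILD_VERSION=9.18.30
ARG BUILD_DIR=/bind9
# sha512 of bind-${BUILD_VERSION}.tar.xz as published by ISC (placeholder: copy from the release page)
ARG BUILD_SHA512=<sha512-of-bind-9.18.30.tar.xz>
# … unchanged: USER root, apk add of build dependencies …
RUN set -ex; \
    wget -O /tmp/bind.tar.xz "https://downloads.isc.org/isc/bind9/${BUILD_VERSION}/bind-${BUILD_VERSION}.tar.xz"; \
    echo "${BUILD_SHA512}  /tmp/bind.tar.xz" | sha512sum -c -; \
    mkdir -p ${BUILD_DIR}; \
    tar -xJf /tmp/bind.tar.xz -C ${BUILD_DIR} --strip-components=1; \
    rm -f /tmp/bind.tar.xz;
# … unchanged: configure (without autoreconf), make, make install-strip …
```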


@@ -10,40 +10,122 @@
git clone https://github.com/11notes/util.git;
# :: Build
FROM 11notes/apk-build:stable as build
ENV APK_NAME="bind"
COPY ./build /src
FROM --platform=linux/arm64 11notes/alpine:stable as build
COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin
ARG BUILD_VERSION=9.18.30
ARG BUILD_DIR=/bind9
USER root
RUN set -ex; \
apk-build
apk add --no-cache --update \
alpine-sdk \
openssl-dev \
libuv-dev \
curl \
wget \
unzip \
build-base \
linux-headers \
make \
cmake \
autoconf \
automake \
libtool \
bash \
userspace-rcu \
fstrm-dev \
jemalloc-dev \
json-c-dev \
libidn2-dev \
krb5-dev \
libcap-dev \
libuv-dev \
libxml2-dev \
linux-headers \
nghttp2-dev \
openldap-dev \
openssl-dev>3 \
perl \
protobuf-c-dev \
g++ \
git;
RUN set -ex; \
git clone https://gitlab.isc.org/isc-projects/bind9.git -b v${BUILD_VERSION};
RUN set -ex; \
cd ${BUILD_DIR}; \
autoreconf --install; \
./configure \
--prefix=/opt/bind \
--sysconfdir=/bind/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--with-tuning=large \
--with-gssapi \
--with-libxml2 \
--with-json-c \
--with-openssl \
--with-jemalloc \
--with-libidn2 \
--enable-dnstap \
--enable-largefile \
--enable-linux-caps \
--enable-shared \
--disable-static \
--enable-full-report;
RUN set -ex; \
cd ${BUILD_DIR}; \
make -j$(nproc);
RUN set -ex; \
cd ${BUILD_DIR}; \
make install-strip;
# :: Header
FROM 11notes/alpine:arm64v8-stable
FROM --platform=linux/arm64 11notes/alpine:stable
COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin
COPY --from=util /util/linux/shell/elevenLogJSON /usr/local/bin
COPY --from=build /apk /apk/custom
COPY --from=build /opt/bind /opt/bind
ENV APP_NAME="bind"
ENV APP_VERSION=9.18.30
ENV APP_ROOT=/bind
# :: Run
USER root
# :: prepare image
# :: prepare
RUN set -ex; \
ls -lah /tmp; \
mkdir -p ${APP_ROOT}/etc \
mkdir -p ${APP_ROOT}/var; \
mkdir -p /var/run/named;
mkdir -p \
${APP_ROOT}/etc \
${APP_ROOT}/var \
/var/run/named;
# :: install application
# :: install
RUN set -ex; \
apk add --no-cache --allow-untrusted --repository /apk/custom bind; \
apk --no-cache upgrade;
apk --no-cache --update add \
json-c \
libuv \
libxml2 \
protobuf-c \
fstrm \
libcap \
jemalloc \
krb5;
# :: copy root filesystem changes and add execution rights to init scripts
# :: upgrade
RUN set -ex; \
apk --no-cache --update upgrade;
# :: copy root filesystem
COPY ./rootfs /
RUN set -ex; \
chmod +x -R /usr/local/bin
# :: change home path for existing user and set correct permission
# :: change permissions
RUN set -ex; \
usermod -d ${APP_ROOT} docker; \
chown -R 1000:1000 \
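Review bot: `COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin` directly under the second `FROM` leaves the user-mode emulator in the runtime image, where it serves no purpose once the build stages are done and only adds size and one more binary to the attack surface; either drop that line from the final stage or add `rm -f /usr/bin/qemu-aarch64-static` to the `# :: change permissions` step. The rendered hunk does not show whether that COPY predates this commit, but it should not outlive the build either way, and if the build host registers binfmt_misc with the fix-binary flag the copy into the build stage is unnecessary as well. The `qemu` and `util` stages begin before this hunk and the closing `chown` runs past its end.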


@@ -1,11 +0,0 @@
$ORIGIN 127.in-addr.arpa.
$TTL 1W
@ 1D IN SOA localhost. root.localhost. (
2002081601 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS localhost.
1 1D IN PTR localhost.


@@ -1,296 +0,0 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Contributor: ungleich <alpinelinux@ungleich.ch>
# Maintainer: Mike Crute <mike@crute.us>
pkgname=bind
pkgver=9.18.24
_ver=${pkgver%_p*}
_p=${pkgver#*_p}
_major=${pkgver%%.*}
[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p"
pkgrel=0
pkgdesc="The ISC DNS server"
url="https://www.isc.org/"
arch="all"
license="MPL-2.0"
options="!check" # requires bind server
pkgusers="named"
pkggroups="named"
depends="dns-root-hints bind-tools bind-dnssec-tools bind-plugins json-c jemalloc"
depends_dev="$pkgname $pkgname-plugins $pkgname-tools"
_depends_plugins="$pkgname"
_root_keys_upstream="dnssec-root"
_depends_root_keys="$_root_keys_upstream"
makedepends="
bash
fstrm-dev
jemalloc-dev
json-c-dev
libidn2-dev
krb5-dev
libcap-dev
libuv-dev
libxml2-dev
linux-headers
nghttp2-dev
openldap-dev
openssl-dev>3
perl
protobuf-c-dev
$_depends_root_keys
"
install="$pkgname.pre-install $pkgname.post-install"
subpackages="
$pkgname-dbg
$pkgname-doc
$pkgname-dev
$pkgname-libs
$pkgname-openrc
$pkgname-${_root_keys_upstream}:root_keys:noarch
$pkgname-dnssec-tools:_dnssec_tools
$pkgname-plugins
$pkgname-tools
"
source="
https://downloads.isc.org/isc/bind$_major/$_ver/bind-$_ver.tar.xz
named.initd
named.confd
named.conf.authoritative
named.conf.recursive
127.zone
localhost.zone
"
# secfixes:
# 9.18.19-r0:
# - CVE-2023-3341
# - CVE-2023-4236
# 9.18.11-r0:
# - CVE-2022-3094
# - CVE-2022-3736
# - CVE-2022-3924
# 9.18.7-r0:
# - CVE-2022-2795
# - CVE-2022-2881
# - CVE-2022-2906
# - CVE-2022-3080
# - CVE-2022-38177
# - CVE-2022-38178
# 9.16.27-r0:
# - CVE-2022-0396
# - CVE-2021-25220
# 9.16.22-r0:
# - CVE-2021-25219
# 9.16.20-r0:
# - CVE-2021-25218
# 9.16.15-r0:
# - CVE-2021-25214
# - CVE-2021-25215
# - CVE-2021-25216
# 9.16.11-r2:
# - CVE-2020-8625
# 9.16.6-r0:
# - CVE-2020-8620
# - CVE-2020-8621
# - CVE-2020-8622
# - CVE-2020-8623
# - CVE-2020-8624
# 9.16.4-r0:
# - CVE-2020-8618
# - CVE-2020-8619
# 9.14.12-r0:
# - CVE-2020-8616
# - CVE-2020-8617
# 9.14.8-r0:
# - CVE-2019-6477
# 9.14.7-r0:
# - CVE-2019-6475
# - CVE-2019-6476
# 9.14.4-r0:
# - CVE-2019-6471
# 9.14.1-r0:
# - CVE-2019-6467
# - CVE-2018-5743
# 9.12.3_p4-r0:
# - CVE-2019-6465
# - CVE-2018-5745
# - CVE-2018-5744
# 9.12.2_p1-r0:
# - CVE-2018-5740
# - CVE-2018-5738
# 9.12.1_p2-r0:
# - CVE-2018-5737
# - CVE-2018-5736
# 9.11.2_p1-r0:
# - CVE-2017-3145
# 9.11.0_p5-r0:
# - CVE-2017-3136
# - CVE-2017-3137
# - CVE-2017-3138
# 9.10.4_p5-r0:
# - CVE-2016-9131
# - CVE-2016-9147
# - CVE-2016-9444
# 0:
# - CVE-2019-6470
prepare() {
default_prepare
# Adjusting PATHs in manpages
for i in bin/named/named.rst bin/check/named-checkconf.rst bin/rndc/rndc.rst; do
sed -i \
-e 's:/etc/named.conf:/etc/bind/named.conf:g' \
-e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
-e 's:/etc/rndc.key:/etc/bind/rndc.key:g' \
"$i"
done
}
build() {
### https://bugs.gentoo.org/show_bug.cgi?id=227333
export CFLAGS="$CFLAGS -D_GNU_SOURCE"
./configure \
--build="$CBUILD" \
--host="$CHOST" \
--prefix=/usr \
--sysconfdir=/etc/bind \
--localstatedir=/var \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--with-tuning=large \
--with-gssapi \
--with-libxml2 \
--with-json-c \
--with-openssl \
--with-jemalloc \
--with-libidn2 \
--enable-dnstap \
--enable-largefile \
--enable-linux-caps \
--enable-shared \
--disable-static \
--enable-full-report
make
}
check() {
make test
}
package() {
install -d -m0770 -g named -o root "$pkgdir"/var/bind \
"$pkgdir"/var/bind/sec \
"$pkgdir"/var/bind/dyn \
"$pkgdir"/var/run/named
install -d -m0750 -g named -o root "$pkgdir"/etc/bind \
"$pkgdir"/var/bind/pri
make -j1 DESTDIR="$pkgdir" install
install -Dm755 "$srcdir"/named.initd \
"$pkgdir"/etc/init.d/named
install -Dm644 "$srcdir"/named.confd \
"$pkgdir"/etc/conf.d/named
install -Dm644 "$srcdir"/named.conf.authoritative \
"$pkgdir"/etc/bind/named.conf.authoritative
install -Dm644 "$srcdir"/named.conf.recursive \
"$pkgdir"/etc/bind/named.conf.recursive
install -Dm644 "$srcdir"/127.zone \
"$pkgdir"/var/bind/pri/127.zone
install -Dm644 "$srcdir"/localhost.zone \
"$pkgdir"/var/bind/pri/localhost.zone
cd "$pkgdir"/var/bind
ln -s ../../usr/share/dns-root-hints/named.root named.ca
ln -s named.ca root.cache
}
_dnssec_tools() {
pkgdesc="Utilities for DNSSEC keys and DNS zone files management"
mkdir -p "$subpkgdir"/usr/bin
mv \
"$pkgdir"/usr/bin/nsec3hash \
"$pkgdir"/usr/bin/dnssec* \
"$subpkgdir"/usr/bin/
}
plugins() {
pkgdesc="The ISC DNS server plugins"
depends="$_depends_plugins"
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/bind "$subpkgdir"/usr/lib/
}
tools() {
pkgdesc="The ISC DNS tools"
depends="$depends_tools"
mkdir -p "$subpkgdir"/usr/bin
for i in "$pkgdir"/usr/bin/*; do
case "${i##*/}" in
named-checkconf) ;;
*) mv "$i" "$subpkgdir"/usr/bin ;;
esac
done
mkdir -p "$subpkgdir"/usr/sbin
for i in "$pkgdir"/usr/sbin/*; do
case "${i##*/}" in
named|rndc) ;;
*) mv "$i" "$subpkgdir"/usr/sbin ;;
esac
done
}
root_keys() {
pkgdesc="ISC BIND DNSSEC Root Keys"
depends="$depends_root_keys"
local _dir _file _link
_dir="usr/share/$_root_keys_upstream"
_file="$pkgname-$_root_keys_upstream.keys"
_link="$pkgdir/etc/bind/bind.keys"
mkdir -p "$subpkgdir/$_dir"
cd "$subpkgdir/$_dir"
mv "$_link" "$_file"
ln -s "$_file" bind.keys
ln -s "../../$_dir/$_file" "$_link"
}
# The default_libs() in abuild uses the wrong pattern.
libs() {
depends="$depends_libs"
pkgdesc="$pkgdesc (libraries)"
local dir= file=
for dir in lib usr/lib; do
for file in "$pkgdir"/$dir/lib*.so; do
[ -f "$file" ] || continue
mkdir -p "$subpkgdir"/$dir
mv "$file" "$subpkgdir"/$dir/
done
done
}
_gpg_signature_extensions="sha512.asc"
_gpgfingerprints="
good:AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38
BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57
"
sha512sums="
465f5b01570fdde5c95adfb780f54e0585814bd25baf914bb95bf5972f15a672e3e7b743a55f1804e69e17609d5a0cd66cc2bbab9174238b3c89e5ad732dc085 bind-9.18.24.tar.xz
3d1d3e954aaee5e125f6b6f3cb660b51fc91d803df4cad43c47dbe97f19789cef20b5ca2834624668f0d761a5b81ac72db8959745d6eb293ca1154a1b390a007 named.initd
127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd
d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative
3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
"


@@ -1 +0,0 @@
#!/bin/sh


@@ -1,6 +0,0 @@
#!/bin/sh
addgroup -S named 2>/dev/null
adduser -S -D -H -h /etc/bind -s /sbin/nologin -G named -g named named 2>/dev/null
exit 0


@@ -1,11 +0,0 @@
$TTL 1W
@ IN SOA ns.localhost. root.localhost. (
2002081601 ; Serial
28800 ; Refresh
14400 ; Retry
604800 ; Expire - 1 week
86400 ) ; Minimum
@ IN NS ns
ns IN A 127.0.0.1
ns IN AAAA ::1


@@ -1,56 +0,0 @@
// Copy this file to /etc/bind/named.conf if you want to run bind as an
// authoritative nameserver. If you want to run a recursive DNS resolver
// instead, see /etc/bind/named.conf.recursive.
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a secure starting point for running an authoritative nameserver.
options {
directory "/var/bind";
// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
// If you want to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};
// Specify a list of IPs/masks to allow zone transfers to here.
//
// You can override this on a per-zone basis by specifying this inside a zone
// block.
//
// Warning: Removing this block will cause BIND to revert to its default
// behaviour of allowing zone transfers to any host (!).
allow-transfer {
none;
};
// If you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/var/run/named/named.pid";
// Changing this is NOT RECOMMENDED; see the notes above and in
// named.conf.recursive.
allow-recursion { none; };
recursion no;
};
// Example of how to configure a zone for which this server is the master:
//zone "example.com" IN {
// type master;
// file "/etc/bind/master/example.com";
//};
// You can include files:
//include "/etc/bind/example.conf";


@@ -1,104 +0,0 @@
// Copy this file to /etc/bind/named.conf if you want to run bind as a
// recursive DNS resolver. If you want to run an authoritative nameserver
// instead, see /etc/bind/named.conf.authoritative.
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a starting point for running a recursive resolver.
//
//
// *** IMPORTANT ***
// You should note that running an open DNS resolver (that is, a resolver which
// answers queries from any globally routable IP) makes the resolver vulnerable
// to abuse in the form of reflected DDoS attacks.
//
// These attacks are now widely prevalent on the open internet. Even if
// unadvertised, attackers can and will find your resolver by portscanning the
// global IPv4 address space.
//
// In one case the traffic generated using such an attack reached 300 Gb/s (!).
//
// It is therefore imperative that you take care to configure the resolver to
// only answer queries from IP address space you trust or control. See the
// "allow-recursion" directive below.
//
// Bear in mind that with these attacks, the "source" of a query will actually
// be the intended target of a DDoS attack, so this only protects other networks
// from attack, not your own; ideally therefore you should firewall DNS traffic
// at the borders of your network to eliminate spoofed traffic.
//
// This is a complex issue and some level of understanding of these attacks is
// advisable before you attempt to configure a resolver.
options {
directory "/var/bind";
// Specify a list of CIDR masks which should be allowed to issue recursive
// queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
allow-recursion {
127.0.0.1/32;
};
// If you want this resolver to itself resolve via means of another recursive
// resolver, uncomment this block and specify the IP addresses of the desired
// upstream resolvers.
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
// By default the resolver will attempt to perform recursive resolution itself
// if the forwarders are unavailable. If you want this resolver to fail outright
// if the upstream resolvers are unavailable, uncomment this directive.
//forward only;
// Configure the IPs to listen on here.
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
// If you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/var/run/named/named.pid";
// Removing this block will cause BIND to revert to its default behaviour
// of allowing zone transfers to any host (!). There is no need to allow zone
// transfers when operating as a recursive resolver.
allow-transfer { none; };
};
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};

View File

@@ -1,8 +0,0 @@
# Set various named options here.
OPTS=""
# Set this to the number of processors you have.
# CPU="1"
# Scheduling priority: 19 is the lowest and -20 is the highest.
# NICELEVEL="0"


@@ -1,91 +0,0 @@
#!/sbin/openrc-run
extra_commands="checkconfig checkzones"
extra_started_commands="reload"
: ${NAMED_CONF:=/etc/bind/named.conf}
depend() {
need net
after firewall entropy
use logger
provide dns
}
_get_pidfile() {
[ -n "${PIDFILE}" ] || PIDFILE=$(\
/usr/bin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
[ -z "${PIDFILE}" ] && PIDFILE=/var/run/named/named.pid
}
checkconfig() {
ebegin "Checking named configuration"
if [ ! -f "${NAMED_CONF}" ] ; then
eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
return 1
fi
/usr/bin/named-checkconf ${NAMED_CONF} || {
eerror "named-checkconf failed! Please fix your config first."
return 1
}
eend 0
return 0
}
checkzones() {
ebegin "Checking named configuration and zones"
/usr/bin/named-checkconf -z -j ${NAMED_CONF}
eend $?
}
start() {
local piddir
ebegin "Starting named"
_get_pidfile
piddir="${PIDFILE%/*}"
if [ ! -d "${piddir}" ]; then
checkpath -q -d -o root:named -m 0770 "${piddir}" || {
eend 1
return 1
}
fi
checkconfig || { eend 1; return 1; }
# create piddir (usually /var/run/named) if necessary, bug 334535
_get_pidfile
piddir="${PIDFILE%/*}"
if [ ! -d "${piddir}" ]; then
checkpath -q -d -o root:named -m 0770 "${piddir}" || {
eend 1
return 1
}
fi
# In case someone have $CPU set in /etc/conf.d/named
if [ -n "${CPU}" ] && [ "${CPU}" -gt 0 ]; then
CPU="-n ${CPU}"
fi
start-stop-daemon --start --pidfile ${PIDFILE} \
--nicelevel ${NICELEVEL:-0} \
--exec /usr/sbin/named \
-- -u named ${CPU} ${OPTS}
eend $?
}
stop() {
ebegin "Stopping named"
_get_pidfile
start-stop-daemon --stop --quiet --pidfile $PIDFILE
eend $?
}
reload() {
checkconfig
ebegin "Reloading $name"
rndc reload
eend $?
}

compose.yaml Normal file

@@ -0,0 +1,17 @@
services:
bind:
image: "11notes/bind:9.18.30"
container_name: "bind"
environment:
TZ: "Europe/Zurich"
volumes:
- "etc:/bind/etc"
- "var:/bind/var"
ports:
- "53:53/udp"
- "53:53/tcp"
- "8053:8053/tcp"
restart: always
volumes:
etc:
var:
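Review bot: `- "8053:8053/tcp"` publishes a third port on all host interfaces without any indication of what listens there; nothing on this page shows which named.conf listener (statistics channel, rndc control, or something else) is behind 8053. If it is a control or statistics endpoint it should be bound to loopback, `- "127.0.0.1:8053:8053/tcp"`, or left unpublished, and a short comment beside the entry naming the service would help in any case; the README's COMPOSE example repeats the same list and should stay in step.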


@@ -1,4 +0,0 @@
#!/bin/bash
curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.9.0/manifest-tool-linux-amd64
chmod +x manifest-tool
./manifest-tool push from-spec multi-arch-manifest-version.yaml


@@ -1,10 +1,10 @@
image: 11notes/bind:9.18.24
image: 11notes/bind:9.18.30
manifests:
- image: 11notes/bind:9.18.24
- image: 11notes/bind:9.18.30
platform:
architecture: amd64
os: linux
- image: 11notes/bind:9.18.24
- image: 11notes/bind:9.18.30
platform:
architecture: arm64
os: linux


@@ -1,28 +1,26 @@
. 518400 IN NS e.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS f.root-servers.net.
;; ADDITIONAL SECTION:
e.root-servers.net. 518400 IN A 192.203.230.10
h.root-servers.net. 518400 IN A 198.97.190.53
l.root-servers.net. 518400 IN A 199.7.83.42
i.root-servers.net. 518400 IN A 192.36.148.17
a.root-servers.net. 518400 IN A 198.41.0.4
d.root-servers.net. 518400 IN A 199.7.91.13
b.root-servers.net. 518400 IN A 170.247.170.2
c.root-servers.net. 518400 IN A 192.33.4.12
b.root-servers.net. 518400 IN A 199.9.14.201
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
g.root-servers.net. 518400 IN A 192.112.36.4
m.root-servers.net. 518400 IN A 202.12.27.33
f.root-servers.net. 518400 IN A 192.5.5.241
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33


@@ -1,17 +1,15 @@
#!/bin/ash
if [ -z "${1}" ]; then
if [ ! -f "/bind/var/root.db" ]; then
elevenLogJSON info "creating root db"
rootdb
fi
elevenLogJSON info "starting bind9"
set -- "named" \
elevenLogJSON info "starting ${APP_NAME} (${APP_VERSION})"
set -- "/opt/bind/sbin/named" \
-fg \
-c "/bind/etc/named.conf" \
-u docker \
-4
-u docker
fi
exec "$@"
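Review bot: The rewritten `set --` drops `-4` from the named command line, which is a runtime change rather than a path fix: named will now also open IPv6 listeners as configured by `listen-on-v6` in /bind/etc/named.conf, and nothing in the README hunk shown on this page tells operators that the image is no longer forced to IPv4. A one-line comment above `set --`, `# no -4: IPv4/IPv6 scope is controlled by listen-on/listen-on-v6 in named.conf`, would record the intent, and the README's TIPS section is the place to mention it. The hard-coded `/opt/bind/sbin/named` path matches the `--prefix=/opt/bind` used in the Dockerfiles, and `exec "$@"` at the end is the right shape.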


@@ -1,6 +1,6 @@
#!/bin/ash
if [ ! -f "/bind/var/root.db" ]; then
elevenLogJSON info "no root db found, using IP of a.root"
elevenLogJSON debug "no root db found, using IP of a.root"
ROOT_DB_NS=198.41.0.4
else
ROOT_DB_NS=a.root-servers.net