diff --git a/README.md b/README.md index db87cab..c1390a0 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Alpine :: Bind (DNS) -![pulls](https://img.shields.io/docker/pulls/11notes/bind?color=2b75d6) ![build](https://img.shields.io/docker/automated/11notes/bind?color=2b75d6) ![activity](https://img.shields.io/github/commit-activity/m/11notes/docker-bind?color=c91cb8) ![commit-last](https://img.shields.io/github/last-commit/11notes/docker-bind?color=c91cb8) +![size](https://img.shields.io/docker/image-size/11notes/bind/13.5.3?color=0eb305) ![version](https://img.shields.io/docker/v/11notes/bind?color=eb7a09) ![pulls](https://img.shields.io/docker/pulls/11notes/bind?color=2b75d6) ![activity](https://img.shields.io/github/commit-activity/m/11notes/docker-bind?color=c91cb8) ![commit-last](https://img.shields.io/github/last-commit/11notes/docker-bind?color=c91cb8) Run Bind (DNS) based on Alpine Linux. Small, lightweight, secure and fast 🏔️ @@ -10,6 +10,9 @@ Run Bind (DNS) based on Alpine Linux. Small, lightweight, secure and fast 🏔 ## Run ```shell docker run --name bind \ + -p 53:53 \ + -p 53:53/udp \ + -p 8053:8053 \ -v ../etc:/bind/etc \ -v ../var:/bind/var \ -d 11notes/bind:[tag] @@ -28,12 +31,13 @@ docker exec bind rootdb | `gid` | 1000 | group id 1000 | | `home` | /bind | home directory of user docker | -## Parent +## Parent image * [11notes/alpine:stable](https://github.com/11notes/docker-alpine) -## Built with +## Built with and thanks to * [bind](https://www.isc.org/downloads/bind) * [Alpine Linux](https://alpinelinux.org) ## Tips -* Don't bind to ports < 1024 (requires root), use NAT/reverse proxy \ No newline at end of file +* Only use rootless container runtime (podman, rootless docker) +* Don't bind to ports < 1024 (requires root), use NAT/reverse proxy (haproxy, traefik, nginx) \ No newline at end of file diff --git a/amd64.dockerfile b/amd64.dockerfile index 3103173..460df13 100644 --- a/amd64.dockerfile +++ b/amd64.dockerfile 
@@ -1,6 +1,22 @@ +# :: Build + FROM 11notes/apk-build:stable as build + ENV APK_NAME="bind" + + RUN set -ex; \ + cd ~; \ + newapkbuild ${APK_NAME}; + + COPY ./build /apk/${APK_NAME} + + RUN set -ex; \ + cd ~/${APK_NAME}; \ + abuild checksum; \ + abuild -r; \ + ls -lah /apk/packages; + # :: Header FROM 11notes/alpine:stable - ENV APP_VERSION=9.18.16-r0 + COPY --from=build /apk/packages/apk /tmp ENV APP_ROOT=/bind # :: Run @@ -8,17 +24,15 @@ # :: prepare image RUN set -ex; \ + ls -lah /tmp; \ mkdir -p ${APP_ROOT}/etc \ - mkdir -p ${APP_ROOT}/var; + mkdir -p ${APP_ROOT}/var; \ + mkdir -p /var/run/named; # :: install application RUN set -ex; \ - apk --no-cache add \ - bash \ - bind=${APP_VERSION} \ - bind-dnssec-tools \ - bind-tools \ - bind-plugins; \ + apk add --allow-untrusted --repository /tmp bind; \ + rm -rf /tmp/*; \ apk --no-cache upgrade; # :: copy root filesystem changes and add execution rights to init scripts @@ -31,8 +45,7 @@ usermod -d ${APP_ROOT} docker; \ chown -R 1000:1000 \ ${APP_ROOT} \ - /var/run/named \ - /usr/lib/bind; + /var/run/named; # :: Volumes VOLUME ["${APP_ROOT}/etc", "${APP_ROOT}/var"] diff --git a/build/127.zone b/build/127.zone new file mode 100644 index 0000000..2ad28de --- /dev/null +++ b/build/127.zone @@ -0,0 +1,11 @@ +$ORIGIN 127.in-addr.arpa. +$TTL 1W +@ 1D IN SOA localhost. root.localhost. ( + 2002081601 ; serial + 3H ; refresh + 15M ; retry + 1W ; expiry + 1D ) ; minimum + + 1D IN NS localhost. +1 1D IN PTR localhost. diff --git a/build/APKBUILD b/build/APKBUILD new file mode 100644 index 0000000..c6fe29d --- /dev/null +++ b/build/APKBUILD 
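Review bot: Running `abuild checksum` before `abuild -r` in the second build-stage RUN rewrites the `sha512sums` in build/APKBUILD from whatever was just downloaded, so the hashes this commit ships for bind-9.18.19.tar.xz and the local files never actually gate the source tarball, and a swapped download would build unnoticed. Dropping that line so the RUN is `cd ~/${APK_NAME}; abuild -r;` makes the build fail on a checksum mismatch instead. The `ls -lah /apk/packages;` at the end of the same RUN reads like leftover debugging output. The `COPY --from=build /apk/packages/apk /tmp` in the header stage is what the later `apk add --repository /tmp` consumes; a comment such as `# locally built, unsigned bind .apk files consumed by the apk add below` would make that link explicit.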
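Review bot: `apk add --allow-untrusted --repository /tmp bind;` in the install RUN disables apk's signature check for the whole transaction, which as far as I can tell includes the dependencies resolved from the configured remote repositories (json-c, jemalloc, dns-root-hints per `depends=` in build/APKBUILD), not just the local package; the reason for the flag should sit next to it, e.g. `# --allow-untrusted: /tmp holds the unsigned .apk built in the stage above`, or, if the build stage has an abuild signing key, copy its public key into /etc/apk/keys/ and drop the flag entirely. The same line also drops `--no-cache`, which the previous `apk --no-cache add` had, so the fetched index stays in the layer; `apk --no-cache add --allow-untrusted --repository /tmp bind; \` keeps the earlier behaviour. In the prepare RUN, the context line `mkdir -p ${APP_ROOT}/etc \` still ends in a bare continuation with no `;`, so `mkdir -p ${APP_ROOT}/var` becomes extra operands of the first mkdir and a stray directory named `mkdir` is created in the working directory; `mkdir -p ${APP_ROOT}/etc; \` fixes it. The added `ls -lah /tmp; \` above it also looks like debugging output.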
@@ -0,0 +1,296 @@ +# Contributor: Sergei Lukin +# Contributor: Sören Tempel +# Contributor: Carlo Landmeter +# Contributor: Natanael Copa +# Contributor: ungleich +# Maintainer: Mike Crute +pkgname=bind +pkgver=9.18.19 +_ver=${pkgver%_p*} +_p=${pkgver#*_p} +_major=${pkgver%%.*} +[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p" +pkgrel=0 +pkgdesc="The ISC DNS server" +url="https://www.isc.org/" +arch="all" +license="MPL-2.0" +options="!check" # requires bind server +pkgusers="named" +pkggroups="named" +depends="dns-root-hints bind-tools json-c jemalloc" +depends_dev="$pkgname $pkgname-plugins $pkgname-tools" +_depends_plugins="$pkgname" +_root_keys_upstream="dnssec-root" +_depends_root_keys="$_root_keys_upstream" +makedepends=" + bash + fstrm-dev + jemalloc-dev + json-c-dev + libidn2-dev + krb5-dev + libcap-dev + libuv-dev + libxml2-dev + linux-headers + nghttp2-dev + openldap-dev + openssl-dev>3 + perl + protobuf-c-dev + $_depends_root_keys + " +install="$pkgname.pre-install $pkgname.post-install" +subpackages=" + $pkgname-dbg + $pkgname-doc + $pkgname-dev + $pkgname-libs + $pkgname-openrc + $pkgname-${_root_keys_upstream}:root_keys:noarch + $pkgname-dnssec-tools:_dnssec_tools + $pkgname-plugins + $pkgname-tools + " +source=" + https://downloads.isc.org/isc/bind$_major/$_ver/bind-$_ver.tar.xz + named.initd + named.confd + named.conf.authoritative + named.conf.recursive + 127.zone + localhost.zone + " + +# secfixes: +# 9.18.19-r0: +# - CVE-2023-3341 +# - CVE-2023-4236 +# 9.18.11-r0: +# - CVE-2022-3094 +# - CVE-2022-3736 +# - CVE-2022-3924 +# 9.18.7-r0: +# - CVE-2022-2795 +# - CVE-2022-2881 +# - CVE-2022-2906 +# - CVE-2022-3080 +# - CVE-2022-38177 +# - CVE-2022-38178 +# 9.16.27-r0: +# - CVE-2022-0396 +# - CVE-2021-25220 +# 9.16.22-r0: +# - CVE-2021-25219 +# 9.16.20-r0: +# - CVE-2021-25218 +# 9.16.15-r0: +# - CVE-2021-25214 +# - CVE-2021-25215 +# - CVE-2021-25216 +# 9.16.11-r2: +# - CVE-2020-8625 +# 9.16.6-r0: +# - CVE-2020-8620 +# - CVE-2020-8621 +# - CVE-2020-8622 +# - 
CVE-2020-8623 +# - CVE-2020-8624 +# 9.16.4-r0: +# - CVE-2020-8618 +# - CVE-2020-8619 +# 9.14.12-r0: +# - CVE-2020-8616 +# - CVE-2020-8617 +# 9.14.8-r0: +# - CVE-2019-6477 +# 9.14.7-r0: +# - CVE-2019-6475 +# - CVE-2019-6476 +# 9.14.4-r0: +# - CVE-2019-6471 +# 9.14.1-r0: +# - CVE-2019-6467 +# - CVE-2018-5743 +# 9.12.3_p4-r0: +# - CVE-2019-6465 +# - CVE-2018-5745 +# - CVE-2018-5744 +# 9.12.2_p1-r0: +# - CVE-2018-5740 +# - CVE-2018-5738 +# 9.12.1_p2-r0: +# - CVE-2018-5737 +# - CVE-2018-5736 +# 9.11.2_p1-r0: +# - CVE-2017-3145 +# 9.11.0_p5-r0: +# - CVE-2017-3136 +# - CVE-2017-3137 +# - CVE-2017-3138 +# 9.10.4_p5-r0: +# - CVE-2016-9131 +# - CVE-2016-9147 +# - CVE-2016-9444 +# 0: +# - CVE-2019-6470 + +prepare() { + default_prepare + # Adjusting PATHs in manpages + for i in bin/named/named.rst bin/check/named-checkconf.rst bin/rndc/rndc.rst; do + sed -i \ + -e 's:/etc/named.conf:/etc/bind/named.conf:g' \ + -e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \ + -e 's:/etc/rndc.key:/etc/bind/rndc.key:g' \ + "$i" + done +} + +build() { + ### https://bugs.gentoo.org/show_bug.cgi?id=227333 + export CFLAGS="$CFLAGS -D_GNU_SOURCE" + + ./configure \ + --build="$CBUILD" \ + --host="$CHOST" \ + --prefix=/usr \ + --sysconfdir=/etc/bind \ + --localstatedir=/var \ + --mandir=/usr/share/man \ + --infodir=/usr/share/info \ + --with-tuning=large \ + --with-gssapi \ + --with-libxml2 \ + --with-json-c \ + --with-openssl \ + --with-jemalloc \ + --with-libidn2 \ + --enable-dnstap \ + --enable-largefile \ + --enable-linux-caps \ + --enable-shared \ + --disable-static \ + --enable-full-report + make +} + +check() { + make test +} + +package() { + install -d -m0770 -g named -o root "$pkgdir"/var/bind \ + "$pkgdir"/var/bind/sec \ + "$pkgdir"/var/bind/dyn \ + "$pkgdir"/var/run/named + + install -d -m0750 -g named -o root "$pkgdir"/etc/bind \ + "$pkgdir"/var/bind/pri + + make -j1 DESTDIR="$pkgdir" install + + install -Dm755 "$srcdir"/named.initd \ + "$pkgdir"/etc/init.d/named + install -Dm644 
"$srcdir"/named.confd \ + "$pkgdir"/etc/conf.d/named + install -Dm644 "$srcdir"/named.conf.authoritative \ + "$pkgdir"/etc/bind/named.conf.authoritative + install -Dm644 "$srcdir"/named.conf.recursive \ + "$pkgdir"/etc/bind/named.conf.recursive + install -Dm644 "$srcdir"/127.zone \ + "$pkgdir"/var/bind/pri/127.zone + install -Dm644 "$srcdir"/localhost.zone \ + "$pkgdir"/var/bind/pri/localhost.zone + + cd "$pkgdir"/var/bind + ln -s ../../usr/share/dns-root-hints/named.root named.ca + ln -s named.ca root.cache +} + +_dnssec_tools() { + pkgdesc="Utilities for DNSSEC keys and DNS zone files management" + mkdir -p "$subpkgdir"/usr/bin + mv \ + "$pkgdir"/usr/bin/nsec3hash \ + "$pkgdir"/usr/bin/dnssec* \ + "$subpkgdir"/usr/bin/ +} + +plugins() { + pkgdesc="The ISC DNS server plugins" + depends="$_depends_plugins" + + mkdir -p "$subpkgdir"/usr/lib + mv "$pkgdir"/usr/lib/bind "$subpkgdir"/usr/lib/ +} + +tools() { + pkgdesc="The ISC DNS tools" + depends="$depends_tools" + + mkdir -p "$subpkgdir"/usr/bin + for i in "$pkgdir"/usr/bin/*; do + case "${i##*/}" in + named-checkconf) ;; + *) mv "$i" "$subpkgdir"/usr/bin ;; + esac + done + + mkdir -p "$subpkgdir"/usr/sbin + for i in "$pkgdir"/usr/sbin/*; do + case "${i##*/}" in + named|rndc) ;; + *) mv "$i" "$subpkgdir"/usr/sbin ;; + esac + done +} + +root_keys() { + pkgdesc="ISC BIND DNSSEC Root Keys" + depends="$depends_root_keys" + + local _dir _file _link + _dir="usr/share/$_root_keys_upstream" + _file="$pkgname-$_root_keys_upstream.keys" + _link="$pkgdir/etc/bind/bind.keys" + + mkdir -p "$subpkgdir/$_dir" + cd "$subpkgdir/$_dir" + + mv "$_link" "$_file" + ln -s "$_file" bind.keys + + ln -s "../../$_dir/$_file" "$_link" +} + +# The default_libs() in abuild uses the wrong pattern. 
+libs() { + depends="$depends_libs" + pkgdesc="$pkgdesc (libraries)" + local dir= file= + for dir in lib usr/lib; do + for file in "$pkgdir"/$dir/lib*.so; do + [ -f "$file" ] || continue + mkdir -p "$subpkgdir"/$dir + mv "$file" "$subpkgdir"/$dir/ + done + done +} + +_gpg_signature_extensions="sha512.asc" +_gpgfingerprints=" + good:AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38 + BE0E 9748 B718 253A 28BB 89FF F1B1 1BF0 5CF0 2E57 + " + +sha512sums=" +51af9a246f23afc9ac9a1ef2d793bc91f43fe835b6c4101ad557799ee3aa4253bd12b2f12d9d101c1ce616e2a852a42c5567b031adaaaf06677fcc11c98cf393 bind-9.18.19.tar.xz +3d1d3e954aaee5e125f6b6f3cb660b51fc91d803df4cad43c47dbe97f19789cef20b5ca2834624668f0d761a5b81ac72db8959745d6eb293ca1154a1b390a007 named.initd +127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd +d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative +3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive +eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone +340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone +" diff --git a/build/bind.post-install b/build/bind.post-install new file mode 100644 index 0000000..1a24852 --- /dev/null +++ b/build/bind.post-install @@ -0,0 +1 @@ +#!/bin/sh diff --git a/build/bind.pre-install b/build/bind.pre-install new file mode 100644 index 0000000..3f7c368 --- /dev/null +++ b/build/bind.pre-install @@ -0,0 +1,6 @@ +#!/bin/sh + +addgroup -S named 2>/dev/null +adduser -S -D -H -h /etc/bind -s /sbin/nologin -G named -g named named 2>/dev/null + +exit 0 
diff --git a/build/localhost.zone b/build/localhost.zone new file mode 100644 index 0000000..338d705 --- /dev/null +++ b/build/localhost.zone @@ -0,0 +1,11 @@ +$TTL 1W +@ IN SOA ns.localhost. root.localhost. ( + 2002081601 ; Serial + 28800 ; Refresh + 14400 ; Retry + 604800 ; Expire - 1 week + 86400 ) ; Minimum +@ IN NS ns +ns IN A 127.0.0.1 + +ns IN AAAA ::1 diff --git a/build/named.conf.authoritative b/build/named.conf.authoritative new file mode 100644 index 0000000..71e98dd --- /dev/null +++ b/build/named.conf.authoritative 
@@ -0,0 +1,56 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as an +// authoritative nameserver. If you want to run a recursive DNS resolver +// instead, see /etc/bind/named.conf.recursive. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a secure starting point for running an authoritative nameserver. + +options { + directory "/var/bind"; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you want to allow only specific hosts to use the DNS server: + //allow-query { + // 127.0.0.1; + //}; + + // Specify a list of IPs/masks to allow zone transfers to here. + // + // You can override this on a per-zone basis by specifying this inside a zone + // block. + // + // Warning: Removing this block will cause BIND to revert to its default + // behaviour of allowing zone transfers to any host (!). + allow-transfer { + none; + }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Changing this is NOT RECOMMENDED; see the notes above and in + // named.conf.recursive. + allow-recursion { none; }; + recursion no; +}; + +// Example of how to configure a zone for which this server is the master: +//zone "example.com" IN { +// type master; +// file "/etc/bind/master/example.com"; +//}; + +// You can include files: +//include "/etc/bind/example.conf"; 
diff --git a/build/named.conf.recursive b/build/named.conf.recursive new file mode 100644 index 0000000..a068b22 --- /dev/null +++ b/build/named.conf.recursive 
@@ -0,0 +1,104 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as a +// recursive DNS resolver. If you want to run an authoritative nameserver +// instead, see /etc/bind/named.conf.authoritative. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a starting point for running a recursive resolver. +// +// +// *** IMPORTANT *** +// You should note that running an open DNS resolver (that is, a resolver which +// answers queries from any globally routable IP) makes the resolver vulnerable +// to abuse in the form of reflected DDoS attacks. +// +// These attacks are now widely prevalent on the open internet. Even if +// unadvertised, attackers can and will find your resolver by portscanning the +// global IPv4 address space. +// +// In one case the traffic generated using such an attack reached 300 Gb/s (!). +// +// It is therefore imperative that you take care to configure the resolver to +// only answer queries from IP address space you trust or control. See the +// "allow-recursion" directive below. +// +// Bear in mind that with these attacks, the "source" of a query will actually +// be the intended target of a DDoS attack, so this only protects other networks +// from attack, not your own; ideally therefore you should firewall DNS traffic +// at the borders of your network to eliminate spoofed traffic. +// +// This is a complex issue and some level of understanding of these attacks is +// advisable before you attempt to configure a resolver. 
+ +options { + directory "/var/bind"; + + // Specify a list of CIDR masks which should be allowed to issue recursive + // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above. + allow-recursion { + 127.0.0.1/32; + }; + + // If you want this resolver to itself resolve via means of another recursive + // resolver, uncomment this block and specify the IP addresses of the desired + // upstream resolvers. + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + // By default the resolver will attempt to perform recursive resolution itself + // if the forwarders are unavailable. If you want this resolver to fail outright + // if the upstream resolvers are unavailable, uncomment this directive. + //forward only; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Removing this block will cause BIND to revert to its default behaviour + // of allowing zone transfers to any host (!). There is no need to allow zone + // transfers when operating as a recursive resolver. + allow-transfer { none; }; +}; + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +//zone "COM" { type delegation-only; }; +//zone "NET" { type delegation-only; }; + +zone "." 
IN { + type hint; + file "named.ca"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; diff --git a/build/named.confd b/build/named.confd new file mode 100644 index 0000000..a9af567 --- /dev/null +++ b/build/named.confd @@ -0,0 +1,8 @@ +# Set various named options here. +OPTS="" + +# Set this to the number of processors you have. +# CPU="1" + +# Scheduling priority: 19 is the lowest and -20 is the highest. +# NICELEVEL="0" diff --git a/build/named.initd b/build/named.initd new file mode 100644 index 0000000..c7a8bb1 --- /dev/null +++ b/build/named.initd 
@@ -0,0 +1,91 @@ +#!/sbin/openrc-run + +extra_commands="checkconfig checkzones" +extra_started_commands="reload" +: ${NAMED_CONF:=/etc/bind/named.conf} + +depend() { + need net + after firewall entropy + use logger + provide dns +} + +_get_pidfile() { + [ -n "${PIDFILE}" ] || PIDFILE=$(\ + /usr/bin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2) + [ -z "${PIDFILE}" ] && PIDFILE=/var/run/named/named.pid +} + +checkconfig() { + ebegin "Checking named configuration" + + if [ ! -f "${NAMED_CONF}" ] ; then + eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind." + return 1 + fi + + /usr/bin/named-checkconf ${NAMED_CONF} || { + eerror "named-checkconf failed! Please fix your config first." + return 1 + } + eend 0 + return 0 +} + +checkzones() { + ebegin "Checking named configuration and zones" + /usr/bin/named-checkconf -z -j ${NAMED_CONF} + eend $? +} + +start() { + local piddir + ebegin "Starting named" + _get_pidfile + piddir="${PIDFILE%/*}" + if [ ! -d "${piddir}" ]; then + checkpath -q -d -o root:named -m 0770 "${piddir}" || { + eend 1 + return 1 + } + fi + + checkconfig || { eend 1; return 1; } + + # create piddir (usually /var/run/named) if necessary, bug 334535 + _get_pidfile + piddir="${PIDFILE%/*}" + if [ ! -d "${piddir}" ]; then + checkpath -q -d -o root:named -m 0770 "${piddir}" || { + eend 1 + return 1 + } + fi + + # In case someone have $CPU set in /etc/conf.d/named + if [ -n "${CPU}" ] && [ "${CPU}" -gt 0 ]; then + CPU="-n ${CPU}" + fi + + start-stop-daemon --start --pidfile ${PIDFILE} \ + --nicelevel ${NICELEVEL:-0} \ + --exec /usr/sbin/named \ + -- -u named ${CPU} ${OPTS} + eend $? +} + +stop() { + ebegin "Stopping named" + _get_pidfile + start-stop-daemon --stop --quiet --pidfile $PIDFILE + eend $? +} + +reload() { + checkconfig + + ebegin "Reloading $name" + rndc reload + eend $? +} diff --git a/rootfs/bind/etc/named.conf b/rootfs/bind/etc/named.conf index 7c96278..986d08a 100644 --- a/rootfs/bind/etc/named.conf 
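Review bot: `reload()` at the bottom of build/named.initd calls `checkconfig` but ignores its status, so a broken named.conf is reported and `rndc reload` runs anyway; `checkconfig || return 1` keeps the guard meaningful. In `start()` the piddir/`checkpath` block appears twice, once before and once after `checkconfig`, and the second copy (with the bug-334535 comment) is the one that should stay. `--pidfile $PIDFILE` in `stop()` and `${NAMED_CONF}` in `_get_pidfile()` and `checkconfig()` are unquoted although the values come from the environment or conf.d; quoting them is cheap. The file appears to be carried over from the distribution's packaging, so these may be better fixed upstream.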
+++ b/rootfs/bind/etc/named.conf @@ -3,11 +3,15 @@ options { directory "/bind/etc"; recursion no; allow-notify { none; }; - forwarders { 208.67.220.220; 208.67.222.222; }; + forwarders { 9.9.9.9; 9.9.9.10; }; version "0.0"; auth-nxdomain no; - max-cache-size 4G; + max-cache-size 0; dnssec-validation auto; }; +statistics-channels { + inet 0.0.0.0 port 8053; +}; + server ::/0 { bogus yes; }; \ No newline at end of file diff --git a/rootfs/usr/local/bin/entrypoint.sh b/rootfs/usr/local/bin/entrypoint.sh index ed0a0a3..8829a54 100644 --- a/rootfs/usr/local/bin/entrypoint.sh +++ b/rootfs/usr/local/bin/entrypoint.sh @@ -8,7 +8,8 @@ set -- "named" \ -fg \ -c "/bind/etc/named.conf" \ - -u docker + -u docker \ + -4 fi exec "$@" \ No newline at end of file
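Review bot: The new `statistics-channels { inet 0.0.0.0 port 8053; };` opens the statistics channel on every interface with no `allow` clause, and the README in this commit publishes 8053 to the host; as far as I recall BIND accepts connections to this channel from any address when `allow` is omitted, so the zone list and query counters become readable, unauthenticated, by anyone who can reach the port. An address list keeps the monitoring use case while closing that off, e.g. `inet 0.0.0.0 port 8053 allow { 127.0.0.1; MONITORING_NET_PLACEHOLDER; };` with the placeholder replaced by the collector's network. The `options` block holding the other changes starts outside this hunk; note that with `recursion no;` in place the edited `forwarders` and `max-cache-size` lines have no effect as far as I can tell, so those two edits could be dropped rather than maintained.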
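Review bot: The added `-4` argument switches named to IPv4-only transport but carries no explanation next to it, and the `if` block this `set --` belongs to starts outside the hunk. A one-line comment above the `set --`, such as `# -4: IPv4 transport only (see server ::/0 { bogus yes; } in /bind/etc/named.conf)`, would tell the next maintainer why the flag is there and when it can be dropped.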