switch to custom apk build with tune=large

README.md

@@ -1,5 +1,5 @@
 # Alpine :: Bind (DNS)
-![pulls](https://img.shields.io/docker/pulls/11notes/bind?color=2b75d6) ![build](https://img.shields.io/docker/automated/11notes/bind?color=2b75d6) ![activity](https://img.shields.io/github/commit-activity/m/11notes/docker-bind?color=c91cb8) ![commit-last](https://img.shields.io/github/last-commit/11notes/docker-bind?color=c91cb8)
+![size](https://img.shields.io/docker/image-size/11notes/bind/13.5.3?color=0eb305) ![version](https://img.shields.io/docker/v/11notes/bind?color=eb7a09) ![pulls](https://img.shields.io/docker/pulls/11notes/bind?color=2b75d6) ![activity](https://img.shields.io/github/commit-activity/m/11notes/docker-bind?color=c91cb8) ![commit-last](https://img.shields.io/github/last-commit/11notes/docker-bind?color=c91cb8)
 
 Run Bind (DNS) based on Alpine Linux. Small, lightweight, secure and fast 🏔️
 
@@ -10,6 +10,9 @@ Run Bind (DNS) based on Alpine Linux. Small, lightweight, secure and fast 🏔
 ## Run
 ```shell
 docker run --name bind \
+  -p 53:53 \
+  -p 53:53/udp \
+  -p 8053:8053 \
   -v ../etc:/bind/etc \
   -v ../var:/bind/var \
   -d 11notes/bind:[tag]
@@ -28,12 +31,13 @@ docker exec bind rootdb
 | `gid` | 1000 | group id 1000 |
 | `home` | /bind | home directory of user docker |
 
-## Parent
+## Parent image
 * [11notes/alpine:stable](https://github.com/11notes/docker-alpine)
 
-## Built with
+## Built with and thanks to
 * [bind](https://www.isc.org/downloads/bind)
 * [Alpine Linux](https://alpinelinux.org)
 
 ## Tips
-* Don't bind to ports < 1024 (requires root), use NAT/reverse proxy
+* Only use rootless container runtime (podman, rootless docker)
+* Don't bind to ports < 1024 (requires root), use NAT/reverse proxy (haproxy, traefik, nginx)

amd64.dockerfile

@@ -1,6 +1,22 @@
+# :: Build
+  FROM 11notes/apk-build:stable as build
+  ENV APK_NAME="bind"
+
+  RUN set -ex; \
+    cd ~; \
+    newapkbuild ${APK_NAME};
+
+  COPY ./build /apk/${APK_NAME}
+
+  RUN set -ex; \
+    cd ~/${APK_NAME}; \
+    abuild checksum; \
+    abuild -r; \
+    ls -lah /apk/packages;
+
 # :: Header
   FROM 11notes/alpine:stable
-  ENV APP_VERSION=9.18.16-r0
+  COPY --from=build /apk/packages/apk /tmp
   ENV APP_ROOT=/bind
 
 # :: Run
@@ -8,17 +24,15 @@
 
   # :: prepare image
     RUN set -ex; \
+      ls -lah /tmp; \
       mkdir -p ${APP_ROOT}/etc \
-      mkdir -p ${APP_ROOT}/var;
+      mkdir -p ${APP_ROOT}/var; \
+      mkdir -p /var/run/named;
 
   # :: install application
     RUN set -ex; \
-      apk --no-cache add \
-        bash \
-        bind=${APP_VERSION} \
-        bind-dnssec-tools \
-        bind-tools \
-        bind-plugins; \
+      apk add --allow-untrusted --repository /tmp bind; \
+      rm -rf /tmp/*; \
       apk --no-cache upgrade;
 
   # :: copy root filesystem changes and add execution rights to init scripts
@@ -31,8 +45,7 @@
       usermod -d ${APP_ROOT} docker; \
       chown -R 1000:1000 \
         ${APP_ROOT} \
-        /var/run/named \
-        /usr/lib/bind;
+        /var/run/named;
 
 # :: Volumes
   VOLUME ["${APP_ROOT}/etc", "${APP_ROOT}/var"]

build/127.zone

@@ -0,0 +1,11 @@
+$ORIGIN 127.in-addr.arpa.
+$TTL 1W
+@			1D IN SOA	localhost. root.localhost. (
+					2002081601	; serial
+					3H		; refresh
+					15M		; retry
+					1W		; expiry
+					1D )		; minimum
+
+			1D IN NS	localhost.
+1			1D IN PTR	localhost.

build/APKBUILD

@@ -0,0 +1,296 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
+# Contributor: Carlo Landmeter <clandmeter@alpinelinux.org>
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Contributor: ungleich <alpinelinux@ungleich.ch>
+# Maintainer: Mike Crute <mike@crute.us>
+pkgname=bind
+pkgver=9.18.19
+_ver=${pkgver%_p*}
+_p=${pkgver#*_p}
+_major=${pkgver%%.*}
+[ "$_p" != "$pkgver" ] && _ver="$_ver-P$_p"
+pkgrel=0
+pkgdesc="The ISC DNS server"
+url="https://www.isc.org/"
+arch="all"
+license="MPL-2.0"
+options="!check" # requires bind server
+pkgusers="named"
+pkggroups="named"
+depends="dns-root-hints bind-tools json-c jemalloc"
+depends_dev="$pkgname $pkgname-plugins $pkgname-tools"
+_depends_plugins="$pkgname"
+_root_keys_upstream="dnssec-root"
+_depends_root_keys="$_root_keys_upstream"
+makedepends="
+	bash
+	fstrm-dev
+  jemalloc-dev
+  json-c-dev
+  libidn2-dev
+	krb5-dev
+	libcap-dev
+	libuv-dev
+	libxml2-dev
+	linux-headers
+	nghttp2-dev
+	openldap-dev
+	openssl-dev>3
+	perl
+	protobuf-c-dev
+	$_depends_root_keys
+	"
+install="$pkgname.pre-install $pkgname.post-install"
+subpackages="
+	$pkgname-dbg
+	$pkgname-doc
+	$pkgname-dev
+	$pkgname-libs
+	$pkgname-openrc
+	$pkgname-${_root_keys_upstream}:root_keys:noarch
+	$pkgname-dnssec-tools:_dnssec_tools
+	$pkgname-plugins
+	$pkgname-tools
+	"
+source="
+	https://downloads.isc.org/isc/bind$_major/$_ver/bind-$_ver.tar.xz
+	named.initd
+	named.confd
+	named.conf.authoritative
+	named.conf.recursive
+	127.zone
+	localhost.zone
+	"
+
+# secfixes:
+#   9.18.19-r0:
+#     - CVE-2023-3341
+#     - CVE-2023-4236
+#   9.18.11-r0:
+#     - CVE-2022-3094
+#     - CVE-2022-3736
+#     - CVE-2022-3924
+#   9.18.7-r0:
+#     - CVE-2022-2795
+#     - CVE-2022-2881
+#     - CVE-2022-2906
+#     - CVE-2022-3080
+#     - CVE-2022-38177
+#     - CVE-2022-38178
+#   9.16.27-r0:
+#     - CVE-2022-0396
+#     - CVE-2021-25220
+#   9.16.22-r0:
+#     - CVE-2021-25219
+#   9.16.20-r0:
+#     - CVE-2021-25218
+#   9.16.15-r0:
+#     - CVE-2021-25214
+#     - CVE-2021-25215
+#     - CVE-2021-25216
+#   9.16.11-r2:
+#     - CVE-2020-8625
+#   9.16.6-r0:
+#     - CVE-2020-8620
+#     - CVE-2020-8621
+#     - CVE-2020-8622
+#     - CVE-2020-8623
+#     - CVE-2020-8624
+#   9.16.4-r0:
+#     - CVE-2020-8618
+#     - CVE-2020-8619
+#   9.14.12-r0:
+#     - CVE-2020-8616
+#     - CVE-2020-8617
+#   9.14.8-r0:
+#     - CVE-2019-6477
+#   9.14.7-r0:
+#     - CVE-2019-6475
+#     - CVE-2019-6476
+#   9.14.4-r0:
+#     - CVE-2019-6471
+#   9.14.1-r0:
+#     - CVE-2019-6467
+#     - CVE-2018-5743
+#   9.12.3_p4-r0:
+#     - CVE-2019-6465
+#     - CVE-2018-5745
+#     - CVE-2018-5744
+#   9.12.2_p1-r0:
+#     - CVE-2018-5740
+#     - CVE-2018-5738
+#   9.12.1_p2-r0:
+#     - CVE-2018-5737
+#     - CVE-2018-5736
+#   9.11.2_p1-r0:
+#     - CVE-2017-3145
+#   9.11.0_p5-r0:
+#     - CVE-2017-3136
+#     - CVE-2017-3137
+#     - CVE-2017-3138
+#   9.10.4_p5-r0:
+#     - CVE-2016-9131
+#     - CVE-2016-9147
+#     - CVE-2016-9444
+#   0:
+#     - CVE-2019-6470
+
+prepare() {
+	default_prepare
+	# Adjusting PATHs in manpages
+	for i in bin/named/named.rst bin/check/named-checkconf.rst bin/rndc/rndc.rst; do
+		sed -i \
+			-e 's:/etc/named.conf:/etc/bind/named.conf:g' \
+			-e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
+			-e 's:/etc/rndc.key:/etc/bind/rndc.key:g' \
+			"$i"
+	done
+}
+
+build() {
+	### https://bugs.gentoo.org/show_bug.cgi?id=227333
+	export CFLAGS="$CFLAGS -D_GNU_SOURCE"
+
+	./configure \
+		--build="$CBUILD" \
+		--host="$CHOST" \
+		--prefix=/usr \
+		--sysconfdir=/etc/bind \
+		--localstatedir=/var \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		--with-tuning=large \
+    --with-gssapi \
+    --with-libxml2 \
+    --with-json-c \
+    --with-openssl \
+    --with-jemalloc \
+    --with-libidn2 \
+    --enable-dnstap \
+    --enable-largefile \
+    --enable-linux-caps \
+    --enable-shared \
+    --disable-static \
+    --enable-full-report
+	make
+}
+
+check() {
+	make test
+}
+
+package() {
+	install -d -m0770 -g named -o root "$pkgdir"/var/bind \
+		"$pkgdir"/var/bind/sec \
+		"$pkgdir"/var/bind/dyn \
+		"$pkgdir"/var/run/named
+
+	install -d -m0750 -g named -o root "$pkgdir"/etc/bind \
+		"$pkgdir"/var/bind/pri
+
+	make -j1 DESTDIR="$pkgdir" install
+
+	install -Dm755 "$srcdir"/named.initd \
+		"$pkgdir"/etc/init.d/named
+	install -Dm644 "$srcdir"/named.confd \
+		"$pkgdir"/etc/conf.d/named
+	install -Dm644 "$srcdir"/named.conf.authoritative \
+		"$pkgdir"/etc/bind/named.conf.authoritative
+	install -Dm644 "$srcdir"/named.conf.recursive \
+		"$pkgdir"/etc/bind/named.conf.recursive
+	install -Dm644 "$srcdir"/127.zone \
+		"$pkgdir"/var/bind/pri/127.zone
+	install -Dm644 "$srcdir"/localhost.zone \
+		"$pkgdir"/var/bind/pri/localhost.zone
+
+	cd "$pkgdir"/var/bind
+	ln -s ../../usr/share/dns-root-hints/named.root named.ca
+	ln -s named.ca root.cache
+}
+
+_dnssec_tools() {
+	pkgdesc="Utilities for DNSSEC keys and DNS zone files management"
+	mkdir -p "$subpkgdir"/usr/bin
+	mv  \
+		"$pkgdir"/usr/bin/nsec3hash \
+		"$pkgdir"/usr/bin/dnssec* \
+		"$subpkgdir"/usr/bin/
+}
+
+plugins() {
+	pkgdesc="The ISC DNS server plugins"
+	depends="$_depends_plugins"
+
+	mkdir -p "$subpkgdir"/usr/lib
+	mv "$pkgdir"/usr/lib/bind "$subpkgdir"/usr/lib/
+}
+
+tools() {
+	pkgdesc="The ISC DNS tools"
+	depends="$depends_tools"
+
+	mkdir -p "$subpkgdir"/usr/bin
+	for i in "$pkgdir"/usr/bin/*; do
+		case "${i##*/}" in
+			named-checkconf) ;;
+			*) mv "$i" "$subpkgdir"/usr/bin ;;
+		esac
+	done
+
+	mkdir -p "$subpkgdir"/usr/sbin
+	for i in "$pkgdir"/usr/sbin/*; do
+		case "${i##*/}" in
+			named|rndc) ;;
+			*) mv "$i" "$subpkgdir"/usr/sbin ;;
+		esac
+	done
+}
+
+root_keys() {
+	pkgdesc="ISC BIND DNSSEC Root Keys"
+	depends="$depends_root_keys"
+
+	local _dir _file _link
+	_dir="usr/share/$_root_keys_upstream"
+	_file="$pkgname-$_root_keys_upstream.keys"
+	_link="$pkgdir/etc/bind/bind.keys"
+
+	mkdir -p "$subpkgdir/$_dir"
+	cd "$subpkgdir/$_dir"
+
+	mv "$_link" "$_file"
+	ln -s "$_file" bind.keys
+
+	ln -s "../../$_dir/$_file" "$_link"
+}
+
+# The default_libs() in abuild uses the wrong pattern.
+libs() {
+	depends="$depends_libs"
+	pkgdesc="$pkgdesc (libraries)"
+	local dir= file=
+	for dir in lib usr/lib; do
+		for file in "$pkgdir"/$dir/lib*.so; do
+			[ -f "$file" ] || continue
+			mkdir -p "$subpkgdir"/$dir
+			mv "$file" "$subpkgdir"/$dir/
+		done
+	done
+}
+
+_gpg_signature_extensions="sha512.asc"
+_gpgfingerprints="
+	good:AE3F AC79 6711 EC59 FC00  7AA4 74BB 6B9A 4CBB 3D38
+	BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57
+	"
+
+sha512sums="
+51af9a246f23afc9ac9a1ef2d793bc91f43fe835b6c4101ad557799ee3aa4253bd12b2f12d9d101c1ce616e2a852a42c5567b031adaaaf06677fcc11c98cf393  bind-9.18.19.tar.xz
+3d1d3e954aaee5e125f6b6f3cb660b51fc91d803df4cad43c47dbe97f19789cef20b5ca2834624668f0d761a5b81ac72db8959745d6eb293ca1154a1b390a007  named.initd
+127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf  named.confd
+d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5  named.conf.authoritative
+3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe  named.conf.recursive
+eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c  127.zone
+340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b  localhost.zone
+"

build/bind.post-install

@@ -0,0 +1 @@
+#!/bin/sh

build/bind.pre-install

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+addgroup -S named 2>/dev/null
+adduser -S -D -H -h /etc/bind -s /sbin/nologin -G named -g named named 2>/dev/null
+
+exit 0

build/localhost.zone

@@ -0,0 +1,11 @@
+$TTL 1W
+@       IN      SOA     ns.localhost. root.localhost.  (
+                                      2002081601 ; Serial
+                                      28800      ; Refresh
+                                      14400      ; Retry
+                                      604800     ; Expire - 1 week
+                                      86400 )    ; Minimum
+@		IN      NS      ns
+ns		IN	A	127.0.0.1
+
+ns		IN	AAAA	::1

build/named.conf.authoritative

@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+	directory "/var/bind";
+
+	// Configure the IPs to listen on here.
+	listen-on { 127.0.0.1; };
+	listen-on-v6 { none; };
+
+	// If you want to allow only specific hosts to use the DNS server:
+	//allow-query {
+	//	127.0.0.1;
+	//};
+
+	// Specify a list of IPs/masks to allow zone transfers to here.
+	//
+	// You can override this on a per-zone basis by specifying this inside a zone
+	// block.
+	//
+	// Warning: Removing this block will cause BIND to revert to its default
+	//          behaviour of allowing zone transfers to any host (!).
+	allow-transfer {
+		none;
+	};
+
+	// If you have problems and are behind a firewall:
+	//query-source address * port 53;
+
+	pid-file "/var/run/named/named.pid";
+
+	// Changing this is NOT RECOMMENDED; see the notes above and in
+	// named.conf.recursive.
+	allow-recursion { none; };
+	recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+//	type master;
+//	file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";

build/named.conf.recursive

@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+	directory "/var/bind";
+
+	// Specify a list of CIDR masks which should be allowed to issue recursive
+	// queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+	allow-recursion {
+		127.0.0.1/32;
+	};
+
+	// If you want this resolver to itself resolve via means of another recursive
+	// resolver, uncomment this block and specify the IP addresses of the desired
+	// upstream resolvers.
+	//forwarders {
+	//	123.123.123.123;
+	//	123.123.123.123;
+	//};
+
+	// By default the resolver will attempt to perform recursive resolution itself
+	// if the forwarders are unavailable. If you want this resolver to fail outright
+	// if the upstream resolvers are unavailable, uncomment this directive.
+	//forward only;
+
+	// Configure the IPs to listen on here.
+	listen-on { 127.0.0.1; };
+	listen-on-v6 { none; };
+
+	// If you have problems and are behind a firewall:
+	//query-source address * port 53;
+
+	pid-file "/var/run/named/named.pid";
+
+	// Removing this block will cause BIND to revert to its default behaviour
+	// of allowing zone transfers to any host (!). There is no need to allow zone
+	// transfers when operating as a recursive resolver.
+	allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "localhost" IN {
+	type master;
+	file "pri/localhost.zone";
+	allow-update { none; };
+	notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+	type master;
+	file "pri/127.zone";
+	allow-update { none; };
+	notify no;
+};

build/named.confd

@@ -0,0 +1,8 @@
+# Set various named options here.
+OPTS=""
+
+# Set this to the number of processors you have.
+# CPU="1"
+
+# Scheduling priority: 19 is the lowest and -20 is the highest.
+# NICELEVEL="0"

build/named.initd

@@ -0,0 +1,91 @@
+#!/sbin/openrc-run
+
+extra_commands="checkconfig checkzones"
+extra_started_commands="reload"
+: ${NAMED_CONF:=/etc/bind/named.conf}
+
+depend() {
+	need net
+	after firewall entropy
+	use logger
+	provide dns
+}
+
+_get_pidfile() {
+	[ -n "${PIDFILE}" ] || PIDFILE=$(\
+		/usr/bin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
+	[ -z "${PIDFILE}" ] && PIDFILE=/var/run/named/named.pid
+}
+
+checkconfig() {
+	ebegin "Checking named configuration"
+
+	if [ ! -f "${NAMED_CONF}" ] ; then
+		eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
+		return 1
+	fi
+
+	/usr/bin/named-checkconf ${NAMED_CONF} || {
+		eerror "named-checkconf failed! Please fix your config first."
+		return 1
+	}
+	eend 0
+	return 0
+}
+
+checkzones() {
+	ebegin "Checking named configuration and zones"
+	/usr/bin/named-checkconf -z -j ${NAMED_CONF}
+	eend $?
+}
+
+start() {
+	local piddir
+	ebegin "Starting named"
+	_get_pidfile
+	piddir="${PIDFILE%/*}"
+	if [ ! -d "${piddir}" ]; then
+		checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+			eend 1
+			return 1
+		}
+	fi
+
+	checkconfig || { eend 1; return 1; }
+
+	# create piddir (usually /var/run/named) if necessary, bug 334535
+	_get_pidfile
+	piddir="${PIDFILE%/*}"
+	if [ ! -d "${piddir}" ]; then
+		checkpath -q -d -o root:named -m 0770 "${piddir}" || {
+			eend 1
+			return 1
+		}
+	fi
+
+	# In case someone have $CPU set in /etc/conf.d/named
+	if [ -n "${CPU}" ] && [ "${CPU}" -gt 0 ]; then
+		CPU="-n ${CPU}"
+	fi
+
+	start-stop-daemon --start --pidfile ${PIDFILE} \
+		--nicelevel ${NICELEVEL:-0} \
+		--exec /usr/sbin/named \
+		-- -u named ${CPU} ${OPTS}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping named"
+	_get_pidfile
+	start-stop-daemon --stop --quiet --pidfile $PIDFILE
+	eend $?
+}
+
+reload() {
+	checkconfig
+
+	ebegin "Reloading $name"
+	rndc reload
+	eend $?
+}

rootfs/bind/etc/named.conf

@@ -3,11 +3,15 @@ options {
   directory "/bind/etc";
   recursion no;
   allow-notify { none; };
-  forwarders { 208.67.220.220; 208.67.222.222; };
+  forwarders { 9.9.9.9; 9.9.9.10; };
   version "0.0";
   auth-nxdomain no;
-  max-cache-size 4G;
+  max-cache-size 0;
   dnssec-validation auto;
 };
 
+statistics-channels {
+  inet 0.0.0.0 port 8053;
+};
+
 server ::/0 { bogus yes; };

rootfs/usr/local/bin/entrypoint.sh

@@ -8,7 +8,8 @@
     set -- "named" \
       -fg \
       -c "/bind/etc/named.conf"  \
-      -u docker
+      -u docker \
+      -4
   fi
 
   exec "$@"