From 28b60bf0d6e4fc0eefe60a3717a8dc27ed7e3bcb Mon Sep 17 00:00:00 2001 From: casjay Date: Tue, 27 Aug 2024 10:37:59 -0400 Subject: [PATCH] =?UTF-8?q?=F0=9F=97=83=EF=B8=8F=20Committing=20everything?= =?UTF-8?q?=20that=20changed=20=F0=9F=97=83=EF=B8=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rootfs/tmp/ rootfs/usr/local/etc/docker/init.d/00-named.sh --- rootfs/tmp/etc/bind/named.conf | 87 ++++++++++++++++++ rootfs/tmp/etc/bind/rndc.key | 1 + rootfs/tmp/var/bind/root.cache | 92 +++++++++++++++++++ .../usr/local/etc/docker/init.d/00-named.sh | 25 +++-- 4 files changed, 197 insertions(+), 8 deletions(-) create mode 100644 rootfs/tmp/etc/bind/named.conf create mode 100644 rootfs/tmp/etc/bind/rndc.key create mode 100644 rootfs/tmp/var/bind/root.cache diff --git a/rootfs/tmp/etc/bind/named.conf b/rootfs/tmp/etc/bind/named.conf new file mode 100644 index 0000000..e2b2982 --- /dev/null +++ b/rootfs/tmp/etc/bind/named.conf 
@@ -0,0 +1,87 @@
+# default options - https://bind9.readthedocs.io/en/latest/chapter3.html
+#####################################################################
+# rndc keys
+key "dhcp-key" { algorithm hmac-md5; secret "REPLACE_KEY_DHCP"; };
+key "rndc-key" { algorithm hmac-sha256; secret "REPLACE_KEY_RNDC"; };
+key "backup-key" { algorithm hmac-sha256; secret "MKEQ/REPLACE_KEY_BACKUP"; };
+key "certbot." { algorithm hmac-sha512; secret "REPLACE_KEY_CERTBOT"; };
+#####################################################################
+# rndc settings
+controls { inet 127.0.0.1 allow { trusted; } keys { "rndc-key"; }; };
+#####################################################################
+# access settings
+acl "all" { 0.0.0.0/0; ::/0; };
+acl "secondary" { DNS_SERVER_SECONDARY; };
+acl "trusted" { 10.0.0.0/8; 127.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+acl "updates" { key "dhcp-key"; key "certbot."; };
+acl "transfers" {key "dhcp-key"; key "certbot."; key "backup-key"; secondary; };
+acl "forward" { 1.1.1.1; 8.8.8.8; 4.4.4.4; };
+#####################################################################
+options {
+ version "9";
+ listen-on { any; };
+ listen-on-v6 { any; };
+ zone-statistics yes;
+ max-cache-size 60m;
+ interface-interval 60;
+ max-ncache-ttl 10800;
+ max-udp-size 4096;
+ notify yes;
+ also-notify { DNS_SERVER_SECONDARY; };
+ allow-update { updates; };
+ allow-update-forwarding { DNS_SERVER_SECONDARY; };
+ allow-transfer { trusted; };
+ transfer-format many-answers;
+ allow-query { any; };
+ allow-recursion { any; };
+ allow-query-cache { any; };
+ auth-nxdomain no;
+ dnssec-validation auto;
+ directory "REPLACE_VAR_DIR";
+ managed-keys-directory "REPLACE_ETC_DIR/keys";
+ pid-file "REPLACE_RUN_DIR/named.pid";
+ dump-file "REPLACE_DATA_DIR/stats/dump.txt";
+ statistics-file "REPLACE_DATA_DIR/stats/stats.txt";
+ memstatistics-file "REPLACE_DATA_DIR/stats/mem.txt";
+ forwarders { 1.1.1.1; 8.8.8.8; 4.4.4.4; };
+};
+#####################################################################
+# named logging options
+logging {
+channel debug { file "REPLACE_LOG_DIR/debug.info" versions 0 size 5m; severity debug; };
+channel querylog { file "REPLACE_LOG_DIR/querylog.log" versions 0 size 5m; severity info; print-time yes; };
+channel security { file "REPLACE_LOG_DIR/security.log" versions 0 size 5m; severity dynamic; print-severity yes; print-time yes; };
+channel xfer-in { file "REPLACE_LOG_DIR/xfer.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel xfer-out { file "REPLACE_LOG_DIR/xfer.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel update { file "REPLACE_LOG_DIR/update.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel notify { file "REPLACE_LOG_DIR/notify.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel client { file "REPLACE_LOG_DIR/client.log" versions 0 size 5m; severity debug; print-category yes; print-severity yes; print-time yes; };
+channel default { file "REPLACE_LOG_DIR/default.log" versions 0 size 5m; severity debug; print-category yes; print-severity yes; print-time yes; };
+channel general { file "REPLACE_LOG_DIR/general.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+channel database { file "REPLACE_LOG_DIR/database.log" versions 0 size 5m; severity info; print-category yes; print-severity yes; print-time yes; };
+category lame-servers { default; debug; };
+category dispatch { default; debug; };
+category queries { querylog; default; debug; };
+category update { update; default; debug; };
+category network { default; debug; };
+category unmatched { default; debug; };
+category client { client; default; debug; };
+category notify { notify; default; debug; };
+category xfer-out { xfer-out; default; debug; };
+category xfer-in { xfer-in; default; debug; };
+category resolver { default; debug; };
+category config { default; debug; };
+category security { security; default; debug; };
+category database { database; default; debug; };
+category general { general; default; debug; };
+category default { default; debug; };
+category dnssec { security; default; debug; };
+};
+#####################################################################
+# ********** begin root info **********
+zone "." {
+ type hint;
+ file "REPLACE_VAR_DIR/root.cache";
+};
+# ********** end root info **********
+# end
diff --git a/rootfs/tmp/etc/bind/rndc.key b/rootfs/tmp/etc/bind/rndc.key
new file mode 100644
index 0000000..7c06d05
--- /dev/null
+++ b/rootfs/tmp/etc/bind/rndc.key
@@ -0,0 +1 @@
+key "rndc-key" { algorithm hmac-sha256; secret "REPLACE_KEY_RNDC"; };
diff --git a/rootfs/tmp/var/bind/root.cache b/rootfs/tmp/var/bind/root.cache
new file mode 100644
index 0000000..0f1b4ed
--- /dev/null
+++ b/rootfs/tmp/var/bind/root.cache
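Review bot: `allow-recursion { any; }` and `allow-query-cache { any; }` together with `listen-on { any; }` and `allow-query { any; }` turn this into an open recursive resolver on every interface, which is abusable for reflection/amplification and remote cache-poisoning attempts; the `trusted` ACL declared a few lines above is the obvious scope, `allow-recursion { trusted; };` and `allow-query-cache { trusted; };`, keeping `allow-query { any; }` only for authoritative answers. The `backup-key` placeholder is `"MKEQ/REPLACE_KEY_BACKUP"`, so after substitution named sees `MKEQ/<generated secret>`, which no peer holding `$KEY_BACKUP` can match and which may not even decode as base64 — it should read `secret "REPLACE_KEY_BACKUP";` like the other three keys. `dhcp-key` is declared `hmac-md5` while every other key and the generator use SHA-2; HMAC-MD5 is deprecated for TSIG (RFC 8945) and should be upgraded unless the DHCP peer cannot be changed. `allow-transfer { trusted; }` also hands full zone transfers to any RFC1918 source, which on a container network is usually every neighbour, whereas the keyed `transfers` ACL defined above (and never referenced) looks like what was intended.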
@@ -0,0 +1,92 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: August 14, 2024
+; related version of root zone: 2024081401
+;
+; FORMERLY NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
+B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file
\ No newline at end of file
diff --git a/rootfs/usr/local/etc/docker/init.d/00-named.sh b/rootfs/usr/local/etc/docker/init.d/00-named.sh
index ad473dd..06f0412 100755
--- a/rootfs/usr/local/etc/docker/init.d/00-named.sh
+++ b/rootfs/usr/local/etc/docker/init.d/00-named.sh
@@ -59,8 +59,10 @@ printf '%s\n' "# - - - Initializing $SERVICE_NAME - - - #"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Custom functions
 __rndc_key() { grep -s 'key "rndc-key" ' /etc/named.conf | grep -v 'KEY_RNDC' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
+__dhcp_key() { grep -s 'key "dhcp-key" ' /etc/named.conf | grep -v 'KEY_DHCP' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
+__certbot_key() { grep -s 'key "certbot" ' /etc/named.conf | grep -v 'KEY_CERTBOT' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
+__backup_key() { grep -s 'key "backup-key" ' /etc/named.conf | grep -v 'KEY_BACKUP' | sed 's|.*secret ||g;s|"||g;s|;.*||g' | grep '^' || return 1; }
 __tsig_key() { tsig-keygen -a hmac-sha256 | grep 'secret' | sed 's|.*secret "||g;s|"||g;s|;||g' | grep '^' || echo 'wp/HApbthaVPjwqgp6ziLlmnkyLSNbRTehkdARBDcpI='; }
-
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Script to execute
 START_SCRIPT="/usr/local/etc/docker/exec/$SERVICE_NAME"
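Review bot: `__certbot_key` greps for `key "certbot" ` but the template added in this same commit declares the key as `key "certbot." ` (trailing dot), so the lookup never matches, the `|| __tsig_key` fallback fires on every container start and the certbot TSIG secret is silently regenerated instead of being preserved like the other three; the pattern should be `grep -s 'key "certbot\." ' /etc/named.conf`. All four helpers read `/etc/named.conf`, while the later hunk substitutes the keys into `$ETC_DIR/named.conf` and `$CONF_DIR/named.conf` — if `$ETC_DIR` is not `/etc` (the `rootfs/tmp/etc/bind` layout suggests it may not be), none of them will ever find a key, which is worth confirming. The pre-existing `__tsig_key` fallback `echo 'wp/HApb…'` means any key that falls through when `tsig-keygen` is missing or fails becomes the same publicly known secret, and the new code now relies on that path for persistence; returning non-zero and aborting startup is safer than a well-known key.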
@@ -155,15 +157,16 @@ user_pass="${NAMED_USER_PASS_WORD:-}" # normal user password
 [ -f "/config/env/named.sh" ] && . "/config/env/named.sh" # Overwrite the variabes
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Additional predefined variables
-KEY_RNDC="${KEY_RNDC:-$(__tsig_key)}"
-KEY_DHCP="${KEY_DHCP:-$(__tsig_key)}"
-KEY_BACKUP="${KEY_BACKUP:-$(__tsig_key)}"
-KEY_CERTBOT="${KEY_CERTBOT:-$(__tsig_key)}"
+KEY_RNDC="${KEY_RNDC:-$(__rndc_key || __tsig_key)}"
+KEY_DHCP="${KEY_DHCP:-$(__dhcp_key || __tsig_key)}"
+KEY_BACKUP="${KEY_BACKUP:-$(__backup_key || __tsig_key)}"
+KEY_CERTBOT="${KEY_CERTBOT:-$(__certbot_key || __tsig_key)}"
 DNS_SERIAL="$(date +'%Y%m%d%S')"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Additional variables
-DNS_SERVER_PRIMARY="${DNS_SERVER_PRIMARY:-}"
-DNS_SERVER_SECONDARY="${DNS_SERVER_SECONDARY:-}"
+DNS_TYPE="${DNS_TYPE:-primary}"
+DNS_SERVER_PRIMARY="${DNS_SERVER_PRIMARY:-127.0.0.1}"
+DNS_SERVER_SECONDARY="${DNS_SERVER_SECONDARY:-127.0.0.1}"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Specifiy custom directories to be created
 ADD_APPLICATION_FILES=""
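Review bot: The new `127.0.0.1` default for `DNS_SERVER_SECONDARY` is substituted verbatim into `acl "secondary"`, `also-notify` and `allow-update-forwarding` in the named.conf template from this commit, so a single-node deployment notifies and forwards dynamic updates to itself, and `allow-update-forwarding` then accepts forwarded updates from the local host. It does avoid the empty `{ ; }` ACL body that the previous unset default would have produced, which named would likely reject, but substituting `none;` when no secondary is configured and stating in a comment that `DNS_SERVER_SECONDARY` must be set to the real secondary's address would express the intent better. `DNS_TYPE` is introduced with a `primary` default, yet nothing in the visible hunks reads it; a one-line comment listing its accepted values, e.g. `# DNS_TYPE: primary|secondary (TODO: not yet consumed)`, would keep it from being mistaken for a working switch.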
@@ -233,13 +236,19 @@ __update_conf_files() {
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # custom commands
- mkdir -p "$ETC_DIR/keys" "$CONF_DIR/keys" "$VAR_DIR/zones" "$DATA_DIR/zones"
+ mkdir -p "$ETC_DIR/keys" "$CONF_DIR/keys" "$VAR_DIR/zones" "$DATA_DIR/zones" "$DATA_DIR/stats"
 for logfile in xfer update notify querylog default debug security; do
 touch "$LOG_DIR/$logfile.log"
 chmod -Rf 777 "$logfile"
 done
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # replace variables
+ __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$ETC_DIR/rndc.key"
+ __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$ETC_DIR/named.conf"
+ __replace "REPLACE_KEY_DHCP" "$KEY_DHCP" "$ETC_DIR/named.conf"
+ __replace "REPLACE_KEY_BACKUP" "$KEY_BACKUP" "$ETC_DIR/named.conf"
+ __replace "REPLACE_KEY_CERTBOT" "$KEY_CERTBOT" "$ETC_DIR/named.conf"
+ __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$CONF_DIR/rndc.key"
 __replace "REPLACE_KEY_RNDC" "$KEY_RNDC" "$CONF_DIR/named.conf"
 __replace "REPLACE_KEY_DHCP" "$KEY_DHCP" "$CONF_DIR/named.conf"