Feature bind

2020-06-13 04:22:42 +00:00 · 2020-06-13 04:22:42 +00:00 · e31a3d8970
commit e31a3d8970
parent 43482b3c1a
7 changed files with 141 additions and 1 deletions
--- a/Dockerfile.bind
+++ b/Dockerfile.bind
@ -0,0 +1,11 @@
+FROM alpine:latest
+MAINTAINER Team Lixo <lixonet@team.lixo>
+
+RUN apk add bind
+
+EXPOSE 53/udp 53/tcp
+
+VOLUME /var/cache/bind
+VOLUME /etc/bind
+
+CMD [ "sh", "-c", "/usr/sbin/named -f -c /etc/bind/named.conf" ]
--- a/README.md
+++ b/README.md
@ -136,6 +136,13 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
 * `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`).  If not specified, no password is used for the host.
 * `bgp_routes`: A comma-delimited list of routes to advertise over BGP.  If not specified, no routes are propagated.

+#### BIND options
+
+These settings are optional, and are already defaulted to general network common practices.
+
+ * `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to.  Defaults to the value of `internal_gateway`, which is proper in most if not all cases.  Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
+ * `tld`: The network-wide TLD to use.  Defaults to `lixo`.
+
 # Setup

 #### Prerequisites:
--- a/bind/lixo.rpz
+++ b/bind/lixo.rpz
@ -0,0 +1,11 @@
+$TTL 60
+@            IN    SOA  localhost. root.localhost.  (
+                     4   ; serial
+                     3H  ; refresh
+                     1H  ; retry
+                     1W  ; expiry
+                     1H) ; minimum
+
+             IN      NS    localhost.
+
+*                    CNAME .
--- a/bind/lixo.rpz.whitelist.tmpl
+++ b/bind/lixo.rpz.whitelist.tmpl
@ -0,0 +1,12 @@
+\$TTL 60
+@            IN    SOA  localhost. root.localhost.  (
+                      4   ; serial
+                      3H  ; refresh
+                      1H  ; retry
+                      1W  ; expiry
+                      1H) ; minimum
+
+                      IN     NS      localhost.
+
+${tld:-lixo}                         CNAME   rpz-passthru.
+*.${tld:-lixo}                       CNAME   rpz-passthru.
--- a/bind/named.conf.tmpl
+++ b/bind/named.conf.tmpl
@ -0,0 +1,76 @@
+acl "lixonet_global" {
+    ${network_address}/${global_prefix:-16};
+};
+
+acl "lixonet_local" {
+    {{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}{{.}};
+    {{ end }}{{ end }}
+};
+
+options {
+    directory "/var/cache/bind";
+    
+    listen-on { ${tinc_peer_address}; };
+    
+    forward only;
+    forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+    
+    dnssec-enable no;
+    dnssec-validation no;
+};
+
+logging {
+	channel custom {
+		stderr;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+		severity debug 9;
+	};
+	category default { custom; };
+};
+
+
+
+view "lixonet" {
+    recursion yes;
+    match-clients { lixonet_global; };
+	
+    allow-query { any; };
+    allow-recursion { any; };
+    
+    response-policy { zone "rpz.whitelist"; zone "rpz"; };
+    
+    zone "rpz.whitelist" {
+        type master;
+        file "/etc/bind/lixo.rpz.whitelist";
+        allow-query { none; };
+    };
+
+    zone "rpz" {
+       type master;
+       file "/etc/bind/lixo.rpz";
+       allow-query { none; };
+    };
+    
+    # Self zone
+    zone "{{ "$tinc_peer_name" | replace "_" "." }}" {
+        type forward;
+        forward only;
+        forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+    };
+    
+    # Forwarders
+    {{ range files "bind/peers" }} {{ if ne . "${tinc_peer_name}" }}
+    zone "{{ . | replace "_" "." }}" {
+        type forward;
+        forward only;
+        {{ include (print "bind/peers/" .) }}
+    };{{ end }}{{ end }}
+};
+
+view "default" {
+	recursion no;
+	match-clients { any; };
+	allow-recursion { none; };
+};
--- a/build.sh
+++ b/build.sh
@ -40,6 +40,7 @@ do
    # Copy default files
    cp -r ../tinc/* tinc/
    cp -r ../bird/* bird/
+    cp -r ../bind/* bind/

    # Tinc
    #  Remove existing configuration
@ -60,12 +61,21 @@ do
    # Bird
    #  Remove existing configuration
    rm -v -rf /etc/bird/$netname/*
-    #  Copy all tinc default files to /etc/(bird)
+    #  Copy all bird default files to /etc/(bird)
    find bird -type d | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
    find bird -type f | sed -e "s@bird/@@g" | xargs -I '{}' cp --verbose bird/{} /etc/bird/$netname/{}
    #  Fill out templates and remove them after
    process_templates "/etc/bird/$netname/" "$sigil_vars"

+    # BIND
+    #  Remove existing configuration
+    rm -v -rf /etc/bind/$netname/*
+    #  Copy all bind default files to /etc/(bind)
+    find bind -type d | sed -e "s@bind@bind/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
+    find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{}
+    #  Fill out templates and remove them after
+    process_templates "/etc/bind/$netname/" "$sigil_vars"
+
    echo "COMPOSE_PROJECT_NAME=$netname" > .env
    docker-compose -p $netname up -d --build
    rm .env
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -30,3 +30,16 @@ services:
    cap_add:
      - NET_ADMIN
    restart: always
+  bind:
+    network_mode: host
+    depends_on:
+      - tinc
+    build:
+      context: .
+      dockerfile: Dockerfile.bind
+    ports:
+      - "53:53/udp"
+      - "53:53/tcp"
+    volumes:
+      - /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/
+    restart: always