diff --git a/Dockerfile.bind b/Dockerfile.bind new file mode 100644 index 0000000..3b6fe47 --- /dev/null +++ b/Dockerfile.bind @@ -0,0 +1,11 @@ +FROM alpine:latest +MAINTAINER Team Lixo + +RUN apk add bind + +EXPOSE 53/udp 53/tcp + +VOLUME /var/cache/bind +VOLUME /etc/bind + +CMD [ "sh", "-c", "/usr/sbin/named -f -c /etc/bind/named.conf" ] diff --git a/README.md b/README.md index de841a3..ed8a1d9 100644 --- a/README.md +++ b/README.md @@ -136,6 +136,13 @@ For options we expose here, for information see: https://bird.network.cz/?get_do * `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`). If not specified, no password is used for the host. * `bgp_routes`: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated. +#### BIND options + +These settings are optional, and are already defaulted to general network common practices. + + * `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to. Defaults to the value of `internal_gateway`, which is proper in most if not all cases. Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`). + * `tld`: The network-wide TLD to use. Defaults to `lixo`. + # Setup #### Prerequisites: diff --git a/bind/lixo.rpz b/bind/lixo.rpz new file mode 100644 index 0000000..72884fb --- /dev/null +++ b/bind/lixo.rpz @@ -0,0 +1,11 @@ +$TTL 60 +@ IN SOA localhost. root.localhost. ( + 4 ; serial + 3H ; refresh + 1H ; retry + 1W ; expiry + 1H) ; minimum + + IN NS localhost. + +* CNAME . diff --git a/bind/lixo.rpz.whitelist.tmpl b/bind/lixo.rpz.whitelist.tmpl new file mode 100644 index 0000000..f7a229a --- /dev/null +++ b/bind/lixo.rpz.whitelist.tmpl 
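Review bot: `named` is started as root and never drops privileges — the `CMD` wraps it in `sh -c` with no `exec`, so the shell is PID 1 and `docker stop` signals the shell rather than named, and there is neither a `-u` flag nor a `USER` directive. Start named directly and pass `-u named` so it binds port 53 as root and then switches to the unprivileged account the Alpine bind package appears to create (confirm the account name against the installed package); the `/var/cache/bind` directory named writes to must then be owned by that user before the `VOLUME` line. `FROM alpine:latest` plus an unpinned `apk add bind` means every rebuild may pull a different BIND, which matters here because named.conf.tmpl in this same commit uses an option newer releases reject; pin the base tag and the package (`bind=<version>-rN`) and add `--no-cache`. `MAINTAINER` is deprecated in favour of `LABEL`.
```dockerfile
FROM alpine:3.19
LABEL maintainer="Team Lixo"

RUN apk add --no-cache bind \
 && mkdir -p /var/cache/bind \
 && chown named:named /var/cache/bind

# … unchanged: EXPOSE and VOLUME lines …

CMD ["/usr/sbin/named", "-f", "-u", "named", "-c", "/etc/bind/named.conf"]
```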
@@ -0,0 +1,12 @@
+\$TTL 60
+@ IN SOA localhost. root.localhost. (
+ 4 ; serial
+ 3H ; refresh
+ 1H ; retry
+ 1W ; expiry
+ 1H) ; minimum
+
+ IN NS localhost.
+
+${tld:-lixo} CNAME rpz-passthru.
+*.${tld:-lixo} CNAME rpz-passthru.
diff --git a/bind/named.conf.tmpl b/bind/named.conf.tmpl
new file mode 100644
index 0000000..57d92df
--- /dev/null
+++ b/bind/named.conf.tmpl
@@ -0,0 +1,76 @@
+acl "lixonet_global" {
+ ${network_address}/${global_prefix:-16};
+};
+
+acl "lixonet_local" {
+ {{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}{{.}};
+ {{ end }}{{ end }}
+};
+
+options {
+ directory "/var/cache/bind";
+
+ listen-on { ${tinc_peer_address}; };
+
+ forward only;
+ forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+
+ dnssec-enable no;
+ dnssec-validation no;
+};
+
+logging {
+ channel custom {
+ stderr;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ severity debug 9;
+ };
+ category default { custom; };
+};
+
+
+
+view "lixonet" {
+ recursion yes;
+ match-clients { lixonet_global; };
+
+ allow-query { any; };
+ allow-recursion { any; };
+
+ response-policy { zone "rpz.whitelist"; zone "rpz"; };
+
+ zone "rpz.whitelist" {
+ type master;
+ file "/etc/bind/lixo.rpz.whitelist";
+ allow-query { none; };
+ };
+
+ zone "rpz" {
+ type master;
+ file "/etc/bind/lixo.rpz";
+ allow-query { none; };
+ };
+
+ # Self zone
+ zone "{{ "$tinc_peer_name" | replace "_" "." }}" {
+ type forward;
+ forward only;
+ forwarders { ${bind_forward_address-"${internal_gateway}"}; };
+ };
+
+ # Forwarders
+ {{ range files "bind/peers" }} {{ if ne . "${tinc_peer_name}" }}
+ zone "{{ . | replace "_" "." }}" {
+ type forward;
+ forward only;
+ {{ include (print "bind/peers/" .) }}
+ };{{ end }}{{ end }}
+};
+
+view "default" {
+ recursion no;
+ match-clients { any; };
+ allow-recursion { none; };
+};
diff --git a/build.sh b/build.sh
index 902e8e7..c9b7984 100644
--- a/build.sh
+++ b/build.sh
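Review bot: The passthru list covers only `${tld:-lixo}` and its subdomains, while the companion `rpz` zone in this commit answers NXDOMAIN for every other name, so in the `lixonet` view reverse lookups (`in-addr.arpa`, `ip6.arpa`) and `localhost` are rewritten as well — if peers rely on PTR records for their own addresses, add `*.in-addr.arpa CNAME rpz-passthru.` and `*.ip6.arpa CNAME rpz-passthru.` here (the whitelist zone is listed first in `response-policy`, so they take precedence). Note also that `${tld:-lixo}` is substituted into this zone file without validation; a `tld` value containing whitespace or `;` would silently break both this zone and the self-zone name in named.conf.tmpl, so the build script should reject anything that is not a plain DNS label before templating.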
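Review bot: The `options` block restricts IPv4 with `listen-on { ${tinc_peer_address}; };` but sets no `listen-on-v6`; as I read the BIND ARM, recent releases then listen on port 53 on all IPv6 interfaces by default, and because the compose service runs with host networking that would put named on every host IPv6 address (the `default` view answers those clients with recursion off, but they still reach the daemon) — add `listen-on-v6 { none; };` or the tinc IPv6 address next to `listen-on`. `dnssec-enable no;` is obsolete and newer BIND versions refuse to load a configuration containing it; with `alpine:latest` and an unpinned `apk add bind` a future rebuild may pull such a version, so drop that line and keep only `dnssec-validation no;` (confirm against the packaged version). `severity debug 9;` on the only logging channel records every client query at maximum verbosity to stderr, i.e. into `docker logs` for a `restart: always` service — lower it to `info` outside debugging sessions. The `lixonet_local` ACL is built from `bgp_routes` but referenced nowhere in this file.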
@@ -40,6 +40,7 @@ do # Copy default files cp -r ../tinc/* tinc/ cp -r ../bird/* bird/ + cp -r ../bind/* bind/ # Tinc # Remove existing configuration @@ -60,12 +61,21 @@ do # Bird # Remove existing configuration rm -v -rf /etc/bird/$netname/* - # Copy all tinc default files to /etc/(bird) + # Copy all bird default files to /etc/(bird) find bird -type d | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{} find bird -type f | sed -e "s@bird/@@g" | xargs -I '{}' cp --verbose bird/{} /etc/bird/$netname/{} # Fill out templates and remove them after process_templates "/etc/bird/$netname/" "$sigil_vars" + # BIND + # Remove existing configuration + rm -v -rf /etc/bind/$netname/* + # Copy all bind default files to /etc/(bind) + find bind -type d | sed -e "s@bind@bind/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{} + find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{} + # Fill out templates and remove them after + process_templates "/etc/bind/$netname/" "$sigil_vars" + echo "COMPOSE_PROJECT_NAME=$netname" > .env docker-compose -p $netname up -d --build rm .env diff --git a/docker-compose.yml b/docker-compose.yml index cba64e1..67b95d6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,3 +30,16 @@ services: cap_add: - NET_ADMIN restart: always + bind: + network_mode: host + depends_on: + - tinc + build: + context: . + dockerfile: Dockerfile.bind + ports: + - "53:53/udp" + - "53:53/tcp" + volumes: + - /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/ + restart: always
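Review bot: `rm -v -rf /etc/bind/$netname/*` runs with `$netname` unquoted and unchecked; the loop that sets it starts outside this hunk, and if the variable is ever empty the command becomes `rm -rf /etc/bind/*` and deletes every network's BIND configuration. Guard it as `rm -v -rf "/etc/bind/${netname:?netname unset}/"*`; the mirrored bird line in the context above has the same weakness and could be fixed the same way. The `find | sed | xargs -I '{}'` pipeline also splits on whitespace in file names, which is harmless for the files added in this commit but will misbehave if `bind/peers` entries ever carry spaces — `find -print0 | xargs -0` is the safer shape.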
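Review bot: With `network_mode: host` the `ports:` entries are ignored by Compose (host networking publishes nothing; named binds whatever `listen-on` says directly on the host), so the two `"53:53/…"` lines document an intent the runtime does not enforce — either drop them or drop host networking and publish explicitly on the tinc address. The `/etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/` bind-mount is read-write although named only reads the config and policy zones; mount it as `- /etc/bind/${COMPOSE_PROJECT_NAME}/:/etc/bind/:ro` so a compromised named cannot rewrite its own RPZ rules. Unlike the tinc service above, no `cap_add` is set, so named runs with the default capability set as root, which is acceptable only if the image drops privileges after binding port 53.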