cytopia / docker-bind
Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]
Home Page: http://devilbox.org/
License: MIT License
Today a CNAME/IP specified for EXTRA_HOSTS/WILDCARD_DNS is assumed to be resolved to a single IP using dig @8.8.8.8 +short "${my_add}" A.
Imagine use cases:
example.com -> <elb_id>.<aws_region>.elb.amazonaws.com.
$ dig @8.8.8.8 +short example.com A
54.XX.XX.XX
3.XX.XX.XX
example1.com -> example.com -> <elb_id>.<aws_region>.elb.amazonaws.com.
$ dig @8.8.8.8 +short example1.com A
example.com
54.XX.XX.XX
3.XX.XX.XX
The IP set behind load balancer is dynamic and might change a couple times a day thus it doesn't make sense to create a zone with IPs which can become stale at any time.
Suggestion:
For a WILDCARD_DNS or EXTRA_HOSTS entry specified as a CNAME that does not resolve to a single IP, create a CNAME zone instead:
$TTL 3600
@ IN SOA example.com. root.example.com. (
...
;
IN NS example1.com.
* IN CNAME example1.com.
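The A-versus-CNAME decision the suggestion above asks for, as an added example (not docker-bind's own entrypoint code). The dig output is passed in as a string so the function runs offline; in the entrypoint it would come from `dig @8.8.8.8 +short "$name" A`.

```shell
# Added example, not from the docker-bind project: decide between A records
# and a CNAME for a wildcard entry from dig +short output.

# is_ipv4 VALUE -> 0 when VALUE looks like a dotted-quad IPv4 address
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# wildcard_records DOMAIN DIG_OUTPUT
# Prints zone lines for *.DOMAIN:
#  - every line is an IPv4 address: one A record per address (keeps the whole
#    set instead of only the first, but it still goes stale when the load
#    balancer changes its addresses)
#  - first line is a hostname: the name is a CNAME chain, so emit a single
#    CNAME to that hostname and let the resolver follow it at query time
wildcard_records() {
    domain=$1
    dig_output=$2
    first=$(printf '%s\n' "$dig_output" | sed -n '1p')
    if [ -z "$first" ]; then
        printf 'error: %s did not resolve\n' "$domain" >&2
        return 1
    fi
    if is_ipv4 "$first"; then
        printf '%s\n' "$dig_output" | while IFS= read -r ip; do
            is_ipv4 "$ip" || continue
            printf '*.%s. IN A %s\n' "$domain" "$ip"
        done
    else
        # dig prints the CNAME target with a trailing dot; normalise to one
        printf '*.%s. IN CNAME %s.\n' "$domain" "${first%.}"
    fi
}
```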
Building the zone file from the DNS_A environment variable seems to fail in the debian image (tag latest) when the container was created by docker compose. When creating a container from the command line, everything works fine; when creating it via docker compose, the hostname -A command here seems to be returning a hostname containing a space (2e520b409724 2e520b409724 in the log below), messing up the zone file syntax.
I don't have any explanation for why hostname would return different things depending on whether the container was created by compose or not, or why this problem only occurs for debian and not for alpine. Switching to the alpine tag worked as a workaround for me.
dns_1 | [ERR] Configuration failed.
dns_1 | dns_rdata_fromtext: /etc/bind/custom/zone/rpz:2: near 'admin.2e520b409724': not a valid number
dns_1 | dns_rdata_fromtext: /etc/bind/custom/zone/rpz:11: near '2e520b409724.': extra input text
dns_1 | zone rpz/IN: loading from master file /etc/bind/custom/zone/rpz failed: not a valid number
dns_1 | zone rpz/IN: not loaded due to errors.
dns_1 |
dns_1 | --------------------------------------------------------------------------------
dns_1 | /etc/bind/custom/conf/rpz.conf
dns_1 | --------------------------------------------------------------------------------
dns_1 | zone "rpz" IN {
dns_1 | type master;
dns_1 | allow-transfer { any; };
dns_1 | allow-update { any; };
dns_1 | file "/etc/bind/custom/zone/rpz";
dns_1 | };
dns_1 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
dns_1 |
dns_1 | --------------------------------------------------------------------------------
dns_1 | /etc/bind/custom/zone/rpz
dns_1 | --------------------------------------------------------------------------------
dns_1 | $TTL 3600
dns_1 | @ IN SOA 2e520b409724 2e520b409724. admin.2e520b409724 2e520b409724. (
dns_1 | 1654539831 ; Serial number
dns_1 | 1200 ; Refresh time
dns_1 | 180 ; Retry time
dns_1 | 1209600 ; Expiry time
dns_1 | 10800 ; Negative Cache TTL
dns_1 | )
dns_1 |
dns_1 | ; NS Records
dns_1 | IN NS 2e520b409724 2e520b409724.
dns_1 |
dns_1 | ; Custom Records
dns_1 | <domain> IN A <ip>
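How a zone generator can tolerate a multi-name hostname string like the one in the log above, as an added example that is not the project's entrypoint code (the SOA timer values are those shown in the log):

```shell
# Added example, not from docker-bind: build the SOA/NS header of the rpz zone
# from a raw hostname string, keeping only the first of several
# space-separated names (the cause of the "not a valid number" and
# "extra input text" errors above).

# zone_owner_name RAW_HOSTNAME -> first name only, with exactly one trailing dot
zone_owner_name() {
    set -f                      # no glob expansion while word-splitting
    set -- $1                   # unquoted on purpose: splits on whitespace
    set +f
    name=${1%.}
    if [ -z "$name" ]; then
        echo 'error: empty hostname' >&2
        return 1
    fi
    printf '%s.\n' "$name"
}

# rpz_zone_header RAW_HOSTNAME SERIAL -> the $TTL, SOA and NS lines of the zone
rpz_zone_header() {
    owner=$(zone_owner_name "$1") || return 1
    printf '$TTL 3600\n'
    printf '@ IN SOA %s admin.%s (\n' "$owner" "$owner"
    printf '    %s ; Serial number\n' "$2"
    printf '    1200 ; Refresh time\n'
    printf '    180 ; Retry time\n'
    printf '    1209600 ; Expiry time\n'
    printf '    10800 ; Negative Cache TTL\n'
    printf ')\n'
    printf '; NS Records\n'
    printf '    IN NS %s\n' "$owner"
}
```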
First of all, awesome quality image; very well done!
I was wondering how to disable recursion? The docs say it's disabled by default but it is still resolving?
docker run --rm -ti \
  -p 5553:53/tcp \
  -p 5553:53/udp \
  -e DNS_A='test.domain=1.2.3.4' \
  -t cytopia/bind
dig @127.0.0.1 -p 5553 test.domain
; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 test.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.domain. IN A
;; ANSWER SECTION:
test.domain. 5 IN A 1.2.3.4
dig @127.0.0.1 -p 5553 google.com
; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 142.251.39.110
Following the readme, I try to resolve two hosts like below:
docker service create \
--name bind-dns \
-p 53:53/tcp \
-p 53:53/udp \
-e EXTRA_HOSTS='hetzner1=10.8.0.5=hetzner1,hetzner2=10.8.0.9=hetzner2' \
cytopia/bind
and I get the following log with an error, and the docker service fails:
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Debug level: 1
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Using default DNS TTL time: 3600 sec
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Using default DNS Refresh time: 1200 sec
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Using default DNS Retry time: 180 sec
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Using default DNS Expiry time: 1209600 sec
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Using default DNS Max Cache time: 10800 sec
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Adding extra host: hetzner1 -> 10.8.0.5 (PTR: hetzner1)
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Adding extra host: hetzner2 -> 10.8.0.9 (PTR: hetzner2)
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] DNSSEC Validation: no
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Adding custom DNS forwarder: 8.8.8.8,8.8.4.4
bind-dns.1.8wkm3glijglg@kimsufi1 | [INFO] Starting BIND 9.11.4
bind-dns.1.8wkm3glijglg@kimsufi1 | /etc/bind/devilbox-extra_hosts.hetzner2.conf:7: zone '0.8.10.in-addr.arpa': already exists previous definition: /etc/bind/devilbox-extra_hosts.hetzner1.conf:7
Everything is working fine with only one specified host.
If I try to define EXTRA_HOSTS twice, the last one wins.
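One way to generate reverse records that avoids the duplicate-zone error above, as an added example (not docker-bind's entrypoint logic): group PTR records by reverse zone so hosts in the same /24 share one 0.8.10.in-addr.arpa zone. It handles IPv4 /24 reverse zones only, as in the log.

```shell
# Added example, not from docker-bind: parse EXTRA_HOSTS (name=ip[=ptr],...)
# and emit one block per reverse zone holding all of its PTR records, instead
# of one zone definition per host that then collides with the next.

# reverse_zone IPV4 -> /24 reverse zone, e.g. 10.8.0.5 -> 0.8.10.in-addr.arpa
reverse_zone() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        printf '%s.%s.%s.in-addr.arpa\n' "$c" "$b" "$a"
    }
}

# ptr_records EXTRA_HOSTS -> "<reverse-zone> <last-octet> <ptr-name>" per host,
# sorted so that records of the same zone are adjacent. The PTR name defaults
# to the host name when the third field is absent.
ptr_records() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS='=' read -r name ip ptr; do
        [ -n "$ip" ] || continue
        [ -n "$ptr" ] || ptr=$name
        printf '%s %s %s\n' "$(reverse_zone "$ip")" "${ip##*.}" "$ptr"
    done | LC_ALL=C sort
}

# reverse_zones EXTRA_HOSTS -> one "; zone <name>" block per reverse zone
reverse_zones() {
    current=
    ptr_records "$1" | while read -r zone octet ptr; do
        if [ "$zone" != "$current" ]; then
            [ -z "$current" ] || printf '\n'
            printf '; zone %s\n' "$zone"
            current=$zone
        fi
        printf '%s IN PTR %s.\n' "$octet" "$ptr"
    done
}
```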
I am getting the following error when running the container:
$ docker-compose up
Creating network "docker-bind_default" with the default driver
Creating docker-bind_bind_1 ... done
Attaching to docker-bind_bind_1
bind_1 | [INFO] Debug level: 1
bind_1 | [INFO] Using default DNS TTL time: 3600 sec
bind_1 | [INFO] Using default DNS Refresh time: 1200 sec
bind_1 | [INFO] Using default DNS Retry time: 180 sec
bind_1 | [INFO] Using default DNS Expiry time: 1209600 sec
bind_1 | [INFO] Using default DNS Max Cache time: 10800 sec
bind_1 | xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option
docker-bind_bind_1 exited with code 1
I used the following docker-compose.yml to run it:
version: '2'
services:
  bind:
    build: .
    restart: always
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    environment:
      - WILDCARD_DNS='loc=192.168.1.103'
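The xargs error above comes from the quotes in the compose list item being passed through literally. As an added example (not docker-bind's own parsing code), a parser that rejects such values with a readable message before they reach xargs:

```shell
# Added example, not from docker-bind: parse a "domain=ip,domain=ip" value
# such as WILDCARD_DNS and fail early when it still carries quote characters.
#   - WILDCARD_DNS='loc=192.168.1.103'   # quotes are part of the value -> breaks
#   - WILDCARD_DNS=loc=192.168.1.103     # correct form for a compose env list item

# wildcard_dns_entries VALUE -> prints "<domain> <ip>" per entry, 1 on bad input
wildcard_dns_entries() {
    value=$1
    case $value in
        *\'*|*\"*)
            printf 'error: value contains quote characters: %s\n' "$value" >&2
            printf 'hint: write it as WILDCARD_DNS=%s\n' \
                "$(printf '%s' "$value" | tr -d "'\"")" >&2
            return 1 ;;
    esac
    printf '%s\n' "$value" | tr ',' '\n' | while IFS='=' read -r domain ip rest; do
        if [ -z "$domain" ] || [ -z "$ip" ] || [ -n "$rest" ]; then
            printf 'error: malformed entry "%s"\n' "${domain}=${ip}" >&2
            exit 1   # exits the pipeline subshell; the function returns 1
        fi
        printf '%s %s\n' "$domain" "$ip"
    done
}
```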
Hello
The way the WILDCARD_DNS parameter is used, we cannot use it without having to map the domain as well,
and using something like *.DOMAIN.com is not supported by the system.
How would I let domain.com be handled by normal DNS (8.8.8.8 for example) and all its subdomains be handled by bind?
Thanks
I need to use xdebug to debug something in php. Normally you can use the special DNS name 'host.docker.internal' from docker to connect xdebug to the host system. But when cytopia/bind is active xdebug can't establish a connection. If I disable cytopia/bind, it's working. Is there something I need to configure to make this work while cytopia/bind is active?
Different environment configurations.
Make xdebug work.
For some reason, my container keeps crashing/restarting, but I'm not sure what error exactly is causing this behavior.
I'm using v0.27 of this container with devilbox if that helps.
Here's the logs: https://pastebin.com/cWLZL4r2
Would love to see an environment variable to initialize statistics-channels
I tried adding a CNAME to EXTRA_HOSTS and it bombs with...
Invalid IP address 'internal-foo-bar-baz-1234567890.us-east-1.elb.amazonaws.com': for sandbox.example.com -> internal-foo-bar-baz-1234567890.us-east-1.elb.amazonaws.com. Skipping to add extra host
Based on the error message, maybe the is_cname check isn't picking this up properly?
Hi,
I just updated to use the 0.16 docker image from 0.15, but was getting errors like this on any DNS forwarded queries:
bind9 | 10-Jun-2019 11:36:29.603 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query: www.reddit.com IN A +E(0) (172.19.0.2)
bind9 | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query (cache) 'www.reddit.com/A/IN' denied
bind9 | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query failed (REFUSED) for www.reddit.com/IN/A at ../../../bin/named/query.c:7145
The extra hosts and wildcard queries work fine, but all forwarded queries get that error.
I had to roll back to 0.15, where everything works fine.
My config looks like this:
version: '2.1'
services:
  bind:
    image: cytopia/bind:0.15
    container_name: bind9
    restart: unless-stopped
    environment:
      - TZ=Europe/Oslo
      - WILDCARD_DNS=anon.xyz=192.168.1.5
      - EXTRA_HOSTS=sheets.anon.xyz=anon.github.io
      - DNS_FORWARDER=208.67.222.222,208.67.220.220,192.168.1.1,8.8.8.8
      - DOCKER_LOGS=1
      - TTL_TIME=300
    ports:
      - "53:53"
      - "53:53/udp"
Hello,
I am working with https://github.com/cytopia/devilbox and had everything working yesterday.
I can't find anything in today's update that could have caused this, but the bind container is giving back DNSSEC errors whenever I have a dns forwarder set:
Apr 20 19:21:03 00015d8a4ceb named[1]: broken trust chain resolving 'google.com/A/IN': 192.168.1.10#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 192.168.1.11#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
I have gone into the container and turned off DNSSEC verification, and that seems to make it work:
docker-bind/scripts/docker-entrypoint.sh, line 188 in 1c1b3c7: echo " dnssec-validation off;"
If you know of anything that may have changed, that would be helpful.
Or if we could add an ENV variable to turn off DNSSEC validation?
Do you have any other ideas on how this could be resolved?
Thanks!
I would like to use docker-bind as a caching, forwarding only dns server.
Would it be possible to add an option to add "forward only;" to named.conf.options ?
Hi,
I am wondering if there is any way update_policy can be added to the generated named conf file?
https://certbot-dns-rfc2136.readthedocs.io/en/stable/#sample-bind-configuration - I want to try and generate certs for a bind zone. I can generate a key via
tsig-keygen -a hmac-sha512 keyname > /etc/bind/tsig.key
However, I can't figure out how I can add an update policy to the generated conf file.
Thank you
When querying a domain, a timeout happens.
nslookup cas.wow.cn 10.2.10.147
;; connection timed out; no servers could be reached
Querying the DNS server should return the domain's IP address.
cytopia/bind
In a private Harbor repository. Start a docker container on CentOS 7:
docker run --restart=always -d -p 53:53/tcp -p 53:53/udp -e DNS_A='*.wow.cn=10.2.10.125' -e DOCKER_LOGS=1 -e ALLOW_QUERY=any -t harbor.xxx.com/cytopia/bind
Query the DNS server IP:
nslookup cas.wow.cn 10.2.10.147
;; connection timed out; no servers could be reached
Linux
amd64
No, SELinux is disabled
20.10.22
/etc/bind/custom/zone/rpz
--------------------------------------------------------------------------------
$TTL 3600
@ IN SOA 090be6331014. admin.090be6331014. (
1673478408 ; Serial number
1200 ; Refresh time
180 ; Retry time
1209600 ; Expiry time
10800 ; Negative Cache TTL
)
; NS Records
IN NS 090be6331014.
; Custom Records
*.wow.cn IN A 10.2.10.125
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INFO] Starting BIND 9.16.33
11-Jan-2023 23:06:48.275 managed-keys-zone: loaded serial 0
11-Jan-2023 23:06:48.276 zone 0.in-addr.arpa/IN: loaded serial 1
11-Jan-2023 23:06:48.278 zone rpz/IN: loaded serial 1673478408
11-Jan-2023 23:06:48.278 rpz: rpz: reload start
11-Jan-2023 23:06:48.278 rpz: rpz: reload done
11-Jan-2023 23:06:48.281 zone localhost/IN: loaded serial 2
11-Jan-2023 23:06:48.281 zone 127.in-addr.arpa/IN: loaded serial 1
11-Jan-2023 23:06:48.282 zone 255.in-addr.arpa/IN: loaded serial 1
11-Jan-2023 23:06:48.283 all zones loaded
11-Jan-2023 23:06:48.283 running
12-Jan-2023 03:22:55.017 client @0x7f7888850f70 172.17.0.1#57150 (225.8.2.10.in-addr.arpa): query: 225.8.2.10.in-addr.arpa IN PTR + (172.17.0.2)
12-Jan-2023 03:25:02.049 client @0x7f7888850f70 10.2.10.147#58112 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)
12-Jan-2023 03:25:07.049 client @0x7f7888864730 10.2.10.147#58112 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)
12-Jan-2023 03:25:12.049 client @0x7f7888864730 10.2.10.147#58112 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)
12-Jan-2023 03:25:12.050 resolver priming query complete
12-Jan-2023 03:25:22.051 resolver priming query complete
12-Jan-2023 03:25:22.051 client @0x7f7888850f70 10.2.10.147#58112 (cas.wow.cn): query failed (timed out) for cas.wow.cn/IN/A at query.c:7375
12-Jan-2023 03:26:58.518 client @0x7f788000c090 172.17.0.1#47826 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)