
docker-bind's People

Contributors

atomicbaum1, cytopia, dependabot[bot], dvlbot, ericp-mrel, zighy

docker-bind's Issues

More flexible CNAME/IP support for WILDCARD_DNS and EXTRA_HOSTS

Today a CNAME/IP specified for EXTRA_HOSTS/WILDCARD_DNS is assumed to be resolved to a single IP using dig @8.8.8.8 +short "${my_add}" A.

Imagine use cases:

  • A DNS entry pointing to an Elastic Load Balancer, e.g. using a Route53 A entry with an Alias:
    example.com -> <elb_id>.<aws_region>.elb.amazonaws.com.

    $ dig @8.8.8.8 +short example.com A
    54.XX.XX.XX
    3.XX.XX.XX

  • A CNAME entry pointing to an Alias A entry in Route53:
    example1.com -> example.com -> <elb_id>.<aws_region>.elb.amazonaws.com.

    $ dig @8.8.8.8 +short example1.com A
    example.com
    54.XX.XX.XX
    3.XX.XX.XX

The IP set behind the load balancer is dynamic and might change a couple of times a day, thus it doesn't make sense to create a zone with IPs which can become stale at any time.

Suggestion:
For WILDCARD_DNS and EXTRA_HOSTS entries specified as a CNAME that do not resolve to a single IP, create a CNAME zone instead:

$TTL  3600
@      IN SOA  example.com. root.example.com. (
 ...
;
      IN NS     example1.com.
*     IN CNAME  example1.com.

Building zone files fails for the debian image in docker compose

Building the zone file from the DNS_A environment variable seems to fail in the debian image (tag latest) when the container was created by docker compose. When creating a container from the command line, everything works fine; when creating it via docker compose, the hostname -A command here seems to be returning a hostname containing a space (2e520b409724 2e520b409724 in the log below), messing up the zone file syntax.

I don't have any explanation for why hostname would return different things depending on whether the container was created by compose or not, or why this problem only occurs for debian and not for alpine. Switching to the alpine tag worked as a workaround for me.

dns_1  | [ERR]  Configuration failed.
dns_1  | dns_rdata_fromtext: /etc/bind/custom/zone/rpz:2: near 'admin.2e520b409724': not a valid number
dns_1  | dns_rdata_fromtext: /etc/bind/custom/zone/rpz:11: near '2e520b409724.': extra input text
dns_1  | zone rpz/IN: loading from master file /etc/bind/custom/zone/rpz failed: not a valid number
dns_1  | zone rpz/IN: not loaded due to errors.
dns_1  |
dns_1  | --------------------------------------------------------------------------------
dns_1  | /etc/bind/custom/conf/rpz.conf
dns_1  | --------------------------------------------------------------------------------
dns_1  | zone "rpz" IN {
dns_1  |     type master;
dns_1  |     allow-transfer { any; };
dns_1  |     allow-update { any; };
dns_1  |     file "/etc/bind/custom/zone/rpz";
dns_1  | };
dns_1  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
dns_1  |
dns_1  | --------------------------------------------------------------------------------
dns_1  | /etc/bind/custom/zone/rpz
dns_1  | --------------------------------------------------------------------------------
dns_1  | $TTL 3600
dns_1  | @                               IN   SOA     2e520b409724 2e520b409724. admin.2e520b409724 2e520b409724. (
dns_1  |                                              1654539831     ; Serial number
dns_1  |                                              1200           ; Refresh time
dns_1  |                                              180            ; Retry time
dns_1  |                                              1209600        ; Expiry time
dns_1  |                                              10800          ; Negative Cache TTL
dns_1  | )
dns_1  |
dns_1  | ; NS Records
dns_1  |                                 IN   NS      2e520b409724 2e520b409724.
dns_1  |
dns_1  | ; Custom Records
dns_1  | <domain>               IN   A       <ip>
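An added example, not docker-bind's entrypoint code, showing the defensive handling the report points at: `hostname -A` may return several names, so only the first token is used and validated as a hostname before it is rendered into the SOA and NS records. The function names, the `admin.` contact and the timer values mirror the zone shown above but are assumptions.

```shell
# Added example (not docker-bind's entrypoint code): derive the zone origin
# from `hostname -A` output defensively. In the report the command returned
# two names separated by a space and the raw string ended up inside the SOA
# and NS records. Here only the first token is used, and it is validated as
# a hostname before anything is rendered.
origin_from_hostnames() {
    # $1: raw `hostname -A` output (may hold several names and trailing blanks)
    set -- $1                      # word-split: keep the first name only
    first="${1%.}"                 # drop a trailing dot; one is appended later
    case "$first" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*|-*) return 1 ;;   # reject malformed labels
    esac
    printf '%s\n' "$first"
}

render_zone_header() {
    # $1: validated origin, $2: serial number
    printf '$TTL 3600\n'
    printf '@\tIN\tSOA\t%s. admin.%s. (\n' "$1" "$1"
    printf '\t%s\t; Serial number\n' "$2"
    printf '\t1200\t; Refresh time\n'
    printf '\t180\t; Retry time\n'
    printf '\t1209600\t; Expiry time\n'
    printf '\t10800\t; Negative Cache TTL\n'
    printf ')\n'
    printf '\tIN\tNS\t%s.\n' "$1"
}

# Constructed input reproducing the reported `hostname -A` output.
reported='2e520b409724 2e520b409724 '
if origin=$(origin_from_hostnames "$reported"); then
    render_zone_header "$origin" 1654539831
else
    echo "refusing to build a zone from hostname '$reported'" >&2
fi
```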

Completely disable recursion

First of all, awesome quality image; very well done!

I was wondering how to disable recursion? The docs say it's disabled by default, but it is still resolving?

docker run --rm -ti \
-p 5553:53/tcp \
-p 5553:53/udp \
-e DNS_A='test.domain=1.2.3.4' \
-t cytopia/bind

dig @127.0.0.1 -p 5553 test.domain

; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 test.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.domain. IN A

;; ANSWER SECTION:
test.domain. 5 IN A 1.2.3.4

dig @127.0.0.1 -p 5553 google.com

; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 142.251.39.110
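An added example, not part of docker-bind, that parses the header of a dig response like the ones above and reports whether the server answered recursively: the `ra` flag set, no `aa` flag, and records returned for a name the container is not authoritative for. The two sample responses are constructed to match the report; the function names are assumptions.

```shell
# Added example (not part of docker-bind): inspect a dig response header to
# tell whether the server advertises recursion ('ra' flag) and answered a
# name it is not authoritative for (no 'aa' flag). Both together mean the
# container acts as a resolver for whoever can reach its port 53.
dig_flags() {
    # $1: dig output; prints the flag names from the ';; flags:' line
    printf '%s\n' "$1" | sed -n 's/^;; flags:\([a-z ]*\);.*/\1/p'
}

dig_answer_count() {
    # $1: dig output; prints the ANSWER count from the ';; flags:' line
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

has_flag() {
    # $1: dig output, $2: flag name (qr, aa, rd, ra, ...)
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the answer was recursive: 'ra' set, 'aa' clear, records returned.
is_recursive_answer() {
    n=$(dig_answer_count "$1")
    has_flag "$1" ra && ! has_flag "$1" aa && [ "${n:-0}" -gt 0 ]
}

# Constructed sample mirroring the google.com query in the report.
sample_open=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
google.com. 300 IN A 142.251.39.110'

# Constructed sample of what a server with recursion disabled returns instead.
sample_closed=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51125
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if is_recursive_answer "$sample_open"; then
    echo "server resolved an external name recursively"
fi
```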

problem with reverse resolution and multiple EXTRA_HOSTS

Following the README, I try to resolve two hosts like below:

docker service create \
  --name bind-dns \
  -p 53:53/tcp \
  -p 53:53/udp \
  -e EXTRA_HOSTS='hetzner1=10.8.0.5=hetzner1,hetzner2=10.8.0.9=hetzner2' \
  cytopia/bind

and I get the following log with an error (the docker service fails):

bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Debug level: 1
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Using default DNS TTL time: 3600 sec
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Using default DNS Refresh time: 1200 sec
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Using default DNS Retry time: 180 sec
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Using default DNS Expiry time: 1209600 sec
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Using default DNS Max Cache time: 10800 sec
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Adding extra host: hetzner1 -> 10.8.0.5 (PTR: hetzner1)
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Adding extra host: hetzner2 -> 10.8.0.9 (PTR: hetzner2)
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] DNSSEC Validation: no
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Adding custom DNS forwarder: 8.8.8.8,8.8.4.4
bind-dns.1.8wkm3glijglg@kimsufi1    | [INFO] Starting BIND 9.11.4
bind-dns.1.8wkm3glijglg@kimsufi1    | /etc/bind/devilbox-extra_hosts.hetzner2.conf:7: zone '0.8.10.in-addr.arpa': already exists previous definition: /etc/bind/devilbox-extra_hosts.hetzner1.conf:7

Everything is working fine with only one specified host.
If I try to define EXTRA_HOST twice, the last one wins.
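An added example, not docker-bind's own code, showing how EXTRA_HOSTS entries can be grouped by their /24 reverse zone so that two hosts on 10.8.0.0/24 land in one `0.8.10.in-addr.arpa` zone with two PTR records instead of two conflicting zone definitions. The `name=ip[=ptr]` entry format follows the README; the function names and the `/etc/bind/rev/` file path are assumptions.

```shell
# Added example (not docker-bind's code): build reverse zones for EXTRA_HOSTS
# grouped by /24, so hosts sharing a network go into one zone instead of
# producing a duplicate "zone ... already exists" definition.

# Print "reverse-zone<TAB>last-octet<TAB>ptr-name" for each EXTRA_HOSTS entry.
# Entry format: name=ipv4[=ptr-name]; entries are separated by ','.
extra_hosts_ptrs() {
    entries="$1"
    printf '%s\n' "$entries" | tr ',' '\n' | while IFS='=' read -r name ip ptr; do
        [ -n "$name" ] || continue
        # only dotted-quad IPv4 is handled here; anything else is skipped
        case "$ip" in
            *[!0-9.]*|''|.*|*.|*..*) echo "skipping '$name': invalid IPv4 '$ip'" >&2; continue ;;
        esac
        old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
        if [ $# -ne 4 ] || [ "$1" -gt 255 ] || [ "$2" -gt 255 ] || [ "$3" -gt 255 ] || [ "$4" -gt 255 ]; then
            echo "skipping '$name': invalid IPv4 '$ip'" >&2; continue
        fi
        printf '%s.%s.%s.in-addr.arpa\t%s\t%s\n' "$3" "$2" "$1" "$4" "${ptr:-$name}"
    done
}

# Number of distinct reverse zones, i.e. how many zone {} blocks to emit.
reverse_zone_count() {
    extra_hosts_ptrs "$1" | cut -f1 | sort -u | wc -l | tr -d ' \t'
}

# PTR records belonging to one reverse zone.
reverse_zone_records() {
    # $1: EXTRA_HOSTS string, $2: reverse zone name
    extra_hosts_ptrs "$1" | awk -F'\t' -v z="$2" '$1 == z { printf "%s\tIN\tPTR\t%s.\n", $2, $3 }'
}

# Constructed input taken from the report: two hosts on the same /24.
demo_hosts='hetzner1=10.8.0.5=hetzner1,hetzner2=10.8.0.9=hetzner2'
for zone in $(extra_hosts_ptrs "$demo_hosts" | cut -f1 | sort -u); do
    # the file path is an assumed layout, not docker-bind's
    printf 'zone "%s" { type master; file "/etc/bind/rev/%s"; };\n' "$zone" "$zone"
    reverse_zone_records "$demo_hosts" "$zone"
done
```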

xargs: unmatched single quote

I am getting the following error when running the container:

$ docker-compose up
Creating network "docker-bind_default" with the default driver
Creating docker-bind_bind_1 ... done
Attaching to docker-bind_bind_1
bind_1  | [INFO] Debug level: 1
bind_1  | [INFO] Using default DNS TTL time: 3600 sec
bind_1  | [INFO] Using default DNS Refresh time: 1200 sec
bind_1  | [INFO] Using default DNS Retry time: 180 sec
bind_1  | [INFO] Using default DNS Expiry time: 1209600 sec
bind_1  | [INFO] Using default DNS Max Cache time: 10800 sec
bind_1  | xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option
docker-bind_bind_1 exited with code 1

I used the following docker-compose.yml to run it:

version: '2'

services:
  bind:
    build: .
    restart: always
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    environment:
      - WILDCARD_DNS='loc=192.168.1.103'

Cannot route all subdomains to an IP except the domain itself

Hello
The way the WILDCARD_DNS parameter is used, we cannot use it without having to map the domain as well,
and using something like *.DOMAIN.com is not supported by the system.

How would I have domain.com handled by normal DNS (8.8.8.8 for example) and all its subdomains handled by bind?

Thanks

[Question]: How do I use host.docker.internal while this service is active

Have you already checked elsewhere?

  • I have checked existing issues
  • I have googled already with no luck
  • I have not done any of the above

What is your question?

I need to use xdebug to debug something in php. Normally you can use the special DNS name 'host.docker.internal' from docker to connect xdebug to the host system. But when cytopia/bind is active xdebug can't establish a connection. If I disable cytopia/bind, it's working. Is there something I need to configure to make this work while cytopia/bind is active?

What have you tried already?

Different environment configurations.

What is your goal?

Make xdebug work.

[Feature]: Statistics Channel enable

What is your idea or feature suggestion?

Would love to see an environment variable to initialize statistics-channels

Benefits

No response

Where can we find information about this?

No response

Are you willing to provide a PR to address this?

None

AWS ALB CNAME support

I tried adding a CNAME to EXTRA_HOSTS and it bombs with...

Invalid IP address 'internal-foo-bar-baz-1234567890.us-east-1.elb.amazonaws.com': for sandbox.example.com -> internal-foo-bar-baz-1234567890.us-east-1.elb.amazonaws.com. Skipping to add extra host

Based on the error message, maybe the is_cname isn't picking this up properly?

query failed (REFUSED) with version (tag) 0.16

Hi,
I just updated to use the 0.16 docker image from 0.15, but was getting errors like this on any DNS forwarded queries:

bind9   | 10-Jun-2019 11:36:29.603 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query: www.reddit.com IN A +E(0) (172.19.0.2)
bind9   | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query (cache) 'www.reddit.com/A/IN' denied
bind9   | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query failed (REFUSED) for www.reddit.com/IN/A at ../../../bin/named/query.c:7145

The extra hosts and wildcard queries work fine, but all forwarded queries get that error.
I had to roll back to 0.15, where everything works fine.

My config looks like this:

version: '2.1'
services:
  bind:
    image: cytopia/bind:0.15
    container_name: bind9
    restart: unless-stopped
    environment:
      - TZ=Europe/Oslo
      - WILDCARD_DNS=anon.xyz=192.168.1.5
      - EXTRA_HOSTS=sheets.anon.xyz=anon.github.io
      - DNS_FORWARDER=208.67.222.222,208.67.220.220,192.168.1.1,8.8.8.8
      - DOCKER_LOGS=1
      - TTL_TIME=300
    ports:
      - "53:53"
      - "53:53/udp"

DNSSEC problems with DNS forwarders

Hello,

I am working with https://github.com/cytopia/devilbox and had everything working yesterday.

I can't find anything in today's update that could have caused this, but the bind container is giving back DNSSEC errors whenever I have a dns forwarder set:

Apr 20 19:21:03 00015d8a4ceb named[1]: broken trust chain resolving 'google.com/A/IN': 192.168.1.10#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 192.168.1.11#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found
Apr 20 19:21:03 00015d8a4ceb named[1]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Apr 20 19:21:03 00015d8a4ceb named[1]: validating ./NS: no valid signature found

I have gone into the container, and turned off dnssec verification and that seems to make it work.

echo " dnssec-validation off;"

echo " dnssec-validation auto;"

If you know of anything that may have changed, that would be helpful.

Or if we could add an ENV variable to turn off DNSSEC validation?

Do you have any other ideas on how this could be resolved?

Thanks!

Option for "forward only" ?

I would like to use docker-bind as a caching, forwarding only dns server.

Would it be possible to add an option to add "forward only;" to named.conf.options ?

[Bug]: timeout when run in a network environment without internet

(Optional) Error message

No response

What went wrong?

When querying a domain, a timeout happens.

nslookup cas.wow.cn 10.2.10.147 ;; connection timed out; no servers could be reached

Expected behaviour

Query the DNS server and get the domain's IP address back.

How can we reproduce the bug?

  • the docker image cytopia/bind is in a private Harbor repository
  • the server (10.2.10.147) is in an internal network environment and couldn't reach the internet
  1. start a docker container on CentOS 7
    docker run --restart=always -d -p 53:53/tcp -p 53:53/udp -e DNS_A='*.wow.cn=10.2.10.125' -e DOCKER_LOGS=1 -e ALLOW_QUERY=any -t harbor.xxx.com/cytopia/bind

  2. query the DNS server IP
    nslookup cas.wow.cn 10.2.10.147
    ;; connection timed out; no servers could be reached

Host Operating System

Linux

Host Platform (amd64, arm64, other)

amd64

(Linux only) Is SELinux enabled?

No, SELinux is disabled

Docker version

20.10.22

Log: docker logs

/etc/bind/custom/zone/rpz
--------------------------------------------------------------------------------
$TTL 3600
@                               IN   SOA     090be6331014. admin.090be6331014. (
                                             1673478408     ; Serial number
                                             1200           ; Refresh time
                                             180            ; Retry time
                                             1209600        ; Expiry time
                                             10800          ; Negative Cache TTL
)

; NS Records
                                IN   NS      090be6331014.

; Custom Records
*.wow.cn                     IN   A       10.2.10.125
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[INFO] Starting BIND 9.16.33
11-Jan-2023 23:06:48.275 managed-keys-zone: loaded serial 0
11-Jan-2023 23:06:48.276 zone 0.in-addr.arpa/IN: loaded serial 1
11-Jan-2023 23:06:48.278 zone rpz/IN: loaded serial 1673478408
11-Jan-2023 23:06:48.278 rpz: rpz: reload start
11-Jan-2023 23:06:48.278 rpz: rpz: reload done
11-Jan-2023 23:06:48.281 zone localhost/IN: loaded serial 2
11-Jan-2023 23:06:48.281 zone 127.in-addr.arpa/IN: loaded serial 1
11-Jan-2023 23:06:48.282 zone 255.in-addr.arpa/IN: loaded serial 1
11-Jan-2023 23:06:48.283 all zones loaded
11-Jan-2023 23:06:48.283 running
12-Jan-2023 03:22:55.017 client @0x7f7888850f70 172.17.0.1#57150 (225.8.2.10.in-addr.arpa): query: 225.8.2.10.in-addr.arpa IN PTR + (172.17.0.2)
12-Jan-2023 03:25:02.049 client @0x7f7888850f70 10.2.10.147#58112 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)
12-Jan-2023 03:25:07.049 client @0x7f7888864730 10.2.10.147#58112 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)
12-Jan-2023 03:25:12.049 client @0x7f7888864730 10.2.10.147#58112 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)
12-Jan-2023 03:25:12.050 resolver priming query complete
12-Jan-2023 03:25:22.051 resolver priming query complete
12-Jan-2023 03:25:22.051 client @0x7f7888850f70 10.2.10.147#58112 (cas.wow.cn): query failed (timed out) for cas.wow.cn/IN/A at query.c:7375
12-Jan-2023 03:26:58.518 client @0x7f788000c090 172.17.0.1#47826 (cas.wow.cn): query: cas.wow.cn IN A + (172.17.0.2)

(Optional) Additional information

No response
