Add alpine version for internal DNS

2025-05-02 17:40:52 -04:00 · 2025-05-02 17:40:52 -04:00 · 3e527b1a93
commit 3e527b1a93
parent 83a6f00b7b
4 changed files with 295 additions and 0 deletions
--- a/alpine-etc-bind/named.conf
+++ b/alpine-etc-bind/named.conf
@ -0,0 +1,43 @@
+options {
+    directory "/var/bind";           # Working directory for BIND
+    # pid-file "/var/run/named.pid";   # PID file location, was causing permission errors
+    listen-on { 127.0.0.1; any; };   # Listen on localhost and all interfaces
+    listen-on-v6 { none; };          # Disable IPv6 listening
+    allow-query { any; };            # Allow queries from any client
+    recursion yes;                   # Enable recursive queries
+    forwarders { 8.8.8.8; 8.8.4.4; }; # Forward unresolved queries to Google DNS
+    dnssec-validation no;            # Disable DNSSEC validation
+};
+
+include "/etc/bind/keys/tsig.key";
+
+logging {
+    channel default_log {
+        file "/var/log/named.log";
+        severity info;
+    };
+    category default { default_log; };
+
+    # Add update debugging
+    channel update_debug {
+        file "/var/log/named/update_debug.log" versions 3 size 100m;
+        severity debug;
+        print-category yes;
+        print-severity yes;
+        print-time yes;
+    };
+    category update { update_debug; };
+    category security { update_debug; };
+    category database { update_debug; };
+};
+
+zone "moeny.internal" {
+    type master;
+    file "/etc/bind/zones/moeny.internal";
+    allow-update { key "tsig-internal"; };
+};
+
+zone "." IN {
+    type hint;
+    file "/etc/bind/root.hints";
+};
--- a/alpine-etc-bind/named.conf.authoritative
+++ b/alpine-etc-bind/named.conf.authoritative
@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+        directory "/var/bind";
+
+        // Configure the IPs to listen on here.
+        listen-on { 127.0.0.1; };
+        listen-on-v6 { none; };
+
+        // If you want to allow only specific hosts to use the DNS server:
+        //allow-query {
+        //      127.0.0.1;
+        //};
+
+        // Specify a list of IPs/masks to allow zone transfers to here.
+        //
+        // You can override this on a per-zone basis by specifying this inside a zone
+        // block.
+        //
+        // Warning: Removing this block will cause BIND to revert to its default
+        //          behaviour of allowing zone transfers to any host (!).
+        allow-transfer {
+                none;
+        };
+
+        // If you have problems and are behind a firewall:
+        //query-source address * port 53;
+
+        pid-file "/var/run/named/named.pid";
+
+        // Changing this is NOT RECOMMENDED; see the notes above and in
+        // named.conf.recursive.
+        allow-recursion { none; };
+        recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+//      type master;
+//      file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
--- a/alpine-etc-bind/named.conf.recursive
+++ b/alpine-etc-bind/named.conf.recursive
@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+        directory "/var/bind";
+
+        // Specify a list of CIDR masks which should be allowed to issue recursive
+        // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+        allow-recursion {
+                127.0.0.1/32;
+        };
+
+        // If you want this resolver to itself resolve via means of another recursive
+        // resolver, uncomment this block and specify the IP addresses of the desired
+        // upstream resolvers.
+        //forwarders {
+        //      123.123.123.123;
+        //      123.123.123.123;
+        //};
+
+        // By default the resolver will attempt to perform recursive resolution itself
+        // if the forwarders are unavailable. If you want this resolver to fail outright
+        // if the upstream resolvers are unavailable, uncomment this directive.
+        //forward only;
+
+        // Configure the IPs to listen on here.
+        listen-on { 127.0.0.1; };
+        listen-on-v6 { none; };
+
+        // If you have problems and are behind a firewall:
+        //query-source address * port 53;
+
+        pid-file "/var/run/named/named.pid";
+
+        // Removing this block will cause BIND to revert to its default behaviour
+        // of allowing zone transfers to any host (!). There is no need to allow zone
+        // transfers when operating as a recursive resolver.
+        allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+        type hint;
+        file "named.ca";
+};
+
+zone "localhost" IN {
+        type master;
+        file "pri/localhost.zone";
+        allow-update { none; };
+        notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+        type master;
+        file "pri/127.zone";
+        allow-update { none; };
+        notify no;
+};
--- a/alpine-etc-bind/root.hints
+++ b/alpine-etc-bind/root.hints
@ -0,0 +1,92 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     April 25, 2025
+;       related version of root zone:     2025042501
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+;A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
+;B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+;C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+;D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+;F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+;H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+;I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+;J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+;K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+;L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+;M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file