diff --git a/alpine-etc-bind/named.conf b/alpine-etc-bind/named.conf
new file mode 100644
index 0000000..a7f8c5b
--- /dev/null
+++ b/alpine-etc-bind/named.conf
@@ -0,0 +1,43 @@
+options {
+ directory "/var/bind"; # Working directory for BIND
+ # pid-file "/var/run/named.pid"; # PID file location, was causing permission errors
+ listen-on { 127.0.0.1; any; }; # Listen on localhost and all interfaces
+ listen-on-v6 { none; }; # Disable IPv6 listening
+ allow-query { any; }; # Allow queries from any client
+ recursion yes; # Enable recursive queries
+ forwarders { 8.8.8.8; 8.8.4.4; }; # Forward unresolved queries to Google DNS
+ dnssec-validation no; # Disable DNSSEC validation
+};
+
+include "/etc/bind/keys/tsig.key";
+
+logging {
+ channel default_log {
+ file "/var/log/named.log";
+ severity info;
+ };
+ category default { default_log; };
+
+ # Add update debugging
+ channel update_debug {
+ file "/var/log/named/update_debug.log" versions 3 size 100m;
+ severity debug;
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ };
+ category update { update_debug; };
+ category security { update_debug; };
+ category database { update_debug; };
+};
+
+zone "moeny.internal" {
+ type master;
+ file "/etc/bind/zones/moeny.internal";
+ allow-update { key "tsig-internal"; };
+};
+
+zone "." IN {
+ type hint;
+ file "/etc/bind/root.hints";
+};
\ No newline at end of file
diff --git a/alpine-etc-bind/named.conf.authoritative b/alpine-etc-bind/named.conf.authoritative
new file mode 100644
index 0000000..7e0ce39
--- /dev/null
+++ b/alpine-etc-bind/named.conf.authoritative
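Review bot: The `options` block of named.conf combines `listen-on { 127.0.0.1; any; }`, `allow-query { any; }` and `recursion yes;` with no `allow-recursion`, `allow-query-cache` or `allow-transfer`, which makes this instance an open recursive resolver on every interface the container exposes, and (on BIND versions where the default `allow-transfer` is still `any`, as the sibling named.conf.authoritative warns) lets any client AXFR the `moeny.internal` zone. This is precisely the setup the repository's own named.conf.recursive header warns against because of reflected-DDoS abuse; unless the container network is known to be unreachable from untrusted hosts, add `allow-recursion { 127.0.0.1; <trusted-nets>; };`, `allow-query-cache { 127.0.0.1; <trusted-nets>; };` and `allow-transfer { none; };`, or narrow `listen-on` to the intended interface. Separately, `dnssec-validation no;` while forwarding to 8.8.8.8/8.8.4.4 means answers from the upstream are accepted unvalidated; the BIND default `dnssec-validation auto;` is worth restoring unless the reason it was disabled is documented (the unsigned `moeny.internal` zone is served locally and is not affected by validation). The commented-out `pid-file "/var/run/named.pid"` line cites permission errors, which presumably come from writing directly under /var/run; the sibling templates use `pid-file "/var/run/named/named.pid";`, so that path is likely the intended fix rather than dropping the directive.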
@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+ directory "/var/bind";
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you want to allow only specific hosts to use the DNS server:
+ //allow-query {
+ // 127.0.0.1;
+ //};
+
+ // Specify a list of IPs/masks to allow zone transfers to here.
+ //
+ // You can override this on a per-zone basis by specifying this inside a zone
+ // block.
+ //
+ // Warning: Removing this block will cause BIND to revert to its default
+ // behaviour of allowing zone transfers to any host (!).
+ allow-transfer {
+ none;
+ };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Changing this is NOT RECOMMENDED; see the notes above and in
+ // named.conf.recursive.
+ allow-recursion { none; };
+ recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+// type master;
+// file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
\ No newline at end of file
diff --git a/alpine-etc-bind/named.conf.recursive b/alpine-etc-bind/named.conf.recursive
new file mode 100644
index 0000000..45d4c94
--- /dev/null
+++ b/alpine-etc-bind/named.conf.recursive
@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+ directory "/var/bind";
+
+ // Specify a list of CIDR masks which should be allowed to issue recursive
+ // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+ allow-recursion {
+ 127.0.0.1/32;
+ };
+
+ // If you want this resolver to itself resolve via means of another recursive
+ // resolver, uncomment this block and specify the IP addresses of the desired
+ // upstream resolvers.
+ //forwarders {
+ // 123.123.123.123;
+ // 123.123.123.123;
+ //};
+
+ // By default the resolver will attempt to perform recursive resolution itself
+ // if the forwarders are unavailable. If you want this resolver to fail outright
+ // if the upstream resolvers are unavailable, uncomment this directive.
+ //forward only;
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Removing this block will cause BIND to revert to its default behaviour
+ // of allowing zone transfers to any host (!). There is no need to allow zone
+ // transfers when operating as a recursive resolver.
+ allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+};
\ No newline at end of file
diff --git a/alpine-etc-bind/root.hints b/alpine-etc-bind/root.hints
new file mode 100644
index 0000000..c1a53fe
--- /dev/null
+++ b/alpine-etc-bind/root.hints
@@ -0,0 +1,92 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: April 25, 2025
+; related version of root zone: 2025042501
+;
+; FORMERLY NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+;A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
+;B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+;C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+;D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+;F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+;H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+;I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+;J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+;K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+;L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+;M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file
\ No newline at end of file