Our local setup for running a recent BIND version via Docker.
Go to file
2023-02-25 19:41:29 -05:00
cache add directories 2023-02-25 15:30:09 -05:00
cfg Add README.md, unit file 2023-02-25 19:30:43 -05:00
log/named add directories 2023-02-25 15:30:09 -05:00
zones remove generated zone data 2023-02-25 15:31:58 -05:00
.gitattributes remove accidental secondary; git-crypt setup 2023-02-24 19:58:57 -05:00
.gitignore comment out "dead" zones; tweaks 2023-02-25 14:48:21 -05:00
docker.named.service Add README.md, unit file 2023-02-25 19:30:43 -05:00
README.md Add README.md, unit file 2023-02-25 19:30:43 -05:00
run_bind_container.sh stop running out of my homedir 2023-02-25 19:41:29 -05:00
run_rndc.sh break up config; add run_rndc.sh 2023-02-24 20:37:14 -05:00
setup.sh add setup.sh 2023-02-25 19:35:27 -05:00

zeke.ecotroph.net DNS service

This repo and directory consists of the revamped DNS service for zeke.ecotroph.net. The goals of this service are:

  1. Host the primary zones we want.
  2. DNSSEC-sign those primary zones, if desired.
  3. Provide local recursive service for the host itself.

Overview

In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This system runs a recent version of BIND 9 via a docker image produced by ISC themselves. We are staring with 9.18.

This docker image imposes a few requirements:

  • Interally, the image runs named as the bind user, (104:105) by default. Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
  • We need some way to ensure that our container is run on system reboots, etc. Here we chose to use systemd to do this, although that is not ideal.
  • Presumably the normal way to do logging for a docker container is to use the standard journal service, however, this image is set up to bind-mount /var/log anyway. On the other hand, the standard command uses the -g flag, which is "debug" mode, and causes all of the logs to go to stderr.
  • We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (-g and -f).

Source

I have this in a local git repository on zeke, however we can see it (sort of) here: https://blacka.com/cgi-bin/gitweb.cgi?p=docker_bind.git;a=tree (athough the viewer here is subject to change, and when that does, the URL will change.)

Design

We have in this repo:

  • named configurations. I've broken this up into sections (options, keys, logging, primary, secondary, etc.), which all just get included in the primary named.conf. It isn't tricky.
  • "keys". Well, mostly TSIG keys. Those are are but are encrypted with git-crypt. With a key that is ... somewhere.
  • zone files. I have all of the zone files we started with, although currently the configuration does not load all of them.
  • A script to launch the container
  • A script to use as the internal "command" (cfg/run.sh) -- it isn't config, but we need to bind-mount it.
  • A helper script to run rndc that just runs that inside the container itself (via a docker exec). You would need to be in the docker group to run it.
  • A helper script to prepare zeke to run this container and properly work, in case we want to do this install again.

Installation

  1. Clone this repo to /etc/bind
  2. Create a user to match the internal user (uid 104): useradd -u 104 -g 105 -M --no-log-init bind
  3. Change the ownership of everything under /etc/bind to the bind user and group: chown -R 104:105 /etc/bind.
  4. Copy the supplied systemd unit file to /etc/systemd/system, and systemctl enable docker.bind.service, then systemctl start docker.bind.service.

Zone Changes

All of our zone files are now in this git repo, so we can just make changes and commit them, assuming you have write access to the local repo, that is. Root certainly does, though. Once you've changed your zone, you could bounce the service via systemctl, or we could use rndc. I've made a little script that will do this with docker exec, /etc/bind/run_rndc.sh. Thus:

cd /etc/bind/zones
vi <zonefile> # remember to update the serial
git commit -a <zonefile>
git push
cd ..
./run_rndc.sh reload <zone>

DNSSEC

More modern BIND releases have changed the configuration for this. Now, how your zone is signed is based on a dnssec-policy block (I've put those in cfg/named.dnssec.conf). Then, in your zone, you add:

  dnssec-policy "simple_alg15";
  inline-signing yes;

in your zone block. After restarting/reconfiguring BIND, it will create a .signed and .signed.jnl file, and start serving a DNSSEC signed version of the zone. It will then take care of resigning activities, key rollovers etc. Although the policy I'm starting with has just a single DNSKEY with an unlimited lifetime.