cytopia / docker-bind

Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]
http://devilbox.org/
MIT License

query failed (REFUSED) with version (tag) 0.16 #19

Closed soofstad closed 2 years ago

soofstad commented 5 years ago

Hi, I just updated to use the 0.16 docker image from 0.15, but was getting errors like this on any DNS-forwarded queries:

bind9   | 10-Jun-2019 11:36:29.603 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query: www.reddit.com IN A +E(0) (172.19.0.2)
bind9   | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query (cache) 'www.reddit.com/A/IN' denied
bind9   | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query failed (REFUSED) for www.reddit.com/IN/A at ../../../bin/named/query.c:7145

The extra hosts and wildcard queries work fine, but all forwarded queries get that error. I had to roll back to 0.15, where everything works fine.

My config looks like this:

version: '2.1'
services:
  bind:
    image: cytopia/bind:0.15
    container_name: bind9
    restart: unless-stopped
    environment:
      - TZ=Europe/Oslo
      - WILDCARD_DNS=anon.xyz=192.168.1.5
      - EXTRA_HOSTS=sheets.anon.xyz=anon.github.io
      - DNS_FORWARDER=208.67.222.222,208.67.220.220,192.168.1.1,8.8.8.8
      - DOCKER_LOGS=1
      - TTL_TIME=300
    ports:
      - "53:53"
      - "53:53/udp"
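As an added example (not code from the issue or the docker-bind project): a small Python checker that parses named's client query-log lines, fed with the three lines quoted above plus one constructed successful lookup of a locally served name. It separates "query (cache) ... denied" (the client failed BIND's allow-query-cache check, whose default follows allow-recursion and otherwise is localnets and localhost) from a blanket allow-query refusal, which would reject every name rather than only the forwarded ones; the sample line for sheets.anon.xyz is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the issue plus one assumed
# successful lookup of a local name. "bind9   | " is docker-compose's prefix.
SAMPLE_LOG = """\
bind9   | 10-Jun-2019 11:36:29.603 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query: www.reddit.com IN A +E(0) (172.19.0.2)
bind9   | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query (cache) 'www.reddit.com/A/IN' denied
bind9   | 10-Jun-2019 11:36:29.604 client @0x7fe3d817f860 192.168.1.10#54157 (www.reddit.com): query failed (REFUSED) for www.reddit.com/IN/A at ../../../bin/named/query.c:7145
bind9   | 10-Jun-2019 11:37:01.120 client @0x7fe3d8180000 192.168.1.10#54158 (sheets.anon.xyz): query: sheets.anon.xyz IN A +E(0) (172.19.0.2)
"""

# named's client log prefix: "client @<ptr> <ip>#<port> (<qname>): <message>"
LINE_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Return (client_ip, qname, message) for a named client-log line, else None."""
    m = LINE_RE.search(line)
    return (m.group("ip"), m.group("qname"), m.group("msg")) if m else None

def summarize(log_text):
    """Per client IP: names queried, names denied from the cache, names REFUSED."""
    stats = defaultdict(lambda: {"queried": set(), "cache_denied": set(), "refused": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a client line (startup banner, zone load, etc.)
        ip, qname, msg = parsed
        if msg.startswith("query: "):
            stats[ip]["queried"].add(qname)
        elif msg.startswith("query (cache) "):      # allow-query-cache / allow-recursion
            stats[ip]["cache_denied"].add(qname)
        elif msg.startswith("query failed (REFUSED)"):
            stats[ip]["refused"].add(qname)
    return dict(stats)

def diagnose(stats):
    """List (client, names denied from cache, names still answered). Denied names
    alongside answered ones point at the cache/recursion ACL, not allow-query,
    which would refuse every name for that client."""
    findings = []
    for ip, s in stats.items():
        if s["cache_denied"]:
            answered = s["queried"] - s["refused"]
            findings.append((ip, sorted(s["cache_denied"]), sorted(answered)))
    return findings
```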
Apple-G commented 5 years ago

You only have to add - ALLOW_QUERY=any:

version: '2.1'
services:
  bind:
    image: cytopia/bind:0.15
    container_name: bind9
    restart: unless-stopped
    environment:
      - TZ=Europe/Oslo
      - WILDCARD_DNS=anon.xyz=192.168.1.5
      - EXTRA_HOSTS=sheets.anon.xyz=anon.github.io
      - DNS_FORWARDER=208.67.222.222,208.67.220.220,192.168.1.1,8.8.8.8
      - DOCKER_LOGS=1
      - TTL_TIME=300
      - ALLOW_QUERY=any
    ports:
      - "53:53"
      - "53:53/udp"
soofstad commented 4 years ago

Thanks for the reply, I will try that. But from the documentation I quote:

ALLOW_QUERY string   Specify a comma separated list of IP addresses with optional CIDR mask to allow queries from a specific IP address or ranges of IP addresses. This allows for control over who is allowed to query the DNS server. If not specified all hosts are allowed to make queries (defaults to any). See BIND QUERIES. Example: ALLOW_QUERY=192.168.1.0/24,127.0.0.1

I read this to mean that any/*/0.0.0.0/0 IP address can query by default, so this should not be needed. Will try adding it regardless :)

soofstad commented 4 years ago

Tried out ALLOW_QUERY=any on the cytopia/bind:0.16 image. Still get the same error.

cytopia commented 2 years ago

@soofstad

Thanks for the issue. I have made a major rewrite which addresses the fix here: https://github.com/cytopia/docker-bind/pull/36

The new command to achieve what you've described above will be:

docker run -it --rm \
  -e DOCKER_LOGS=1 \
  -e DEBUG_ENTRYPOINT=2 \
  -p 5300:53/tcp \
  -p 5300:53/udp \
  -e DNS_A="*.anon.xyz=192.168.1.5" \
  -e DNS_CNAME="sheets.anon.xyz=anon.github.io" \
  -e DNS_FORWARDER="208.67.222.222, 208.67.220.220, 192.168.1.1, 8.8.8.8" \
  -e DOCKER_LOGS=1 \
  -e TTL_TIME=300 \
  cytopia/bind