cytopia / docker-bind

Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]
http://devilbox.org/
MIT License

Completely disable recursion #59

Open jgeusebroek opened 1 year ago

jgeusebroek commented 1 year ago

First of all, awesome quality image; very well done!

I was wondering how to disable recursion? The docs say it's disabled by default but it is still resolving?

docker run --rm -ti \
-p 5553:53/tcp \
-p 5553:53/udp \
-e DNS_A='test.domain=1.2.3.4' \
-t cytopia/bind

dig @127.0.0.1 -p 5553 test.domain

; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 test.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.domain. IN A

;; ANSWER SECTION:
test.domain. 5 IN A 1.2.3.4

dig @127.0.0.1 -p 5553 google.com

; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 142.251.39.110

cytopia commented 1 year ago

@jgeusebroek

Without

When starting this image without ALLOW_RECURSION:

docker run -it --rm \
   -e DEBUG_ENTRYPOINT=2 \
   -e DOCKER_LOGS=1 \
   -p 5553:53/tcp \
   -p 5553:53/udp \
   -e DNS_A='test.domain=1.2.3.4' \
   cytopia/bind

It produces the following in /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    max-cache-size 90%;
    response-policy { zone "rpz"; };
};

With ALLOW_RECURSION

When starting this image with ALLOW_RECURSION:

docker run -it --rm \
   -e DEBUG_ENTRYPOINT=2 \
   -e DOCKER_LOGS=1 \
   -p 5553:53/tcp \
   -p 5553:53/udp \
   -e DNS_A='test.domain=1.2.3.4' \
   -e ALLOW_RECURSION=127.0.0.1 \
   cytopia/bind

It produces the following in /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    max-cache-size 90%;
    response-policy { zone "rpz"; };
    recursion yes;
    allow-recursion {
        127.0.0.1;
    };
};

So the difference is:

+     recursion yes;
+     allow-recursion {
+         127.0.0.1;
+     };

Isn't that the desired behaviour?
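The thread turns on whether the generated named.conf.options actually switches recursion off. The POSIX shell script below is an added example, not code from the docker-bind project or from either commenter. It checks an options file for an explicit `recursion no;`, which is the setting that matters because BIND 9 defaults `recursion` to yes when the option is absent, and it parses the `ra` (recursion available) flag from a dig reply such as the google.com one posted above. The two options files are copies of the text posted in this issue; the third, hardened variant, the non-recursive dig reply and the file names under the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the docker-bind project: decide from a BIND
# named.conf.options file and from a dig reply whether recursion is enabled.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# BIND 9 defaults to "recursion yes;", so a file that merely omits the option
# still leaves recursion enabled. Only an explicit "recursion no;" outside a
# comment disables it. Prints "enabled" or "disabled".
recursion_state() {
  if sed -e 's/#.*//' -e 's,//.*,,' "$1" \
     | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
    echo disabled
  else
    echo enabled
  fi
}

# Runtime view: dig prints "ra" in its flags line when the server advertises
# recursion. Takes a file holding dig output; returns 0 when "ra" is present.
dig_ra_set() {
  flags=$(sed -n 's/^;; flags:\([^;]*\);.*/\1/p' "$1")
  for f in $flags; do
    [ "$f" = ra ] && return 0
  done
  return 1
}

# Query a running server and apply dig_ra_set to the reply. Needs dig and a
# reachable instance, so it is defined here but not executed below.
live_ra_check() {
  dig @"$1" -p "$2" "$3" > "$WORK/live.txt"
  dig_ra_set "$WORK/live.txt"
}

# Options file the maintainer shows when ALLOW_RECURSION is unset (copied
# from the issue).
cat > "$WORK/without.options" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    max-cache-size 90%;
    response-policy { zone "rpz"; };
};
EOF

# Same file with the block added for ALLOW_RECURSION=127.0.0.1 (from the issue).
{ sed '$d' "$WORK/without.options"
  printf '    recursion yes;\n    allow-recursion {\n        127.0.0.1;\n    };\n};\n'
} > "$WORK/with.options"

# Constructed hardened variant: recursion switched off explicitly.
{ sed '$d' "$WORK/without.options"; printf '    recursion no;\n};\n'; } > "$WORK/hardened.options"

# Header lines of the google.com reply posted in the issue ("ra" is set).
cat > "$WORK/dig-recursive.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF

# Constructed reply from an authoritative-only server: "rd" is echoed from
# the query, but "ra" is absent.
cat > "$WORK/dig-nonrecursive.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF

for f in without with hardened; do
  printf '%-9s recursion %s\n' "$f" "$(recursion_state "$WORK/$f.options")"
done
for d in recursive nonrecursive; do
  if dig_ra_set "$WORK/dig-$d.txt"; then s="ra set"; else s="ra not set"; fi
  printf 'dig-%s: %s\n' "$d" "$s"
done
```

Both posted variants report "enabled" and only the hardened file reports "disabled", which matches the `ra` flag the questioner saw in the google.com reply. To check a live container, copy its file out with `docker cp <container>:/etc/bind/named.conf.options .` (container name is a placeholder) and pass it to `recursion_state`, or call `live_ra_check 127.0.0.1 5553 test.domain` on a host that has dig.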