docker-bind
Completely disable recursion
First of all, awesome quality image; very well done!
I was wondering how to disable recursion? The docs say it's disabled by default but it is still resolving?
docker run --rm -ti \
-p 5553:53/tcp \
-p 5553:53/udp \
-e DNS_A='test.domain=1.2.3.4' \
-t cytopia/bind
dig @127.0.0.1 -p 5553 test.domain
; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 test.domain
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.domain. IN A

;; ANSWER SECTION:
test.domain. 5 IN A 1.2.3.4
dig @127.0.0.1 -p 5553 google.com
; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 5553 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 142.251.39.110
@jgeusebroek
Without
When starting this image without ALLOW_RECURSION:
docker run -it --rm \
-e DEBUG_ENTRYPOINT=2 \
-e DOCKER_LOGS=1 \
-p 5553:53/tcp \
-p 5553:53/udp \
-e DNS_A='test.domain=1.2.3.4' \
cytopia/bind
It produces the following in /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
max-cache-size 90%;
response-policy { zone "rpz"; };
};
With ALLOW_RECURSION
When starting this image with ALLOW_RECURSION:
docker run -it --rm \
-e DEBUG_ENTRYPOINT=2 \
-e DOCKER_LOGS=1 \
-p 5553:53/tcp \
-p 5553:53/udp \
-e DNS_A='test.domain=1.2.3.4' \
-e ALLOW_RECURSION=127.0.0.1 \
cytopia/bind
It produces the following in /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
max-cache-size 90%;
response-policy { zone "rpz"; };
recursion yes;
allow-recursion {
127.0.0.1;
};
};
So the difference is:
+ recursion yes;
+ allow-recursion {
+ 127.0.0.1;
+ };
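Review bot: the diff only shows what gets added when ALLOW_RECURSION is set; the "without" case never switches recursion off. That named.conf.options has no `recursion` statement at all, and named's built-in default is `recursion yes;`, with `allow-recursion` falling back to `{ localnets; localhost; };` when neither allow-query-cache nor allow-query is set. That is why the first post's `dig ... google.com` still gets an answer: a query sent to the published port typically reaches named from the Docker bridge gateway address, which sits on the container's own subnet and therefore matches localnets. If recursion is meant to be off by default, the entrypoint would need to emit `recursion no;` whenever ALLOW_RECURSION is unset, instead of relying on the statement's absence.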
Isn't that the desired behaviour?
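The header flags in the two dig runs above are what show whether the server recursed: `ra` means it advertises recursion, and an answer for a name the container was never configured for (google.com) confirms it resolved upstream. As an added example, not code from the docker-bind project, this POSIX sh snippet extracts the status, flags and section counts from a dig reply and classifies it; the function names are my own, and the sample replies are constructed from the google.com output above plus a REFUSED reply of the kind a non-recursing server returns.

```shell
#!/bin/sh
# Classify a dig reply by its header lines. "ra" in the flags line means the
# server advertises recursion; a non-zero ANSWER count for a name it does not
# serve itself confirms it recursed. A server that refuses recursion omits
# "ra" and usually answers REFUSED for such names.

# dig_flags REPLY -> the flag list from the ";; flags:" line
dig_flags() {
  printf '%s\n' "$1" | sed -n 's/^;; flags: *\([^;]*\);.*/\1/p'
}

# dig_field REPLY FIELD -> count for FIELD (ANSWER, AUTHORITY, ...)
dig_field() {
  printf '%s\n' "$1" | sed -n "s/^;; flags:.*$2: *\([0-9]*\).*/\1/p"
}

# dig_status REPLY -> status token (NOERROR, REFUSED, ...)
dig_status() {
  printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: *\([A-Z]*\),.*/\1/p'
}

# classify_reply REPLY -> recursive | refused | no-recursion
classify_reply() {
  flags=$(dig_flags "$1")
  answers=$(dig_field "$1" ANSWER)
  status=$(dig_status "$1")
  case " $flags " in
    *" ra "*) ra=1 ;;
    *) ra=0 ;;
  esac
  if [ "$ra" -eq 1 ] && [ "${answers:-0}" -gt 0 ]; then
    echo recursive
  elif [ "$status" = REFUSED ]; then
    echo refused
  else
    echo no-recursion
  fi
}

# Constructed samples: header lines modelled on the google.com reply in the
# thread, and a REFUSED reply such as a closed resolver returns.
OPEN_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
CLOSED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live use: classify_reply "$(dig @127.0.0.1 -p 5553 google.com)"
```

Run the live form against the container's published port with a name outside DNS_A: "recursive" means the container is answering recursive queries for whoever can reach that port.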