Replace Coredns magic with bind response-policy

Signed-off-by: Knut Ahlers <knut@ahlers.me>

.gitignore

@@ -1,2 +1,3 @@
 blacklist
+blacklist.named
 named.stubs

Corefile

@@ -1,11 +0,0 @@
-. {
-  hosts /etc/bind/blacklist {
-    fallthrough
-  }
-
-  forward . 127.0.0.1:1053
-
-  errors
-
-  log
-}

Dockerfile

@@ -17,9 +17,6 @@ RUN set -ex \
 
 FROM alpine:latest
 
-ENV DNSMASQ_HOSTSFILE=/etc/bind/blacklist \
-    DNSMASQ_POLL=60
-
 LABEL maintainer Knut Ahlers <knut@ahlers.me>
 
 COPY build.sh /usr/local/bin/
@@ -31,12 +28,10 @@ RUN set -ex \
       bind-tools \
  && /usr/local/bin/build.sh
 
-COPY --from=builder /src/named.stubs /etc/bind/
-COPY --from=builder /src/blacklist /etc/bind/
-
-COPY named.conf /etc/bind/
-COPY Corefile /etc/
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY --from=builder /src/named.stubs      /etc/bind/
+COPY --from=builder /src/named.blacklist  /etc/bind/
+COPY                named.conf            /etc/bind/
+COPY                docker-entrypoint.sh  /usr/local/bin/
 
 EXPOSE 53/udp 53
 

Makefile

@@ -1,4 +1,4 @@
 default:
 
 blacklist:
-	bash build_blacklist.sh
+	bash -x build_blacklist.sh

blacklist.local

@@ -1,5 +1,2 @@
-# Server health check address - not to be removed
-0.0.0.0 health.server.test
-
 # Block TAZ
 0.0.0.0 taz.de

blacklist.tpl

@@ -0,0 +1,10 @@
+$TTL 1H
+
+@ SOA LOCALHOST. personal-dns.luzifer.io. (1 1h 15m 30d 2h)
+  NS  LOCALHOST.
+
+; Healthcheck record - don't remove
+health.server.test  A 127.0.1.1
+
+; vim: set ft=bindzone:
+; Blacklist entries

build.sh

@@ -5,17 +5,10 @@ set -euxo pipefail
 apk --no-cache add curl
 
 # Get latest versions of tools using latestver
-#COREDNS_VERSION=$(curl -sSfL 'https://lv.luzifer.io/catalog-api/coredns/latest.txt?p=version')
-COREDNS_VERSION=1.5.2
 DUMB_INIT_VERSION=$(curl -sSfL 'https://lv.luzifer.io/catalog-api/dumb-init/latest.txt?p=version')
-
-[ -z "${COREDNS_VERSION}" ] && { exit 1; }
 [ -z "${DUMB_INIT_VERSION}" ] && { exit 1; }
 
 # Install tools
-curl -sSfL https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz |
-	tar -x -z -C /usr/local/bin
-
 curl -sSfLo /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_amd64
 chmod +x /usr/local/bin/dumb-init
 

build_blacklist.sh

@@ -3,6 +3,13 @@ set -euo pipefail
 
 target=blacklist
 
+function cleanup() {
+	rm -rf \
+		${target} \
+		${target}.tmp
+}
+trap cleanup EXIT
+
 # Download compiled blacklist
 curl -sSfL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '/^(#.*|0.0.0.0.*|)$$/' >${target}
 
@@ -14,3 +21,9 @@ done
 
 # Add local blacklist
 cat blacklist.local >>${target}
+
+# Convert into named response-policy file
+cp blacklist.tpl named.${target}
+awk '/^0.0.0.0/{ printf "%s  CNAME .\n", $2 }' blacklist |
+	grep -v '^0.0.0.0  ' |
+	sort >>named.${target}

docker-entrypoint.sh

@@ -1,8 +1,5 @@
 #!/usr/local/bin/dumb-init /bin/bash
 set -euxo pipefail
 
-# Start bind in background
-named -p 1053 -c /etc/bind/named.conf -g &
-
-# Start coredns to filter blacklist
-coredns -conf /etc/Corefile
+# Start bind
+exec named -c /etc/bind/named.conf -g

named.conf

@@ -4,9 +4,17 @@ options {
   allow-recursion { any; };
   allow-transfer { none; };
 
-  listen-on port 1053 { 127.0.0.1; };
+  listen-on port 53 { any; };
+
+  response-policy { zone "blacklist"; };
 
   pid-file "/var/run/named/named.pid";
 };
 
+zone "blacklist" {
+  type master;
+  file "/etc/bind/named.blacklist";
+  allow-query { none; };
+};
+
 include "/etc/bind/named.stubs";