Initial Commit (#1)

* Added container
* Added continer description
* Added docker to Dependabot
* Added Github Action
* Added Vulnerability Scanning
* Comply with trivy
* Added Kubernetes deployment file

.github/dependabot.yml

@@ -19,3 +19,23 @@ updates:
       separator: '-'
     reviewers:
       - 'aessing'
+
+  # Maintain dependencies for docker images
+  - package-ecosystem: 'docker'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+      time: '06:00'
+      timezone: 'Europe/Berlin'
+    assignees:
+      - 'aessing'
+    commit-message:
+      prefix: 'Docker'
+      include: 'scope'
+    labels:
+      - 'dependencies'
+    open-pull-requests-limit: 10
+    pull-request-branch-name:
+      separator: '-'
+    reviewers:
+      - 'aessing'

.github/workflows/container-build.yml

@@ -0,0 +1,77 @@
+name: Container Build
+
+on:
+  push:
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  IMAGE_NAME: 'aessing/bind'
+
+permissions:
+  packages: write
+
+jobs:
+  build:
+    name: Build container
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set release date
+        run: |
+          echo "RELEASE_DATE=$(date -u '+%Y-%m-%dT%H:%M:%S%z')" >> ${GITHUB_ENV}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # https://github.com/docker/setup-qemu-action
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # https://github.com/docker/login-action
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # https://github.com/docker/metadata-action
+      - name: Set container meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+            ghcr.io/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule,pattern={{date 'YYYYMMDD-HHmmss' tz='UTC'}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      # https://github.com/docker/build-push-action
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64/v8, linux/ppc64le, linux/s390x
+          build-args: BUILD_DATE=${{ env.RELEASE_DATE }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/trivy.yml

@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Trivy vulnerability scan
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ['main']
+  schedule:
+    - cron: '32 5 * * 2'
+
+env:
+  IMAGE_NAME: 'aessing/bind'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Trivy vulnerability scan
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+        with:
+          image-ref: 'docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -0,0 +1,64 @@
+# =============================================================================
+# Dockerfile
+# Bind Name Server Container
+# https://github.com/aessing/bind-container
+# -----------------------------------------------------------------------------
+# Developer.......: Andre Essing (https://github.com/aessing)
+#                                (https://www.linkedin.com/in/aessing/)
+# -----------------------------------------------------------------------------
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# =============================================================================
+
+###############################################################################
+# Get the base Linux image
+FROM alpine:3.18
+
+###############################################################################
+# Set parameters
+ARG BUILD_DATE
+ENV TZ='UTC'
+EXPOSE 53/tcp \
+       53/udp \
+       80/tcp \
+       443/tcp \ 
+       853/tcp
+VOLUME ["/etc/bind", "/var/lib/bind"]
+
+###############################################################################
+# Set some information
+LABEL org.opencontainers.image.created=${BUILD_DATE} \
+      org.opencontainers.image.authors="Andre Essing" \
+      org.opencontainers.image.description="BIND is an open source DNS software system including an authoritative server or a recursive resolver." \
+      org.opencontainers.image.documentation="https://github.com/aessing/bind-container" \
+      org.opencontainers.image.licenses="MIT" \
+      org.opencontainers.image.title="Bind Name Server Container" \
+      org.opencontainers.image.url="https://github.com/aessing/bind-container" \
+      org.opencontainers.image.vendor="Andre Essing"
+
+################################################### ############################
+# Install chronyd and necessary packages
+RUN apk add --update --no-cache bind ca-certificates tzdata \
+    && update-ca-certificates \
+    && cp /usr/share/zoneinfo/${TZ} /etc/localtime \
+    && echo $TZ > /etc/timezone \
+    && mkdir -p /etc/bind /var/cache/bind/run /var/lib/bind/zones
+
+###############################################################################
+# Copy files
+COPY container-files/named.conf /etc/bind/named.conf
+COPY container-files/db.* /var/lib/bind/zones/
+RUN chown -R named:named /etc/bind /var/cache/bind /var/lib/bind \
+    && chmod -R o-rwx /etc/bind /var/cache/bind /var/lib/bind
+
+###############################################################################
+# Healthcheck
+HEALTHCHECK CMD dig +norecurse +short +retry=0 @127.0.0.1 localhost || exit 1
+
+###############################################################################
+# Start chronyd
+CMD [ "/usr/sbin/named", "-u named", "-c /etc/bind/named.conf", "-g"]
+
+###############################################################################
+#EOF

README.md

@@ -1,16 +1,37 @@
-# Project Title
+# Bind Name Server Container
 
-A README file, along with a repository license, contribution guidelines, and a code of conduct, helps you communicate expectations and manage contributions to your project.
+[BIND](https://bind.isc.org/) BIND is an open source DNS software system including an authoritative server or a recursive resolver.
 
-A README is often the first item a visitor will see when visiting your repository. README files typically include information on:
+As the ISC only published a container with BIND9 DNS server for AMD64, this repository builds a Docker container for other architectures / platforms, based on [Alpine Linux](https://www.alpinelinux.org).
 
-- What the project does?
-- Why the project is useful?
-- How can users get started with the project?
-- Where can users get help with your project?
-- Who maintains and contributes to the project?
+### :hammer_and_wrench: Configuration
 
-:exclamation: Please also have a look at the [license](LICENSE) and if the license fits the needs of your project. :exclamation:
+You can mount the following volumes:
+
+| Volume          | Description                                               |
+| --------------- | --------------------------------------------------------- |
+| /etc/bind       | For the server configuration (your named.conf lives here) |
+| /var/cache/bind | This is the working directory                             |
+| /var/lib/bind   | This is the place where the secondary zones are placed    |
+
+You can expose the following ports:
+
+| Port    | Description                                                                                                                                                                                                                                                                          |
+| ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| 53/udp  | The most popular port and protocol of DNS is UDP 53                                                                                                                                                                                                                                  |
+| 53/tcp  | Is used as fallback. Bind9 uses TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet.                                                                                                                     |
+| 443/tcp | If you want to use DNS over HTTPS (DoH), you can expose this port. To get this running, you have to configure it in your named.conf and provide the certificates.                                                                                                                    |
+| 80/tcp  | You can also use DNS over HTTPS (DoH) without certificates over port 80. To get this running, you have to configure it in your named.conf. Please note, that the traffic is not encrypted. This is only for testing purposes, or when you offload the encryption to a reverse proxy. |
+| 853/tcp | If you want to use DNS over TLS (DoT), you can expose this port. To get this running, you have to configure it in your named.conf and provide the certificates.                                                                                                                      |
+
+## :eyeglasses: Documentation
+
+For further information, how to configure Bind9, please visit the [Bind9 documentation](https://bind9.readthedocs.io/en/latest/).
+
+## :rocket: Deployment
+
+I added a Kubernetes deployment file to deploy the container to a Kubernetes cluster. You can find the file in the `kubernetes` folder.
+The deployment.yaml file is just an example and uses Traefik as a reverse proxy. You can and probably have to change the deployment file to your needs.
 
 ---
 

build.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# Script to build the Docker image
+# Bind Name Server Container
+# https://github.com/aessing/bind-container
+# -----------------------------------------------------------------------------
+# Developer.......: Andre Essing (https://github.com/aessing)
+#                                (https://www.linkedin.com/in/aessing/)
+# -----------------------------------------------------------------------------
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# =============================================================================
+
+source vars
+DOCKER=$(which docker)
+BUILD_DATE=$(date -u '+%Y-%m-%dT%H:%M:%S%z')
+
+# build image
+$DOCKER build --pull \
+              --tag ${IMAGE_NAME}:Manual \
+              --build-arg BUILD_DATE=${BUILD_DATE} \
+              .

container-files/db.0

@@ -0,0 +1,15 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL    604800
+@       IN      SOA     localhost. root.localhost. (
+                              1         ; Serial
+                          604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          604800 )       ; Negative Cache TTL
+;
+@       IN      NS      localhost.
+
+; -----------------------------------------------------------------------------
+; EOF

container-files/db.10.in-addr.arpa

@@ -0,0 +1,21 @@
+$ORIGIN 10.in-addr.arpa.
+$TTL    3600
+
+@       IN      SOA     nameserver.example.com. hostmaster.example.com. (
+                      2023070101         ; Serial
+                          604800         ; Refresh
+                           86400         ; Retry
+                         2419200         ; Expire
+                           86400 )       ; Negative Cache TTL
+;
+
+@               3600    IN      NS      ns01.example.com.
+@               3600    IN      NS      ns02.example.com.
+
+0.0.132         3600    IN      PTR     ns01.example.com.
+3.53.10         3600    IN      PTR     ns02.example.com..
+129.31.124      3600    IN      PTR     server01.example.com.
+13.235.221      3600    IN      PTR     server02.example.com.
+
+; -----------------------------------------------------------------------------
+; EOF

container-files/db.127

@@ -0,0 +1,16 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL    604800
+@       IN      SOA     localhost. root.localhost. (
+                              1         ; Serial
+                          604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          604800 )       ; Negative Cache TTL
+;
+@       IN      NS      localhost.
+1.0.0   IN      PTR     localhost.
+
+; -----------------------------------------------------------------------------
+; EOF

container-files/db.255

@@ -0,0 +1,15 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL    604800
+@       IN      SOA     localhost. root.localhost. (
+                              1         ; Serial
+                          604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          604800 )       ; Negative Cache TTL
+;
+@       IN      NS      localhost.
+
+; -----------------------------------------------------------------------------
+; EOF

container-files/db.empty

@@ -0,0 +1,17 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL    86400
+@       IN      SOA     localhost. root.localhost. (
+                              1         ; Serial
+                          604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+;
+@       IN      NS      localhost.
+
+; -----------------------------------------------------------------------------
+; EOF