From a60609600f53321dfe70e6f054a5ce6550001980 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Fri, 27 Sep 2024 07:03:25 +0200
Subject: [PATCH] Allow recursion in dns server
---
 dns/Dockerfile | 3 ++-
 dns/named.conf.local | 1 +
 dns/named.conf.options | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 dns/named.conf.local
 create mode 100644 dns/named.conf.options
diff --git a/dns/Dockerfile b/dns/Dockerfile
index b34d3c6..ba91457 100644
--- a/dns/Dockerfile
+++ b/dns/Dockerfile
@@ -11,7 +11,8 @@ RUN apt-get update && \
 && rm -rf /var/lib/apt/lists/*
 RUN sed 's/include "\/etc\/bind\/named.conf.default-zones";//g' /etc/bind/named.conf
-RUN echo "include \"/etc/dns/master.conf\";" > /etc/bind/named.conf.local
+COPY named.conf.local /etc/bind/named.conf.local
+COPY named.conf.options /etc/bind/named.conf.options
 COPY start.sh /start.sh
 COPY restart-bind /usr/bin
diff --git a/dns/named.conf.local b/dns/named.conf.local
new file mode 100644
index 0000000..726d8d5
--- /dev/null
+++ b/dns/named.conf.local
@@ -0,0 +1 @@
+include "/etc/dns/master.conf";
diff --git a/dns/named.conf.options b/dns/named.conf.options
new file mode 100644
index 0000000..0fed5de
--- /dev/null
+++ b/dns/named.conf.options
@@ -0,0 +1,32 @@
+acl "everybody" {
+ 0.0.0.0/0;
+};
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //====================================================================== ==
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //====================================================================== ==
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+
+ recursion yes;
+ allow-recursion { everybody; };
+ allow-transfer { none; };
+};
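Review bot: `allow-recursion { everybody; };` combined with `acl "everybody" { 0.0.0.0/0; };` makes this an open recursive resolver for every IPv4 client that can reach port 53, which exposes it to abuse as a DNS amplification reflector and widens its cache-poisoning surface. If recursion is only needed by known clients, the ACL should name them, for example `acl "trusted" { localhost; localnets; <INTERNAL_CIDR placeholder>; };` with `allow-recursion { trusted; };`. Whether port 53 is published beyond an internal network is not visible in this patch, so if wide exposure is intended, a comment stating that and a network-level filter in front of the container would help. The ACL also lists no IPv6 range while `listen-on-v6 { any; };` is set, so IPv6 clients would presumably be refused recursion; either add the intended v6 range to the ACL or drop the v6 listener.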