├── README.md
├── assets
│   └── mp-bgp-and-extend-next-hop.png
├── bgp
│   ├── Dockerfile
│   ├── bird.conf
│   ├── bird2-peers
│   │   └── dn42-template.conf.temp
│   ├── crontab.txt
│   ├── enterpoint.sh
│   ├── wg-peers
│   │   └── wg-template.conf.temp
│   └── wg-reresolve-dns.sh
├── bind9
│   ├── Dockerfile
│   ├── dnssec_keys
│   │   └── .gitignore
│   ├── named.conf
│   └── zones
│       ├── 0%2F26.96.22.172.in-addr.arpa.zone
│       ├── e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.zone
│       └── imlk.dn42.zone
└── docker-compose.yml

/README.md:
--------------------------------------------------------------------------------
# 📜dn42-stuffs

This project documents an effort to deploy a dn42 Route Server (and some related services) in docker containers. The purpose is to avoid duplicated configuration by describing every service in `docker-compose.yml`; you can also call it **Infrastructure as Code (IaC)**. It should suit those who want to get in touch with dn42 quickly and those who want to add a Route Server.

# Services

|services|components|status|
|----|----|----|
|bgp|bird2|✔️|
|dns|bind9|✔️|
|bird-lgproxy|xddxdd/bird-lgproxy-go|🚧|
|bird-lg|xddxdd/bird-lg-go|🚧|

# Setup

We recommend using [docker-compose v2](https://docs.docker.com/compose/cli-command/#install-on-linux) to set up the containers.

- Build all containers and docker networks
  ```sh
  docker compose up --build --no-start
  ```
- Start all containers
  ```sh
  docker compose start
  ```
- Show status of containers
  ```sh
  docker compose ps
  ```
- Enter a specific container
  ```sh
  docker compose exec bgp bash
  ```
- Stop and delete all services and docker networks completely
  ```sh
  docker compose down
  ```

# Config

> We only list the minimum configuration needed to make it work.
> For more configuration options, please read the code or the [docker-compose specification](https://docs.docker.com/compose/compose-file/).

1. Configure the `subnet` for `dn42-net` in `docker-compose.yml`

   ```yml
   networks:
     dn42-net:
       driver: bridge
       enable_ipv6: true
       internal: false
       ipam:
         driver: default
         config:
           - subnet:
           - subnet:
   ```
   This is usually the range of dn42 addresses you were assigned. But if you are expanding an existing dn42 network, **make sure that this subnet does not conflict with the rest of your dn42 subnets.**

   > !!! Note that the docker host takes **the first address of the subnet**, so you cannot assign the first IP to any of the containers.

2. For each service, you may want to assign a dn42 IP address to it.

   ```yml
   networks:
     dn42-net:
       ipv4_address: ""
       ipv6_address: ""
   ```

3. You can point the containers' DNS at a server that provides `.dn42` resolution; for example, you can use `172.20.0.53`.

   ```yml
   dns:
     - 172.20.0.53 # widely used dns server in dn42. Or you can change this to your dns service ip address
   ```

4. All containers except the bgp container need routes that forward traffic bound for the dn42 network to the bgp container.

   We provide two environment variables to configure the IP addresses of the dn42 gateway (the bgp container's addresses on `dn42-net`):

   ```yml
   environment:
     - DN42_GATEWAY_V4=
     - DN42_GATEWAY_V6=
   ```

## bgp

1. Edit `bgp/bird.conf`

   You need to edit the config file of bird2, `bgp/bird.conf`, according to the guidance [here](https://dn42.eu/howto/Bird2).

2. For each of your peers, create files in `bgp/bird2-peers` and `bgp/wg-peers`

   Use the `*.temp` templates in those directories as a starting point. bird includes `/etc/bird/peers/*.conf` and the entrypoint brings up `/etc/wireguard/*.conf`, so the real files must end in `.conf`; the templates themselves are never loaded.

3. You need to add a port mapping for each peer in `docker-compose.yml`

   ```yml
   ports:
     - "21742:21742/udp" # imlk
   ```

## dns

This service is both an **authoritative name server** and a **recursive name server**.

> `bind9/named.conf` sets `recursion yes;` with `allow-recursion { any; };`, and `docker-compose.yml` publishes `53:53/udp` on all host interfaces, so as shipped this is an open recursive resolver. If the docker host also has a public address, bind the published port to a dn42 address (`"<dn42-ip>:53:53/udp"`) or restrict `allow-recursion` to your own networks before deploying.

> As an example, I've included my zone configuration (`imlk.dn42.zone`, `0%2F26.96.22.172.in-addr.arpa.zone` and `e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.zone`), **!!! make sure you remove it before you deploy !!!**

1. Edit `bind9/named.conf` to add your zones

   Typically, you will need to add three zones: one for forward name resolution, and two for reverse resolution (PTR records for your IPv4 and IPv6 addresses).

   Also, please put the zone files in the `zones` directory.

2. Set up DNSSEC

   You need to generate a `zone-signing key` and a `key-signing key` for each zone.

   As an example, for the zone `example.dn42`, run the following commands to generate the keys in the `bind9/dnssec_keys` directory.

   ```sh
   cd bind9/dnssec_keys
   # generate zone-signing key
   dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.dn42
   # generate key-signing key
   dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE example.dn42
   ```
   Each run of `dnssec-keygen` generates a pair of files, `.key` and `.private`. Remember to `$INCLUDE` the path of the generated `.key` file in the corresponding `.zone` file. The `.private` files are git-ignored, but `bind9/Dockerfile` still copies the whole `dnssec_keys` directory into the image, so treat the built image as secret material.

   You do not need to sign your zones manually. When you build this service, it automatically generates the `RRSIG` records using `dnssec-signzone`. **It will also print out the `DS` records so you can add them to the dn42/register git repository.** Note that `dnssec-signzone` signs with a 30-day validity by default, so the image has to be rebuilt (which re-signs the zones) before the signatures expire.

# Q&A

- Should I disable my firewall software on the docker host?

  Normally it is not needed. But if you use `firewalld`, you need to set `IPv6_rpfilter=no` to make IPv6 forwarding work properly.

- DNS configuration

  DNS management in docker is rather confusing. In containers on a custom bridge network, the embedded DNS server is used, and there is only one `nameserver 127.0.0.11` in `/etc/resolv.conf`. If you want to change the DNS server used, just add a `dns` entry in `docker-compose.yml`, and docker's embedded DNS server will forward requests to that address.

- Why not use a range mapping instead of a separate port mapping for each peer?

  Maybe you're talking about something like this:
  ```yml
  ports:
    - "20000-29999:20000-29999/udp"
  ```
  However, a large port mapping range costs a lot of memory; it soon ate up all the memory on my host. See [this page](https://forums.docker.com/t/i-have-a-docker-container-that-needs-to-expose-10-000-ports/96048/15).

- `DN42_GATEWAY_V4` and `DN42_GATEWAY_V6` look like ugly scripting, why not use `gateway` in the [IPAM configuration](https://docs.docker.com/compose/compose-file/#ipam)?

  AFAIK, the IPAM `gateway` option is ignored by the current version of docker compose. See [this issue](https://github.com/docker/compose/issues/8742). It seems to be a bug.

  On the other hand, the option does something different from what it looks like: **it only changes the IP address of the host**, while the gateway of the container is still set to the host.

  This is why we need a script to set the gateway in each container.

- What are MP-BGP & extended next hop and when should I use them?
  - Multiprotocol BGP (MP-BGP): lets one BGP session carry routes for more than one address family (IPv4 and IPv6) in parallel.
  - extended next hop: lets an IPv6 address be used as the next hop of an IPv4 route, so IPv4 routes can be exchanged over an IPv6-only (e.g. link-local) tunnel.
  ![](./assets/mp-bgp-and-extend-next-hop.png)
--------------------------------------------------------------------------------
/assets/mp-bgp-and-extend-next-hop.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/imlk0/dn42-stuffs/d4a2756ef48be72020a448ae0db3817cf5ce94d4/assets/mp-bgp-and-extend-next-hop.png
--------------------------------------------------------------------------------
/bgp/Dockerfile:
--------------------------------------------------------------------------------
# NOTE: the base image is unpinned, and the bird2 package below is fetched over plain HTTP
# and installed without verifying a checksum or signature. Pin and verify both before
# relying on this image anywhere that matters.
FROM ubuntu:latest

RUN mkdir -p /tmp && chmod 777 /tmp && mkdir -p /var/cache/apt/archives/partial /var/tmp/ && \
    apt-get update && apt-get install -y apt-utils

RUN apt-get update && \
    apt-get install -y curl cron iptables wireguard-tools iproute2 mtr inetutils-ping dnsutils

RUN apt-get update && \
    apt-get install -y tcpdump iperf3

RUN curl -O http://ftp.us.debian.org/debian/pool/main/b/bird2/bird2_2.0.8-2_amd64.deb && \
    apt-get install -y ./bird2_2.0.8-2_amd64.deb

RUN mkdir -p /etc/bird/peers && mkdir -p /run/bird/ && \
    touch /etc/bird/roa_dn42.conf && touch /etc/bird/roa_dn42_v6.conf

COPY ./wg-reresolve-dns.sh /usr/local/bin/wg-reresolve-dns.sh

COPY ./crontab.txt /crontab.txt
RUN crontab < /crontab.txt

COPY ./enterpoint.sh /enterpoint.sh

CMD ["/enterpoint.sh"]

--------------------------------------------------------------------------------
/bgp/bird.conf:
--------------------------------------------------------------------------------
################################################
#               Variable header                #
################################################

define OWNAS = ;
define OWNIP = ;
define OWNIPv6 = ;
define OWNNET = ;
define OWNNETv6 = ;
define OWNNETSET = [+];
define OWNNETSETv6 = [+];

################################################
#                 Header end                   #
################################################

router id OWNIP;

protocol device {
    scan time 10;
}

/*
 *  Utility functions
 */

function is_self_net() {
  return net ~ OWNNETSET;
}

function is_self_net_v6() {
  return net ~ OWNNETSETv6;
}

function is_valid_network() {
  return net ~ [
    172.20.0.0/14{21,29}, # dn42
    172.20.0.0/24{28,32}, # dn42 Anycast
    172.21.0.0/24{28,32}, # dn42 Anycast
    172.22.0.0/24{28,32}, # dn42 Anycast
    172.23.0.0/24{28,32}, # dn42 Anycast
    172.31.0.0/16+,       # ChaosVPN
    10.100.0.0/14+,       # ChaosVPN
    10.127.0.0/16{16,32}, # neonetwork
    10.0.0.0/8{15,24}     # Freifunk.net
  ];
}

roa4 table dn42_roa;
roa6 table dn42_roa_v6;

protocol static {
    roa4 { table dn42_roa; };
    include "/etc/bird/roa_dn42.conf";
};

protocol static {
    roa6 { table dn42_roa_v6; };
    include "/etc/bird/roa_dn42_v6.conf";
};

function is_valid_network_v6() {
  return net ~ [
    fd00::/8{44,64} # ULA address space as per RFC 4193
  ];
}

protocol kernel {
    scan time 20;

    ipv6 {
        import none;
        export filter {
            if source = RTS_STATIC then reject;
            krt_prefsrc = OWNIPv6;
            accept;
        };
    };
};

protocol kernel {
    scan time 20;

    ipv4 {
        import none;
        export filter {
            if source = RTS_STATIC then reject;
            krt_prefsrc = OWNIP;
            accept;
        };
    };
}

protocol static {
    route OWNNET reject;

    ipv4 {
        import all;
        export none;
    };
}

protocol static {
    route OWNNETv6 reject;

    ipv6 {
        import all;
        export none;
    };
}

template bgp dnpeers {
    local as OWNAS;
    path metric 1;

    ipv4 {
        extended next hop on;

        import filter {
          if is_valid_network() && !is_self_net() then {
            if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
              print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
              reject;
            } else accept;
          } else reject;
        };

        export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
        import limit 1000 action block;
    };

    ipv6 {
        import filter {
          if is_valid_network_v6() && !is_self_net_v6() then {
            if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
              print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
              reject;
            } else accept;
          } else reject;
        };
        export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
        import limit 1000 action block;
    };
}


include "/etc/bird/peers/*.conf";
--------------------------------------------------------------------------------
/bgp/bird2-peers/dn42-template.conf.temp:
--------------------------------------------------------------------------------
# If the peer uses extended next hop, a v4 "protocol bgp" entry can be configured as well; otherwise only the v6 one is needed
# protocol bgp dn42_4242421742_v4 from dnpeers {
#     # Set to my (or your peer's) DN42 IPv4 address and ASN
#     neighbor 172.22.96.2 as 4242421742;
#     direct;
#     # Disable IPv6 route exchange inside the IPv4 BGP session; strongly recommended to keep this
#     ipv6 {
#         import none;
#         export none;
#     };
# };

protocol bgp dn42_4242421742_v6 from dnpeers {
    # Set to my (or your peer's) DN42 IPv6 or link-local IPv6 address, the tunnel interface name, and the ASN
    neighbor fe80::1742 % 'wg-4242421742' as 4242421742;
    direct;
    # Disable IPv4 route exchange inside the IPv6 BGP session
    # If the peer also uses Multiprotocol BGP (MP-BGP), keep the following commented out
    # ipv4 {
    #     import none;
    #     export none;
    # };
};

--------------------------------------------------------------------------------
/bgp/crontab.txt:
--------------------------------------------------------------------------------
*/15 * * * * curl -sfSLR -o/etc/bird/roa_dn42.conf -z/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf && curl -sfSLR -o/etc/bird/roa_dn42_v6.conf -z/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf && /usr/sbin/birdc configure
*/15 * * * * find /etc/wireguard/ -type f -name '*.conf' -exec /usr/local/bin/wg-reresolve-dns.sh {} \;
--------------------------------------------------------------------------------
/bgp/enterpoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -e
set -x

# Bring up every WireGuard-based peer tunnel
if ls /etc/wireguard/*.conf ; then
    for i in /etc/wireguard/*.conf; do wg-quick up "$i"; done
fi

# Fetch bird's ROA files once before starting (cron refreshes them every 15 minutes afterwards)
curl -sfSLR -o/etc/bird/roa_dn42.conf -z/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf && curl -sfSLR -o/etc/bird/roa_dn42_v6.conf -z/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
# Start cron
cron

# Start bird
bird -d
--------------------------------------------------------------------------------
/bgp/wg-peers/wg-template.conf.temp:
--------------------------------------------------------------------------------
[Interface]
PrivateKey =
ListenPort = 21742 # derived from the last 5 digits of the peer's ASN
Table = off # do not add routes automatically; bird manages the routing table
# If using a DN42 IPv4 + DN42 IPv6 address:
# PostUp = /sbin/ip addr add dev %i 172.22.96.2/32 peer /32
# PostUp = /sbin/ip addr add dev %i fd42:d2aa:8a0e::2/128 peer /128
# If using IPv6 link-local:
PostUp = /sbin/ip addr add fe80::1742/64 dev %i

[Peer]
Endpoint = sjc1.us.dn42.imlk.top:21742
PublicKey = 34s2HSa76GP/lfFjZsh0uhJly8rUXWl2JgO47BJsj2Q=
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10
# PersistentKeepalive = 10

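Added example, not code from the dn42-stuffs repository: a generator for the two per-peer files the README's `## bgp` section asks for, following the layout of `dn42-template.conf.temp` and `wg-template.conf.temp` above, plus the `ports` line to paste into `docker-compose.yml`. It rejects up front what `wg-quick` and bird would otherwise fail on at container start (key length, non-link-local neighbour, endpoint syntax) and derives the local `ListenPort` from the last five digits of the peer ASN, as the template comment describes. The interface name `wg-<ASN>`, the protocol name `dn42_<ASN>_v6`, the output file names, our own link-local address `fe80::1` and the all-zero placeholder private key are assumptions of this example; the endpoint, public key and `fe80::1742` come from the repo's templates, with `fe80::1742` taken here as the peer's address.

```python
"""Render bird2 + WireGuard peer files for one dn42 peer (added example, not repo code).
Assumed naming: interface wg-<ASN>, bird protocol dn42_<ASN>_v6, files wg-<ASN>.conf and
dn42_<ASN>.conf. Both repo templates end in .temp, so they are never loaded themselves."""
import base64
import ipaddress
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict

# host:port or [v6]:port, as WireGuard's Endpoint= expects
ENDPOINT_RE = re.compile(r"^(?:[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5})$")
# Constructed all-zero placeholder: valid base64 of 32 bytes, NOT a usable key.
# Replace with the output of `wg genkey` before deploying.
PLACEHOLDER_PRIVATE_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
ALLOWED_IPS = "172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10"  # from wg-template.conf.temp


@dataclass(frozen=True)
class Peer:
    asn: int
    endpoint: str        # peer's WireGuard endpoint, host:port
    public_key: str      # peer's WireGuard public key
    link_local: str      # peer's fe80:: address on the tunnel
    mp_bgp: bool = True  # peer carries IPv4 routes on the IPv6 session (extended next hop)


# Values from the repo's templates (imlk's AS4242421742); fe80::1742 taken as the peer side.
DEMO_PEER = Peer(4242421742, "sjc1.us.dn42.imlk.top:21742",
                 "34s2HSa76GP/lfFjZsh0uhJly8rUXWl2JgO47BJsj2Q=", "fe80::1742")


def valid_wg_key(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes in base64 (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def listen_port(asn: int) -> int:
    """Local ListenPort = last five digits of the peer ASN (template convention),
    e.g. 4242421742 -> 21742. Refuse results that are not usable unprivileged ports."""
    port = asn % 100000
    if not 1024 <= port <= 65535:
        raise ValueError(f"ASN {asn} does not map to a usable port ({port})")
    return port


def validate(peer: Peer, private_key: str) -> None:
    """Fail early on what wg-quick / bird would reject inside the container."""
    if not 0 < peer.asn < 2**32:
        raise ValueError(f"invalid ASN {peer.asn}")
    if not ipaddress.IPv6Address(peer.link_local).is_link_local:
        raise ValueError("peer address must be link-local (fe80::/10)")
    m = ENDPOINT_RE.match(peer.endpoint)
    if not m or not 0 < int(m.group(1)) <= 65535:
        raise ValueError(f"bad endpoint {peer.endpoint!r}")
    if not (valid_wg_key(peer.public_key) and valid_wg_key(private_key)):
        raise ValueError("WireGuard keys must be base64 of 32 bytes")


def render_wg(peer: Peer, my_link_local: str, private_key: str) -> str:
    validate(peer, private_key)
    return (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        f"ListenPort = {listen_port(peer.asn)}\n"
        "Table = off\n"  # bird, not wg-quick, installs routes
        f"PostUp = /sbin/ip addr add {my_link_local}/64 dev %i\n"
        "\n[Peer]\n"
        f"Endpoint = {peer.endpoint}\n"
        f"PublicKey = {peer.public_key}\n"
        f"AllowedIPs = {ALLOWED_IPS}\n"
    )


def render_bird(peer: Peer) -> str:
    """IPv6 session over the link-local address. Without MP-BGP the IPv4 channel is shut,
    mirroring the commented block in dn42-template.conf.temp."""
    body = (
        f"protocol bgp dn42_{peer.asn}_v6 from dnpeers {{\n"
        f"    neighbor {peer.link_local} % 'wg-{peer.asn}' as {peer.asn};\n"
        "    direct;\n"
    )
    if not peer.mp_bgp:
        body += "    ipv4 {\n        import none;\n        export none;\n    };\n"
    return body + "};\n"


def compose_port_line(peer: Peer) -> str:
    port = listen_port(peer.asn)
    return f'      - "{port}:{port}/udp" # AS{peer.asn}'


def write_peer(root: Path, peer: Peer, my_link_local: str, private_key: str) -> Dict[str, str]:
    wg = root / "bgp" / "wg-peers" / f"wg-{peer.asn}.conf"
    bird = root / "bgp" / "bird2-peers" / f"dn42_{peer.asn}.conf"
    for p in (wg, bird):
        p.parent.mkdir(parents=True, exist_ok=True)
    wg.write_text(render_wg(peer, my_link_local, private_key))
    wg.chmod(0o600)  # the file holds the private key
    bird.write_text(render_bird(peer))
    return {"wg": str(wg), "bird": str(bird), "ports": compose_port_line(peer)}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        out = write_peer(Path(d), DEMO_PEER, "fe80::1", PLACEHOLDER_PRIVATE_KEY)
        print(Path(out["wg"]).read_text(), Path(out["bird"]).read_text(), out["ports"], sep="\n")
```

Run it against the repository root instead of a temporary directory to drop the files into `bgp/wg-peers` and `bgp/bird2-peers`; the interface name in the bird `neighbor ... % 'wg-<ASN>'` clause must match the WireGuard file name, which is why both are derived from the same ASN here.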
--------------------------------------------------------------------------------
/bgp/wg-reresolve-dns.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved.

# https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.sh

set -e
shopt -s nocasematch
shopt -s extglob
export LC_ALL=C

CONFIG_FILE="$1"
[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
[[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
INTERFACE="${BASH_REMATCH[1]}"

process_peer() {
    [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
    [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\ ([0-9]+) ]] || return 0
    (( ($(date +%s) - ${BASH_REMATCH[1]}) > 135 )) || return 0
    wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
    reset_peer_section
}

reset_peer_section() {
    PEER_SECTION=0
    PUBLIC_KEY=""
    ENDPOINT=""
}

reset_peer_section
while read -r line || [[ -n $line ]]; do
    stripped="${line%%\#*}"
    key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
    value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
    [[ $key == "["* ]] && { process_peer; reset_peer_section; }
    [[ $key == "[Peer]" ]] && PEER_SECTION=1
    if [[ $PEER_SECTION -eq 1 ]]; then
        case "$key" in
        PublicKey) PUBLIC_KEY="$value"; continue ;;
        Endpoint) ENDPOINT="$value"; continue ;;
        esac
    fi
done < "$CONFIG_FILE"
process_peer
--------------------------------------------------------------------------------
/bind9/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu/bind9:latest

COPY --chown=bind:bind ./named.conf /etc/bind/named.conf
COPY --chown=bind:bind ./zones /etc/bind/zones
# NOTE: this copies the .private key files into the image layer as well (they are only
# git-ignored), so the built image must be treated as secret material.
COPY --chown=bind:bind ./dnssec_keys /etc/bind/dnssec_keys

# Sign the zones at build time; this also derives the DS records from the DNSKEYs
RUN cd /etc/bind/zones && \
    dnssec-signzone -K ../dnssec_keys -o imlk.dn42. ./imlk.dn42.zone && { echo "Generated DS record:"; cat ./dsset-imlk.dn42. ; } && \
    dnssec-signzone -K ../dnssec_keys -o 0/26.96.22.172.in-addr.arpa. ./0%2F26.96.22.172.in-addr.arpa.zone && { echo "Generated DS record:"; cat ./dsset-0%2F26.96.22.172.in-addr.arpa. ; } && \
    dnssec-signzone -K ../dnssec_keys -o e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa. ./e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.zone && { echo "Generated DS record:"; cat ./dsset-e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa. ; }


CMD ["sh", "-c", "\
    # Add the route towards dn42 via the bgp container
    ip r add 172.20.0.0/14 via $DN42_GATEWAY_V4 && \
    ip -6 r del default && ip -6 r add default via $DN42_GATEWAY_V6 && \
    # Start the service
    docker-entrypoint.sh \
"]
--------------------------------------------------------------------------------
/bind9/dnssec_keys/.gitignore:
--------------------------------------------------------------------------------
*.key
*.private
--------------------------------------------------------------------------------
/bind9/named.conf:
--------------------------------------------------------------------------------
options {
    // disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
    empty-zones-enable no;

    // Working directory
    directory "/var/cache/bind";
    // Allow access to cache
    allow-query-cache { any; };
    // Provide recursive service
    // NOTE: with "any" here and 53/udp published on the host (docker-compose.yml), this is
    // an open recursive resolver; restrict it to your own networks if the host is reachable
    // from outside dn42.
    recursion yes;
    allow-recursion { any; };
    listen-on { any; };
    listen-on-v6 { any; };
    // config for forwarding
    forward first;
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    // DNSSEC validation must be disabled for the dn42-related TLDs, since they
    // are not real TLDs and are not signed from the root zone.
    // See: https://dn42.eu/services/dns/Configuration#forwarder-setup_bind
    validate-except {
        "dn42";
        "20.172.in-addr.arpa";
        "21.172.in-addr.arpa";
        "22.172.in-addr.arpa";
        "23.172.in-addr.arpa";
        "10.in-addr.arpa";
        "d.f.ip6.arpa";
    };
};

// An authoritative name server for imlk.dn42
zone "imlk.dn42" {
    type primary;
    file "/etc/bind/zones/imlk.dn42.zone.signed";
    // Disable transfer to other servers. Otherwise: IP addresses of secondary servers allowed to transfer this zone
    allow-transfer { none; };
    // Disable dynamic DNS updates
    allow-update { none; };
};

// IPv4 reverse resolution
zone "0/26.96.22.172.in-addr.arpa" {
    type primary;
    file "/etc/bind/zones/0%2F26.96.22.172.in-addr.arpa.zone.signed";
    allow-transfer { none; };
    allow-update { none; };
};

// IPv6 reverse resolution
zone "e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa" {
    type primary;
    file "/etc/bind/zones/e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.zone.signed";
    allow-transfer { none; };
    allow-update { none; };
};

zone "dn42" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
};
zone "20.172.in-addr.arpa" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
    forward only;
};
zone "21.172.in-addr.arpa" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
    forward only;
};
zone "22.172.in-addr.arpa" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
    forward only;
};
zone "23.172.in-addr.arpa" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
    forward only;
};
zone "10.in-addr.arpa" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
    forward only;
};
zone "d.f.ip6.arpa" {
    type forward;
    forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
    forward only;
};
--------------------------------------------------------------------------------
/bind9/zones/0%2F26.96.22.172.in-addr.arpa.zone:
--------------------------------------------------------------------------------
; 0/26.96.22.172.in-addr.arpa.
$TTL 300 ; default ttl for all RRs
@ IN SOA ns1.imlk.dn42. me.imlk.top. ( ; ns1.imlk.dn42 is the name of the dns server
    2022032901 ; Serial Number, must be increased every time the zone is modified
    3600       ; Refresh
    180        ; Retry
    86400      ; Expire
    300 )      ; Negative Cache TTL
;
    IN NS ns1.imlk.dn42. ; announce the name server of the current zone (domain) to be ns1.imlk.dn42
4   IN PTR ns1.imlk.dn42.
2   IN PTR sjc1.us.imlk.dn42.
34  IN PTR bj2-cstnet.cn.imlk.dn42.

; zone-signing key
; dnssec-keygen -a ECDSAP256SHA256 -n ZONE 0/26.96.22.172.in-addr.arpa.
$INCLUDE "/etc/bind/dnssec_keys/K0%2F26.96.22.172.in-addr.arpa.+013+04941.key"
; key-signing key
; dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE 0/26.96.22.172.in-addr.arpa.
$INCLUDE "/etc/bind/dnssec_keys/K0%2F26.96.22.172.in-addr.arpa.+013+39446.key"
--------------------------------------------------------------------------------
/bind9/zones/e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.zone:
--------------------------------------------------------------------------------
; e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.
$TTL 300 ; default ttl for all RRs
@ IN SOA ns1.imlk.dn42. me.imlk.top. ( ; ns1.imlk.dn42 is the name of the dns server
    2022032901 ; Serial Number, must be increased every time the zone is modified
    3600       ; Refresh
    180        ; Retry
    86400      ; Expire
    300 )      ; Negative Cache TTL
;
    IN NS ns1.imlk.dn42. ; announce the name server of the current zone (domain) to be ns1.imlk.dn42
4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns1.imlk.dn42.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR sjc1.us.imlk.dn42.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR bj2-cstnet.cn.imlk.dn42.

; zone-signing key
; dnssec-keygen -a ECDSAP256SHA256 -n ZONE e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.
$INCLUDE "/etc/bind/dnssec_keys/Ke.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.+013+32599.key"
; key-signing key
; dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE e.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.
$INCLUDE "/etc/bind/dnssec_keys/Ke.0.a.8.a.a.2.d.2.4.d.f.ip6.arpa.+013+63894.key"
--------------------------------------------------------------------------------
/bind9/zones/imlk.dn42.zone:
--------------------------------------------------------------------------------
; imlk.dn42
$TTL 300 ; default ttl for all RRs
@ IN SOA ns1.imlk.dn42. me.imlk.top. ( ; ns1.imlk.dn42 is the name of the dns server
    2022032901 ; Serial Number, must be increased every time the zone is modified
    3600       ; Refresh
    180        ; Retry
    86400      ; Expire
    300 )      ; Negative Cache TTL
;
    IN NS ns1.imlk.dn42. ; announce the name server of the current zone (domain) to be ns1.imlk.dn42
ns1 IN A 172.22.96.4
ns1 IN AAAA fd42:d2aa:8a0e::4
sjc1.us IN A 172.22.96.2
sjc1.us IN AAAA fd42:d2aa:8a0e::2
bj2-cstnet.cn IN A 172.22.96.34
bj2-cstnet.cn IN AAAA fd42:d2aa:8a0e:1::2

; zone-signing key
; dnssec-keygen -a ECDSAP256SHA256 -n ZONE imlk.dn42
$INCLUDE "/etc/bind/dnssec_keys/Kimlk.dn42.+013+61270.key"
; key-signing key
; dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE imlk.dn42
$INCLUDE "/etc/bind/dnssec_keys/Kimlk.dn42.+013+31267.key"
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.9"
services:
  # BGP service
  bgp:
    build: ./bgp
    volumes:
      - ./bgp/bird2-peers/:/etc/bird/peers/:rw
      - ./bgp/wg-peers/:/etc/wireguard/:rw
      - ./bgp/bird.conf:/etc/bird/bird.conf:rw
    cap_add:
      - NET_ADMIN
    sysctls:
      - "net.ipv4.ip_forward=1"
      - "net.ipv6.conf.all.disable_ipv6=0"
      - "net.ipv6.conf.all.forwarding=1" # IPv6 forwarding must be enabled explicitly for the container, because it does not inherit the value from init_net by default; see: https://unix.stackexchange.com/questions/690999/ipv6-forwarding-doesnt-work-in-a-network-namespace
      # Also, if the firewall on the host is firewalld, be sure to set IPv6_rpfilter=no in firewalld, otherwise packets cannot be forwarded to the other services
      - "net.ipv4.conf.all.rp_filter=0" # allow the forward and return paths of a packet to differ; this is very common in dn42 and important when there are multiple Route Servers
      - "net.ipv4.conf.default.rp_filter=0"
    networks:
      dn42-net:
        ipv4_address:
        ipv6_address:
    dns:
      - 172.20.0.53 # widely used dns server in dn42. Or you can change this to your dns service ip address
    ports:
      - "21742:21742/udp" # imlk
    restart: always
  # DNS service
  dns:
    build: ./bind9
    cap_add:
      - NET_ADMIN
    networks:
      dn42-net:
        ipv4_address:
        ipv6_address:
    ports:
      - "53:53/udp" # published on every host interface; together with allow-recursion { any; } in named.conf this is an open resolver unless bound to a dn42 address ("<dn42-ip>:53:53/udp") or filtered on the host
    environment:
      - DN42_GATEWAY_V4=
      - DN42_GATEWAY_V6=
    restart: always

networks:
  default:
  dn42-net:
    driver: bridge
    enable_ipv6: true
    internal: false # controls whether the outside network is reachable through the host. Must be false, otherwise the firewall rules generated by docker block the other services from forwarding packets to the bgp service
    ipam:
      driver: default
      config:
        - subnet:
        - subnet:
--------------------------------------------------------------------------------
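Added example, not part of the repository: an offline implementation of the checks the `dnpeers` import filter in `bgp/bird.conf` applies to every route learned from a peer, so a policy change can be dry-run against a few prefixes before `birdc configure`. It ports the dn42 prefix/length sets of `is_valid_network()` / `is_valid_network_v6()`, the own-network exclusion of `is_self_net()`, and `roa_check()` with RFC 6811 semantics (VALID / INVALID / UNKNOWN), and parses the `route <prefix> max <len> as <asn>;` lines that bird2 static ROA files such as the ones `crontab.txt` fetches use. The ROA entries and routes below are constructed for the demo (they are not from dn42.burble.com), and unlike bird, which keeps separate `roa4` / `roa6` tables, a single list holds both address families here.

```python
"""Offline replica of the dnpeers import filter in bgp/bird.conf (added example, not repo code)."""
import ipaddress
import re
from enum import Enum
from typing import Iterable, List, Sequence, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
RoaEntry = Tuple[Net, int, int]  # (prefix, maxlen, origin ASN)

# bird2 static ROA syntax: route <prefix> max <maxlen> as <asn>;
ROA_LINE = re.compile(r"^\s*route\s+(\S+)\s+max\s+(\d+)\s+as\s+(\d+)\s*;")

# is_valid_network() / is_valid_network_v6() from bird.conf as (prefix, min_len, max_len);
# bird's "prefix+" means {prefixlen, 32}.
VALID_V4 = [("172.20.0.0/14", 21, 29), ("172.20.0.0/24", 28, 32), ("172.21.0.0/24", 28, 32),
            ("172.22.0.0/24", 28, 32), ("172.23.0.0/24", 28, 32), ("172.31.0.0/16", 16, 32),
            ("10.100.0.0/14", 14, 32), ("10.127.0.0/16", 16, 32), ("10.0.0.0/8", 15, 24)]
VALID_V6 = [("fd00::/8", 44, 64)]

# Constructed ROA lines for the demo (not fetched from dn42.burble.com).
SAMPLE_ROA = """\
route 172.22.96.0/26 max 29 as 4242421742;
route 172.20.0.53/32 max 32 as 64511;
route fd42:d2aa:8a0e::/48 max 64 as 4242421742;
"""


class Roa(Enum):
    UNKNOWN = "ROA_UNKNOWN"
    INVALID = "ROA_INVALID"
    VALID = "ROA_VALID"


def parse_roa(lines: Iterable[str]) -> List[RoaEntry]:
    table = []
    for line in lines:
        m = ROA_LINE.match(line)
        if m:
            table.append((ipaddress.ip_network(m.group(1)), int(m.group(2)), int(m.group(3))))
    return table


def roa_check(table: Sequence[RoaEntry], net: Net, origin: int) -> Roa:
    """RFC 6811, as bird's roa_check(table, net, bgp_path.last): a ROA covers the route when
    its prefix contains it. VALID needs a covering ROA with the same origin AS and
    maxlen >= the route's length; covered with nothing matching is INVALID; uncovered is UNKNOWN."""
    covered = False
    for prefix, maxlen, asn in table:
        if prefix.version != net.version or not net.subnet_of(prefix):
            continue
        covered = True
        if asn == origin and net.prefixlen <= maxlen:
            return Roa.VALID
    return Roa.INVALID if covered else Roa.UNKNOWN


def roa_status(roa_text: str, route: str, origin: int) -> str:
    """Convenience wrapper: ROA file text + route + origin -> ROA_VALID/INVALID/UNKNOWN."""
    return roa_check(parse_roa(roa_text.splitlines()), ipaddress.ip_network(route), origin).value


def is_valid_network(net: Net) -> bool:
    """bird's `net ~ [ prefix{lo,hi}, ... ]`: a subnet of prefix with lo <= len <= hi."""
    table = VALID_V4 if net.version == 4 else VALID_V6
    return any(net.subnet_of(ipaddress.ip_network(p)) and lo <= net.prefixlen <= hi
               for p, lo, hi in table)


def import_decision(table: Sequence[RoaEntry], route: str, origin: int,
                    own_nets: Sequence[str] = ()) -> Tuple[bool, str]:
    """Same order as the dnpeers import filter: valid prefix, not is_self_net(), ROA_VALID."""
    net = ipaddress.ip_network(route)
    if not is_valid_network(net):
        return False, "rejected: not a valid dn42/ULA prefix"
    own = [ipaddress.ip_network(o) for o in own_nets]
    if any(o.version == net.version and net.subnet_of(o) for o in own):
        return False, "rejected: is_self_net"
    result = roa_check(table, net, origin)
    if result is not Roa.VALID:
        return False, f"rejected: [dn42] ROA check failed for {net} ASN {origin} ({result.value})"
    return True, "accept"


if __name__ == "__main__":
    roa = parse_roa(SAMPLE_ROA.splitlines())
    for route, asn in [("172.22.96.0/27", 4242421742), ("172.22.96.0/26", 4242420000),
                       ("172.22.96.0/30", 4242421742), ("172.23.0.0/24", 4242421742),
                       ("fd42:d2aa:8a0e::/48", 4242421742), ("fd42::/40", 4242421742)]:
        print(route, asn, import_decision(roa, route, asn, own_nets=["172.22.96.0/26"]))
```

The two INVALID cases in the demo are the ones worth remembering when a peer complains about dropped routes: an origin AS that does not match the ROA, and a more-specific announced beyond the ROA's `max` length (here a /30 under a `max 29` entry). Both are rejected by the bird filter exactly as an UNKNOWN route is, because the filter accepts only `ROA_VALID`.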