burble.dn42/www
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

Update DNS service

Browse Source
This commit is contained in:
Simon Marsh 2020-05-25 11:30:08 +01:00
parent 1c5a42efc1
commit 231565f5ec
3 changed files with 112 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pages/01.home/burble-dn42-services/default.md
View File

@ -40,21 +40,24 @@ The looking glass is hosted on fr-sbg1 behind [CloudFlare](https://www.cloudflar
|Authoritative Service||
|:--|:--|
| ns1.burble.dn42<br/>b.delegation-servers.dn42| 172.20.129.1<br/>fd42:4242:2601:ac53::1 |
|ns1.burble.dn42<br/>b.delegation-servers.dn42| 172.20.129.1<br/>fd42:4242:2601:ac53::1 |
|Recursive Service||
|:--|:--|
| dns.burble.dn42<br/>b.recursive-servers.dn42| 172.20.129.2<br/>fd42:4242:2601:ac53::53 |
|dns.burble.dn42<br/>b.recursive-servers.dn42| 172.20.129.2<br/>fd42:4242:2601:ac53::53 |
|DN42 Anycast Service|
|:--|:--|
|a3.recursive-servers.dn42||172.23.0.53<br/>fd42:d42:d42:53::1|
<br/>
**DNS over HTTPs (DoH)**
* https://dns.burble.dn42/dns-query
* https://[fd42:4242:2601:ac53::53]/dns-query
* https://172.20.129.2/dns-query
burble.dn42 provides a local, anycast, authoritative and recursive DNS service.
The [DNS Service](/home/dns) has it's own page.
**DNS over HTTPs (DoH)**
**DNS over TLS**
All services support DNS over HTTPs on port 443, and DNS over TLS on port 843.
## DN42 Wiki Mirror
|Mirror URLs||

137
pages/01.home/dns/default.md
View File

@ -10,7 +10,32 @@ burble.dn42 DNS services
# DNS Services
burble.dn42 DNS services are anycast across every node to provide fast, local responses network wide.
burble.dn42 provides a suite of DNS services, including running one of the two DN42 DNS master
nodes that exports registry information to the DNS infrastructure.
|||
|:--|:--|
|DN42 DNS Master|b.master.delegation-servers.dn42|
|Authoritative DNS Service|b.delegation-servers.dn42<br>ns1.burble.dn42|
|Recursive DNS Service|b.recursive-servers.dn42<br/>dns.burble.dn42|
|dns64 Service|dns64.burble.dn42|
<br/>
Apart from the Master, all DNS services are anycast across every node to provide fast,
local responses network wide. The services support DNSSEC and are available over UDP, TCP,
DNS over HTTPs and DNS over TLS.
## DN42 DNS Master
|||
|:--|:--|
|b.master.delegation-servers.dn42|fd42:180:3de0:30::1|
<br/>
burble.dn42 runs one of the two master servers that support the DN42 DNS infrastructure.
See the [wiki](https://dn42.dev/services/New-DNS#instances_master-delegation-servers-dn42) for
more information on the role of the master service.
The master is hosted on ca-bhs2, providing geographic and network redundancy against the other
DN42 master service, and has &lt; 0.5s latency to the DN42 git repository.
## Authoritative DNS Service
@ -45,15 +70,12 @@ Forwarding is provided by the recursive service, dns.burble.dn42.*
*burble.dn42 zones*
* . (local root zone)
* .burble.dn42.
* .collector.dn42.
* 1.0.6.2.2.4.2.4.2.4.d.f.ip6.arpa.
* 0/27.129.20.172.in-addr.arpa.
* 160/27.129.20.172.in-addr.arpa.
The root zone also includes stubs for resolving domains in networks associated to DN42 (e.g. .hack).
## Recursive DNS Service
@ -61,7 +83,10 @@ The root zone also includes stubs for resolving domains in networks associated t
|---|---|
| dns.burble.dn42<br/>b.recursive-servers.dn42| 172.20.129.2<br/>fd42:4242:2601:ac53::53 |
<br/>
dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42 and clearnet domains. By issuing parallel queries across four regional masters, the recursive service takes advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems.
dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42
and clearnet domains. The service issues parallel queries from five regional masters, the
recursive service takes advantage of the burble.dn42 global scale to reduce latency and
avoid local connectivity problems.
The recursor is DNSSEC enabled and validates all queries.
@ -71,22 +96,16 @@ Users are encouraged to consult recursive-servers.dn42 to obtain a list of
recursive DNS services and configure at least two independent resolvers
to obtain the best resilience.
```
$ host -l recursive-servers.dn42 fd42:4242:2601:ac53::1
Using domain server:
Name: fd42:4242:2601:ac53::1
Address: fd42:4242:2601:ac53::1#53
Aliases:
See also the [DN42 Wiki](https://dn42.dev/services/DNS) for general guidelines and
best practice for setting up DNS in DN42.
recursive-servers.dn42 name server a.recursive-servers.dn42.
recursive-servers.dn42 name server b.recursive-servers.dn42.
recursive-servers.dn42 name server j.recursive-servers.dn42.
a.recursive-servers.dn42 has address 172.20.0.53
a.recursive-servers.dn42 has IPv6 address fd42:d42:d42:54::1
b.recursive-servers.dn42 has address 172.20.129.2
b.recursive-servers.dn42 has IPv6 address fd42:4242:2601:ac53::53
j.recursive-servers.dn42 has address 172.20.1.19
j.recursive-servers.dn42 has IPv6 address fd42:5d71:219:0:1::43
```
$ host -t SRV _dns._udp.recursive-servers.dn42
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a3.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 b.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a0.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 j.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 k.recursive-servers.dn42.
```
Example resolv.conf using IPv6 with IPv4 fallback
@ -103,17 +122,27 @@ nameserver fd42:4242:2601:ac53::53
nameserver 172.20.1.19
```
## DNS64 Service
|||
|---|---|
|dns64.burble.dn42|fd42:4242:2601:ac53::64|
<br/>
The dns64 service operates in a similar way to the main recursive service but also provides
dns64 translation for hostnames that only have IPv4 addresses.
The service will return IPv4 mapped to the [rfc6052](https://tools.ietf.org/html/rfc6052)
well-known prefix - `64:ff9b::/96`
#### DNS over HTTPS (DoH)
#### DNS over TLS
* https://dns.burble.dn42/dns-query
* https://[fd42:4242:2601:ac53::53]/dns-query
* https://172.20.129.2/dns-query
The recursive DNS service supports DNS over HTTPS. The HTTPS service is signed by the
burble.dn42 [Certificate Authority](/home/certificate-authority), and the CA certificate
will be required by the DoH client in order to use the service. Unfortunately, the
use of a self-signed CA means that OCSP stapling is not supported.
The burble.dn42 services support queries via DNS over HTTPS (on port 443) and
DNS over TLS (on port 843). The HTTPS service is signed by the burble.dn42
[Certificate Authority](/home/certificate-authority), and the CA certificate
will be required by the client in order to use the service.
example
```
$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query
burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query
@ -125,48 +154,50 @@ AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001
## Implementation
The DNS service is implemented as a tiered, anycast service with each node
in the network providing a local cache in front of four, regional, master nodes.
in the network providing a local cache in front of regional, slave nodes.
#### Edge Nodes
#### dns-edge
The ns1.burble.dn42 authoritative service is provided by [dnsdist](https://dnsdist.org/).
Queries are forwarded to the nearest regional master node and responses are then cached.
If the regional master is not available, the next nearest will be queried until a response
is found.
Edge nodes provide a caching function for the slaves.
The dns.burble.dn42 recursive service is provided by
Recursive services (dns.burble.dn42 and dns64.burble.dn42) are provided by
[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html)
configured using the 'all-servers' mode. DN42 queries are forwarded to all 5
regional masters in parallel and the first response received is then returned.
configured using the 'all-servers' mode. DN42 queries are forwarded to all
regional slaves in parallel and the first response received is then returned.
This approach ensures users get the lowest latency results possible, regardless of
location, and that any local connectivity issues do not impact the results.
Clearnet queries are forwarded to a combination of Google and Cloudflare services.
The authoritive service as well as DNS over HTTPS and DNS over TLS services are
provided by [dnsdist](https://dnsdist.org/) acting as a proxy. Requests are
forwarded to either the regional slaves or local recursor services as appropriate
and also cached.
Recursive queries are cached on the edge nodes and master nodes, creating a network
wide cache of results across all users of the service.
Clearnet queries are forwarded on the edge nodes to a combination of
Google and Cloudflare services.
Each edge node also runs [m13253/dns-over-https](https://github.com/m13253/dns-over-https)
to provide the DNS over HTTPS service.
The edge services are monitored and anycast routes automatically injected (or
removed) using [GoBGP](https://github.com/osrg/gobgp) and a health checking script.
Anycast routes to the DNS servers are advertised to the main Bird2 instance using
[GoBGP](https://github.com/osrg/gobgp) and a health checking script.
#### Master Nodes
#### dns-slave
| Region | Host | Location |
|:--|:--|:--|
| Europe | dns-master.fr-sbg1.burble.dn42 | OVH, Strasbourg, France |
| Americas (East) | dns-master.ca-bhs2.burble.dn42 | OVH, Beauharnois, Canada |
| Americas (Mid & West) &nbsp; | dns-master.us-dal1.burble.dn42 | DrServer, Dallas, USA |
| Asia and Oceania | dns-master.sg-sin1.burble.dn42 | ITLDC, Singapore |
| Europe | dns-slave.fr-sbg1.burble.dn42 | OVH, Strasbourg, France |
| Americas (East) | dns-slave.ca-bhs2.burble.dn42 | OVH, Beauharnois, Canada |
| Americas (Mid) &nbsp; | dns-slave.us-dal1.burble.dn42 | DrServer, Dallas, USA |
| Americas (West) &nbsp; | dns-slave.us-lax1.burble.dn42 | LetBox, Los Angeles, USA |
| Asia and Oceania | dns-slave.sg-sin1.burble.dn42 | ITLDC, Singapore |
<br/>
The master nodes are implemented using [PowerDNS](https://www.powerdns.com/).
The slave nodes are implemented using [PowerDNS](https://www.powerdns.com/).
The Authoritative DNS servers are configured as slaves replicating from the
DN42 master for .dn42 related zones and a hidden master located on the private,
internal network for burble.dn42 zones. The root zone is built automatically
from the registry using [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).
internal network for burble.dn42 zones.
The recursive service is provided by the pdns-recursor configured with DNSSEC
validation and additional caching.
#### dns-master
The DN42 DNS master is a custom [java program](https://git.dn42.us/dn42/delegation-servers.dn42)
running on ca-bhs2.

17
pages/01.home/maintenance-log/default.md
View File

@ -10,6 +10,23 @@ A log of changes to the burble.dn42 network.
## burble.dn42 Maintenance Log
#### 25th May 2020
The new DNS implementation has been deployed across all nodes.
The DNS service now supports:
- Authoritative DNS for DN42 domains (b.delegation-servers.dn42)
- Recursive DNS (b.recursive-servers.dn42)
- DNS64 (dns64.burble.dn42)
All services support UDP, TCP, DNS over HTTPS and DNS over TLS queries.
See the [DNS](/home/dns) page for more info.
#### 23rd May 2020
A new implementation of the edge DNS service is currently being tested across
a few nodes, please let me know if you spot any DNS oddness.
#### 18th May 2020
Added whois.burble.dn42 service, see the [services](/home/burble-dn42-services)