---
title: DNS
published: true
visible: true
---

burble.dn42 DNS services
===

# DNS Services

burble.dn42 DNS services are anycast across every node to provide fast, local responses network wide.

## Authoritative DNS Service

|||
|---|---|
| ns1.burble.dn42<br>b.delegation-servers.dn42 | 172.20.129.1<br>fd42:4242:2601:ac53::1 |

ns1.burble.dn42 is slaved to master.delegation-servers.dn42, and provides DNSSEC signed, authoritative data for DN42 related zones.

The authoritative service may be used as the root for a local DNS resolver, with the assurance that returned DNS records are traceable via DNSSEC to the DN42 registry. The service also supports AXFR and may be used as a master to a local, slaved, root zone.

*Note that ns1.burble.dn42 will not forward DNS queries. Forwarding is provided by the recursive service, dns.burble.dn42.*

*Slaved DN42 zones*

* .dn42
* .recursive-servers.dn42
* .delegation-servers.dn42
* .registry-sync.dn42
* d.f.ip6.arpa.
* 20.172.in-addr.arpa.
* 21.172.in-addr.arpa.
* 22.172.in-addr.arpa.
* 23.172.in-addr.arpa.
* 31.172.in-addr.arpa.
* 10.in-addr.arpa.

*burble.dn42 zones*

* . (local root zone)
* .burble.dn42.
* .collector.dn42.
* 1.0.6.2.2.4.2.4.2.4.d.f.ip6.arpa.
* 0/27.129.20.172.in-addr.arpa.
* 160/27.129.20.172.in-addr.arpa.

The root zone also includes stubs for resolving domains in networks associated with DN42 (e.g. .hack).

## Recursive DNS Service

|||
|---|---|
| dns.burble.dn42<br>b.recursive-servers.dn42 | 172.20.129.2<br>fd42:4242:2601:ac53::53 |

dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42 and clearnet domains. By issuing parallel queries across five regional masters, the recursive service takes advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems.

The recursor is DNSSEC enabled and validates all queries.

#### Using the recursive DNS service

Users are encouraged to consult recursive-servers.dn42 to obtain a list of recursive DNS services and configure at least two independent resolvers to obtain the best resilience.

```
$ host -l recursive-servers.dn42 fd42:4242:2601:ac53::1
Using domain server:
Name: fd42:4242:2601:ac53::1
Address: fd42:4242:2601:ac53::1#53
Aliases:

recursive-servers.dn42 name server a.recursive-servers.dn42.
recursive-servers.dn42 name server b.recursive-servers.dn42.
recursive-servers.dn42 name server j.recursive-servers.dn42.
recursive-servers.dn42 name server y.recursive-servers.dn42.
a.recursive-servers.dn42 has address 172.20.0.53
a.recursive-servers.dn42 has IPv6 address fd42:d42:d42:54::1
b.recursive-servers.dn42 has address 172.20.129.2
b.recursive-servers.dn42 has IPv6 address fd42:4242:2601:ac53::53
j.recursive-servers.dn42 has address 172.20.1.19
j.recursive-servers.dn42 has IPv6 address fd42:5d71:219:0:1::43
y.recursive-servers.dn42 has address 172.20.20.65
y.recursive-servers.dn42 has IPv6 address fd42:c01d:beef::2
```

Example resolv.conf using IPv6 with IPv4 fallback:

```
# DN42 resolv.conf
search dn42

# burble.dn42 service
# b.recursive-servers.dn42
nameserver fd42:4242:2601:ac53::53

# j.recursive-servers.dn42
nameserver fd42:5d71:219:0:1::43

# y.recursive-servers.dn42
nameserver 172.20.20.65
```

#### DNS over HTTPS (DoH)

* https://dns.burble.dn42/dns-query
* https://[fd42:4242:2601:ac53::53]/dns-query
* https://172.20.129.2/dns-query

The recursive DNS service supports DNS over HTTPS.
The HTTPS service certificate is signed by the burble.dn42 [Certificate Authority](/home/certificate-authority), and the CA certificate will be required by the DoH client in order to use the service. Unfortunately, the use of a self-signed CA means that OCSP stapling is not supported.

```
$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query
burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query
TTL: 3600 seconds
A: 172.20.129.3
AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001
```

## Implementation

The DNS service is implemented as a tiered, anycast service with each node in the network providing a local cache in front of five regional master nodes.

#### Edge Nodes

The ns1.burble.dn42 authoritative service is provided by [dnsdist](https://dnsdist.org/). Queries are forwarded to the nearest regional master node and responses are then cached. If the regional master is not available, the next nearest will be queried until a response is found.

The dns.burble.dn42 recursive service is provided by [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) configured using the 'all-servers' mode. DN42 queries are forwarded to all 5 regional masters in parallel and the first response received is then returned. This approach ensures users get the lowest latency results possible, regardless of location, and that any local connectivity issues do not impact the results. Clearnet queries are forwarded to a combination of Google and Cloudflare services.

Recursive queries are cached on the edge nodes and master nodes, creating a network wide cache of results across all users of the service.

Each edge node also runs [m13253/dns-over-https](https://github.com/m13253/dns-over-https) to provide the DNS over HTTPS service.

Anycast routes to the DNS servers are advertised to the main Bird2 instance using [GoBGP](https://github.com/osrg/gobgp) and a health checking script.

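
An added example of such a health check (not burble.dn42's own script): the anycast route is announced only after consecutive successful local lookups and withdrawn after consecutive failures, so a node with a broken resolver stops attracting queries without flapping the route. The probe name, loopback listener, thresholds and interval are assumptions; the prefix is the IPv4 recursive service address listed above.

```shell
#!/bin/sh
# Added example, not the page's script. Assumed values: probe name,
# resolver on 127.0.0.1, thresholds, 5 s interval.
PREFIX="172.20.129.2/32"   # recursive service address from this page
PROBE_NAME="burble.dn42"
FAIL_LIMIT=3               # consecutive failures before withdrawing
OK_LIMIT=2                 # consecutive successes before announcing

# Succeeds only if the local resolver answers with at least one A record.
# dig exits non-zero on timeout; SERVFAIL/NXDOMAIN give empty +short output.
probe() {
    ans=$(dig +short +time=2 +tries=1 @127.0.0.1 "$PROBE_NAME" A 2>/dev/null) || return 1
    [ -n "$ans" ]
}

# next_state STATE COUNT RESULT  ->  prints "NEWSTATE NEWCOUNT ACTION"
# STATE: up|down. COUNT: run of results contradicting STATE.
# RESULT: ok|fail. ACTION: announce|withdraw|none.
next_state() {
    state=$1 count=$2 result=$3
    if [ "$state" = up ]; then
        if [ "$result" = ok ]; then echo "up 0 none"; return; fi
        count=$((count + 1))
        if [ "$count" -ge "$FAIL_LIMIT" ]; then echo "down 0 withdraw"
        else echo "up $count none"; fi
    else
        if [ "$result" = fail ]; then echo "down 0 none"; return; fi
        count=$((count + 1))
        if [ "$count" -ge "$OK_LIMIT" ]; then echo "up 0 announce"
        else echo "down $count none"; fi
    fi
}

# Add or remove the anycast route in GoBGP's global RIB.
apply_action() {
    case $1 in
        announce) gobgp global rib add "$PREFIX" -a ipv4 ;;
        withdraw) gobgp global rib del "$PREFIX" -a ipv4 ;;
    esac
}

main() {
    state=down count=0     # start withdrawn until the service proves healthy
    while :; do
        if probe; then result=ok; else result=fail; fi
        set -- $(next_state "$state" "$count" "$result")
        state=$1 count=$2
        apply_action "$3"
        sleep 5
    done
}
if [ "${RUN_HEALTHCHECK:-0}" = 1 ]; then main; fi
```

Run it with `RUN_HEALTHCHECK=1` under a process supervisor; if the supervisor stops it, the route should be withdrawn as part of shutdown.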
#### Master Nodes

| Region | Host | Location |
|:--|:--|:--|
| Europe | dns-master.fr-rbx1.burble.dn42 | OVH, Roubaix, France |
| Eastern Europe | dns-master.lt-vil1.burble.dn42 | Time4VPS, Vilnius, Lithuania |
| Americas (East) | dns-master.ca-bhs2.burble.dn42 | OVH, Beauharnois, Canada |
| Americas (Mid & West) | dns-master.us-dal3.burble.dn42 | HostDoc, Dallas, USA |
| Asia and Oceania | dns-master.sg-sin2.burble.dn42 | OVH, Singapore |

The master nodes are implemented using [PowerDNS](https://www.powerdns.com/).

The authoritative DNS servers are configured as slaves, replicating from the DN42 master for .dn42 related zones and from a hidden master located on the private, internal network for burble.dn42 zones. The root zone is built automatically from the registry using [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).

The recursive service is provided by the pdns-recursor configured with DNSSEC validation and additional caching.