www/content/services/dns.md
Simon Marsh dd8d989c3e
update shell stuff
2023-02-05 14:02:29 +00:00


---
title: "DNS"
geekdocDescription: "DNS services"
weight: 50
---
burble.dn42 provides a suite of DNS services, including running one of the two
DN42 DNS master nodes that exports registry information to the DNS infrastructure.

|Role|Names|
|:--|:--|
|DN42 DNS Master|b.master.delegation-servers.dn42|
|Authoritative DNS Service|b.delegation-servers.dn42<br/>ns1.burble.dn42|
|Recursive DNS Service|b.recursive-servers.dn42<br/>dns.burble.dn42|
|dns64 Service|dns64.burble.dn42|

Apart from the Master, all DNS services are anycast across every node to provide fast,
local responses network wide. The services support DNSSEC and are available over UDP, TCP,
DNS over HTTPS and DNS over TLS.
## DN42 DNS Master

|Name|IP|
|:--|:--|
|b.master.delegation-servers.dn42|fd42:180:3de0:30::1|

burble.dn42 runs one of the two master servers that support the DN42 DNS infrastructure.
See the [wiki](https://dn42.dev/services/New-DNS#instances_master-delegation-servers-dn42) for
more information on the role of the master service.

The master is hosted on ca-bhs2, providing geographic and network redundancy against the other DN42 master service, hosted in Europe.
## Authoritative DNS Service

|Name|IP|
|:--|:--|
|ns1.burble.dn42<br/>b.delegation-servers.dn42|172.20.129.1<br/>fd42:4242:2601:ac53::1|

ns1.burble.dn42 is slaved to master.delegation-servers.dn42, and provides
DNSSEC signed, authoritative data for DN42 related zones.

The authoritative service may be used as the root for a local DNS resolver, with the assurance
that returned DNS records are traceable via DNSSEC to the DN42 registry. The service
also supports AXFR and may be used as the master for a local, slaved root zone.

*Note that ns1.burble.dn42 will not forward DNS queries.
Forwarding is provided by the recursive service, dns.burble.dn42.*
### Slaved DN42 zones
* .dn42
* .recursive-servers.dn42
* .delegation-servers.dn42
* .registry-sync.dn42
* d.f.ip6.arpa.
* 20.172.in-addr.arpa.
* 21.172.in-addr.arpa.
* 22.172.in-addr.arpa.
* 23.172.in-addr.arpa.
* 31.172.in-addr.arpa.
* 10.in-addr.arpa.
### Mastered Zones

|Zone|Role|
|:--|:--|
|burble.dn42|burble.dn42 forward zone|
|collector.dn42|Global Route Collector forward zone|
|1.0.6.2.2.4.2.4.2.4.d.f.ip6.arpa|burble.dn42 IPv6 reverse zone|
|0/27.129.20.172.in-addr.arpa|burble.dn42 services IPv4 reverse zone|
|160/27.129.20.172.in-addr.arpa|burble.dn42 nodes IPv4 reverse zone|
|0.3.0.0.0.e.d.3.0.8.1.0.2.4.d.f.ip6.arpa|DNS Master reverse zone|
|0.0.1.0.0.e.d.3.0.8.1.0.2.4.d.f.ip6.arpa|Registry services IPv6 reverse zone|
|0/28.63.22.172.in-addr.arpa|Registry services IPv4 reverse zone|
## Recursive DNS Service

|Name|IP|
|:--|:--|
|dns.burble.dn42<br/>b.recursive-servers.dn42|172.20.129.2<br/>fd42:4242:2601:ac53::53|

dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42
and clearnet domains. The service issues parallel queries to the regional slave nodes and
returns the first answer received, taking advantage of the burble.dn42 global scale to
reduce latency and avoid local connectivity problems.

The recursor is DNSSEC enabled and validates every answer it returns.
### Using the recursive DNS service

Users are encouraged to consult recursive-servers.dn42 to obtain a list of
recursive DNS services and configure at least two independent resolvers
to obtain the best resilience.

See also the [DN42 Wiki](https://dn42.dev/services/DNS) for general guidelines and
best practice for setting up DNS in DN42.

```
$ host -t SRV _dns._udp.recursive-servers.dn42
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a3.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 b.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a0.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 j.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 k.recursive-servers.dn42.
```

Example resolv.conf using IPv6 with IPv4 fallback:

```
# DN42 resolv.conf
search dn42
# burble.dn42 service
# b.recursive-servers.dn42
nameserver fd42:4242:2601:ac53::53
# j.recursive-servers.dn42
nameserver 172.20.1.19
```
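The advice above (look up the SRV records, pick at least two independent resolvers, write them to resolv.conf) as an added worked example; this is not code from the burble.dn42 site. It parses the `host` output shown earlier, orders the targets by SRV priority and weight (RFC 2782), keeps the targets it has addresses for, and renders a resolv.conf in the same shape as the example above. The `ADDRESSES` table is a constructed stand-in for the A/AAAA lookups a real script would perform; only the b.* and j.* entries are taken from this page.

```python
import re

# Constructed sample: the SRV answers shown above, as `host` prints them.
SAMPLE_HOST_OUTPUT = """\
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a3.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 b.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a0.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 j.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 k.recursive-servers.dn42.
"""

# Hypothetical address lookups; only the b.* and j.* entries come from this page,
# the other targets are deliberately left unknown to show they get skipped.
ADDRESSES = {
    "b.recursive-servers.dn42": ["fd42:4242:2601:ac53::53", "172.20.129.2"],
    "j.recursive-servers.dn42": ["172.20.1.19"],
}

SRV_LINE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def parse_srv(text):
    """Return (priority, weight, port, target) tuples from `host -t SRV` output."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            _, prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target))
    return records


def order_targets(records):
    """RFC 2782 order: lowest priority first, then highest weight; the name is a
    deterministic tie-break in place of the RFC's weighted random selection."""
    return [r[3] for r in sorted(records, key=lambda r: (r[0], -r[1], r[3]))]


def pick_resolvers(records, addresses, want=2):
    """Walk the ordered targets and keep the first `want` distinct ones we can reach."""
    chosen = []
    port_by_target = {r[3]: r[2] for r in records}
    for target in order_targets(records):
        if target in chosen or target not in addresses:
            continue
        if port_by_target[target] != 53:
            # resolv.conf cannot express a port; such a target needs a local stub instead.
            continue
        chosen.append(target)
        if len(chosen) == want:
            break
    return chosen


def render_resolv_conf(targets, addresses, max_ns=3):
    """glibc honours at most three nameserver lines (MAXNS); IPv6 is listed first
    with IPv4 as the fallback, matching the example above."""
    lines = ["# DN42 resolv.conf", "search dn42"]
    count = 0
    for target in targets:
        lines.append(f"# {target}")
        for addr in sorted(addresses[target], key=lambda a: ":" not in a):
            if count == max_ns:
                break
            lines.append(f"nameserver {addr}")
            count += 1
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_HOST_OUTPUT)
    print(render_resolv_conf(pick_resolvers(recs, ADDRESSES), ADDRESSES))
```

The three-nameserver cap matters in practice: anything past MAXNS is silently ignored by glibc, so listing every SRV target in resolv.conf does not add resilience.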
## DNS64 Service

|Name|IP|
|:--|:--|
|dns64.burble.dn42|fd42:4242:2601:ac53::64|

The dns64 service operates in a similar way to the main recursive service but also provides
dns64 translation for hostnames that only have IPv4 addresses.

The service returns the IPv4 address mapped into the [RFC 6052](https://tools.ietf.org/html/rfc6052)
well-known prefix, `64:ff9b::/96`.
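The mapping described above, as an added example (not code from the burble.dn42 site or its dns64 implementation): an IPv4 address is embedded in the low 32 bits of the /96 well-known prefix, and the same arithmetic reverses it. It also applies the two rules a DNS64 resolver follows that are easy to miss: synthesize only when the name has no native AAAA (RFC 6147), and do not place non-global (e.g. RFC 1918) IPv4 addresses under the well-known prefix (RFC 6052 section 3.1). The sample addresses are constructed.

```python
import ipaddress

# RFC 6052 well-known prefix used by the dns64 service described above.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 translation prefix (RFC 6052 section 2.2:
    with a /96 prefix the IPv4 bits occupy the last 32 bits of the address)."""
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout is implemented here")
    if prefix == WELL_KNOWN_PREFIX and not v4.is_global:
        # RFC 6052 section 3.1: the well-known prefix must not carry non-global
        # addresses; private ranges need a network-specific prefix instead.
        raise ValueError(f"{v4} is not a global address; refusing to use {prefix}")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping, e.g. to log which IPv4 host a synthesized AAAA refers to."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """Resolver-side rule (RFC 6147): return native AAAA records when they exist,
    synthesize from the A records only when there are none."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed inputs: a clearnet IPv4-only name and a dual-stack DN42 name.
    print(dns64_answer(["8.8.8.8"], []))
    print(dns64_answer(["172.20.129.3"], ["fd42:4242:2601:ac80::1"]))
    print(extract_ipv4("64:ff9b::808:808"))
```

The global-address check is the reason a DNS64 service for DN42-internal IPv4 space could not simply reuse `64:ff9b::/96`; this page only describes translation for names that resolve to clearnet IPv4 addresses.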
## DNS over HTTPS (DoH) and DNS over TLS (DoT)

The burble.dn42 services support queries via DNS over HTTPS (on port 443) and
DNS over TLS (on port 843). The HTTPS service uses a certificate signed by the burble.dn42
[Certificate Authority](/home/certificate-authority), and the CA certificate
will be required by the client in order to use the service.

Example:

```
$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query
burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query
TTL: 3600 seconds
A: 172.20.129.3
AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001
```
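What the `doh` tool above actually sends and receives, as an added example that is not part of this site or of the `doh` tool: the query is an ordinary DNS wire-format message, base64url-encoded without padding into the `dns` parameter of a GET to `/dns-query` (RFC 8484), and the reply is a wire-format message whose ID, question and AD bit should be checked before the answers are trusted. The reply is constructed here to match the `doh` output above; sending the request for real would additionally need an `ssl` context loaded with the burble.dn42 CA certificate, which this offline example does not do.

```python
import base64
import ipaddress
import struct

QTYPE = {1: "A", 28: "AAAA"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Header plus one question. ID 0 and RD=1, as RFC 8484 suggests for cacheable DoH GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: base64url without '=' padding in the `dns` parameter."""
    return f"{endpoint}?dns={base64.urlsafe_b64encode(query).decode().rstrip('=')}"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, query):
    """Verify the reply belongs to `query`; return (ad_bit, [(type, ttl, address), ...])."""
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if ident != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    if msg[12:off] != query[12:]:
        raise ValueError("question section does not echo the query")
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in QTYPE:
            answers.append((QTYPE[rtype], ttl, str(ipaddress.ip_address(rdata))))
    # AD (0x0020) means the recursor performed DNSSEC validation; it is only
    # meaningful when the channel to the recursor is itself authenticated (DoT/DoH).
    return bool(flags & 0x0020), answers


def sample_response(query):
    """Constructed reply modelled on the `doh` output above: AD set, A and AAAA, TTL 3600."""
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 2, 0, 0)
    ptr = b"\xc0\x0c"  # pointer to the question name at offset 12
    a = ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + ipaddress.IPv4Address("172.20.129.3").packed
    aaaa = ptr + struct.pack("!HHIH", 28, 1, 3600, 16) + ipaddress.IPv6Address("fd42:4242:2601:ac80::1").packed
    return header + query[12:] + a + aaaa


if __name__ == "__main__":
    q = build_query("burble.dn42")
    print(doh_get_url("https://[fd42:4242:2601:ac53::53]/dns-query", q))
    print(parse_response(sample_response(q), q))
```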
## Implementation

The DNS service is implemented as a tiered, anycast service with each node
in the network providing a local cache in front of regional, slave nodes.

### dns-edge

Edge nodes provide a caching function for the slaves.

Recursive services (dns.burble.dn42 and dns64.burble.dn42) are provided by
[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html)
configured using the 'all-servers' mode. DN42 queries are forwarded to all
regional slaves in parallel and the first response received is then returned.
This approach ensures users get the lowest latency results possible, regardless of
location, and that any local connectivity issues do not impact the results.
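The first-response-wins forwarding described above, as an added example that is not part of this site or of dnsmasq: an asyncio sketch that sends one query to the three regional slaves named later on this page, returns the first successful answer and cancels the remaining queries. The upstream latencies and the one unreachable slave are constructed to show how a local connectivity failure is absorbed.

```python
import asyncio

# Constructed upstream behaviour for the three regional slaves named on this page:
# (simulated latency in seconds, answer); an answer of None simulates a failed query.
UPSTREAMS = {
    "dns-slave.de-fra1.burble.dn42": (0.20, "172.20.129.3"),
    "dns-slave.ca-bhs2.burble.dn42": (0.01, None),  # unreachable from this edge
    "dns-slave.us-lax1.burble.dn42": (0.05, "172.20.129.3"),
}


async def query_upstream(host, name, behaviour):
    """Stand-in for a forwarded DNS query; only its timing and failure shape matter here."""
    latency, answer = behaviour
    await asyncio.sleep(latency)
    if answer is None:
        raise ConnectionError(f"{host}: no response for {name}")
    return host, answer


async def race(name, upstreams, timeout=1.0):
    """Forward to every upstream in parallel; return the first successful answer and
    cancel the rest. Failures are collected so the error is informative if all fail."""
    pending = {asyncio.create_task(query_upstream(h, name, b)) for h, b in upstreams.items()}
    failures = []
    try:
        while pending:
            done, pending = await asyncio.wait(
                pending, timeout=timeout, return_when=asyncio.FIRST_COMPLETED
            )
            if not done:
                raise TimeoutError(f"no upstream answered {name} within {timeout}s")
            for task in done:
                if task.exception() is None:
                    return task.result()
                failures.append(task.exception())
        raise ConnectionError(f"all upstreams failed for {name}: {failures}")
    finally:
        for task in pending:
            task.cancel()


def resolve(name, upstreams=UPSTREAMS):
    """Synchronous wrapper returning (host that answered, answer)."""
    return asyncio.run(race(name, upstreams))


if __name__ == "__main__":
    print(resolve("burble.dn42"))
```

The race is only safe among upstreams the operator controls: the fastest answer wins regardless of its content, so a forwarder in this mode must never mix trusted slaves with arbitrary third-party resolvers. That is consistent with the design here, where DN42 queries go only to burble.dn42's own slaves.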
The authoritative service, as well as the DNS over HTTPS and DNS over TLS services, are
provided by [dnsdist](https://dnsdist.org/) acting as a proxy. Requests are
forwarded to either the regional slaves or local recursor services as appropriate
and also cached.

Clearnet queries are forwarded on the edge nodes to a combination of
Google and Cloudflare services.

The edge services are monitored, and anycast routes are automatically injected (or
removed) by a health checking script.
### dns-slave
| Region | Host | Location |
|:--|:--|:--|
| Europe | dns-slave.de-fra1.burble.dn42 | PHP Friends, Frankfurt, Germany |
| Americas (East) | dns-slave.ca-bhs2.burble.dn42 | OVH, Beauharnois, Canada |
| Americas (West) | dns-slave.us-lax1.burble.dn42 | Alvin Servers, Los Angeles, USA |
The slave nodes are implemented using [PowerDNS](https://www.powerdns.com/).

The Authoritative DNS servers are configured as slaves replicating from the
DN42 master for .dn42 related zones, and from a hidden master located on the private,
internal network for burble.dn42 zones.

The recursive service is provided by pdns-recursor, configured with DNSSEC
validation and additional caching.
### dns-master
The DN42 DNS master is a custom [java program](https://git.dn42.us/dn42/delegation-servers.dn42)
running on us-dal3.