9fa63d2e8c05a9ef00d1538a0a6e00254e87b5de
services/DNS.md
| ... | ... | @@ -1,14 +1,66 @@ |
| 1 | -# DN42 DNS Architecture |
|
| 1 | +# DN42 DNS |
|
| 2 | 2 | |
| 3 | -Simple setup for new users: |
|
| 3 | +This page covers guidance and examples on using DNS within DN42. |
|
| 4 | 4 | |
| 5 | -All I want is to access an .dn42 / .hack / freifunk domain. You can configure the following DNS servers: |
|
| 6 | -* **fd42:d42:d42:54::1 , 172.20.0.53** (a.recursive-servers.dn42) |
|
| 5 | +## Quick Start |
|
| 7 | 6 | |
| 8 | -It is recommended that you setup your own DNS resolver, please check [[dns/Configuration|Configuration]] - DN42 DNS forward configuration for BIND, dnsmasq, Unbound, PowerDNS, etc. |
|
| 7 | +It is recommended to run your own DNS resolver as this provides you with the most security and privacy. |
|
| 8 | +However, to get started, or if running your own resolver isn't desirable an anycast service |
|
| 9 | +is available. The anycast service supports DNSSEC and will resolve public DNS names together with all the |
|
| 10 | +relevant DN42 and affiliated networks' names. |
|
| 9 | 11 | |
| 10 | -Please check [[New DNS]] - for details about the current DNS system architecture |
|
| 12 | +### Using the DNS Anycast Service |
|
| 11 | 13 | |
| 14 | +The DNS anycast service is provided by multiple operators, with each operator contributing to one of the two separate |
|
| 15 | +anycast services. By configuring both services, users get additional resiliency from having two, independent, resolvers. |
|
| 16 | + |
|
| 17 | +| Name | IPv4 | IPv6 | |
|
| 18 | +|---|---|---| |
|
| 19 | +| a0.recursive-servers.dn42 | 172.20.0.53 | fd42:d42:d42:54::1 | |
|
| 20 | +| a3.recursive-servers.dn42 | 172.23.0.53 | fd42:d42:d42:53::1 | |
|
| 21 | + |
|
| 22 | +To configure the service, ping both sets of addresses then set your primary nameserver to the lowest latency |
|
| 23 | +service and configure the other service as the secondary or backup nameserver. |
|
| 24 | + |
|
| 25 | +Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4: |
|
| 26 | + |
|
| 27 | +```text |
|
| 28 | +nameserver 172.20.0.53 |
|
| 29 | +nameserver 172.23.0.53 |
|
| 30 | +nameserver fd42:d42:d42:54::1 |
|
| 31 | +nameserver fd42:d42:d42:53::1 |
|
| 32 | +search dn42 |
|
| 33 | +``` |
|
| 34 | + |
|
| 35 | +Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6: |
|
| 36 | + |
|
| 37 | +```text |
|
| 38 | +nameserver fd42:d42:d42:53::1 |
|
| 39 | +nameserver fd42:d42:d42:54::1 |
|
| 40 | +nameserver 172.23.0.53 |
|
| 41 | +nameserver 172.20.0.53 |
|
| 42 | +search dn42 |
|
| 43 | +``` |
|
| 44 | + |
|
| 45 | +## Advanced Configuration |
|
| 46 | + |
|
| 47 | +There are multiple top level domains (TLDs) associated with DN42, its affiliated networks and for reverse DNS that must |
|
| 48 | +be configured in order to run your own resolver. The registry is the authoritative source of active TLDs, but see also |
|
| 49 | +this page [[dns/External-DNS|External-DNS]] in the wiki. |
|
| 50 | + |
|
| 51 | +### Split horizon DNS |
|
| 52 | + |
|
| 53 | +In this configuration, you run your own, caching resolver but forward DN42 related queries (with recursion bit set) |
|
| 54 | +to the anycast service. Example configurations for different recursor implementations are included in the [[dns/Configuration|Configuration]] page. |
|
| 55 | + |
|
| 56 | +### Full recursion |
|
| 57 | + |
|
| 58 | +Authoritative DNS for DN42 is provided by the *.delegation-servers.dn42 servers, see the DNS architecture here |
|
| 59 | +[[New DNS]] Delegations servers have full support for DNSSEC. |
|
| 60 | + |
|
| 61 | +## Further Information |
|
| 62 | + |
|
| 63 | +* [[dns/Configuration|Configuration]] - Forwarder configuration examples |
|
| 12 | 64 | * [[New DNS]] - current architecture |
| 13 | 65 | * [[dns/External-DNS|External-DNS]] - external DNS zones from interconnected networks |
| 14 | 66 | * [[Old Hierarchical DNS]] - deprecated |
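Review bot: Both resolv.conf examples (new lines 28-31 and 38-41) list four `nameserver` entries, but the glibc resolver only uses the first three (MAXNS), so the fourth address in each example is silently ignored. Consider trimming each example to three entries, or stating the limit, so readers do not assume all four are in use. In the Quick Start text (new lines 8-10), "supports DNSSEC" can be read as protecting the client, yet a stub resolver configured through resolv.conf does not itself validate signatures and simply trusts the anycast operator's answer. A sentence saying that validation needs a local validating resolver would tie this back to the recommendation on new line 7. Minor: on new line 59, "[[New DNS]] Delegations servers" is missing a full stop after the link and should read "Delegation servers".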