This page covers guidance and examples on using DNS within DN42.
It is recommended to run your own DNS resolver as this provides you with the most security and privacy. However, to get started, or if running your own resolver isn't desirable an anycast service is available. The anycast service supports DNSSEC and will resolve public DNS names together with all the relevant DN42 and affiliated networks' names.
The DNS anycast service is provided by multiple operators, with each operator contributing to one of the two separate anycast services. By configuring both services, users get additional resiliency from having two, independent, resolvers.
To configure the service, ping both sets of addresses then set your primary nameserver to the lowest latency service and configure the other service as the secondary or backup nameserver.
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
nameserver 172.20.0.53 nameserver 172.23.0.53 nameserver fd42:d42:d42:54::1 nameserver fd42:d42:d42:53::1 search dn42
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
nameserver fd42:d42:d42:53::1 nameserver fd42:d42:d42:54::1 nameserver 172.23.0.53 nameserver 172.20.0.53 option inet6 # Linux/glibc family inet6 inet4 # BSD search dn42
There are multiple top level domains (TLDs) associated with DN42, its affiliated networks and for reverse DNS that must be configured in order to run your own resolver. The registry is the authoritative source of active TLDs, but see also this page dns/External-DNS in the wiki.
In this configuration, you run your own, caching resolver but forward DN42 related queries (with recursion bit set) to the anycast service. Example configurations for different recursor implementations are included in the dns/Configuration page.
Authoritative DNS for DN42 is provided by the *.delegation-servers.dn42 servers, see the DNS architecture here New DNS Delegations servers have full support for DNSSEC. Example configuration unbound implementations are included in the dns/Configuration page.