DNS

burble.dn42 provides a suite of DNS services, including running one of the two dn42 DNS master nodes that exports registry information to the DNS infrastructure.

Role Names
dn42 DNS Master b.master.delegation-servers.dn42
Authoritative DNS Service b.delegation-servers.dn42, ns1.burble.dn42
Recursive DNS Service b.recursive-servers.dn42, dns.burble.dn42
dns64 Service dns64.burble.dn42

Apart from the Master, all DNS services are anycast across every node to provide fast, local responses network-wide. The services support DNSSEC and are available over UDP, TCP, DNS over HTTPS and DNS over TLS.

dn42 DNS Master

Name IP
b.master.delegation-servers.dn42 fd42:180:3de0:30::1

burble.dn42 runs one of the two master servers that support the dn42 DNS infrastructure. See the wiki for more information on the role of the master service.

The master is typically hosted on either ca-bhs1 or us-ash1, providing geographic and network redundancy against the other dn42 master service which is hosted in Europe.

Authoritative DNS Service

Name IP
ns1.burble.dn42, b.delegation-servers.dn42 172.20.129.1, fd42:4242:2601:ac53::1

ns1.burble.dn42 replicates from master.delegation-servers.dn42 and provides DNSSEC-signed, authoritative data for dn42 related zones.

The authoritative service may be used as the root for a local DNS resolver, with the assurance that returned DNS records are traceable via DNSSEC to the dn42 registry. The service also supports AXFR and may be used as a primary to a local, replicated, root zone.

Note that ns1.burble.dn42 will not forward DNS queries. Forwarding is provided by the recursive service, dns.burble.dn42.

Replicated dn42 zones

  • .dn42
  • .recursive-servers.dn42
  • .delegation-servers.dn42
  • .registry-sync.dn42
  • d.f.ip6.arpa.
  • 20.172.in-addr.arpa.
  • 21.172.in-addr.arpa.
  • 22.172.in-addr.arpa.
  • 23.172.in-addr.arpa.
  • 31.172.in-addr.arpa.
  • 10.in-addr.arpa.

Primary Zones

Zone Role
burble.dn42 burble.dn42 forward zone
collector.dn42 Global Route Collector forward zone
1.0.6.2.2.4.2.4.2.4.d.f.ip6.arpa burble.dn42 IPv6 reverse zone
0/27.129.20.172.in-addr.arpa burble.dn42 services IPv4 reverse zone
160/27.129.20.172.in-addr.arpa burble.dn42 nodes IPv4 reverse zone
0.3.0.0.0.e.d.3.0.8.1.0.2.4.d.f.ip6.arpa DNS Master reverse zone
0.0.1.0.0.e.d.3.0.8.1.0.2.4.d.f.ip6.arpa Registry services IPv6 reverse zone
0/28.63.22.172.in-addr.arpa Registry services IPv4 reverse zone

Recursive DNS Service

Name IP
dns.burble.dn42, b.recursive-servers.dn42 172.20.129.2, fd42:4242:2601:ac53::53

dns.burble.dn42 is a caching, recursive DNS service that returns results for both dn42 and clearnet domains. The service issues parallel queries from regional resolvers, taking advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems.

The recursor is DNSSEC enabled and validates all queries.

Using the recursive DNS service

Users are encouraged to consult recursive-servers.dn42 to obtain a list of recursive DNS services and configure at least two independent resolvers to obtain the best resilience.

See also the dn42 Wiki for general guidelines and best practice for setting up DNS in dn42.

$ host -t SRV _dns._udp.recursive-servers.dn42
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a3.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 b.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a0.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 j.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 k.recursive-servers.dn42.

Example resolv.conf using IPv6 with IPv4 fallback

# dn42 resolv.conf

search dn42

# burble.dn42 service
# b.recursive-servers.dn42
nameserver fd42:4242:2601:ac53::53

# j.recursive-servers.dn42
nameserver 172.20.1.19

DNS64 Service

Name IP
dns64.burble.dn42 fd42:4242:2601:ac53::64

The dns64 service operates in a similar way to the main recursive service but also provides dns64 translation for hostnames that only have IPv4 addresses.

The service returns IPv4 addresses mapped into the RFC 6052 well-known prefix, 64:ff9b::/96.
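The mapping described above, as an added example (not code from burble.dn42): it synthesises AAAA answers only for names without native AAAA records, and recovers the IPv4 host behind a synthesised address, which is what you need when 64:ff9b:: destinations show up in firewall or flow logs. Function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6052 well-known prefix, as given on the page.
WKP = ipaddress.ip_network("64:ff9b::/96")

def synthesize(v4: str) -> str:
    """Place the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(WKP.network_address) | v4_int))

def extract(v6: str):
    """Return the embedded IPv4 address, or None when v6 is outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in WKP:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

def dns64_answer(a_records, aaaa_records):
    """AAAA answer from a DNS64 resolver: native AAAA records are returned
    untouched; synthesis happens only for names that have A records alone."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize(a) for a in a_records]

def annotate(destinations):
    """Map each logged IPv6 destination to the IPv4 host behind it (or None)."""
    return {d: extract(d) for d in destinations}

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = ["64:ff9b::c000:221", "2001:db8::1", "64:ff9b::c633:6407"]

if __name__ == "__main__":
    print(dns64_answer(["192.0.2.33"], []))
    for dest, v4 in annotate(SAMPLE_LOG).items():
        print(dest, "->", v4 or "native IPv6")
```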

DNS over HTTPS (DoH)

DNS over TLS

The burble.dn42 services support queries via DNS over HTTPS (on port 443) and DNS over TLS (on port 843). The HTTPS service certificate is signed by the burble.dn42 Certificate Authority, so clients need the CA certificate in order to use the service.

Example

$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query
burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query
TTL: 3600 seconds
A: 172.20.129.3
AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001
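A minimal DoH client for the endpoint above that trusts only the supplied CA certificate, as an added example (not the project's own code); the CA file path is a placeholder and the function names are hypothetical. It builds the RFC 8484 GET request and reports the RCODE and the AD (DNSSEC-validated) flag from the reply header.

```python
import base64
import ssl
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (cache-friendly per RFC 8484), RD set, class IN."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def doh_url(endpoint: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: base64url of the query with the padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{endpoint}?dns={b64.decode('ascii')}"

def parse_header(response: bytes) -> dict:
    """Fields worth checking before using an answer."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": ancount}

def query(endpoint: str, name: str, ca_file: str, qtype: int = 1) -> dict:
    # Passing cafile makes that CA the only trust anchor: the system store
    # is not loaded, and hostname/IP verification stays enabled.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        doh_url(endpoint, name, qtype),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return parse_header(resp.read())

if __name__ == "__main__":
    # Endpoint from the page; the CA path is a placeholder to replace.
    print(query("https://[fd42:4242:2601:ac53::53]/dns-query",
                "burble.dn42", "/path/to/burble-dn42-ca.pem"))
```

The AD flag is only as trustworthy as the channel to the resolver, which is why the TLS context is restricted to the one CA rather than falling back to the system trust store.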

Implementation

The DNS service is implemented as a tiered, anycast service with each node in the network providing a local cache in front of regional, secondary nodes.

dns-edge

Edge nodes provide a caching function for the secondaries.

Recursive services (dns.burble.dn42 and dns64.burble.dn42) are provided by dnsdist and dnsproxy.

dnsproxy is configured in ‘parallel’ mode; dn42 queries are forwarded to regional recursors in parallel and the first response received is then returned. This approach ensures users get the lowest latency results possible, regardless of location, and that any local connectivity issues do not impact the results.

The authoritative service, as well as the DNS over HTTPS and DNS over TLS services, is provided by dnsdist acting as a proxy. Requests are forwarded to either the regional or local recursor services as appropriate and also cached.

Clearnet queries are forwarded on the edge nodes to a random mix of Google and Cloudflare services.

The edge services are monitored and anycast routes automatically injected (or removed) with a health checking script.

dns-recursor

Region Host
Europe dns-recursor.uk-lon1.burble.dn42
Europe dns-recursor.de-fra1.burble.dn42
Americas (East) dns-recursor.us-nyc1.burble.dn42
Americas (West) dns-recursor.us-lax1.burble.dn42

The regional recursors perform parallel DNS lookup requests on behalf of dns-edge nodes.
Each recursor performs lookups, caching and DNSSEC validation.

The recursor nodes are implemented using PowerDNS Recursor.

dns-secondary

Region Host
Europe dns-secondary.uk-lon1.burble.dn42
Europe dns-secondary.de-fra1.burble.dn42
Americas (East) dns-secondary.us-nyc1.burble.dn42
Americas (West) dns-secondary.us-lax1.burble.dn42

The dns-secondary servers are configured as replicas of the dn42 master for .dn42 related zones, and of a hidden primary located on the internal network for burble.dn42 zones.

The secondary nodes are implemented using PowerDNS.

dns-master

The dn42 DNS master is a custom Java program.

The service typically runs on either ca-bhs1 or us-ash1.