DNS

burble.dn42 provides a suite of DNS services, including running one of the two DN42 DNS master nodes that exports registry information to the DNS infrastructure.

Apart from the Master, all DNS services are anycast across every node to provide fast, local responses network wide. The services support DNSSEC and are available over UDP, TCP, DNS over HTTPs and DNS over TLS.

burble.dn42 runs one of the two master servers that support the DN42 DNS infrastructure.
See the wiki for more information on the role of the master service.

The master is hosted on ca-bhs2, providing geographic and network redundancy against the other DN42 master service, hosted in Europe.

ns1.burble.dn42 is slaved to master.delegation-servers.dn42, and provides DNSSEC signed, authoritative data for DN42 related zones.

The authoritative service may be used as the root for a local DNS resolver, with the assurance that returned DNS records are traceable via DNSSEC to the DN42 registry. The service also supports AXFR and may be used as a master to a local, slaved, root zone.

Note that ns1.burble.dn42 will not forward DNS queries.
Forwarding is provided by the recursive service, dns.burble.dn42.

• .dn42
• .recursive-servers.dn42
• .delegation-servers.dn42
• .registry-sync.dn42
• d.f.ip6.arpa.
• 20.172.in-addr.arpa.
• 21.172.in-addr.arpa.
• 22.172.in-addr.arpa.
• 23.172.in-addr.arpa.
• 31.172.in-addr.arpa.
• 10.in-addr.arpa.

dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42 and clearnet domains. The service issues parallel queries from regional masters, the recursive service takes advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems.

The recursor is DNSSEC enabled and validates all queries.

Users are encouraged to consult recursive-servers.dn42 to obtain a list of recursive DNS services and configure at least two independent resolvers to obtain the best resilience.

See also the DN42 Wiki for general guidelines and best practice for setting up DNS in DN42.

$ host -t SRV _dns._udp.recursive-servers.dn42
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a3.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 b.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 10 10 53 a0.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 j.recursive-servers.dn42.
_dns._udp.recursive-servers.dn42 has SRV record 20 10 53 k.recursive-servers.dn42.

Example resolv.conf using IPv6 with IPv4 fallback

# DN42 resolve.conf

search dn42

# burble.dn42 service
# b.recursive-servers.dn42 
nameserver fd42:4242:2601:ac53::53

# j.recursive-servers.dn42
nameserver 172.20.1.19

The dns64 service operates in a similar way to the main recursive service but also provides dns64 translation for hostnames that only have IPv4 addresses.

The service will return IPv4 mapped to the rfc6052 well-known prefix - 64:ff9b::/96

The burble.dn42 services support queries via DNS over HTTPS (on port 443) and DNS over TLS (on port 843). The HTTPS service is signed by the burble.dn42 Certificate Authority, and the CA certificate will be required by the client in order to use the service.

example

$ doh burble.dn42 https://[fd42:4242:2601:ac53::53]/dns-query
burble.dn42 from https://[fd42:4242:2601:ac53::53]/dns-query
TTL: 3600 seconds
A: 172.20.129.3
AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001

The DNS service is implemented as a tiered, anycast service with each node in the network providing a local cache in front of regional, slave nodes.

Edge nodes provide a caching function for the slaves.

Recursive services (dns.burble.dn42 and dns64.burble.dn42) are provided by dnsmasq configured using the ‘all-servers’ mode. DN42 queries are forwarded to all regional slaves in parallel and the first response received is then returned. This approach ensures users get the lowest latency results possible, regardless of location, and that any local connectivity issues do not impact the results.

The authoritive service as well as DNS over HTTPS and DNS over TLS services are provided by dnsdist acting as a proxy. Requests are forwarded to either the regional slaves or local recursor services as appropriate and also cached.

Clearnet queries are forwarded on the edge nodes to a combination of Google and Cloudflare services.

The edge services are monitored and anycast routes automatically injected (or removed) with a health checking script.

The slave nodes are implemented using PowerDNS.

The Authoritative DNS servers are configured as slaves replicating from the DN42 master for .dn42 related zones and a hidden master located on the private, internal network for burble.dn42 zones.

The recursive service is provided by the pdns-recursor configured with DNSSEC validation and additional caching.

The DN42 DNS master is a custom java program running on us-dal3.