[2019-12-16] Set up a tier 2 OpenNIC DNS server



The other day there was a lively conversation on the circumlunar.space BBS about .org being acquired by a private equity firm. Solderpunk and Sloum mentioned some alternative DNS services, among them OpenNIC. I recall having heard of OpenNIC in the past but had totally forgotten about it. They do provide a .gopher TLD, so I should have known better :)


I love the idea of getting rid of all those TLD racketeers, so I wanted to help OpenNIC a bit by adding a tier 2 DNS server of my own.


Here is the setup I used.


Creating a server.


First I opted for an OpenBSD server: it is the most robust and simple OS I know, and I just love it. So I headed to vultr.com, which provides OpenBSD images for its VPS instances. Since I'm in Paris I chose the datacenter here and picked an OpenBSD 6.6 image.


After the machine booted I updated the system with:


```shell
$ doas syspatch
```

and rebooted it.



Adding a DNS server.


unbound is a DNS server that's part of the OpenBSD standard installation, at least on Vultr, so we'll use it. First we need to edit the unbound config:


```/var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.17 2019/08/25 15:50:21 ajacoutot Exp $

server:
	interface: 0.0.0.0
	interface: ::0
	do-ip6: yes
	do-tcp: yes
	do-udp: yes

	# public resolver: answer everybody, rate limited further below
	access-control: 0.0.0.0/0 allow
	access-control: ::0/0 allow
	access-control: ::1 allow

	# refuse version.bind / hostname.bind style probes
	hide-identity: yes
	hide-version: yes

	minimal-responses: yes
	# query logging deliberately left off
	#log-queries: yes

	unwanted-reply-threshold: 10000

	# OpenNIC root servers instead of the ICANN root
	root-hints: "/var/unbound/etc/opennic.cache"

	# ratelimiting examples
	ip-ratelimit-factor: 0
	ip-ratelimit: 20
	ratelimit-below-domain: gov 30
	ratelimit: 100

	# See https://nlnetlabs.nl/documentation/unbound/howto-optimise/
	num-threads: 1
	infra-cache-slabs: 1
	key-cache-slabs: 1
	msg-cache-slabs: 1
	rrset-cache-slabs: 1
	key-cache-size: 8m # default 4m
	msg-cache-size: 8m # default 4m
	neg-cache-size: 8m # default 1m
	rrset-cache-size: 16m # rrset=msg*2 # default 4m
	outgoing-range: 8192
	num-queries-per-thread: 4096 # outgoing-range/2

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock
```


Query logging is disabled on purpose: I don't want to see what others are looking up, and it saves disk space.


You may have noticed the root-hints line: we need to fetch the latest OpenNIC root hints with dig and use them in our DNS server. To do that, add a line to the crontab that refreshes these hints once a month, on the 5th:


```crontab -e
0 0 5 * * /usr/sbin/dig . NS @75.127.96.89 > /var/unbound/etc/opennic.cache.new && mv /var/unbound/etc/opennic.cache.new /var/unbound/etc/opennic.cache && unbound-control reload
```


and start unbound with:


```shell
$ doas rcctl enable unbound
$ doas rcctl start unbound
```
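The crontab entry above is the minimal version. As an added example (my own script, not part of the original post), here is a fuller refresh routine that fetches the hints into a temporary file, checks that the answer actually contains root NS records and glue before touching the live file, makes the file readable by the _unbound user, and only then reloads unbound. It assumes the same paths as the post (dig in /usr/sbin, hints in /var/unbound/etc/opennic.cache, remote-control enabled on /var/run/unbound.sock) and the same OpenNIC source server, 75.127.96.89; run it from cron as root with the argument `run`.

```shell
#!/bin/sh
# refresh-opennic-hints.sh (added example, not from the original post)
# Fetch the OpenNIC root hints, validate them, then install and reload.
# A failed or empty fetch leaves the existing hints file untouched.

HINTS=/var/unbound/etc/opennic.cache   # live hints file (from the post)
SOURCE=75.127.96.89                    # OpenNIC tier 1 server (from the post)

# hints_ok FILE: return 0 if FILE looks like usable root hints, i.e. dig
# reported NOERROR, there is at least one NS record for "." and at least
# one A/AAAA glue record; return 1 otherwise.
hints_ok() {
    f=$1
    [ -s "$f" ] || return 1
    grep -q 'status: NOERROR' "$f" || return 1
    # dig prints records as: NAME TTL IN TYPE RDATA (comments start with ";")
    ns=$(awk '$1 == "." && $4 == "NS" { n++ } END { print n+0 }' "$f")
    glue=$(awk '$4 == "A" || $4 == "AAAA" { n++ } END { print n+0 }' "$f")
    [ "$ns" -gt 0 ] && [ "$glue" -gt 0 ]
}

# refresh_hints: fetch into a temp file next to HINTS, validate, install,
# and reload unbound; log and keep the old file on any failure.
refresh_hints() {
    tmp=$(mktemp "${HINTS}.XXXXXX") || return 1
    if /usr/sbin/dig . NS @"$SOURCE" > "$tmp" && hints_ok "$tmp"; then
        chmod 644 "$tmp"            # mktemp creates 0600; unbound must read it
        mv "$tmp" "$HINTS"
        # refuse to reload if unbound would reject the resulting configuration
        unbound-checkconf && unbound-control reload
    else
        logger -t refresh-opennic-hints "fetch from $SOURCE failed, keeping old hints"
        rm -f "$tmp"
        return 1
    fi
}

# Only fetch when invoked as "refresh-opennic-hints.sh run", so the
# functions above can also be sourced and tested offline.
if [ "${1:-}" = "run" ]; then
    refresh_hints
fi
```

The validation is deliberately simple: a network failure usually yields an empty file or a non-NOERROR status, and either of those would otherwise leave unbound with no root servers at the next reload.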



A bit of security


Let's add some firewall rules to tighten things up a bit.


```/etc/pf.conf
# -f
tcp_services="{ ssh, domain }"
udp_services="{ domain }"

# don't filter local interface
set skip on lo

block all
pass out all

# allow ping
pass on egress inet proto icmp all icmp-type 8 code 0

# accept incoming ssh and DNS traffic only
pass in proto tcp to any port $tcp_services keep state
pass in proto udp to any port $udp_services keep state
```


And reload pf to take our changes into account:


```shell
$ doas pfctl -nf /etc/pf.conf   # parse only, catches syntax errors before loading
$ doas pfctl -f /etc/pf.conf
```



That's it, you should now have a nice tier 2 OpenNIC DNS server up and running! You can test that it works on the OpenNIC server test page.
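Besides the OpenNIC test page, it is worth checking from the command line that the server answers for the OpenNIC root and that hide-identity / hide-version really do what the config says. The script below is an added example of mine, not from the original post; it assumes dig(1) is available and takes the server address as its first argument. Unbound answers version.bind and hostname.bind CHAOS queries with REFUSED when those two options are set, so anything other than REFUSED there means the hardening did not take effect.

```shell
#!/bin/sh
# check-opennic-resolver.sh (added example, not from the original post)
# Usage: check-opennic-resolver.sh SERVER_IP

# dig_status: read dig output on stdin and print the header status
# (NOERROR, REFUSED, SERVFAIL, ...), or NONE when dig produced no header,
# e.g. on a timeout.
dig_status() {
    s=$(sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${s:-NONE}"
}

# verdict ROOT_STATUS VERSION_STATUS HOSTNAME_STATUS: print "ok" when the
# root NS query succeeded and both CHAOS probes were refused; otherwise
# print FAIL followed by each failing check and the status it returned.
verdict() {
    problems=""
    [ "$1" = "NOERROR" ] || problems="$problems root-ns:$1"
    [ "$2" = "REFUSED" ] || problems="$problems version.bind:$2"
    [ "$3" = "REFUSED" ] || problems="$problems hostname.bind:$3"
    if [ -z "$problems" ]; then
        printf 'ok\n'
    else
        printf 'FAIL:%s\n' "$problems"
    fi
}

# check_resolver SERVER: run the three probes against SERVER and judge them.
check_resolver() {
    srv=$1
    root=$(dig . NS @"$srv" | dig_status)                  # OpenNIC root reachable?
    ver=$(dig version.bind CH TXT @"$srv" | dig_status)    # hide-version in effect?
    host=$(dig hostname.bind CH TXT @"$srv" | dig_status)  # hide-identity in effect?
    verdict "$root" "$ver" "$host"
}

if [ -n "${1:-}" ]; then
    check_resolver "$1"
fi
```

Run it once from the server itself (against 127.0.0.1) and once from outside, since the pf rules only matter for the second case.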


I have not yet added my server to the official list; I'm using it on all my devices first to see whether there are any capacity issues. It's possible to add zones to OpenNIC after having administered a server for 3 months, so obviously, after the .gopher zone, we need a .gemini zone :)


As usual, if you notice errors or possible improvements, or have questions, don't hesitate to contact me via any channel listed in:


```shell
$ finger julien@typed-hole.org
```




---

Served by Pollux Gemini Server.
