The other day there was a lively conversation on the circumlunar.space BBS
about .org being acquired by some private equity firm. Solderpunk and
Sloum mentioned some alternative DNS services and OpenNIC. I recall
having heard of OpenNIC in the past but had totally forgotten about it. They
do provide a .gopher TLD, so I should have known better :)
I love the idea of getting rid of all those TLD racketeers, so I wanted
to help OpenNIC a bit by adding a tier 2 DNS server of my own.
Here is the setup I used.
First I opted for an OpenBSD server; it is the most robust and simple
OS I know, and I just love it. So I headed to vultr.com, which does
provide OpenBSD images for their VPC instances. Since I'm in Paris I
chose the datacenter here and opted for an OpenBSD 6.6 image.
After the machine booted I updated the system with:
```shell
$ doas syspatch
```
and rebooted it.
unbound is a DNS server that is part of the OpenBSD base installation,
at least on Vultr, so we'll use it. First we need to edit the unbound
config:
```/var/unbound/etc/unbound.conf
server:
    interface: 0.0.0.0
    interface: ::0
    do-ip6: yes
    do-tcp: yes
    do-udp: yes

    # open resolver on purpose (it is a public tier 2 server); the
    # rate limits below are what keep it from being abused for
    # reflection/amplification
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    log-queries: no             # no per-query logging, see below
    unwanted-reply-threshold: 10000

    # OpenNIC root servers instead of the ICANN ones
    root-hints: "/var/unbound/etc/opennic.cache"

    ip-ratelimit-factor: 0
    ip-ratelimit: 20
    ratelimit-below-domain: gov 30
    ratelimit: 100

    num-threads: 1
    infra-cache-slabs: 1
    key-cache-slabs: 1
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    key-cache-size: 8m          # default 4m
    msg-cache-size: 8m          # default 4m
    neg-cache-size: 8m          # default 1m
    rrset-cache-size: 16m       # rrset=msg*2 # default 4m
    outgoing-range: 8192
    num-queries-per-thread: 4096    # outgoing-range/2

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock
```
Logging is disabled on purpose: I don't want to see what others are
looking up, and it saves drive space.
You may have noticed the root-hints line: we need to fetch the latest
OpenNIC root hints with dig and point our DNS server at them. To do
that, add a line to root's crontab that refreshes the hints once a
month, on the 5th.
```crontab -e
# refresh the OpenNIC root hints, then reload unbound so it actually reads them (they are only loaded at start/reload)
0 0 5 * * /usr/sbin/dig . NS @75.127.96.89 > /var/unbound/etc/opennic.cache && unbound-control reload
```
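A plain "dig > file" truncates the hints file even when the lookup fails, so one bad run leaves unbound with no root servers at its next reload. The following wrapper, an added example that is not part of the original post, validates what dig returned before it replaces the live file; the path and OpenNIC server IP are the post's, the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: refresh the OpenNIC root hints
# the way the cron line does, but validate dig's output before it replaces
# the live hints file, so a failed lookup keeps the previous good copy.
# Path and server IP come from the post; the function names are mine.

HINTS_FILE="${HINTS_FILE:-/var/unbound/etc/opennic.cache}"
OPENNIC_SERVER="${OPENNIC_SERVER:-75.127.96.89}"

# Succeed only if file $1 looks like usable root hints in dig/zone format:
# at least one NS record for "." and at least one A/AAAA glue record,
# which is what unbound needs to reach a root server at all.
validate_hints() {
    [ -s "$1" ] || return 1
    ns=$(awk '$1 == "." && $4 == "NS" { n++ } END { print n + 0 }' "$1")
    glue=$(awk '($4 == "A" || $4 == "AAAA") { n++ } END { print n + 0 }' "$1")
    [ "$ns" -ge 1 ] && [ "$glue" -ge 1 ]
}

# Move candidate file $1 into place only if it validates; mv is atomic on
# the same filesystem, so unbound never sees a half-written file.
install_hints() {
    validate_hints "$1" || return 1
    mv "$1" "$HINTS_FILE"
}

# Fetch, validate, install, then reload unbound (the post enables
# remote-control on a unix socket, so unbound-control needs no certs).
refresh_hints() {
    tmp=$(mktemp "${HINTS_FILE}.XXXXXX") || return 1
    if /usr/sbin/dig . NS "@$OPENNIC_SERVER" > "$tmp" && install_hints "$tmp"; then
        unbound-control reload
    else
        rm -f "$tmp"
        echo "opennic hints refresh failed, keeping previous $HINTS_FILE" >&2
        return 1
    fi
}

# Cron entry for the 5th of each month: 0 0 5 * * /path/to/this.sh run
case "${1:-}" in
    run) refresh_hints ;;
esac
```

Run it once by hand with `run` as the argument before trusting it to cron; a validation failure leaves the old hints file untouched and exits non-zero.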
and enable and start unbound with:
```shell
$ doas rcctl enable unbound
$ doas rcctl start unbound
```
Let's add some firewall rules for a bit of extra security.
```/etc/pf.conf
tcp_services="{ ssh, domain }"
udp_services="{ domain }"

set skip on lo

# default deny inbound, allow anything the server itself initiates
block all
pass out all

# allow ping, plus the ICMPv6 messages IPv6 needs to work at all
# (neighbor discovery and router advertisements), since unbound listens on ::0
pass in on egress inet proto icmp all icmp-type 8 code 0
pass in on egress inet6 proto icmp6 all icmp6-type { echoreq, routeradv, neighbrsol, neighbradv }

# DNS over TCP and UDP, and ssh
pass in proto tcp to any port $tcp_services keep state
pass in proto udp to any port $udp_services keep state
```
And reload pf to take our changes into account:
```shell
$ doas pfctl -f /etc/pf.conf
```
That's it: you should now have a nice tier 2 OpenNIC DNS server up and
running! You can test that it works on
I have not yet added my server to the official list; I'm using it on
all my devices first to see if there are any capacity issues. It's
possible to add zones to OpenNIC after having administered a server
for 3 months, so obviously after the .gopher zone, we need a .gemini
zone :)
As usual, if you notice errors or possible improvements, or have
questions, don't hesitate to contact me via any channel listed in
```shell
$ finger julien@typed-hole.org
```
---
Served by Pollux Gemini Server.