When considering whether to set up a public tier-2 server for the OpenNIC project, please keep the following points in mind:
- Your server and network equipment, including your internet connection, must be reliable.
- You will personally need to monitor your equipment and be willing to quickly resolve any failures. This includes having the knowledge to troubleshoot both hardware and software failures.
- When your service becomes unavailable from the internet for more than two hours, you will receive an automated email warning. Please do not ignore these emails -- you will only receive them when there is a problem.
- Many tier-2 servers will experience DDoS attacks. Other operators will do what they can to provide assistance; ultimately, however, it is your responsibility to ensure that your own servers do not participate in man-in-the-middle or amplification attacks. You do not want to become part of an attack!
- Various attacks will use up a lot of bandwidth. If your provider places data caps on your monthly internet usage, you will want to reconsider having a public service. Every attack is different, so no predictions can be made about what your data usage will be each month. As an example, however, while writing this page I am currently weathering an attack which has lasted more than ten days and sent over 300 GB of data to my firewall. If you wish to run a public service, be prepared for the worst!
Consider using the BIND root-hints method if you want:
- Easy configuration
- No local maintenance required
Consider using the BIND slaved zone method if you want:
- Local redundancy of zone files
- A minimal number of queries sent to other servers
- No reliance on other OpenNIC servers for resolving OpenNIC domains
- Support for a special case where you want to resolve OpenNIC domains but also need to resolve local network entries
Consider using the BIND automated method if you want:
- All the advantages of slaved zones
- No manual updates required
For those who prefer DJBDNS, please refer to the DJBDNS guide.
For those who prefer Unbound, please refer to the Unbound guide.
For Windows server users, please select from your version:
- This guide will help you configure BIND logging.
- If you prefer anonymity for your users, this page will help you obfuscate your log files.
- Please be sure to visit the tier-2 security and the OpenNIC mailing lists for information on how you can protect your server from various forms of attack.
There is not much to running an OpenNIC Tier2 server. Once you have it configured, the AuditingWG will monitor it and let you know via email if anything goes wrong along the way. You can also expect to use a few gigabytes of bandwidth each month for DNS traffic; this varies depending on how much your DNS server is used.