OpenNIC and ICANN domains.
Recommended minimum system:
- Linux: Single cpu, 512MB of ram, 4GB HDD
When considering if you wish to set up a public tier-2 server for the OpenNIC project, please keep the following points in mind:
- Your server and network equipment, including your internet connection, must be reliable.
- Typical bandwidth usage may only be a few-hundred MB/month, but a DDoS attack can easily put you into hundreds of gigabytes in a few days!
- You will personally need to monitor your equipment and be willing to quickly resolve any failures. This includes having the knowledge to troubleshoot both hardware and software failures
- When your service becomes unavailable from the internet for more than two hours, you will receive an automated email warning. Please do not ignore these emails -- you will only receive them when there is a problem.
- Tier-2 servers will experience DDoS attacks. Please be sure to visit the Tier2Security page for information on how to mitigate these attacks. Other members will do what they can to provide assistance, however ultimately it is your responsibility to ensure that your own servers do not participate in man-in-the-middle or amplification attacks. You do not want to become part of an attack!
- Various attacks will use up a lot of bandwidth. If your provider places data caps on your monthly internet usage, you may want to reconsider having a public service. Every attack is different, so no predictions can be on what your data usage will be each month -- however as an example, attacks can continue for several months and have been known to blast up to 20Mb/s of queries to an individual server. If you wish to run a public service, be prepared for the worst!
Consider using the BIND root-hints method if you want:
- Easy configuration
- No local maintenance required
Consider using the BIND slaved zone method if you want:
- Local redundancy of zone files
- Minimize the number of queries sent to other servers
- No reliance on other OpenNic servers for resolving OpenNic domains
- Have a special case where you want to resolve OpenNic domains but also need to resolve local network entries
Consider using the BIND automated method if you want:
- All the advantages of slaved zones
- Minimal work required to keep up with current updates
Tier2Config-Script by Alejandro Marquez (since 2015-10-09 the host needed for this method is down)
opennicZoneScript by Jeff Taylor (This procedure and script no longer work)
For those who prefer DJBDNS, please refer to the DJBDNS guide.
For those who prefer Unbound, please refer to the Unbound guide.
For Debian OS users, AlejandroMarquez has contributed this set of scripts. (since 2015-10-09 the host needed for this method is down)
For Windows server users, please select from your version:
- Windows 2016 (Recommended Setup! Slave Zone Method)
- Windows 2012 (Root-Hint Method)
- Windows 2008 (Root-Hint Method)
- Windows 2000 (Depreciated!)
- This guide will help you configure BIND logging.
- If you prefer anonymity for your users, this page will help you obfuscate your log files.
- Please be sure to visit the tier-2 security and the OpenNIC mailing lists for information on how you can protect your server from various forms of attack.
There is not much to running a OpenNIC Tier2 server. Once you have it configured, the AuditingWG will monitor it, and let you know via email if anything goes wrong along the way. You can also expect to use a few gig of bandwidth each month of DNS traffic; this varies on how much your DNS server is used.