NS service

1. About

The Domain Name System (DNS) is the naming system used to identify computers reachable through the network. It maps human-friendly domain names to the numerical IP addresses computers need to locate each other.

Note: The NS service consists of authoritative nameservers only; for recursive resolvers see the DNS service instead.

2. Systems

2.1 Frontend

Always use the frontend DNS record ns.bfh.info (2a07:6b40::20, listed below).

2.2 Backend

Never use the backend nodes directly:

  • the backend may change without notice at any time (IP addresses, DNS records, configuration, etc.)
  • the backend has no legacy support or grace periods; changes take effect immediately
  • backend nodes can be rebooted without notice at any time
  • backend access will soon be restricted

node1.ns.bfh.info 2a07:6b40::21
node2.ns.bfh.info 2a07:6b40::22
node3.ns.bfh.info 2a07:6b40::23
node4.ns.bfh.info 2a07:6b40::24
ns.bfh.info 2a07:6b40::20
node1.proxy.ns.bfh.info 2a07:6b40::26
node2.proxy.ns.bfh.info 2a07:6b40::27
node3.proxy.ns.bfh.info 2a07:6b40::28
node4.proxy.ns.bfh.info 2a07:6b40::29
ns-static.bfh.info 2a07:6b40::100
node1.ns-static.bfh.info 2a07:6b40::101
node2.ns-static.bfh.info 2a07:6b40::102
ns-dynamic.bfh.info 2a07:6b40::110
node1.ns-dynamic.bfh.info 2a07:6b40::111
node2.ns-dynamic.bfh.info 2a07:6b40::112

3. Features

3.1 Protocols

  • DNS (UDP/TCP) on port 53 (frontend and backends)

  • DNS over TLS on port 853 (frontend only)

  • DNS over HTTPS on port 443 (frontend only)

3.2 ACLs

  • queries are accepted from everywhere

  • zone transfers for all local zones are accepted from 2a07:6b40::/29 only; every other source gets a negative answer (denied, not silently dropped)

  • DDNS is accepted from dhcp.bfh.info nodes and Microsoft Active Directory

3.3 TTL, Cache

  • global TTL of 1m for all zones

  • queries to the frontend are not cached on purpose: queries for own zones are forwarded directly to the authoritative NS backends

3.4 Forwarding

  • the frontend picks the authoritative backend per query with a least-outstanding policy (the backend with the fewest queries still in flight)

3.5 Details

  • both frontend and backends use SO_REUSEADDR and SO_REUSEPORT (several worker processes can bind port 53 at the same time)

  • the DNS cookie secret is rotated every 24h; queries with a bad cookie are not slipped, i.e. every one of them is answered (to be revisited once RRL is enabled)

4. Operations

4.1 Clear all zones on NS secondaries

    ssh node1.ns.bfh.info sudo knot-zones-reset
    ssh node2.ns.bfh.info sudo knot-zones-reset
    ssh node3.ns.bfh.info sudo knot-zones-reset
    ssh node4.ns.bfh.info sudo knot-zones-reset
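After a reset the secondaries have to re-fetch every zone, so a quick way to confirm that all four nodes are back in sync is to compare the SOA serial they serve with the one the frontend serves. The script below is an added example, not part of this page or of the BFH tooling; it assumes kdig from knot-dnsutils is installed, uses the node names from section 2.2, and treats a node that does not answer within 3 seconds (still reloading) as "none".

```shell
#!/bin/sh
# Added example (not part of this page): after knot-zones-reset, confirm that every
# backend node serves the same SOA serial for a zone as the frontend ns.bfh.info.
# Assumption: kdig (knot-dnsutils) is installed; ZONE/NODES can be overridden via env.

ZONE="${ZONE:-bfh.info}"
NODES="${NODES:-ns.bfh.info node1.ns.bfh.info node2.ns.bfh.info node3.ns.bfh.info node4.ns.bfh.info}"

# serial_from_soa LINE: print the serial (third field) of a "kdig +short SOA" answer line,
#   ns.bfh.info. hostmaster.bfh.info. 2024010101 3600 900 1209600 60
# or "none" when the line is empty or is not a seven-field SOA rdata line.
serial_from_soa() {
    set -- $1
    if [ "$#" -eq 7 ]; then printf '%s\n' "$3"; else echo none; fi
}

# all_same WORDS...: succeed only when every argument is identical and none is "none".
all_same() {
    first="$1"
    [ "$first" != none ] || return 1
    for w in "$@"; do
        [ "$w" = "$first" ] || return 1
    done
    return 0
}

# serial_of NODE: query one server directly; retries are off so a node that is still
# reloading after the reset shows up as "none" instead of stalling the loop.
serial_of() {
    serial_from_soa "$(kdig +short +retry=0 +timeout=3 "@$1" SOA "$ZONE" 2>/dev/null)"
}

main() {
    serials=""
    for node in $NODES; do
        s=$(serial_of "$node")
        echo "$node: $s"
        serials="$serials $s"
    done
    if all_same $serials; then
        echo "all nodes agree on serial"
    else
        echo "serial mismatch, wait for the reload to finish and re-run" >&2
        return 1
    fi
}

# Run only when executed as ns-serials.sh, not when sourced for its functions.
case "${0##*/}" in ns-serials.sh) main ;; esac
```

Save as ns-serials.sh and run it from the BFH network; ZONE=example.bfh.info ./ns-serials.sh checks another zone. The frontend is included as the reference serial, so a mismatch also shows when the frontend still forwards to a node that has not finished reloading.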

4.2 Usage

4.2.1 Show all zones on nameserver (catalog zone)

    # zone transfers are accepted from 2a07:6b40::/29 (BFH internal network) only
    kdig @ns.bfh.info AXFR catalog

4.2.2 Show all records within zone (zone transfer)

    # zone transfers are accepted from 2a07:6b40::/29 (BFH internal network) only
    kdig @ns.bfh.info AXFR bfh.info

4.2.3 Show specific records within zone (record query)

    kdig @ns.bfh.info AAAA web.bfh.info
    kdig @ns.bfh.info A web.bfh.info
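The commands above cover plain DNS only. The script below is an added example, not part of this page or of the BFH setup, that probes the features listed in section 3 from the outside: record queries over UDP, TCP, DoT (853) and DoH (443), an AXFR attempt that must be denied with an answer rather than dropped, and a handful of bad-cookie queries that must all be answered. It assumes kdig from knot-dnsutils built with TLS and HTTPS support, and that the host running it sits outside 2a07:6b40::/29 (otherwise the AXFR is legitimately allowed).

```shell
#!/bin/sh
# Added example (not part of this page): external checks of the NS frontend with kdig.
# Assumptions: kdig (knot-dnsutils, with +tls and +https support) is installed, and the
# probing host is outside 2a07:6b40::/29 so that the AXFR check expects a denial.
# FRONTEND/ZONE/NAME can be overridden via the environment.

FRONTEND="${FRONTEND:-ns.bfh.info}"
ZONE="${ZONE:-bfh.info}"
NAME="${NAME:-web.bfh.info}"

# rcode_of OUTPUT: print the rcode from a kdig (or dig) header line such as
#   ;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 4711
# and TIMEOUT when no header line is present (query dropped or server unreachable).
rcode_of() {
    status=$(printf '%s\n' "$1" \
        | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\)[;,].*/\1/p' | head -n 1)
    printf '%s\n' "${status:-TIMEOUT}"
}

# xfr_verdict RCODE: interpret the rcode of an AXFR attempt against the ACL policy
# "accepted only from 2a07:6b40::/29, everything else is denied, not dropped".
xfr_verdict() {
    case "$1" in
        NOERROR)         echo allowed ;;        # only acceptable from inside the /29
        REFUSED|NOTAUTH) echo denied ;;         # denied with an answer: documented behaviour
        TIMEOUT)         echo dropped ;;        # silently dropped: violates "denied, not dropped"
        *)               echo "unexpected:$1" ;;
    esac
}

# probe TRANSPORT RRTYPE NAME: one query over udp, tcp, dot (port 853) or doh (port 443)
# and print its rcode. +retry=0 +timeout=3 keep a dropped query from hanging the run.
probe() {
    transport="$1"; rrtype="$2"; qname="$3"
    case "$transport" in
        udp) flags="" ;;
        tcp) flags="+tcp" ;;
        dot) flags="+tls" ;;
        doh) flags="+https" ;;
        *)   echo "unknown transport: $transport" >&2; return 2 ;;
    esac
    out=$(kdig $flags +retry=0 +timeout=3 "@$FRONTEND" "$rrtype" "$qname" 2>&1)
    rcode_of "$out"
}

# badcookie_answered N: send N queries carrying a bogus client+server cookie (constructed
# value) and count how many were answered at all. Bad cookies are not slipped, so all N
# should get an answer (BADCOOKIE from the authoritative side) rather than a timeout.
badcookie_answered() {
    n="$1"; i=0; answered=0
    while [ "$i" -lt "$n" ]; do
        out=$(kdig +retry=0 +timeout=3 +cookie=0102030405060708ffffffffffffffff \
              "@$FRONTEND" A "$NAME" 2>&1)
        [ "$(rcode_of "$out")" != TIMEOUT ] && answered=$((answered + 1))
        i=$((i + 1))
    done
    echo "$answered"
}

main() {
    fail=0
    for t in udp tcp dot doh; do
        rc=$(probe "$t" AAAA "$NAME")
        echo "$t/$NAME: $rc"
        [ "$rc" = NOERROR ] || fail=1
    done
    out=$(kdig +retry=0 +timeout=5 "@$FRONTEND" AXFR "$ZONE" 2>&1)
    verdict=$(xfr_verdict "$(rcode_of "$out")")
    echo "AXFR $ZONE from outside: $verdict"
    [ "$verdict" = denied ] || fail=1
    got=$(badcookie_answered 5)
    echo "bad-cookie queries answered: $got/5"
    [ "$got" -eq 5 ] || fail=1
    return "$fail"
}

# Run only when executed as ns-check.sh, not when sourced for its functions.
case "${0##*/}" in ns-check.sh) main ;; esac
```

Save as ns-check.sh and run it from a host outside the /29; the exit status is non-zero when any transport fails, when the AXFR times out instead of being denied, or when fewer than five bad-cookie queries were answered. Run from inside the /29 the AXFR line reports "allowed", which is the expected result there.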

5. Backlog


  • set up node{5,6}.ns.bfh.info again (carrying all zones)

  • cleanup all zone data

  • review all zone authority

  • complete all reverse zones, use auto-reverse where applicable

  • verify zone inventory (autodns.com): all domains should have an active zone (automatic via API)

  • run zone checks in parallel

  • skip empty dynamic zones

  • lock deployment during a triggered run

  • verify/review HA-setup of the primaries

  • add server-side zone checks via git hooks

  • add client-side zone checks via pre-commit

  • allow Microsoft Active Directory to write its zones

  • provide static seeds for Microsoft Active Directory zones


  • regenerate containers with Debian 12

  • upgrade to current knot/dnsdist

  • autoincrement serial on ns-static.bfh.info

  • move the dnsdist web frontend behind Apache with LDAP authentication

  • restrict backend subnet access to the frontend and management networks only

  • verify if enabling auto_reverse (#576) on primaries is a good idea

  • static rate limiting

  • document and cleanup zone inventory (autodns.com), enable users and MFA


  • split user zones off to ns*.bfh.science

  • enable DNSSEC

  • anycast ns.bfh.info

  • set up a test environment

  • run benchmarks

6. Known issues

  • no known issues