Add OpenNIC DNS Servers


#1

I’d love to see OpenNIC servers added to the default list; it’s been around since 2000 and it’s relatively popular among privacy-minded techies :wink:

There are a lot of DNS servers available since it’s a community project, but I think it’d make the most sense to add the main Anycast servers:

  • 185.121.177.177 2a05:dfc7:5::53
  • 169.239.202.202 2a05:dfc7:5353::53

Edit: see my post below.

More info at https://www.opennic.org/


#2

#3

I did see that post, and I think we reasonably meet all the requirements.

The two servers I mentioned do technically log, in the sense that they cache queries and responses in a Redis database for performance across all nodes, but that seems like a reasonable limitation and all logs are anonymized (no user data retained).

We also have DNSSEC, but not using the default trust anchors (like I mentioned in my other post).

I really don’t think these are major issues (especially if you’d be willing to work with us on DNSSEC), since it’s essentially impossible to find a DNS server that doesn’t log in some form (caching). If they are, let me know, and I’ll see if we can work something out.

I personally think it’d be beneficial for you to start endorsing open-source services with aligned values vs servers from the likes of Google, OpenDNS, etc.
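As an added example (not code from this thread, from OpenNIC or from the project being asked), here is the kind of check a maintainer could run before listing a resolver as "supports DNSSEC": send a query with the EDNS0 DO bit set for a name that is correctly signed and for a name whose signatures are deliberately broken, then look at the AD flag and RCODE in the two responses. A validating resolver sets AD on the good answer and returns SERVFAIL for the bogus one; a non-validating one returns NOERROR with AD clear for both. The sample responses in the block are constructed header-only messages so the classification runs offline; `resolver_addr`, `valid_name` and `bogus_name` in `probe()` are placeholders the operator supplies.

```python
"""Check whether a recursive resolver performs DNSSEC validation.

Added example; not code from this thread or from OpenNIC.  Builds a wire-format
query with the EDNS0 DO bit set and decodes the response header so the AD flag
and RCODE can be inspected.  The sample responses below are constructed
header-only messages for an offline demonstration, not captures from any
real resolver.
"""
import socket
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR (RFC 6891)
DO_FLAG = 0x8000     # "DNSSEC OK" bit, carried in the OPT RR's TTL field
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(qname: str, qid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Return a query for <qname> A/IN with RD set and, optionally, an OPT RR with DO."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    if not dnssec_ok:
        return header + question
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def parse_response_flags(msg: bytes, expected_id=None) -> dict:
    """Decode the 12-byte header; raise on truncation, a non-response, or an ID mismatch."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags = struct.unpack("!HH", msg[:4])
    if expected_id is not None and qid != expected_id:
        raise ValueError(f"transaction id mismatch: {qid:#x} != {expected_id:#x}")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {"id": qid, "ad": bool(flags & FLAG_AD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F}


def classify(valid_resp: bytes, bogus_resp: bytes) -> str:
    """Turn the responses for a correctly signed name and for a deliberately
    broken name into a verdict about the resolver."""
    v = parse_response_flags(valid_resp)
    b = parse_response_flags(bogus_resp)
    if v["ad"] and b["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if not v["ad"] and b["rcode"] == RCODE_NOERROR:
        return "not validating"
    return "inconsistent"   # e.g. AD set on good data but bogus data still served


def probe(resolver_addr: str, valid_name: str, bogus_name: str, timeout: float = 3.0) -> str:
    """Network version of classify(); all three arguments are operator-supplied placeholders."""
    def ask(name, qid):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (resolver_addr, 53))
            data, _ = s.recvfrom(4096)
        parse_response_flags(data, expected_id=qid)   # reject replies for a different query
        return data
    return classify(ask(valid_name, 0x0001), ask(bogus_name, 0x0002))


def _header(flags: int, qid: int = 0x1234) -> bytes:
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 1)

# Constructed header-only responses (not captured from any real resolver):
VALIDATING_OK = _header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)             # NOERROR, AD=1
VALIDATING_BOGUS = _header(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)   # SERVFAIL, AD=0
NONVALIDATING_OK = _header(FLAG_QR | FLAG_RD | FLAG_RA)                    # NOERROR, AD=0
NONVALIDATING_BOGUS = NONVALIDATING_OK                                     # bogus data served anyway

if __name__ == "__main__":
    print("validating sample:", classify(VALIDATING_OK, VALIDATING_BOGUS))
    print("non-validating sample:", classify(NONVALIDATING_OK, NONVALIDATING_BOGUS))
```

The AD flag alone is not enough on its own: a resolver can forward AD from upstream without validating, which is why the bogus-name case is checked too, and why `probe()` discards any reply whose transaction ID does not match the query it sent.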


#4

It’s come to my attention that the two servers operated by Fusl I mentioned above don’t seem to always validate DNSSEC queries properly.

You’re welcome to use the unlisted Tier 2 servers (OpenNIC DNS resolvers) I use for backend work across a lot of my OpenNIC related services (including Tier 1 operation) if you wish to add OpenNIC to your default options:

  • 138.197.153.165 / 2604:a880:cad:d0::9a7:1
  • 159.203.64.84 / 2604:a880:800:a1::1180:a001

These servers don’t log in any way and fully support DNSSEC with the following trust-anchor configuration:

root@nyc1:~# cat /etc/dnsmasq.d/02-trustanchor.conf
trust-anchor=.,33750,8,2,ced6135102155c7a9c8a99945068ee0dcc21e2f70a5046b4e50ae98ad3ba9de2
trust-anchor=.,47089,8,2,6d81988a88bd546e429486cc0a97518f90f9fc6c6c6b7e5bc2788469858c7324

FWIW, I’m not just some random server operator, I run two of the ten root DNS servers for OpenNIC, a few DNS resolvers (including a primary anycast server and a newly created public Pi-hole instance), and some main organizational infrastructure including our homepage. Feel free to reply/PM me here if you have any questions/concerns.
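As an added example (not code from this thread or from OpenNIC), the following parses dnsmasq `trust-anchor=` lines like the two quoted above and sanity-checks them: each line must have a zone, key tag, algorithm, digest type and a hex digest whose length matches the digest type (40 hex chars for SHA-1, 64 for SHA-256, 96 for SHA-384). It then reports whether the root-zone anchors are the IANA-published root KSKs (key tags 19036 for KSK-2010 and 20326 for KSK-2017, public values) or, as here, anchors for an alternative root. The sample input reuses the two lines from the post; the "IANA-style" line is a constructed example with a placeholder digest, not the real one.

```python
"""Parse and sanity-check dnsmasq `trust-anchor=` lines.

Added example; not code from this thread or from OpenNIC.  Digest lengths
follow RFC 4034 (SHA-1), RFC 4509 (SHA-256) and RFC 6605 (SHA-384).  The IANA
root KSK key tags are public values; a matching tag only says which root a
config is pinned to, it does not prove the digest itself is correct.
"""
import re
from dataclasses import dataclass
from typing import List

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}        # digest type -> expected hex length
IANA_ROOT_KSK_TAGS = {19036, 20326}             # KSK-2010 (revoked 2019), KSK-2017


@dataclass(frozen=True)
class TrustAnchor:
    zone: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_trust_anchor_line(line: str) -> TrustAnchor:
    """dnsmasq syntax: trust-anchor=[<class>,]<zone>,<key-tag>,<algorithm>,<digest-type>,<digest>"""
    body = line.strip()
    if not body.startswith("trust-anchor="):
        raise ValueError(f"not a trust-anchor line: {line!r}")
    fields = [f.strip() for f in body[len("trust-anchor="):].split(",")]
    if len(fields) == 6:                        # optional leading class, e.g. IN
        fields = fields[1:]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    zone, tag_s, alg_s, dtype_s, digest = fields
    tag, alg, dtype = int(tag_s), int(alg_s), int(dtype_s)
    if not 0 <= tag <= 0xFFFF:
        raise ValueError(f"key tag out of range: {tag}")
    expected = DIGEST_HEX_LEN.get(dtype)
    if expected is None:
        raise ValueError(f"unknown digest type {dtype}")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest) or len(digest) != expected:
        raise ValueError(f"digest type {dtype} needs {expected} hex chars: {digest!r}")
    return TrustAnchor(zone, tag, alg, dtype, digest.lower())


def parse_config(text: str) -> List[TrustAnchor]:
    """Collect every trust-anchor line; '#' starts a comment, other directives are ignored."""
    anchors = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("trust-anchor="):
            anchors.append(parse_trust_anchor_line(line))
    return anchors


def classify_root_anchors(anchors) -> str:
    """Say which root the config's '.' anchors belong to."""
    root_tags = {a.key_tag for a in anchors if a.zone == "."}
    if not root_tags:
        return "no root anchor"
    if root_tags <= IANA_ROOT_KSK_TAGS:
        return "iana root"
    if root_tags & IANA_ROOT_KSK_TAGS:
        return "mixed"
    return "alternative root"


# Sample input: the two lines quoted in the post above.
SAMPLE_CONFIG = """\
trust-anchor=.,33750,8,2,ced6135102155c7a9c8a99945068ee0dcc21e2f70a5046b4e50ae98ad3ba9de2
trust-anchor=.,47089,8,2,6d81988a88bd546e429486cc0a97518f90f9fc6c6c6b7e5bc2788469858c7324
"""

# Constructed IANA-style line: real KSK-2017 key tag, PLACEHOLDER digest (all zeros).
IANA_STYLE_CONFIG = "trust-anchor=.,20326,8,2," + "0" * 64 + "\n"

if __name__ == "__main__":
    for a in parse_config(SAMPLE_CONFIG):
        print(a)
    print("sample config:", classify_root_anchors(parse_config(SAMPLE_CONFIG)))
    print("IANA-style config:", classify_root_anchors(parse_config(IANA_STYLE_CONFIG)))
```

For an operator deciding whether to list such a resolver, "alternative root" is the expected answer for OpenNIC and is exactly the point made in post #3: the resolver validates, but against a different trust anchor than the one a stock client ships with, so a client that pins the ICANN root anchors will not agree with it.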