Category: Network

Posts dealing with changes to how we route packets and configure our network.

Changes to our routing stack!

We have reached a point where our name servers are working well enough for daily use that we feel like we can cut down on some of the duplicate functionality in our routing stack. At present, each router in our stack is running its own instance of Unbound for client DNS and this leads to a bunch of duplication that is probably not needed and just adds to our hypervisor’s workload.

Starting around 1000EST today, we will be turning off each router’s Unbound instance and will be updating profiles to point their DNS at our two name servers. If you are an end user or project member and you notice that DNS functions stop working, you should update your connection profiles to point their DNS at the following addresses:

  • 204.12.237.197
  • 173.208.212.205
  • 2604:4300:f03:c1::2
  • 2604:4300:a:6e::5

For our WireGuard users, this most likely means replacing the line “DNS = 2604:4300:f03:XX::1, 10.0.XX.1” with the line “DNS = 2604:4300:f03:c1::2, 2604:4300:a:6e::5” to retain DNS functions after today. We know that our DNS changes have been a moving target for our project and our users, but this should wrap things up on that front.

Registrar migration completed!

Around 0030EST last night, we received emails stating that the domain “marbledfennec.net” had been transferred over to Porkbun after a very stressful waiting period in which our domain was not working correctly and was even offline to various parts of the web.

As of 1245EST, we have our name servers fixed including DNSSEC. Everything should be working properly now and we should be back online.

Updated DNS blocklist…

Around 1430EST today, our team started noticing that some of the DNS requests coming in were for odd-looking domains within the zones that the OpenNIC project controls. In an effort not to aid botnets, malware and other unwanted internet asbestos, we use iptables to block requests from ever reaching our DNS servers when our team’s research finds a domain questionable or worrisome.
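The post does not say how the iptables rules are built, so the following is an added example, not the project’s own tooling: it assumes the block is done with the iptables `string` match on UDP/53 packets, which needs the domain in DNS wire format (length byte before each label, zero byte at the end). The helper only emits the rule text; nothing is applied.

```shell
#!/bin/sh
# Added example (assumption: filtering is done with iptables' xt_string match).
# Convert a domain name to the hex-string pattern iptables expects:
#   "example.com" -> "|07|example|03|com|00|"
# Bytes between '|' pairs are hex; text outside them is matched literally.
dns_wire_pattern() {
    # Lower-case the name and drop a trailing dot so "Example.COM." still works.
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    out=""
    oldifs=$IFS
    IFS=.
    for label in $name; do
        len=${#label}
        # An empty label (from "a..b") or one over 63 bytes is not a valid DNS name.
        if [ "$len" -eq 0 ] || [ "$len" -gt 63 ]; then
            IFS=$oldifs
            return 1
        fi
        out="${out}|$(printf '%02x' "$len")|${label}"
    done
    IFS=$oldifs
    printf '%s|00|' "$out"
}

# Emit (but do not run) the INPUT rule that drops UDP queries carrying the name.
# The pattern is a byte suffix, so queries for subdomains of the listed zone
# match too; --icase covers clients that randomise query case (0x20 encoding).
dns_block_rule() {
    pat=$(dns_wire_pattern "$1") || return 1
    printf "iptables -I INPUT -p udp --dport 53 -m string --algo bm --icase --hex-string '%s' -j DROP\n" "$pat"
}
```

Pipe the output into a root shell only after reviewing it; a DNS name that fails validation makes the helper return non-zero and print nothing.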

We will not post the blocked domains on our websites, to avoid getting tagged with those questionable domains. But if you are using our DNS servers, or are a project member or a network tenant, you are welcome to reach out to our support desk to obtain a list of the currently blocked domains.

Something to note:
Our team does not block weird-looking domains just because they seem odd. We only enact a block when we are able to verify that the domain in question is associated with malware or is otherwise unsafe. Verification is done by checking the domains and their associated IP addresses against multiple malware tracking labs and groups.

Still playing with DNS

While this should not affect routing at all, various services of ours might go offline and return later. We are still playing around with DNS and have moved to serving our domain using “dns.marbledfennec.net” as the primary and DeSec.io as our secondary name servers. As we learn more about the services we rely on and how to host them ourselves, we will be working on moving them in-house.

Update at 2pm:
At this time, our domain is using only our name servers to check and see if DNSSEC is working correctly on our end. Once verified, there will be another update.

Update at 10am:
Eventually this configuration will be duplicated on “dns2.marbledfennec.net” and then kept in sync with any zone changes automagically. For those who are curious, “dns.marbledfennec.net” and “dns2.marbledfennec.net” are really the servers “dns.fenfox.run” and “dns2.fenfox.run”.

The thing to remember about our project is that it is, and always will be, a place to learn on. This means a lot of our hosted machines and configurations are moving targets as our team learns from doing and managing.