Further work

+These rules are reasonably tight, you can tighten or relax them as desired. [Interconnected networks'](/Interconnections) IPv4 ranges are included as well, if you don't want then you can ignore that rule.

+# E-mail Providers

+

+# Echo test services

+ * If you have an E-Mail service and would like to test it's functionality, send an email to [zane_reick@dmail.dn42](mailto:zane_reik@dmail.dn42). You will get a response usually within a few hours.

+You are asked to show some creativity in terms of network usage and content ([ideas](/internal/Ideas)).

+ - [magnet:?xt=urn:btih:5fd2dd3688fdb31fe554b15ed65228f3db29a9f9](magnet:?xt=urn:btih:5fd2dd3688fdb31fe554b15ed65228f3db29a9f9&dn=ubuntu-24.04.3-live-server-amd64&tr=udp%3A%2F%2Ftracker.leziblog.dn42%3A11451&tr=https%3A%2F%2Ftracker.leziblog.dn42%2Fannounce&tr=http%3A%2F%2Ftracker.leziblog.dn42%2Fannounce)

+

+# Tor network

+

+## Bridges

+| Name | Bandwidth | Contact | Protocol | Fingerprint | Info |

+|------------------------|-----------|-----------------------|----------|------------------------------------------|------|

+| tor.napshome.dn42:8443 | 3000KB/s+ | bjackson@napshome.net | obfs4 | 71C924A772F69451FE97FE5A9025DEDDEF3DB664 | |

+| tor.napshome.dn42:9001 | 3000KB/s+ | bjackson@napshome.net | plain | 71C924A772F69451FE97FE5A9025DEDDEF3DB664 | |

+## Anycast

+## SOCKS Proxies

+## DNS Proxy - Tor Hidden Services

+| Domain |

+|:---------|

+| dn42.dev |

+| dn42.cc |

+| dn42.jp |

+

+# Distributed Wiki

+This wiki is mirrored by multiple operators across both the public internet and on dn42.

+Current operators providing the wiki service can be found on the page footer.

+## Hosting the wiki

+

+For hosting the wiki one will need to decide whether they desire to host a public internet mirror, join the wiki.dn42 anycast or both.

+The idea is to deploy mirrors across dn42 using [anycast](https://en.wikipedia.org/wiki/Anycast) addressing (BGP), thus providing redundancy, load-balancing and improved access times to the wiki.

+ - Wiki Software (choose one):

+ + [dn42-wiki-go](https://github.com/iedon/dn42-wiki-go) (Recommended)

+ + [wiki-ng](https://git.dn42.dev/wiki/wiki-ng)

+

+ - Other Software:

+ + [Git](https://en.wikipedia.org/wiki/Git_(software))

+

+The local webserver is to be monitored with a simple [shell script](/services/Distributed-Wiki#watchdog-script) working [in conjunction](/services/Distributed-Wiki/#exabgp) with [ExaBGP](https://github.com/Exa-Networks/exabgp), announcing/withdrawing the assigned route if the service is up/down.

+Nginx acts as a reverse proxy and handles the encryption.

+

+Site files are stored in a local [DVCS](https://en.wikipedia.org/wiki/Distributed_revision_control) repository (Git) on each node and replicated through a central server.

+Since the wiki is hosted on top of Git, it is not overly complicated to keep the local site in sync with others, each site only triggers periodic pulls/pushes from/to the Git server.

+ Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes. Also consider using dn42notifyd to get a callbacks instead.

+ - Generate an SSL certificate using the main Certificate authority using a method that supports anycasted IP addresses.

+

+## Setting up the wiki software

+See the documentation below for both gollum and dn42-wiki-go.

+

+

+## gollum

+

+ - Install [gollum](https://github.com/gollum/gollum)

+ - Start two gollum instances, read-only and read/write on `127.0.0.1`:

+

+ Read/write (SSL only):

+ ```

+ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>

+ ```

+ Read-only:

+ ```

+ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>

+ ```

+

+ Set `<path>` to the location where wiki Git repo was cloned.

+

+

+## dn42-wiki-go

+

+### Introduction

+

+[dn42-wiki-go](https://github.com/iedon/dn42-wiki-go) is a lightweight, Git-backed wiki engine designed for DN42. It is based on [wiki-ng](https://git.dn42.dev/wiki/wiki-ng), aims to replace the old Gollum-based DN42 distributed wiki.

+

+It can serve pages live through its built-in Go HTTP server or generate a fully static HTML export for external hosting. All content is stored in a Git repository, making it easy to replicate across nodes or run in disconnected environments.

+

+### Live Version

+- [https://wiki.dn42/](https://wiki.dn42/) (DN42 Access)

+- [https://dn42.jp/](https://dn42.jp/) (Clearnet)

+

+

+

+### Operating Modes

+

+You can run `dn42-wiki-go` in three different ways:

+

+1. **Run static build once then exit (`--build` or `live=false`)**

+ The App renders all Markdown files into HTML under outputDir and exits.

+ Best for setups where your own cron job handles Git sync and file publishing.

+

+2. **Live mode without reverse proxy (`live=true`)**

+ The built-in HTTP server directly serves pages, assets, and APIs.

+ Suitable for simple deployments.

+

+3. **Live mode behind a reverse proxy**

+ The reverse proxy (nginx, Caddy, HAProxy, etc.) serves the generated files, and only API endpoints are forwarded to the App.

+ See `config.example.json` for example configs and `nginx-vhost.conf` for a reverse-proxy reference.

+

+ **Recommended for production and anycast nodes**.

+

+### Features

+

+- Live mode with automatic Markdown rendering and scheduled Git pull/push.

+- Static mode for fully pre-built HTML exports.

+- Optional in-browser editor with commit metadata (author, message prefix, remote IP).

+- Webhook endpoints for remote pull/push triggers and optional polling integration(see `dn42notifyd`).

+- Themeable templates and bundled UI assets.

+- Designed for distributed, multi-node and anycast environments.

+

+### Quick Start

+

+Pre-built binaries are available in the [GitHub releases](https://github.com/iedon/dn42-wiki-go/releases).

+

+Please do not forget to clone the repository to copy `config.example.json`(to `config.json`) and the `template` folder. They should be put together in the same production directory.

+

+#### Manual Build

+

+1. Install Go 1.24+ and ensure the git executable is available in PATH.

+2. Copy the example config:

+ cp config.example.json config.json

+ Then edit the settings you need.

+3. Build for your platform (example: Linux amd64):

+ ```bash

+ export GOOS=linux

+ export GOARCH=amd64

+ ./build.sh

+ ```

+

+Determine which user is used to run `dn42-wiki-go`, then create `~/.gitconfig` for this user, which will be used by `git`.

+

+For example:

+

+```ini

+[user]

+ email = noreply@dn42.jp

+ name = IEDON.DN42 Wiki Mirror(116)

+```

+

+To create the isolated, low-privileged user `dn42-wiki-go`, you may run:

+```bash

+# This user cannot log in or get a shell.

+# This user has /opt/dn42-wiki-go as working directory.

+# No default home folder created automatically.

+sudo useradd -r -s /usr/sbin/nologin -d /opt/dn42-wiki-go -M dn42-wiki-go

+```

+

+Both systemd socket enabler and UNIX domain socket are supported, check example configuration files: `dn42-wiki-go.socket` and `dn42-wiki-go.service`.

+

+If you would like to use with Docker: `Dockerfile` and `docker-compose.yml` are also provided, bind proper directories and map `config.json` for the App to use, then you are all set.

+

+### Webhook Endpoints

+

+When `webhook.enabled` = true, the server exposes:

+

+- GET | POST /api/webhook/pull

+ Runs git pull and rebuilds the cached HTML.

+

+- GET | POST /api/webhook/push

+ Pushes local commits to the remote.

+

+If `webhook.secret` is set, requests must include an Authorization header that matches the secret.

+If `webhook.secret` is empty, a random secret will be generated on startup to secure the endpoint (used for polling).

+

+#### Polling Integration

+

+When `webhook.polling.enabled` = true, the server registers with a remote notify service and triggers `/api/webhook/pull` whenever a refresh completes.

+

+This is compatible with `dn42notifyd` and similar tools.

+

+### Configuration Reference

+

+All settings are provided through a JSON file. Below is a concise reference of all options.

+

+#### Runtime

+

+- `live` *(bool, default `false`)*:

+ true -> run HTTP server and render on demand.

+ false -> render once to outputDir and exit.

+

+- `editable` *(bool, default `false`)*:

+ Enables in-browser editing and write operations.

+

+- `listen` *(string, default `":8080"`)*:

+ TCP address (host:port) or UNIX socket (unix:/path).

+

+ Advanced: See example systemd files `dn42-wiki-go.socket` and `dn42-wiki-go.service` in the repository.

+

+- `baseUrl` *(string, optional)*:

+ URL prefix when hosting under a subdirectory.

+

+- `siteName` *(string, default `"DN42 Wiki Go"`)*:

+ Display name of the wiki.

+

+#### Git

+- `git.binPath` *(string, default `git`)*: Path to the Git executable.

+- `git.remote` *(string, default empty)*: Remote URL. Leave empty for standalone/local repositories.

+- `git.localDirectory` *(string, default `./repo`)*: Directory where the wiki repository is cloned or initialised.

+- `git.pullIntervalSec` *(int, default `3600`)*: Seconds between background `git pull` operations in live mode. Disabled if no remote is set.

+- `git.author` *(string, default `"Anonymous <anonymous@localhost>"`)*: Author string used for commits generated by the application.

+- `git.commitMessagePrefix` *(string, default empty)*: Optional prefix prepended verbatim to commit messages supplied by users.

+- `git.commitMessageAppendRemoteAddr` *(string, default empty)*: Optional suffix appended when a request carries a remote address. If the value contains `%s` it is treated as a `fmt` format string; otherwise it is concatenated.

+

+#### Webhook

+- `webhook.enabled` *(bool, default `false`)*: Expose webhook endpoints on the main HTTP server.

+- `webhook.secret` *(string, default empty)*: Shared secret expected in the `Authorization` header. If empty, a random secret is generated on startup.

+- `webhook.polling.enabled` *(bool, default `false`)*: Keep a registration active with the remote notification service and trigger periodic pulls.

+- `webhook.polling.endpoint` *(string, default empty)*: URL of the notification service (eg. Usage with [dn42notifyd](https://git.dn42.dev/dn42/dn42notifyd): `https://git.dn42/dn42notify/poll`).

+- `webhook.polling.callbackUrl` *(string, default empty)*: Public URL for `/api/webhook/pull`. Required when `webhook.polling.enabled` is `true`.

+- `webhook.polling.pollingIntervalSec` *(int, default `3600`)*: Seconds between refresh attempts. Must be positive when polling is enabled.

+- `webhook.polling.skipRemoteCert` *(bool, default `false`)*: Insecure: Skip TLS verification.

+

+#### Paths and templating

+- `outputDir` *(string, default `./dist`)*: Destination directory for static builds or asset exports.

+- `templateDir` *(string, default `./template`)*: Location of layout templates and static assets bundled into the server/UI.

+- `homeDoc` *(string, default `Home.md`)*: Repository document to treat as the home page. Normalised to a `.md` path relative to the repo root.

+- `privatePagesPrefix` *(array of strings, default empty)*: Request to routes started with these prefixes will be blocked.

+

+#### Layout and footer

+- `ignoreHeader` *(bool, default `false`)*: Skip loading `_Header.md` when `true`. Leave `false` to include the fragment when present.

+- `ignoreFooter` *(bool, default `false`)*: Skip `_Footer.md` when `true`; otherwise render it if available.

+- `serverFooter` *(string, default empty)*: Markdown snippet rendered into the global footer at runtime.

+

+#### TLS

+- `enableTLS` *(bool, default `false`)*: Serve HTTPS using the provided certificate and key.

+- `tlsCert` *(string)*: Path to the TLS certificate. Required only when `enableTLS` is true.

+- `tlsKey` *(string)*: Path to the TLS private key. Required when `enableTLS` is true.

+

+#### Logging and client IP handling

+- `logLevel` *(string, default `info`)*: Minimum log level (`debug`, `info`, `warn`, or `error`).

+- `trustedProxies` *(array of strings, default empty)*: CIDR blocks or literal IPs that are trusted to populate `X-Forwarded-For`.

+- `trustedRemoteAddrLevel` *(int, default `1`)*: Number of additional trusted hops to peel off when deriving the end-user IP from the forwarded chain. Values less than `1` are coerced to `1` during load.

+

+### Notes

+

+- live = true requires write access to the Git repo for local commits.

+- With no remote configured, `dn42-wiki-go` initializes a local-only repository.

+- Template changes require restarting the server or rebuilding static output.

+

+This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client))

+# Current DNS Architecture

+

+After frequent issues with the [Old Hierarchical DNS](/services/dns/historical/Old-Hierarchical-DNS) system in early 2018, work has started to build a new and more reliable DNS system. The main goals are:

+* Reliability and Consistency to avoid debugging very obscure issues that are also hard to reproduce.

+* Low maintenance burden on operators.

+* Proper DNSSEC support for everything.

+

+# End Users

+It is **strongly recommended** to run your own resolver for security and privacy reasons. Setting it up and maintaining it should be easy, see [services/dns/Configuration](/services/dns/Configuration).

+

+If running your own resolver is not possible or desirable, you can choose one or more instances from [dns/recursive-servers.dn42 in the registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42). Please make sure you fully understand the consequences and fully trust these operators.

+

+You can also use the globally anycasted a.recursive-servers.dn42 but you won't have any control over which instance you get. This is a **very bad idea** from a security standpoint.

+

+# Instances

+The new DNS system has two different components:

+* *.recursive-servers.dn42 and local resolvers responsible for handling queries from clients, validating DNSSEC and directing the queries at clearnet/dn42/ICVPN.

+* *.delegation-servers.dn42 and *.master.delegation-servers.dn42 are a normal master-slave setup for providing the few official infrastructural zones.

+

+## *.recursive-servers.dn42

+These are simple resolvers capable of resolving dn42 domains. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is also the global anycast a.recursive-servers.dn42 which includes some/all other instances. Whether an *.recursive-servers.dn42 can resolve clearnet queries or not is decided by its operator but all a.recursive-servers.dn42 instances MUST resolve clearnet queries correctly. It is explicitly not supported to use clearnet nservers for dn42 zones and dn42 nservers for clearnet zones.

+

+## *.delegation-servers.dn42

+These are simple authoritative servers for the dn42 zone, rDNS and a few DNS infrastructure zones. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is no anycast instance because that would make debugging much harder and *.recursive-servers.dn42 instances should do loadbalancing/failover across all instances listed in the registry.

+

+## *.master.delegation-servers.dn42

+These instances do not serve any clients. They poll the registry regularly and rebuild and resign (DNSSEC) the zones as needed. If any zone changes, all *.delegation-servers.dn42 instances are notified ([RFC1996](https://tools.ietf.org/html/rfc1996)) which then load the new zone data over AXFR ([RFC5936](https://tools.ietf.org/html/rfc5936)). The pool of masters is intentionally kept very small because of its much higher coordination needs and also the lacking support of a multi-master mode in many authoritative server implementations. The masters are only reachable over dedicated IPv6 assignments which are set up in a way that any master operator can hijack the address of a problematic master without having to wait for its operator to fix something.

+

+# Running your own instances

+* If you want to run your own instances, make sure you are subscribed to the [mailinglist](/contact). It is also strongly recommended to join #dn42-dns@hackint. All changes are announced to the mailinglist but IRC makes debugging sessions much easier.

+* Choose the implementation(s) you want to use. It should support at least AXFR+NOTIFY (*.delegation-servers.dn42) or DNSSEC (*.recursive-servers.dn42).

+* Check if [TODO](/TODO) already has configuration snippets for your implementation.

+ * If yes, download it from there and include it in the main configuration.

+ * If not, then join us in #dn42-dns@hackint so we can add it together.

+* Verify that everything works:

+ * For *.delegation-servers.dn42: Do an AXFR against all zones and compare with the result of an existing instance. The result should be identical.

+ * For *.recursive-servers.dn42: Query clearnet, dn42 and ICVPN domains including rDNS. Make sure that both signed and unsigned domains work properly.

+* (Optional) Choose your single letter name and ask in #dn42-dns@hackint to get it added to the registry. Once added to the list, you must implement changes announced to the mailinglist within a week (faster is obviously better) or you might get removed again. We try to keep maintenance work as low as possible but we can't do it without the cooperation of all operators!

+

+# [Monitoring](https://grafana.burble.com/d/E4iCaHoWk/dn42-dns-status?orgId=1&refresh=1m)

+burble is providing monitoring for the new DNS system. It does simple checks on all instances every minute and also logs all changes into #dn42-dns@hackint.

+

+Also, gatuno provides another simple [dns checker for all the top level domains](http://gatuno.dn42/dns/) in the registry. If you want to check whatever a domain is resolving or not, this tool may be useful. The tool gets in sync with the registry every 12 hours. You can schedule checks for any domain.

+

+# DNSSEC

+There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next signing. All other signatures are valid for 3 days and replaced at least once per day.

+

+The set of valid KSKs can be found in the registry.

+

+# See also

+

+* [DNS Quick Start](/services/dns/Overview)

+* [Old Hierarchical DNS](/services/dns/historical/Old-Hierarchical-DNS) - deprecated

+* [Original DNS (deprecated)](/services/dns/historical/Original-DNS-(deprecated)) - deprecated

+DN42 is [interconnected](/Interconnections) with the Inter City VPN or in short "ICVPN". The registry of the ICVPN includes all the DNS information such as the Top level domains (TLDs) used inside ICVPN and the reverse DNS for the IP ranges of the ICVPN. Additionally, it includes the TLDs of some other networks that are interconnected with dn42 and share some of the IP space of ICVPN. The ICVPN [repository](https://github.com/freifunk/icvpn-scripts#dns-mkdns) includes a handy script to automatically generate all the required zones.

+For more information about DNSSEC visit the [dns architecture#dnssec](/services/dns/Architecture#dnssec) page.

+the [External-DNS](/services/dns/External-DNS) page in the wiki.

+to the anycast service. Example configurations for different recursor implementations are included in the [Configuration](/services/dns/Configuration) page.

+Delegations servers have full support for DNSSEC. Example configuration unbound implementations are included in the [Configuration](/services/dns/Configuration#resolver-setup) page.

+* [Configuration](/services/dns/Configuration) - Forwarder/Resolver configuration examples

+* [Architecture](/services/dns/Architecture) - Current DNS system architecture

+* [External-DNS](/services/dns/External-DNS) - External DNS zones from interconnected networks

+

+This information is now **deprecated**.

+

+***

+

+DNS in the global internet is designed as a tree starting from "." and traveling outward in layers. Currently in DN42 dns is flat. This leads to issues when trying to debug problems and makes it difficult to delegate to subnets smaller than /24. Another problem that arises is having the root dns setup as an anycast. If one of the anycast roots is having problems it creates inconsistent errors for some users. This has led to the problem of when a user has a poorly configured anycast available to create their own root anycast.

+

+The purpose of this project is to create a system of high quality dns roots. With them in place, an anycast resolver would only need to be a simple caching resolver that uses the roots to query.

+

+## Hierarchy in DN42

+

+ - . (dot)

+ - arpa

+ - in-addr

+ - 172

+ - 20

+ - 22

+ - 23

+ - 31

+ - dn42

+ - \<dn42 domain names>

+ - hack

+ - ffhh

+ - \<Future Top Level Domains?>

+ - \<ano, bit or other organisation TLDs?>

+ - \<ICANN TLDs>

+

+Note: With this system it could be possible to merge the IANA root file.. but it would be beyond the scope of this project.

+

+## Servers

+

+For all of these servers they have a specific IP assigned, only respond to their authoritative zones, and do not allow recursion.

+

+**\<name>.root-servers.dn42** - This server is authoritative for "." (root zone). Is authorative for ICANN root as well. "172.in-addr.arpa" is delegated to ICANN, except rfc1918 zones which are delegated to dn42. The rest of rfc1918 as well as rfc4193 address space is delegated to dn42.

+

+**\<name>.zone-servers.dn42** - This server is authoritative for "dn42", "hack", .. This would be where the records for all forward dns nameservers would be. Similar to our current root setup.

+

+**\<name>.in-addr-servers.arpa** - This server is authoritative for "arpa", "in-addr", and each of the 172 zones for dn42 ip space. For non dn42 ip space NS records to the respective darknet would need to be registered.

+

+**\<name>.dn42-servers.arpa** - This server is authoritative for RFC 2317 delegations. For any inetnum object smaller than /24 and whos parent has no nameserver records, a C class parent zone is created (all its subnetworks are delegated to appropriate nameservers with CNAME)

+

+Real-time server monitor is available at <http://nixnodes.net/dn42/dnsview>

+

+## Setup

+

+Contact one of the root-servers.dn42 operators if you wish to set up a root/zone/dn42 server.

+

+You may want to set up a resolver, see link below or use 172.23.0.53 directly.

+

+Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)

+# Original DNS (deprecated)

+This information is now **deprecated**.

+

+***

+

+*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.20.0.53` and `fd42:d42:d42:54::1`.

+

+**DNS is built from the [whois database](/services/Whois). Please edit your DNS records there.**

+

+## Using the DNS service

+

+Below are several ways to use the `dn42` DNS service, from easiest to more challenging. The recommended method is the second one.

+

+### Using the anycast resolver directly

+

+Please be aware that this method sends **all** your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.

+

+To do this, just use `172.20.0.53` or `fd42:d42:d42:54::1` as your resolver, for instance in `/etc/resolv.conf`.

+

+### Forwarding `.dn42` queries to the anycast resolver

+

+If you run your own resolver (`unbound`, `dnsmasq`, `bind`), you can configure it to forward dn42 queries to the anycast DNS resolver. See [DNS forwarder configuration](/services/dns/Configuration).

+

+### Recursive resolver

+

+You may also want to configure your resolver to recursively resolve dn42 domains. For this, you need to find authoritative DNS servers for the `dn42` zone (and for the reverse zones). See [services/dns/Recursive DNS resolver](/services/dns/Recursive-DNS-resolver).

+

+### Building the dn42 zones from the registry

+

+Finally, you may want to host your own authoritative DNS server for the `dn42` zone and the reverse zones. The zone files are built from the monotone repository: scripts are provided in the repository itself.

+

+## Register a `.dn42` domain name

+

+The root zone for `dn42.` is built from the [whois registry](/services/Whois). If you want to register a domain name, you need to add it to the registry (of course, you also need one or two authoritative nameservers).

+

+## DNS services for other networks

+

+Other networks are interconnected with dn42 (ChaosVPN, Freifunk, etc). Some of them also provide DNS service, you can configure your resolver to use it. See [External DNS](/services/dns/External-DNS).

+

+## Providing DNS services

+

+See [Providing Anycast DNS](/services/dns/Providing-Anycast-DNS).

+

+## [Old Hierarchical DNS](/services/Old-Hierarchical-DNS)

+

+This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.

+|SERNET-IX|[https://blog.sherpherd.net/ix.html](https://blog.sherpherd.net/ix.html)|