Category: Network

Posts dealing with changes to how we route packets and configure our network.

Updated DNS blocklist…

Around 1430 EST today, our team started noticing that some of the DNS requests that were coming in were for odd-looking domains within the zones that the OpenNIC project controls. In an effort to not aid botnets, malware and other unwanted internet asbestos, we make use of iptables to block requests from even reaching our DNS servers if our team’s research comes up as questionable or worrisome.

We will not post the domains that are blocked on our websites to avoid getting tagged with those questionable domains. But if you are using our DNS servers, are a project member or a network tenant, you are welcome to reach out to our support desk to obtain a list of the currently blocked domains.

Something to note:
Our team does not block weird looking domains just because they seem odd. We only enact a block when we are able to verify that the domain in question is associated with malware or otherwise unsafe. Verification is done by checking the domains and associated IP addresses against multiple malware tracking labs and groups.
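One way a per-domain DNS block can be expressed in iptables, shown as an added example and not the project's actual rule set. It assumes the `string` match extension is used; the function names and the domain `blocked.example` are constructed for illustration. The script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example: build (not apply) iptables rules that drop DNS queries for
# one blocked zone before they reach the resolver process.
# "blocked.example" is a constructed placeholder, not a real blocklist entry.

# Encode a domain as DNS wire format (length-prefixed labels, RFC 1035) in
# iptables --hex-string syntax: bytes between pipes are hex, the rest is ASCII.
dns_hex_pattern() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=${domain%.}                          # drop a single trailing root dot
    case $domain in
        ""|.*|*.|*..*|*[!a-z0-9._-]*) return 1 ;;   # empty label or unsafe char
    esac
    [ "${#domain}" -le 253 ] || return 1
    pattern=""
    rest=$domain
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest="" ;;
        esac
        len=${#label}
        [ "$len" -le 63 ] || return 1           # DNS label length limit
        pattern="$pattern|$(printf '%02x' "$len")|$label"
    done
    # The terminating zero byte anchors the match at the end of the name, so
    # the zone and its subdomains match but "blocked.example.org" does not.
    printf '%s|00|\n' "$pattern"
}

# Print one DROP rule per transport. --icase keeps mixed-case queries
# (DNS 0x20 randomisation) from slipping past the match.
dns_block_rules() {
    pat=$(dns_hex_pattern "$1") || return 1
    for proto in udp tcp; do
        printf 'iptables -I INPUT -p %s --dport 53 -m string --hex-string "%s" --algo bm --icase -j DROP\n' \
            "$proto" "$pat"
    done
}

# Show the rules for the constructed sample domain.
dns_block_rules "blocked.example"
```

Rules like these only see plaintext DNS on port 53; queries arriving over DNS-over-TLS or DNS-over-HTTPS have to be filtered in the resolver itself.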

Still playing with DNS

While this should not affect routing at all, various services of ours might go offline and return later. We are still playing around with DNS and have made the move into serving our domain using “dns.marbledfennec.net” as the primary and DeSec.io as our secondary name servers. As we learn more about the services we rely on and how to host them ourselves, we will be working on moving them in-house.

Update at 2pm:
At this time, our domain is using only our name servers to check and see if DNSSEC is working correctly on our end. Once verified, there will be another update.

Update at 10am:
Eventually this configuration will be duplicated on “dns2.marbledfennec.net” and then kept in sync with any zone changes automagically. For those who are curious, “dns.marbledfennec.net” and “dns2.marbledfennec.net” are really the servers “dns.fenfox.run” and “dns2.fenfox.run”.

The thing to remember about our project is that it is and always will be a grounds to learn on, meaning a lot of our hosted machines and configurations are moving targets as our team learns from doing and managing.

Twin DNS Resolvers

Since we had some resources to spare, we have set up a second public DNS resolver that anyone may use if they wish. Both of our resolvers are compatible with ICANN and OpenNIC domains.