Changes in 324dd14: Merge branch 'master' of git.dn42.us:dn42/wiki

				Static-routes-on-Windows.md
			
          @@ -0,0 +1,63 @@

          +Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.

          +

          +```

          +@echo off

          +REM fill in YOUR network information

          +REM right click and RUN AS ADMIN

          +

          +REM our entire private network address space

          +set networkv4=172.20.0.0

          +set networkv4mask=255.252.0.0

          +set networkv6=fd00::/8

          +

          +REM our IPv4 subnet info

          +set subnetv4=172.20.184.240

          +set subnetv4mask=255.255.255.248

          +set gateway4=172.20.184.241

          +

          +REM our IPv6 subnet info

          +set subnetv6=fd43:6d1:3ee2::/48

          +set gateway6=fd43:6d1:3ee2:1000::1

          +

          +REM our address for this machine

          +set yournetaddr=172.20.184.242

          +set yournetaddr6=fd43:6d1:3ee2:1000::2/128

          +

          +REM add IPs

          +REM if different change wlan0 to YOUR interface name

          +REM first line here is for my LAN. Ignore it.

          +netsh interface ipv4 add address "wlan0" 192.168.2.254 255.255.255.0

          +netsh interface ipv4 add address "wlan0" %yournetaddr% %subnetv4mask%

          +netsh interface ipv6 add address "wlan0" %yournetaddr6%

          +

          +REM add IPv4 routes

          +route -4 add %subnetv4% mask %subnetv4mask% %gateway4%

          +route -4 add %networkv4% mask %networkv4mask% %gateway4%

          +

          +REM add IPv6 routes

          +route -6 add %gateway6% ::

          +route -6 add %subnetv6% %gateway6%

          +REM this last route wasn't working without manually filling in the info.

          +REM I don't know why.. Broken line commented out.

          +REM route -6 add %networkv6% %gateway6%

          +route -6 add fd00::/8 fd43:6d1:3ee2:1000::1

          +

          +echo Press enter to check your IPv4 routing table

          +echo Do not forget to add static routes to this computer on your BGP router!

          +echo Example: "root@router:~# ip route add 172.20.184.242 dev wlan0"

          +echo Example: "root@router:~# ip route add fd43:6d1:3ee2:1000::2/128 dev wlan0"

          +pause

          +cls

          +route -4 print

          +echo Press enter to check your IPv6 routing table

          +pause

          +cls

          +route -6 print

          +echo Press enter to try to ping gateway

          +pause

          +cls

          +ping %gateway4%

          +pause

          +ping %gateway6%

          +pause

          +```

          \ No newline at end of file

				_Sidebar.md
			
          @@ -2,6 +2,8 @@

            * [[Home]]

             * [[Getting started]]

          +  * [[Registry Authentication]]

          +  * [[Address Space]]

             * [[FAQ]]

           * [[How-to|/pages/howto/]]

          @@ -15,6 +17,7 @@

             * [[OpenBGPD|OpenBGPD]]

             * [[Mikrotik RouterOS|mikrotik]]

             * [[EdgeRouter|EdgeOS Config]]

          +  * [[Static routes on Windows]]

           * [[Services|/pages/services/]]

             * [[IRC]]

				home.md
			
          @@ -41,7 +41,7 @@ The [[Getting started]] page helps you to get your first node inside the network

            * [Lecture on GPN8](http://entropia.de/wiki/GPN8:dn42)

            * [soup.io group](http://dn42.soup.io/)

            * [nobody about dn42](http://nowhere.ws/guides/dn42/)

          - * [Lecture on mrmcd0x8](http://mrmcd0x8.metarheinmain.de/fahrplan/events/3321.de.html)

          + * [Lecture on mrmcd0x8](http://web.archive.org/web/20090831211324/http://mrmcd0x8.metarheinmain.de/fahrplan/events/3321.de.html)

            * [dn42-category in hackerspaces.org wiki](https://hackerspaces.org/wiki/Category:DN42)

            * [pentaradio24 – german podcast](https://www.c3d2.de/news/pentaradio24-20150428.html)

            * [dn42 in your browser](http://freerouter.nop.hu/online.html)

				howto/Address-Space.md
			
          @@ -0,0 +1,57 @@

          +DN42 uses network addresses in the [rfc1918](https://tools.ietf.org/html/rfc1918) and [ULA](https://tools.ietf.org/html/rfc4193) ranges. These are described in detail within the sections below. 

          +

          +The [DN42 registry](https://git.dn42.us/dn42/registry) is the authoritative source of information on address space assignment. Within the registry, the DN42 address space is divided in to blocks based on _policies_ that define how the addresses may be used. Policies are defined in `inetnum` and `inet6num` objects and can be:

          +

          + - **open** - users may request prefixes in this range, subject to any constraints that are described in the `remark` attributes

          + - **closed** - these ranges cannot be assigned

          + - **reserved** - these ranges are reserved for future use

          + - **ask** - these ranges are for specific uses, please ask on the mailing list before requesting assignments

          +

          +A simple way to see all the active policies in the registry is to search the registry content for policy attributes:

          +

          +```sh

          +grep -r ^policy data/inet{,6}num/

          +```

          +

          +The [filter.txt](https://git.dn42.us/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.us/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced. 

          +

          +`inetnum` and `inet6num` objects within the registry are used to describe the allocation of address space to users. `route` and `route6` objects in the registry are used to validate routing announcements through [ROA](https://wiki.dn42/howto/Bird#route-origin-authorization). 

          +

          +In addition to the native DN42 address ranges, the registry also contains allocations for the address space used by affiliate networks. These are updated by a regular [sync script](https://git.dn42.us/dn42/registry-sync). 

          +

          +Globally routable prefixes are not supported in DN42; they are denied via the registry filter{6,}.txt files and many networks will filter both announcements and traffic for prefixes that are outside of the allowable ranges.

          +

          +# IPv6 Address Space

          +

          +DN42 uses the fd00::/8 ULA range for IPv6 addresses. Apart from a block of addresses reserved for anycast (fd42:d42:d42::/48), the whole fd00::/8 block has an open policy and users are free to request any prefix in this range, that is not already allocated. 

          +

          +**The DN42 registry is not authoritative for the fd00::/8 range**

          +

          +DN42 is interconnected with other networks, like icvpn, which also use the same ULA range and many users will also use this range for their own networks. A registration in the dn42 registry cannot prevent IPv6 conflicts, so a fully random prefix (see [RFC4193](https://tools.ietf.org/html/rfc4193)) is strongly recommended. If an address conflict is found, then needing to renumber your network is no fun.

          +

          +# IPv4 Address Space

          +

          +DN42 uses the 172.20.0.0/14 range for IPv4 addresses. As with the public internet, IPv4 space is more limited and users are encouraged to conserve space where possible. A typical assignment in DN42 is a /27 and any requests for assignments larger than /24 must provide justification. 

          +

          +Unlike the IPv6 address space, the DN42 IPv4 space is not fully open for assignment to users; some ranges are intended for specific uses and other ranges are reserved. See the policy section, below. Users should always check the policy in the registry before requesting a prefix to be assigned. 

          +

          +There are other IPv4 ranges in use within DN42 related to the affiliate networks, see the [filter.txt](https://git.dn42.us/dn42/registry/src/master/data/filter.txt) file in the registry. 

          +

          +## IPv4 Policies

          +

          +The diagram below shows the allocation policies for the DN42 address space. 

          +

          +![Policy Map Image](images/PolicyMap.png)

          +

          +Specific policy restrictions:

          +

          +| Prefix | Usage |

          +|--------|-------|

          +| 172.20.0.0/24<br/>172.21.0.0/24<br/>172.22.0.0/24<br/>172.23.0.0/24 | Reserved for anycast addresses |

          +| 172.20.240.0/20<br/>172.22.240.0/20 | Reserved for transfer networks |

          +| 172.20.64.0/18 | Reserved for allocations larger than /23, up to /21 |

          +| 172.22.0.0/18 | Reserved for allocations of /24 or larger, up to /21 |

          +| 172.23.16.0/21 | Closed to new allocations |

          +| 172.21.0.0/18<br/>172.21.128.0/17<br/>172.22.192.0/18 | Reserved for future use |

          +

          +

				howto/Bird.md
			
          @@ -87,7 +87,7 @@ template bgp dnpeers {

               reject;

             };

             export filter {

          -    if is_valid_network() then {

          +    if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {

                 accept;

               }

               reject;

          @@ -195,7 +195,7 @@ template bgp dnpeers {

             };

             export filter {

               # here we export the whole net

          -    if is_valid_network() then {

          +    if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {

                 accept;

               }

               reject;

howto/EMail.md

...	...	@@ -5,12 +5,17 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
5	5	* configure your mail server if needed
6	6
7	7	## Redirect
	8	+~~There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which have been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.~~
8	9
9		-There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which hav been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.
	10	+####Example####
	11	+
	12	+\| Handle \| Alias \| Redirection \|
	13	+\|:------------ \|:-------------- \|:--------------------- \|
	14	+\| `STV0G-DN42` \| [email protected] \| [email protected]` \|
10	15
11	16	## Test email
12	17
13		-Send an email to `[email protected]` to check if your mail setup is correct. This host will reply using the following
	18	+~~Send an email to `[email protected]` to check if your mail setup is correct.~~ This host will reply using the following
14	19	sieve filter:
15	20
16	21	```
...	...	@@ -23,12 +28,6 @@ if header :contains "To" ["[email protected]"] {
23	28	}
24	29	```
25	30
26		-####Example####
27		-
28		-\| Handle \| Alias \| Redirection \|
29		-\|:------------ \|:-------------- \|:--------------------- \|
30		-\| `STV0G-DN42` \| [email protected] \| [email protected]` \|
31		-
32	31	## Exim tips
33	32
34	33	### Sending emails

				howto/IPsecWithPublicKeys/strongSwan5Example.md
			
          @@ -2,6 +2,8 @@

           ## Setup

           ### Installation hints

           For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ installed.

          +

          +Don't forget to disable selinux :)

           ### Generate an RSA keypair

               root@debian:~# mkdir /etc/ipsec.d/public

				howto/OpenBGPD.md
			
          @@ -12,7 +12,7 @@ The goal is to have a small, yet complete setup for all peers with ROA validatio

           As per the manual, configuration is divided into logical sections;  [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on.

          -By default, [`bgpd(8)`](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.

          +By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.

           ## local host

           Information such as ASN, router ID and allocated networks are required:

          @@ -40,7 +40,7 @@ network prefix-set mynetworks set large-community $ASN:1:1

           ## neighbors

           For each neighbor its ASN and transfer ULA is required.

          -An optional description is provided such that [**bgpctl(8)**](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:

          +An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:

           ```

           # peer A, transport over IPSec/GRE

           $A_local="fd00:12:34:A::1"

          @@ -99,17 +99,11 @@ match from ebgp set { large-community delete $ASN:*:* }

           match from any community GRACEFUL_SHUTDOWN set { localpref 0 }

           ```

          -Misbehaving peers can be adjusted;  for example Bird on FreeBSD is known to sometimes announce routes with incorrect `nexthop` attributes:

          -```

          -# XXX otherwise routes are installed with ::/128 nexthop

          -match from AS $A_ASN set { nexthop $A_remote }

          -```

          -

           # ROA

          -OpenBSD ships with [**rpki-client(8)**](http://man.openbsd.org/rpki-client.8) which nicely integrates with **bgpd**.

          +OpenBSD ships with [rpki-client(8)](http://man.openbsd.org/rpki-client.8) which nicely integrates with **bgpd**.

           Since DN42 emulates an IRR WHOIS service through the registry repository instead of providing an RPKI repository, this tool cannot be used.

          -Instead, a shell script parses route objects from the registry repository and generates a `roa-set {...}` block that is to be included in the main configuration file.

          +Instead, [a shell script](https://t4-2.high5.nl/pub/dn42/generate_roa-set.sh) parses route objects from the registry repository and generates a `roa-set {...}` block that is to be included in the main configuration file.

           One single `roa-set` may be defined, against which **bgpd** will validate the origin of each prefix;  this allows filter rules to use the `ovs` keyword as demonstrated above.

          @@ -128,4 +122,8 @@ Include it in `/etc/bgpd.conf`:

           include "/etc/dn42.roa-set"

           ```

          -# Looking glass

          \ No newline at end of file

          +# Looking glass

          +This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.

          +The **bgplg** manual contains the few steps and example [httpd.conf(5)](http://man.openbsd.org/httpd.conf.5) required to enable the looking glass.

          +

          +See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.

          \ No newline at end of file

				howto/images/PolicyMap.png
			
          Binary files /dev/null and b/howto/images/PolicyMap.png differ

				howto/systemd-networkd-configuration-example.md
			
          @@ -0,0 +1,46 @@

          +# systemd-networkd configuration example

          +This is the config that is used on ZOTAN Networks (AS4242422341). Full network configuration available on [my Git](https://git.zotan.dn42/zotan/dn42) (dn42) or alternatively [my Git](https://git.prod.zotan.network/zotan/dn42) (clear)

          +

          +

          +# Configuration

          +

          +## loopback device (lo.network)

          +```

          +[Match]

          +Name=lo

          +

          +[Network]

          +Address=fdff:b02d:2ef7::2/128

          +```

          +

          +## wireguard netdev (dn42p1.netdev)

          +```

          +[NetDev]

          +Name = dn42p1

          +Kind = wireguard

          +Description = WireGuard

          +

          +[WireGuard]

          +ListenPort = 42421

          +PrivateKeyFile = /etc/wireguard/private.key

          +

          +[WireGuardPeer]

          +PublicKey = <peer wg pubkey>

          +Endpoint = <peer wg endpoint>:<peer wg port>

          +AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8

          +```

          +

          +## wireguard network (dn42p1.network)

          +```

          +[Match]

          +Name = dn42p1

          +

          +[Address]

          +Address = fe80::2342/128 # arbitrary, doesn't need to be unique for each interface

          +Peer = <peer tunnel linklocal address>/128

          +

          +[Address]

          +Address = <your DN42 ipv4>/32

          +Peer = <peer DN42 ipv4>/32

          +

          +```

          \ No newline at end of file

				internal/Historical-Services.md
			
          @@ -59,7 +59,7 @@ An alternative is available at https://ip.naive.network, which displays your cle

           | _Configuring Yacy Network settings:_     |[YaCy Network Configuration](http://yacy.dn42/yacy.network.dn42.unit) |

          -## File sharing

          +## File Sharing

           ### Tahoe LAFS

           Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure decentralized crypted file storage but in dn42.

				internal/Internal-Services.md
			
          @@ -8,11 +8,17 @@ You are asked to show some creativity in terms of network usage and content. ;)

           xuu is maintaining an [[certificate authority]] for internal services.

          +zotan is maintaining an (experimental, but working) [ACME server](https://acme.dn42) (with accompanying CA), compatible with any LetsEncrypt client like Certbot, Dehydrated or Caddy.

          +

           ## Network-related

             * See [[Looking Glasses]] for more network diagnostic tools

             * Map of the network: [map.nixnodes.net](http://map.nixnodes.net)

             * An alternate network map: [map.dn42](http://map.dn42/) (Note: Currently DN42 only, will be public available after testing,  this is a direct copy of nixnodes map with some fixes and new functions since original map is no longer maintained)

             * DN42 IP address lookup tool: [dn42.g-load.eu/ip](https://dn42.g-load.eu/ip/)

          +  * New DNS System monitoring: [grafana.burble.com/d/E4iCaHoWk/dn42-dns-status](https://grafana.burble.com/d/E4iCaHoWk/dn42-dns-status?orgId=1&refresh=1m)

          +  * DN42 Toplevel domain DNS monitoring: [gatuno.dn42/dns](http://gatuno.dn42/dns)

          +  * Free DNS Hosting. You can host any toplevel or subdomain from dn42: [gatuno.dn42/managed](http://gatuno.dn42/managed/)

          +  * What is my IP: [whatismyip.dn42](http://whatismyip.dn42/), [ip4.dn42](http://ip4.dn42/), [ip6.dn42](http://ip6.dn42/)

           ### Proving ASN ownership

           Through this automated service you prove your ASN ownership to KIOUBIT-MNT who then automatically creates a "ownership verification signature".

          @@ -49,12 +55,15 @@ API: https://dn42.g-load.eu/verify/documentation.txt

           |:------------------------------------------------- |:-------------------------------------------------------- |

           | http://img.dn42                                   | Imagehoster                                              |

           | http://chan.dn42                                  | DN42-Chan, an imageboard                                 |

          +| http://j.munsternet.dn42                          | Jellyfin instance with movies and TV shows (test)

          +|

           ## Radio and Video Streaming

           | Hostname / IP                                     | Remarks                                                  |

           |:------------------------------------------------- |:-------------------------------------------------------- |

           | http://stream.media.dn42/                         | icecast-relay, contact toBee for more streams            |

          +| https://invidious.doxz.dn42/                       | Invidious instance with proxy (Youtube)                  |

           ### Direct Connect

           Some [Advanced Direct Connect](https://en.wikipedia.org/wiki/Advanced_Direct_Connect) Hubs are being run DN42 internally. Choose a [client](https://en.wikipedia.org/wiki/Comparison_of_ADC_software#Client_software) and connect to exchange files.

          @@ -79,11 +88,6 @@ Some [Advanced Direct Connect](https://en.wikipedia.org/wiki/Advanced_Direct_Con

           - https://magnetic.dn42 (DHT Search Engine)

          -### BitTorrent tracker

          -- http://172.20.184.241/ (IPv4)

          -- http://[fd43:6d1:3ee2:1000:1]/ (IPv6)

          -- http://tracker.dn42/ (info page)

          -

           ## Proxies

            See http://wiki.hamburg.ccc.de/ChaosVPN:Proxy

          @@ -115,6 +119,15 @@ Repository Mirrors are listed on another page: [Repository Mirrors](/services/Re

           | Hostname / IP                                     | Game                   | Remarks                    |

           |:------------------------------------------------- |:---------------------- |:-------------------------- |

           | hulk.mhm.dn42 (172.23.67.1)                       | Tetrinet               |                            |

          +| mc.nia.dn42 (172.20.168.131)                      | Minecraft              | 1.15.2, Optimized for CN   |

          +

          +## Shell

          +

          +Providers of shell access:

          +

          +| Person        | Hostname                             | Net              | Description | Contact       |

          +|:------------- |:------------------------------------ |:---------------- |:----------- |:------------- |

          +| mc36          | telnet test.nop.dn42                  | dn42 only        |looking glass| -             |

           ## Misc 

          @@ -130,6 +143,7 @@ Repository Mirrors are listed on another page: [Repository Mirrors](/services/Re

           | https://git.dn42[.us]/pubkeys/[username]          | Get ssh public keys from Git Users of git.dn42. |

           | http://wiki.dn42, http://internal.dn42, [dn42.i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) (i2p), jsptropkiix3ki5u.onion  | This wiki! Web Hosted by [xuu](https://xuu.dn42). Git Repo hosted on git.dn42  |                

           | http://jack.pyropeter.eu/dn42/routecount/         | Statistics about the number of v4/v6 routes seen by AS76115 (Since Aug. 2014)  |

          +| https://git.zotan.dn42                            | Git Repository Hosting, open signup (Powered by gitea)|               

           ### Usenet Servers / News

           There are some News Servers available [here](/services/News)

internal/services/Tor.md

...	...	@@ -8,10 +8,12 @@ Tor bridges allow for the Tor client to connect to a specific IP address and val
8	8	\|-----------------------\|-----------\|------------------\|----------\|------------------------------------------\|------------------------------------\|
9	9	\| photon.flat.dn42:8443 \| 500kB/s \| [email protected] \| obfs4 \| 83B02FB88253A7FD313B7912B12B05AF2A42D3B9 \| Limited to 100GB transfer per week \|
10	10	\| gouda.flat.dn42:8443 \| 500kB/s \| [email protected] \| obfs4 \| DF8CA08A9BED62B319D1E52610510959374444A2 \| \|
	11	+\| tor.napshome.dn42:8443 \| 3000KB/s+ \| [email protected] \| obfs4 \| 71C924A772F69451FE97FE5A9025DEDDEF3DB664 \| \|
	12	+\| tor.napshome.dn42:9001 \| 3000KB/s+ \| [email protected] \| plain \| 71C924A772F69451FE97FE5A9025DEDDEF3DB664 \| \|
11	13
12	14	# Anycast Tor
13	15
14		-There is an anycast address, 172.22.0.94 aka tor.dn42, that provides the following services:
	16	+There is an anycast address, 172.22.0.94 and fd42:d42:d42:9001::1 aka tor.dn42, that provides the following services:
15	17
16	18	\| Service \| Port \|
17	19	\|---------\|----------\|
...	...	@@ -27,6 +29,10 @@ There is also unfortunately no means by which to tell Tor to use a specific IP a
27	29
28	30	_Note that the same warnings above also apply to the following proxies._
29	31
30		-\| Proxy URL \| Bandwidth \| Contact \| Fingerprint \|
31		-\|---------------------------------------\|-------------\|-------------\|----------------------------------\|
32		-\| socks5://172.20.11.33:9050 \| 100 Mbit/s \| twink0r \| ? \|
...	...	\ No newline at end of file
	0	+\| Proxy URL \| Bandwidth \| Contact \|
	1	+\|---------------------------------------\|-------------\|-------------\|
	2	+\| socks5://tor.napshome.dn42:9050 \| 100+ Mbit/s \| Napsterbater\|
	3	+
	4	+\| Offline \| \| \|
	5	+\|---------------------------------------\|-------------\|-------------\|
	6	+\| socks5://172.20.11.33:9050 \| 100 Mbit/s \| twink0r \|
...	...	\ No newline at end of file

				services/DNS.md
			
          @@ -1,15 +1,67 @@

          -# DN42 Public DNS

          -* IPv4:172.20.0.53

          -* IPv6:fd42:d42:d42:54::1

          +# DN42 DNS

          -Tips:old DNS 172.23.0.53 and fd42:d42:d42:53::1 already stop updated.

          +This page covers guidance and examples on using DNS within DN42.

          -* [[dns/Configuration|Configuration]] - DN42 DNS forward configuration for openwrt and bind......

          -* [[dns/External-DNS|External-DNS]] - external DNS zones from interconnected networks

          +## Quick Start

          +

          +It is recommended to run your own DNS resolver as this provides you with the most security and privacy. 

          +However, to get started, or if running your own resolver isn't desirable an anycast service

          +is available. The anycast service supports DNSSEC and will resolve public DNS names together with all the 

          +relevant DN42 and affiliated networks' names.

          +

          +### Using the DNS Anycast Service

          +

          +The DNS anycast service is provided by multiple operators, with each operator contributing to one of the two separate 

          +anycast services. By configuring both services, users get additional resiliency from having two, independent, resolvers. 

          +

          +| Name | IPv4 | IPv6 |

          +|---|---|---|

          +| a0.recursive-servers.dn42 | 172.20.0.53 | fd42:d42:d42:54::1 |

          +| a3.recursive-servers.dn42 | 172.23.0.53 | fd42:d42:d42:53::1 |

          +

          +To configure the service, ping both sets of addresses then set your primary nameserver to the lowest latency 

          +service and configure the other service as the secondary or backup nameserver.

          +

          +Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:

          +

          +```text

          +nameserver 172.20.0.53

          +nameserver 172.23.0.53

          +nameserver fd42:d42:d42:54::1

          +nameserver fd42:d42:d42:53::1

          +search dn42

          +```

          +Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:

          -# DN42 DNS Architecture

          +```text

          +nameserver fd42:d42:d42:53::1

          +nameserver fd42:d42:d42:54::1

          +nameserver 172.23.0.53

          +nameserver 172.20.0.53

          +search dn42

          +```

          +## Advanced Configuration

          +

          +There are multiple top level domains (TLDs) associated with DN42, its affiliated networks and for reverse DNS that must

          +be configured in order to run your own resolver. The registry is the authoritative source of active TLDs, but see also

          +this page [[dns/External-DNS|External-DNS]] in the wiki.

          +

          +### Split horizon DNS

          +

          +In this configuration, you run your own, caching resolver but forward DN42 related queries (with recursion bit set) 

          +to the anycast service. Example configurations for different recursor implementations are included in the [[dns/Configuration|Configuration]] page.

          +

          +### Full recursion 

          +

          +Authoritative DNS for DN42 is provided by the *.delegation-servers.dn42 servers, see the DNS architecture here 

          +[[New DNS]] Delegations servers have full support for DNSSEC. 

          +

          +## Further Information

          +

          +* [[dns/Configuration|Configuration]] - Forwarder configuration examples

           * [[New DNS]] - current architecture

          +* [[dns/External-DNS|External-DNS]] - external DNS zones from interconnected networks

           * [[Old Hierarchical DNS]] - deprecated

          -* [[Original DNS (deprecated)]] - deprecated

          \ No newline at end of file

          +* [[Original DNS (deprecated)]] - deprecated

				services/IPv6-Anycast.md
			
          @@ -12,7 +12,7 @@ Remember, if you announce an anycast /64, then you need to provide **all** servi

           | **Name**               | **Service address**       | **Protocol/port** | **Comment**                   | 

           | ---------------------- | ------------------------- | ----------------- | ----------------------------- |

          -| Recursive DNS resolver | `fd42:d42:d42:53::1/64`   | UDP/53            | `.` and `dn42.` [Providers][] |

          +| Recursive DNS resolver | `fd42:d42:d42:54::1/64`   | UDP/53            | `.` and `dn42.` [Providers][] |

           | Whois Database         | `fd42:d42:d42:43::1/64`   | TCP/43            |                               |

           | TOR SOCKS5 Proxy       | `fd42:d42:d42:9050::1/64` | TCP/9050          |                               |        

           | internal Wiki          | `fd42:d42:d42:80::1/64`   | TCP/80, TCP/443   |                               |

				services/IRC.md
			
          @@ -1,9 +1,8 @@

           # IRC

           > TLDR: irc.hackint.dn42, #dn42

          -We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. While a plain text connection is possible it is recommended to connect via TLS on port 9999.

          +We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 9999.

          -There's a little [statistic script](https://dev.0l.dn42/stats/) running hourly.

           ## hackint.org

				services/Looking-Glasses.md
			
          @@ -17,15 +17,20 @@ Please sort by AS number.

           | 4242421588 | dn42: http://lg.tech9computers.dn42 <br> Interactive (traceroute, BGP-map) | UP |

           | 4242421926 | dn42: https://lg.zhaofeng.dn42 <br> ext: https://lg.naive.network | UP |

           | 4242421955 | dn42: http://lg.nop.dn42/ <br> telnet:test.nop.dn42 <br> ext: http://freerouter.nop.hu/online.html| UP |

          +| 4242422547 | ext: https://lg.lantian.pub or https://lg-alt.lantian.pub <br> dn42: http://lg.lantian.dn42 or http://lg-alt.lantian.dn42 | UP |

           | 4242422601 | dn42: http://lg.burble.dn42 <br> ext: https://lg.burble.com/ | UP |

           | 4242422700 | dn42: http://lg.gotroot.dn42 <br> ext: http://dn42.gotroot.ca/ | UP |

          +| 4242422904 | ext: https://lg.doxz.net/ | UP |

           | 4242423905 | ext: https://dn42-svc.weiti.org/ulg/ <br> dn42: https://lg.weiti.dn42/ | UP |

          -| 4242423088 | ext: http://lg.dn42.6700.cc <br> dn42: http://lg.sun.dn42/ | UP |

          +| 4242423088 | ext: https://lg.dn42.6700.cc <br> dn42: http://lg.sun.dn42/ | UP |

           | 4242421722 | ext: https://lg42.tchekda.fr <br> dn42: http://lg42.tchekda.dn42/ | UP |

           | 4242422237 | ext: https://lg.dn42.munsternet.eu | UP |

           | 4242420181 | ext: https://lg.dn42.miegl.cz <br> dn42: http://lg.mgl.dn42 | UP |

           | 4242421331 | ext: https://net-lg.nia.ac.cn <br> dn42: http://lg.nia.dn42 | UP |

          -| 4242422189 | dn42: http://lg.iedon.dn42/ | UP |

          +| 4242422189 | dn42: http://lg.iedon.dn42 | UP |

          +| 4242422341 | ext: https://lg.dn42.zotan.network <br> dn42: https://lg.zotan.dn42 | UP |

          +| 4242423078 | dn42: http://lg.hex.dn42 <br> Interactive (traceroute, BGP-map) <br> IPv6 only | UP |

          +| 4242421050 | ext: https://lg.dn42.napshome.net <br> dn42: http://lg.napshome.dn42 | UP |

           ## Down

				services/New-DNS.md
			
          @@ -4,7 +4,7 @@ After frequent issues with the [[Old Hierarchical DNS]] system in early 2018, wo

           * Proper DNSSEC support for everything.

           # End Users

          -It is **strongly recommended** to run your own resolver for security and privacy reasons. Setting it up and maintaining it should be easy, see [Running your own instances](#running-your-own-instances).

          +It is **strongly recommended** to run your own resolver for security and privacy reasons. Setting it up and maintaining it should be easy, see [[dns/Configuration|Configuration]].

           If running your own resolver is not possible or undesirable, you can choose one or more instances from [dns/recursive-servers.dn42 in the registry](https://git.dn42.us/dn42/registry/src/master/data/dns/recursive-servers.dn42). Please make sure you fully understand the consequences and fully trust these operators.

          @@ -38,6 +38,8 @@ These instances do not serve any clients. They poll the registry regularly and r

           # [Monitoring](https://grafana.burble.com/d/E4iCaHoWk/dn42-dns-status?orgId=1&refresh=1m)

           burble is providing monitoring for the new DNS system. It does simple checks on all instances every minute and also logs all changes into #dn42-dns@hackint.

          +Also, gatuno provides another simple [dns checker for all the top level domains](http://gatuno.dn42/dns/) in the registry. If you want to check whatever a domain is resolving or not, this tool may be useful. The tool gets in sync with the registry every 12 hours. You can schedule checks for any domain.

          +

           # DNSSEC

           There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next siging. All other signatures are valid for 3 days and replaced at least once per day.

				services/Old-Hierarchical-DNS.md
			
          @@ -1,3 +1,7 @@

          +This information is now **deprecated**. Please check [[New DNS]] for the current architecture.

          +

          +***

          +

           DNS in the global internet is designed as a tree starting from "." and traveling outward in layers. Currently in DN42 dns is flat. This leads to issues when trying to debug problems and makes it difficult to delegate to subnets smaller than /24. Another problem that arises is having the root dns setup as an anycast. If one of the anycast roots is having problems it creates inconsistent errors for some users. This has led to the problem of when a user has a poorly configured anycast available to create their own root anycast. 

           The purpose of this project is to create a system of high quality dns roots. With them in place, an anycast resolver would only need to be a simple caching resolver that uses the roots to query.

				services/Original-DNS-(deprecated).md
			
          @@ -1,10 +1,9 @@

           # Original DNS (deprecated)

          -**The new anycast resolver for `.dn42` runs on `172.23.0.53` and `fd42:d42:d42:53::1`. Please see [[Old Hierarchical DNS]] for more information.**

          +This information is now **deprecated**. Please check [[New DNS]] for the current architecture.

          -**The information below is outdated.** 

           ***

          -*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.23.0.53` and `fd42:d42:d42:53::1`.

          +*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.20.0.53` and `fd42:d42:d42:54::1`.

           **DNS is build from [[whois database|services/Whois]]. So please edit your DNS-records there.**

          @@ -16,7 +15,7 @@ Below are several ways to use the `dn42` DNS service, from easiest to more chall

           Please be aware that this method sends **all** your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.

          -To do this, just use `172.23.0.53` or `fd42:d42:d42:53::1` as your resolver, for instance in `/etc/resolv.conf`.

          +To do this, just use `172.20.0.53` or `fd42:d42:d42:54::1` as your resolver, for instance in `/etc/resolv.conf`.

           ### Forwarding `.dn42` queries to the anycast resolver

				services/Shell.md
			
          @@ -1,8 +0,0 @@

          -# Shell

          -

          -Providers:

          -

          -| Person        | Hostname                             | Net              | Description | Contact       |

          -|:------------- |:------------------------------------ |:---------------- |:----------- |:------------- |

          -| mortzu        | shell.mortzu.dn42                    | dn42 only        | -           | -             |

          -| mc36          | telnet test.nop.dn42                  | dn42 only        |looking glass| -             |

				services/Telegram-Group.md
			
          @@ -0,0 +1,3 @@

          +Unofficial dn42 telegram group,learning and communication.

          +

          +* https://t.me/dn42dn42

				services/Telegram.md
			
          @@ -1,3 +0,0 @@

          -Unofficial dn42 telegram group,learning and communication.

          -

          -* https://t.me/dn42dn42

				services/Whois.md
			
          @@ -94,6 +94,8 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0

           | weiti      | whois.weiti.dn42             | 172.20.175.253 / fdf7:17d5:de49::43 |

           | Mic92      | whois.evenet.dn42 ([whois42d](https://git.dn42.us/dn42/whois42d)) | 172.23.75.1 / fd42:4992:6a6d::6 |

           | Fritz      | whois.flhb.de                | 172.22.70.69 / 2001:67c:708:102:5054:ff:fe57:9573 / fdd6:aff6:5f6f:102:5054:ff:fe57:9573 |

          +| NIA        | whois.nia.dn42               | 172.20.158.153 / fd00:1926:817:43::1 |

          +| Lan Tian   | whois.lantian.dn42           | 172.22.76.108 / fdbc:f9dc:67ad:2547::43 |

           ### Down?

				services/dns/Configuration.md
			
          @@ -1,6 +1,22 @@

           # Forwarder setup

          -Configuration of common resolver softwares, to forward DNS queries for `.dn42` (and reverse DNS) to `fd42:d42:d42:53::1` (or `172.23.0.53`).

          +Configuration of common resolver softwares to forward DNS queries for `.dn42` (and reverse DNS) IPv4 and IPv6 anycast services.

          +

          +You can use any *.recursive-servers.dn42 (where * is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.us/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42:

          +

          +```sh

          +drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53

          +```

          +

          +Two independent anycast services are also provided:

          +

          +| Name | IPv4 | IPv6 |

          +|---|---|---|

          +| a0.recursive-servers.dn42 | 172.20.0.53 | fd42:d42:d42:54::1 |

          +| a3.recursive-servers.dn42 | 172.23.0.53 | fd42:d42:d42:53::1 |

          +

          +All the examples here list 172.20.0.53/fd42:d42:d42:54::1, but users are encouraged to configure

          +multiple services from *.recursive-servers.dn42 for redundancy. 

           ## BIND

          @@ -10,19 +26,19 @@ by adding the following to /etc/bind/named.conf.local

           ```

           zone "dn42" {

             type forward;

          -  forwarders { 172.23.0.53; };

          +  forwarders { 172.20.0.53; fd42:d42:d42:54::1; };

           };

           zone "20.172.in-addr.arpa" {

             type forward;

          -  forwarders { 172.23.0.53; };

          +  forwarders { 172.20.0.53; fd42:d42:d42:54::1; };

           };

           zone "22.172.in-addr.arpa" {

             type forward;

          -  forwarders { 172.23.0.53; };

          +  forwarders { 172.20.0.53; fd42:d42:d42:54::1; };

           };

           zone "23.172.in-addr.arpa" {

             type forward;

          -  forwarders { 172.23.0.53; };

          +  forwarders { 172.20.0.53; fd42:d42:d42:54::1; };

           };

           ```

          @@ -37,10 +53,13 @@ config dnsmasq

                   option boguspriv '0'

                   option rebind_protection '1'

                   list rebind_domain 'dn42'

          -        list server '/dn42/172.23.0.53'

          -        list server '/20.172.in-addr.arpa/172.23.0.53'

          -        list server '/22.172.in-addr.arpa/172.23.0.53'

          -        list server '/23.172.in-addr.arpa/172.23.0.53'

          +        list server '/dn42/172.20.0.53'

          +        list server '/20.172.in-addr.arpa/172.20.0.53'

          +        list server '/21.172.in-addr.arpa/172.20.0.53'

          +        list server '/22.172.in-addr.arpa/172.20.0.53'

          +        list server '/23.172.in-addr.arpa/172.20.0.53'

          +        list server '/d.f.ip6.arpa/fd42:d42:d42:54::1'

          +

           ```

           to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42` 

          @@ -51,10 +70,12 @@ Attention: If you go with the default config you'll have to disable "boguspriv" 

           For normal dnsmasq use

           ```

          -server=/dn42/172.23.0.53

          -server=/20.172.in-addr.arpa/172.23.0.53

          -server=/22.172.in-addr.arpa/172.23.0.53

          -server=/23.172.in-addr.arpa/172.23.0.53

          +server=/dn42/172.20.0.53

          +server=/20.172.in-addr.arpa/172.20.0.53

          +server=/21.172.in-addr.arpa/172.20.0.53

          +server=/22.172.in-addr.arpa/172.20.0.53

          +server=/23.172.in-addr.arpa/172.20.0.53

          +server=/d.f.ip6.arpa/fd42:d42:d42:54::1

           ```

           in `dnsmasq.conf`.

          @@ -63,14 +84,14 @@ Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **f

           ```

           dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10

          -forward-zones-recurse=dn42=172.23.0.53,hack=172.23.0.53,ffhh=172.23.0.53,ffac=172.23.0.53,020=172.23.0.53,adm=172.23.0.53,ffa=172.23.0.53,ffhb=172.23.0.53,ffc=172.23.0.53,ffda=172.23.0.53,ffdh=172.23.0.53,ff3l=172.23.0.53,fffl=172.23.0.53,ffffm=172.23.0.53,fffr=172.23.0.53,fffd=172.23.0.53,ffgl=172.23.0.53,fflln=172.23.0.53,ffbcd=172.23.0.53,ffbgl=172.23.0.53,ffgoe=172.23.0.53,ffgt=172.23.0.53,ffh=172.23.0.53,helgo=172.23.0.53,ffhef=172.23.0.53,ffj=172.23.0.53,ffka=172.23.0.53,ffki=172.23.0.53,ffhl=172.23.0.53,fflux=172.23.0.53,ffms=172.23.0.53,mueritz=172.23.0.53,ffnord=172.23.0.53,ffnw=172.23.0.53,ffoh=172.23.0.53,ffpb=172.23.0.53,ffpi=172.23.0.53,ffrade=172.23.0.53,ffrgb=172.23.0.53,ffrg=172.23.0.53,rzl=172.23.0.53,ffsaar=172.23.0.53,fftr=172.23.0.53,fftdf=172.23.0.53,ffwk=172.23.0.53,ffgro=172.23.0.53,ffwk=172.23.0.53,ffwp=172.23.0.53,ffw=172.23.0.53,20.172.in-addr.arpa=172.23.0.53,22.172.in-addr.arpa=172.23.0.53,23.172.in-addr.arpa=172.23.0.53,31.172.in-addr.arpa=172.23.0.53,c.f.ip6.arpa=172.23.0.53

          +forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53

           ```

           ## MaraDNS

           Put this in your mararc:

           ```

          -ipv4_alias["dn42_root"] = "172.23.0.53"

          +ipv4_alias["dn42_root"] = "172.20.0.53"

           root_servers["dn42."] = "dn42_root"

           root_servers["20.172.in-addr.arpa."] = "dn42_root"

           root_servers["22.172.in-addr.arpa."] = "dn42_root"

          @@ -79,8 +100,7 @@ root_servers["23.172.in-addr.arpa."] = "dn42_root"

           ## Unbound

          -`unbound.conf` for forwarding requests to `172.23.0.53`.

          -

          +Make sure DNSSEC is disabled (`auto-trust-anchor-file` is not set):

           ```

           server:

          @@ -98,33 +118,33 @@ server:

           forward-zone: 

                 name: "dn42"

          -      forward-addr: fd42:d42:d42:53::1

          -      forward-addr: 172.23.0.53

          +      forward-addr: fd42:d42:d42:54::1

          +      forward-addr: 172.20.0.53

           forward-zone: 

                 name: "20.172.in-addr.arpa"

          -      forward-addr: fd42:d42:d42:53::1

          -      forward-addr: 172.23.0.53

          +      forward-addr: fd42:d42:d42:54::1

          +      forward-addr: 172.20.0.53

           forward-zone: 

                 name: "21.172.in-addr.arpa"

          -      forward-addr: fd42:d42:d42:53::1

          -      forward-addr: 172.23.0.53

          +      forward-addr: fd42:d42:d42:54::1

          +      forward-addr: 172.20.0.53

           forward-zone: 

                 name: "22.172.in-addr.arpa"

          -      forward-addr: fd42:d42:d42:53::1

          -      forward-addr: 172.23.0.53

          +      forward-addr: fd42:d42:d42:54::1

          +      forward-addr: 172.20.0.53

           forward-zone: 

                 name: "23.172.in-addr.arpa"

          -      forward-addr: fd42:d42:d42:53::1

          -      forward-addr: 172.23.0.53

          +      forward-addr: fd42:d42:d42:54::1

          +      forward-addr: 172.20.0.53

           forward-zone:

                 name: "d.f.ip6.arpa"

          -      forward-addr: fd42:d42:d42:53::1

          -      forward-addr: 172.23.0.53

          +      forward-addr: fd42:d42:d42:54::1

          +      forward-addr: 172.20.0.53

           ```

           ## JunOS (SRX 12.1X46)

          @@ -143,29 +163,33 @@ system {

                       }

                   default-domain dn42 {

                      forwarders {

          -              172.23.0.53;

          +              172.20.0.53;

          +	      fd42:d42:d42:54::1;

                      }

                   }

                   default-domain 20.172.in-addr.arpa {

                          forwarders {

          -                  172.23.0.53;

          +                  172.20.0.53;

          +		  fd42:d42:d42:54::1;

                          }

                       }

                   default-domain 22.172.in-addr.arpa {

                          forwarders {

          -                  172.23.0.53;

          +                  172.20.0.53;

          +		  fd42:d42:d42:54::1;

                          }

                       }

                       default-domain 23.172.in-addr.arpa {

                          forwarders {

          -                  172.23.0.53;

          +                  172.20.0.53;

          +                  fd42:d42:d42:54::1;

                          }

                       }

          -     }

          +         }

                 }

              }

           }

           ```

           ## MS DNS

          -Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa" using 172.23.0.53 as forwarder. Ignore the error message that the server is not authoritative.

          \ No newline at end of file

          +Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.

          \ No newline at end of file

				services/dns/External-DNS.md
			
          @@ -27,4 +27,4 @@ The mkdns script currently supports the following setups:

           ## Configuration

          -See [[Recursive DNS resolver]] or [[DNS forwarding configuration|/services/dns/Configuration]].

          \ No newline at end of file

          +See [[DNS forwarding configuration|/services/dns/Configuration]].

          \ No newline at end of file

...	...	@@ -0,0 +1,63 @@
	1	+Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
	2	+
	3	+```
	4	+@echo off
	5	+REM fill in YOUR network information
	6	+REM right click and RUN AS ADMIN
	7	+
	8	+REM our entire private network address space
	9	+set networkv4=172.20.0.0
	10	+set networkv4mask=255.252.0.0
	11	+set networkv6=fd00::/8
	12	+
	13	+REM our IPv4 subnet info
	14	+set subnetv4=172.20.184.240
	15	+set subnetv4mask=255.255.255.248
	16	+set gateway4=172.20.184.241
	17	+
	18	+REM our IPv6 subnet info
	19	+set subnetv6=fd43:6d1:3ee2::/48
	20	+set gateway6=fd43:6d1:3ee2:1000::1
	21	+
	22	+REM our address for this machine
	23	+set yournetaddr=172.20.184.242
	24	+set yournetaddr6=fd43:6d1:3ee2:1000::2/128
	25	+
	26	+REM add IPs
	27	+REM if different change wlan0 to YOUR interface name
	28	+REM first line here is for my LAN. Ignore it.
	29	+netsh interface ipv4 add address "wlan0" 192.168.2.254 255.255.255.0
	30	+netsh interface ipv4 add address "wlan0" %yournetaddr% %subnetv4mask%
	31	+netsh interface ipv6 add address "wlan0" %yournetaddr6%
	32	+
	33	+REM add IPv4 routes
	34	+route -4 add %subnetv4% mask %subnetv4mask% %gateway4%
	35	+route -4 add %networkv4% mask %networkv4mask% %gateway4%
	36	+
	37	+REM add IPv6 routes
	38	+route -6 add %gateway6% ::
	39	+route -6 add %subnetv6% %gateway6%
	40	+REM this last route wasn't working without manually filling in the info.
	41	+REM I don't know why.. Broken line commented out.
	42	+REM route -6 add %networkv6% %gateway6%
	43	+route -6 add fd00::/8 fd43:6d1:3ee2:1000::1
	44	+
	45	+echo Press enter to check your IPv4 routing table
	46	+echo Do not forget to add static routes to this computer on your BGP router!
	47	+echo Example: "root@router:~# ip route add 172.20.184.242 dev wlan0"
	48	+echo Example: "root@router:~# ip route add fd43:6d1:3ee2:1000::2/128 dev wlan0"
	49	+pause
	50	+cls
	51	+route -4 print
	52	+echo Press enter to check your IPv6 routing table
	53	+pause
	54	+cls
	55	+route -6 print
	56	+echo Press enter to try to ping gateway
	57	+pause
	58	+cls
	59	+ping %gateway4%
	60	+pause
	61	+ping %gateway6%
	62	+pause
	63	+```
...	...	\ No newline at end of file

...	...	@@ -2,6 +2,8 @@
2	2
3	3	* [[Home]]
4	4	* [[Getting started]]
	5	+ * [[Registry Authentication]]
	6	+ * [[Address Space]]
5	7	* [[FAQ]]
6	8
7	9	* [[How-to\|/pages/howto/]]
...	...	@@ -15,6 +17,7 @@
15	17	* [[OpenBGPD\|OpenBGPD]]
16	18	* [[Mikrotik RouterOS\|mikrotik]]
17	19	* [[EdgeRouter\|EdgeOS Config]]
	20	+ * [[Static routes on Windows]]
18	21
19	22	* [[Services\|/pages/services/]]
20	23	* [[IRC]]

...	...	@@ -41,7 +41,7 @@ The [[Getting started]] page helps you to get your first node inside the network
41	41	* [Lecture on GPN8](http://entropia.de/wiki/GPN8:dn42)
42	42	* [soup.io group](http://dn42.soup.io/)
43	43	* [nobody about dn42](http://nowhere.ws/guides/dn42/)
44		- * [Lecture on mrmcd0x8](http://mrmcd0x8.metarheinmain.de/fahrplan/events/3321.de.html)
	44	+ * [Lecture on mrmcd0x8](http://web.archive.org/web/20090831211324/http://mrmcd0x8.metarheinmain.de/fahrplan/events/3321.de.html)
45	45	* [dn42-category in hackerspaces.org wiki](https://hackerspaces.org/wiki/Category:DN42)
46	46	* [pentaradio24 – german podcast](https://www.c3d2.de/news/pentaradio24-20150428.html)
47	47	* [dn42 in your browser](http://freerouter.nop.hu/online.html)

...	...	@@ -0,0 +1,57 @@
	1	+DN42 uses network addresses in the [rfc1918](https://tools.ietf.org/html/rfc1918) and [ULA](https://tools.ietf.org/html/rfc4193) ranges. These are described in detail within the sections below.
	2	+
	3	+The [DN42 registry](https://git.dn42.us/dn42/registry) is the authoritative source of information on address space assignment. Within the registry, the DN42 address space is divided in to blocks based on _policies_ that define how the addresses may be used. Policies are defined in `inetnum` and `inet6num` objects and can be:
	4	+
	5	+ - open - users may request prefixes in this range, subject to any constraints that are described in the `remark` attributes
	6	+ - closed - these ranges cannot be assigned
	7	+ - reserved - these ranges are reserved for future use
	8	+ - ask - these ranges are for specific uses, please ask on the mailing list before requesting assignments
	9	+
	10	+A simple way to see all the active policies in the registry is to search the registry content for policy attributes:
	11	+
	12	+```sh
	13	+grep -r ^policy data/inet{,6}num/
	14	+```
	15	+
	16	+The [filter.txt](https://git.dn42.us/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.us/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced.
	17	+
	18	+`inetnum` and `inet6num` objects within the registry are used to describe the allocation of address space to users. `route` and `route6` objects in the registry are used to validate routing announcements through [ROA](https://wiki.dn42/howto/Bird#route-origin-authorization).
	19	+
	20	+In addition to the native DN42 address ranges, the registry also contains allocations for the address space used by affiliate networks. These are updated by a regular [sync script](https://git.dn42.us/dn42/registry-sync).
	21	+
	22	+Globally routable prefixes are not supported in DN42; they are denied via the registry filter{6,}.txt files and many networks will filter both announcements and traffic for prefixes that are outside of the allowable ranges.
	23	+
	24	+# IPv6 Address Space
	25	+
	26	+DN42 uses the fd00::/8 ULA range for IPv6 addresses. Apart from a block of addresses reserved for anycast (fd42:d42:d42::/48), the whole fd00::/8 block has an open policy and users are free to request any prefix in this range, that is not already allocated.
	27	+
	28	+The DN42 registry is not authoritative for the fd00::/8 range
	29	+
	30	+DN42 is interconnected with other networks, like icvpn, which also use the same ULA range and many users will also use this range for their own networks. A registration in the dn42 registry cannot prevent IPv6 conflicts, so a fully random prefix (see [RFC4193](https://tools.ietf.org/html/rfc4193)) is strongly recommended. If an address conflict is found, then needing to renumber your network is no fun.
	31	+
	32	+# IPv4 Address Space
	33	+
	34	+DN42 uses the 172.20.0.0/14 range for IPv4 addresses. As with the public internet, IPv4 space is more limited and users are encouraged to conserve space where possible. A typical assignment in DN42 is a /27 and any requests for assignments larger than /24 must provide justification.
	35	+
	36	+Unlike the IPv6 address space, the DN42 IPv4 space is not fully open for assignment to users; some ranges are intended for specific uses and other ranges are reserved. See the policy section, below. Users should always check the policy in the registry before requesting a prefix to be assigned.
	37	+
	38	+There are other IPv4 ranges in use within DN42 related to the affiliate networks, see the [filter.txt](https://git.dn42.us/dn42/registry/src/master/data/filter.txt) file in the registry.
	39	+
	40	+## IPv4 Policies
	41	+
	42	+The diagram below shows the allocation policies for the DN42 address space.
	43	+
	44	+![Policy Map Image](images/PolicyMap.png)
	45	+
	46	+Specific policy restrictions:
	47	+
	48	+\| Prefix \| Usage \|
	49	+\|--------\|-------\|
	50	+\| 172.20.0.0/24<br/>172.21.0.0/24<br/>172.22.0.0/24<br/>172.23.0.0/24 \| Reserved for anycast addresses \|
	51	+\| 172.20.240.0/20<br/>172.22.240.0/20 \| Reserved for transfer networks \|
	52	+\| 172.20.64.0/18 \| Reserved for allocations larger than /23, up to /21 \|
	53	+\| 172.22.0.0/18 \| Reserved for allocations of /24 or larger, up to /21 \|
	54	+\| 172.23.16.0/21 \| Closed to new allocations \|
	55	+\| 172.21.0.0/18<br/>172.21.128.0/17<br/>172.22.192.0/18 \| Reserved for future use \|
	56	+
	57	+

...	...	@@ -87,7 +87,7 @@ template bgp dnpeers {
87	87	reject;
88	88	};
89	89	export filter {
90		- if is_valid_network() then {
	90	+ if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
91	91	accept;
92	92	}
93	93	reject;
...	...	@@ -195,7 +195,7 @@ template bgp dnpeers {
195	195	};
196	196	export filter {
197	197	# here we export the whole net
198		- if is_valid_network() then {
	198	+ if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
199	199	accept;
200	200	}
201	201	reject;

...	...	@@ -2,6 +2,8 @@
2	2	## Setup
3	3	### Installation hints
4	4	For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ installed.
	5	+
	6	+Don't forget to disable selinux :)
5	7	### Generate an RSA keypair
6	8
7	9	root@debian:~# mkdir /etc/ipsec.d/public

...	...	@@ -12,7 +12,7 @@ The goal is to have a small, yet complete setup for all peers with ROA validatio
12	12
13	13	As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on.
14	14
15		-By default, [`bgpd(8)`](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.
	15	+By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.
16	16
17	17	## local host
18	18	Information such as ASN, router ID and allocated networks are required:
...	...	@@ -40,7 +40,7 @@ network prefix-set mynetworks set large-community $ASN:1:1
40	40
41	41	## neighbors
42	42	For each neighbor its ASN and transfer ULA is required.
43		-An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
	43	+An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
44	44	```
45	45	# peer A, transport over IPSec/GRE
46	46	$A_local="fd00:12:34:A::1"
...	...	@@ -99,17 +99,11 @@ match from ebgp set { large-community delete $ASN:: }
99	99	match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
100	100	```
101	101
102		-Misbehaving peers can be adjusted; for example Bird on FreeBSD is known to sometimes announce routes with incorrect `nexthop` attributes:
103		-```
104		-# XXX otherwise routes are installed with ::/128 nexthop
105		-match from AS $A_ASN set { nexthop $A_remote }
106		-```
107		-
108	102	# ROA
109		-OpenBSD ships with [rpki-client(8)](http://man.openbsd.org/rpki-client.8) which nicely integrates with bgpd.
	103	+OpenBSD ships with [rpki-client(8)](http://man.openbsd.org/rpki-client.8) which nicely integrates with bgpd.
110	104	Since DN42 emulates an IRR WHOIS service through the registry repository instead of providing an RPKI repository, this tool cannot be used.
111	105
112		-Instead, a shell script parses route objects from the registry repository and generates a `roa-set {...}` block that is to be included in the main configuration file.
	106	+Instead, [a shell script](https://t4-2.high5.nl/pub/dn42/generate_roa-set.sh) parses route objects from the registry repository and generates a `roa-set {...}` block that is to be included in the main configuration file.
113	107
114	108	One single `roa-set` may be defined, against which bgpd will validate the origin of each prefix; this allows filter rules to use the `ovs` keyword as demonstrated above.
115	109
...	...	@@ -128,4 +122,8 @@ Include it in `/etc/bgpd.conf`:
128	122	include "/etc/dn42.roa-set"
129	123	```
130	124
131		-# Looking glass
...	...	\ No newline at end of file
	0	+# Looking glass
	1	+This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.
	2	+The bgplg manual contains the few steps and example [httpd.conf(5)](http://man.openbsd.org/httpd.conf.5) required to enable the looking glass.
	3	+
	4	+See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.
...	...	\ No newline at end of file

...	...	@@ -0,0 +1,46 @@
	1	+# systemd-networkd configuration example
	2	+This is the config that is used on ZOTAN Networks (AS4242422341). Full network configuration available on [my Git](https://git.zotan.dn42/zotan/dn42) (dn42) or alternatively [my Git](https://git.prod.zotan.network/zotan/dn42) (clear)
	3	+
	4	+
	5	+# Configuration
	6	+
	7	+## loopback device (lo.network)
	8	+```
	9	+[Match]
	10	+Name=lo
	11	+
	12	+[Network]
	13	+Address=fdff:b02d:2ef7::2/128
	14	+```
	15	+
	16	+## wireguard netdev (dn42p1.netdev)
	17	+```
	18	+[NetDev]
	19	+Name = dn42p1
	20	+Kind = wireguard
	21	+Description = WireGuard
	22	+
	23	+[WireGuard]
	24	+ListenPort = 42421
	25	+PrivateKeyFile = /etc/wireguard/private.key
	26	+
	27	+[WireGuardPeer]
	28	+PublicKey = <peer wg pubkey>
	29	+Endpoint = <peer wg endpoint>:<peer wg port>
	30	+AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
	31	+```
	32	+
	33	+## wireguard network (dn42p1.network)
	34	+```
	35	+[Match]
	36	+Name = dn42p1
	37	+
	38	+[Address]
	39	+Address = fe80::2342/128 # arbitrary, doesn't need to be unique for each interface
	40	+Peer = <peer tunnel linklocal address>/128
	41	+
	42	+[Address]
	43	+Address = <your DN42 ipv4>/32
	44	+Peer = <peer DN42 ipv4>/32
	45	+
	46	+```
...	...	\ No newline at end of file

...	...	@@ -59,7 +59,7 @@ An alternative is available at https://ip.naive.network, which displays your cle
59	59	\| _Configuring Yacy Network settings:_ \|[YaCy Network Configuration](http://yacy.dn42/yacy.network.dn42.unit) \|
60	60
61	61
62		-## File sharing
	62	+## File Sharing
63	63
64	64	### Tahoe LAFS
65	65	Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure decentralized crypted file storage but in dn42.

...	...	@@ -8,11 +8,17 @@ You are asked to show some creativity in terms of network usage and content. ;)
8	8
9	9	xuu is maintaining an [[certificate authority]] for internal services.
10	10
	11	+zotan is maintaining an (experimental, but working) [ACME server](https://acme.dn42) (with accompanying CA), compatible with any LetsEncrypt client like Certbot, Dehydrated or Caddy.
	12	+
11	13	## Network-related
12	14	* See [[Looking Glasses]] for more network diagnostic tools
13	15	* Map of the network: [map.nixnodes.net](http://map.nixnodes.net)
14	16	* An alternate network map: [map.dn42](http://map.dn42/) (Note: Currently DN42 only, will be public available after testing, this is a direct copy of nixnodes map with some fixes and new functions since original map is no longer maintained)
15	17	* DN42 IP address lookup tool: [dn42.g-load.eu/ip](https://dn42.g-load.eu/ip/)
	18	+ * New DNS System monitoring: [grafana.burble.com/d/E4iCaHoWk/dn42-dns-status](https://grafana.burble.com/d/E4iCaHoWk/dn42-dns-status?orgId=1&refresh=1m)
	19	+ * DN42 Toplevel domain DNS monitoring: [gatuno.dn42/dns](http://gatuno.dn42/dns)
	20	+ * Free DNS Hosting. You can host any toplevel or subdomain from dn42: [gatuno.dn42/managed](http://gatuno.dn42/managed/)
	21	+ * What is my IP: [whatismyip.dn42](http://whatismyip.dn42/), [ip4.dn42](http://ip4.dn42/), [ip6.dn42](http://ip6.dn42/)
16	22
17	23	### Proving ASN ownership
18	24	Through this automated service you prove your ASN ownership to KIOUBIT-MNT who then automatically creates a "ownership verification signature".
...	...	@@ -49,12 +55,15 @@ API: https://dn42.g-load.eu/verify/documentation.txt
49	55	\|:------------------------------------------------- \|:-------------------------------------------------------- \|
50	56	\| http://img.dn42 \| Imagehoster \|
51	57	\| http://chan.dn42 \| DN42-Chan, an imageboard \|
	58	+\| http://j.munsternet.dn42 \| Jellyfin instance with movies and TV shows (test)
	59	+\|
52	60
53	61	## Radio and Video Streaming
54	62
55	63	\| Hostname / IP \| Remarks \|
56	64	\|:------------------------------------------------- \|:-------------------------------------------------------- \|
57	65	\| http://stream.media.dn42/ \| icecast-relay, contact toBee for more streams \|
	66	+\| https://invidious.doxz.dn42/ \| Invidious instance with proxy (Youtube) \|
58	67
59	68	### Direct Connect
60	69	Some [Advanced Direct Connect](https://en.wikipedia.org/wiki/Advanced_Direct_Connect) Hubs are being run DN42 internally. Choose a [client](https://en.wikipedia.org/wiki/Comparison_of_ADC_software#Client_software) and connect to exchange files.
...	...	@@ -79,11 +88,6 @@ Some [Advanced Direct Connect](https://en.wikipedia.org/wiki/Advanced_Direct_Con
79	88
80	89	- https://magnetic.dn42 (DHT Search Engine)
81	90
82		-### BitTorrent tracker
83		-- http://172.20.184.241/ (IPv4)
84		-- http://[fd43:6d1:3ee2:1000:1]/ (IPv6)
85		-- http://tracker.dn42/ (info page)
86		-
87	91	## Proxies
88	92
89	93	See http://wiki.hamburg.ccc.de/ChaosVPN:Proxy
...	...	@@ -115,6 +119,15 @@ Repository Mirrors are listed on another page: [Repository Mirrors](/services/Re
115	119	\| Hostname / IP \| Game \| Remarks \|
116	120	\|:------------------------------------------------- \|:---------------------- \|:-------------------------- \|
117	121	\| hulk.mhm.dn42 (172.23.67.1) \| Tetrinet \| \|
	122	+\| mc.nia.dn42 (172.20.168.131) \| Minecraft \| 1.15.2, Optimized for CN \|
	123	+
	124	+## Shell
	125	+
	126	+Providers of shell access:
	127	+
	128	+\| Person \| Hostname \| Net \| Description \| Contact \|
	129	+\|:------------- \|:------------------------------------ \|:---------------- \|:----------- \|:------------- \|
	130	+\| mc36 \| telnet test.nop.dn42 \| dn42 only \|looking glass\| - \|
118	131
119	132	## Misc
120	133
...	...	@@ -130,6 +143,7 @@ Repository Mirrors are listed on another page: [Repository Mirrors](/services/Re
130	143	\| https://git.dn42[.us]/pubkeys/[username] \| Get ssh public keys from Git Users of git.dn42. \|
131	144	\| http://wiki.dn42, http://internal.dn42, [dn42.i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) (i2p), jsptropkiix3ki5u.onion \| This wiki! Web Hosted by [xuu](https://xuu.dn42). Git Repo hosted on git.dn42 \|
132	145	\| http://jack.pyropeter.eu/dn42/routecount/ \| Statistics about the number of v4/v6 routes seen by AS76115 (Since Aug. 2014) \|
	146	+\| https://git.zotan.dn42 \| Git Repository Hosting, open signup (Powered by gitea)\|
133	147
134	148	### Usenet Servers / News
135	149	There are some News Servers available [here](/services/News)

...	...	@@ -1,15 +1,67 @@
1		-# DN42 Public DNS
2		-* IPv4:172.20.0.53
3		-* IPv6:fd42:d42:d42:54::1
	1	+# DN42 DNS
4	2
5		-Tips:old DNS 172.23.0.53 and fd42:d42:d42:53::1 already stop updated.
	3	+This page covers guidance and examples on using DNS within DN42.
6	4
7		-* [[dns/Configuration\|Configuration]] - DN42 DNS forward configuration for openwrt and bind......
8		-* [[dns/External-DNS\|External-DNS]] - external DNS zones from interconnected networks
	5	+## Quick Start
	6	+
	7	+It is recommended to run your own DNS resolver as this provides you with the most security and privacy.
	8	+However, to get started, or if running your own resolver isn't desirable an anycast service
	9	+is available. The anycast service supports DNSSEC and will resolve public DNS names together with all the
	10	+relevant DN42 and affiliated networks' names.
	11	+
	12	+### Using the DNS Anycast Service
	13	+
	14	+The DNS anycast service is provided by multiple operators, with each operator contributing to one of the two separate
	15	+anycast services. By configuring both services, users get additional resiliency from having two, independent, resolvers.
	16	+
	17	+\| Name \| IPv4 \| IPv6 \|
	18	+\|---\|---\|---\|
	19	+\| a0.recursive-servers.dn42 \| 172.20.0.53 \| fd42:d42:d42:54::1 \|
	20	+\| a3.recursive-servers.dn42 \| 172.23.0.53 \| fd42:d42:d42:53::1 \|
	21	+
	22	+To configure the service, ping both sets of addresses then set your primary nameserver to the lowest latency
	23	+service and configure the other service as the secondary or backup nameserver.
	24	+
	25	+Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
	26	+
	27	+```text
	28	+nameserver 172.20.0.53
	29	+nameserver 172.23.0.53
	30	+nameserver fd42:d42:d42:54::1
	31	+nameserver fd42:d42:d42:53::1
	32	+search dn42
	33	+```
9	34
	35	+Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
10	36
11		-# DN42 DNS Architecture
	37	+```text
	38	+nameserver fd42:d42:d42:53::1
	39	+nameserver fd42:d42:d42:54::1
	40	+nameserver 172.23.0.53
	41	+nameserver 172.20.0.53
	42	+search dn42
	43	+```
12	44
	45	+## Advanced Configuration
	46	+
	47	+There are multiple top level domains (TLDs) associated with DN42, its affiliated networks and for reverse DNS that must
	48	+be configured in order to run your own resolver. The registry is the authoritative source of active TLDs, but see also
	49	+this page [[dns/External-DNS\|External-DNS]] in the wiki.
	50	+
	51	+### Split horizon DNS
	52	+
	53	+In this configuration, you run your own, caching resolver but forward DN42 related queries (with recursion bit set)
	54	+to the anycast service. Example configurations for different recursor implementations are included in the [[dns/Configuration\|Configuration]] page.
	55	+
	56	+### Full recursion
	57	+
	58	+Authoritative DNS for DN42 is provided by the *.delegation-servers.dn42 servers, see the DNS architecture here
	59	+[[New DNS]] Delegations servers have full support for DNSSEC.
	60	+
	61	+## Further Information
	62	+
	63	+* [[dns/Configuration\|Configuration]] - Forwarder configuration examples
13	64	* [[New DNS]] - current architecture
	65	+* [[dns/External-DNS\|External-DNS]] - external DNS zones from interconnected networks
14	66	* [[Old Hierarchical DNS]] - deprecated
15		-* [[Original DNS (deprecated)]] - deprecated
...	...	\ No newline at end of file
	0	+* [[Original DNS (deprecated)]] - deprecated

...	...	@@ -12,7 +12,7 @@ Remember, if you announce an anycast /64, then you need to provide all servi
12	12
13	13	\| Name \| Service address \| Protocol/port \| Comment \|
14	14	\| ---------------------- \| ------------------------- \| ----------------- \| ----------------------------- \|
15		-\| Recursive DNS resolver \| `fd42:d42:d42:53::1/64` \| UDP/53 \| `.` and `dn42.` [Providers][] \|
	15	+\| Recursive DNS resolver \| `fd42:d42:d42:54::1/64` \| UDP/53 \| `.` and `dn42.` [Providers][] \|
16	16	\| Whois Database \| `fd42:d42:d42:43::1/64` \| TCP/43 \| \|
17	17	\| TOR SOCKS5 Proxy \| `fd42:d42:d42:9050::1/64` \| TCP/9050 \| \|
18	18	\| internal Wiki \| `fd42:d42:d42:80::1/64` \| TCP/80, TCP/443 \| \|

...	...	@@ -1,9 +1,8 @@
1	1	# IRC
2	2	> TLDR: irc.hackint.dn42, #dn42
3	3
4		-We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. While a plain text connection is possible it is recommended to connect via TLS on port 9999.
	4	+We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 9999.
5	5
6		-There's a little [statistic script](https://dev.0l.dn42/stats/) running hourly.
7	6
8	7	## hackint.org
9	8

...	...	@@ -17,15 +17,20 @@ Please sort by AS number.
17	17	\| 4242421588 \| dn42: http://lg.tech9computers.dn42 <br> Interactive (traceroute, BGP-map) \| UP \|
18	18	\| 4242421926 \| dn42: https://lg.zhaofeng.dn42 <br> ext: https://lg.naive.network \| UP \|
19	19	\| 4242421955 \| dn42: http://lg.nop.dn42/ <br> telnet:test.nop.dn42 <br> ext: http://freerouter.nop.hu/online.html\| UP \|
	20	+\| 4242422547 \| ext: https://lg.lantian.pub or https://lg-alt.lantian.pub <br> dn42: http://lg.lantian.dn42 or http://lg-alt.lantian.dn42 \| UP \|
20	21	\| 4242422601 \| dn42: http://lg.burble.dn42 <br> ext: https://lg.burble.com/ \| UP \|
21	22	\| 4242422700 \| dn42: http://lg.gotroot.dn42 <br> ext: http://dn42.gotroot.ca/ \| UP \|
	23	+\| 4242422904 \| ext: https://lg.doxz.net/ \| UP \|
22	24	\| 4242423905 \| ext: https://dn42-svc.weiti.org/ulg/ <br> dn42: https://lg.weiti.dn42/ \| UP \|
23		-\| 4242423088 \| ext: http://lg.dn42.6700.cc <br> dn42: http://lg.sun.dn42/ \| UP \|
	25	+\| 4242423088 \| ext: https://lg.dn42.6700.cc <br> dn42: http://lg.sun.dn42/ \| UP \|
24	26	\| 4242421722 \| ext: https://lg42.tchekda.fr <br> dn42: http://lg42.tchekda.dn42/ \| UP \|
25	27	\| 4242422237 \| ext: https://lg.dn42.munsternet.eu \| UP \|
26	28	\| 4242420181 \| ext: https://lg.dn42.miegl.cz <br> dn42: http://lg.mgl.dn42 \| UP \|
27	29	\| 4242421331 \| ext: https://net-lg.nia.ac.cn <br> dn42: http://lg.nia.dn42 \| UP \|
28		-\| 4242422189 \| dn42: http://lg.iedon.dn42/ \| UP \|
	30	+\| 4242422189 \| dn42: http://lg.iedon.dn42 \| UP \|
	31	+\| 4242422341 \| ext: https://lg.dn42.zotan.network <br> dn42: https://lg.zotan.dn42 \| UP \|
	32	+\| 4242423078 \| dn42: http://lg.hex.dn42 <br> Interactive (traceroute, BGP-map) <br> IPv6 only \| UP \|
	33	+\| 4242421050 \| ext: https://lg.dn42.napshome.net <br> dn42: http://lg.napshome.dn42 \| UP \|
29	34
30	35	## Down
31	36

...	...	@@ -4,7 +4,7 @@ After frequent issues with the [[Old Hierarchical DNS]] system in early 2018, wo
4	4	* Proper DNSSEC support for everything.
5	5
6	6	# End Users
7		-It is strongly recommended to run your own resolver for security and privacy reasons. Setting it up and maintaining it should be easy, see [Running your own instances](#running-your-own-instances).
	7	+It is strongly recommended to run your own resolver for security and privacy reasons. Setting it up and maintaining it should be easy, see [[dns/Configuration\|Configuration]].
8	8
9	9	If running your own resolver is not possible or undesirable, you can choose one or more instances from [dns/recursive-servers.dn42 in the registry](https://git.dn42.us/dn42/registry/src/master/data/dns/recursive-servers.dn42). Please make sure you fully understand the consequences and fully trust these operators.
10	10
...	...	@@ -38,6 +38,8 @@ These instances do not serve any clients. They poll the registry regularly and r
38	38	# [Monitoring](https://grafana.burble.com/d/E4iCaHoWk/dn42-dns-status?orgId=1&refresh=1m)
39	39	burble is providing monitoring for the new DNS system. It does simple checks on all instances every minute and also logs all changes into #dn42-dns@hackint.
40	40
	41	+Also, gatuno provides another simple [dns checker for all the top level domains](http://gatuno.dn42/dns/) in the registry. If you want to check whatever a domain is resolving or not, this tool may be useful. The tool gets in sync with the registry every 12 hours. You can schedule checks for any domain.
	42	+
41	43	# DNSSEC
42	44	There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next siging. All other signatures are valid for 3 days and replaced at least once per day.
43	45

...	...	@@ -1,3 +1,7 @@
	1	+This information is now deprecated. Please check [[New DNS]] for the current architecture.
	2	+
	3	+***
	4	+
1	5	DNS in the global internet is designed as a tree starting from "." and traveling outward in layers. Currently in DN42 dns is flat. This leads to issues when trying to debug problems and makes it difficult to delegate to subnets smaller than /24. Another problem that arises is having the root dns setup as an anycast. If one of the anycast roots is having problems it creates inconsistent errors for some users. This has led to the problem of when a user has a poorly configured anycast available to create their own root anycast.
2	6
3	7	The purpose of this project is to create a system of high quality dns roots. With them in place, an anycast resolver would only need to be a simple caching resolver that uses the roots to query.

...	...	@@ -1,10 +1,9 @@
1	1	# Original DNS (deprecated)
2		-The new anycast resolver for `.dn42` runs on `172.23.0.53` and `fd42:d42:d42:53::1`. Please see [[Old Hierarchical DNS]] for more information.
	2	+This information is now deprecated. Please check [[New DNS]] for the current architecture.
3	3
4		-The information below is outdated.
5	4	***
6	5
7		-(tl;dr) We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.23.0.53` and `fd42:d42:d42:53::1`.
	6	+(tl;dr) We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.20.0.53` and `fd42:d42:d42:54::1`.
8	7
9	8	DNS is build from [[whois database\|services/Whois]]. So please edit your DNS-records there.
10	9
...	...	@@ -16,7 +15,7 @@ Below are several ways to use the `dn42` DNS service, from easiest to more chall
16	15
17	16	Please be aware that this method sends all your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.
18	17
19		-To do this, just use `172.23.0.53` or `fd42:d42:d42:53::1` as your resolver, for instance in `/etc/resolv.conf`.
	18	+To do this, just use `172.20.0.53` or `fd42:d42:d42:54::1` as your resolver, for instance in `/etc/resolv.conf`.
20	19
21	20	### Forwarding `.dn42` queries to the anycast resolver
22	21

...	...	@@ -1,8 +0,0 @@
1		-# Shell
2		-
3		-Providers:
4		-
5		-\| Person \| Hostname \| Net \| Description \| Contact \|
6		-\|:------------- \|:------------------------------------ \|:---------------- \|:----------- \|:------------- \|
7		-\| mortzu \| shell.mortzu.dn42 \| dn42 only \| - \| - \|
8		-\| mc36 \| telnet test.nop.dn42 \| dn42 only \|looking glass\| - \|

...	...	@@ -0,0 +1,3 @@
	1	+Unofficial dn42 telegram group,learning and communication.
	2	+
	3	+* https://t.me/dn42dn42

...	...	@@ -1,3 +0,0 @@
1		-Unofficial dn42 telegram group,learning and communication.
2		-
3		-* https://t.me/dn42dn42

...	...	@@ -94,6 +94,8 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
94	94	\| weiti \| whois.weiti.dn42 \| 172.20.175.253 / fdf7:17d5:de49::43 \|
95	95	\| Mic92 \| whois.evenet.dn42 ([whois42d](https://git.dn42.us/dn42/whois42d)) \| 172.23.75.1 / fd42:4992:6a6d::6 \|
96	96	\| Fritz \| whois.flhb.de \| 172.22.70.69 / 2001:67c:708:102:5054:ff:fe57:9573 / fdd6:aff6:5f6f:102:5054:ff:fe57:9573 \|
	97	+\| NIA \| whois.nia.dn42 \| 172.20.158.153 / fd00:1926:817:43::1 \|
	98	+\| Lan Tian \| whois.lantian.dn42 \| 172.22.76.108 / fdbc:f9dc:67ad:2547::43 \|
97	99
98	100	### Down?
99	101

...	...	@@ -1,6 +1,22 @@
1	1	# Forwarder setup
2	2
3		-Configuration of common resolver softwares, to forward DNS queries for `.dn42` (and reverse DNS) to `fd42:d42:d42:53::1` (or `172.23.0.53`).
	3	+Configuration of common resolver softwares to forward DNS queries for `.dn42` (and reverse DNS) IPv4 and IPv6 anycast services.
	4	+
	5	+You can use any .recursive-servers.dn42 (where is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.us/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42:
	6	+
	7	+```sh
	8	+drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53
	9	+```
	10	+
	11	+Two independent anycast services are also provided:
	12	+
	13	+\| Name \| IPv4 \| IPv6 \|
	14	+\|---\|---\|---\|
	15	+\| a0.recursive-servers.dn42 \| 172.20.0.53 \| fd42:d42:d42:54::1 \|
	16	+\| a3.recursive-servers.dn42 \| 172.23.0.53 \| fd42:d42:d42:53::1 \|
	17	+
	18	+All the examples here list 172.20.0.53/fd42:d42:d42:54::1, but users are encouraged to configure
	19	+multiple services from *.recursive-servers.dn42 for redundancy.
4	20
5	21	## BIND
6	22
...	...	@@ -10,19 +26,19 @@ by adding the following to /etc/bind/named.conf.local
10	26	```
11	27	zone "dn42" {
12	28	type forward;
13		- forwarders { 172.23.0.53; };
	29	+ forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
14	30	};
15	31	zone "20.172.in-addr.arpa" {
16	32	type forward;
17		- forwarders { 172.23.0.53; };
	33	+ forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
18	34	};
19	35	zone "22.172.in-addr.arpa" {
20	36	type forward;
21		- forwarders { 172.23.0.53; };
	37	+ forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
22	38	};
23	39	zone "23.172.in-addr.arpa" {
24	40	type forward;
25		- forwarders { 172.23.0.53; };
	41	+ forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
26	42	};
27	43	```
28	44
...	...	@@ -37,10 +53,13 @@ config dnsmasq
37	53	option boguspriv '0'
38	54	option rebind_protection '1'
39	55	list rebind_domain 'dn42'
40		- list server '/dn42/172.23.0.53'
41		- list server '/20.172.in-addr.arpa/172.23.0.53'
42		- list server '/22.172.in-addr.arpa/172.23.0.53'
43		- list server '/23.172.in-addr.arpa/172.23.0.53'
	56	+ list server '/dn42/172.20.0.53'
	57	+ list server '/20.172.in-addr.arpa/172.20.0.53'
	58	+ list server '/21.172.in-addr.arpa/172.20.0.53'
	59	+ list server '/22.172.in-addr.arpa/172.20.0.53'
	60	+ list server '/23.172.in-addr.arpa/172.20.0.53'
	61	+ list server '/d.f.ip6.arpa/fd42:d42:d42:54::1'
	62	+
44	63	```
45	64
46	65	to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42`
...	...	@@ -51,10 +70,12 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
51	70	For normal dnsmasq use
52	71
53	72	```
54		-server=/dn42/172.23.0.53
55		-server=/20.172.in-addr.arpa/172.23.0.53
56		-server=/22.172.in-addr.arpa/172.23.0.53
57		-server=/23.172.in-addr.arpa/172.23.0.53
	73	+server=/dn42/172.20.0.53
	74	+server=/20.172.in-addr.arpa/172.20.0.53
	75	+server=/21.172.in-addr.arpa/172.20.0.53
	76	+server=/22.172.in-addr.arpa/172.20.0.53
	77	+server=/23.172.in-addr.arpa/172.20.0.53
	78	+server=/d.f.ip6.arpa/fd42:d42:d42:54::1
58	79	```
59	80	in `dnsmasq.conf`.
60	81
...	...	@@ -63,14 +84,14 @@ Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **f
63	84
64	85	```
65	86	dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
66		-forward-zones-recurse=dn42=172.23.0.53,hack=172.23.0.53,ffhh=172.23.0.53,ffac=172.23.0.53,020=172.23.0.53,adm=172.23.0.53,ffa=172.23.0.53,ffhb=172.23.0.53,ffc=172.23.0.53,ffda=172.23.0.53,ffdh=172.23.0.53,ff3l=172.23.0.53,fffl=172.23.0.53,ffffm=172.23.0.53,fffr=172.23.0.53,fffd=172.23.0.53,ffgl=172.23.0.53,fflln=172.23.0.53,ffbcd=172.23.0.53,ffbgl=172.23.0.53,ffgoe=172.23.0.53,ffgt=172.23.0.53,ffh=172.23.0.53,helgo=172.23.0.53,ffhef=172.23.0.53,ffj=172.23.0.53,ffka=172.23.0.53,ffki=172.23.0.53,ffhl=172.23.0.53,fflux=172.23.0.53,ffms=172.23.0.53,mueritz=172.23.0.53,ffnord=172.23.0.53,ffnw=172.23.0.53,ffoh=172.23.0.53,ffpb=172.23.0.53,ffpi=172.23.0.53,ffrade=172.23.0.53,ffrgb=172.23.0.53,ffrg=172.23.0.53,rzl=172.23.0.53,ffsaar=172.23.0.53,fftr=172.23.0.53,fftdf=172.23.0.53,ffwk=172.23.0.53,ffgro=172.23.0.53,ffwk=172.23.0.53,ffwp=172.23.0.53,ffw=172.23.0.53,20.172.in-addr.arpa=172.23.0.53,22.172.in-addr.arpa=172.23.0.53,23.172.in-addr.arpa=172.23.0.53,31.172.in-addr.arpa=172.23.0.53,c.f.ip6.arpa=172.23.0.53
	87	+forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53
67	88	```
68	89
69	90	## MaraDNS
70	91	Put this in your mararc:
71	92
72	93	```
73		-ipv4_alias["dn42_root"] = "172.23.0.53"
	94	+ipv4_alias["dn42_root"] = "172.20.0.53"
74	95	root_servers["dn42."] = "dn42_root"
75	96	root_servers["20.172.in-addr.arpa."] = "dn42_root"
76	97	root_servers["22.172.in-addr.arpa."] = "dn42_root"
...	...	@@ -79,8 +100,7 @@ root_servers["23.172.in-addr.arpa."] = "dn42_root"
79	100
80	101	## Unbound
81	102
82		-`unbound.conf` for forwarding requests to `172.23.0.53`.
83		-
	103	+Make sure DNSSEC is disabled (`auto-trust-anchor-file` is not set):
84	104
85	105	```
86	106	server:
...	...	@@ -98,33 +118,33 @@ server:
98	118
99	119	forward-zone:
100	120	name: "dn42"
101		- forward-addr: fd42:d42:d42:53::1
102		- forward-addr: 172.23.0.53
	121	+ forward-addr: fd42:d42:d42:54::1
	122	+ forward-addr: 172.20.0.53
103	123
104	124	forward-zone:
105	125	name: "20.172.in-addr.arpa"
106		- forward-addr: fd42:d42:d42:53::1
107		- forward-addr: 172.23.0.53
	126	+ forward-addr: fd42:d42:d42:54::1
	127	+ forward-addr: 172.20.0.53
108	128
109	129	forward-zone:
110	130	name: "21.172.in-addr.arpa"
111		- forward-addr: fd42:d42:d42:53::1
112		- forward-addr: 172.23.0.53
	131	+ forward-addr: fd42:d42:d42:54::1
	132	+ forward-addr: 172.20.0.53
113	133
114	134	forward-zone:
115	135	name: "22.172.in-addr.arpa"
116		- forward-addr: fd42:d42:d42:53::1
117		- forward-addr: 172.23.0.53
	136	+ forward-addr: fd42:d42:d42:54::1
	137	+ forward-addr: 172.20.0.53
118	138
119	139	forward-zone:
120	140	name: "23.172.in-addr.arpa"
121		- forward-addr: fd42:d42:d42:53::1
122		- forward-addr: 172.23.0.53
	141	+ forward-addr: fd42:d42:d42:54::1
	142	+ forward-addr: 172.20.0.53
123	143
124	144	forward-zone:
125	145	name: "d.f.ip6.arpa"
126		- forward-addr: fd42:d42:d42:53::1
127		- forward-addr: 172.23.0.53
	146	+ forward-addr: fd42:d42:d42:54::1
	147	+ forward-addr: 172.20.0.53
128	148	```
129	149
130	150	## JunOS (SRX 12.1X46)
...	...	@@ -143,29 +163,33 @@ system {
143	163	}
144	164	default-domain dn42 {
145	165	forwarders {
146		- 172.23.0.53;
	166	+ 172.20.0.53;
	167	+ fd42:d42:d42:54::1;
147	168	}
148	169	}
149	170	default-domain 20.172.in-addr.arpa {
150	171	forwarders {
151		- 172.23.0.53;
	172	+ 172.20.0.53;
	173	+ fd42:d42:d42:54::1;
152	174	}
153	175	}
154	176	default-domain 22.172.in-addr.arpa {
155	177	forwarders {
156		- 172.23.0.53;
	178	+ 172.20.0.53;
	179	+ fd42:d42:d42:54::1;
157	180	}
158	181	}
159	182	default-domain 23.172.in-addr.arpa {
160	183	forwarders {
161		- 172.23.0.53;
	184	+ 172.20.0.53;
	185	+ fd42:d42:d42:54::1;
162	186	}
163	187	}
164		- }
	188	+ }
165	189	}
166	190	}
167	191	}
168	192	```
169	193
170	194	## MS DNS
171		-Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa" using 172.23.0.53 as forwarder. Ignore the error message that the server is not authoritative.
...	...	\ No newline at end of file
	0	+Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
...	...	\ No newline at end of file

...	...	@@ -27,4 +27,4 @@ The mkdns script currently supports the following setups:
27	27
28	28	## Configuration
29	29
30		-See [[Recursive DNS resolver]] or [[DNS forwarding configuration\|/services/dns/Configuration]].
...	...	\ No newline at end of file
	0	+See [[DNS forwarding configuration\|/services/dns/Configuration]].
...	...	\ No newline at end of file