BindResolver

All servers need a way to resolve hostnames to IP addresses and back. In the good old days of the internet you could point your /etc/resolv.conf file at any valid nameserver and things would Just Work(tm). Not anymore.

Unfortunately the bad guys have figured out that by spoofing millions of DNS requests with the source address set to your IP they can get thousands of nameservers to flood you with millions of DNS responses. Since those responses are usually 10-100 times bigger than the request, this makes for a very nice DNS amplification attack.

This is why most nameservers on the internet stopped offering anonymous resolver service to the whole world. So most people let some horrible company do it for them "for free". This is known as surveillance capitalism. But we care about freedom and defending our users' privacy, so we are going to rely on systems that we build and maintain ourselves.

To quickly install and configure your own DNS resolver that answers only your own clients, do this:

# pkg_add isc-bind
quirks-4.54 signed on 2022-02-09T17:55:10Z
Ambiguous: choose package for isc-bind
a       0: <None>
        1: isc-bind-9.16.23v3
        2: isc-bind-9.16.23v3-geoip
Your choice: 
1
isc-bind-9.16.23v3:libuv-1.40.0: ok
isc-bind-9.16.23v3:json-c-0.13.1p0: ok
isc-bind-9.16.23v3: ok
The following new rcscripts were installed: /etc/rc.d/isc_named
See rcctl(8) for details.

Then do this:

cd /var/named/etc

ftp https://www.internic.net/domain/named.root

Now you just need to configure the named.conf file. For your convenience you can cut and paste this to overwrite the existing file. The heredoc delimiter is quoted so that the shell does not expand the $OpenBSD tag on the first line; and replace the networks in allow-recursion with the networks your own clients use, otherwise they will get REFUSED:

'''cat <<'EOF' > named.conf'''
// $OpenBSD: named.conf,v 1.3 2020/05/29 20:05:37 sthen Exp $
//
// Example file for a simple configuration of BIND, processing only
// recursive queries.  Consult BIND's Administration and Reference Manual
// for more information.

acl clients {
	localnets;
	::1;
};

options {
	directory "/tmp";	// working directory, inside the /var/named chroot
				// - must be writable by _bind
	version "";		// remove this to allow version queries

	listen-on    { any; };
	listen-on-v6 { any; };

	empty-zones-enable yes;

	allow-recursion { 127.0.0.0/8; 38.81.163.0/24; 38.87.162.0/24; 2602:fccf:1::/48; };
};

zone "." {
	type hint;
	file "/etc/named.root";
};
EOF

Or you can download this version instead: Attach:named.conf

Now all you need to do is edit your server's /etc/resolv.conf and add a line like this:

nameserver 127.0.0.1

And on every other client you would put your new nameserver's IP address there instead (the address below is only a placeholder):

nameserver 38.87.162.999
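
The whole procedure above (package install, root hints, named.conf, resolv.conf) collected into one script, as an added example that is not part of the wiki page. It differs from the pasted config in one respect: the permitted networks live in the clients ACL and allow-recursion refers to that ACL, so there is one list to edit. The networks in NETS are documentation-range placeholders, and the script assumes OpenBSD's pkg_add(1), ftp(1), rcctl(8), named-checkconf(8) and dig(1). The check_recursion function is the test you want to run afterwards from a host inside and a host outside your networks: the first should get NOERROR, the second REFUSED, which is what keeps your resolver out of the amplification business.

```shell
#!/bin/sh
# Added example, not from the wiki page: the setup steps collected into one
# script for OpenBSD, plus a check that the resolver refuses recursion for
# anyone outside the clients ACL. Assumes pkg_add(1), ftp(1), rcctl(8),
# named-checkconf(8) and dig(1). NETS holds documentation-range placeholders:
# substitute the networks your own clients actually use.
set -eu

CHROOT=/var/named
ROOT_HINTS_URL=https://www.internic.net/domain/named.root
NETS="${NETS:-127.0.0.0/8 ::1 192.0.2.0/24 2001:db8::/32}"   # placeholders

# write_named_conf FILE NET... : write a recursion-only named.conf whose
# "clients" ACL lists NET... and is referenced from allow-recursion, so the
# permitted networks are listed in exactly one place.
write_named_conf() {
    file=$1; shift
    {
        echo '// Recursive resolver for our own clients only.'
        echo 'acl clients {'
        for net in "$@"; do printf '    %s;\n' "$net"; done
        # Quoted delimiter: the shell must not expand anything in the config.
        cat <<'EOF'
};

options {
    directory "/tmp";      // inside the /var/named chroot, writable by _bind
    version "";            // do not answer version.bind queries

    listen-on    { any; };
    listen-on-v6 { any; };

    empty-zones-enable yes;

    allow-query     { clients; };
    allow-recursion { clients; };
};

zone "." {
    type hint;
    file "/etc/named.root";
};
EOF
    } > "$file"
}

# acl_allows FILE NET : is NET listed in FILE? (cheap sanity check only;
# named-checkconf is the real syntax check)
acl_allows() {
    grep -qF "$2;" "$1"
}

# dig_status : extract the status word (NOERROR, REFUSED, ...) from dig output
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# check_recursion SERVER NAME : ask SERVER to resolve NAME with recursion
# desired. Expect NOERROR from a host inside the ACL and REFUSED from outside.
check_recursion() {
    dig "@$1" +time=3 +tries=1 "$2" A | dig_status
}

# install_resolver : the whole procedure, to be run as root on the server
install_resolver() {
    pkg_add isc-bind                                   # pick the plain flavour at the prompt
    ftp -o "$CHROOT/etc/named.root" "$ROOT_HINTS_URL"  # becomes /etc/named.root inside the chroot
    write_named_conf "$CHROOT/etc/named.conf" $NETS
    named-checkconf -t "$CHROOT" /etc/named.conf       # syntax check inside the chroot
    rcctl enable isc_named
    rcctl restart isc_named
    grep -q '^nameserver 127.0.0.1$' /etc/resolv.conf ||
        echo 'nameserver 127.0.0.1' >> /etc/resolv.conf
    check_recursion 127.0.0.1 www.openbsd.org          # should print NOERROR
}

case "${1:-}" in
    install) install_resolver ;;
    check)   check_recursion "$2" "${3:-www.openbsd.org}" ;;
esac
```

Run `sh resolver.sh install` as root on the server, then `sh resolver.sh check <server-ip>` from a client inside your networks (expect NOERROR) and from a host outside them (expect REFUSED).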