We may be a bit late to the party.
But we decided to investigate OpenNIC, which kept appearing on webrings early on when I joined some of them in 2022. What is OpenNIC, you ask? Well, the regular top-level domain (TLD) names such as .COM/.NET/.ORG used to be run by the US government, but eventually ICANN took over. OpenNIC gives people the possibility of running their own top-level domain, and gives everyone else a way to register domains within those top-level domains. It's like a training/sandbox ground for people who want to try their hand at running a top-level domain without spending a shit-ton of money going through the bureaucratic process of introducing it officially.
We have enough in our lives to NOT want to run a top-level domain. But out of interest in blogging about technology and USING that technology, I did make myself a domain on one of the primary OpenNIC TLDs.
Kindly note the link WILL NOT WORK unless you use an OpenNIC DNS server, which we will explain later in this article.
We feel like this is a good space to learn/understand how DNS works, but we don't think it's really going to go much further than that.
Would you like to know more? Read on!
This is another one of those Onion/Tor/I2P thingies right?
No, OpenNIC exists on the clearnet. It doesn't have any fancy-pants point-to-point encryption systems like Tor or I2P. By going through TLD providers that do not have strict registration requirements (ICANN requires your legal name to be on file), the level of registration is very low, to the point of being borderline anonymous. On top of this, since the project is volunteer-run and open source, registration is free, versus the normal providers where it could start at $1 for the first year and move up to $10 and up per year afterward.
WHY OpenNIC?!?
This question can be answered in two parts here.
First part: The (Supposedly) private DNS servers.
One of the arguments OpenNIC makes is that by default a lot of ISPs host a local DNS server, and not necessarily out of the goodness of their hearts: it's to track the sites you visit and sell that information to the highest bidder.
The screenshot above shows a common thing ISPs in America do to subscribers, known as DNS hijacking: if you type in an address that their DNS servers cannot resolve, instead of telling you so they redirect you to their ultra-shit search engine, which is almost guaranteed to never find what you were looking for in the first place while at the same time trying to infect you with malware/ads/tracking software; our uBlock is going nuts on AT&T's piss-poor attempt at a website.
We will call it how we see it. This is hijacking. The job of a DNS server is to resolve the address that you typed into the address bar, in this case "http://s-config.geek": either hand back the IP or answer NXDOMAIN, the DNS equivalent of a 404 NOT FOUND. What AT&T is doing isn't "added value" or whatever bullshit term they call this. Any level of deviation should be considered a security threat to your computer and to everything else on your network. How's that for Cybersecurity Awareness Month, AT&T?
Also, if you're on a corporate network, they have the capability of censoring the sites you can visit by simply blocking them at the DNS level.
Now, your ISP's DNS can be overridden by simply replacing the entries you receive via DHCP, either at the computer level or at the router level (provided you have access), with a different DNS provider such as Quad9 or Google. Depending on your level of trust, you accept that by using their servers for DNS the data goes to them instead of your ISP.
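A way to test any resolver for the redirect behaviour described above, added here as an example and not code from the original post: ask it for a random name that cannot exist and see whether it answers NXDOMAIN or hands back an IP. The query builder and response parser are minimal and hand-written; the two sample replies at the bottom are constructed for illustration (192.0.2.1 is a documentation address), and check_resolver is the only part that touches the network.

```python
import random, socket, string, struct
def build_query(name, qtype=1, txid=0x1234):
    # Header: id, flags (RD=1 only), QDCOUNT=1, AN/NS/AR=0; then QNAME, QTYPE, QCLASS=IN.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def _skip_name(msg, off):
    # Advance past a wire-format name; a 0xC0 compression pointer is 2 bytes and ends it.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    # Returns (rcode, [IPv4 answers]). rcode 0 is NOERROR, 3 is NXDOMAIN.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def looks_hijacked(rcode, ips):
    # A random 24-letter label cannot legitimately exist, so the honest reply is
    # NXDOMAIN with no answers. NOERROR plus an A record is the search-page redirect.
    return rcode == 0 and len(ips) > 0

def check_resolver(server, tld="com", timeout=3.0):
    # Live check, e.g. check_resolver("9.9.9.9"): one UDP canary query to port 53.
    label = "".join(random.choices(string.ascii_lowercase, k=24))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(f"{label}.{tld}"), (server, 53))
        data, _ = s.recvfrom(512)
    return looks_hijacked(*parse_response(data))

# Constructed sample replies to one canary query (not captures from any real resolver).
QUERY = build_query("xkqzvmpwlrbtyhgncsdfaejo.com")
HONEST = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUERY[12:]      # RCODE=3
HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]   # RCODE=0
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1"))
```

Run check_resolver against the DNS address handed out by DHCP and against the one you intend to switch to; a True result is the behaviour in the screenshot.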
Example listing of US servers on OpenNIC's website.
Which I guess is the rub with OpenNIC. Yes, they have a lot of DNS servers that one could easily go through, and those DNS servers can resolve TLDs that the regular ones cannot, such as .libre/.indy/.geek and so on. But it's up to you, the end user, whether you really trust those DNS servers to remain privacy-conscious.
One of the things about OpenNIC from a DNS perspective is that it layers itself on top of the normal DNS. So if you want to go to a .com site, or get linked to a .com site from a .geek site like this one, no big deal: the volunteer DNS servers will happily resolve it.
Second Part: Free Domain Registrations.
For those who simply want to try out OpenNIC's DNS and visit some weird TLD websites, you can stop right here.
Once your DNS is pointed at an OpenNIC box you can scroll down on OpenNIC's website and click on the domain you want. Before clicking on any of those buttons you might want to register yourself as a member of OpenNIC, as the credentials you generate on this website will be required to register a domain (at the very least for the TLDs that OpenNIC itself is in control of; each provider has its own set of rules as to how it operates, so it's probably best to read about the TLDs in their wiki section).
One of the problems we encountered after smashing that 'register' button was that we used a disposable Gmail address, to which OpenNIC didn't send anything. We ultimately had to re-route to a Protonmail address in order to finally receive our confirmation code.
However, once registered and confirmed, THEN you can click on one of the TLD buttons.
One of the major downsides of OpenNIC (and quite possibly why it will never be taken seriously as a standard) is there's no SSL. For SSL to work there must be some kind of root authority to chain to. Sure, you could self-sign your website within OpenNIC, but you will (rightfully) get warnings from your browser that even though SSL is in place it cannot be trusted, as anyone can make and self-sign their own certificate.
As a result, you get the picture you see above: a website asking for a username and password in plain text, which is possibly the most insecure way to conduct something as sensitive as creating a domain. Fuck!
Alright, what you see above is how we configured our domain. You'll note that I do not follow the standard configuration of "A" records (IPv4) and "AAAA" records (IPv6), which would look like this:
$ORIGIN .
    IN A    - 144.202.56.235
    IN AAAA - 2001:19f0:5c01:187a:5400:1ff:fe73:3396
$ORIGIN www.s-config.geek.
    IN A    - 144.202.56.235
    IN AAAA - 2001:19f0:5c01:187a:5400:1ff:fe73:3396
This configuration would be completely fine if I didn't run my own DNS and we pointed our server at OpenNIC's DNS instead of the DNS provided by our data center. But we didn't want to change the DNS on our server.
If you don't change your server's DNS, this will 'partially' work. What we mean by this is that the name will resolve and Apache/Nginx will pick up the request routed to the IP address, but it would have no idea what to do with it, as "www.s-config.geek" does not exist on any normal DNS server. Thus, it would wildcard your request and serve whatever default folder you have set up on Apache/Nginx, which is especially bad if you run multiple websites on your server. You may have seen YouTubers explaining OpenNIC who type in their address and it immediately bounces to their .COM address. That's because their webserver is configured to take anything that hits the IP and redirect it to the primary site. Which is wrong.
This is why we configured our BIND DNS server to answer for "www.s-config.geek" and pointed the domain at OUR DNS nameserver in the traditional sense. For those who have never run a website: one of the things that needs to be done, after you have secured server space and a nameserver to handle your requests, is pointing the domain at said nameserver. This way, DNS is localized to that server and the server does not rely on OpenNIC's resources. If any request for "www.s-config.geek" is handled internally, it means Nginx will understand where the traffic is coming from and won't wildcard the site. A regular DNS server will never be asked for "www.s-config.geek" unless something bizarre happens, like .geek migrating to a public TLD.
In our nginx/sites-available directory we made a text file, and this is how the start of it looks.
server {
    listen 80;
    listen [::]:80;
    server_name www.s-config.geek s-config.geek;
    root /path/to/www/s/;
    # ... directory definitions, redirects and so on follow ...
}
Of course, there is lots more, such as directory definitions and redirects. But since we defined a server_name in nginx and the DNS is now localized to the server, when you go to www.s-config.geek you shall STAY on www.s-config.geek.
Finally, I had to press the 'update' button again so it doesn't give me a domain for 30 days but instead a domain for a year.
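The wildcarding described above can also be shut off on the web-server side, shown here as an added example and not the post's own configuration: a default_server block that drops any request whose Host header matches no server_name, so an unknown hostname never lands in another site's document root. The paths are placeholders.

```nginx
# Catch-all for any Host header that matches no server_name below.
# 444 is nginx's "close the connection without sending a response".
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# The OpenNIC site only answers for its own names.
server {
    listen 80;
    listen [::]:80;
    server_name www.s-config.geek s-config.geek;
    root /path/to/www/s/;
}
```

With this in place, a request for an IP or hostname you never configured gets nothing at all, instead of the primary site or a redirect to it.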
No SSL, isolated DNS servers, why even give a shit about this project?
It's a fair question. One that we were asking ourselves as we were going through the instructions.
As for 'use-case' scenarios, OpenNIC might be good for retro computing, similar to our oldskool subdomain we set up a while back.
- With a lot of the 8-bit network cards, sometimes it's better to set up a static IP instead of relying on DHCP. Entering an OpenNIC DNS server allows your retro computer to resolve these free TLD domains. From there, you could design a hyper-minimalistic website for 8-bit computers that would happily resolve those addresses. Effectively a free website on the super-cheap.
- This could be the motivation behind the .gopher TLD, named after a text-only protocol for finding information on a particular server. It doesn't need to be fancy and doesn't need SSL. It just has to work.
Criticism.
Now let's be honest about the OpenNIC project. It's not that useful. Here's why:
- Your average user will not be playing around in their network settings. The advanced user base would question the morals of those running the DNS servers and would probably choose to install the proxy service instead. Only those who KNOW OpenNIC will visit you on OpenNIC. Perhaps the developers had this grand idea that ISPs would adopt their DNS servers, which would then open up these domains to their users. But where's the incentive in doing so? Especially when your choice of ISP (at least in America) is dwindling to 1-2 per city. And why should they stop DNS hijacking when it is making them money? What site(s) on these alternate TLDs are so important that they could otherwise not be reached via the normal avenues of ICANN/clearnet registration? In the current state of the project, from a business perspective it's simply not worth adopting for mainstream usage.
- The reason Tor in particular gets the userbase it has is one part Hollywood infamy and one part encryption. Some users jumped on Tor to visit the 'spooky web', we guess. Others simply want to be anonymous. OpenNIC has neither. This is a blessing and a curse, because it leads to the next problem.
- As we've seen with .tk domains, if you make something free, the internet WILL fuck with it. When you have a high concentration of malware/honeypot/scam sites designed for the sole purpose of making money from nothing, many networks end up banning .tk, and occasionally even .xyz domains as well. If OpenNIC were highly popular it too could easily fall into the same trap without eternal vigilance from the volunteer TLD holders. There's nothing stopping someone from domain-squatting everything s-config in a vain attempt to mimic my site. Cash prizes? We guess? It's been tried before.
Final thoughts.
Do you know what the absolute worst-case scenario is for making a domain name on OpenNIC and pointing it to the rest of the domain names such as Tor/I2P?
We get no viewers and we lost a few hours of our lives.
But despite all of OpenNIC's faults, all criticisms aside, it works, it's free, it's open source and it's rather easy to set up. Which is a hell of a lot more than what we could say about crypto domains like Forever domains. Seriously, fuck Web3.
Anyhow, because it has applications towards retro computing, we'll be keeping the .geek domain for a while.
That's what server said
+++END OF LINE