Setting up OpenNIC on Microsoft DNS (Windows Server) using the root hints method

At VN PremLINK, we've been trying to set up BIND, Unbound and Active Directory for OpenNIC, VN's own domains, views and filtering1), with the option to serve OpenNIC DNS publicly without the heavy-handed filtering used in VN. Even Dnsmasq and Pi-hole were part of the setup; they will be replaced by Unbound+BIND.

It's confusing, since we've never set up BIND from scratch or without some kind of GUI before. So, while we're not there yet, we noticed OpenNIC needs a little help with the Windows side of things. /That/, we know. Quite well, in fact, thanks to Active Directory. So we took a five-minute pause to create the screenshots OpenNIC needs, and maybe a little more.

The original instructions (linked here) are 13 easy steps, part of which involves installing the DNS role:

1.  Open the server manager
2.  Choose add roles and features
3.  Choose role-based or feature-based installation
4.  Choose the server you are interested in.
5.  Choose DNS server
6.  Accept all of the other defaults and install
7.  When it is finished, go to the Start menu and choose DNS Manager
8.  In the DNS manager, right click on your server name and choose Properties
9.  In the properties dialogue, click Root Hints.
10. Delete ALL of the default servers.
11. At the bottom, click “Copy from Server” and input a T1 IP which you can find here.
12. Click apply and then test it here.
13. If all passes, you are free to add it to the Tier2 list!

We've gathered the missing pictures, and at the end there's a very basic PowerShell script that sets up the secondary zones in a single step.

You only need either root hints or secondaries2). OpenNIC requires you to deploy secondary zones if your server is going to be publicly available, so we'll split this into two parts to mark the difference. Either way, a recursive server that answers the whole Internet is an open resolver and an amplification vector: if you expose it, restrict recursion to the clients you intend to serve, or enable response rate limiting (Set-DnsServerResponseRateLimiting, Windows Server 2016 and later) before listing it anywhere.

The first part/method is based on the original (with a few shortcuts).

The second is just the script to set up secondary zones.

This was done on Windows Server 2022, but it should work all the way back to Windows Server 2012 R2. Where PowerShell is used, if the cmdlets don't work you might need to upgrade PowerShell to version 5.x, the same major version the latest Windows Server ships with. PowerShell 7 is not necessary; it isn't included even in the latest OS and comes as a separate download that installs side by side with the older version rather than replacing it.

Search for Windows Management Framework 5.1 on Microsoft's site. Alternatively you may use our copy (though you shouldn't just trust random packages from the Internet) in the event Microsoft removes the update; they're known to do that. It is only for Windows Server 2012 R2 64-bit (and its desktop counterpart, Windows 8.1); other versions of Windows use other installers. Whichever copy you end up with, check the package's Authenticode signature before installing it: Get-AuthenticodeSignature on the .msu should report a Valid signature chaining to Microsoft, not just "some signature".

https://dmg.vitanetworks.link/Microsoft/Windows-Management-Framework-5.1-(PowerShell-Update)/W2K12-KB3191565-x64.msu

Newer versions of Windows don't need the update.

Note: the link appears to be triggering some protection. But if you paste it into the browser or a download manager, or use wget or curl, it works correctly. If you need the file, you'll have to do that while we look into it. PowerShell itself can be used to get it, with the Invoke-WebRequest <https://dmg…> -OutFile <somefilename…> cmdlet. For more information run Get-Help Invoke-WebRequest -Online.

This might be a good time to tell you that…

None of our servers track visitors, logs are ephemeral and analyzed only in the event of failure, not as a business model.

Alternatively, you could do conditional forwarding, but that's not covered here.


Setting up root hints in Microsoft DNS

1. Open the server manag— …on second thought, don't.

1. Steps 1-7

Steps 1 through 7 can be dealt with in a single command3).

  • Open an administrative PowerShell window any way you know how, or one of the following:
    • In English versions of Windows4): WinKey+x, then a.
    • Bring up the context menu (the right-click menu) on the Start button and select Windows PowerShell (Admin), about the eighth option from the bottom; or, as indicated above, press the a key.
    • Locate a shortcut for PowerShell anywhere (a File Explorer window, pinned, on the desktop or taskbar, etc.), right-click it and select Run as administrator.
    • In a Run dialog (WinKey+r) type powershell and press Ctrl+Shift+Enter, which runs the command elevated.

If you are using the built-in local Administrator account, any PowerShell window launches elevated (UAC's Admin Approval Mode does not apply to that account by default). Other admin accounts get a filtered token unless the system's policies are modified, so for them you need the explicit "run as administrator".

This is a server-level operation.

You have to repeat it on every server you have. Active Directory's multi-master, ultra-resilient, automatic-everything replication only applies to Active Directory-integrated zones. On the plus side, such zones do not have to be related to the Active Directory domain, forest or any other aspect of the infrastructure to be backed by Active Directory. However, the chances of OpenNIC running domain controllers and casually letting people join them are slim.

Although cmdlets are spelled in mixed case, PowerShell itself isn't case sensitive, and the same is true for DNS zone names. You can use all upper- or lowercase letters if you want. Always try Tab-completing cmdlet names to reduce spelling errors; when you do, they change to their mixed-case spelling.

If you remote from macOS, you need to disable the swapping of the two modifier keys that Microsoft Remote Desktop enables by default. While the app is in focus, press Cmd+, to open its settings, then uncheck the appropriate box5):

Once in PowerShell, install the DNS role and its supporting administration tools with the cmdlet below. The -Restart option makes the system restart immediately if needed. The DNS role itself rarely needs a restart, but some of the RSATs do6). It's a quick installation, so you might not have enough time to save and close open files; do that beforehand.

Install-WindowsFeature -Name DNS -IncludeAllSubfeature -IncludeManagementTools -Restart

This works as well (and may help newcomers figure out PowerShell along the way):

Get-WindowsFeature *dns* | Install-WindowsFeature -IncludeAllSubfeature -IncludeManagementTools -Restart

Launch the DNS Management Console by running the next command in PowerShell or in a Run dialog (WinKey+r):

dnsmgmt.msc

Note: the management tools are put on the Start menu in a folder named "Windows Administrative Tools". You can install more of them with the same cmdlet by listing them after DNS, comma-separated, e.g. -Name DNS, RSAT. In older Windows, installing the .NET Framework 3.5 (which some of the RSATs depend on) needs the original installation media7); you can also mount an ISO from the network. What is actually required is the sources\sxs folder from matching media, passed to the cmdlet with -Source, e.g. -Source zx0\Microsoft\Windows-Server\WindowsServer\ws2016\sources\sxs or -Source D:\sources\sxs

Continue to step 8.

8A. Working with root hints in PowerShell

It's a single line (well, two cmdlets); after completing this, you may skip to step 12 in the original guide, testing.

  • 8A.1 Get the list of the current root hints and pipe it to the remove cmdlet, confirming one by one.
  • 8A.2 ";" separates commands on one line, similar to Bash.
  • 8A.3 Use the address of one of the Tier 1 servers to import the root hints.
Get-DnsServerRootHint | Remove-DnsServerRootHint ; Import-DnsServerRootHint -NameServer "163.172.168.171" -PassThru

Breakdown:

  1. Get-DnsServerRootHint gets all the root hints, which are piped (|) to the Remove-DnsServerRootHint cmdlet; this in turn removes the objects it receives. You will be asked to confirm each one by pressing y on the keyboard (add -Force to Remove-DnsServerRootHint to skip the prompts).
  2. Import-DnsServerRootHint copies the root hints from -NameServer "163.172.168.171". -PassThru is optional: it makes the cmdlet return the imported records so you can see what you got; without it the import is silent. Bear in mind that the import is an ordinary, unauthenticated NS query to one Tier 1, so compare the imported list against the published Tier 1 list before relying on it.
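The same replacement as the one-liner above, but reversible and checked afterwards. This is an added example, not code from the OpenNIC guide; it assumes it is run in an elevated PowerShell on the DNS server itself, and the Tier 1 address and backup path are placeholders to change to your own.

```powershell
# Added example (not part of the OpenNIC docs): replace the root hints with a
# backup first, then sanity-check what was imported.
# Assumptions: elevated PowerShell on the DNS server; $Tier1 is ns4.opennic.glue
# as listed on this page, $Backup is an arbitrary path. Change both as needed.
$Tier1  = "163.172.168.171"
$Backup = Join-Path $env:ProgramData ("roothints-before-opennic-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date))

# 1. Keep the current (ICANN) hints so the change can be undone.
$Old = Get-DnsServerRootHint
$Old | Export-Clixml -Path $Backup
Write-Host "Backed up $(@($Old).Count) root hints to $Backup"

# 2. Remove every current hint; -Force skips the per-record prompt.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# 3. Import the OpenNIC hints from the Tier 1 server.
Import-DnsServerRootHint -NameServer $Tier1

# 4. Check what arrived. The import is a plain, unauthenticated NS query to one
#    server, so verify each hint: it should be a *.opennic.glue host and should
#    itself answer an NS query for the glue zone.
$Report = foreach ($h in Get-DnsServerRootHint) {
    $nsHost = $h.NameServer.RecordData.NameServer.TrimEnd('.')
    foreach ($rr in @($h.IPAddress)) {
        $rd = $rr.RecordData
        $ip = if ($rd.IPv4Address) { $rd.IPv4Address } else { $rd.IPv6Address }   # A or AAAA record
        $answers = $false
        try {
            $ns = Resolve-DnsName -Name 'opennic.glue' -Type NS -Server $ip.IPAddressToString -DnsOnly -ErrorAction Stop
            $answers = @($ns | Where-Object Type -eq 'NS').Count -gt 0
        } catch { }
        [pscustomobject]@{
            Host    = $nsHost
            Address = $ip.IPAddressToString
            InGlue  = $nsHost -like '*.opennic.glue'
            Answers = $answers
        }
    }
}
$Report | Format-Table -AutoSize

$bad = @($Report | Where-Object { -not ($_.InGlue -and $_.Answers) })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) hint(s) are not OpenNIC hosts or did not answer; compare the list with the published Tier 1 table before going further."
}

# Undo: remove the imported hints again, then re-add each record saved in
# $Backup with Add-DnsServerRootHint -NameServer <host> -IPAddress <address>.
```

The Tier 1 list is the reference: a hint that is not under opennic.glue, or that cannot answer for the glue zone, is either a stale entry on the Tier 1 or something you did not mean to import, and either way it should not be served.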

8B. Working with root hints in the GUI

  • 8B.1 Removing root hints:

(screenshot: root-hints-editting.jpg)

  • 8B.2 Adding root hints:

Tier 1 servers

This was the status of the Tier 1 servers on 2023-03-07 14:24:00 GMT-7:

┌───────────────────┬─────────────────┬───────────────────────────────┬───────────────────────┬─────────────┬─────────┐
│ HOSTNAME          │ IPv4            │ IPv6                          │ OWNER(S)              │ ADDED       │ STATUS  │
├───────────────────┼─────────────────┼───────────────────────────────┼───────────────────────┼─────────────┼─────────┤
│ ns2.opennic.glue  │ 161.97.219.84   │ 2001:470:4212:10:0:100:53:10  │ shdwdrgn              │ 2015-Feb-27 │ Offline │
│ ns4.opennic.glue  │ 163.172.168.171 │                               │ ph3-der-loewestephanj │ 2015-Feb-27 │ Pass    │
│ ns5.opennic.glue  │ 94.103.153.176  │ 2a02:990:219:1:ba:1337:cafe:3 │ verax                 │ 2015-Oct-27 │ Pass    │
│ ns6.opennic.glue  │ 207.192.71.13   │                               │ texnofobix            │ 2015-Feb-27 │ Pass    │
│ ns8.opennic.glue  │ 178.63.116.152  │ 2a01:4f8:141:4281::999        │ stephanj              │ 2015-Feb-27 │ Pass    │
│ ns9.opennic.glue  │ 209.141.36.19   │                               │ jonaharagon           │ 2015-Feb-27 │ Offline │
│ ns10.opennic.glue │ 188.226.146.136 │ 2a03:b0c0:0:1010::13f:6001    │ mars                  │ 2015-Feb-27 │ Pass    │
│ ns11.opennic.glue │ 198.98.51.33    │                               │ jonaharagon           │ 2016-Nov-29 │ Offline │
│ ns12.opennic.glue │ 79.124.7.81     │                               │ sy albino             │ 2017-Jul-31 │ Offline │
│ ns13.opennic.glue │ 144.76.103.143  │ 2a01:4f8:192:43a5::2          │ okashi_o              │ 2019-Sep-03 │ Offline │
└───────────────────┴─────────────────┴───────────────────────────────┴───────────────────────┴─────────────┴─────────┘

12. Testing

  • 12.1 With nslookup
    • Interactive
      • Enter nslookup's interactive mode (just enter the command alone).
      • Set the server, e.g. server 10.11.11.36
      • Enter your query, e.g. be.libre.8)
    • Non-interactive
      • Use the syntax command host nameserver, e.g. nslookup be.libre. 10.11.11.36
  • 12.2 With the Resolve-DnsName PowerShell cmdlet
    • The -Name option is inferred from whatever text is not following an option of its own, e.g. Resolve-DnsName -Server 10.11.11.36 be.libre.
    • Use the -Type option to specify the record type, e.g. Resolve-DnsName -Server 10.11.11.36 -Type NS -Name be.libre.
    • Add -DnsOnly (and -NoHostsFile) so the answer really comes from the server you named, not from the local cache, the hosts file or LLMNR/NetBIOS name resolution.
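A repeatable version of the test step, comparing the new server with a Tier 1 and reporting the settings that matter once the server is public. This is an added example, not part of the OpenNIC guide; 10.11.11.36 is the placeholder address used on this page and 163.172.168.171 is ns4.opennic.glue from the table above (both assumptions), and the query names are constructed for the test.

```powershell
# Added example (not part of the OpenNIC docs): check a freshly configured
# server against a Tier 1. Assumptions: $NewServer is this page's placeholder
# address, $Reference is ns4.opennic.glue from the table above.
$NewServer = "10.11.11.36"
$Reference = "163.172.168.171"

# NS sets are stable and can be compared exactly; A answers for big ICANN names
# can legitimately differ by region, so those only have to resolve. OpenNIC's
# root also delegates the ICANN TLDs, so an ICANN name must still work.
$Checks = @(
    @{ Name = "libre.";         Type = "NS"; Compare = $true  },
    @{ Name = "opennic.glue.";  Type = "NS"; Compare = $true  },
    @{ Name = "org.";           Type = "NS"; Compare = $true  },
    @{ Name = "be.libre.";      Type = "A";  Compare = $false },
    @{ Name = "wikipedia.org."; Type = "A";  Compare = $false }
)

function Get-AnswerSet {
    # Sorted, normalised answer data (host names or addresses) from one server,
    # or an empty array on NXDOMAIN, SERVFAIL or timeout.
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $rr = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
              Where-Object Type -eq $Type
        @($rr | ForEach-Object { if ($_.NameHost) { $_.NameHost } else { $_.IPAddress } } |
              ForEach-Object { "$_".ToLower().TrimEnd('.') } | Sort-Object -Unique)
    } catch {
        @()
    }
}

$Results = foreach ($c in $Checks) {
    $ours = @(Get-AnswerSet -Name $c.Name -Type $c.Type -Server $NewServer)
    $ref  = @(Get-AnswerSet -Name $c.Name -Type $c.Type -Server $Reference)
    $pass = $ours.Count -gt 0
    if ($c.Compare) { $pass = $pass -and (($ours -join ',') -eq ($ref -join ',')) }
    [pscustomobject]@{ Name = $c.Name; Type = $c.Type; Answers = $ours.Count; RefAnswers = $ref.Count; Pass = $pass }
}
$Results | Format-Table -AutoSize

# A server reachable from the Internet is an open recursive resolver. Know its
# recursion and response-rate-limiting state before listing it as Tier 2
# (RRL cmdlets exist on Windows Server 2016 and later only).
$rec = Get-DnsServerRecursion
$rrl = $null
if (Get-Command Get-DnsServerResponseRateLimiting -ErrorAction SilentlyContinue) {
    $rrl = Get-DnsServerResponseRateLimiting
}
[pscustomobject]@{
    RecursionEnabled = $rec.Enable
    RrlMode          = if ($rrl) { $rrl.Mode } else { "not available on this OS" }
}

if ($Results | Where-Object { -not $_.Pass }) {
    Write-Warning "Fix the failures above before adding the server to the Tier 2 list."
}
```

RrlMode of Disable (or LogOnly) on a public server means every spoofed query gets a full-size answer; switch it on with Set-DnsServerResponseRateLimiting -Mode Enable once the resolver otherwise passes.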

Creating secondary zones

Once again we turn to PowerShell, the best and worst that happened to Windows before Windows 11.

The fastest way to populate the zones is with a disposable spreadsheet-and-IDE combination, or just an IDE. For each zone you'll need:

  • The name of the zone, of course; "oz"
  • A name for the zone's filename; "oz.dns"
  • Its master nameserver(s); "103.4.16.80"
Add-DnsServerSecondaryZone -Name "oz" -ZoneFile "oz.dns" -MasterServers "103.4.16.80"

Or, since both values are likely to be basically the same, and to avoid jumping back and forth across the line over and over, do some basic scripting:

$z="opennic.glue";     $ns="168.119.153.26"; Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="dns.opennic.glue"; $ns="168.119.153.26"; Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="geek";             $ns="202.83.95.229";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="free";             $ns="202.83.95.229";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="indy";             $ns="202.83.95.229";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="parody";           $ns="216.87.84.210";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="bbs";              $ns="207.192.71.13";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="null";             $ns="202.83.95.229";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="oss";              $ns="216.87.84.210";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="ing";              $ns="128.177.28.254"; Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="dyn";              $ns="207.192.71.13";  Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="gopher";           $ns="66.244.95.11";   Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="micro";            $ns="128.177.28.254"; Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="neo";              $ns="199.30.58.57";   Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="pirate";           $ns="209.141.35.9";   Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"
$z="oz";               $ns="103.4.16.80";    Add-DnsServerSecondaryZone -Name "$z" -ZoneFile "$z.dns" -MasterServers "$ns"

Above, the $z and $ns variables are (re)set each time before running the cmdlet; note the semicolons, since two statements on the same line must be separated or PowerShell refuses to parse the line. The zone file gets the zone's name with the extension .dns appended. You can save it as a .ps1 file and run it in PowerShell9), or just copy and paste it directly. Edit it in an IDE.

Note: the data used above is just for the example; it's unlikely to be correct and was not checked.

As of 2023-03-07, the following file/code will clean up old data (you'll need to confirm each removal) and add the zones again with the correct nameservers. You may download it or just copy and paste it into a PowerShell window. It can be pasted into a PowerShell remoting session as well (e.g. Enter-PSSession <remote-dns-server-machinename>).

deploy-opennic-zones.ps1

Get-DnsServerZone -Name "bbs"              | Remove-DnsServerZone
Get-DnsServerZone -Name "chan"             | Remove-DnsServerZone
Get-DnsServerZone -Name "cyb"              | Remove-DnsServerZone
Get-DnsServerZone -Name "dns.opennic.glue" | Remove-DnsServerZone
Get-DnsServerZone -Name "dyn"              | Remove-DnsServerZone
Get-DnsServerZone -Name "epic"             | Remove-DnsServerZone
Get-DnsServerZone -Name "geek"             | Remove-DnsServerZone
Get-DnsServerZone -Name "gopher"           | Remove-DnsServerZone
Get-DnsServerZone -Name "indy"             | Remove-DnsServerZone
Get-DnsServerZone -Name "libre"            | Remove-DnsServerZone
Get-DnsServerZone -Name "neo"              | Remove-DnsServerZone
Get-DnsServerZone -Name "null"             | Remove-DnsServerZone
Get-DnsServerZone -Name "o"                | Remove-DnsServerZone
Get-DnsServerZone -Name "opennic.glue"     | Remove-DnsServerZone
Get-DnsServerZone -Name "oss"              | Remove-DnsServerZone
Get-DnsServerZone -Name "oz"               | Remove-DnsServerZone
Get-DnsServerZone -Name "parody"           | Remove-DnsServerZone
Get-DnsServerZone -Name "pirate"           | Remove-DnsServerZone
 
Add-DnsServerSecondaryZone -Name "bbs"              -ZoneFile "bbs.dns"              -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "chan"             -ZoneFile "chan.dns"             -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "cyb"              -ZoneFile "cyb.dns"              -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "dns.opennic.glue" -ZoneFile "dns.opennic.glue.dns" -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "dyn"              -ZoneFile "dyn.dns"              -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "epic"             -ZoneFile "epic.dns"             -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "geek"             -ZoneFile "geek.dns"             -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "gopher"           -ZoneFile "gopher.dns"           -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "indy"             -ZoneFile "indy.dns"             -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "libre"            -ZoneFile "libre.dns"            -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "neo"              -ZoneFile "neo.dns"              -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "null"             -ZoneFile "null.dns"             -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "o"                -ZoneFile "o.dns"                -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "opennic.glue"     -ZoneFile "opennic.glue.dns"     -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "oss"              -ZoneFile "oss.dns"              -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "oz"               -ZoneFile "oz.dns"               -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "parody"           -ZoneFile "parody.dns"           -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
Add-DnsServerSecondaryZone -Name "pirate"           -ZoneFile "pirate.dns"           -MasterServers 168.119.153.26, 195.201.99.61, 2a01:4f8:c17:fa94::, 2a01:4f8:c2c:e789::
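The same deployment as a re-runnable loop, followed by a check that each zone actually transferred. This is an added example, not the OpenNIC guide's script; the zone names and master addresses are the ones listed above as of 2023-03-07 and must be re-checked against OpenNIC's current data, and 127.0.0.1 assumes the script runs on the DNS server itself.

```powershell
# Added example (not part of the OpenNIC docs): data-driven, re-runnable
# deployment of the secondary zones plus an SOA serial check.
# Assumptions: the zone list and $Masters come from this page (2023-03-07) and
# need re-checking; 127.0.0.1 means the script runs on the DNS server.
$Masters = @("168.119.153.26", "195.201.99.61", "2a01:4f8:c17:fa94::", "2a01:4f8:c2c:e789::")
$Zones   = @("bbs", "chan", "cyb", "dns.opennic.glue", "dyn", "epic", "geek", "gopher", "indy",
             "libre", "neo", "null", "o", "opennic.glue", "oss", "oz", "parody", "pirate")

foreach ($z in $Zones) {
    # Drop whatever exists under that name (old primary, stub, or a secondary
    # with a stale master list), then add it fresh. -Force replaces the prompt.
    if (Get-DnsServerZone -Name $z -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -Name $z -Force
    }
    Add-DnsServerSecondaryZone -Name $z -ZoneFile "$z.dns" -MasterServers $Masters
    # Request the transfer now instead of waiting for the SOA refresh timer.
    Start-DnsServerZoneTransfer -Name $z -FullTransfer
}

# Windows DNS cannot TSIG-sign transfers from a non-Windows master, so the only
# thing vouching for the zone data is the master's IP address. At least confirm
# that what was loaded is what the master currently serves: compare serials.
function Get-SoaSerial {
    param([string]$Zone, [string]$Server)
    try {
        $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
               Where-Object Type -eq 'SOA'
        @($soa)[0].SerialNumber
    } catch { $null }   # SERVFAIL while the zone is still loading, or unreachable
}

Start-Sleep -Seconds 15   # give the transfers a moment to complete

$Status = foreach ($z in $Zones) {
    $local  = Get-SoaSerial -Zone $z -Server "127.0.0.1"
    $master = Get-SoaSerial -Zone $z -Server $Masters[0]
    [pscustomobject]@{
        Zone         = $z
        LocalSerial  = $local
        MasterSerial = $master
        InSync       = ($null -ne $local) -and ($local -eq $master)
    }
}
$Status | Format-Table -AutoSize

if ($Status | Where-Object { -not $_.InSync }) {
    Write-Warning "Some zones have not transferred or lag the master; check the DNS Server event log and that TCP/53 to the masters is open."
}
```

A zone that stays out of sync after the sleep usually means the transfer was refused or blocked (zone transfers run over TCP/53, not UDP); the DNS Server event log records the failure with the master's address.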


1)
Ads, trackers, big privacy violators such as social networks, etc.
2)
Although root hints may be used as fallback
3)
Well, it's actually two cmdlets, but you can put them together on one line.
4)
Windows shortcuts change according to UI language
5)
the legend on it changes frequently with version
6)
Remote Server Administration Tools: the modules for the Microsoft Management Console (AKA mmc.exe ) and a few more system panels
7)
not the actual media, just the files, but the version should match
8)
In Windows, nslookup needs FQDNs to be specified correctly (they must have the trailing period), e.g. wikipedia.org.
9)
You will probably need to allow running unsigned scripts first (e.g. Set-ExecutionPolicy RemoteSigned, plus Unblock-File on a script you downloaded).
en/other/opennicdocs.txt · Last modified: 2024/04/10 14:41