NS-Global is an anycast secondary DNS service. This means that there is a dedicated block of IP addresses for the ns-global.kjsl.com host which is announced by each identical server world-wide. Anycast means that the NS-Global DNS server seems to break the speed of light because queries are routed to the closest copy of the server globally.

NS-Global was originally built by Javier in 2009 using FreeBSD with copious amounts of duct tape and rsync. In 2020, Javier and Kenneth rebuilt the system using Ansible to make it easier to keep the entire constellation in service and in-sync.

How Does it Work

NS-Global is based on a “hidden collector” model, where all primary DNS servers transfer their DNS zones to a single host at,2607:7c80:54:6::53. This isn’t the global ns-global.kjsl.com address, but a single unicast host which collects all the zones and then pushes them to the full array of anycast endpoints. This architecture means that as NS-Global adds/removes anycast sites, users aren’t required to modify any settings on their servers to allow transfers or send notifies to new sites.

On the orchestration side, every public anycast endpoint is managed by Ansible, and has a relatively short DNS BIND configuration which sets global options and configures the endpoints as secondaries for a single “catalog” DNS zone. Catalog zones are a feature supported by BIND, where the dynamic list of zones served by NS-Global is transfered from the hidden collector to the end points using the standard DNS NOTIFY/AXFR mechanism, and then each anycaster parses this zone to dynamically add other zones to also transfer from the collector host and serve publically as an authoritative DNS server.

When a new zone is added to NS-Global by a user, this triggers a custom script on the hidden collector to regenerate the catalog zone, and then send a DNS notify to all of the anycaster hosts. They each update their copy of the catalog zone, parse it, add/remove zones as required, then transfer those from the collector host as well.

When an existing zone is updated on the original host’s server, they need to explicitly configure their DNS server to also send a notify to the NS-Global hidden collector, which will perform the typical SOA query and AXFR/IXFR from the original primary, then send notifies to all of the NS-Global endpoints, so it’s expected that DNS updates will become visible globally on NSG within a few seconds.

How Do I Sign Up?

To start using NS-Global, ensure that you have a valid RNAME record in your zone’s SOA, which is the email address for the zone’s admin. We rely on this to verify that you control the DNS zone, for when you fill out our signup form, we send a single verification email to the listed RNAME address.

Once you click on the verification link emailed to you, your zone will be added to the NS-Global database and immediately start being served worldwide.