Add node-based DNS service

[Fohlen]

Hey folks. I've implemented a microservice called node-dns-service which you can see at https://github.com/inexorgame/node-dns-service

It is currently live with the following data:

• BASE_DOMAIN=inexortestnetwork.tk
• the alias config is at https://gist.github.com/Fohlen/9a0f106ab12a0cc4202ed87c6b18fae6
• API endpoint is at https://b881xr7vo3.execute-api.eu-central-1.amazonaws.com/dev/

So, what is it, and why do I want to add it to Inexor?

The brief summary is, it let's you register a random UUID-based node for a domain. It works as follows:

• hey API, got me a subdomain for node.inexor.network
• there it is, have fun. Please also take this revocationSecret in case you want to invalidate this domain
• Thank you very much!
• (some time later). I don't need this domain any more. Here is my node id and revocationSecret, can you revoke it for me?
• No problemo. Done

It also allows for creating alias domains with a .json file so that you can have a_teammate.node.inexor.network point to your node.

Why do we need it?

In the future, we want to make services such as

• public server list served over an API
• repositories served with git+http
• authentication based on OAuth
• (...)

All these services do not by default require https, but it merely makes sense to host them, without SSL. Since only a minority of system administrators is likely to

• have an own domain name
• configure SSL for it via Let's Encrypt

this would impose a major security issue in our system. That's why I wrote the dns-service, with the following workflow in mind

• SERVER instance of flex asks the service, hey there, got me a subdomain?
• API no problemo, here you go
• hey there Let's Encrypt, got me a SSL certificate for that domain ?
• Let's Encrypt here you go
• SERVER delivers content with valid SSL certificate
• CLIENT = happy

Why I would use a separate domain

I would suggest to use inexor.network or any other separate domain because of the following reasons:

• this is an anonymous service
• it will allow anybody to send stuff in our name
• this includes, e.g malicious mails
• this will very easily lead to inexor.network being blacklisted
• no problem for us but it is, once inexor.org pops from Google search (and potentially others) it's no fun any more

It also allows clear difference between what's auto-generated network and what actually belongs to us.

Last but not least, the money

Yup

• .network domains currently cost 19 dollar / year
• as I elaborated in the node-dns-service README, it's extremely unlikely that we will ever hit the limit, and even if, it would be very cheap
• this means that we currently only have the cost for the hosted zone
• makes 0.50 dollar month => 6 dollars / year
• total: 25 dollar / year

Also AWS has a pretty damn clever Burst algorithm for detecting potentially malicious use of API endpoints, which should make it really save from attacking.

[Fohlen]

I have archived the repo since this will be solved by the community workflow and since I no longer maintain the repo.