
Ask HN: Is it feasible to run your own DNS name servers nowadays? - jamieweb
I'm talking for a small operation (personal blog, startup, etc).

Currently my DNS is hosted by Cloudflare, however I would like to have more fine-grain control over the zones, including DNS failover and GeoDNS.

I am looking into running a resilient pair of BIND servers. They will detect when one of my web servers goes down (e.g. for reboot) and pull the record (which will have a low TTL to avoid excessive caching). I also want to use GeoDNS to point users towards the nearest web server.

It seems to be very rare these days for people to run their own name servers. What are some of the common pitfalls and issues related to this?
======
zzzcpan
Pitfalls off the top of my head: Detecting servers going down is not very
simple. They don't just go down and become completely unresponsive. Sometimes
they become slow, overloaded, generate incorrect responses, sometimes there
are connectivity issues, packets get dropped. Sometimes connectivity issues
are not globally visible, but affect only some of your users. The number of
affected users might increase over time too without you detecting anything.
All of the problems apply to monitoring nodes too.

The simplest approach that more or less works is to use a single monitoring
node close to your users and only make decisions when a majority of servers
are responsive. Once some server has more than one problem over a few tries,
pull its record. Then put it back once it's been free of problems for some
time.

When updating DNS records automatically, increase the serial number of the
zone. Make sure the monitoring node retrieves that serial number from the DNS
servers on start, to survive its own crashes.
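
The policy described in this comment (majority gate, pull after more than one failure over a few tries, restore after a clean streak, bump the SOA serial on every change, recover the serial from the servers on start), as an added example that is not code from the thread. The hostnames, addresses, zone text and probe results are constructed in-process so it runs offline; pushing the resulting record set to BIND/NSD (e.g. via nsupdate or a regenerated zone file) is left out.

```python
"""Health-gated record withdrawal for a self-hosted authoritative zone.

Added example, not from the HN thread. All inputs below are constructed;
nothing touches the network.
"""
from __future__ import annotations

import datetime as dt
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Iterable

WINDOW = 4           # recent probes kept per backend ("a few tries")
FAIL_THRESHOLD = 2   # "more than one problem" in that window pulls the record
RECOVERY_STREAK = 3  # consecutive clean probes before the record goes back


@dataclass
class Backend:
    name: str
    ip: str
    history: deque = field(default_factory=lambda: deque(maxlen=WINDOW))
    clean_streak: int = 0
    published: bool = True


# Matches the serial in zone-file syntax ("IN SOA ns1. host. ( 2019010205 ...")
# and in dig's presentation format ("IN SOA ns1. host. 2019010205 3600 ...").
_SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")


def serial_from_soa(text: str) -> int:
    """Recover the published serial from SOA text (zone file or dig output).

    Run this at monitor start, so a restart after a crash can never emit a
    serial lower than what the name servers already serve.
    """
    m = _SOA_SERIAL.search(text)
    if m is None:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def next_serial(current: int, today: dt.date) -> int:
    """Return a serial strictly greater than `current`, YYYYMMDDnn style.

    Secondaries only transfer when the serial increases, so a bump must never
    go backwards: if the date-based value is not above what is published
    (more than 99 changes today, or a clock that went back), just add one.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    return base if current < base else current + 1


class FailoverController:
    def __init__(self, backends: Iterable[Backend], serial: int,
                 today: Callable[[], dt.date] = dt.date.today) -> None:
        self.backends = {b.name: b for b in backends}
        self.serial = serial
        self._today = today

    def observe(self, probe: dict[str, bool]) -> bool:
        """Apply one probe round (name -> answered OK). True if the zone changed."""
        # Majority gate: if most backends look dead at once, distrust the
        # monitor (its own link or host is the likelier failure) and do nothing.
        if 2 * sum(probe.values()) <= len(probe):
            return False
        changed = False
        for name, ok in probe.items():
            b = self.backends[name]
            b.history.append(ok)
            b.clean_streak = b.clean_streak + 1 if ok else 0
            if b.published and b.history.count(False) >= FAIL_THRESHOLD:
                b.published = False
                changed = True
            elif not b.published and b.clean_streak >= RECOVERY_STREAK:
                b.published = True
                changed = True
        if changed:
            # Without a serial bump, secondaries never pick up the new record set.
            self.serial = next_serial(self.serial, self._today())
        return changed

    def published_records(self) -> list[tuple[str, str]]:
        """A records currently worth publishing, as (name, ip)."""
        return [(b.name, b.ip) for b in self.backends.values() if b.published]


# Constructed zone text standing in for the SOA answer fetched at start-up.
ZONE = """\
$ORIGIN example.test.
$TTL 60
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2019010205 ; serial
        3600 900 604800 60 )
web1 IN A 192.0.2.10
web2 IN A 192.0.2.20
web3 IN A 192.0.2.30
"""


def demo() -> tuple[list[tuple[str, str]], int, list[bool]]:
    """Replay a constructed probe sequence; returns (records, serial, change flags)."""
    ctl = FailoverController(
        [Backend("web1", "192.0.2.10"), Backend("web2", "192.0.2.20"),
         Backend("web3", "192.0.2.30")],
        serial=serial_from_soa(ZONE),
        today=lambda: dt.date(2019, 1, 2),  # fixed clock for a repeatable run
    )
    rounds = [
        {"web1": True, "web2": True, "web3": True},     # steady state
        {"web1": False, "web2": True, "web3": True},    # one blip: not enough
        {"web1": False, "web2": True, "web3": True},    # second failure: pull web1
        {"web1": False, "web2": False, "web3": False},  # all "down": gate, ignore
        {"web1": True, "web2": True, "web3": True},     # web1 clean 1/3
        {"web1": True, "web2": True, "web3": True},     # 2/3
        {"web1": True, "web2": True, "web3": True},     # 3/3: restore web1
    ]
    flags = [ctl.observe(r) for r in rounds]
    return ctl.published_records(), ctl.serial, flags
```

Note that the majority gate needs at least three backends to be useful: with two, one server being down is exactly half, so the controller would never act. That is a property of the policy, not of this code.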

------
LinuxBender
Yes.

I've run my own servers for my own hobby domains as long as the internet has
existed. No issues there. I think people just like the convenience of
something they don't have to maintain. Unless you expect your blogs to be
controversial enough for a DDoS, there is no need for a commercial DNS
provider.

~~~
jamieweb
Not sure how I missed out the "Ask HN", thanks for reminding me.

Regarding the DNS, have you run into any issues with people using your DNS
server for DoS amplification attacks?

Also would you be able to share which DNS server software you are running?

~~~
LinuxBender
For a while, I ran bind. Then for quite a while, I used a modified version of
rbldnsd, which is not really meant to be used that way, but it was very good
at absorbing abuse and didn't even implement most record types. It just had
what I required.

When I eventually needed a proper DNS server again so that I could have CAA
records, I switched to NSD [1]. NSD is strictly authoritative, vs. its
counterpart Unbound [2] for recursive. It is a little faster than bind and has
not had quite as many CVEs associated with it as bind. That said, bind was
there for a long time and they learned along the way. You can find sites that
compare the features and benefits of NSD vs. bind.

I have not been used for amplification attacks. That said, people have tried
enumerating many things over the years. There are some things you can do both
in the DNS config and in iptables to reduce some noise. You would want to look
on serverfault [3] for ideas. I set really high TTL records, so DDoS would
only affect people that have not used my site in a while.

[1] - NSD:
[https://www.nlnetlabs.nl/projects/nsd/about/](https://www.nlnetlabs.nl/projects/nsd/about/)

[2] - Unbound:
[https://nlnetlabs.nl/projects/unbound/about/](https://nlnetlabs.nl/projects/unbound/about/)

[3] - Serverfault: [https://serverfault.com/](https://serverfault.com/)

~~~
jamieweb
Thanks for the info, this will be really useful. :)

------
icedchai
I’ve been running my own nameservers since 1994. It’s one of the simplest
services to run. I use BIND.

