
How and why I run my own DNS servers - zwischenzug
https://zwischenzugs.com/2018/01/26/how-and-why-i-run-my-own-dns-servers/
======
rsync
Responding to several comments in this thread RE: what is the point of doing
this ...

The point of running your own email and dns server is so that you are a _peer
on the network_.[1]

This is important and is becoming lost in the current era of Internet
adoption.

By many measures the Internet is the largest cultural and commercial force in
the world today and by an accident of history, the researchers at (D)ARPA gave
us a network that allowed normal citizens to be peers on the network.

Don't lose this.

[1] As opposed to, for instance, the telephone network. You can own your own
domain and perform the first level of network interaction on your Internet
systems, but the analogy on the phone network (owning your own phone number
and controlling the first touch from other networks) by creating a CLEC is
administratively and financially ($100k +) impossible.

~~~
Santosh83
I get where you're coming from but wouldn't being a proper peer on the
Internet imply that you would need some kind of backbone access and be an ISP
yourself?

~~~
zrm
Comcast has a huge network but none of their customers are only talking to
each other, they're talking to Verizon's customers and Google and Facebook and
Amazon. Everyone has to interconnect with everyone else regardless of how big
they are.

All it takes to be a proper peer on the internet is a public IP address.

~~~
bpicolo
My ISP rotates through IPv6 addresses now (and frequently, at least several
times a day). Makes that tough.

~~~
takeda
That feels like an assholish thing to do. The great thing about IPv6 was that
there's enough of them that everyone and everything could get one. If it
changes, it defeats that purpose.

~~~
robocat
Browsing using a static IPv6 (or IPv4) that is unique to you is terrible for
your privacy.

Randomly reusing the same limited set of IPv6 addresses would help privacy a
little.

------
zrail
I used to do this as well, with tinydns. I even wrote an article with a
similar name[1]. Then I wrote another article with a similar name[2] when I
decided that I was being silly.

I use Route53 now with a little cron that periodically updates the record that
points at my home IP[3]. Route53 is bulletproof in a way that I'm unable to
accomplish on my own.

edit: Route53 is not actually cheaper than this person's setup. That said,
$0.50 per hosted zone is a bargain for what you get and there's a volume break
to $0.10 after 25 zones. We're talking about global 100% DNS uptime with an
SLA[4] for $0.50/mo.

[1]: https://www.petekeen.net/how-i-run-my-own-dns

[2]: https://www.petekeen.net/how-and-why-im-not-running-my-own-dns

[3]: https://github.com/peterkeen/route53_ddns

[4]: https://aws.amazon.com/route53/sla/

~~~
pedrocr
I do it for free by using Cloudflare as the DNS provider, and I used to do it
for free by using the Linode DNS service that comes included with having a VM
there.

~~~
graton
+1 for using Cloudflare. That is what I use as my DNS provider.

~~~
jjeaff
I use Cloudflare as well. And they are one of the most performant. Feels too
good to be true. I wonder if the offer and its performance will last...

------
conorrr
Good article on How, pretty bad at describing why

# It’s Cheap

There are plenty of cheap & free DNS hosts out there.

# More Control

Every DNS host I've ever used has offered full control of DNS records. If all
you've ever experienced is poor shared hosting, maybe this looks like something
new.

A "why not" section would be good:

* High latency for people who do not live near one of your servers.

* Time to set up

* Cost (lots of cheaper alternatives)

* Some overhead. Running any server that is public facing has some overhead even if it's just installing patches.

Interestingly zwischenzugs.com isn't hosted on authors own DNS (maybe a
restriction of wordpress.com?)

~~~
zzzcpan
> Every DNS host I've ever used has offered full control of DNS records.

That's not true. Typically most DNS hosting solutions offer so little control,
and it is so primitive, that they only treat records as static values; you
can't have something like a view{} in BIND letting you serve different people
from different servers, reducing latency and improving availability, say if you
have one server in America and one in Europe.

> High latency for people who do not live near one of your servers.

See my point above. Dynamically chosen records are fundamental to cheap good
latency. And no, anycast is not a silver bullet, you can do pretty good with
just dynamic records, you can use them for nameservers too, you know.

~~~
Torgo
I guess he did say full, but views are a pretty specialized function (I say,
as I am using them internally where I work.)

------
dboreham
Although the article does cover this, perhaps it doesn't emphasize the point
strongly enough:

The IP addresses for your authoritative servers are going to be stored in the
glue record for your zone, which is physically held in the root servers (i.e.
not your servers).

Those glue records can't be changed quickly.

Therefore you need to be very sure that your servers' IP addresses are really
static.

We run our own DNS (for mostly historical and paranoia-about-reliability
reasons). One of our servers is on a subnet that we own, so that is totally
under our control. The other is at a provider where I have had a detailed
back-and-forth with the support staff about the circumstances under which its
IP might change, and how to ensure it won't change, specifically mentioning
that we are going to run an authoritative DNS server on their infrastructure
(currently IBM/Softlayer, moving to Packet.net soon). I am skeptical that a
low-cost provider (DO, etc) can give a strong enough guarantee that the
machine's IP address won't change.

Makes Route53 look very attractive for common/garden purposes.
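The check that follows from the point above is to confirm that the glue the parent zone publishes for your nameservers still matches what the servers themselves answer, because a drifted address at the parent is exactly the failure that cannot be fixed quickly. This is an added example, not code from the thread or the article; it assumes BIND's dig is installed, and example.com, ns1/ns2.example.com and the addresses are placeholders (the comparison function itself needs no network):

```shell
#!/bin/sh
# Added example: compare parent-zone glue against your own servers' answers.
# Assumes: dig (BIND utilities); example.com / ns1.example.com are placeholders.

# Normalise "hostname address" pairs: lowercase, drop trailing dots, sort, dedupe.
normalize_pairs() {
  tr 'A-Z' 'a-z' | sed -e 's/\.[[:space:]]/ /' -e 's/\.$//' \
    | awk 'NF == 2 { print $1, $2 }' | sort -u
}

# Glue as published by a parent (TLD) server: ask it non-recursively and keep
# the ADDITIONAL section. Network call, so the test does not exercise it.
# Find the parent servers for .com with:  dig +short com NS
glue_from_parent() {  # $1 = your zone, $2 = a parent server (e.g. a.gtld-servers.net)
  dig +norecurse +noall +additional @"$2" "$1" NS \
    | awk '$4 == "A" || $4 == "AAAA" { print $1, $5 }' | normalize_pairs
}

# What one of your own nameservers says its hosts resolve to (network call).
addresses_from_self() {  # $1 = nameserver IP, remaining args = nameserver hostnames
  ns=$1; shift
  for h in "$@"; do
    dig +norecurse +short @"$ns" "$h" A | awk -v h="$h" '{ print h, $1 }'
  done | normalize_pairs
}

# Pure comparison of two newline-separated pair lists. Returns 0 when they agree,
# 1 otherwise, listing which side holds each stray entry.
compare_glue() {  # $1 = pairs from the parent, $2 = pairs from your servers
  a=$(printf '%s\n' "$1" | normalize_pairs)
  b=$(printf '%s\n' "$2" | normalize_pairs)
  if [ "$a" = "$b" ]; then
    echo "OK: parent glue matches your servers"
    return 0
  fi
  t=$(mktemp)
  printf '%s\n' "$a" > "$t"
  # comm -3: column 1 = only at parent, column 2 (tab-indented) = only at self
  printf '%s\n' "$b" | comm -3 "$t" - \
    | awk -F '\t' '{ if ($1 != "") print "only-at-parent: " $1; else print "only-at-self: " $2 }'
  rm -f "$t"
  return 1
}

# Usage (live):
#   compare_glue "$(glue_from_parent example.com a.gtld-servers.net)" \
#                "$(addresses_from_self 192.0.2.1 ns1.example.com ns2.example.com)"
```

A mismatch here means the world is being sent to an address you no longer control (or not the one you think), which is worth alerting on from cron long before a registrar ticket would resolve it.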

~~~
takeda
DNS doesn't require you to use glue records, though; you can just provide a
name and the resolver will make another query to figure out the IP.

It's of course less efficient and probably you shouldn't do it, but DNS itself
doesn't stop you from that.

As for authoritative servers what I did in the past is essentially working
together with friends, I was backup name server for their domains and they
were backup for mine.

There are also some free public DNS servers as well.

~~~
dboreham
True. I didn't mention that because as you say you shouldn't do it.

A big problem with free/cheap DNS services is that (as far as I have seen)
they do not support either secondaries off their network, nor being a
secondary to some other primary. So you end up in an all-or-nothing situation
where you either rely entirely on one provider, or you have to host yourself.

------
Coding_Cat
>The YOUREMAIL.YOUREMAILDOMAIN. part must be replaced by your own email. For
example, my email address: ian.miell@gmail.com becomes ianmiell.gmail.com..
Note also that the dot between first and last name is dropped. email ignores
those anyway!

Isn't that only the case for gmail (and maybe some others)?

As an aside I'm surprised someone setting up their own dns-server would still
be using gmail. I've found running my own email-server to be very useful and
satisfying. (0-configuration throwaway addresses, automatic sorting with
sieve, personal and professional mail on the same account, etc. etc.)

~~~
zwischenzug
I haven't ever got comfortable with running mail. Interested in any good
guides I haven't already read.

~~~
perlgod
I've spent years tweaking my mail server setup (Postfix, Dovecot, RSPAMD,
LDAP...) and did a full writeup a few months ago. I've used other guides
online but found most of the rest lacking on details.

https://www.c0ffee.net/blog/mail-server-guide

~~~
herbst
Curious why you settled for Postfix?

I know it's basically the standard but it's a pain to configure and modify. I
recently started to work with Haraka and it's so much more of a pleasure (even
though I am no JS fan, I prefer JS to cryptic/ancient config files).

Just curious if you went through an evaluation process.

~~~
icedchai
If you want "pain to configure and modify", take a look at sendmail, which was
the standard for decades.

Postfix is a breeze to work with in comparison.

~~~
__david__
I don't agree. Sendmail definitely has the weirder config file syntax, but
(having set both up multiple times) both have the exact same setup
technique—reading through the manual looking at the config options and
copying/pasting the lines into the config.

~~~
icedchai
That same technique can be applied to basically anything.

I've set up both multiple times, and have worked with Sendmail since 1994.
Postfix config files are much simpler.

To configure sendmail, you have to do extra layers of weirdness, like deal
with "m4". That's mental overhead you just don't have with Postfix.

~~~
__david__
There's not really any extra layers of weirdness unless you're digging down
into the nasty .cf files (which you probably never ever need to do). The m4 is
just a detail (so you end up commenting with "dnl").

The relative complexity of the files is about the same—my postfix server
config is roughly the same number of lines as my sendmail server config. And
each line is just a single conf thing. Sendmail isn't really more complicated
at all. It's just ugly.

------
perlgod
I've been down this route but ultimately found much more stability running
BIND as a hidden master and pushing NOTIFYs to secondary nameservers (I use
DNSMadeEasy) whenever the zone is modified. Supports DNSSEC as well.

I wrote up my setup here: https://www.c0ffee.net/blog/dns-hidden-master

I host mostly static IPs, but I also use this setup with shared keys and
PFSense's RFC2136 feature to push dynamic DNS updates for my home network.

~~~
JeanMarcS
I'm stuck on the DNSSEC part with OVH as a registrar, as they won't let you
add DNSSEC records if you don't use their DNS. Not cool.

But your post gave me an idea to try, so anyway, thank you, either it will
work or not.

~~~
psz
Enable DNS zone, you don't even need to use it. Then, you'll be able to set
custom DS records on a domain.

I asked them. It's not a bug, it's a feature!

------
zwischenzug
Somebody pointed out to me that you can get a free DNS service here:

[https://dns.he.net/](https://dns.he.net/)

~~~
alex_hitchins
Still good to go through the process of setting this up and making yourself
less reliant on third parties.

~~~
gruez
You're "less reliant", but chances are, you'll end up having worse
reliability.

~~~
alex_hitchins
Why do you think that? There is nothing to prevent one from running two, three
or four DNS servers each with different providers. The internet was designed
to be decentralised and run in such a manner, no?

------
alexellisuk
Came here because of this advice:

> setup a strong root password

You should ideally disable root login over SSH and only allow key-based login.
Check out /etc/ssh/sshd_config for more info on that. I don't think this has
been suggested yet.
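A way to check the two settings above against an sshd_config file, written as an added example rather than anything from the thread. It assumes OpenSSH's sshd_config syntax (first occurrence of a keyword wins, keywords are case-insensitive, only whole-line `#` comments); the weak and hardened sample files are constructed for the demonstration:

```shell
#!/bin/sh
# Added example: audit sshd_config for root-login and password-auth settings.
# Assumes OpenSSH semantics: first occurrence of a keyword wins, settings after a
# "Match" line are conditional and are not considered here.

# Effective global value of a keyword, or the given default when unset.
effective() {  # $1 = config file, $2 = keyword, $3 = default when absent
  k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  v=$(awk -v k="$k" '
        /^[[:space:]]*#/ { next }               # whole-line comment
        tolower($1) == "match" { exit }         # conditional section starts
        NF >= 2 && tolower($1) == k { print tolower($2); exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# Returns 0 if root login is off and only key-based auth is possible, else 1.
# Defaults below are OpenSSH's when the keyword is absent.
audit_sshd() {  # $1 = path to sshd_config
  rc=0
  r=$(effective "$1" PermitRootLogin prohibit-password)
  [ "$r" = no ] || { echo "FAIL PermitRootLogin=$r (want no)"; rc=1; }
  p=$(effective "$1" PasswordAuthentication yes)
  [ "$p" = no ] || { echo "FAIL PasswordAuthentication=$p (want no)"; rc=1; }
  # keyboard-interactive can still carry a password prompt via PAM
  c=$(effective "$1" ChallengeResponseAuthentication yes)
  [ "$c" = no ] || { echo "FAIL ChallengeResponseAuthentication=$c (want no)"; rc=1; }
  k=$(effective "$1" PubkeyAuthentication yes)
  [ "$k" = yes ] || { echo "FAIL PubkeyAuthentication=$k (want yes)"; rc=1; }
  [ $rc -eq 0 ] && echo "OK: root login disabled, key-only authentication"
  return $rc
}

# Constructed sample: looks tidy, but the commented-out line means the default
# (prohibit-password) applies and passwords stay enabled.
write_weak_sample() {  # $1 = output path
cat > "$1" <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
}

# Constructed sample: the hardened settings the comment above recommends.
# The duplicate PasswordAuthentication line is ignored because the first wins.
write_hardened_sample() {  # $1 = output path
cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
EOF
}

# Usage: audit_sshd /etc/ssh/sshd_config
```

On the live host, `sshd -T` prints the fully resolved configuration including defaults and is the authoritative answer; the script is for reviewing a file offline, for instance in a config repository before it is deployed.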

------
sidhu1f
Modern alternatives to BIND that I have had good (though limited) experience
with:

- unbound (recursive resolver)
[https://www.unbound.net](https://www.unbound.net)

- nsd (authoritative server)
[https://www.nlnetlabs.nl/projects/nsd](https://www.nlnetlabs.nl/projects/nsd)

~~~
DrPhish
You can also run NSD as an authoritative frontend to your BIND servers, and
unbound as a caching resolver with forward-zone entries to your BIND server
for your domains.

This is what I do, which allows me the full gamut of BIND features without
exposing those servers directly to any networks (there is a non-routed vlan
that nsd/unbound/bind servers use). This is using split-horizon, DDNS from ISC
DHCP and DNSSEC, so not a non-trivial setup, but it is also my home network
setup so not so heavy duty as to be particularly hard to set up and automate.

I also have a round-robin DNSCRYPT setup hooked into the whole thing for semi-
anonymity of queries.

------
linsomniac
On the other side: I run my own DNS recursive resolver on my laptop/desktop,
and it's one of the things I really miss on the ChromeBook. I've done this for
a long time, originally starting with BIND, then switching to powerdns, but
lately I've used dnsmasq and it works great. It has a really nice way to set
up multiple resolution zones, so I can have my work IPs resolve using the
private DNS servers over the VPN.

The down side is sometimes wireless hotspots will block all traffic until you
hit their portal, including DNS resolution, and some captive portals don't
work when you can't resolve the name. I've worked around this by letting
NetworkManager poke the DNS settings in, and then my VPN will update the
resolv.conf once the VPN is up.

Means I don't end up getting weird DNS responses from clever hotspots or ISPs.

~~~
sliken
Unbound is pretty slick as well. Not sure if dnsmasq supports DNSSEC, but
unbound does.

------
alex_hitchins
Thinking about all the servers I've run over the years, I think DNS is one
that was most satisfying in a weird way. Incredibly handy also for making
amendments to a bunch of records.

------
belthesar
I've got a little script that runs on my home router that makes zone updates
to CloudFlare over its API. Cost per month: $0, infrastructure to manage: $0.

------
sideproject
I've done this for my domain parking company too. For my need, it's (probably)
a must, since you want to make sure you have a reliable DNS server which you
can fully control.

I've used PowerDNS, which was a breeze for me. It's super efficient too. So I
set up my DNS on a very cheap VPS on Vultr ($5/month) and everything has been
running well.

I do wish PowerDNS had a better web interface, but hey it does the job.

------
crims0n
I know it is not the point of the article, but it is possible to do this with
one VPS if the provider offers an API to update DNS records. I have this
working with Digital Ocean:
https://developers.digitalocean.com/documentation/v2/#update-a-domain-record

------
icedchai
I've run my own DNS servers since the mid 90's. Anyone doing this should check
out the "DNS and BIND" O'Reilly book.

------
adreamingsoul
Lately, I've been feeling the urge to rent colo space for my own servers. I
used to have my own colo space & servers, but like everyone else was "sold" on
the benefits of moving to the cloud.

Now, I have a different perspective and believe more people should be owning
their own data and servers.

------
moviuro
I have a similar problem, but there's just no way I'm running a DNS server in
the open (amplification attacks, etc.). I was thinking of using
[https://icanhazip.com](https://icanhazip.com) + OVH's API to regularly
update my A records.

However, I still didn't get around to finding (or writing) a CLI for their DNS
offering (it is possible, because acme.sh does it [0] -- maybe I'll just use
this as a base?)

[0]
[https://github.com/Neilpang/acme.sh/tree/master/dnsapi](https://github.com/Neilpang/acme.sh/tree/master/dnsapi)
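The amplification concern above is mostly about a server that answers recursive queries for anyone; an authoritative-only server with recursion disabled and response rate limiting reflects far less. The following is an added example, not from the thread, with two defender-side checks: a parser that confirms a BIND 9 named.conf options block has `recursion no;` and a `rate-limit` block, and a live probe with dig that confirms the server does not set the RA flag for a name it does not serve. The sample configs are constructed; the nameserver address and names are placeholders.

```shell
#!/bin/sh
# Added example: check an authoritative BIND server for open-resolver exposure.
# Assumes BIND 9 named.conf syntax and the dig tool.

# Remove //, # and /* */ comments and join into one whitespace-squeezed line.
strip_named_comments() {
  sed -e 's#//.*$##' -e 's/#.*$//' | tr '\n' ' ' \
    | awk '{ while ((i = index($0, "/*")) > 0) {
               rest = substr($0, i + 2); j = index(rest, "*/")
               if (j == 0) { $0 = substr($0, 1, i - 1); break }
               $0 = substr($0, 1, i - 1) substr(rest, j + 2) }
             print }' | tr -s ' \t'
}

# Returns 0 if recursion is off and RRL is configured, 1 otherwise (with reasons).
check_named_options() {  # $1 = path to named.conf or an options fragment
  cfg=$(strip_named_comments < "$1")
  rc=0
  printf '%s' "$cfg" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;' \
    || { echo "FAIL: recursion not disabled (add 'recursion no;' to options)"; rc=1; }
  printf '%s' "$cfg" | grep -Eq 'rate-limit[[:space:]]*\{' \
    || { echo "FAIL: no rate-limit block (RRL caps reflected responses per client)"; rc=1; }
  [ $rc -eq 0 ] && echo "OK: recursion off, response rate limiting configured"
  return $rc
}

# Live probe (network; not run by the test): ask for a name you are NOT
# authoritative for. A closed server answers REFUSED with the RA flag clear.
probe_open_resolver() {  # $1 = your nameserver IP, $2 = a name you do not serve
  out=$(dig +time=3 +tries=1 +noall +comments @"$1" "$2" A)
  if printf '%s' "$out" | grep -Eq 'flags:[^;]* ra[ ;]'; then
    echo "WARNING: $1 offers recursion (RA set) and can be used as an open resolver"
    return 1
  fi
  echo "OK: $1 refuses recursion for $2 ($(printf '%s' "$out" | grep -o 'status: [A-Z]*'))"
}

# Constructed sample: hardened options block.
write_hardened_options() {  # $1 = output path
cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion no;                 // authoritative only: never resolve for others
    allow-query { any; };
    allow-transfer { none; };     /* transfers only to explicitly listed secondaries */
    minimal-responses yes;        # smaller answers, smaller amplification factor
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
EOF
}

# Constructed sample: a distribution-style default that also resolves for anyone.
write_weak_options() {  # $1 = output path
cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
};
EOF
}

# Usage: check_named_options /etc/bind/named.conf.options
#        probe_open_resolver 192.0.2.1 www.example.net
```

The parser expects the canonical `recursion no;` spelling; `named-checkconf -p` will print a normalised configuration if the file uses unusual spacing or includes.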

~~~
herbst
Just a random input. I use Cloudflare for this. Mostly because changes are
more or less instant. I've used Namecheap and OVH before and both could end up
with longer delays (~1h)

------
alexellisuk
While this is an entertaining read - i.e. all the technical details, it can be
made so much less work. If you register a domain or transfer it to a registrar
that supports dynamic DNS updates you just run a daemon inside your network
and forget about it. I have several domains on Namecheap with a dynamic IP at
home and do this [1].

[1]
https://www.namecheap.com/support/knowledgebase/article.aspx/36/11/how-do-i-start-using-dynamic-dns

------
JepZ
Anybody know why he uses ssh to update the records and not nsupdate?

~~~
millettjon
Not sure in his case, but I keep my dns configuration in git and deploy over
ssh git pull followed by a dns server restart. I prefer ssh as I know better
how to secure that and it seems like less attack surface.
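The nsupdate route that JepZ asks about, and that perlgod describes further up (RFC 2136 updates signed with a shared key), looks like the script below. It is an added example, not code from the thread or the article, and it assumes BIND's nsupdate and dig plus curl; example.com, home.example.com, ns1.example.com and the key file path are placeholders, and the server side needs a matching grant, for instance `update-policy { grant home-key name home.example.com. A; };` in the zone's BIND configuration so the key can change only that one record. Using icanhazip to learn the public address follows moviuro's suggestion above.

```shell
#!/bin/sh
# Added example: dynamic DNS through RFC 2136 (nsupdate) with a TSIG key.
# Assumes: nsupdate, dig, curl; placeholder names below; a server-side
# update-policy that grants this key exactly one record.

ZONE=example.com
RECORD=home.example.com
SERVER=ns1.example.com
KEYFILE=/etc/dyndns/home-key.key   # created with: tsig-keygen home-key > home-key.key
TTL=300

# Validate a dotted quad so nothing but an address can reach the update batch.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Public address as seen from outside (network; not used by the test).
current_public_ip() {
  curl -fsS --max-time 10 https://icanhazip.com | tr -d '[:space:]'
}

# What the authoritative server publishes right now (network; not used by the test).
published_ip() {
  dig +short @"$SERVER" "$RECORD" A | head -n 1
}

# Pure: build the nsupdate batch. Deleting before adding keeps one A record
# instead of accumulating a new one on every address change.
build_update() {  # $1 = new IPv4 address
  is_ipv4 "$1" || { echo "refusing to build update for invalid address: $1" >&2; return 1; }
  printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
    "$SERVER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

# Only touch DNS when the address actually changed. Returns 1 on any failure.
sync_record() {
  new=$(current_public_ip) || return 1
  old=$(published_ip)
  if [ "$new" = "$old" ]; then
    echo "unchanged: $RECORD = $old"
    return 0
  fi
  build_update "$new" | nsupdate -k "$KEYFILE" || return 1
  echo "updated: $RECORD $old -> $new"
}

# Usage from cron, e.g. every five minutes:  sync_record
```

Compared with the ssh-and-restart approach, the key here can only add or delete the one A record named in the grant, nothing else on the box; the trade-off is that the zone must allow dynamic updates, which changes how the zone file is managed (BIND journals it).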

------
0x7f800000
I use Route53 for two reasons:

1. $$$

2. certbot certonly --dns-route53 [...]

------
wohlergehen
Does anyone have experience with using dot.tk domains as described in the
article?

~~~
takeda
I used them since early 2000. They were much better before FreeNOM started
managing the TLD.

As long as you don't need to change or don't have any issue they are ok as any
other domain.

Their interface is horrible, it took me a while until I figured out the right
step order to properly set up glue records.

If you have an issue, their support can be hit or miss; I have a feeling that
they just ignore whenever a ticket is opened and only respond when you follow
up. It also doesn't send notifications by email when they respond, so often it
might take days to resolve a simple issue. This is especially bad if they
block the service and the domain no longer resolves.

TK also doesn't support DNSSEC.

The nice thing is that it is free, but you need to make sure you have a
working web server that returns some content otherwise they will block the
service.

This restriction doesn't apply if you pay for the domain.

To summarize, it's OK as a free service, but if you pay you might as well just
use a better managed registrar; their price is not better compared to other
registrars that have better support and a better interface.

------
mouthfullofbees
tl;dr:

1. host them on the cheapest dodgy VPS provider you can find

2. host primary and secondary on the same provider

3. use a free throwaway domain registrar

4. use the DNS server software with the worst security track record

------
ebbv
This is not really a great idea. It's just adding more brittleness to your
system. Leave DNS to people with distributed DNS networks and redundancy.

I mean obviously you can do it if you want to, I'm not stopping you, but to me
it's silly.

~~~
zzzcpan
DNS is only distributed if you run it yourself, not when you rely on a
centralized service.

~~~
zrail
That's... that's not what "distributed" means. DNS is distributed because it's
arranged as a tree, with the root nodes delegating to the TLDs delegating to
individual name servers for each zone. Just because someone chooses to use a
service instead of running a nameserver themselves doesn't make DNS
centralized.

~~~
sp332
I'm pretty sure that's not what ebbv meant. They're talking about redundancy
for high availability.

~~~
zzzcpan
Redundancy and high availability are something DNS has by design. DNS providers
are incentivized to highlight those things as if they were unique to them, but
actually the only thing they can offer is anycast for lower latency.
Incidentally, anycast also makes them less reliable, not more.

------
craig1f
How does this compare to pi-hole?

~~~
moviuro
That's really not the point of the article. He updates the A records for his
home machine that doesn't have a static IP.

~~~
yorby
the title is pretty bad for that article... I would never have guessed

------
nrki
This is pretty simple stuff, and the two ads for your book make this look like
an ad rather than something not otherwise posted on tens of other blogs.

~~~
lisper
Everything is simple once you know how.

