How and why I run my own DNS servers

268 points by zwischenzug, over 7 years ago

25 comments

rsync, over 7 years ago
Responding to several comments in this thread RE: what is the point of doing this ...

The point of running your own email and DNS server is so that you are a peer on the network.[1]

This is important and is becoming lost in the current era of Internet adoption.

By many measures the Internet is the largest cultural and commercial force in the world today and by an accident of history, the researchers at (D)ARPA gave us a network that allowed normal citizens to be peers on the network.

Don't lose this.

[1] As opposed to, for instance, the telephone network. You can own your own domain and perform the first level of network interaction on your Internet systems, but the analogy on the phone network (owning your own phone number and controlling the first touch from other networks) by creating a CLEC is administratively and financially ($100k +) impossible.

zrail, over 7 years ago
I used to do this as well, with tinydns. I even wrote an article with a similar name[1]. Then I wrote another article with a similar name[2] when I decided that I was being silly.

I use Route53 now with a little cron that periodically updates the record that points at my home IP[3]. Route53 is bulletproof in a way that I'm unable to accomplish on my own.

edit: Route53 is not actually cheaper than this person's setup. That said, $0.50 per hosted zone is a bargain for what you get and there's a volume break to $0.10 after 25 zones. We're talking about global 100% DNS uptime with an SLA[4] for $0.50/mo.

[1]: https://www.petekeen.net/how-i-run-my-own-dns
[2]: https://www.petekeen.net/how-and-why-im-not-running-my-own-dns
[3]: https://github.com/peterkeen/route53_ddns
[4]: https://aws.amazon.com/route53/sla/

conorrr, over 7 years ago
Good article on How, pretty bad at describing Why.

# It's Cheap

There are plenty of cheap & free DNS hosts out there.

# More Control

Every DNS host I've ever used has offered full control of DNS records. If all you've ever experienced is poor shared hosting, maybe this looks like something new.

A "why not" section would be good:

* High latency for people who do not live near one of your servers.
* Time to set up.
* Cost (lots of cheaper alternatives).
* Some overhead. Running any server that is public facing has some overhead even if it's just installing patches.

Interestingly, zwischenzugs.com isn't hosted on the author's own DNS (maybe a restriction of wordpress.com?)

dboreham, over 7 years ago
Although the article does cover this, perhaps it doesn't emphasize the point strongly enough:

The IP addresses for your authoritative servers are going to be stored in the glue record for your zone, which is physically held in the root servers (i.e. not your servers).

Those glue records can't be changed quickly.

Therefore you need to be very sure that your servers' IP addresses are really static.

We run our own DNS (for mostly historical and paranoia-about-reliability reasons). One of our servers is on a subnet that we own, so that is totally under our control. The other is at a provider where I have had a detailed back-and-forth with the support staff about the circumstances under which its IP might change, and how to ensure it won't change, specifically mentioning that we are going to run an authoritative DNS server on their infrastructure (currently IBM/Softlayer, moving to Packet.net soon). I am skeptical that a low-cost provider (DO, etc.) can give a strong enough guarantee that the machine's IP address won't change.

Makes Route53 look very attractive for common/garden purposes.

Coding_Cat, over 7 years ago
> The YOUREMAIL.YOUREMAILDOMAIN. part must be replaced by your own email. For example, my email address: ian.miell@gmail.com becomes ianmiell.gmail.com.. Note also that the dot between first and last name is dropped. email ignores those anyway!

Isn't that only the case for gmail (and maybe some others)?

As an aside, I'm surprised someone setting up their own DNS server would still be using gmail. I've found running my own email server to be very useful and satisfying. (0-configuration throwaway addresses, automatic sorting with sieve, personal and professional mail on the same account, etc. etc.)

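The quoted RNAME rule is where the article's shortcut and RFC 1035 part ways. As an added example (not code from the article or from anyone in this thread), here is a Python encoder and decoder for the SOA RNAME field that escapes a dot in the local part as `\.` instead of dropping it, so the mailbox survives the round trip for any mail provider; the function names are my own.

```python
import re

# RFC 1035 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def email_to_rname(email):
    """Encode a mailbox as the SOA RNAME field in zone-file syntax.

    RFC 1035 (sections 3.3.13 and 8): the '@' becomes a '.', and every '.'
    in the local part must be escaped as '\\.' so the zone parser does not
    read it as a label separator. Nothing is dropped, so the round trip is exact.
    """
    local, at, domain = email.rpartition("@")
    if not (at and local and domain):
        raise ValueError(f"not a mailbox: {email!r}")
    for label in domain.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"bad hostname label {label!r} in {email!r}")
    escaped = local.replace("\\", "\\\\").replace(".", "\\.")
    return f"{escaped}.{domain.rstrip('.')}."

def rname_to_email(rname):
    """Decode an RNAME back into a mailbox: the first label is the local part
    (honouring backslash escapes), the remaining labels form the domain."""
    labels, cur, i = [], [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character
            cur.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                            # unescaped dot: label boundary
            labels.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        labels.append("".join(cur))
    if len(labels) < 2 or not labels[0]:
        raise ValueError(f"not an RNAME mailbox: {rname!r}")
    return f"{labels[0]}@{'.'.join(labels[1:])}"

if __name__ == "__main__":
    # The article's lossy form decodes to ianmiell@gmail.com, which only reaches
    # the author because Gmail ignores dots; the unescaped form mis-parses entirely.
    for rn in ("ian\\.miell.gmail.com.", "ianmiell.gmail.com.", "ian.miell.gmail.com."):
        print(rn, "->", rname_to_email(rn))
```
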
perlgod, over 7 years ago
I've been down this route but ultimately found much more stability running BIND as a hidden master and pushing NOTIFYs to secondary nameservers (I use DNSMadeEasy) whenever the zone is modified. Supports DNSSEC as well.

I wrote up my setup here: https://www.c0ffee.net/blog/dns-hidden-master

I host mostly static IPs, but I also use this setup with shared keys and pfSense's RFC 2136 feature to push dynamic DNS updates for my home network.

zwischenzug, over 7 years ago
Somebody pointed out to me that you can get a free DNS service here:

https://dns.he.net/

alexellisuk, over 7 years ago
Came here because of this advice:

> setup a strong root password

You should ideally disable root login over SSH and only allow key-based login. Check out /etc/ssh/sshd_config for more info on that. I don't think this has been suggested yet.

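To go with the advice above, an added example (not from the thread) in Python: an audit of sshd_config text that applies sshd's own reading rules (the first value for a keyword wins, anything after a Match line is conditional) and reports whether root or password login is still allowed. The two sample configs are constructed; the defaults come from sshd_config(5).

```python
import re
# Defaults from sshd_config(5) for current OpenSSH; PermitRootLogin has
# defaulted to prohibit-password (no password login for root) since 7.0.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}
ROOT_OK = ("no", "prohibit-password", "without-password")  # last one: old alias

def parse_sshd_config(text):
    """Effective global values: sshd keeps the FIRST value seen for a keyword,
    keywords are case-insensitive, '=' may separate keyword and value, and
    everything after a 'Match' line is conditional, so parsing stops there."""
    effective, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        m = re.match(r"^(\S+?)[\s=]+(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            effective[key] = value
    return effective

def audit_sshd_config(text):
    """List settings that still allow root or password login over SSH."""
    cfg, findings = parse_sshd_config(text), []
    if cfg["permitrootlogin"] not in ROOT_OK:
        findings.append(f"PermitRootLogin {cfg['permitrootlogin']}: root may log in with a password")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing stays possible")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login would fail")
    if "include" in cfg:  # OpenSSH 8.2+ 'Include' files are not followed here
        findings.append("Include present: included files were not evaluated")
    return findings
# Constructed samples (not from the thread): a permissive config and a hardened one.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes   # conditional: ignored by the parser above
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

On a live host, `sshd -T` prints the effective configuration after Include and Match processing and is the authoritative check; this audit is for reviewing a config file offline.
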
sidhu1f, over 7 years ago
Modern alternatives to BIND that I have had good (though limited) experience with:

- unbound (recursive resolver) https://www.unbound.net
- nsd (authoritative server) https://www.nlnetlabs.nl/projects/nsd

linsomniac, over 7 years ago
On the other side: I run my own DNS recursive resolver on my laptop/desktop, and it's one of the things I really miss on the ChromeBook. I've done this for a long time, originally starting with BIND, then switching to PowerDNS, but lately I've used dnsmasq and it works great. It has a really nice way to set up multiple resolution zones, so I can have my work IPs resolve using the private DNS servers over the VPN.

The downside is sometimes wireless hotspots will block all traffic until you hit their portal, including DNS resolution, and some captive portals don't work when you can't resolve the name. I've worked around this by letting NetworkManager poke the DNS settings in, and then my VPN will update the resolv.conf once the VPN is up.

Means I don't end up getting weird DNS responses from clever hotspots or ISPs.

alex_hitchins, over 7 years ago
Thinking about all the servers I've run over the years, I think DNS is one that was most satisfying in a weird way. Incredibly handy also for making amendments to a bunch of records.

belthesar, over 7 years ago
I've got a little script that runs on my home router that makes zone updates to CloudFlare over its API. Cost per month: $0, infrastructure to manage: $0.

sideproject, over 7 years ago
I've done this for my domain parking company too. For my needs, it's (probably) a must, since you want to make sure you have a reliable DNS server which you can fully control.

I've used PowerDNS, which was a breeze for me. It's super efficient too. So I set up my DNS on a very cheap VPS on Vultr ($5/month) and everything has been running well.

I do wish PowerDNS had a better web interface, but hey, it does the job.

crims0n, over 7 years ago
I know it is not the point of the article, but it is possible to do this with one VPS if the provider offers an API to update DNS records. I have this working with Digital Ocean: https://developers.digitalocean.com/documentation/v2/#update-a-domain-record

icedchai, over 7 years ago
I've run my own DNS servers since the mid 90's. Anyone doing this should check out the "DNS and BIND" O'Reilly book.

adreamingsoul, over 7 years ago
Lately, I've been feeling the urge to rent colo space for my own servers. I used to have my own colo space & servers, but like everyone else was "sold" on the benefits of moving to the cloud.

Now, I have a different perspective and believe more people should be owning their own data and servers.

moviuro, over 7 years ago
I have a similar problem, but there's just no way I'm running a DNS server in the open (amplification attacks, etc.). I was thinking of using https://icanhazip.com + OVH's API to regularly update my A records.

However, I still didn't get around to finding (or writing) a CLI for their DNS offering (it is possible, because acme.sh does it [0] -- maybe I'll just use this as a base?)

[0] https://github.com/Neilpang/acme.sh/tree/master/dnsapi

alexellisuk, over 7 years ago
While this is an entertaining read, i.e. all the technical details, it can be made so much less work. If you register a domain or transfer it to a registrar that supports dynamic DNS updates, you just run a daemon inside your network and forget about it. I have several domains on Namecheap with a dynamic IP at home and do this [1].

[1] https://www.namecheap.com/support/knowledgebase/article.aspx/36/11/how-do-i-start-using-dynamic-dns

JepZ, over 7 years ago
Does anybody know why he uses ssh to update the records and not nsupdate?

0x7f800000, over 7 years ago
I use Route53 for two reasons:

1. $$$

2. certbot certonly --dns-route53 [...]

wohlergehen, over 7 years ago
Does anyone have experience with using dot.tk domains as described in the article?

mouthfullofbees, over 7 years ago
tl;dr:

1. host them on the cheapest dodgy VPS provider you can find
2. host primary and secondary on the same provider
3. use a free throwaway domain registrar
4. use the DNS server software with the worst security track record

ebbv, over 7 years ago
This is not really a great idea. It's just adding more brittleness to your system. Leave DNS to people with distributed DNS networks and redundancy.

I mean, obviously you can do it if you want to, I'm not stopping you, but to me it's silly.

craig1f, over 7 years ago
How does this compare to Pi-hole?

nrki, over 7 years ago
This is pretty simple stuff, and the two ads for your book make this look like an ad rather than something not otherwise posted on tens of other blogs.
