Hosting your own authoritative DNS: yay or nay?

foxonefoxone OG
edited January 23 in General

Due to me having to implement ACME dns-01 verification for my network, I now acquired a sense of how DNS works. I can now happily run an authoritative name server on my network.

It seems quite easy, so I wonder - is it a good idea to drop Cloudflare/Bunny/whatever to host my own servers? Ideally this would also make DNSSEC safer since the keys would only be in my possession, and i would be able to use whatever absurdly low TTL I wish as well as exotic record types without having to pay for more queries.

It's basically matter of putting a couple of zonefiles in a folder, and letting the domain point to the NS. If it feels so easy - why aren't more people doing so?

«1

Comments

  • bikegremlinbikegremlin ModeratorOGContent Writer

    My Montenegrin roots prevent me from doing any extra work that is not absolutely necessary.

    Veni, vidi, delegavi.
    :)

    Thanked by (1)mfs

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @foxone said:
    Due to me having to implement ACME dns-01 verification for my network, I now acquired a sense of how DNS works. I can now happily run an authoritative name server on my network.

    It seems quite easy, so I wonder - is it a good idea to drop Cloudflare/Bunny/whatever to host my own servers? Ideally this would also make DNSSEC safer since the keys would only be in my possession, and i would be able to use whatever absurdly low TTL I wish as well as exotic record types without having to pay for more queries.

    It's basically matter of putting a couple of zonefiles in a folder, and letting the domain point to the NS. If it feels so easy - why aren't more people doing so?

    Risky at least for me

    I believe in the good luck. Harder than I work luckier i get.

  • @Chievo said:

    @foxone said:
    Due to me having to implement ACME dns-01 verification for my network, I now acquired a sense of how DNS works. I can now happily run an authoritative name server on my network.

    It seems quite easy, so I wonder - is it a good idea to drop Cloudflare/Bunny/whatever to host my own servers? Ideally this would also make DNSSEC safer since the keys would only be in my possession, and i would be able to use whatever absurdly low TTL I wish as well as exotic record types without having to pay for more queries.

    It's basically matter of putting a couple of zonefiles in a folder, and letting the domain point to the NS. If it feels so easy - why aren't more people doing so?

    Risky at least for me

    Why though?

    All the stuff I see online is "it needs reliability", but if my websites are hosted in the same server anyway, why would I need to have my server available and pointing to services that are not working anyway?

    Thanked by (2)root wankel
  • rm_rm_
    edited January 23

    Absolutely. Doing that for many years now, never looked back. I can just edit my zone files and push an update, rather than having to log in to some clunky web interface, which will BS and hassle me with their mandatory 2FA, upsell offers, advertising and such.

  • Definitely, using PowerDNS here.

  • I host my own hidden master and have BuddyNS/HE as slaves.

  • @foxone said:

    @Chievo said:

    @foxone said:
    Due to me having to implement ACME dns-01 verification for my network, I now acquired a sense of how DNS works. I can now happily run an authoritative name server on my network.

    It seems quite easy, so I wonder - is it a good idea to drop Cloudflare/Bunny/whatever to host my own servers? Ideally this would also make DNSSEC safer since the keys would only be in my possession, and i would be able to use whatever absurdly low TTL I wish as well as exotic record types without having to pay for more queries.

    It's basically matter of putting a couple of zonefiles in a folder, and letting the domain point to the NS. If it feels so easy - why aren't more people doing so?

    Risky at least for me

    Why though?

    All the stuff I see online is "it needs reliability", but if my websites are hosted in the same server anyway, why would I need to have my server available and pointing to services that are not working anyway?

    Putting all the eggs in the same basket

    I believe in the good luck. Harder than I work luckier i get.

  • Hosting a status.yoursite.tld that points to for example a hetrixtools thing wont work if your main server is down then.

    Hey teamacc. You're a dick. (c) Jon Biloh, 2020.

  • rm_rm_
    edited January 23

    @teamacc said:
    Hosting a status.yoursite.tld that points to for example a hetrixtools thing wont work if your main server is down then.

    It can be, if you run 2-3 nameservers. That's the way to go in any case, at least 2. It is easy enough to get a cheap VPS and set up rsync and ssh to sync your DNS config, either from the main server to a couple more, or from some other central location to all the NSes.

  • edited January 23

    Well, Cloudflare is the fastest DNS in the world according to the most websites and.. it's free! I am using it with no worries and I don't think I am gonna change that in the near future to be honest.

    You can get DDoS'ed in your nameservers and any website associated with those nameservers will be down, that's another point though.

  • tetechtetech OG
    edited January 23

    @foxone said: It's basically matter of putting a couple of zonefiles in a folder, and letting the domain point to the NS. If it feels so easy - why aren't more people doing so?

    You probably know from this other thread that I manage my own, and I wouldn't discourage anyone from it. I think main reasons not to are (a) why bother? (b) reliability and (c) speed.

    a) As others have said, there's a big "why bother?", there's a learning curve, and others provide the service for free or next to it. Self-hosting certainly isn't for everyone.

    b) Say you self-host and have one VPS with both NS records pointing to it. Firstly that's naughty. If that one goes down, everything eventually stops working, including email (MX). You might say "I've got a long TTL for that", but if you're sending email then other sites still want to lookup SPF records etc. So let's assume you've got (at least) two VPS which are synced. That's much better, but all sorts of things can still go wrong - the syncing can break, you can screw up the zone files (when I was starting out I used a # instead of ; for a comment which got synced across 4 nameservers and took the whole zone down).

    c) The bigger players offer anycast, which means fast lookups from anywhere in the world. Fast lookups can matter in overall web site performance. If you've just got a hobby site or something used in a particular geo, then this becomes less of a consideration. You're right that you can reduce the TTLs to near-nothing, but this impacts speed too - if the lookup has to wind its way to an authoritative server on some remote VPS for every second page the user visits.

    That said, there's reasons in favor too, like the ability to get a combination of features which aren't offered by free/cheap providers and keeping away from big corporations.

  • @bikegremlin said:
    My Montenegrin roots prevent me from doing any extra work that is not absolutely necessary.

    Veni, vidi, delegavi.
    :)

    Then we have same roots, cousin

    Thanked by (1)bikegremlin

    AmadexHosting ForumsWie ist meine IP-Adresse? • AS215325
    Forum for System Administrators: sysadminforum.com

  • Summer Host edition

    Sure, host your own primary and secondary DNS, in your own data center and your own ASN.

    When your data center loses connectivity, your domain ceases to resolve, your website ceases to open, your email ceases to receive.
    A drama thread appears on OGF about your deadpool, as there's no way for you to notify customers and no way for customers to contact you.

    LowEnder edition

    Sure, host your own primary and secondary DNS, in your VirmAche VPS.
    Enable email-based 2FA on your domain registrar and VirmAche account.
    Store your passwords in Dropbox, with email-based 2FA too.

    One week before your domain expires, your VirmAche VPS goes down, your domain ceases to resolve, your email ceases to receive.
    You cannot get back to your VirmAche account because you cannot receive email 2FA code from VirmAche.
    You forgot the password too and you cannot retrieve the password because you cannot receive email 2FA code from Dropbox.
    You try to unlock your VirmAche account by paying for advanced support, but that requires two weeks.
    When it's time, your domain has expired and you cannot receive the emailed link.

    A drama thread appears on NodeSeek where DaoLaos are bashing you for entrusting in VirmAche.

    Thanked by (1)wankel

    HostBrr aff best VPS; VirmAche aff worst VPS.
    Unable to push-up due to shoulder injury 😣

  • edited January 24

    Go with premium and ddos protected hosting providers only.
    You don't want someone to ddos your authoritative nameservers and take you down entirely.

    Selfhosting is a great idea, but yeah, as I mentioned above do not cheap out on hosting, you do not need big specs but what you need is good uptime and protection.
    Also spread is across different providers as much as possible, different ddos protection vendors would also be nice in case one doesn't catch up with the attack.

  • @treesmokah said:
    Go with premium and ddos protected hosting providers only.

    Who around here do you view positively for DDoS protection? Assume for the moment that we're only talking about DNS and don't have other specific needs (DMCA, crypto payments, ... all those things that might often be tied together), so purely focusing on DDoS protection in a reasonable budget for the "self-hosting hobbyist".

  • Do not forget the "hybrid" path, you can run a master that you control and have the slaves hosted elsewhere, like HE.net.
    That way you can edit zonefiles or whatever it is that you want to do, but your infrastructure is still redundant and not hosted only by you.

  • edited January 24

    If it's low stake -ish then hell yeah. Don't buy into all the "best industry practices" telling you that your servers have to be online all the time with multiple layers of failovers. DNS is easy enough to host it yourself, and it's fun (your mileage might vary) to debug DNS problems, because it's always DNS.

  • rm_rm_
    edited January 24

    @rcy026 said: a master that you control and have the slaves hosted elsewhere, like HE.net.

    Can you force the slaves to update all zones "right now"? Or have to wait until they re-fetch zones on their own? Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves" =)

    Speaking of he.net btw, it was actually a major outage at he.net's DNS service some years ago, that pushed me to switch to self-hosting. It was down for a few hours, and it didn't appear like anyone is in a great hurry to fix up that side-project hobby service of theirs, and you couldn't even complain much, since it is provided for free.

  • edited January 24

    @tetech said:

    @treesmokah said:
    Go with premium and ddos protected hosting providers only.

    Who around here do you view positively for DDoS protection? Assume for the moment that we're only talking about DNS and don't have other specific needs (DMCA, crypto payments, ... all those things that might often be tied together), so purely focusing on DDoS protection in a reasonable budget for the "self-hosting hobbyist".

    Spamhaus goes after nameservers as well, but lets assume you are 100% a good boy and your only threat are skids on Discord.

    Path- avoid them and all hosts using them, path is composed of proven pedophiles and convicted criminals(scammers, swatters, etc), they also used to launch ddos attacks from their own infra(retards) and extort companies. they wont last long on the market, some of their transit was already cut for not paying bills, they are pretty much insolvent.
    GSL- https://royalehosting.net/(NL/US), they had their own issues(because of hiring path people) but should be fine. https://www.hybula.com/, I believe they tank bigger attacks with CDN77/Datacamp and finish the job with Cosmic.
    Cosmic- https://secured.gg/(US/NL), https://terabit.io/(US) both ran by Cosmic employees.
    Voxility- https://ginernet.com/(ES) great people and solid infra, https://vsys.host/(NL/UA) one of my favorites.
    Stormwall- https://www.vps.bg/(BG), amazing people to work with, not cheap.
    DDOS-GUARD- https://zomro.com/(NL).
    Cloudflare- https://bloom.host/(US).
    Combahton- https://hostslick.com/(NL) amazing people.
    RETN- https://serveroffer.lt/.
    Custom- https://terrahost.com/(US/NO/NL), https://hosteam.pl/(PL), https://zetservers.com/, https://gcore.com/.

    There are many more, but these are just from my head. I cannot vouch for all of the companies listed above.

    Thanked by (3)tetech wankel Hybula
  • @foxone said: is it a good idea to drop Cloudflare/Bunny/whatever to host my own servers?

    Generally speaking, "just for the sake of it", nope.

    It is certainly possible to self-host those nameservers and I can think of quite a few ✨enterprise grade✨ Italian providers who would definitely be outclassed by a couple of VPSs with pdns, without even bothering to host the nameservers at least partially on a different domain name registered with a different registrar and without even bothering to diversify IP ranges and datacenters.

    For a personal domain name self-hosting can be a good experiment and can help you to better understand complex dynamics such as those mentioned: synchronisation, eventual geodns etc
    In the absence of adequate infrastructure or at least a back-up/fallback option for each NS, the existing free platforms are extremely convenient, especially in the ✨enterprise grade✨ sphere (logging, separate accesses with separate credentials for business-grade non-cooperating teams ready to sh!t on each other if there's an incident, anycast, instantaneous propagation, etc)

  • @rm_ said:

    @rcy026 said: a master that you control and have the slaves hosted elsewhere, like HE.net.

    Can you force the slaves to update all zones "right now"? Or have to wait until they re-fetch zones on their own? Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves" =)

    What you're describing is a NOTIFY. The when the zone is changed at the primary it should send a NOTIFY which prompts the secondary (that's your officially non-offensive term, although "slave" is baked in to APIs, config files, etc. so don't expect it to go away in a hurry) to do an AXFR. If there's an AXFR whitelist (there's another "offensive" term for you) then the NOTIFY messages are typically sent both to those plus an "also-notify" list.

    Thanked by (2)skorous wankel
  • @rm_ said:

    Can you force the slaves to update all zones "right now"? Or have to wait until they re-fetch zones on their own?

    https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-notify

    notify

    Grammar: notify ( explicit | master-only | primary-only | <boolean> );
    
    Blocks: options, view, zone (mirror, primary, secondary)
    
    Tags: transfer
    
    Controls whether NOTIFY messages are sent on zone changes.
    
    If set to yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes; see using notify. The messages are sent to the servers listed in the zone’s NS records (except the primary server identified in the SOA MNAME field), and to any servers listed in the also-notify option.
    
    If set to primary-only (or the older keyword master-only), notifies are only sent for primary zones. If set to explicit, notifies are sent only to servers explicitly listed using also-notify. If set to no, no notifies are sent.
    
    The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused secondary zones to crash.
    
  • @rm_ said:

    @rcy026 said: a master that you control and have the slaves hosted elsewhere, like HE.net.

    Can you force the slaves to update all zones "right now"? Or have to wait until they re-fetch zones on their own? Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves" =)

    There already is - primary and secondary - it's just not as immediately obvious what they do. :-/

  • edited January 24

    @rm_ said: Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves" =)

    Cancel your Internet subscription with your ISP and never come back, snowflake.
    You have no idea how much I want to drop entire table of "offensive" terms at you right now, but I will keep it to myself.

    People like You are the problem. People like You make this world shit.

  • @treesmokah said:

    @rm_ said: Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves" =)

    Cancel your Internet subscription with your ISP and never come back, snowflake.
    You have no idea how much I want to drop entire table of "offensive" terms at you right now, but I will keep it to myself.

    People like You are the problem. People like You make this world shit.

    You and they together are the opposites sides of the same problem.

  • @skorous said:

    @treesmokah said:

    @rm_ said: Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves" =)

    Cancel your Internet subscription with your ISP and never come back, snowflake.
    You have no idea how much I want to drop entire table of "offensive" terms at you right now, but I will keep it to myself.

    People like You are the problem. People like You make this world shit.

    You and they together are the opposites sides of the same problem.

    Tell me how I am the problem.

  • rm_rm_
    edited January 24

    @treesmokah said:
    People like You are the problem. People like You make this world shit.

    If you're way too thick to see my emoticon in that message or the words like "contrived" or "awkward" that it included, I can clarify just for you that I was mocking that tendency, not supporting it.

    Thanked by (2)treesmokah bikegremlin
  • edited January 24

    @rm_ said: I can clarify just for you that I was mocking that tendency, not supporting it.

    All I wanted to know, appreciate your clarification and I retract my "mean" words towards You.
    In IT circles which are dominated by "such people" its hard to tell if its a joke or not.

    Thanked by (1)bikegremlin
  • This could not have been posted at a better time. I’m also considering this. I’m looking at this:

    https://technitium.com/dns/

Sign In or Register to comment.