Hosting your own authoritative DNS: yay or nay?
Due to me having to implement ACME dns-01 verification for my network, I now acquired a sense of how DNS works. I can now happily run an authoritative name server on my network.
It seems quite easy, so I wonder - is it a good idea to drop Cloudflare/Bunny/whatever to host my own servers? Ideally this would also make DNSSEC safer since the keys would only be in my possession, and i would be able to use whatever absurdly low TTL I wish as well as exotic record types without having to pay for more queries.
It's basically matter of putting a couple of zonefiles in a folder, and letting the domain point to the NS. If it feels so easy - why aren't more people doing so?
Comments
My Montenegrin roots prevent me from doing any extra work that is not absolutely necessary.
Veni, vidi, delegavi.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Risky at least for me
I believe in the good luck. Harder than I work luckier i get.
Why though?
All the stuff I see online is "it needs reliability", but if my websites are hosted in the same server anyway, why would I need to have my server available and pointing to services that are not working anyway?
Absolutely. Doing that for many years now, never looked back. I can just edit my zone files and push an update, rather than having to log in to some clunky web interface, which will BS and hassle me with their mandatory 2FA, upsell offers, advertising and such.
Definitely, using PowerDNS here.
I host my own hidden master and have BuddyNS/HE as slaves.
Putting all the eggs in the same basket
I believe in the good luck. Harder than I work luckier i get.
Hosting a status.yoursite.tld that points to for example a hetrixtools thing wont work if your main server is down then.
Hey teamacc. You're a dick. (c) Jon Biloh, 2020.
It can be, if you run 2-3 nameservers. That's the way to go in any case, at least 2. It is easy enough to get a cheap VPS and set up rsync and ssh to sync your DNS config, either from the main server to a couple more, or from some other central location to all the NSes.
Well, Cloudflare is the fastest DNS in the world according to the most websites and.. it's free! I am using it with no worries and I don't think I am gonna change that in the near future to be honest.
You can get DDoS'ed in your nameservers and any website associated with those nameservers will be down, that's another point though.
You probably know from this other thread that I manage my own, and I wouldn't discourage anyone from it. I think main reasons not to are (a) why bother? (b) reliability and (c) speed.
a) As others have said, there's a big "why bother?", there's a learning curve, and others provide the service for free or next to it. Self-hosting certainly isn't for everyone.
b) Say you self-host and have one VPS with both NS records pointing to it. Firstly that's naughty. If that one goes down, everything eventually stops working, including email (MX). You might say "I've got a long TTL for that", but if you're sending email then other sites still want to lookup SPF records etc. So let's assume you've got (at least) two VPS which are synced. That's much better, but all sorts of things can still go wrong - the syncing can break, you can screw up the zone files (when I was starting out I used a # instead of ; for a comment which got synced across 4 nameservers and took the whole zone down).
c) The bigger players offer anycast, which means fast lookups from anywhere in the world. Fast lookups can matter in overall web site performance. If you've just got a hobby site or something used in a particular geo, then this becomes less of a consideration. You're right that you can reduce the TTLs to near-nothing, but this impacts speed too - if the lookup has to wind its way to an authoritative server on some remote VPS for every second page the user visits.
That said, there's reasons in favor too, like the ability to get a combination of features which aren't offered by free/cheap providers and keeping away from big corporations.
Then we have same roots, cousin
Amadex • Hosting Forums • Wie ist meine IP-Adresse? • AS215325
Forum for System Administrators: sysadminforum.com
Summer Host edition
Sure, host your own primary and secondary DNS, in your own data center and your own ASN.
When your data center loses connectivity, your domain ceases to resolve, your website ceases to open, your email ceases to receive.
A drama thread appears on OGF about your deadpool, as there's no way for you to notify customers and no way for customers to contact you.
LowEnder edition
Sure, host your own primary and secondary DNS, in your VirmAche VPS.
Enable email-based 2FA on your domain registrar and VirmAche account.
Store your passwords in Dropbox, with email-based 2FA too.
One week before your domain expires, your VirmAche VPS goes down, your domain ceases to resolve, your email ceases to receive.
You cannot get back to your VirmAche account because you cannot receive email 2FA code from VirmAche.
You forgot the password too and you cannot retrieve the password because you cannot receive email 2FA code from Dropbox.
You try to unlock your VirmAche account by paying for advanced support, but that requires two weeks.
When it's time, your domain has expired and you cannot receive the emailed link.
A drama thread appears on NodeSeek where DaoLaos are bashing you for entrusting in VirmAche.
HostBrr aff best VPS; VirmAche aff worst VPS.
Unable to push-up due to shoulder injury 😣
Go with premium and ddos protected hosting providers only.
You don't want someone to ddos your authoritative nameservers and take you down entirely.
Selfhosting is a great idea, but yeah, as I mentioned above do not cheap out on hosting, you do not need big specs but what you need is good uptime and protection.
Also spread is across different providers as much as possible, different ddos protection vendors would also be nice in case one doesn't catch up with the attack.
Who around here do you view positively for DDoS protection? Assume for the moment that we're only talking about DNS and don't have other specific needs (DMCA, crypto payments, ... all those things that might often be tied together), so purely focusing on DDoS protection in a reasonable budget for the "self-hosting hobbyist".
Do not forget the "hybrid" path, you can run a master that you control and have the slaves hosted elsewhere, like HE.net.
That way you can edit zonefiles or whatever it is that you want to do, but your infrastructure is still redundant and not hosted only by you.
If it's low stake -ish then hell yeah. Don't buy into all the "best industry practices" telling you that your servers have to be online all the time with multiple layers of failovers. DNS is easy enough to host it yourself, and it's fun (your mileage might vary) to debug DNS problems, because it's always DNS.
Can you force the slaves to update all zones "right now"? Or have to wait until they re-fetch zones on their own? Also, comes to mind that it's wrong to say this in the modern world, we need to invent some awkward contrived non-offensive term to replace the word "slaves"
Speaking of he.net btw, it was actually a major outage at he.net's DNS service some years ago, that pushed me to switch to self-hosting. It was down for a few hours, and it didn't appear like anyone is in a great hurry to fix up that side-project hobby service of theirs, and you couldn't even complain much, since it is provided for free.
Spamhaus goes after nameservers as well, but lets assume you are 100% a good boy and your only threat are skids on Discord.
Path- avoid them and all hosts using them, path is composed of proven pedophiles and convicted criminals(scammers, swatters, etc), they also used to launch ddos attacks from their own infra(retards) and extort companies. they wont last long on the market, some of their transit was already cut for not paying bills, they are pretty much insolvent.
GSL- https://royalehosting.net/(NL/US), they had their own issues(because of hiring path people) but should be fine. https://www.hybula.com/, I believe they tank bigger attacks with CDN77/Datacamp and finish the job with Cosmic.
Cosmic- https://secured.gg/(US/NL), https://terabit.io/(US) both ran by Cosmic employees.
Voxility- https://ginernet.com/(ES) great people and solid infra, https://vsys.host/(NL/UA) one of my favorites.
Stormwall- https://www.vps.bg/(BG), amazing people to work with, not cheap.
DDOS-GUARD- https://zomro.com/(NL).
Cloudflare- https://bloom.host/(US).
Combahton- https://hostslick.com/(NL) amazing people.
RETN- https://serveroffer.lt/.
Custom- https://terrahost.com/(US/NO/NL), https://hosteam.pl/(PL), https://zetservers.com/, https://gcore.com/.
There are many more, but these are just from my head. I cannot vouch for all of the companies listed above.
Generally speaking, "just for the sake of it", nope.
It is certainly possible to self-host those nameservers and I can think of quite a few ✨enterprise grade✨ Italian providers who would definitely be outclassed by a couple of VPSs with pdns, without even bothering to host the nameservers at least partially on a different domain name registered with a different registrar and without even bothering to diversify IP ranges and datacenters.
For a personal domain name self-hosting can be a good experiment and can help you to better understand complex dynamics such as those mentioned: synchronisation, eventual geodns etc
In the absence of adequate infrastructure or at least a back-up/fallback option for each NS, the existing free platforms are extremely convenient, especially in the ✨enterprise grade✨ sphere (logging, separate accesses with separate credentials for business-grade non-cooperating teams ready to sh!t on each other if there's an incident, anycast, instantaneous propagation, etc)
What you're describing is a
NOTIFY
. The when the zone is changed at the primary it should send aNOTIFY
which prompts the secondary (that's your officially non-offensive term, although "slave" is baked in to APIs, config files, etc. so don't expect it to go away in a hurry) to do anAXFR
. If there's anAXFR
whitelist (there's another "offensive" term for you) then theNOTIFY
messages are typically sent both to those plus an "also-notify" list.https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-notify
notify
There already is - primary and secondary - it's just not as immediately obvious what they do. :-/
Cancel your Internet subscription with your ISP and never come back, snowflake.
You have no idea how much I want to drop entire table of "offensive" terms at you right now, but I will keep it to myself.
People like You are the problem. People like You make this world shit.
You and they together are the opposites sides of the same problem.
Tell me how I am the problem.
If you're way too thick to see my emoticon in that message or the words like "contrived" or "awkward" that it included, I can clarify just for you that I was mocking that tendency, not supporting it.
All I wanted to know, appreciate your clarification and I retract my "mean" words towards You.
In IT circles which are dominated by "such people" its hard to tell if its a joke or not.
This could not have been posted at a better time. I’m also considering this. I’m looking at this:
https://technitium.com/dns/
Here is a great guide:
https://blog.technitium.com/2022/06/how-to-self-host-your-own-domain-name.html