Self-Hosting DNS (opens in new tab)

(ghostdev.xyz)

55 pointsonlyspaceghost1y ago69 comments

69 comments

DNS resolver, which it is deeply silly to not include in the title.

Agree. Title got me hoping for a description of reasonably-solved public zones self-hosting. The actual content is not interesting to me, and reads like an ad for something called AdGuard (I use unbound for most of this).

onlyspaceghostOP1y ago

> reads like an ad for something called AdGuard (I use unbound for most of this).

Definitely not an AD - it's just the best option that I found, and have been super happy with it! There are lots of ways to do this (people have shared even more options in the comments here), and for a lot of people AdGuard/Pi-hole/... are the relatively easier options

endre1y ago

same here, bait title as it is

onlyspaceghostOP1y ago

I haven't gotten this deep into it yet, but I hope to! It's very interesting - will try to be clearer next time :D /gen

sulandor1y ago

technically it's a stub forwarder. so i'll let it pass

1 more reply

Schwobaland1y ago

Want to throw in blocky (https://github.com/0xERR0R/blocky). Supports modern protocols and easy to configure in one file. Migrated to this from pi-hole and never looked back.

tycoon1771y ago

Blocky is great! The maintainers are also really easy to get along with. I had a few features I needed to get off of pihole (cnames, defining DNS via zone files) and they worked with me to plan the feature and were very kind and responsive with reviews of my pull requests :)

onlyspaceghostOP1y ago

This looks super cool! Will try to find some to compare it to the setup I'm on now

globular-toast1y ago

Why forward requests to a DNS server like 1.1.1.1 at all? I used to use stuff like pi-hole/dnsmasq, but now I'm using unbound on my opnsense router which supports using blocklists and custom overrides (as well as automatic for DHCP clients). I found the default blocklists in pi-hole broke a few things but not had any problems with the lists I'm using now.

swiftcoder1y ago

You have to forward requests that aren't in your cache, surely? I don't see how you would resolve public domain names otherwise

nobody99991y ago

That would be a 'recursive resolver'[0], which recursively queries the DNS hierarchy from the top, returns the requested DNS record, and (unless you configure it not to do so) caches the results.

They're easy to set up and unless you're using it to support thousands of DNS requests per second, it's not appreciably (on human scales) slower than forwarding requests to your ISP's servers and/or 8.8.8.8 or 1.1.1.1.

More detail about recursive resolvers and how they work can be found here[1]

[0] https://notes.networklessons.com/dns-recursive-resolver

[1] https://www.akamai.com/glossary/what-is-recursive-dns

sulandor1y ago

that's called a dns-resolver (iterator). essentially starting from the top (.) and asking for authorative nameservers that can answer the next level down until it reaches the hostname you are looking for. this usually takes multiple rtt's and is hence slower than asking some big cache.

mavhc1y ago

Use the root servers to find the dns entries yourself, just like the upstream provider does

globular-toast1y ago

Yes but to the root servers, not to someone else's cache.

swiftcoder1y ago

I don't really see how this scales, on a global basis.

Sure, one or two of us running our own resolvers isn't going to hurt, but an extra hundred million or so resolvers would hurt -> at best just causes all the servers targeted by the resolver to add more layers of caching

3 more replies

gbrindisi1y ago

I run coredns with a blocklist, the config is like 4 lines.

What am I missing by not using AdGuard, PiHole and similar?

_joel1y ago

A funky UI, I suppose and blocklist updating etc. But functionally, nothing, they're doing the same thing.

onlyspaceghostOP1y ago

My journey of DNS, including self-hosting with Pi-hole and AdGuard Home, using paid services like NextDNS and AdGuard DNS, and public privacy-respecting resolvers.

shivajikobardan1y ago

I also want to selfhost variosu servers like dns, email(just to send email to myself).....ldap, dhcp etc. Where do I get started with? I know linux command line.

thbb1231y ago

r/selfhosted on reddit has a very helpful community.

DNS is very easy. Email is tough. Usually one would add a media server such as Plex and Nextcloud which is very useful.

johnea1y ago

Aparently signing up for a subscription service now qualifies as "self-hosting" 8-)

I've been running bind9 on a computer under my desk for about 20 years.

The only subdscription required is an ISP contract that includes static IP.

Maybe I'll get a netflix acct (never had one), and "self-host" some videos...

onlyspaceghostOP1y ago

The post was about self-hosting, not about the subscription. I do think the subscription is a good way to do it though!

Havoc1y ago

> By using multiple different resolvers, operated by different companies, no single one gets the whole picture.

I’d say exact opposite. Now you’re sharing data with multiple parties and each is potentially getting enough data to extrapolate the whole picture

packetlost1y ago

Does anyone know of a good authoritative DNS server that supports Dynamic DNS updates? Preferably exclusively standardized stuff. I currently run CoreDNS on my network, but dynamic registration isn't supported and might never be.

zuntaruk1y ago

Depending on your definition of "Dynamic DNS", you could check out PowerDNS.

packetlost1y ago

I mean specifically in the RFC2136 (https://datatracker.ietf.org/doc/html/rfc2136) sense.

It does look like PowerDNS supports it: https://doc.powerdns.com/authoritative/dnsupdate.html

zuntaruk1y ago

TIL more about Dynamic DNS Update. Thanks!

ThePowerOfFuet1y ago

>I wanted to be able to access it with a static IP, and I don’t feel like calling my ISP to get one.

Not "feeling like" calling your ISP to get a static IP, but also wanting to self-host?

creesch1y ago

I don't think calling the ISP was actually what they didn't feel like doing. It is more the call itself. Being put on queue with wait music, dealing with first line customer support who have no clue what you are asking, waiting to be connected to the right support, being connected to the wrong support, being put on hold again, suddenly being hung up on, rinse, repeat.

Which is a whole different type of mental challenge compared to figuring out the technical details of self hosting something ;)

onlyspaceghostOP1y ago

> I don't think calling the ISP was actually what they didn't feel like doing. It is more the call itself. Being put on queue with wait music, dealing with first line customer support who have no clue what you are asking, waiting to be connected to the right support, being connected to the wrong support, being put on hold again, suddenly being hung up on, rinse, repeat.

Exactly this... we have enough issues with our internet I didn't want to add this into the mix - especially as if they decide to not really give me a static IP, then I have to change it everywhere :/

I trust my VPS provider far more than my ISP

mewpmewp21y ago

Although it is a fairly standard ask. It is something which the ISPs I know would have configurable in the web portal.

I tested with 2 ISPs I use and both have it as a prominent add on that you can add for extra cost per month in the UI.

endre1y ago

especially challenging for introverts

vachina1y ago

point your ns to CloudFlare and write a powershell script to update your AA records every 5 minutes, boom quasi static IP (from the PoV of the client anyway)

Not 99.9999% uptime obviously but good enough.

sulandor1y ago

dyndns solves some applications of static addressing but not most

senectus11y ago

I really resent having to pay $120 a year for a static IP :-|

sulandor1y ago

vps with static ip will go for half of that

mftrhu1y ago

Make it a tenth. I have two small VPS with two different providers, and I am paying a total of $25/year for them.

1 more reply

thedanbob1y ago

I recently switched from Pi-Hole to AdGuard Home, it was pretty straightforward to migrate my configuration and so far it's working great. I've actually got two servers running AGH + unbound (authoritative) so my internet keeps working if one setup breaks/reboots.

jakobjs1y ago

Fun project.

But I would just use https://pi-hole.net/

Havoc1y ago

Have used both for years - AGH is the better experience imo. eg DoH works out of the box

Alifatisk1y ago

I’d like to see a comparison

progbits1y ago

Half of the article is literally a comparison between pihole and adguard...

1 more reply

sulandor1y ago

this seems like a massively overcomplicated exercise.

dns-blocking is evil, no matter who does it.

stop lying to yourself and install contentblocker on your devices

creesch1y ago

> dns-blocking is evil, no matter who does it.

You really ought to expand on that line of reasoning in order to get anyone to take this comment seriously.

sulandor1y ago

see my other comment itt

more or less about trustworthy infrastructure

creesch1y ago

Assuming I am looking at the right comment, you didn't really expand/explain all that much.

If I am correct, your argument boils down to blocking happening outside the direct control of the user. This technically is true, as you don't have an icon in your browser like you would have with an extension.

At the same time, it being outside the control of the user is not really true if the user is also the person in control of the blocking solution. I don't know how it works with AdGuard, although I assume it is the same. Pi Hole offers extensive insights in what requests are being blocked, from which client and when.

This can even be adjusted on a per client level. Making that argument a more theoretical rather than a practical one.

1 more reply

otabdeveloper41y ago

DNS is a kind of content. You seem to be quibbling over semantic technicalities.

sulandor1y ago

not really.

it's about the blocking occurring in reach of the user (client) or not (infrastructure quirk that has to be worked around)

otabdeveloper41y ago

DNS isn't "infrastructure". It's just a simple key-value store, like Redis or something.

1 more reply

j / k navigate · click thread line to collapse

69 comments

bananapub1y ago

DNS resolver, which it is deeply silly to not include in the title.

voytec1y ago

onlyspaceghostOP1y ago

> reads like an ad for something called AdGuard (I use unbound for most of this).

endre1y ago

same here, bait title as it is

onlyspaceghostOP1y ago

I haven't gotten this deep into it yet, but I hope to! It's very interesting - will try to be clearer next time :D /gen

sulandor1y ago

technically it's a stub forwarder. so i'll let it pass

1 more reply

Schwobaland1y ago

Want to throw in blocky (https://github.com/0xERR0R/blocky). Supports modern protocols and easy to configure in one file. Migrated to this from pi-hole and never looked back.

tycoon1771y ago

onlyspaceghostOP1y ago

This looks super cool! Will try to find some to compare it to the setup I'm on now

globular-toast1y ago

swiftcoder1y ago

You have to forward requests that aren't in your cache, surely? I don't see how you would resolve public domain names otherwise

nobody99991y ago

That would be a 'recursive resolver'[0], which recursively queries the DNS hierarchy from the top, returns the requested DNS record, and (unless you configure it not to do so) caches the results.

More detail about recursive resolvers and how they work can be found here[1]

[0] https://notes.networklessons.com/dns-recursive-resolver

[1] https://www.akamai.com/glossary/what-is-recursive-dns

sulandor1y ago

mavhc1y ago

Use the root servers to find the dns entries yourself, just like the upstream provider does

globular-toast1y ago

Yes but to the root servers, not to someone else's cache.

swiftcoder1y ago

I don't really see how this scales, on a global basis.

3 more replies

gbrindisi1y ago

I run coredns with a blocklist, the config is like 4 lines.

What am I missing by not using AdGuard, PiHole and similar?

_joel1y ago

A funky UI, I suppose and blocklist updating etc. But functionally, nothing, they're doing the same thing.

onlyspaceghostOP1y ago

My journey of DNS, including self-hosting with Pi-hole and AdGuard Home, using paid services like NextDNS and AdGuard DNS, and public privacy-respecting resolvers.

shivajikobardan1y ago

I also want to selfhost variosu servers like dns, email(just to send email to myself).....ldap, dhcp etc. Where do I get started with? I know linux command line.

thbb1231y ago

r/selfhosted on reddit has a very helpful community.

DNS is very easy. Email is tough. Usually one would add a media server such as Plex and Nextcloud which is very useful.

johnea1y ago

Aparently signing up for a subscription service now qualifies as "self-hosting" 8-)

I've been running bind9 on a computer under my desk for about 20 years.

The only subdscription required is an ISP contract that includes static IP.

Maybe I'll get a netflix acct (never had one), and "self-host" some videos...

onlyspaceghostOP1y ago

The post was about self-hosting, not about the subscription. I do think the subscription is a good way to do it though!

Havoc1y ago

> By using multiple different resolvers, operated by different companies, no single one gets the whole picture.

I’d say exact opposite. Now you’re sharing data with multiple parties and each is potentially getting enough data to extrapolate the whole picture

packetlost1y ago

zuntaruk1y ago

Depending on your definition of "Dynamic DNS", you could check out PowerDNS.

packetlost1y ago

I mean specifically in the RFC2136 (https://datatracker.ietf.org/doc/html/rfc2136) sense.

It does look like PowerDNS supports it: https://doc.powerdns.com/authoritative/dnsupdate.html

zuntaruk1y ago

TIL more about Dynamic DNS Update. Thanks!

ThePowerOfFuet1y ago

>I wanted to be able to access it with a static IP, and I don’t feel like calling my ISP to get one.

Not "feeling like" calling your ISP to get a static IP, but also wanting to self-host?

creesch1y ago

Which is a whole different type of mental challenge compared to figuring out the technical details of self hosting something ;)

onlyspaceghostOP1y ago

Exactly this... we have enough issues with our internet I didn't want to add this into the mix - especially as if they decide to not really give me a static IP, then I have to change it everywhere :/

I trust my VPS provider far more than my ISP

mewpmewp21y ago

Although it is a fairly standard ask. It is something which the ISPs I know would have configurable in the web portal.

I tested with 2 ISPs I use and both have it as a prominent add on that you can add for extra cost per month in the UI.

endre1y ago

especially challenging for introverts

vachina1y ago

point your ns to CloudFlare and write a powershell script to update your AA records every 5 minutes, boom quasi static IP (from the PoV of the client anyway)

Not 99.9999% uptime obviously but good enough.

sulandor1y ago

dyndns solves some applications of static addressing but not most

senectus11y ago

I really resent having to pay $120 a year for a static IP :-|

sulandor1y ago

vps with static ip will go for half of that

mftrhu1y ago

Make it a tenth. I have two small VPS with two different providers, and I am paying a total of $25/year for them.

1 more reply

thedanbob1y ago

jakobjs1y ago

Fun project.

But I would just use https://pi-hole.net/

Havoc1y ago

Have used both for years - AGH is the better experience imo. eg DoH works out of the box

Alifatisk1y ago

I’d like to see a comparison

progbits1y ago

Half of the article is literally a comparison between pihole and adguard...

1 more reply

sulandor1y ago

this seems like a massively overcomplicated exercise.

dns-blocking is evil, no matter who does it.

stop lying to yourself and install contentblocker on your devices

creesch1y ago

> dns-blocking is evil, no matter who does it.

You really ought to expand on that line of reasoning in order to get anyone to take this comment seriously.

sulandor1y ago

see my other comment itt

more or less about trustworthy infrastructure

creesch1y ago

Assuming I am looking at the right comment, you didn't really expand/explain all that much.

This can even be adjusted on a per client level. Making that argument a more theoretical rather than a practical one.

1 more reply

otabdeveloper41y ago

DNS is a kind of content. You seem to be quibbling over semantic technicalities.

sulandor1y ago

not really.

it's about the blocking occurring in reach of the user (client) or not (infrastructure quirk that has to be worked around)

otabdeveloper41y ago

DNS isn't "infrastructure". It's just a simple key-value store, like Redis or something.

1 more reply

j / k navigate · click thread line to collapse