this post was submitted on 13 Nov 2023
39 points (97.6% liked)

Selfhosted


I've been using Hetzner for some time, but now I want to host everything myself at home.

DNS was easy with Hetzner, just point the domain to Hetzner's nameservers, and from there to my server.

How are people doing this for home servers? When there's not access to something like Hetzner's nameservers.

Is there a free/cheap nameserver I can use to point at my home server's IP?

top 35 comments
[–] [email protected] 11 points 1 year ago* (last edited 1 year ago)

Do not host your own DNS nameserver if you don't know what you're doing. It can and will be abused into all kinds of DNS attacks.

See if your registrar offers a DDNS service. Alternatively, if they offer an API you can update the record yourself with a script, or use a DDNS container app, or use a DDNS plugin for OpenWrt etc.

You can also separate the nameserver service from your registrar, like you've been doing with Hetzner, but you don't have to host it, there are ready-made DNS services.

One very good service which is free and has an API is deSEC.io. It's also been around for a while and is supported out of the box in most DDNS tools, and it's run by a German organization with a focus on privacy.

The catch with deSEC is that they require you to enable DNSSEC, because their mission is similar to Let's Encrypt — to promote the use of secure DNS. It's not hard to enable DNSSEC, they generate and maintain all the records for you, naturally, but you'll have to enable it manually at the registrar, and remember to disable it temporarily during transfers.

Another good DNS service (with API) that comes down to $1/mo and also includes CDN services is bunny.net.
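
Enabling DNSSEC "manually at the registrar", as the comment above puts it, means pasting a DS record that the registrar publishes in the parent zone. The block below is an added example, not deSEC's tooling and not code from this thread: it derives a DS from a DNSKEY the way RFC 4034 section 5.1.4 (and RFC 4509 for SHA-256) specifies, and checks a DS in presentation form against that DNSKEY, so you can confirm the DS you are about to enter matches the KSK your DNS host actually publishes. The key bytes in the comments and tests are constructed filler, and example.com is a placeholder.

```python
"""Compute and check a DS record from a DNSKEY (RFC 4034 section 5.1.4,
RFC 4509 for SHA-256). Added example, not deSEC's or any registrar's code:
use it to confirm the DS you are about to paste into the registrar's panel
matches the KSK your DNS host publishes, before the delegation goes live.
Any key bytes fed to it in the examples are constructed filler, not a real key."""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (deprecated for new DS records), 2 = SHA-256, 4 = SHA-384
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # bit 7: this DNSKEY is a zone key
SEP_FLAG = 0x0001       # bit 15: Secure Entry Point, i.e. the KSK a DS normally points to


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased, length-prefixed
    labels, terminated by the root label. The digest covers these bytes, so
    case has to be normalised exactly as the RFC says."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as on the wire: flags(2) protocol(1) algorithm(1) public key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA
    (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> dict:
    """DS = key_tag, algorithm, digest_type, digest(owner_wire || DNSKEY RDATA)."""
    if not flags & ZONE_KEY_FLAG:
        raise ValueError("not a zone key; a DS must reference a zone key (normally the KSK)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": digest_type,
            "digest": digest, "is_sep": bool(flags & SEP_FLAG)}


def ds_matches(owner: str, dnskey: tuple, ds_presentation: str) -> bool:
    """Compare a DS in presentation form ('tag alg dtype hexdigest', the digest
    possibly split into whitespace-separated chunks as dig prints it) with the
    DNSKEY (flags, protocol, algorithm, base64 key) it is supposed to cover."""
    fields = ds_presentation.split()
    if len(fields) < 4:
        return False
    try:
        tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    except ValueError:
        return False
    if dtype not in DIGEST_TYPES:
        return False
    expected = ds_from_dnskey(owner, *dnskey, digest_type=dtype)
    return (tag, alg, "".join(fields[3:]).upper()) == (
        expected["key_tag"], expected["algorithm"], expected["digest"])
```

To check a real zone, take the flags, algorithm and base64 key of the record with flags 257 from `dig DNSKEY yourzone`, and the DS your DNS host displays; a wrong key (ZSK instead of KSK), a typo in the digest or the wrong digest type all come back False. Publishing a DS that does not match any DNSKEY is the classic way to make the whole zone fail validation, which is why the comment's advice to disable DNSSEC at the registrar before a transfer matters.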

[–] [email protected] 8 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago

Nice, just learned about this, now I know where I'll get my next domains, been using Namecheap.

[–] [email protected] 7 points 1 year ago (1 children)

I have a pair of DO droplets doing nothing but primary/secondary chroot-bind. I have DDNS set up so my pfSense router updates the zone with the current IP address of my home setup, and I handle all the DNS tasks (SPF/DKIM/DMARC/blah blah blah) there. I wrote a couple of scripts to handle zone signing and all that jazz so I don't have to log in often, if ever.

I'll be replacing those with a modern os shortly, and probably adding recursion to them so I can use them to resolve personal DNS requests for all the machines on my domain (external and internal hosts).

[–] [email protected] 7 points 1 year ago (3 children)

Fuck man, I consider myself relatively knowledgeable with this stuff and desperately want to get into self hosting more stuff, especially stuff like DNS, and your comment just shows me how much of an uphill battle I have ahead of me.

My old gaming PC running TrueNAS Core and a few jails makes me seem like a wizard to my family and stuff, but I'm just a hecking n00b that's good at following instructions.

Where's the guide for establishing a whole alternative Internet presence outside of the current reign of control?

Lol I'm proud of being the same species as you guys and glad there are people out there willing to share

[–] [email protected] 12 points 1 year ago (1 children)

DNS is complicated and takes some time to really absorb. Places like Cloudflare make things very straightforward. It's best to think about what you want to accomplish, then start looking for guides on each of the individual pieces (authoritative server, master/slave replication, recursion, DNS over TLS, DNSSEC, etc). Take it in baby steps and WRITE NOTES. The note taking will help you absorb the details and will leave you a paper trail of things when you get something running and then have to go deal with other life, then come back to it in a few months.

[–] [email protected] 3 points 1 year ago

+1 for writing notes.

Many a time I've had to reverse engineer and relearn something I did months / years ago

[–] [email protected] 4 points 1 year ago

Dude you made my day haha.

make me seem like a wizard to my family and stuff but I'm just a hecking n00b that's good at following instructions

Same here🤘

[–] [email protected] 3 points 1 year ago

I was in your shoes a few months ago when I decided to look into spreading my hosting needs around after using a hand-holding all-in-one provider for a decade. DNS is not that hard, and learning about it will be very good in this hobby.

Also, a good service provider will help you with most of the complexity, for example an email provider with all the MX and anti-spam records you need, you just need to import them into the DNS.

[–] [email protected] 7 points 1 year ago (1 children)

Bind9 is the industry standard [citation needed] nameserver. Takes a bit of time to get used to but it's very powerful. To make a nameserver authoritative for a domain name you would change the NS records with your domain provider, often they have an easy to change option in the web interface, and create a master zone with your desired records for that domain. NS records can only point to IPs though so if you have a dynamic home IP it will be difficult to stay reachable since TLD NS records usually have a long cache time. Some providers may also require you to provide at least 2 nameservers (for redundancy) as that's what's in the spec.

[–] [email protected] 7 points 1 year ago

Your comment is 100% true. Still I would not advise it, it is not worth the hassle for a home setup IMO.

However, if you have a larger setup and want a strict control of your zones, then bind or powerdns might be suitable.

[–] [email protected] 4 points 1 year ago (1 children)

Agree with the two so far, but to clarify how I use them.

Cloudflare for external/public services (like if you run Lemmy). Use the tunnels so random people's traffic isn't hitting your actual IP at all, and it remains proxied through them.

Dynamic DNS if you have an ISP that will change your IP on you randomly. Personally I use Namecheap, and they have an API to update when the IP changes. I use pfSense, which has a dynamic DNS plugin that will update my IP if it changes.

[–] [email protected] 0 points 1 year ago* (last edited 11 months ago) (1 children)

I thought CloudFlare tunnels handled the non-static IP part, so DDNS shouldn't be necessary? I have a tunnel running on an RPi and I THINK it's going to update the IP that CF has if/when my ISP changes it..... I guess I'll find out! 😆

[–] [email protected] 2 points 1 year ago (1 children)

There might be a service in Cloudflare that does that - but I'm not aware of it. DNS in Cloudflare requires an IP to proxy to, and you would need something (hosted by Cloudflare on your RPi theoretically) that then would notify Cloudflare that your IP has changed - otherwise Cloudflare won't know where it's proxying from.

Cloudflare isn't DNS, it's a proxy that sits in the middle. (Okay it also does DNS, but I mean it's not just routing traffic). Essentially all Cloudflare does is

  • User queries DNS for yourdomain.com
  • DNS returns cloudflare's IP address
  • Cloudflare sees the request, and then asks your server's IP address for the data
  • Once cloudflare receives the data from your server, it will pass it up to the user.

I'm simplifying a lot but that's the gist. But if your IP changes then cloudflare doesn't know where to get your data.

[–] [email protected] 3 points 1 year ago* (last edited 11 months ago)

something that then would notify CloudFlare that your IP has changed

Right, it's called CloudFlared: https://github.com/cloudflare/cloudflared

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

If this is for Dynamic DNS, I host my DNS at Cloudflare for my domain and use a script which performs a lookup every 15 mins. It uses CF's API to then update the record if it changes.

For DNS resolution, I use Pi-hole with Quad9 resolvers.

Edit: sorry, just re-read and realised you're talking about DNS hosting for a domain. Honestly, I use Cloudflare or my domain provider. Given a single IP is a point of failure, it makes sense to have multiple NS on different networks/IPs. You also have to take into account glue records, and while not required, reverse DNS is also good. If you have dynamic IPs it's not worth it, since glue records will need changing and those are manual each time.

[–] [email protected] 1 points 1 year ago (3 children)

I have a dynamic IP, and it’s being a pain in the @$$ for me. I simply cannot use my domain to access my home server because of this.

Is your script available on GitHub or similar platforms?

[–] [email protected] 2 points 1 year ago

I manage my domain's DNS with Cloudflare and then have cf-ddns running on my home server. It checks my IP regularly and updates the DNS record

[–] [email protected] 1 points 1 year ago

Because I don't care to roll my own Perl Dockerfile, I use a LinuxServer.io container running ddclient.

It handles the scripting, you set up the config (with a supported DNS provider).

[–] [email protected] 3 points 1 year ago

Either use something like Cloudflare (free DNS service) or https://freedns.afraid.org/

[–] krayj 2 points 1 year ago (1 children)

Are you just talking about dynamic DNS services for one or a few home servers?

There's always DynDNS, but that's a paid service. I actually discovered that dynamic IP address service was provided free by Google when using Google Domains as the registrar, so I moved a few of my private domains over to Google several years ago to save myself $55 a year.

Unfortunately, Google Domains is shutting down and all registrar services and existing customer domains are getting moved to Squarespace, and I've not yet been able to determine if Squarespace is going to be offering the free dynamic DNS service or not.

[–] [email protected] 3 points 1 year ago

Porkbun. Depending on the domain, less than $10 a year, and that includes renewals

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
CF              CloudFlare
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
IP              Internet Protocol
RPi             Raspberry Pi brand of SBC
SBC             Single-Board Computer
SSH             Secure Shell for remote terminal access
SSL             Secure Sockets Layer, for transparent encryption
VPN             Virtual Private Network
VPS             Virtual Private Server (opposed to shared hosting)

9 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #280 for this sub, first seen 13th Nov 2023, 21:05]

[–] [email protected] 1 points 1 year ago (1 children)

Cloudflare is popular, as they also provide something called Tunnels.
Essentially, your domain points to their public IP, and your server connects to their server. This way, you aren't opening ports on your home network, you aren't leaking your home IP, and they provide various protections against DDoS and stuff.
Only issue is it's for HTTP(S) traffic, and it's Cloudflare that terminates SSL, so they could inspect your traffic if they wanted to (indeed this is how their various security systems work).

Tailscale offer something similar, I believe.
Some people run their own Reverse Proxy over VPN (RPoVPN), using a VPS as the entry/exit point.

These have the benefit of letting you essentially run a separate network from your home network, with more security options and little initial configuration to do, and without having to publish your home IP address.

The old school way is to use a Dynamic DNS provider, and open/forward the relevant port(s) on your router.
Most DNS providers have this ability.
You would then run a service on your server(s) that updates the DNS with your IP address in case of a dynamic IP address. Or you can rent a static IP address from your ISP.
There are many DNS providers. I use CloudNS, but it's a bit clunky. Cloudflare provide DNS. I'm sure there are loads of others.

[–] [email protected] 1 points 1 year ago (1 children)

You could also get the cheapest VPS, put all your services at home together with the VPS to the same Tailscale network and install a service such as Nginx Proxy Manager to terminate the HTTP traffic and proxy your home services.

[–] [email protected] 2 points 1 year ago

Whether it's using tailscale, wireguard, SSH tunnels, any other VPN, it's all RPoVPN

[–] [email protected] 1 points 1 year ago

I use this https://github.com/TechnitiumSoftware/DnsServer

Works great so far. Have it running on a Pi with DHCP too. Multi VLAN/subnet support through a single NIC. Solid.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

For my dynamic IP at home and self-hosted stuff I use Cloudflare DDNS, because my router was too annoying at some point.
Well enough documented on how to set it up.

For the DNS entries on my domain:
selfhost domain: Cloudflare
E-Mail domain: IONOS.

For at home:
I tried to use OPNsense + Unbound but had some issues getting the closer DNS servers from Google and got further away ones.
Right now I use Pi-hole with Google, CF and some other DNS provider.

[–] [email protected] 1 points 1 year ago (1 children)

Cloudflare for DNS, use a different domain registrar than where you point the NS. They should be split up for failback, don't host them together.

[–] [email protected] 1 points 1 year ago

Yeah think this will be the way I'll do it, thanks.

[–] [email protected] 1 points 1 year ago

Yes - I like bind9 with views so I can serve external and internal from the same instance. As I only have services for my own use, one NS on my dynamic IP is enough for my home subdomain.

Bind9 has ok scripting possibilities with rndc and nsupdate.
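
Several comments in this thread describe the same mechanism in different flavours: a script that notices the home IP changed and pushes it through an API (the registrar or deSEC API route in the top comment, the Cloudflare API script and cf-ddns further up, ddclient), or, for a self-hosted bind9 like the one just above, an nsupdate batch. The block below is an added example and is not code from the thread, from deSEC, Cloudflare or ISC. It builds each kind of update but does not send anything, so it runs offline; the hostnames, zone and record IDs and tokens are placeholders. The deSEC update URL (https://update.dedyn.io/ with hostname and myipv4 parameters and a Token header) and the Cloudflare endpoint (PUT /client/v4/zones/{zone_id}/dns_records/{record_id} with a Bearer token) are the documented ones; the list of address ranges it refuses to publish is my own choice.

```python
"""Dynamic DNS updater building blocks: validate the detected address, decide
whether the record changed, then build the update for one of three back ends
(deSEC dynDNS endpoint, Cloudflare API, nsupdate against your own BIND).
Added example, not code from the thread or any provider; nothing here sends
traffic, so it runs offline. Tokens, IDs and hostnames are placeholders."""
import ipaddress
import json
import urllib.parse
import urllib.request

# Addresses that must never be published as "my home IP": RFC 1918 space,
# CGNAT shared space (100.64/10, what a router behind carrier NAT sees),
# loopback, link-local, "this" network and multicast.
_NEVER_PUBLISH = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]


def valid_ipv4(candidate: str) -> str:
    """The reply from a 'what is my IP' service is untrusted input. Parse it
    strictly before it goes into a URL, a JSON body or an nsupdate script."""
    addr = ipaddress.IPv4Address(candidate.strip())
    if any(addr in net for net in _NEVER_PUBLISH):
        raise ValueError(f"refusing to publish non-public address {addr}")
    return str(addr)


def desec_request(hostname: str, token: str, ipv4: str) -> urllib.request.Request:
    """deSEC dynDNS update: GET https://update.dedyn.io/ with hostname and
    myipv4 as query parameters and the token in an Authorization header."""
    query = urllib.parse.urlencode({"hostname": hostname, "myipv4": valid_ipv4(ipv4)})
    req = urllib.request.Request(f"https://update.dedyn.io/?{query}")
    req.add_header("Authorization", f"Token {token}")
    return req


def cloudflare_request(zone_id: str, record_id: str, token: str,
                       name: str, ipv4: str, ttl: int = 300) -> urllib.request.Request:
    """Cloudflare API v4: PUT the existing A record. Use a scoped API token
    (Zone / DNS / Edit on this one zone), never the account-wide API key."""
    body = json.dumps({"type": "A", "name": name, "content": valid_ipv4(ipv4),
                       "ttl": ttl, "proxied": False}).encode()
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}"
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def nsupdate_script(server: str, zone: str, name: str, ipv4: str, ttl: int = 300) -> str:
    """Batch for `nsupdate -k <tsig.key> this_file` against a self-hosted BIND
    whose zone permits updates from that TSIG key (allow-update / update-policy)."""
    fqdn = name.rstrip(".") + "."
    return "\n".join([
        f"server {server}",
        f"zone {zone.rstrip('.')}.",
        f"update delete {fqdn} A",
        f"update add {fqdn} {ttl} A {valid_ipv4(ipv4)}",
        "send",
        "",
    ])


def update_if_changed(detected_ip: str, published_ips: list, build_request, send) -> bool:
    """Glue: compare the detected address with what the authoritative server
    currently answers (query the provider's nameserver, not your caching
    resolver) and push only on change. send() is injected so the decision
    logic can be exercised offline. Returns True if an update was sent."""
    ip = valid_ipv4(detected_ip)
    if published_ips == [ip]:
        return False
    send(build_request(ip))
    return True


if __name__ == "__main__":
    # Placeholder names and token; in a real run the address comes from a
    # what-is-my-IP lookup and published_ips from a query to the provider.
    print(desec_request("home.example.dedyn.io", "PLACEHOLDER_TOKEN", "203.0.113.7").full_url)
    print(nsupdate_script("127.0.0.1", "home.example.com", "nas.home.example.com", "203.0.113.7"))
```

Two checks here are worth keeping even if you run ddclient or cf-ddns instead: treat the "what is my IP" answer as untrusted and refuse to publish RFC 1918 or CGNAT space (a router behind carrier NAT will report 100.64.x.x, which nobody outside can reach), and compare against what the authoritative server currently answers rather than your local cache, so the record is only rewritten when the address actually changed.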

[–] [email protected] -2 points 1 year ago

DDNS through UniFi with a Google API.