I’ve been using Hetzner for some time, but now I want to host everything myself at home.
DNS was easy with Hetzner, just point the domain to Hetzner’s nameservers, and from there to my server.
How are people doing this for home servers? When there’s not access to something like Hetzner’s nameservers.
Is there a free/cheap nameserver I can use to point at my home server’s IP?
Do not host your own DNS nameserver if you don’t know what you’re doing. It can and will be abused into all kinds of DNS attacks.
See if your registrar offers a DDNS service. Alternatively if they offer an API you can update the record yourself with a script, or use a DDNS container app, or use a DDNS plugin for OpenWRT etc.
You can also separate the nameserver service from your registrar, like you’ve been doing with Hetzner, but you don’t have to host it, there are ready-made DNS services.
One very good service which is free and has an API is deSEC.io. It’s also been around for a while and is supported out of the box in most DDNS tools, and it’s run by a German organization with a focus on privacy.
The catch with deSEC ID that they require you to enable DNSSEC, because their mission is similar to Let’s Encrypt — to promote the use of secure DNS. It’s not hard to enable DNSSEC, they generate and maintain all the records for you, naturally, but you’ll have to enable it manually at the registrar, and remember to disable it temporarily during transfers.
Another good DNS service (with API) that comes down to $1/mo and also includes CDN services is bunny.net.
Porkbun
Nice, just learned about this, now I know where I’ll get my next domains, been using Namecheap.
I have a pair of DO droplets doing nothing but primary/secondary chroot-bind. I have DDNS setup so my PFSense router updates the zone with the current IP address of my home setup and I handle all the DNS tasks (spf/dkim/dmarc/blah blah blah) there. I wrote a couple of scripts to handle zone signing and all that jazz so I don’t have to log in often, if ever.
I’ll be replacing those with a modern os shortly, and probably adding recursion to them so I can use them to resolve personal DNS requests for all the machines on my domain (external and internal hosts).
Fuck man, I consider myself relatively knowledgeable with this stuff and desperately want to get into self hosting more stuff, especially stuff like DNS. and your comment just shows me how much of an uphill battle I have ahead of me.
My old gaming PC running truenas core and a few jails make me seem like a wizard to my family and stuff but I’m just a hecking n00b that’s good at following instructions.
Where’s the guide for establishing a whole alternative Internet presence outside of the current reign of control?
Lol I’m proud of being the same species as you guys and glad there are people out there willing to share
DNS is complicated and takes some time to really absorb. Places like Cloudflare make things very straight forward. It’s beat to think about what you want to accomplish, then start looking for guides on each of the individual pieces (authoritative server, master/slave replication, recursion, DNS over tls, dnssec, etc). Take it in baby steps and WRITE NOTES. The now taking will help you absorb the details and will leave you a paper trail of things when you get something running and then have to go deal with other life, then come back to it in a few months.
+1 for writing notes.
Many a time I’ve had to reverse engineer and relearn something I did months / years ago
Dude you made my day haha.
make me seem like a wizard to my family and stuff but I’m just a hecking n00b that’s good at following instructions
Same here🤘
I was in your shoes a few months ago when I decided to look into spreading my hosting needs around after using a hand-holding all-in-one provider for a decade. DNS is not that hard, and learning about it will be very good in this hobby.
Also, a good service provider will help you with most of the complexity, for example an email provider with all the MX and anti-spam records you need, you just need to import them into the DNS.
Bind9 is the industry standard [citation needed] nameserver. Takes a bit of time to get used to but it’s very powerful. To make a nameserver authoritative for a domain name you would change the NS records with your domain provider, often they have an easy to change option in the web interface, and create a master zone with your desired records for that domain. NS records can only point to IPs though so if you have a dynamic home IP it will be difficult to stay reachable since TLD NS records usually have a long cache time. Some providers may also require you to provide at least 2 nameservers (for redundancy) as that’s what’s in the spec.
Your comment is 100% true. Still I would not advise it, it is not worth the hassle for a home setup IMO.
However, if you have a larger setup and want a strict control of your zones, then bind or powerdns might be suitable.
Agree with the two so far, but to clarify how I use them.
Cloudflare for external/public services. (Like if you run Lemmy). Use the tunnels so random people’s traffic aren’t hitting your actual IP at all, and it remains proxied through them.
Dynamic DNS if you have an ISP that will change your IP on you randomly. Personally I use namecheap, and they have an API to update when the IP changes. I use pfsense which has a dynamic dns plugin which will update my IP if it changes.
I thought CloudFlare tunnels handled the non-static IP part, so DDNS shouldn’t be necessary? I have a tunnel running on an RPi and I THINK it’s going to update the IP that CF has if/when my ISP changes it… I guess I’ll find out! 😆
There might be a service in cloudflare that does that - but I’m not aware of it. DNS in cloudflare requires an IP to proxy to, and you would need something (hosted by cloudflare on your rpi theoretically) that then would notify cloudflare that your IP has changed - otherwise cloudflare won’t know where it’s proxying from.
Cloudflare isn’t DNS, it’s a proxy that sits in the middle. (Okay it also does DNS, but I mean it’s not just routing traffic). Essentiall all cloudflare does is
- User queries DNS for yourdomain.com
- DNS returns cloudflare’s IP address
- Cloudflare sees the request, and then asks your server’s IP address for the data
- Once cloudflare receives the data from your server, it will pass it up to the user.
I’m simplifying a lot but that’s the gist. But if your IP changes then cloudflare doesn’t know where to get your data.
something that then would notify CloudFlare that your IP has changed
Right, it’s called CloudFlared: https://github.com/cloudflare/cloudflared
Either use something like Cloudflare (free DNS service) or https://freedns.afraid.org/
If this is for DynamicDNS, I host my DNS at cpiudflare for my domain and use a script which performs a lookup every 15 mins. It uses CF’s API to then update the record if it changes.
For DNS resolution, I use pi hole quad9 resolvers
Edit: sorry, just re-read and realised your talking about DNS hosting for a domain. honestly I use my Cloudflare or my domain provider. Given a single IP is a point of failure, it makes sense to have multiple NS on different networks/IPs. You also have to take into account Glue records and while not required, reverse DNS is also good. If you have Dynamic IPs it’s not worth it since glue records will need changing and those are manual each time
I have a dynamic IP, and it’s being a pain in the @$$ for me. I simply cannot use my domain to access my home server because of this.
Is your script available on GitHub or similar platforms?
I manage my domain’s DNS with Cloudflare and then have cf-ddns running on my home server. It checks my IP regularly and updates the DNS record
Great job! Thanks for sharing
Thanks!
Because I don’t care to roll my own Perl DOCKERFILE, I use a LinuxServer.io Container running ddclient.
It handles the scripting, you set up the config (with a supported DNS provider).
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CF CloudFlare DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol RPi Raspberry Pi brand of SBC SBC Single-Board Computer SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
9 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #280 for this sub, first seen 13th Nov 2023, 21:05] [FAQ] [Full list] [Contact] [Source code]
Are you just talking about dynamic DNS services for one or a few home servers?
There’s always DynDNS, but that’s a paid service. I actually discovered that dynamic IP address service was provided free by Google when using Google Domains as the registrar, so I moved a few of my private domains over to Google several years ago to save myself $55 a year.
Unfortunately, Google Domains is shutting down and all registrar services and existing customer domains are getting moved to squarespace and I’ve not yet been able to determine if squarespace is going to be offering the free dynamic DNS service or not.
Porkbun. Depending on the domain, less than $10 a year, and that includes renewals
I use this https://github.com/TechnitiumSoftware/DnsServer
Works great so far. Have it running on a PI with DHCP too. Multi vlan/subnet support through single NIC. Solid.
Yes - I like bind9 with views so I can serve external and internal from same instance. As I only have services for my own use 1 ns on my dynamic ip is enough for my home subdomain.
Bind9 has ok scripting possibilities with rndc and nsupdate.
Cloudflare is popular, as they also provide something called Tunnels.
Essentially, your domain points to their public IP, and your server connects to their server. This way, you aren’t opening ports on your home network, you aren’t leaking your home IP, and they provide various protections against DDOS and stuff.
Only issue is it’s for HTTP(s) traffic, and it’s cloudflare that terminates SSL so they could inspect your traffic if they wanted to (indeed this is how their various security systems work).Tailscale offer something similar, I believe.
Some people run their own Reverse Proxy over VPN (RPoVPN), using a VPS as the entry/exit point.These have the benefit of letting you essentially run a separate network from your home network, more security options with little initial configuration to do, not having to publish your home IP address.
The old school way is to use a Dynamic DNS provider, and open/forward the relevant port(s) on your router.
Most DNS providers have this ability.
You would then run a service on your server(s) that updates the DNS with your IP address incase of a dynamic IP address. Or you can rent a static IP address from your ISP.
There are many DNS providers. I use CloudNS, but it’s a bit clunky. Cloudflare provide DNS. I’m sure there are loads of others.You could also get the cheapest VPS, put all your services at home together with the VPS to the same Tailscale network and install a service such as Nginx Proxy Manager to terminate the HTTP traffic and proxy your home services.
Whether it’s using tailscale, wireguard, SSH tunnels, any other VPN, it’s all RPoVPN
Cloudflare for DNS, use a different domain registrar than where you point the NS. They should be split up for failback, don’t host them together.
Yeah think this will be the way I’ll do it, thanks.
For my dyn IP at home and selfhosted stuff I use cloudflare ddns because my router was too annoying at some point.
Well enough documented on how to set it up.For the DNS entries on my domain:
selfhost domain: Cloudflare
E-Mail domain: IONOS.For at home:
I tried to use OPNsense + unbound but had some issues getting the closer DNS servers from google and got further away ones.
Right now I use piHole with Google, CF and some other DNS provider.Ddns thru unifi with a Google API.