tags : Networking, Selfhosting
FAQ
DNS 1:1?
DNS is not 1:1 you can have multiple domains pointing to the same ip. and can have multiple ips pointing to the same domain.
Does DNS use TCP of UDP?
- DNS uses both TCP(Zone Transfers) & UDP(Queries)
What are the DNS related organizations?
These organizations are largely related to two things: IP allocation, Domain registries.
Organizations
-
ICANN
- ICANN is the policy organization
- People for some reason don’t like ICANN
- Responsible for picking what TLDs should exist or not
- Deciding how the IPv4 space was to be handed out the RIRs
-
IANA
- Currently it is a function of ICANN
- The IANA is an organization that maintains assignments of various numbers.
- Assign IP addresses to the regional internet registries (RIRs)
- Assignment of Autonomous Systems numbers to those same RIRs
- Maintaining and publishing the root dns zone
- Maintaining registries of various parameters used in the internet protocols, on behalf of the IETF.
- Internet Architecture Board (IAB)
- Internet Engineering Task Force (IETF)
- Internet Society (ISOC)
IP allocation space
-
Regional Internet Registries (RIR)
- This is not any specific org, just a type of entity.
- They get their allocations from IANA.
- ISPs get theirs from the appropriate RIR
Domain space
This is a whole business and this is not uptodate info.
-
Registry Operators
These are also called Network Information Center (NIC). Role is to keep the master database of all domain names registered in each top-level domain (TLD) and generate the “zone file” that allows computers to route Internet traffic to and from TLDs anywhere in the world.
-
Registrar
Basically a middle-man.
- They’re approved by the registry to sell domains directly to consumers, and they pay the registry a set price (for examples, Verisign gets $7.85 per .com domain).
- The markup is often quite small on domain name sales, which is why retail registrars like GoDaddy tend to push value-added services.
- That’s where their major profits come from.
- How to Become a Registrar - ICANN
-
Registrant
The registrant is the owner of the domain name. They pay the registrar, who in turn pays the registry.
DNS Servers
Types
4 Types. These 4 DNS servers work together in harmony to complete the task of delivering the IP address for a specified domain to a client.
Resolvers
Essentially the middleman between a client and other DNS nameservers(root-tld-authoritative
). It usually will cache responses. Your ISP provides an recursive resolver but you can also use things like 1.1.1.1
- Recursive: This is usually meant when we say resolver
- Non-Recursive: You can run a resolver in non-recursive mode
- Stub Resolver: Your laptop runs a stub resolver
Root Nameservers
-
Official Root Nameservers
- The most widely used (and first) DNS root is administered by the ICANN
- There are 13 types DNS root nameservers are known to every recursive resolver. There are multiple copies of each one all over the world running in anycast, ~600 actual instances.
- These responds by directing the recursive resolver to a TLD nameserver.
- These are overseen by a nonprofit called ICANN.
- These are paid for by domain registration fees.
-
Alternative Root Nameservers
- These run their own root nameserver and typically include pointers to all of the TLD servers for domains delegated by ICANN, as well as name servers for other, custom TLDs that are not sanctioned by ICANN.
- Unless one specifically changes their DNS resolution settings, alternative DNS top level domains are generally unreachable
TLD Nameservers
This contains all the domains under that TLD. These are owned by registry operators.
- There are two kinds
- gTLD: Registry(pivate co(s)) pay ICANN a set amount fee. ICANN doesn’t make any money directly off a domain name sale.
- ccTLDs: Owned by respective countries, so countries get to keep all their money.
- Root Zone Database
- If a registry does not meet their contractually obligated SLAs, ICANN may invoke EBERO and transfer registry services over to one of the Emergency Back-end Registry Operator
Authoritative Nameservers
The authoritative nameserver is usually the resolver’s last step in the journey for an IP address. If you own a domain, you can run an authoritative nameserver for that domain.
-
Primary and Secondary
The thing about Authoritative nameservers is that there are primary and secondar(ies). Authoritative secondary replicas are common. Usually if people selfhost it, they tend to hide the primary.
- Have the authoritative server where you perform the updates not referenced in your domains NS records, and instead only list the secondary (replica) servers in your NS records.
- This way they maintain control and any attack based on NS records is on the replicas, and they refetch the record from the authoritative server periodically (based on SOA record settings).
Running DNS Servers
You can run the whole DNS stack on you own if you want but not recommended ofcourse, but running authoritative and resolvers are popular choices.
Locally
-
Authoritative Nameserver
You usually do not need to run authorative ns locally unless you have a local zone or something
-
Resolver
- Pi-Hole + Unbound Recursive DNS. (Popular combination for local resolver setup)
- Why run a local resolver? Basically, it’s the difference between asking your mother for her phone number, and asking your father, for your mothers phone number. By going direct to the source, there is less chance of error, malicious intent, or someone reporting your “request” to someone else.
- Good discussion
-
Security Concerns
- Ask HN: How does my school block DoH? | Hacker News
- https://dnsprivacy.org/
- OPNSense custom i5 16GB router. Only the Pi’s can make DNS calls (DoT, DoH, DNS) to outside. Any other device is blocked by firewall to call DNS on their own and instead, forward to Pi-Hole.
- Cluster, Part 3: Laying groundwork with Unbound as a DNS server | Stardust | …
- I’m using Stubby as a shim to my Pi-Hole.
- Like this explanation but might be incorrect (there is wrong use of terms for sure)
- ISPs can see all the apps and traffic to and from you, regardless of what DNS you use. They cannot see content of encrypted connections, but can see the time, amount of data and hosts you’re talking to.
- A VPN will get around that, but your ISP can see the traffic volume to the VPN, and the VPN provider can of course see all your traffic.
- As far as DNS goes, if you run Unbound and let it query the root servers, your ISP can still see the unencrypted lookups. You’ll be querying the authoritative servers for each domain directly, but it’s still unencrypted.
- Using DOH, your DNS queries are encrypted, but your ISP can see what DNS servers you are talking to over DOH.
- The operators of those DNS servers could of course also see what your DNS queries are.
- for the possibility of DNS leakage but if the ISP somehow uses the IP-blocking approach then there’s no other way but to either use a VPN, a proxy, or Tor.
- DNS leaks happen when your DNS requests hit your ISP rather than getting handled by the VPN server.
Publicly
-
Authoritative Nameserver
- You can also run a publicly available authorative server from home like this person.
- The general rule we recommend is at least 3 nameservers preferably on multiple continents.
- Consider using cloudflare unless absolutely necessary
- It is not usually recommended to run an authoritative nameserver as you can just use one that is hosted by someone.
- I would advise against running your own nameserver unless you have confidence in your ability to operate it correctly
- Maybe you like the syntax of nsd, maybe you like the zone file interface, maybe you dislike the UI of the autohorative server
- advantages of bind by running a “hidden primary” server which stores the records, but serve all of the actual DNS queries from a “secondary” server.
- And once the zone is setup and the secondary working, you only need to modify things in the primary.
- Having multiple secondary is good because if things fail that means mails lost, that may be worse than losing connectivity with your website for a while
- Secondary DNS — A faster, more resilient way to serve your DNS records
- https://www.reddit.com/r/selfhosted/comments/asd08x/do_you_selfhost_authoritative_name_server/
- https://www.reddit.com/r/dns/comments/ihhfqk/how_to_host_own_ns_servers/
- https://www.reddit.com/r/dns/comments/lnrzvh/how_to_host_nameserver_for_a_domaine_name/
-
Security Concerns
- The Unfriendly Internet - Turning Off Cleartext Lookups in September - uncens…
- Shutting down our unencrypted public DNS service - Blog | Mullvad VPN
- Make sure you do not allow recursive queries to the rest of the world (Bind) and make sure you turn on the rate limiting to be safe.
- All DNS server operators have to deal with spoofed UDP traffic, doubly so for open recursive server operators.
- Only the UDP version of DNS is open to amplification attacks. The TCP version of DNS (which has been supported for 30+ years) should work fine, but some shitty firewalls block it, so people have not relied upon it, and as a result it’s not very reliable to use TCP DNS everywhere but this lacks encryption
DNS servers list
Selfhostable servers
This is a very small list with things that interest me. See feature matrix here in wikipedia and in the arch wiki
Name | Remark |
---|---|
CoreDNS | Modern, Written in Go, Focused for SD in containerized environments but can work generally |
PowerDNS | Has a DB backend, more suitable for larger environments |
Pi-Hole | Cute and powerful |
0xERR0R/blocky | Fast and lightweight DNS proxy as ad-blocker for local network with many features |
AdGuard Home | Some people use it |
djbdns | |
Unbound | Recursive DNS |
dnsmasq | Simple, suitable for homelab. Does both DHCP and DNS. |
Knot | Authoritative only |
Knot Resolver | Resolver only. 1.1.1.1 uses it. |
NSD | Authoritative only |
Bind | Been around in some incarnation since the 1980s and supports just about every DNS standard written. Both Authoritative and resolver. |
https://dns.he.net/ |
Other stuff
Services
Name | Remark |
---|---|
NextDNS/DNS0 | I mean if I don’t have time NextDNS summary |
Quad9 | |
OpenDNS | Service |
Wildcard DNS Services like xip.io
Basically this saves you from editing your own hosts
file/ editing your DNS records.
-
Virtual Hosts
- Even though the name VH mostly refers to Apache VH, here I am refering all of
Caddyfile site block
,Nginx Server block
,Apache Virtual Host
etc. i.e the idea of a virtual host. I feel they are similar to Reverse Proxies in a way. - Suppose you have a server hosting two different sites as virtual hosts.
apple.com
andorange.com
and you have virtual hosts setup for them. To access what them you’d need to add the DNS records now! - Here comes xip.io and friends, you can just set
apple.10.0.0.1
andorange.10.0.0.1
. And then you add them to your virtual hosts file as alternative domains for the server block and you’re good to go! No need to edit DNS records now. Since both will direct to10.0.0.1
and will have their respectiveorigins
in the request. - On top of that, this will be accessible not only to your development machines, other devices in the local network will also be able to do the same provided they can connect to
xip.io
- Alternatively, if you do the following in
/etc/hosts
, even though they’ll point to10.0.0.1
it’ll only be accessible to your host and not elsewhere. - With TLS we get SNI
10.1.1.1 doop.apple.com 10.1.1.1 poop.apple.com
- Even though the name VH mostly refers to Apache VH, here I am refering all of
-
Subdomains
- Since you’d get the
origin
, if you application behaves differently based on subdomain. in.google.com, us.google.com
can bein.10.1.1.1.xip.io
andus.10.1.1.1.xip.io
- Your application should work as expected, if it checks the subdomain
in/us
and behaves differently.
- Since you’d get the
DNS Records (Resource Records)
- IANA has a lot of record types specified Domain Name System (DNS) Parameters. Some are reserved, expeerimental, less used etc.
- See (All) DNS Resource Records
A Records
- Multiple A records can distribute traffic among several servers, helping to balance the load.
- When a client queries the DNS for the domain name, it may receive multiple IP addresses. The client typically connects to one of these IPs,
- But this can be problematic if the two servers hold local state that’s used for the session with the user as no guarantee on which ip it returns etc.
CNAME
- A CNAME record is used for referencing a domain’s alias instead of its actual name.
- CNAME records typically point to an A record (in IPv4) or AAAA record (in IPv6) for that domain.
Mail related records
See Email
DNS security
DNSSEC
- DNSSEC is Unnecessary, all secure crypto on the Internet assumes that the DNS lookup from names to IP addresses are insecure. Securing those DNS lookups
- dnssec/ntp dependency loop is absurd
- DNSSEC can be bypassed by using a resolver that doesn’t care about it.
- DNSSEC is the publisher’s responsibility.: that your responses are as the publisher intended.
- Against DNSSEC — Quarrelsome
Encrypted DNS
- Comparison: https://dnscrypt.info/faq/
- DNSCrypt/DNSCryptv2/DoH/DoT are alternatives. They can be combined but doesn’t make a lot of sense to combine.
- Encrypted DNS (between resolver and nameserver) is a modern replacement for regular cleartext DNS lookups.
- DoH is the easiest to start w, ppl tend toward DoH for devices that frequently travel with, and DNSCrypt or DoT for devices that rarely leave their home.
DNSCrypt
- Runs on port 443, hard for ISPs to block. Now comes w anon dns.
- It provides payload encryption and server authentication, within the context of otherwise-normal DNS queries.
- DNDcrypt-proxy: Implementation of dnscrypt
- Acts as an intermediary between client devices and DNS resolvers.
DoH
- Runs on port 443, hard for ISPs to block.
- DNS over HTTPS is one good answer here - this is the best scenario for it. Hypothetically indistinguishable from normal HTTPS traffic to the given website
- However, from a privacy perspective, DoH is arguably preferable. With DoH, DNS queries are hidden within the larger flow of HTTPS traffic. This gives network administrators less visibility but provides users with more privacy.
DoT
- Runs on a known port, easier for ISPs to block
- DoT and DoH are traditionally available over TCP (or reworked versions of TCP like QUIC), which have built in protections against address spoofing.
- DNS over TLS/HTTPS is probably a sufficient solution for you (as I commented on another comment). It sounds like your ISP is doing DNS hijacking. DNSCrypt won’t protect you from this as it only provides integrity/tamper evidence, not privacy.
Things to read about encrypted DNS
- DNS Security: Threat Modeling DNSSEC, DoT, and DoH
- dnsprivacy.org]]
- Improving DNS Privacy with Oblivious DoH in 1.1.1.1
Issues
- Even if using DOH/DoT SNI can be leaked, The snooping ISP will still see your plaintext SNI request to the destination web server, even if your DNS lookups are encrypted. This gives the ISP the hostname you’re trying to hit. Solution is Good-bye ESNI, hello ECH!
- A number of ISPs (e.g. sky, virgin media) are turning to forwarding all UDP/TCP port 53 DNS traffic to their own DNS servers irrespective of the destination marked on the packet.
- These encrypted DNS services are usually blocked here in Iran. The unencrypted ones are compromised, too. I use self-hosted dnscrypt.
Maintenance and Practices
DNS tips for SysAdmins
- Separate Registrar from the source of the DNS records
- Multiple NS records on the registrar
- Multiple vendors for DNS records with Terraform sync between the two vendors 🌟
- Limit A records or point A Records to CNAMES
- Low TTL times for NS records, risky if you are hacked though or make a bad change
TTLs
Makes sense about increasing the TTL of anything that’s static and constant, like MX records. That TTL value buys time when there are issues before it is propagated to hosts that need to query your records as it’s not cached at their end.
- Those times will say to resolvers for much time they could cache that information, and give a time for propagation of a change in that information.
- You can have them frequent but have some margin to have meaningful caches in remote resolvers to speed up access to your sites.
- The higher TTL will help as it won’t be querying them
- Note that ISPs may round your TTL to 10mins or something if they see DNS cache abuse
- Choice of resolver (e.g. 1.1.1.1, 8.8.4.4) is out of your control when you’re not running your own nameserver (??)
- Assuming that your clients’ resolvers are well-behaved and respect TTLs
- See A survey of DNS caching and TTL in end-user client software | Ctrl blog
EDNS0
- Note: if there are more than 8 IPs behind one name, the DNS backend must support the EDNS0 protocol.
Resources and Links
How to and Whys
- Why might you run your own DNS server?
- DNS server types | Cloudflare
- How to run a split DNS server | blog.kronis.dev
DynamicDNS
Dynamic DNS requires a small piece of software on the server that every now and then tells the DNS Server its current IP for it to broadcast to end users and other DNS Servers. If your server changes IP Address the DNS Servers will automatically update to the servers new IP.
- DynamicDNS - Community Help Wiki
- Configuring a dynamic DNS for a domain name | OVH Guides
- Reddit - Dive into anything
- Dynamic DNS | Cloudflare
- GitHub - ddclient/ddclient: This is the new home for ddclient.
Other Fun DNS tools
- https://github.com/octodns/octodns
- https://github.com/knadh/dns.toys
- https://github.com/yarrick/iodine
- DNS over Wikipedia | Hacker News
- Show HN: Use DNS TXT to share information | Hacker News
- https://github.com/paulc/dnslib
- 2020 | DNS flag day