How good (or bad) an idea is it to run one's own authoritative nameservers?
Any tips/tricks/suggestions or gotchas to remember?
@sahil If you want to see details about who and what is issuing queries for your names, it's a good idea.
If your name(s) are prone to attack, it might be a bad idea unless you partner with a provider who can host and help mitigate large floods.
If your zone(s) don't change very often and have few records, it is relatively easy to set up and run a couple of authoritative name servers, ideally on at least a couple of diverse networks using bind, unbound, or whatever you're comfortable with.
Don't provide answers (recursion) you're not authoritative for.
Don't forget to update your SOA serial every time you make a zone change.
Do run your zone through various zone checking online tools (e.g., zonemaster.fr).
Do use a provider who won't arbitrarily block networks/addresses or source ports.
Don't run anything else on your name server, except maybe SSH and NTP, and protect those from unsolicited access.
You may not have a need for all their guidance, but see IETF RFCs 2870 and 9199 for other ideas.
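Two of the points above (keep the SOA serial moving on every change, and make sure secondaries actually see it as newer) are easy to get wrong by hand. The following is an added example, not code from this thread or from any of the name servers mentioned: it bumps the serial in a single-line SOA record using the YYYYMMDDnn convention from RFC 1912, and checks the result with the RFC 1982 serial comparison that secondaries apply. The zone file below is constructed for the example; the helper names are my own.

```python
"""Bump a BIND-style zone file's SOA serial and verify it with RFC 1982 arithmetic.

Added example; assumes the SOA record is written on one line (the common form)
and that the zone uses the date-based YYYYMMDDnn serial convention.
"""
import re
from datetime import date

# Constructed sample zone (not from the original post).
SAMPLE_ZONE = """\
$TTL 3600
example.test.  IN SOA ns1.example.test. hostmaster.example.test. 2024030102 7200 900 1209600 3600
example.test.  IN NS  ns1.example.test.
example.test.  IN NS  ns2.example.test.
ns1            IN A   192.0.2.1
ns2            IN A   198.51.100.1
"""

# Matches "SOA <mname> <rname> <serial>" on a single line and captures the serial.
SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s+(\d+)")


def next_serial(current: int, today_yyyymmdd: int) -> int:
    """Return the next serial for a zone edited on the given day.

    First change of the day gets <date>01. If the current serial already
    carries today's date (or is somehow ahead of it), just add one: the
    date layout is only a convention, monotonic increase is what secondaries
    actually check, and +1 is always a valid step in RFC 1982 serial space.
    """
    first_of_day = today_yyyymmdd * 100 + 1
    if current < first_of_day:
        return first_of_day
    return (current + 1) % (1 << 32)


def serial_is_newer(new: int, old: int) -> bool:
    """RFC 1982 comparison: 'new' is newer if it lies within 2^31 ahead of 'old' mod 2^32."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


def bump_zone_serial(zone_text: str, today_yyyymmdd: int) -> tuple[str, int, int]:
    """Rewrite the SOA serial in zone_text; return (updated_text, old_serial, new_serial)."""
    m = SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no single-line SOA record found")
    old = int(m.group(1))
    new = next_serial(old, today_yyyymmdd)
    if not serial_is_newer(new, old):
        # Guard against ever publishing a serial secondaries would ignore.
        raise RuntimeError(f"computed serial {new} is not newer than {old}")
    updated = zone_text[: m.start(1)] + str(new) + zone_text[m.end(1) :]
    return updated, old, new


if __name__ == "__main__":
    today = int(date.today().strftime("%Y%m%d"))
    text, old, new = bump_zone_serial(SAMPLE_ZONE, today)
    print(f"serial {old} -> {new}")
    print(text)
```

In practice you would run this (or the equivalent in your editor hook) before `rndc reload` or `pdns_control`-style reloads, and the `serial_is_newer` guard is the same test a secondary performs when it decides whether to pull an IXFR/AXFR: a serial that does not pass it is silently ignored, which is exactly how a forgotten serial bump shows up as "my secondaries never updated".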
@jtk what're your thoughts on having a hidden primary? Is that a common occurrence in the wild?
I'm thinking of adding some secondaries (off net, not managed by me as well), so in case my systems go down, updates can still be pushed via this "hidden" primary to everywhere as well.
@pmevzek I'm strongly leaning on PowerDNS (with BIND backend) because of some experience with that.
> ... different OS and nameservers software
for security reasons that is? Can you elaborate a bit here.
Also, if I understand correctly IXFR/AXFR should flow fine across different name server software primary-secondary combinations (?)
@sahil Depends on what kind of authoritative zones :-) If "critical" and you need 99.9999% reliability, then no. Otherwise, maybe. Theoretically, you need either solid anycast, OR at least 2 separate IP blocks in separate AS in separate datacenters with separate routing (+ ideally different OS and nameserver software). Plus the usual (power source, monitoring, etc.). But to do it at home on some toy zones, absolutely, to learn things!
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.