Ask HN: Is it feasible to run your own DNS name servers nowadays?

5 points by jamieweb ↗ HN
I'm talking for a small operation (personal blog, startup, etc).

Currently my DNS is hosted by Cloudflare, however I would like to have more fine-grain control over the zones, including DNS failover and GeoDNS.

I am looking into running a resilient pair of BIND servers. They will detect when one of my web servers goes down (e.g. for reboot) and pull the record (which will have a low TTL to avoid excessive caching). I also want to use GeoDNS to point users towards the nearest web server.

It seems to be very rare these days for people to run their own name servers. What are some of the common pitfalls and issues related to this?

8 comments

[ 3.2 ms ] story [ 30.5 ms ] thread
Yes.

I've run my own servers for my own hobby domains as long as the internet has existed. No issues there. I think people just like the convenience of something they don't have to maintain. Unless you expect your blogs to be controversial enough for a DDoS, there is no need for a commercial DNS provider.

Not sure how I missed out the "Ask HN", thanks for reminding me.

Regarding the DNS, have you run into any issues with people using your DNS server for DoS amplification attacks?

Also would you be able to share which DNS server software you are running?

For a while, I ran bind. Then for quite a while, I used a modified version of rbldnsd, which is not really meant to be used that way, but it was very good at absorbing abuse and didn't even implement most record types. It just had what I required.

When I eventually needed a proper DNS servers again so that I could have CAA records, I switched to NSD [1]. NSD is stricly authoritative, vs. its counter-part Unbound [2] for recursive. It is a little faster than bind and has not had quite as many CVE's associated with it as bind. That said, bind was there for a long time and they learned along the way. You can find sites that compare the features and benefits of NSD vs. bind.

I have not been used for amplification attacks. That said, people have tried enumerating many things over the years. There are some things you can do both in the DNS config and in iptables to reduce some noise. You would want to look on serverfault [3] for ideas. I set really high TTL records, so DDoS would only affect people that have not used my site in a while.

[1] - NSD: https://www.nlnetlabs.nl/projects/nsd/about/

[2] - Unbound: https://nlnetlabs.nl/projects/unbound/about/

[3] - Serverfault: https://serverfault.com/

Thanks for the info, this will be really useful. :)
I forgot to add that NSD lacks query logging. If you need query logging, stick with bind, or you would have to use one of the packet capture daemons that passively records DNS and those tend to increase CPU load.
Thanks for pointing that out - it's something I wouldn't need in production but logging is always useful for debugging.
I’ve been running my own nameservers since 1994. It’s one of the simplest services to run. I use BIND.
Pitfalls off the top of my head: Detecting servers going down is not very simple. They don't just go down and become completely unresponsive. Sometimes they become slow, overloaded, generate incorrect responses, sometimes there are connectivity issues, packets get dropped. Sometimes connectivity issues are not globally visible, but affect only some of your users. The number of affected users might increase over time too without you detecting anything. All of the problems apply to monitoring nodes too.

The simplest approach that more or less works is to use a single monitoring node close to your users and only make decisions when majority of servers are responsive. Once some server has more than one problem over a few tries, pull its record. Then put it back once it's been free of problems for some time.

When updating DNS records automatically increase serial number of the zone. Make sure monitoring node retrieves that serial number from DNS servers on start, to survive own crashes.