# I want to run self-hosted DNS server as a learning project



## toorski (Dec 10, 2018)

Hi and Hello,

ATM, I run my wannabe_dot_net with 5 Static Public GW-IP(s). I utilize only one of those IP’s for my domain name with DNS provided by joker.com. It supports few of my TCP/IP services (HTTPD, SMTPD, and SSHD) running in jail with the Public IP. Tho, I have 4 more Public IPs left over to play with and want to utilize them to learn “howto DNS server.” I want to get new domain with few extensions and use *cheapname.com * (lol) "namecheap.com" as the registry. But, I also want to run my own DNS server, specifically “*NSD”* daemon - https://www.nlnetlabs.nl/documentation

With that in mind, I have few questions?

1) Should I use my static Public IPs in jails to run DNS server(s), or should I  use vnet(s) for the jails.
2) How do I deal with zones for different domain extensions, such as:  mydomain.net, mydomain.org, mydomain.com .. etc.

I’m an olden nerd with too much free time, so I want to learn new things to keep my mind busy RTFMs, which at times are too cryptic and don’t provide enough examples.
Any hints and suggestion regarding “How to Prefect DNS server setup in FreeBSD” will be greatly appreciated  Thank you.


----------



## SirDice (Dec 12, 2018)

If you want to host your own DNS domains on the internet you'll need at least two DNS servers preferably on two different networks. 

If you just want to play around with DNS you don't need to register anything at all (or attach them to the internet). Just set it up internally and pick a domain name and TLD that's not used on the internet (that will make it easier to see which requests should be handled internally and which requests should be forwarded). Point your clients to your internal DNS server(s) and go to town


----------



## johnblue (Dec 12, 2018)

Back when men were men and FreeBSD shipped with BIND .. 



.. named.conf was found in /etc/namedb.

Even though we now have a girly-man resolver out of the box (unlock, unravel, unbound, whatever) it will get you going but honestly you have two paths to choose from if you want to run legit old school DNS:  BIND from ports or packages.

One of the benefits from rolling your own via ports is that you could compile different versions and switch between them.  For the testing/self-education that you are wanting to accomplish I would recommend that you go with the BIND package.  It installs without issue and allows you to get to the good stuff right away.

Jails have their place and depending on your level of expertise you could start with one or not.

zoneedit.com allows you three zones for free so that can be your secondary server with your on premise server as primary.

I am a cloudflare.com since day one user and they now offer "at cost" domain registration.  I don't know if they opened up for the general public yet but I just paid $8.03 USD for a registration of a domain last week.  All other registrars can suck it.

What else .. oh yeah .. tcpdump.

Repeat after me:





> This is _my tcpdump_. There are many like it, but this one is mine. _tcpdump is my_ best _friend_. It is _my_ life. I must master it as I must master _my_ life.





You need tcpdump to be able to see what is on the wire especially when troubleshooting issues.  I prefer to use a command something like this to see general DNS traffic:

`tcpdump -n -i bge0 port domain`

-n keeps extra DNS lookups out of the troubleshooting session
-i is your ethernet adapter, use pflog0 if you are trying to troubleshoot packets traversing the pf firewall
port domain is show me only DNS traffic

If you want to look at traffic from a specific host use:

`tcpdump -n -i bge0 port domain and host 10.1.10.1`

Dont forget you can use tcpdump to capture the traffic to a pcap file and slice it up in wireshark.

As with everything in life, take your time and enjoy the journey!


----------



## ShelLuser (Dec 12, 2018)

toorski said:


> But, I also want to run my own DNS server, specifically “*NSD”* daemon - https://www.nlnetlabs.nl/documentation
> 
> With that in mind, I have few questions?


If you're new to how DNS works then I'd definitely recommend against using nsd for now and instead work your way up with Bind.

Nothing negative about nsd mind you, but there is a lot involved with DNS administration than merely setting up a server and populating it with your domain information. There are also security concerns for example: you don't want to allow 3rd parties to use your DNS for lookups beyond your own domain(s) because that could be abused. And there are also simpler issues to cope with: like a master/slave setup where you apply your changes on one server and they get propagated onto others.

See, the problem is that NSD's documentation is lacking. If you look here then all you basically get are manual pages. Those make great references, but fail miserably when you're trying to understand how something actually works.

If you compare that to the official Bind documentation then you'll quickly spot a difference. It's not merely manual pages but also includes FAQ's, administrative guides, specifications, 'best practice' guides (which can also be applied on other DNS installations), and so on.

And because Bind is heavily used throughout the Net you'll also find plenty of guides and information online. And once you grasped Bind then you're basically home free.

Last year I moved away from Bind due to some personal annoyances and ended up with PowerDNS. Although the environment and workflow was completely different (a separate resolver & server process) it still didn't take me long to set it up because I was already familiar with the way things worked.



toorski said:


> 1) Should I use my static Public IPs in jails to run DNS server(s), or should I  use vnet(s) for the jails.
> 2) How do I deal with zones for different domain extensions, such as:  mydomain.net, mydomain.org, mydomain.com .. etc.


1) This is basically personal preference, 2) Those would all end up being new zones.

Depending on the DNS software you use it can be very easy to set up "shadow zones" (as I like to call them). So for example making 'mydomain.org' a master zone and then having the .org, .com and .whatever variants copying its contents.

This is very easy with Bind: in your zone definition (in named.conf) you'd refer the zone to a file in which you _only_ set the $TTL, $ORIGIN and then you use an $INCLUDE statement to point to a separate file which contains the actual SOA record (utilizing @) and the record entries which you want to use.

For example:

```
zone mydomain.org {
  type master;
  file "master/mydomain.org";
}

zone mydomain.com {
  type master;
  file "master/mydomain.com";
}
```
Then looking at ./master/mydomain.com:

```
$TTL 24h
$ORIGIN mydomain.com
$INCLUDE /usr/local/etc/namedb/master/mydomain.zone
```
And ./master/mydomain.org would roughly have the same contents, other than the different extension of course. The file ./master/mydomain.zone would contain the actual SOA record (using @ instead of the domain name) and it sets up all the different record which you want to use.

The advantage should be obvious: all your different domains would still share the same records, so if you need to make a change you'd only have to do that once after which they'd get applied to all your different zones.

This flexibility is also one of the many reasons why I eventually moved back to Bind again and haven't moved since


----------



## toorski (Dec 15, 2018)

johnblue ShelLuser 

Thank you both for excellent replies with concise write-ups. I will keep this topic and threads in my bookmarks to use as the reference in my DNS experiments. Sometimes I read too much, thus the more I read the less I understand why yet another utility which does the same job as the first one. I guess, I was trying to find new species of fish in the ocean full of exotic creatures   I think that I used BIND, many-many years ago on Linux with Livingston router, in College. But since then, I got much older, bolder and  forgot "howto" DNS server(s)     Plus, FreeBSD and FreeBSD jails are new to me.  I'm a kind of latecomer, with my TCP/IP hobbies , tasting the latest and greatest offerings from The Free and Open Source worlds. I'm just trying to keep my mind working, since I  put rest of my being into retirement  
Thanx again!


----------



## rootbert (Dec 15, 2018)

You should have at least 2 nameservers, and both in different public subnets/ under different AS.

I highly recommend NSD for your public facing nameservers. I have installed powerdns since it is very nice to administer - its acting as primary where I edit domains by hand (vim like editing with syntax-check) or scripted. Via notification the changes are transmitted to both of my nsd instances.

So on one hardware has a jailed nsd where I am redirecting port 53 to this jail. The other hardware has one jailed nsd and also port 53 redirected to this jail. Also, a jailed powerdns instance which notifies both nsd instances - quite easy to setup, secure, easy ro maintain and to edit.


----------



## toorski (Dec 16, 2018)

rootbert said:


> You should have at least 2 nameservers, and both in different public subnets/ under different AS.



I don't  have 2 different public subnets 

I’m trying to clear my DNS brainwash and get fresh mind wrap around my dotnet  and TCP/IP.

*This is my scenario:*
I operate  3 routers with 5 Static Public IP(s)
The 5 Public Static IPs from my ISP are in the same C class subnet:  XXX.XXX.XXX.*
One of those Public IP’s is used as the GW-IP for all my LAN(s)
*Routers:*
1) From ISP wired only “Pass Through” router - C-class/LAN 10.1.*.*  with 5 Public "pass through" GW-IPs to the world.
2) My own wired/wireless router (connected to ISP’s router) with one of my Public IP’s as the GW/IP for my LAN – 192.168.1.* (for 4 wired/wireless computers running M$OS)
3) My own wired/wireless router (connected to my ISP’s router)  with  one of my Public IP’s as the GW/IP for my other LAN – 172.20.1.* (for my wireless fones running Android OS and Linux-OpenSUSE/Tumbleweed machine)

*My servers:*
1) FreeBSD-11.2 RELEASE connected directly to my ISP’s  router with 10.1.10. */IP and 1 jail that utilizes Public IP to run  HTTPD, SMTPD, IMAP4 and SSHD inside the jail.
2) FreeBSD-12.0 RELEASE connected directly to my ISP’s  router with 10.1.10. */IP and waiting to be used for anything that I can install inside jail(s)

Bottom line is that I don’t have 2 Public IPs, in 2 different C class subnets to play with and use them as 2 different WAN-GW/IPs , within my LANs, as an *autonomous systems* (*AS*).

So at this point, I don’t know if can run self-hosted DNS, or I don’t know what I’m thinking or talking about.

Tho, I do have another Internet connection from my other residence with 1 Static Public IP , but I have to check if  I can play DNS server from there. If I can,  then that would make another AS for my DNS


----------



## toorski (Dec 17, 2018)

rootbert said:


> You should have at least 2 nameservers, and both in different public subnets/ under different AS.



This is what caught my attention:
`forward-addr: 208.67.222.220 # OpenDNS
forward-addr: 208.67.222.222 # OpenDNS`

Moreover my ISP provides similar set of DNS IPs
`DNS1 - 75.75.75.75
DNS2 - 75.75.75.76`

In the above, both DNS providers utilise IPs from within the same C-class Public subnet(s)


----------



## User1946 (Dec 17, 2018)

Here is something that may be helpful. Also this is a nice guide to configuring a hidden master.


----------



## ShelLuser (Dec 17, 2018)

Some domain registrants also provide options to back up your registration. So they'll allow you to run your own (single) domain server and then provide the slave themselves.

Still, I'd definitely suggest that you start with setting up a local domain structure and once you got that running you can then use those experiences for the real thing.


----------



## gkontos (Dec 17, 2018)

toorski said:


> This is what caught my attention:
> `forward-addr: 208.67.222.220 # OpenDNS
> forward-addr: 208.67.222.222 # OpenDNS`
> 
> ...



Many large ISP's use anycast BGP for DNS services. So, utilising IP addresses from the same class C network makes sense.


----------



## ronaldlees (Dec 17, 2018)

ShelLuser said:


> Some domain registrants also provide options to back up your registration. So they'll allow you to run your own (single) domain server and then provide the slave themselves.
> 
> Still, I'd definitely suggest that you start with setting up a local domain structure and once you got that running you can then use those experiences for the real thing.



Right.  At one time I ran a setup like that - just for giggles.  It works OK, but of course the root servers tend to split the DNS traffic via the listing order (a good thing), so it will only be possible to analyze half of the DNS queries.


----------



## toorski (Dec 20, 2018)

According to my DNS experiments, within my LAN(s) *with NSD* servers running as part of the core OS, in 2 FreeBSD systems along with *unbound(s)*, all seem to function as intended, where NSD(s) are my master/primary(s) and secondary/salve(s)  - each behind my LAN routers. 

I can find and connect to all my LAN nodes by name(s) and IP(S) from behind each of my LAN routers (and from router to router/LAN2LAN)  with help of NSD. Thus, I consider that part solved. Moreover, I don't need or want to resolve or query my dumb-ass M$OS nodes, smart-ass fones or a workstations that don't provide  any TCP/IP services. Tha'ts why I use 2 of my own LAN routers. So, my next step is just for nodes that shall provide TPC/IP service as follow:

I'm going to place the 2 FreeBSD machines, behind my ISP Router (as I had them before)  with 2 static public IPs and NSD in jails, both within the same C class subnet, in each of the FreeBSD servers. Rest are zones. master, secondary, forward and reverse configurations of my public IPs and my poor-ass domain. When and if I break the DNS root servers, yo'll will know it  - LOL
Thank you!


----------

