Agree. Title got me hoping for a description of reasonably-solved public zones self-hosting. The actual content is not interesting to me, and reads like an ad for something called AdGuard (I use unbound for most of this).
> reads like an ad for something called AdGuard (I use unbound for most of this).
Definitely not an ad - it's just the best option that I found, and have been super happy with it! There are lots of ways to do this (people have shared even more options in the comments here), and for a lot of people AdGuard/Pi-hole/... are the relatively easier options
Want to throw in blocky (https://github.com/0xERR0R/blocky). Supports modern protocols and easy to configure in one file. Migrated to this from pi-hole and never looked back.
Blocky is great! The maintainers are also really easy to get along with. I had a few features I needed to get off of Pi-hole (CNAMEs, defining DNS via zone files) and they worked with me to plan the feature and were very kind and responsive with reviews of my pull requests :)
Why forward requests to a DNS server like 1.1.1.1 at all? I used to use stuff like pi-hole/dnsmasq, but now I'm using unbound on my opnsense router which supports using blocklists and custom overrides (as well as automatic for DHCP clients). I found the default blocklists in pi-hole broke a few things but not had any problems with the lists I'm using now.
That would be a 'recursive resolver'[0], which recursively queries the DNS hierarchy from the top, returns the requested DNS record, and (unless you configure it not to do so) caches the results.
They're easy to set up and unless you're using it to support thousands of DNS requests per second, it's not appreciably (on human scales) slower than forwarding requests to your ISP's servers and/or 8.8.8.8 or 1.1.1.1.
More detail about recursive resolvers and how they work can be found here[1]
That's called a DNS resolver (iterator). Essentially, it starts from the top (.) and asks for authoritative nameservers that can answer the next level down until it reaches the hostname you are looking for. This usually takes multiple RTTs and is hence slower than asking some big cache.
I don't really see how this scales, on a global basis.
Sure, one or two of us running our own resolvers isn't going to hurt, but an extra hundred million or so resolvers would hurt -> at best just causes all the servers targeted by the resolver to add more layers of caching
Replying again as I did some research. It turns out there aren't actually only 13 root name servers, there are almost 2000. Also, the vast majority of queries to the root servers are from badly configured systems that aren't caching results properly or aren't even receiving the results. So running your own caching resolver, assuming it's working correctly, would contribute to the small drop in the ocean that is legitimate usage of the root servers. Presumably the same applies to the next levels up too.
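To make the referral walk and the caching argument in the comments above concrete, here is a toy iterative resolver over a constructed in-memory hierarchy. This is an added example, not code from the thread, from Unbound or from any real resolver; the servers, names and addresses are made up, nothing touches the network, and a real resolver does more (it also caches NS referrals, validates DNSSEC, retries, and so on).

```python
"""Toy iterative ("recursive") resolver over a constructed, in-memory DNS hierarchy.

Added example, not code from the thread, from Unbound or from any real resolver.
The servers, names and addresses below are constructed for illustration and
nothing touches the network. It walks the referral chain root -> TLD ->
authoritative that the comments describe, counts the round trips that walk
costs, and keeps a TTL-respecting cache so repeat lookups cost zero round trips
and the root server sees one query instead of one per lookup.
"""
import time
from collections import Counter

ROOT_SERVER = "root"

# Constructed zone data. Each server either answers a name directly or refers
# the client to the server responsible for a longer suffix of the name.
SERVERS = {
    "root": {"delegations": {"com.": "a.gtld"}, "answers": {}},
    "a.gtld": {"delegations": {"example.com.": "ns1.example.com"}, "answers": {}},
    "ns1.example.com": {
        "delegations": {},
        # name -> (address, TTL in seconds)
        "answers": {"www.example.com.": ("192.0.2.10", 300),
                    "mail.example.com.": ("192.0.2.25", 300)},
    },
}


def query(server, name):
    """One simulated round trip to `server` asking for `name`.

    Returns ("answer", ip, ttl), ("referral", next_server) or ("nxdomain",).
    """
    data = SERVERS[server]
    if name in data["answers"]:
        ip, ttl = data["answers"][name]
        return ("answer", ip, ttl)
    # Longest-suffix match on the delegations, from the full name up towards the root.
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix and suffix in data["delegations"]:
            return ("referral", data["delegations"][suffix])
    return ("nxdomain",)


class Resolver:
    """Iterates from the root, caching answers until their TTL expires."""

    MAX_REFERRALS = 16  # bound the chase so a delegation loop cannot spin forever

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}            # name -> (ip, expires_at)
        self.queries = Counter()   # server -> number of round trips sent to it

    def resolve(self, name):
        """Return (ip, rtts): the address and the round trips this lookup cost."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], 0
        server = ROOT_SERVER
        for rtts in range(1, self.MAX_REFERRALS + 1):
            self.queries[server] += 1
            reply = query(server, name)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[name] = (ip, now + ttl)
                return ip, rtts
            if reply[0] == "referral":
                server = reply[1]
                continue
            raise LookupError(f"{name}: no such name (reported by {server})")
        raise LookupError(f"{name}: gave up after {self.MAX_REFERRALS} referrals")


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."))   # root, TLD, authoritative: 3 round trips
    print(r.resolve("www.example.com."))   # served from cache: 0 round trips
    print(dict(r.queries))                  # root was asked exactly once
```

The first lookup costs three round trips (root, TLD, authoritative); the second is answered from the cache with none, and the root counter stays at one until the TTL runs out. That is the "drop in the ocean" point: a correctly caching resolver asks the root once per name per TTL, while the misconfigured clients mentioned above ask it on every lookup. This toy deliberately omits caching of the NS referrals themselves, which is why a second name under example.com. still starts at the root here; real resolvers cache those too.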
It's a good point, I never really thought about it. In my case I'm reluctant to use my ISP servers because my country tries to practise censorship via DNS, but I also didn't really feel like using something like Google. I will do some research and experimentation with upstream caches like Quad-9 and Cloudflare to see what it's like.
My journey of DNS, including self-hosting with Pi-hole and AdGuard Home, using paid services like NextDNS and AdGuard DNS, and public privacy-respecting resolvers.
I also want to self-host various servers like DNS, email (just to send email to myself)... LDAP, DHCP, etc. Where do I get started? I know the Linux command line.
Does anyone know of a good authoritative DNS server that supports Dynamic DNS updates? Preferably exclusively standardized stuff. I currently run CoreDNS on my network, but dynamic registration isn't supported and might never be.
I don't think calling the ISP was actually what they didn't feel like doing. It is more the call itself. Being put on queue with wait music, dealing with first line customer support who have no clue what you are asking, waiting to be connected to the right support, being connected to the wrong support, being put on hold again, suddenly being hung up on, rinse, repeat.
Which is a whole different type of mental challenge compared to figuring out the technical details of self hosting something ;)
> I don't think calling the ISP was actually what they didn't feel like doing. It is more the call itself. Being put on queue with wait music, dealing with first line customer support who have no clue what you are asking, waiting to be connected to the right support, being connected to the wrong support, being put on hold again, suddenly being hung up on, rinse, repeat.
Exactly this... we have enough issues with our internet I didn't want to add this into the mix - especially as if they decide to not really give me a static IP, then I have to change it everywhere :/
Point your NS to Cloudflare and write a PowerShell script to update your A records every 5 minutes, boom, quasi-static IP (from the PoV of the client anyway).
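One way to build that updater, as an added example that is not from the thread or from Cloudflare (and in Python rather than PowerShell): the only part worth getting right is the decision of what to publish, so that lives in a pure function that refuses anything that is not a routable public IPv4 address. The token variable name, the zone ID, the hostname and the IP-detection URL are assumptions; the Cloudflare v4 endpoints and JSON fields are as the author understands them, so check them against the current API documentation before relying on this.

```python
"""Dynamic-DNS updater for an A record hosted at Cloudflare: the "quasi-static IP"
approach from the comment above, in Python rather than PowerShell.

Added example, not code from the thread or from Cloudflare. It assumes an API token
scoped to DNS:Edit on one zone (read from the hypothetical CLOUDFLARE_API_TOKEN and
CLOUDFLARE_ZONE_ID variables) and that https://api.ipify.org returns the caller's
public IPv4 address as plain text. Endpoints and fields follow the Cloudflare v4 API
as the author understands it.
"""
import ipaddress
import json
import os
import sys
import urllib.parse
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
IP_DETECTOR = "https://api.ipify.org"

# Constructed sample, shaped like the `result` array the list endpoint returns.
# 8.8.8.8 and 1.1.1.1 are used below only as well-known public placeholders.
SAMPLE_RECORDS = [
    {"id": "rec-1", "type": "A", "name": "home.example.net", "content": "8.8.8.8"},
    {"id": "rec-2", "type": "AAAA", "name": "home.example.net", "content": "2001:db8::1"},
]


def plan_update(records, public_ip):
    """Return the (record_id, name) pairs whose A record content differs from public_ip.

    Refuses to publish anything that is not a routable public IPv4 address, so a
    detector that hands back a private/CGNAT address (or garbage) never ends up in
    the zone. Raises ValueError in that case.
    """
    ip = ipaddress.ip_address(public_ip)  # ValueError on garbage
    if ip.version != 4 or not ip.is_global:
        raise ValueError(f"refusing to publish non-public address {public_ip}")
    return [(r["id"], r["name"]) for r in records
            if r.get("type") == "A" and r.get("content") != str(ip)]


def cf_request(token, method, path, body=None):
    """Authenticated call to the Cloudflare API; raises if the API reports failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        CF_API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


def detect_public_ip():
    """Ask an external service what address our traffic arrives from (assumed plain-text reply)."""
    with urllib.request.urlopen(IP_DETECTOR, timeout=15) as resp:
        return resp.read().decode().strip()


def sync(token, zone_id, hostname):
    """One run: list the A records for hostname and PATCH the stale ones. Returns names updated."""
    query = urllib.parse.urlencode({"type": "A", "name": hostname})
    records = cf_request(token, "GET", f"/zones/{zone_id}/dns_records?{query}")
    ip = detect_public_ip()
    updated = []
    for record_id, name in plan_update(records, ip):
        cf_request(token, "PATCH", f"/zones/{zone_id}/dns_records/{record_id}", {"content": ip})
        updated.append(name)
    return updated


if __name__ == "__main__":
    # Usage: CLOUDFLARE_API_TOKEN=... CLOUDFLARE_ZONE_ID=... python ddns.py home.example.net
    changed = sync(os.environ["CLOUDFLARE_API_TOKEN"], os.environ["CLOUDFLARE_ZONE_ID"], sys.argv[1])
    print("updated:", changed or "nothing")
```

Run it from cron or Task Scheduler every five minutes rather than from a sleep loop, keep the token out of the script (environment or a secrets file), and scope that token to DNS:Edit on the one zone it needs, so a leaked token cannot touch anything else in the account. The no-op path matters: when the address has not changed nothing is written, so the script is safe to run far more often than the address actually changes.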
I recently switched from Pi-Hole to AdGuard Home, it was pretty straightforward to migrate my configuration and so far it's working great. I've actually got two servers running AGH + unbound (authoritative) so my internet keeps working if one setup breaks/reboots.
Really? Because what I got out of the article was a table that did a comparison, then the rest of it was focused towards AdGuard. But I found a thread on r/selfhosted that was more about comparing these two.
I apologise that it wasn't as clear as it could've been! What I was trying to get at is that for my requirements Pi-hole simply can't do it all without faff (DoH being the main one).
Assuming I am looking at the right comment, you didn't really expand/explain all that much.
If I am correct, your argument boils down to blocking happening outside the direct control of the user. This technically is true, as you don't have an icon in your browser like you would have with an extension.
At the same time, it being outside the control of the user is not really true if the user is also the person in control of the blocking solution. I don't know how it works with AdGuard, although I assume it is the same. Pi-hole offers extensive insights into what requests are being blocked, from which client and when.
This can even be adjusted on a per client level. Making that argument a more theoretical rather than a practical one.
Sure, but that is not the context here. So I am still unsure about the "evil" aspect of it all.
Even if someone else has to use it. Certainly, when it is someone in their household who can access the administration for their client devices/applications as well.
Other people affected might be those who make use of the authors wifi. Where the author can also opt for guest wifi using regular DNS. Or not even do it on router basis and really a per-client basis.
The only context in which it is potentially "evil" or malicious is when people unknowingly get things blocked or redirected to the wrong things. But that is pretty far removed from the context of this article.
DNS more or less was infrastructure for the last 30 years. Nobody cared.
The fact that for-profit shops wanted a piece of the intelligence within made it surface, and now the webheads are shitting on it like there is no tomorrow.