thedanbob 4 days ago

I set up authoritative nameservers at home using unbound, which appears to be considerably easier than configuring BIND, but I still can't say that I fully understand it. DNS (and networking in general) is a bit of a dark art.

gerdesj 4 days ago | parent | next [-]

You can't go too far wrong with unbound and it is seriously fast and light.

Real men cry into their text editors with BIND and PowerDNS but you do get the whole toy box with these beasties. I've whizzed up many BIND daemons. I once ran a pair of PDNS servers with a MySQL replicated back end.

I currently have an internet exposed and rather locked down PDNS for ACME DNS-01 (Let's Encrypt). The CA consortium are insisting on SSL certs going down to 40 odd day lifetimes within about three years. I look after quite a few SSL certs for my customers. Anyway.

For home labbers, you might consider a Pi Hole (doesn't have to run on a Pi - a VM will do) or, a bit more hard core: https://technitium.com/dns/ (web GUI - yay!) pfSense has Unbound built in and I think OPNSense does too - both are fine choices of router. OpenWRT probably has unbound in it.

When I say, you can't go too far wrong with unbound, I mean it. If it works then it is almost certainly configured correctly.

sgc 4 days ago | parent | next [-]

I am just using adguard home as my dns server (installed as a plugin in opnsense). Am I naively doing something wrong, or is that a relatively decent choice as well?

gerdesj 2 days ago | parent | next [-]

Great choice mate.

I really must get around to looking into opnsense again. I look after 50 odd pfSense boxes (about half on Netgate gear) across the UK but I am a believer in choice and I remember when opnsense sort of split from pfSense. It's great to see the project thriving.

When you deploy a well respected alternative to your ISP provided equipment and get it to work, you generally get it right. They (pfSense, opnsense, openwrt and all the rest) will not do an insecure config out of the box. You do have to try quite hard to get it wrong!

Adguard, pfBlocker, pi-hole and co. all largely do a similar job and that is keeping your devices away from the seamier parts of the internet and the seamier sides of the internet away from your network. They are not perfect but are really good at it.

Think steel bound three inch thick front door, with really good hinges and a lock that would give a professional a hard time, rather than PVC or wooden panel with a mortice lock. Do keep an eye on the windows though ... 8)

Keep it and everything else reasonably up to date and you are probably golden.

sgc 19 hours ago | parent [-]

That sounds like it would be a fun challenge - with the occasional extremely hairy day. Do you manage people's home networks, or small business, etc? I understand if that is not info for hn of course.

LilBytes 3 days ago | parent | prev | next [-]

Not doing anything wrong, different flavours for different folks. I tried Adguard Home but found myself liking PiHole a little more. They're both excellent, and both are open source. I'd suggest anyone that says AdGuard Home or PiHole is better is as objective as saying "strawberry is the most superior flavour of ice cream". :)

That said! I haven't used AdGuard Home in a very long time, might be time for me to revisit.

joshbetz 4 days ago | parent | prev [-]

I prefer AdGuard home as well

humanfromearth9 3 days ago | parent | prev [-]

"Real men..." Really? It's 2025, shouldn't we be past such misogynist expressions?

gerdesj 2 days ago | parent [-]

It's a silly old meme from the days before Mr Dawkins invented the word meme.

We were sadly not past expressions like that in say the 70s or 80s but by the 90s, that phrase was definitely considered ironic (in the modern sense). Back then irony was merely one metallic mouth feel, along with steely, coppery and brassic.

bigstrat2003 4 days ago | parent | prev | next [-]

DNS really is pretty easy. The problem is that Bind zone files are an absolutely godawful interface which makes it seem 10x harder than it actually is. I'm not too upset about it (because it's free software and I figure I can't complain too much), but compare to other DNS solutions and it's night and day how easy they are. For example, running a Windows DNS server (while not something you'd do at home) is dead simple because Microsoft has polished up the user experience. I'm sure some more polished alternatives exist for Linux too, I'm just not familiar enough with what's out there to point to one as an example.

daneel_w 4 days ago | parent | prev | next [-]

Try NSD. Unlike unbound, NSD is the actual authoritative name server in the project.

seiferteric 4 days ago | parent [-]

I'm setting up NSD for authoritative and Unbound for the recursive layer at my company and they are a breeze to work with.

DrPhish 4 days ago | parent [-]

I have this as well, but run a heavily locked down and isolated BIND server with NSD and Unbound for external authoritative and internal caching DNS respectively.

It's easy to feed an RBL to unbound to do pi-hole type work. I use pf to transparently redirect all external DNS requests to my local unbound server, but I get the BIND automation around things like DNSSEC, DHCP ddns and ACME cert renewals.

I'm surprised this isn't a more common stack.

icedchai 4 days ago | parent | prev | next [-]

I've been running BIND at home since the mid 90's when I had ISDN. The O'Reilly "DNS and BIND" book was my go-to guide when I got started.

gerdesj 4 days ago | parent [-]

It Still Does Nothing.

The sheer luxury of two B channels at 64kBps each and if you were cunning, the D channel at 16k (I wasn't cunning and didn't bother)! Yay, double phone charges if you raised the second channel. That was a BRI. A PRI was lots of channels (30) and an even more eye watering bill.

A customer dumped their BRI that was acting as a backup to SIP n that about six months ago. That's the last one I know of.

icedchai 4 days ago | parent [-]

A trick some ISPs used in the 90's was a "data over voice" call, which ran at 56K but was charged voice rates instead of data rates. That meant the call was generally free. The improved latency of ISDN made a huge difference compared to a 56K modem.

slow_typist 3 days ago | parent [-]

True, the nominal 8 k weren't much of a change but the cut down on latency made a big difference, especially while "surfing the web".

bullen 3 days ago | parent | prev | next [-]

I coded my own with dns4j. It's 10 rows of code for only providing my own domains.

The trouble starts when you want to provide ALL domains I guess. I wonder what database would be best for that; just MySQL with int to name table?

The trouble with DNS is that you need a fixed external IP that has port 53 open.

Not easy to get at home cheaply.

ai-christianson 4 days ago | parent | prev | next [-]

> DNS (and networking in general) is a bit of a dark art.

Dynamic routing is fun :)

kQq9oHeAz6wLLS 4 days ago | parent | prev | next [-]

Same, with ad blocking to boot.

webdevver 4 days ago | parent [-]

had to turn my dns adblocking off after it would break certain (admittedly shoddily-written) web apps

ThePowerOfFuet 4 days ago | parent [-]

Why not just whitelist certain hostnames?

gentooflux 3 days ago | parent [-]

It can be tricky with certain sites to track down the correct domains to whitelist without giving a whole swath of ad domains the keys to the kingdom. Getting weather.com working was a bit of a bear in this regard (I know the information they present is available elsewhere ad-free, but I find the way they package that information convenient and I'm nothing if not lazy).

TacticalCoder 4 days ago | parent | prev [-]

I run unbound at home too.

To me a huge benefit of unbound is that it allows you to return whatever you want for wildcards.

Including TLD wildcards.

Seychelles DNS has been hijacked as a whole and only serves malware? Null route the entire .sc.

.ru? Nah, that won't resolve at my place.

etc.

Then unbound is at ease, even on an old Raspberry Pi, with blocklists made of hundreds of thousands of lines.
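As an added example (not code from the thread), here is a small Python generator for the kind of unbound blocklist DrPhish ("feed an RBL to unbound") and TacticalCoder (TLD-level blocks, huge lists on a Pi) describe. It reads a hosts-style blocklist, adds operator-chosen TLDs, drops every entry already covered by a blocked parent zone (an unbound `local-zone ... always_nxdomain` answers NXDOMAIN for the whole subtree), and emits the config. The blocklist and the blocked TLD are constructed placeholders.

```python
"""Hosts-style blocklist + refused TLDs -> minimal unbound local-zone config.
A `local-zone: "<name>." always_nxdomain` covers every child of <name>, so
hosts under an already-blocked parent (or TLD) are redundant and are dropped."""

# Constructed sample data: not a real list, not a statement about any TLD.
SAMPLE_BLOCKLIST = """\
# hosts format: <address> <name> [<name>...]; bare domain lines are accepted too
0.0.0.0 ads.tracker.example
0.0.0.0 cdn.ads.tracker.example   # redundant: parent zone is blocked below
127.0.0.1 metrics.example.org
bad.example-tld                   # redundant: whole TLD is refused
"""
BLOCKED_TLDS = {"example-tld"}  # placeholder for TLDs the operator refuses
IGNORED = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_blocklist(text: str) -> set[str]:
    """Collect host names from hosts-format or one-domain-per-line text."""
    names: set[str] = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if not fields:
            continue
        # Two or more fields: the first is an address, the rest are names.
        for name in (fields[1:] if len(fields) > 1 else fields):
            name = name.strip(".").lower()
            if name and name not in IGNORED:
                names.add(name)
    return names


def covered(name: str, blocked: set[str]) -> bool:
    """True when a strict parent of `name` (up to its TLD) is already blocked."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


def build_zones(text: str, blocked_tlds: set[str]) -> list[str]:
    """Refused TLDs plus every name that is not under a blocked parent."""
    names = parse_blocklist(text)
    blocked = names | blocked_tlds
    zones = set(blocked_tlds) | {n for n in names if not covered(n, blocked)}
    return sorted(zones, key=lambda z: (z.count("."), z))  # shortest zones first


def render_unbound(zones: list[str], action: str = "always_nxdomain") -> str:
    """Emit a server: clause; pull it into unbound.conf with an include: line."""
    return "server:\n" + "".join(f'    local-zone: "{z}." {action}\n' for z in zones)


if __name__ == "__main__":
    print(render_unbound(build_zones(SAMPLE_BLOCKLIST, BLOCKED_TLDS)), end="")
```

Swap `always_nxdomain` for `always_refuse` if you prefer clients to see REFUSED rather than a non-existent name.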