Check on self-hosted authoritative nameservers

edited June 2020 in Help

Let's try out this LES :-) I am learning about self-hosting my own nameservers, using PowerDNS and PowerDNS-Admin. It seems to be working well so far, including DNSSEC. https://dnsviz.net is also happy.
My question was on reliability. This is what I have:

  • NS1 with provider A, location 1, master, not exposed as NS record, firewall to accept only AXFR to slaves
  • NS2 with provider A, location 2, slave
  • NS3 with provider A, location 3, slave
  • NS4 with provider B, location 4, slave, also where I host most of my services and websites, but on a separate IP
  • NS4 with ns2.he.net, location 5, slave

These are 4 publicly exposed nameservers in 4 different locations and 3 different providers.
I added the HE server so that I have something out of my potential destructive control. Adding the other 3 HE servers seems a bit too much. Or is it not?

Comments

  • I have implemented a similar setup and I'd say that you're pretty well covered with the 4 you have now.

    There is such a thing as too many authoritative nameservers, though. See https://tools.ietf.org/html/rfc2182#section-5 and https://serverfault.com/a/726414 : the risk is that the SOA reply would cross the 512 byte threshold for UDP responses and that resolvers would need to issue a 2nd query over TCP, which would be slower.

    Additionally, some registrars may not allow you to delegate a domain to more than 4 nameservers: I know from experience that sav.com doesn't allow it, and I might have seen others as well.

  • My setup for personal domains is similar, but I diversify the providers a bit more and am confident enough not to use an HE slave. After all, the most likely screw-up is in the master zone files, and that gets pushed to all slaves including HE anyway. Additionally, I'd list the slave IPs as allowed for AXFR within the master DNS so that I don't rely only on the firewall.

    I'm personally a bit wary of putting the NS on a public-facing web server, especially if it runs anything like WordPress. Maybe if you ran the web site in a container (like docker) then OK.

    I also use monitoring to check the serials on the slaves and alert me if they differ from the serial on the master.

    Reliability- and security-wise this is fine; the main issue is performance. Because it is not anycast, you cannot predict which NS will be used or whether they will all be tried at once, and therefore the closest NS may not be used, which increases lookup time. This is generally not hugely important, especially with a reasonable TTL, and I couldn't find "cheap enough" anycast services which I could justify to myself for DNS use. To put it in context, some commercial providers don't offer anycast either.

    Overall though your setup seems good, and I say good on you for learning to do it yourself.

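One way to implement the serial monitoring tetech describes (check every slave's SOA serial against the master and alert when they differ), as an added example that is not from the thread or from PowerDNS. It uses only the Python standard library, building the SOA query and parsing the wire-format answer itself; the zone name and the 192.0.2.x addresses are constructed placeholders.

```python
import socket, struct

def build_soa_query(zone, qid=0x1234):
    """Build a minimal DNS query (RD=1, one question) for the zone's SOA record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA(6), QCLASS=IN(1)

def _skip_name(msg, pos):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[pos]
        if length >= 0xC0:  # 2-byte compression pointer terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_soa_serial(msg):
    """Return the SOA serial from a DNS response, or None if no SOA answer is present."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):  # question section: name + QTYPE + QCLASS
        pos = _skip_name(msg, pos) + 4
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 6:  # SOA RDATA: MNAME, RNAME, then the 32-bit SERIAL
            serial_at = _skip_name(msg, _skip_name(msg, pos))
            return struct.unpack("!I", msg[serial_at:serial_at + 4])[0]
        pos += rdlen
    return None

def query_serial(server_ip, zone, timeout=3.0):
    """Ask one nameserver over UDP/53 for the zone's SOA serial (raises socket.timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone), (server_ip, 53))
        return parse_soa_serial(sock.recv(4096))

def find_stale(serials):
    """serials = {"master": n, "ns2": n, ...}; return the slaves whose serial differs."""
    master = serials["master"]
    return sorted(name for name, serial in serials.items() if serial != master)

if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737); replace with your master and slaves.
    servers = {"master": "192.0.2.1", "ns2": "192.0.2.2", "ns3": "192.0.2.3"}
    serials = {name: query_serial(ip, "example.com.") for name, ip in servers.items()}
    print("serials:", serials, "out of sync:", find_stale(serials))
```

Run it from cron and alert on a non-empty `find_stale` result; querying the master directly works here because it only needs to answer the monitoring host, not the public.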
  • @quicksilver03 said:
    > There is such a thing as too many authoritative nameservers, though. See https://tools.ietf.org/html/rfc2182#section-5 and https://serverfault.com/a/726414 : the risk is that the SOA reply would cross the 512 byte threshold for UDP responses and that resolvers would need to issue a 2nd query over TCP, which would be slower.

    Thanks, that is good to know and interesting.

    @tetech said:
    > Additionally I'd list the slave IPs as allowed for AXFR within the master DNS so that I don't only rely on the firewall.
    >
    > I'm personally a bit wary of putting the NS on a public-facing web server, especially if it runs anything like WordPress. Maybe if you ran the web site in a container (like docker) then OK.

    Positive to both AXFR and Docker! Just curious, why WordPress specifically? Too easy to exploit?

    > I also use monitoring to check the serials on the slaves and alert me if they differ from the serial on the master.

    Good tip, will see how to implement this. Thanks!

    > Reliability and security wise this is fine, the main issue is performance. Because it is not anycast, you cannot predict which NS will be used or whether they will all be tried at once, and therefore the closest NS may not be used which increases lookup time. This is generally not hugely important, especially with reasonable TTL, and I couldn't find "cheap enough" anycast services which I could justify to myself for DNS use. To put it in context, some commercial providers don't offer anycast either.

    Yeah, right now I have a TTL of 300 as I was trying things out, but I will definitely raise it, excluding a DynDNS entry.

    > Overall though your setup seems good, and I say good on you for learning to do it yourself.

    To think that services like EntryDNS do this for $10/year and take care of everything themselves, I am wasting time and money. But a cool learning experience, and I have yet one more thing that I control.

    Thanks both for your answers!

  • @sgheghele said:
    > Positive to both AXFR and Docker! Just curious, why Wordpress specifically? Too easy to exploit?

    Without opening up a can of worms, WordPress is more of a security risk than a plain static site. Given the damage that a hacked NS could do, I'm inclined to leave it away from such sites unless I put them in a chroot jail or container or whatever. My current approach is to physically separate public-facing sites from backends and additionally use cgroups on everything to separate privileges. That's at least my view, not to say it is "right".

    @sgheghele said:
    > To think that services like EntryDNS do this for $10/year and take care of everything themselves, I am wasting time and money. But a cool learning experience, and I have yet one more thing that I control.

    Good attitude!

  • @tetech said:
    > Without opening up a can of worms, WordPress is more of a security risk than a plain static site. Given the damage that a hacked NS could do, I'm inclined to leave it away from such sites unless I put them in a chroot jail or container or whatever. My current approach is to physically separate public-facing sites from backends and additionally use cgroups on everything to separate privileges. That's at least my view, not to say it is "right".

    SELinux would help in this scenario. The webserver wouldn't have access to the NS files.
