
I want to configure public DNS server. Google DNS-like, how do I do it?

parca_ne Member

There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server, Google DNS-like. How do I do it? If possible, with DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

Comments

  • raindog308 Administrator, Veteran

    @parca_ne said:
    There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server, Google DNS-like. How do I do it? If possible, with DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

    Not sure a less reliable clone of Google’s public DNS is really a useful service...but here’s a quick howto.

    Read the BIND manual.

  • FHR Member, Host Rep

    Install PowerDNS Recursor, read the manual, setup rate limiting/anti-spoofing.

  • akb Member
    edited May 2018

    @parca_ne said: There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server, Google DNS-like. How do I do it? If possible, with DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

    A DNS recursor open to the world == invitation for DDoS

    Do you have the resources like Google, Cloudflare etc to sail through those attacks? Do yourself the favor and forget about it. If you still can't control the urge:

    1. Install Debian
    2. apt-get install pdns-recursor
    3. Put the following in /etc/powerdns/recursor.conf

      # Accept recursive queries from any source address (this is what makes the
      # recursor "open"). allow-from takes netmasks; a bare 0.0.0.0 would match
      # only that single address, so the /0 mask is needed to mean "everyone".
      allow-from=0.0.0.0/0
      # Listen on all local IPv4 addresses
      local-address=0.0.0.0
      # Don't log every query
      quiet=yes
      # Fork into the background
      daemon=yes
      # Drop root privileges after binding port 53
      setgid=pdns
      setuid=pdns
      # Disable the periodic security-status poll
      security-poll-suffix=

    4. service pdns-recursor restart

    And you are done. You have been warned though :)

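    For contrast with the open config above, here is the restricted counterpart that several replies in this thread argue for (trusted client networks only, DNSSEC validation as the original poster asked). It is an added example, not akb's or PowerDNS's own file; the 203.0.113.0/24, 198.51.100.7 and 192.0.2.10 addresses are RFC 5737 documentation placeholders, and the settings are those of pdns-recursor 4.x.

```ini
# Added example: a restricted /etc/powerdns/recursor.conf (pdns-recursor 4.x).
# Placeholder addresses (RFC 5737): replace with the networks you actually serve.

# Only answer recursive queries from these client networks. The open config
# above allows every source address, which is what turns the server into a
# reflector for UDP amplification; anything outside these ranges gets refused.
allow-from=127.0.0.0/8, 203.0.113.0/24, 198.51.100.7

# Bind to the VPS's public address only (placeholder), not every interface.
local-address=192.0.2.10

# Full DNSSEC validation: answers that fail validation are returned as SERVFAIL.
dnssec=validate

# Upper bound on outgoing queries the recursor will spend on one client
# question; limits the work a single inbound packet can trigger.
max-qperq=50

# Run unprivileged once port 53 is bound, and don't log every query.
setuid=pdns
setgid=pdns
quiet=yes

# security-poll-suffix is deliberately left at its default here, so the
# recursor still reports whether the running version has known problems.
```

    A matching host firewall rule that drops port 53 from everything except the same ranges (as sidewinder suggests further down) belongs alongside this, since allow-from only governs what the daemon answers, not what reaches it.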
  • ralph Member

    It would be good if you add DNSCrypt to your DNS server.

  • FHR Member, Host Rep

    There are already many public DNS services. 1.1.1.1 (CloudFlare), 8.8.4.4, 8.8.8.8 (Google), 9.9.9.9 (Quad9) etc. Why do you feel it's necessary to create one yourself?

  • raindog308 Administrator, Veteran

    An alternate, more useful project would be to set yourself up a redundant ad-blocking dns, like running pi-hole on a vps. You still need to limit access.

  • sidewinder Member
    edited May 2018

    Set up dnsmasq with some blocklists and use ufw to block all ips but yours. Lots of tutorials around for accomplishing this.

    Pihole won't work on openvz with micro resources from my experience

  • @sidewinder said:
    Set up dnsmasq with some blocklists and use ufw to block all ips but yours. Lots of tutorials around for accomplishing this.

    Pihole won't work on openvz with micro resources from my experience

    As long as the server meets the minimum hardware requirements, then it should be fine.

  • A useful public DNS server is totally doable. Yes, you will be inviting DDoS, but that can be mitigated to a great extent. I do admit that it's a bit of an uphill climb at times but lots of us do this and have for years. So, don't believe the naysayers. They either don't know what they're talking about, or they have different criteria for what's acceptable. The latter is of course fair enough, but this is not a black and white issue.

  • akb Member

    @Ole_Juul said: A useful public DNS server is totally doable. Yes, you will be inviting DDoS, but that can be mitigated to a great extent. I do admit that it's a bit of an uphill climb at times but lots of us do this and have for years. So, don't believe the naysayers. They either don't know what they're talking about, or they have different criteria for what's acceptable. The latter is of course fair enough, but this is not a black and white issue.

    From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on the web as much as possible, then be assured that attacks are gonna come (later if not sooner).

    I had developed a DNS-based filtration module for an antivirus firm and all was fine till the time it was under development and testing (still open to the world). DDoS kicked in as soon as they started offering it as a service. You might be able to mitigate it to some extent by putting in limits/rules etc., but DNS essentially is all UDP and that is where you will feel helpless. The amplification attacks (most common type) rely on UDP spoofing, which can only be controlled at the edge routers. If mitigation at the daemon and iptables level fails, then you will be needing some DDoS protection in front of your DNS which is able to filter out the spoofed packets. It may affect the DNS server's latency depending on what kind of protection it is.

  • jackb Member, Host Rep
    edited May 2018

    @akb said:
    From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on web as much as possible then be assured that attacks gonna come (later if not sooner).

    From what I have experienced, people vigorously scan for open resolvers. It doesn't need to be advertised, and if rate limits aren't in place it will end up burning a lot of bandwidth in attacks.

    tl;dr don't it's not worth it.

  • jackb said: From what I have experienced, people vigorously scan for open resolvers. It doesn't need to be advertised, and if rate limits aren't in place it will end up burning a lot of bandwidth in attacks.

    Yep. That's how it works. Just being there will attract attacks.

    tl;dr don't it's not worth it.

    Many people disagree. There are lots of good reasons to do this despite the problems you mention. In many cases it is totally worth it.

  • NanoG6 Member

    The easiest one is just install pi-hole

  • Clouvider Member, Patron Provider

    Another amplification DDoS origin inbound...

  • Block 53 from all and allow ips you trust is the only way to do it

    @jackb said:

    @akb said:
    From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on web as much as possible then be assured that attacks gonna come (later if not sooner).

    From what I have experienced, people vigorously scan for open resolvers. It doesn't need to be advertised, and if rate limits aren't in place it will end up burning a lot of bandwidth in attacks.

    tl;dr don't it's not worth it.

  • sidewinder said: Block 53 from all and allow ips you trust is the only way to do it

    That's a very effective way. We use whitelisting on some of our OpenNIC servers.

  • erkin Member

    @sidewinder said:
    Block 53 from all and allow ips you trust is the only way to do it

    That makes it a not-so-public dns service.

  • Nomad Member

    Block all countries and allow China and Russia.
    In best case, you will get some experience.

  • painfreepc Member
    edited May 2018

    I did this a few years ago; some here on LET may remember me.
    My public DNS server had ad blocking. I may do it again for friends and family only....

  • @parca_ne said:
    There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server, Google DNS-like. How do I do it? If possible, with DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

    Did you ever get this going? I am playing around with pi-hole.

  • Try AdGuardHome. That has been the easiest for me, and you can block other IPs and use DNS over HTTPS and TLS.

  • jsg Member, Resident Benchmarker

    Uhm, no, I don't think such a server would be flooded by DDoS attacks. Reason: the problem with those servers was the fact that they responded to all requests, which could then be abused for amplification. So be sure to know well what you are doing, as well as the server software you use.

    That said, I agree with @raindog308 and others that there is hardly a need for yet another public DNS server unless you are an ISP or similar.

    You could use your idling VPSs to create a DNS service for your own and some friends' domains, though.
