Comments
Not sure a less reliable clone of Google’s public DNS is really a useful service...but here’s a quick howto.
Read the BIND manual.
Install PowerDNS Recursor, read the manual, set up rate limiting/anti-spoofing.
A DNS recursor open to the world == invitation for DDOS
Do you have the resources like Google, Cloudflare etc to sail through those attacks? Do yourself the favor and forget about it. If you still can't control the urge:
Put the following in /etc/powerdns/recursor.conf
service pdns-recursor restart
And you are done. You have been warned, though.
It would be good if you add DNSCrypt to your DNS server.
There are already many public DNS services. 1.1.1.1 (CloudFlare), 8.8.4.4, 8.8.8.8 (Google), 9.9.9.9 (Quad9) etc. Why do you feel it's necessary to create one yourself?
An alternate, more useful project would be to set yourself up a redundant ad-blocking DNS, like running pi-hole on a VPS. You still need to limit access.
Set up dnsmasq with some blocklists and use ufw to block all IPs but yours. Lots of tutorials around for accomplishing this.
Pihole won't work on openvz with micro resources from my experience
As long as the server meets the minimum hardware requirements, then it should be fine.
A useful public DNS server is totally doable. Yes, you will be inviting DDoS, but that can be mitigated to a great extent. I do admit that it's a bit of an uphill climb at times but lots of us do this and have for years. So, don't believe the naysayers. They either don't know what they're talking about, or they have different criteria for what's acceptable. The latter is of course fair enough, but this is not a black and white issue.
From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on web as much as possible then be assured that attacks gonna come (later if not sooner).
I had developed a DNS based filtration module for an antivirus firm and all was fine till the time it was under development and testing (still open to the world). DDOS kicked in as soon as they started offering it as a service. You might be able to mitigate it to some extent by putting in limits/rules etc but DNS essentially is all UDP and that is where you will feel helpless. The amplification attacks (most common type) rely on UDP spoofing which can only be controlled at the edge routers. If mitigation at the daemon and iptables level fails then you will be needing some DDOS protection in front of your DNS which is able to filter out the spoofed packets. It may affect the DNS server's latency depending on what kind of protection it is.
From what I have experienced, people vigorously scan for open resolvers. It doesn't need to be advertised, and if rate limits aren't in place it will end up burning a lot of bandwidth in attacks.
tl;dr: don't, it's not worth it.
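The "limits/rules" mitigation mentioned above, as an added example that is not part of this thread: a per-source sliding-window check over a recursor's query log that flags sources exceeding a plain query rate or a rate of amplification-friendly query types. The BIND-style log line format, the thresholds and the sample log are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND-style query-log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#\d+ \(\S+\): query: \S+ IN (?P<qtype>\S+)"
)
# Query types whose answers are large relative to the request, hence favoured for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

def parse_line(line):
    """Return (timestamp, source_ip, qtype) for a query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], m["qtype"]

def flag_abusive_sources(lines, window_s=1.0, max_qps=20, max_amp_qps=5):
    """Per-source sliding window; flags sources over the overall rate or the amplifying-qtype
    rate. In a reflection attack the 'source' is the spoofed victim, so the right reaction is to
    rate-limit answers to it (response rate limiting), not to treat it as the attacker."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, is_amplifying)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, qtype = parsed
        q = recent[src]
        q.append((ts, qtype in AMPLIFYING_QTYPES))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop entries outside the window
            q.popleft()
        amp = sum(1 for _, is_amp in q if is_amp)
        if len(q) > max_qps:
            flagged[src] = "query rate"
        elif amp > max_amp_qps:
            flagged.setdefault(src, "amplification qtypes")
    return flagged

def build_sample_log():
    """Constructed sample: one normal client, and one source hit with 30 ANY queries in under 0.5 s."""
    t0 = datetime(2020, 3, 9, 12, 0, 0)
    stamp = lambda t: t.strftime(TS_FMT)[:-3]   # millisecond precision, as BIND logs it
    lines = [f"{stamp(t0 + timedelta(seconds=i))} client 192.0.2.10#4321 (example.com): "
             f"query: example.com IN A + (203.0.113.5)" for i in range(3)]
    lines += [f"{stamp(t0 + timedelta(milliseconds=15 * i))} client 198.51.100.7#53 (isc.org): "
              f"query: isc.org IN ANY +E (203.0.113.5)" for i in range(30)]
    return lines
```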
Yep. That's how it works. Just being there will attract attacks.
Many people disagree. There are lots of good reasons to do this despite the problems you mention. In many cases it is totally worth it.
The easiest one is just install pi-hole
Another amplification DDoS origin inbound...
Block 53 from all and allow IPs you trust is the only way to do it
That's a very effective way. We use whitelisting on some of our OpenNIC servers.
That makes it a not-so-public dns service.
Block all countries and allow China and Russia.
In best case, you will get some experience.
I did this a few years ago; some here on LET may remember me.
My public DNS server had ad blocking. I may do it again for friends and family only....
Did you ever get this going? I am playing around with pi-hole.
Try AdGuardHome. That has been the easiest for me, and you can block other IPs and use DNS over HTTPS and TLS.
Uhm, no, I don't think such a server would be flooded by DDOS attacks. Reason: the problem with those servers was the fact that they responded to all requests, which could then be abused for amplification. So be sure to know well what you are doing as well as the server software you use.
That said, I agree with @raindog308 and others that there is hardly a need for yet another public DNS server unless you are an ISP or similar.
You could use your idling VPSs to create a DNS service though for your own and some friends' domains.