I want to configure a public DNS server. Google DNS-like, how do I do it?

parca_ne Member

There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server. Google DNS-like, how do I do it? If possible, get DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

Comments

  • raindog308 Moderator

    @parca_ne said: There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server. Google DNS-like, how do I do it? If possible, get DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

    Not sure a less reliable clone of Google’s public DNS is really a useful service...but here’s a quick howto.

    Read the BIND manual.


  • FHR Member, Provider

    Install PowerDNS Recursor, read the manual, set up rate limiting/anti-spoofing.

  • akb Member
    edited May 13

    @parca_ne said: There are 6 virtual servers that are idle. I want to evaluate them. I want to configure a public DNS server. Google DNS-like, how do I do it? If possible, get DNSSEC support. You can help me because I want to provide a useful service for internet users. :)

    A DNS recursor open to world == invitation for DDOS

    Do you have the resources like Google, Cloudflare etc to sail through those attacks? Do yourself the favor and forget about it. If you still can't control the urge:

    1. Install Debian
    2. apt-get install pdns-recursor
    3. Put the following in /etc/powerdns/recursor.conf

      # 0.0.0.0/0 answers anyone, i.e. an open resolver; a bare 0.0.0.0 is read as 0.0.0.0/32 and matches nobody
      allow-from=0.0.0.0/0
      local-address=0.0.0.0
      quiet=yes
      daemon=yes
      setgid=pdns
      setuid=pdns
      # empty value disables the periodic security-status poll
      security-poll-suffix=
      
    4. service pdns-recursor restart

    And you are done. You have been warned though :)

  • ralph Member, Provider

    It would be good if you add DNSCrypt to your DNS server.


  • FHR Member, Provider

    There are already many public DNS services. 1.1.1.1 (CloudFlare), 8.8.4.4, 8.8.8.8 (Google), 9.9.9.9 (Quad9) etc. Why do you feel it's necessary to create one yourself?

  • raindog308 Moderator

    An alternate, more useful project would be to set yourself up a redundant ad-blocking dns, like running pi-hole on a vps. You still need to limit access.


  • sidewinder Member
    edited May 13

    Set up dnsmasq with some blocklists and use ufw to block all ips but yours. Lots of tutorials around for accomplishing this.

    Pihole won't work on openvz with micro resources from my experience
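    As an added example (not code from any poster in this thread): the recursor.conf akb posted above, but restricted to trusted networks and validating DNSSEC as the OP asked, together with the ufw whitelist sidewinder describes (port 53 closed to everyone except the addresses you trust). The trusted ranges are constructed samples, and the functions only print what would be applied; nothing here changes the system.

```shell
#!/bin/sh
# Added example, not from the thread: a pdns-recursor config limited to
# trusted networks (instead of the open allow-from posted above) plus the
# matching ufw whitelist. Nothing here touches the system; both functions
# only print what would be applied. The ranges below are constructed samples.

TRUSTED="203.0.113.0/24 2001:db8::/32"

# Print a recursor.conf that answers only the given space-separated CIDRs
# and validates DNSSEC.
gen_recursor_conf() {
  nets=$(printf '%s' "$1" | tr ' ' ',')
  cat <<EOF
# answer recursive queries only from these networks
allow-from=$nets
local-address=0.0.0.0, ::
dnssec=validate
quiet=yes
daemon=yes
setgid=pdns
setuid=pdns
EOF
}

# Print ufw commands: allow port 53 from the trusted ranges, deny it for
# everyone else. Allows come first because ufw evaluates rules in the
# order they were added.
gen_ufw_rules() {
  for n in $1; do
    echo "ufw allow from $n to any port 53 proto udp"
    echo "ufw allow from $n to any port 53 proto tcp"
  done
  echo "ufw deny 53"
}

# Usage (review the output, then apply by hand):
#   gen_recursor_conf "$TRUSTED" > /etc/powerdns/recursor.conf
#   gen_ufw_rules "$TRUSTED" | sh && service pdns-recursor restart
gen_recursor_conf "$TRUSTED"
gen_ufw_rules "$TRUSTED"
```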

  • @sidewinder said: Set up dnsmasq with some blocklists and use ufw to block all ips but yours. Lots of tutorials around for accomplishing this.

    Pihole won't work on openvz with micro resources from my experience

    As long as the server meets the minimum hardware requirements, then it should be fine.

  • Ole_Juul Member

    A useful public DNS server is totally doable. Yes, you will be inviting DDoS, but that can be mitigated to a great extent. I do admit that it's a bit of an uphill climb at times but lots of us do this and have for years. So, don't believe the naysayers. They either don't know what they're talking about, or they have different criteria for what's acceptable. The latter is of course fair enough, but this is not a black and white issue.

  • akb Member

    @Ole_Juul said: A useful public DNS server is totally doable. Yes, you will be inviting DDoS, but that can be mitigated to a great extent. I do admit that it's a bit of an uphill climb at times but lots of us do this and have for years. So, don't believe the naysayers. They either don't know what they're talking about, or they have different criteria for what's acceptable. The latter is of course fair enough, but this is not a black and white issue.

    From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on the web as much as possible, then be assured that attacks are gonna come (later if not sooner).

    I had developed a DNS based filtration module for an antivirus firm and all was fine till the time it was under development and testing (still open to the world). DDOS kicked in as soon as they started offering it as a service. You might be able to mitigate it to some extent by putting in limits/rules etc but DNS essentially is all UDP and that is where you will feel helpless. The amplification attacks (most common type) rely on UDP spoofing which can only be controlled at the edge routers. If mitigation at the daemon and iptables level fails then you will be needing some DDOS protection in front of your DNS which is able to filter out the spoofed packets. It may affect the DNS server's latency depending on what kind of protection it is.

  • jackb Member, Provider
    edited May 14

    @akb said: From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on the web as much as possible, then be assured that attacks are gonna come (later if not sooner).

    From what I have experienced people vigorously scan for open resolvers. It doesn't need to be advertised and if rate limits aren't in place will end up burning a lot of bandwidth in attacks.

    tl;dr: don't, it's not worth it.

  • Ole_Juul Member

    jackb said: From what I have experienced people vigorously scan for open resolvers. It doesn't need to be advertised and if rate limits aren't in place will end up burning a lot of bandwidth in attacks.

    Yep. That's how it works. Just being there will attract attacks.

    jackb said: tl;dr: don't, it's not worth it.

    Many people disagree. There are lots of good reasons to do this despite the problems you mention. In many cases it is totally worth it.

  • NanoG6 Member

    The easiest one is just install pi-hole

  • Clouvider Member, Provider

    Another amplification DDoS origin inbound...


  • sidewinder Member

    @jackb said:

    @akb said: From what I have experienced, if you are doing this for yourself or a small group and the IPs of your open recursors aren't publicized much on the web, then you might not face any issues. But if you intend to launch it as a service with the intention of advertising the IPs on the web as much as possible, then be assured that attacks are gonna come (later if not sooner).

    From what I have experienced people vigorously scan for open resolvers. It doesn't need to be advertised and if rate limits aren't in place will end up burning a lot of bandwidth in attacks.

    tl;dr: don't, it's not worth it.

    Block 53 from all and allow ips you trust is the only way to do it

  • Ole_Juul Member

    sidewinder said: Block 53 from all and allow ips you trust is the only way to do it

    That's a very effective way. We use whitelisting on some of our OpenNIC servers.

  • erkin Member

    @sidewinder said: Block 53 from all and allow ips you trust is the only way to do it

    That makes it a not-so-public dns service.

  • AuroraZ Member

    Dont'TalkAboutLetClub @WSS stole my IP Address.


  • Nomad Member

    Block all countries and allow China and Russia. In best case, you will get some experience.


  • painfreepc Member
    edited May 17

    I did this a few years ago, some here on LET may remember me. My public DNS server had ad blocking, I may do it again for friends and family only....
