DIY DNS
2021 to Present • https://github.com/jb3/dnsMy DIY DNS project replaced the nameservers for jb3.dev with self-hosted BIND nameservers deployed using Ansible. It implements advanced DNS features like DNSSEC, including (fairly secure!) automatic key generation.
I’ll eventually be writing a full blog post on how I set up this project, from having Ansible install BIND to generating DNSSEC keys and signing the zone.
core.host.jb3.dev
and rt1.host.jb3.dev
are the two authorative nameservers for jb3.dev
, you can try them for yourself using dig
.
I run these servers in a primary/secondary setup which allows for RFC2136 dynamic updates. This allows tools like certbot to create DNS records that are replicated to both DNS servers, which allows for the issuance of wildcard certificates with my custom DNS setup.
As an example, a DNS query for this domain, jb3.dev, will start at the DNS roots, progress to the dev.
TLD nameservers and end up at one of the nameservers that serves the jb3.dev.
zone. A nicer visualisation of the below dig command can be found here.
Note: DNSSEC has been omitted here for brevity, but you can see a visualisation of the DNSSEC zones here.