DIY DNS

2021 to Present • https://github.com/jb3/dns

My DIY DNS project replaced the nameservers for jb3.dev with self-hosted BIND nameservers deployed using Ansible. It implements advanced DNS features like DNSSEC, including (fairly secure!) automatic key generation.

I’ll eventually be writing a full blog post on how I set up this project, from having Ansible install BIND to generating DNSSEC keys and signing the zone.

core.host.jb3.dev and rt1.host.jb3.dev are the two authorative nameservers for jb3.dev, you can try them for yourself using dig.

I run these servers in a primary/secondary setup which allows for RFC2136 dynamic updates. This allows tools like certbot to create DNS records that are replicated to both DNS servers, which allows for the issuance of wildcard certificates with my custom DNS setup.

As an example, a DNS query for this domain, jb3.dev, will start at the DNS roots, progress to the dev. TLD nameservers and end up at one of the nameservers that serves the jb3.dev. zone. A nicer visualisation of the below dig command can be found here.

jb3.zone
$ dig +trace +nodnssec jb3.dev
; <<>> DiG 9.18.27 <<>> +trace +nodnssec jb3.dev
;; global options: +cmd
. 87203 IN NS m.root-servers.net.
. 87203 IN NS e.root-servers.net.
. 87203 IN NS a.root-servers.net.
. 87203 IN NS j.root-servers.net.
. 87203 IN NS c.root-servers.net.
. 87203 IN NS i.root-servers.net.
. 87203 IN NS k.root-servers.net.
. 87203 IN NS d.root-servers.net.
. 87203 IN NS l.root-servers.net.
. 87203 IN NS f.root-servers.net.
. 87203 IN NS g.root-servers.net.
. 87203 IN NS h.root-servers.net.
. 87203 IN NS b.root-servers.net.
;; Received 239 bytes from 8.8.8.8#53(8.8.8.8) in 26 ms
dev. 172800 IN NS ns-tld1.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld2.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld3.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld4.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld5.charlestonroadregistry.com.
;; Received 392 bytes from 2001:503:c27::2:30#53(j.root-servers.net) in 23 ms
jb3.dev. 10800 IN NS rt1.host.jb3.dev.
jb3.dev. 10800 IN NS core.host.jb3.dev.
;; Received 143 bytes from 216.239.34.105#53(ns-tld2.charlestonroadregistry.com) in 30 ms
jb3.dev. 3600 IN A 202.61.228.148
jb3.dev. 3600 IN NS rt1.host.jb3.dev.
jb3.dev. 3600 IN NS core.host.jb3.dev.
;; Received 161 bytes from 66.245.193.219#53(rt1.host.jb3.dev) in 16 ms

Note: DNSSEC has been omitted here for brevity, but you can see a visualisation of the DNSSEC zones here.