Advantages of having own DNS
If I want to query a DNS then I can use some public ones like Google, CloudFlare etc. But they apply rate limits if you cross a certain threshold. From what I have seen, the threshold is very high, but still, what if I want to use my own DNS? My questions are:
- Does it require a lot of RAM or CPU, i.e. the more queries, the more resources required? Are there any numbers available regarding this?
- Where will my DNS get its data from? Will my DNS request data from another DNS or will it store all data locally? I mean, if it gets it from another DNS then it doesn't really serve my purpose, because you are just forwarding the request to another DNS, right!?
Comments
TL;DR: My DNS amplification DDoS attack didn't work.
I wonder what that threshold is.
No, RAM and CPU don't actually do anything. They're just the facade. Computing power is actually provided by space aliens.
This is kinda how DNS works, yes.
Use Cloudflare Onion Hidden Service DNS resolver. They can't rate limit you if everybody has the same IP address.
Most public sites are good in terms of DNS query thresholds.
You can use your own DNS, though since it is a custom DNS, devices have to connect to your DNS to get the benefit of those customizations. Those devices (both end-user devices and network devices) have to be configured to use your DNS, which may be restrictive in some use cases, especially in distributed corporate implementations.
Resource usage can be optimized using standard practices for managing a high-traffic production site.
You can configure an upstream DNS provider for resolution of resource locations and add a custom DNS list to your DNS server. Further, cache upstream DNS query results locally as requests are processed.
Who did you attack now?
Due to limits from your VPS server and the upstream ISP for the server.
Servers and networks do have a limit on the number of requests that can be sent using the available ports on the server and the available active consistent streams from a single IP in the network configuration.
A project of mine involves consuming a stream of domain names and making hundreds of DNS resolutions per second. I can very well reach that limit, after which Cloudflare's and Google's public resolvers would return SERVFAIL responses, and this is on a consumer-grade ISP.
Since my use case isn't amplification but I still need that throughput, I just distribute the DNS resolution task over multiple public DNS resolvers and impose a maximum limit at which queries are sent to any given resolver.
But to answer OP:
Yes, though you'd need to run your own resolver and perform your own load testing.
If you're running an authoritative nameserver, you would be responsible for configuring it with the correct DNS records. On the other hand, if you're running an open resolver, it should implement iterative resolution to get the correct DNS records.
So if I understood correctly, let's say I query lowendtalk.com: it will first query my DNS and, if the record is available, fetch the record from there? And if the record is not available, then it will connect to the upstream DNS and fetch the record from there? And from then on, will that record be locally available on my DNS, or do I have to make that happen?
It will be locally available for the TTL number of seconds. This is what a DNS server should do by default.
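As an added illustration (not code from anyone in this thread), the caching behaviour described above: a resolver that keeps an answer for its TTL and only goes upstream when the entry has expired. The upstream lookup and the clock are injected, so the zone data and addresses below are constructed and the example runs offline.

```python
import time
from typing import Callable, Dict, List, Tuple

# Type of an upstream lookup: (name, rtype) -> (records, ttl_seconds).
Upstream = Callable[[str, str], Tuple[List[str], int]]


class CachingResolver:
    """Answers from the local cache while the record's TTL has not elapsed;
    otherwise asks upstream once and stores the answer with its expiry."""

    def __init__(self, upstream: Upstream, clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream
        self.clock = clock          # injectable so TTL expiry can be exercised offline
        self.cache: Dict[Tuple[str, str], Tuple[List[str], float]] = {}
        self.upstream_queries = 0   # how often we actually had to go upstream

    def resolve(self, name: str, rtype: str = "A") -> List[str]:
        # DNS names are case-insensitive; normalise to a lower-case FQDN for the key
        key = (name.lower().rstrip(".") + ".", rtype.upper())
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]                       # fresh: answered without upstream traffic
        records, ttl = self.upstream(*key)
        self.upstream_queries += 1
        self.cache[key] = (records, now + ttl)  # remember the absolute expiry time
        return records


# Constructed stand-in for a public resolver so the example runs offline.
FAKE_UPSTREAM_DATA = {
    ("lowendtalk.com.", "A"): (["203.0.113.10"], 300),  # TTL 300 s, documentation address
    ("example.net.", "A"): (["198.51.100.7"], 60),
}

def fake_upstream(name: str, rtype: str) -> Tuple[List[str], int]:
    return FAKE_UPSTREAM_DATA[(name, rtype)]

def demo_cache_behaviour() -> Tuple[int, int]:
    """Returns upstream query counts (after 3 lookups inside the TTL, after expiry)."""
    fake_now = [1000.0]
    r = CachingResolver(fake_upstream, clock=lambda: fake_now[0])
    for _ in range(3):
        r.resolve("LowEndTalk.com")         # three lookups, one upstream query
    inside = r.upstream_queries
    fake_now[0] += 301                      # move past the 300 s TTL
    r.resolve("lowendtalk.com")             # expired: goes upstream again
    return inside, r.upstream_queries       # (1, 2)
```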
You would query whichever server(s) you have set up as your DNS servers. This might be your localhost, your router, your ISP, whatever has a DNS server running on it.
If the server you query happens to be authoritative for the domain (i.e. it is a primary or secondary server), it will give you the records you asked for.
There are 2 basic types of DNS servers, forwarding and non-forwarding, and this comes into play when the server you queried isn't authoritative for the domain.
A non-forwarding server sends you an SOA record that tells you about some other server(s) you can query, which will either be a server it has cached that it knows can handle part of the domain name (e.g. the .com part or .co.uk, etc.), or it will tell you about the root servers instead, which will give you the top-level answers.
A forwarding server (such as your ISP probably provides) will instead ask those servers directly, cache the response and then reply to you. That way lots of people don't need to query the main DNS servers all the time.
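An added, offline model of the iterative (non-forwarding) path described above, not code from the poster: each server either answers or refers the client to the name servers of the next zone down, and the resolver follows referrals from the root with a hop cap. All server names, zone contents and addresses are constructed.

```python
from typing import Dict, List, Tuple

# Constructed, offline model of the authoritative hierarchy (server -> (zone apex, records)).
# Server names, zone contents and addresses are invented; none are real root or TLD data.
AUTH: Dict[str, Tuple[str, Dict[Tuple[str, str], List[str]]]] = {
    "root.example.": (".", {("com.", "NS"): ["tld.example."]}),
    "tld.example.": ("com.", {("lowendtalk.com.", "NS"): ["ns1.lowendtalk.example."]}),
    "ns1.lowendtalk.example.": ("lowendtalk.com.", {("lowendtalk.com.", "A"): ["203.0.113.10"]}),
}

def query_server(server: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """One non-forwarding server: answer if it holds the record, otherwise refer the
    client to the name servers of the closest delegated child zone it knows about."""
    apex, records = AUTH[server]
    if (qname, qtype) in records:
        return "ANSWER", records[(qname, qtype)]
    labels = qname.split(".")
    for i in range(len(labels) - 1):              # walk suffixes: a.b.com. -> b.com. -> com.
        child = ".".join(labels[i:])
        if child != apex and (child, "NS") in records:
            return "REFERRAL", records[(child, "NS")]
    return "NXDOMAIN", []

def resolve_iteratively(qname: str, qtype: str = "A", max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """What a recursive resolver does on a cache miss: start at the root and follow
    referrals down the tree. Returns (records, servers consulted in order)."""
    server, path = "root.example.", []
    for _ in range(max_hops):                     # hop cap guards against referral loops
        path.append(server)
        kind, data = query_server(server, qname, qtype)
        if kind == "ANSWER":
            return data, path
        if kind == "NXDOMAIN":
            return [], path
        server = data[0]                          # follow the first referred name server
    raise RuntimeError("too many referrals for " + qname)
```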
Just thought I would share my experience, especially since I built onddns in December last year (2021). This is based on my custom code and not standard DNS software like BIND or PowerDNS etc. I was rather surprised to learn that queries are much more sporadic than one would imagine. You can't just count on people knowing your domain and doing a DNS query; there are crazy bots out there randomly calling your domain (especially if it's an old or known domain). Numbers are hard to give because of this. My experience so far is that DNS servers generally use low CPU (especially if you are using a personal one just for your domain alone). With just about 20 domains on onddns, I see between 1000 and 9000 requests per hour (x 10 servers), not all of which are equally balanced.
RAM/memory is quite negligible and inconsequential at these small domain counts.
It would be dumb and hilarious if I answered this wrongly considering I coded a DNS service, but I will attempt to answer this.
So if you host your own DNS, this would 'assumably' mean you set your domain to point to your personal DNS server(s); at least 2 on different networks are preferable.
When someone looks up your domain, they usually look it up from a public DNS server. This public DNS server would query your DNS server for, let's say, the A record. I think the public server checks the TTL for this record and tries to respect the TTL by keeping the answer it got for the TTL period. If the public DNS sees that the TTL has expired, it re-queries your personal server again (think of it like a refresh). So you basically still need to rely on your personal DNS server, since it remains the source server. I hope I read and answered you correctly.
If you have a normal domain for a normal site, unless you need low TTLs, I'm not sure you really need to maintain your own DNS. It sounds more like an extra hassle; just use your domain registrar's one (they don't really have any noticeable limits, as far as I have ever noticed) and you don't need to maintain infrastructure for your domains.
yes
Here are some advantages of having your own DNS:
- If your country does domain bans, you will bypass them.
Can you really bypass the thresholds set by public servers? Probably not. Your server has to get data from other servers, which often set their own limits. Consequently, you'll still be hit by errors.
When you use a public recursive name server, you send all DNS requests to a limited number of servers. But when you use your own recursive name server, you send requests to the root name servers and other authoritative name servers on the internet. That should mean the requests are distributed over more name servers. Shouldn't that make a difference?
It's just another thing to manage. I run my own, but I keep mirrors on public DNS systems so I can just swap when I get sick of it for whatever reason. Last time it was a powerful DDoS and I just wanted a nap.
Why? Seriously, why? I'm trying, but failing, to come up with any reasonable reasons to do this...
Depends on how many requests you make. If the amount is large, authoritative name servers will probably consider this a DoS attack. I'm not sure what the OP is planning to do; maybe his own recursive server could solve his problem.
Discovering phishing and malware domains.