Should I Have My Own DNS Server?

I was provoked to action by Apple’s public decision to become an arm of the state (more than it was already, surreptitiously) by scanning all photos - not only those stored in its cloud, but also on its devices. I have no photos which could possibly be cause for concern. However, the way large organizations work - especially those acting on behalf of the ever-benevolent state - mission creep and errors are inevitable. Actually, regardless of the practical issues, the whole idea is intrusive and revolting. If they can scan photos, they can surely scan documents and I have no doubt my writings would be deemed “dangerous”, notwithstanding the fact I never call for violence.

So, I decided it was time to remove all my materials from Apple’s cloud and limit their residence on Apple devices. The only convenient way of doing that is by creating network attached storage (NAS); I have done it in the form of a Synology 220+ NAS with two HDD’s arranged in Synology’s flexible form of RAID. As well, I will soon subscribe to Synology’s C2 service, which backs up my NAS to their cloud. I am deep in the woods of considering and implementing some of the many possibilities available on the very flexible system. I want to accomplish privacy and control of my own data, but not at too high a cost of complexity or clunkiness, requiring lots of troubleshooting and/or maintenance. So far, I have successfully implemented Time Machine backups of my laptop (with all the most important ‘management of my life’ stuff on it) and have downloaded all the photos from our 2 iPhones, with automatic downloading of all new ones.

Among the selection of software pre-loaded with Synology’s Disk Station Manager software (DSM) are options to implement SSL/HTTPS (I will do this asap), a VPN for the server (soon as well, though I’m not sure it is very important, since I really do not need to access this data from outside my home network so won’t enable this function), and a server-based DNS. I am busy learning about all of these and realize I don’t understand what setting up DNS on my server accomplishes and whether or not I should do it. My searches have not proved very enlightening, so I would like advice from those of you who are knowledgeable. What do you think?

Incidentally, in learning about the DNS, I also came across something called Pi Hole, which is said to block 90% of all ads. Any thoughts on this?

6 Likes

If you have a Linux, BSD, or equivalent server, there is no particular problem running your own DNS server, but I don’t see any real advantage in doing so. A DNS server does two things (although many are configured to do only one of the two). The first is to respond to DNS queries from other machines and respond to them with lookups, either from its own local databases or by querying other DNS servers on the Internet. Servers cache data from the Internet so they don’t have to go out to the network for repeated queries of frequently accessed sites. A local server can reduce the latency time for DNS lookups if it has cached the sites you access frequently, but since it is only responding to your own requests, the odds are that it will see many (for example, items embedded in Web pages that fetch content from other sites) which it has not cached and will have to make remote requests for them. In practice, it is almost always faster to use a free public DNS service such as OpenDNS (now operated by Cisco) or Google Public DNS, as their cache contains billions of lookups they can serve instantly rather than delegating the query to remote servers as your local one would. They also have worldwide presence and backbone connections for fast response and very high uptime. All of my machines use OpenDNS and have for more than a decade with no problems.

The second function of a DNS server is to serve information for domains you own, such as my fourmilab.ch. When you register a domain, for services under it to be accessible, you must supply the registrar a list of two or more DNS servers which respond to queries for that domain. If you run your own server, you must arrange for a secondary server that either has a copy of your domain information or automatically mirrors the information on your primary server. This should be in a different location on a different Internet connection in the interest of reliability. While it’s pretty easy to set up a DNS server, most people today use one of the big cloud DNS servers such as Amazon Route 53, which I believe is the largest. I moved all of my DNS hosting from local hosting on my own servers to Route 53 in January 2016. It costs US$ 0.50/month for each of the first 25 hosted domains and US$ 0.10/month for each additional domain. Route 53 provides four DNS endpoints distributed around the world for fast resolution and redundancy for 100% uptime.

Some people may worry about their DNS being canceled out of political motivations. While this can happen, and has on occasions in the past, I wouldn’t worry about it because it’s not a very effective way to shut down a Web site. If Route 53 were to terminate my DNS service, I could move it to DNS Made Easy or another cloud service in about 30 minutes. There are a multitude of DNS hosting services around the world, some of them free. And if all of them shut you down, then you just run your own server.

In canceling a Web site, the real fear is them getting to your domain registrar and having them cancel or redirect your domain name. If somebody prevailed on Swisscom to terminate my registration of fourmilab.ch, that name would be lost to me. I would have to communicate with everybody who wishes to access it to use one of the alias domains such as fourmilab.to or fourmilab.org, and the change would break millions of links to fourmilab.ch embedded in documents on the Web and archives of communications. There is no protection against this except to register domains with registrars you believe unlikely to bow to mob pressure. I consider .ch pretty good in this respect, although not as good as .to (I was a co-founder of the .to domain registry in 1997). Fourmilab.to has been active since 1997, and used to be directed to a physical mirror site in the U.S. It is now an alias that redirects to my server on AWS.

Here is more information on Pi-hole. It is a local look-up only DNS server which you install locally and then direct your machines to use. It blocks DNS queries to known bad actor (advertising and tracing) domains, causing browsers to fail when a page embeds them. Using this will slow down your browser performance compared to a large caching public DNS server, but you may make up the time by not downloading and displaying all of the garbage it blocks.

4 Likes
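To make the trade-off described in the post above concrete (a local caching resolver that only answers your own requests, and a Pi-hole style blocklist that sinkholes advertising domains), here is an added example; it is my own illustration, not code from Pi-hole or from the poster. The blocklist entries, upstream answers, TTLs and addresses are constructed placeholders standing in for a real public resolver such as OpenDNS.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed blocklist in the style of a Pi-hole adlist (placeholder names).
BLOCKLIST = {"ads.example-tracker.net", "telemetry.example.org"}

# Constructed stand-in for a public upstream resolver: name -> (address, TTL seconds).
UPSTREAM: Dict[str, Tuple[str, int]] = {
    "fourmilab.ch": ("203.0.113.10", 300),
    "cdn.example.com": ("198.51.100.7", 60),
    "www.example.com": ("198.51.100.8", 60),
}


@dataclass
class LocalResolver:
    """Toy local forwarder: answers from a TTL cache, sinkholes blocked names,
    and otherwise forwards to the upstream resolver (a cache miss)."""
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (addr, expiry)
    stats: Dict[str, int] = field(default_factory=lambda: {"hit": 0, "miss": 0, "blocked": 0})

    def is_blocked(self, name: str) -> bool:
        # Pi-hole style matching: a listed domain blocks every label beneath it,
        # so "pixel.ads.example-tracker.net" matches "ads.example-tracker.net".
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

    def resolve(self, name: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.is_blocked(name):
            self.stats["blocked"] += 1
            return "0.0.0.0"  # sinkhole: the browser never fetches the embedded asset
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            self.stats["hit"] += 1  # served locally, no round trip to the Internet
            return entry[0]
        # Cache miss or expired TTL: this is the slow path a single-user cache hits often.
        self.stats["miss"] += 1
        addr, ttl = UPSTREAM.get(name, (None, 0))
        if addr is None:
            raise LookupError(f"NXDOMAIN: {name}")
        self.cache[name] = (addr, now + ttl)
        return addr
```

Passing `now` explicitly lets you step the clock and watch a cached answer expire after its TTL, which is the point at which a local resolver has to go back out to the network.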

@johnwalker - Thank you very much. This is very helpful.

2 Likes

Oh dear.

AWS pricing remains impenetrable to non-pros like me.

For example, on the Route 53 pricing page, my browser’s search function counts twenty-nine instances of the ‘$’ character that precedes prices for various services across many different categories. Which of these service categories will I need?:

  • hosted zones
  • queries (4 different categories?)
  • traffic flow
  • health checks
  • resolver endpoints (3 categories?)
  • resolver firewall
  • application recovery

I’d love to get away from my current registrar & DNS service provider (which apparently are two different things), but the embarrassment of AWS riches maintains a 100% success rate in keeping me away. I suspect they don’t want the business of small-time customers. At their scale, who can blame them? Is there such a thing as a non-evil and easy-to-use DNS registrar+service provider who’d be happy to take my small-time cash?

3 Likes

AWS pricing can be daunting to understand because it is based on a rigorous cost-recovery model in which anything in your use pattern which can go over the top and cause them to lose money is charged for separately. However, for most services, the basic price comes with a tier of these items which you have to exceed in order to incur additional charges. Most “small time operators” will stay below these levels and pay only the basic price. Here is my Route 53 bill for August 2022.

The overwhelming contributor to cost is the basic fee for DNS service for domains—I have DNS for 31 domains hosted at AWS (many aliases of Fourmilab with different registrars, plus sites I host for other people on the Fourmilab server), so I pay US$ 0.50 for each of the first 25 plus a dime a pop for the next six. My domains got a tad more than 3 million queries in that month, which cost US$ 1.24. The only other charge was the US$2 I paid for the optional health-check monitoring by various AWS probe sites around the world, verifying DNS connectivity. If I had not explicitly enabled this, I would not have paid this fee.

DNS Made Easy (which I used to use before moving to AWS) has simpler and easier to understand pricing plans, but they’re substantially more expensive than AWS for many people. Their basic service, DNS-5, supports 5 domains and 5 million queries per month for US$14.50 per month, which is much more than AWS would charge you for that. If I moved back to DNS Made Easy, I would have to use their DNS-50 service for up to 50 domains, which costs US$ 145 a month, or more than ten times what I’m paying at AWS.

Namecheap.com has a FreeDNS level of service for lightweight sites, and a PremiumDNS service for US$10/year (with a first year discount price of US$5) that allows 2 million queries per month. I have never used this service and don’t know how good it is.

2 Likes