this post was submitted on 27 Nov 2023
9 points (80.0% liked)

Selfhosted

40347 readers
427 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello, Im trying to monitor & control my dns in my network. I like the idea & features of nextdns but all your traffic goes trough them right? I wanna host something simular. I currently have pi-hole installed but i feel like its not as advanced as something like nextdns. What service could i use for this? Thanks for your time!

all 14 comments
sorted by: hot top controversial new old
[–] friend_of_satan@lemmy.world 15 points 1 year ago (1 children)

all your traffic goes through them right?

Wrong. DNS just resolves hostnames to IP addresses and a few other small things. None of your web traffic will go through your DNS provider.

[–] chiisana@lemmy.chiisana.net 2 points 1 year ago (2 children)

It’s not so absolute; your DNS provider could resolve domains to their own server’s IP and MITM your traffic. This is how some of those DNS based region bypass work — by re-routing your traffic through their server in a supported region.

[–] lemmyvore@feddit.nl 1 points 1 year ago (1 children)

MITM your traffic

How exactly would that work? You would have to accept broken certificates or even no TLS at all for that to work.

[–] chiisana@lemmy.chiisana.net 1 points 1 year ago (1 children)

As the person I replied to mentioned, these kind of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.

[–] lemmyvore@feddit.nl 1 points 1 year ago (1 children)

You'd have to install a cert for each domain. It's not likely to happen. The only provider where this works is Cloudflare but that's because they force you to use them as registrar and DNS so they can issue duplicate certs for any domain.

[–] chiisana@lemmy.chiisana.net 1 points 1 year ago* (last edited 1 year ago)

A CA cert is higher up can sign for any desired domain. Certificates are a chain of trust and as long as the entire chain can be validated (by the root level installed by the user), then the entire cert will appear valid. During installation, that’s what gets installed and then the provider signs for whatever domain you’re visiting that they’d need (or want) to MITM.

Cloudflare uses LetsEncrypt, Google and a few other CAs to sign their certs. You’re not forced to use them as registrar, and they could (though they will lose accreditation very quickly) in theory sign any domain without you using them to host your domain’s DNS.

[–] Engywuck@lemm.ee 6 points 1 year ago

AdGuard Home comes with a few more goodies vs. pihole. Last but not least, access control, DoT, DoH, custom DNS for selected clients and so on (you need a domain and a certificate for the DoT, DoH, though)

[–] ShellMonkey@lemmy.socdojo.com 6 points 1 year ago* (last edited 1 year ago)

I guess first I'd ask is why are you looking for your own DNS server? You can use most any server and host it yourself, things like bind or unbound are out there and baked into a lot of the home-server / domain controller type distro.

When you talk about all your traffic going ng through them, all your traffic won't go through the DNS provider. The DNS is only turning the name to a number, so they would know perhaps the intent to go there but not the actual traffic. You could just be doing a nslookup for fun for all they know. Even hosting your own, whoever is the next in line from your server will get requests for anything your box doesn't have an answer for, so it really only adds a mask to say 'someone asked me to ask you for this address'. That being the case, what's your goal in running one?

[–] chiisana@lemmy.chiisana.net 3 points 1 year ago

all your traffic goes through them right?

Depending on provider and intended purpose… strictly speaking, a DNS server tells your computer that example.com resolves to 169.254.169.254 and nothing more.

However, for example, if your DNS provider adds ad blocking, they may choose to change ads.example.com from 169.254.169.254 to 127.0.0.1 thereby preventing any advertiser JavaScripts from being requested. This is fine and all, but you’d have no way to be automatically alerted if they changed it to 123.234.123.234 and serve their own blank scripts.

If for example your DNS provider provides region bypass for streaming providers, they could resolve streaming.example.com from 169.254.169.254 to a server in another country with address 123.234.123.234; and route your request through that in order to circumvent the region lock.

These are all fine and well, but if the provider was compromised and/or sold to malicious actor, they could resolve your-bank.website to a phishing site, and then MITM all the traffic just like the region lock bypass example.

So… in theory, it shouldn’t do anything more than resolving, but in practice, it may be hard to detect, and they could be doing more than just resolving.

[–] johnnyfive@lemmy.world 2 points 1 year ago

I have been using Adguard Home in the cloud, limited by clients and using it only for DoH/TLS. Updates are made directly in the UI, it's really very light and practical.

Only DNS lookups go through them, the rest of your traffic is not affected.

Adguard Home is a good one to self host, lots of features.

[–] Decronym@lemmy.decronym.xyz 1 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL

3 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.

[Thread #306 for this sub, first seen 28th Nov 2023, 04:35] [FAQ] [Full list] [Contact] [Source code]