DNS fail

Just a quick note. I was trying to run my own authoritative DNS server for the homelab, got pretty far along with setting up nsd in a VM and all the glue records etc. Stuff was looking good but then I tried to resolve things from outside my network. And it just wouldn’t work. I checked and double-checked firewall and server configurations to no avail.

After running tcpdump and realizing that the packets are just not getting to my network I finally googled if there is some ISP level restriction. Lo and behold, apparently Traficom has issued guidance [1] that all residential/consumer internet connections should block incoming UDP port 53. The official reasoning is to prevent DNS reflection attacks, which I suppose is fair enough, but it is annoying.
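One way to confirm this kind of filtering from a host outside the network, as an added example that is not part of the original post: it sends the same SOA query to the nameserver over UDP and over TCP and reports which transport, if either, gets a reply, so a missing UDP answer with a working TCP answer points at port filtering rather than at the server itself. The server address 203.0.113.53 and the zone example.com are placeholders; substitute your own.

```python
import socket
import struct
from typing import Optional

QTYPE_SOA = 6
TXID = 0x1234  # fixed transaction id, checked against the reply

def build_query(name: str, qtype: int = QTYPE_SOA, txid: int = TXID) -> bytes:
    """Build a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "answers": an}

def probe(server: str, name: str, transport: str, timeout: float = 3.0) -> Optional[dict]:
    """Send one SOA query over 'udp' or 'tcp'; None means no usable reply."""
    query = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                prefix = s.recv(2)
                if len(prefix) < 2:
                    return None
                length, data = struct.unpack("!H", prefix)[0], b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        hdr = parse_header(data)
    except (socket.timeout, OSError, ValueError):
        return None
    return hdr if hdr["id"] == TXID and hdr["is_response"] else None

if __name__ == "__main__":
    for transport in ("udp", "tcp"):  # placeholder server and zone
        print(transport, probe("203.0.113.53", "example.com", transport))
```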

So I had to scrap the idea of running my own DNS for now. So now I’m just relying on he.net DNS service and manually clicking through the UI to edit the zones, which is a bit annoying. I’ll have to see if there are any DNS providers that allow me to just upload zone files through an API or something like that.

I’ll probably still want to eventually run some DNS server even just for internal use, but that will have to wait.

First impressions of nsd are that it is a bit archaic and clunky, and it has tons of knobs that could be tuned. But on the other hand (I hope) it can run with pretty much defaults and work decently well, so it might be one of those workhorses that can just quietly sit in a corner.


  1. See the recommendation (in Finnish) at https://traficom.fi/fi/saadokset/tiettyihin-tietoliikenneportteihin-suuntautuvan-liikenteen-tietoturvaperusteinen