Self-Hosting DNS (ghostdev.xyz)
Definitely not an ad - it's just the best option that I found, and I have been super happy with it! There are lots of ways to do this (people have shared even more options in the comments here), and for a lot of people AdGuard/Pi-hole/... are the relatively easier options.
They're easy to set up and unless you're using it to support thousands of DNS requests per second, it's not appreciably (on human scales) slower than forwarding requests to your ISP's servers and/or 8.8.8.8 or 1.1.1.1.
More detail about recursive resolvers and how they work can be found here[1]
What am I missing by not using AdGuard, PiHole and similar?
DNS is very easy. Email is tough. Usually one would add a media server such as Plex and Nextcloud which is very useful.
I've been running bind9 on a computer under my desk for about 20 years.
The only subscription required is an ISP contract that includes a static IP.
Maybe I'll get a netflix acct (never had one), and "self-host" some videos...
I'd say the exact opposite. Now you're sharing data with multiple parties and each is potentially getting enough data to extrapolate the whole picture.
It does look like PowerDNS supports it: https://doc.powerdns.com/authoritative/dnsupdate.html
Not "feeling like" calling your ISP to get a static IP, but also wanting to self-host?
Which is a whole different type of mental challenge compared to figuring out the technical details of self hosting something ;)
Exactly this... we have enough issues with our internet that I didn't want to add this into the mix, especially as, if they decide to not really give me a static IP, then I have to change it everywhere :/
I trust my VPS provider far more than my ISP
I tested with 2 ISPs I use and both have it as a prominent add on that you can add for extra cost per month in the UI.
Not 99.9999% uptime obviously but good enough.
But I would just use https://pi-hole.net/
dns-blocking is evil, no matter who does it.
stop lying to yourself and install a content blocker on your devices
You really ought to expand on that line of reasoning in order to get anyone to take this comment seriously.
more or less about trustworthy infrastructure
it's about the blocking occurring in reach of the user (client) or not (infrastructure quirk that has to be worked around)
Sure, one or two of us running our own resolvers isn't going to hurt, but an extra hundred million or so resolvers would hurt -> at best just causes all the servers targeted by the resolver to add more layers of caching
I doubt the current infra would have any problem handling the load even if all individual devices had a local resolver.
It's what I'm doing since we switched ISPs and now we are behind CGNAT (better connection otherwise though).
If I am correct, your argument boils down to blocking happening outside the direct control of the user. This technically is true, as you don't have an icon in your browser like you would have with an extension.
At the same time, it being outside the control of the user is not really true if the user is also the person in control of the blocking solution. I don't know how it works with AdGuard, although I assume it is the same. Pi-hole offers extensive insight into what requests are being blocked, from which client and when.
This can even be adjusted on a per-client level, making that argument more theoretical than practical.
Even if someone else has to use it. Certainly, when it is someone in their household who can access the administration for their client devices/applications as well.
Other people affected might be those who make use of the author's wifi, where the author can also opt for a guest wifi using regular DNS, or not even do it on a router basis and really do it per client.
The only context in which it is potentially "evil" or malicious is when people unknowingly get things blocked or redirected to the wrong things. But that is pretty far removed from the context of this article.
the fact that for-profit shops wanted a piece of the intelligence within made it surface and now the webheads are shitting on it like there is no tomorrow
Run a better DNS server and see for yourself that there isn't any man behind that curtain.
that was kind of my point;
dns-infrastructure should not knowingly give wrong answers because that will make it less useful and more of a hassle down the road
If I, as the network admin, don't want you to access some site, I will block it, and blocking it at the DNS level is one of the ways I have to achieve this, and if I catch you trying to circumvent it you will be booted from my network in no time.
That is what local DNS servers are for and what solutions like Pi-hole and AdGuard Home were designed to accomplish.
There are many legitimate use cases that require you to mess with DNS. For example, you can force Google SafeSearch on all devices in your network; Google's own instructions are to create a CNAME redirecting www.google.com to safesearch.google.com at your local DNS server.
So no, blocking or redirecting stuff in my DNS is not only not evil, it is required in many cases.
If you are trying to do something that is being blocked in the local network, either talk to the network admin, explain why you need to do that and check if he can fix it for you, and if he can't/won't then go do it somewhere else.
Also, most, if not all, large enterprises do DNS-level blocking, as they should. Go try to work around this and I bet you they will call you out, insist, and you will be job hunting in no time.
just wanted to point out that dns-level blocking introduces a discrepancy to a shared truth, which creates problems and is hence more costly than it might appear.
You can't just say "it is this because it is this". Clearly the sole user of DNS finds it useful to block through DNS.
What sort of hassles do you even have in mind?
I have stuff that I can only access inside my home network, so here the truth is one. Out on the internet those same addresses do not exist, so out there the truth is another.
This is also the same for most, if not all, enterprises: there is always stuff that can only be accessed either on the internal network or via VPN.
There are addresses that point to different endpoints depending on the network you are connected to, and this is by design; again, network-wide Google SafeSearch is an example.
Same thing for streaming services and CDNs: the same address will return a different endpoint depending on your location.
This happens even for direct IP addresses without using DNS. Quad9, for example, has dozens of servers that provide service on the address 9.9.9.9 for their DNS server, so depending on your location the same IP address will connect you to a different server that is located closer to you to ensure fast access.
DNS, like anything in the network and in computing in general, can cause problems if not done correctly. But then the problem is how it was implemented, not the DNS blocking or redirecting functionality in itself.
redirection and managing your horizons aside, my objection lies with the use for content blocking, because it is the wrong tool for the job.
cheers
It is one tool that is available in our toolbox that we might use or not, and it is one perfectly valid way of doing it. It might not fit all workflows or all use cases, but that does not make it bad or wrong.
Also, not every endpoint can have ad blocking done locally, and having it at the DNS level is a great alternative for those cases.
I honestly use both: all my browsers have local ad blockers to prevent the DNS query from being done in the first place, yet I still have a DNS-level ad blocker to cover other devices, like TVs for example, that are now filled with ads and do not have a method for blocking ads locally.
Also, solutions like AdGuard do much more than just ad blocking, as I already mentioned about Google SafeSearch; you could just disable the ad blocker and it would still be a great tool to have, and I personally consider it a must-have when you have young kids starting to use the web.
You are within your rights to not like this type of solution and are free to not use it in your networks, but stop making BS claims that it is the wrong tool for the job or that it is the wrong way of doing it.
What I like most about AdGuard Home is that almost all configuration can be customized per device. So if you have some workflow or some device where DNS blocking is causing problems, you can just disable it for that device and still have it for the other devices that need it.
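The two behaviours the comments above describe, a CNAME override that forces SafeSearch and blocking that can be switched off per device, are both decisions a resolver makes before it forwards a query upstream. The following added example (not code from the thread, from Pi-hole, AdGuard Home or BIND) models that policy step in plain Python so the matching rules can be seen and tested in isolation: blocklist matching by domain suffix, a CNAME rewrite table, per-client passthrough networks, and a query log of the kind Pi-hole's dashboard is built on. The blocklist entries, client addresses and sinkhole answer (0.0.0.0, the NULL-style answer) are constructed for the example; the SafeSearch target name is a parameter, and the name Google currently expects should be taken from its own documentation rather than from this code.

```python
"""Minimal model of the policy layer in a DNS-level blocker (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Iterable

# Assumption: blocked names are answered with a sinkhole address instead of
# NXDOMAIN. Kept configurable so the model does not depend on one product.
DEFAULT_SINKHOLE = "0.0.0.0"


def normalize(qname: str) -> str:
    """Canonical lookup form: lowercase, no trailing dot."""
    return qname.rstrip(".").lower()


@dataclass
class Decision:
    qname: str
    client: str
    action: str                 # "pass", "block" or "rewrite"
    answer: str | None = None   # sinkhole for block, CNAME target for rewrite
    reason: str = ""


@dataclass
class DnsPolicy:
    blocklist: set[str] = field(default_factory=set)
    rewrites: dict[str, str] = field(default_factory=dict)
    passthru: list[IPv4Network | IPv6Network] = field(default_factory=list)
    sinkhole: str = DEFAULT_SINKHOLE
    log: list[Decision] = field(default_factory=list)

    def add_blocklist(self, names: Iterable[str]) -> None:
        self.blocklist.update(normalize(n) for n in names)

    def add_rewrite(self, name: str, target: str) -> None:
        self.rewrites[normalize(name)] = normalize(target)

    def allow_client(self, cidr: str) -> None:
        """Clients inside this network bypass every rule (the per-device switch)."""
        self.passthru.append(ip_network(cidr, strict=False))

    def _blocked_by(self, name: str) -> str | None:
        # Match the name itself or any parent domain, label by label, so a
        # blocklist entry "ads.example" also covers "tracker.ads.example"
        # but not "notads.example".
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocklist:
                return candidate
        return None

    def resolve(self, qname: str, client_ip: str) -> Decision:
        name = normalize(qname)
        client = ip_address(client_ip)
        if any(client in net for net in self.passthru):
            d = Decision(name, client_ip, "pass", reason="client passthru")
        elif name in self.rewrites:
            d = Decision(name, client_ip, "rewrite", self.rewrites[name], "cname override")
        elif (hit := self._blocked_by(name)) is not None:
            d = Decision(name, client_ip, "block", self.sinkhole, f"blocklist: {hit}")
        else:
            d = Decision(name, client_ip, "pass", reason="forward upstream")
        self.log.append(d)
        return d

    def blocked_per_client(self) -> Counter[str]:
        """What a per-client 'blocked queries' panel would summarise."""
        return Counter(d.client for d in self.log if d.action == "block")


def build_home_policy(safesearch_target: str = "forcesafesearch.google.com") -> DnsPolicy:
    """Constructed home-network policy: two blocked domains, one rewrite, one exempt device."""
    policy = DnsPolicy()
    policy.add_blocklist(["ads.example", "telemetry.tv-vendor.example"])
    policy.add_rewrite("www.google.com", safesearch_target)
    policy.allow_client("192.168.1.50/32")   # the admin's own laptop, constructed
    return policy


if __name__ == "__main__":
    policy = build_home_policy()
    for q, c in [("tracker.ads.example.", "192.168.1.20"),
                 ("www.google.com", "192.168.1.20"),
                 ("www.google.com", "192.168.1.50"),
                 ("notads.example", "192.168.1.20")]:
        d = policy.resolve(q, c)
        print(f"{c:15} {q:22} -> {d.action:7} {d.answer or '':28} ({d.reason})")
    print("blocked per client:", dict(policy.blocked_per_client()))
```

The ordering in `resolve` is the part worth noticing: a passthrough client is exempted before any name rule is consulted, which is the model behind a per-device "disable" switch, and the rewrite table is checked before the blocklist so a deliberate override is never shadowed by a broad block.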