2. How to manage your own DNS
When you purchase a domain, the seller of the domain usually
offers the possibility to manage the DNS records of this domain
from a web interface. In this case you are using their nameservers.
However it is also possible to manage your domains yourself, and it
is not too difficult. In this presentation I will show how I do it.
3. How DNS works
Let’s see how a client (browser) finds the IP for cloud.example.org:
➢ Contact a root nameserver and ask it which servers are
responsible for managing the top-level domain .org
➢ From the query in the first step the client gets a list of the
servers responsible for the domain .org; it can ask any of
them for the servers that are responsible for the
subdomain example.org
➢ From the query in the previous step it will get a list of
nameservers for the domain example.org, for example:
○ ns1.example.org
○ ns2.example.org
➢ Ask any of these nameservers for the IP of the server
cloud.example.org
4. How DNS works
Let’s try these steps manually for the domain ocw.fs.al
1. Get the root nameservers:
dig NS .
dig NS . +short
m.root-servers.net.
b.root-servers.net.
c.root-servers.net.
. . . . .
2. Get the nameservers of .al:
dig NS al @m.root-servers.net.
dig NS al +short
rip.psg.com.
nsx.nic.al.
ns1.nic.al.
munnari.oz.au.
3. Get the nameservers of .fs.al:
dig NS fs.al @nsx.nic.al.
dig NS fs.al +short
puck.nether.net.
ns0.1984.is.
ns2.afraid.org.
4. Get the address of ocw.fs.al:
dig A ocw.fs.al +short
5.45.111.246
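The referral walk of the previous two slides, as an added example that is not part of the original presentation: it simulates the steps offline over a constructed answer table (using the names from the slides, but no real DNS traffic), and shows the fallback to the next listed nameserver when the first one does not answer.

```python
# Added example, not from the original slides: the manual dig steps above
# generalized into an iterative resolver over a constructed delegation table.

# Constructed answers: (server asked, query name, query type) -> records.
# A server only knows the zones it serves and the delegations below them.
ANSWERS = {
    ("m.root-servers.net.", "al.", "NS"): ["rip.psg.com.", "nsx.nic.al.",
                                            "ns1.nic.al.", "munnari.oz.au."],
    ("nsx.nic.al.", "fs.al.", "NS"): ["puck.nether.net.", "ns0.1984.is.",
                                      "ns2.afraid.org."],
    ("puck.nether.net.", "ocw.fs.al.", "A"): ["5.45.111.246"],
}
ROOT_SERVERS = ["m.root-servers.net.", "b.root-servers.net."]


def fake_dig(server, qname, qtype):
    """Stand-in for `dig <qtype> <qname> @<server> +short`; empty if unknown."""
    return ANSWERS.get((server, qname, qtype), [])


def resolve_iteratively(name, dig=fake_dig):
    """Walk from the root towards the authoritative servers, one label at a
    time: NS for al., then NS for fs.al., then A for ocw.fs.al.
    Returns (ip, trace) where trace lists (name asked about, server asked)."""
    labels = name.rstrip(".").split(".")
    servers = ROOT_SERVERS
    trace = []
    for i in range(len(labels) - 1, -1, -1):
        qname = ".".join(labels[i:]) + "."
        qtype = "NS" if i > 0 else "A"
        for server in servers:  # any listed server will do; try them in order
            rrset = dig(server, qname, qtype)
            if rrset:
                break
        else:
            raise LookupError(f"no server in {servers} answered for {qname}")
        trace.append((qname, server))
        if qtype == "A":
            return rrset[0], trace
        servers = rrset  # referral: the next step asks the child zone's servers
    raise LookupError("empty name")


if __name__ == "__main__":
    ip, steps = resolve_iteratively("ocw.fs.al")
    for qname, server in steps:
        print(f"asked {server} about {qname}")
    print(ip)  # 5.45.111.246 with the constructed table
```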
5. Keeping nameservers synchronized
★ All the public nameservers get their
records from the primary NS, which is
hidden behind a firewall.
★ Only secondary NSs answer queries
from the clients, not the primary.
★ When there are any changes on the
records of the primary NS, it sends a
notification to the secondary ones.
★ Secondary nameservers send a
synchronization request (AXFR) to the
primary one.
★ Upon receiving the list of new records,
they replace the old list of records with
the new one.
6. DNS Setup: Find secondary NS services
Instead of building and maintaining our own secondary nameservers, we
can use services that are available either for free or for a small price.
● https://www.buddyns.com/activation/
● https://1984hosting.com/product/freedns/
● https://puck.nether.net/dns/
● https://freedns.afraid.org/
Note: The "primary/secondary" nameservers are also called
"master/slave".
7. DNS Setup: Install the primary nameserver
The primary nameserver will be installed in an NSD container.
1. Install docker-scripts:
apt install git make m4 highlight
git clone https://gitlab.com/docker-scripts/ds /opt/docker-scripts/ds
cd /opt/docker-scripts/ds/
make install
2. Install an NSD container:
ds pull nsd
ds init nsd @nsd
cd /var/ds/nsd/
vim settings.sh
ds make
8. DNS Setup: Make sure that port 53 is free
The NSD container needs access to the port 53 of the host: lsof -i :53
We should prevent systemd-resolved from using port 53:
1. Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=8.8.8.8
DNSStubListener=no
. . . . .
2. Create a symbolic link:
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
3. Reboot the system
4. Check that port 53 is now free: lsof -i :53
5. Try again: ds make
9. DNS Setup: Customize secondary nameservers
On settings.sh, edit the constants SECONDARY_NS and AXFR_SERVERS.
Then run again: ds make
SECONDARY_NS="
ns0.1984.is
puck.nether.net
ns2.afraid.org
"
AXFR_SERVERS="
93.95.224.6
204.42.254.5
69.65.50.192
108.61.224.67
116.203.6.3
. . . . .
"
10. Manage domains: Add a domain
Let’s say that we have purchased the domain example.org
1. Set the nameservers of the domain (what is on SECONDARY_NS):
ns0.1984.is
puck.nether.net
ns2.afraid.org
2. Add the domain to each secondary NS service
https://www.buddyns.com/
https://1984.hosting/product/freedns/
https://puck.nether.net/dns
https://freedns.afraid.org/secondary/
3. Add a zone on the primary nameserver:
cd /var/ds/nsd/
ds zone add example.org
11. Manage domains: Modify DNS records
1. Edit zones/example.org.db and modify the records:
cd /var/ds/nsd/
vim zones/example.org.db
2. Don’t forget to change the serial number too:
2022061901 ; serial
3. Notify the secondary nameservers that there are some updates:
ds notify
Alternatively, a ds restart will also reload the zones and send
notifications to the secondary nameservers.
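Forgetting the serial (step 2) means the secondaries never pull the new zone, since they only transfer when the serial increases. The following added example, not part of docker-scripts, bumps the serial of a zone file in the YYYYMMDDnn convention used above; the zone fragment is constructed for the example, and the same helper applies to the serial updates required by the migration slide.

```python
# Added example, not from the docker-scripts project: bump the SOA serial
# of a zone file so that secondary nameservers notice the change.
import re
from datetime import date

# Constructed zone fragment in the style of zones/example.org.db.
ZONE = """\
$ORIGIN example.org.
$TTL 3600
@     IN  SOA  ns0.1984.is. hostmaster.example.org. (
               2022061901 ; serial
               3600       ; refresh
               900        ; retry
               1209600    ; expire
               300 )      ; minimum
@     IN  NS   ns0.1984.is.
@     IN  NS   puck.nether.net.
@     IN  NS   ns2.afraid.org.
cloud IN  A    5.45.111.246
"""

# Matches the "<number> ; serial" line written by hand in the slide.
SERIAL_RE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*serial\b)", re.M)


def next_serial(old: int, today: date) -> int:
    """Return a YYYYMMDDnn serial for today that is strictly greater than old.
    If the old serial is already today's (second edit of the day) or is from
    the future (e.g. a typo), it is simply incremented: any increase works,
    a decrease would silently stop zone transfers."""
    base = int(today.strftime("%Y%m%d")) * 100
    return base + 1 if old < base else old + 1


def bump_serial(zone_text: str, today: date) -> tuple[str, int]:
    """Replace the serial in zone_text; return (new text, new serial)."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; serial' line found in the zone file")
    new = next_serial(int(m.group(2)), today)
    updated = zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):]
    return updated, new


if __name__ == "__main__":
    text, serial = bump_serial(ZONE, date(2022, 6, 19))
    print(serial)  # 2022061902 for the constructed zone
```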
12. Manage domains: Remove a domain
1. Remove it from each secondary nameserver service.
2. Remove its configuration on the primary server:
cd /var/ds/nsd/
ds zone rm example.org
3. Alternatively, disable its configuration:
ds zone dis example.org
13. Troubleshooting
1. We can make some simple checks and tests like this:
ds check --config
ds check --zones
2. To check the AXFR response for a domain:
ds zone test example.org
It will actually list all the records that will be sent to a secondary nameserver.
3. For further troubleshooting, we can get a shell inside the container and try
commands like these:
systemctl restart nsd
systemctl status nsd
tail /var/log/syslog -n 30
dig @localhost AXFR example.org
ufw status
14. Maintenance: Migrate the primary nameserver
To migrate the container of the primary nameserver to another host:
1. Transfer (with scp or rsync) the content of /var/ds/nsd/ from the old host
to the new one.
2. On the new host, rebuild the container:
ds pull nsd
cd /var/ds/nsd/
ds make
3. The public IP of the master nameserver has changed (to the IP of the new
host), so we should update it in the configuration of each secondary
nameserver, for each domain.
4. Replace the old IP with the new one on each zone file as well, then update the
serial numbers and notify the secondary nameservers.
15. Maintenance: Modify secondary nameservers
If you need to modify the list of secondary nameservers, for example add
ns1.1984.is on the list, or remove one from the list, you should also make sure to
update these things:
1. For each domain that you manage, go to the website of the provider of the
domain and update the list of the nameservers.
2. If you are adding a new secondary nameserver, go to the website of the
nameserver and make sure that you add there all the domains that you manage,
along with the public IP of the primary nameserver.
3. On the primary nameserver, update settings.sh accordingly and then run
ds make
to update the configuration files.
16. Thank you for your attention!
Any questions or comments?
➔ Dashamir Hoxha (dashohoxha@gmail.com)
➔ https://docker-scripts.gitlab.io/dns.html (Tutorial)
➔ https://events.fs.al/event/8/registrations/ (Workshop)