Hey there, I'm looking into setting up a DNS server in my homelab. I would like something like this:

  1. Server in Docker on my Proxmox Server
  2. Server in Docker on my NAS and
  3. Server in my “Cloud” Network

Do you guys have any recommendations on how I could accomplish this? Otherwise I will just use PiHole with sync again or something like it :)

  • Omripresent@lemmy.ml · 21 hours ago

    I have a total of 4 (for now) DNS servers, 2 within the lab (AlmaLinux on Proxmox), 1 running on OpnSense and 1 on a VPS (AlmaLinux). All are running Unbound + dnscrypt-proxy for external resolution, the AlmaLinux ones also have unbound-exporter for telemetry.

    The pair in the lab also run Keepalived with 2 VIPs for an active/active setup (VIP1 active/backup for DNS1/2, VIP2 active/backup for DNS2/1). All servers target the VIP addresses for resolution with options timeout:1 attempts:3 rotate in the /etc/resolv.conf file.

    For internal DNS records I run FreeIPA (as well for server/ldap auth) with zone transfers to all Unbound instances, this way there’s no dependency on FreeIPA and the lab to be online for DNS resolution of internal records and it prevents the need for forwarding those queries to FreeIPA.

    All instances also have a scheduled service to download and apply a blocklist from https://github.com/StevenBlack/hosts

    I would like to look into Unbound views for the OpnSense instance to be able to resolve different records if the source is the IOT/Untrusted zone vs the LAN/Trusted zone; for now I have BIND tied to specific IPs used by IOT/Untrusted exclusively, without access to resolve the lab zones.
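The two-VIP Keepalived layout described in the comment above, written out as an added example (not the commenter's own files): DNS1 is the preferred owner of VIP1 and standby for VIP2, and DNS2 runs the same file with state and priorities swapped. The interface name and the 192.0.2.0/24 addresses are placeholders.

```conf
# /etc/keepalived/keepalived.conf on DNS1 (added example, not the commenter's config).
# DNS2 uses the same file with MASTER/BACKUP and the two priorities swapped,
# so each VIP has a different preferred owner and both hosts answer queries.

vrrp_script chk_unbound {
    # Move the VIP away when the local Unbound stops answering, not only
    # when the host dies. dig exits non-zero when it gets no reply at all.
    script "/usr/bin/dig @127.0.0.1 +time=1 +tries=1 localhost. A"
    interval 2
    fall 2      # two consecutive failures before the VIP is released
    rise 2      # two consecutive successes before it may come back
}

vrrp_instance VIP1 {
    state MASTER
    interface eth0            # assumed interface name
    virtual_router_id 51      # must differ per VIP and be unique on the segment
    priority 200              # DNS2 sets 100 here
    advert_int 1
    virtual_ipaddress {
        192.0.2.53/24         # placeholder VIP1
    }
    track_script {
        chk_unbound
    }
}

vrrp_instance VIP2 {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 100              # DNS2 sets 200 here
    advert_int 1
    virtual_ipaddress {
        192.0.2.54/24         # placeholder VIP2
    }
    track_script {
        chk_unbound
    }
}
```

Clients then list both VIPs as nameservers in /etc/resolv.conf with `options timeout:1 attempts:3 rotate`, so a query that times out on one VIP is retried on the other. Unbound on both hosts should listen on 0.0.0.0 (or set `ip-freebind: yes`) so it serves a VIP the moment Keepalived moves it over.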

  • ReversalHatchery@beehaw.org · 2 days ago

    I use pihole for its good filtering, selective filtering, statistics and logging capabilities, and technitium dns as its upstream for its superior capability in defining DNS records, and because I can use a DoH DNS provider with it.

      • ReversalHatchery@beehaw.org · 2 days ago

        You don’t need to. But then, for the sake of easier maintenance, you want to containerize it (docker/podman), and be careful not to overload your pihole device, because then the DNS service will go away or get large delays (especially if the device is overloaded with RAM usage and swaps a lot).

        Besides, my experience has been that swapping to USB storage on a Raspberry Pi is unstable enough to cause a kernel panic every few months.

  • biscuitswalrus@aussie.zone · 3 days ago

    Two pihole servers, one on the VM VLAN, one on the device VLAN, with OpnSense delivering them both via DHCP options. I sometimes update lists, like yearly… at best. They’ve been there over 7 years. Calling them robust is correct. The hypervisors are 3 proxmox servers in a cluster using ceph. Intel NUC 3rd Gen. Less than 80W combined with all VMs. Also 8 years old, no failures, but tolerant of it.

      • arcayne@lemmy.today · 22 hours ago

        Solid choice. It’s been my go-to DNS+DHCP solution for over 5 years and has never let me down. Also a fan of DNSDist+PowerDNS, but for most environments (especially home/lab), Technitium wins by a mile.

  • leverage@lemdro.id · 3 days ago

    Unbound on my OPNsense firewall. I don’t have advice for you, do you have some specific goals besides just having a DNS?

      • leverage@lemdro.id · 2 days ago

        Look at a reverse proxy instead. While you can do what you’re after with DNS, a bunch of the reverse proxy systems will automatically deal with SSL certificates, and there are even a couple that eliminate essentially all configuration outside of your docker file. Like, add a new docker and it automatically configures appName.domain.tld with SSL assigned. And if you ever decide to expose that address to the Internet, a reverse proxy makes that simple and provides some security options as well.

        I use Caddy for my reverse proxy running from my OPNsense firewall, but if you want the automation with docker there are better options.