Experimented with an external DNS as a possible way of gaining greater control.
The DNS protocol runs on port 53. My internet supplier doesn't block this; some do. So I decided to run my own external DNS.
DNS servers come in two flavours: recursive and authoritative.
It is important to know the difference, as exposing a recursive DNS to the internet leaves you open to a lot more possible attacks, including cache poisoning.
I believe a lot of these are more hypothetical, and certainly not worth trying on my site, as I am only a small site with no real monetary value.
So for an external-facing DNS, turn off recursion and make it an authoritative DNS.
As I have a dynamic IP address I need to do some hackery to ensure that my DNS is authoritative and referenced by other DNSs.
I followed the example here:
This works quite nicely.
The bugger is in the details here. Each DNS record takes time to propagate, but more importantly the zone carries a serial number (in its SOA record), by convention a date plus a two-digit extension (YYYYMMDDnn). This number must always be incremented for each record change, or the change will not propagate: other servers compare serials and ignore a zone whose serial has not gone up.
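As an added example (not part of the original post), here is the serial rule in Python: compute the next YYYYMMDDnn serial, sanity-check the date part, and check with the wrap-around comparison secondaries use that a new serial actually counts as newer. Function names are my own.

```python
# Added example, not from the original post: helpers for the SOA serial
# convention (YYYYMMDDnn) and the "must always increase" rule.
from datetime import date, datetime
from typing import Optional

def next_serial(current: int, today: Optional[int] = None) -> int:
    """Return a serial strictly greater than `current`.

    `today` is YYYYMMDD as an int (defaults to the real date).
    - If the current serial's date part is older than today, start today's
      counter at 00.
    - Otherwise (already edited today, or a future-dated typo), just add one
      so the number still goes up and the change still propagates.
    """
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    today_base = today * 100
    if current < today_base:
        return today_base
    return current + 1

def date_part(serial: int) -> Optional[date]:
    """Parse the YYYYMMDD prefix of a serial; None if it is not a real date
    (a quick way to catch a fat-fingered serial before reloading the zone)."""
    try:
        return datetime.strptime(str(serial // 100), "%Y%m%d").date()
    except ValueError:
        return None

def is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial-number arithmetic: a secondary only transfers the zone
    if the candidate is 'greater' in 32-bit wrap-around terms, i.e. the forward
    distance is between 1 and 2**31 - 1. Anything else is silently ignored,
    which is exactly the "change will not propagate" failure described above."""
    MOD = 2 ** 32
    return 0 < (candidate - current) % MOD < 2 ** 31

if __name__ == "__main__":
    old = 2023041501  # constructed sample: second edit on 2023-04-15
    new = next_serial(old, today=20230416)
    print(old, "->", new, "propagates:", is_newer(new, old))
```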
Running your own DNS, unless you have two external IPs, also means you now have a single point of failure. You are also running a critical piece of infrastructure on one box, which might get accidentally switched off or fail. It is better to put the DNS records up at the registrar and let them worry about resilience.
Why bother! Running your own DNS is a single point of failure and exposes another possible hacking point.