I set up authoritative nameservers at home using unbound, which appears to be considerably easier than configuring BIND, but I still can't say that I fully understand it. DNS (and networking in general) is a bit of a dark art.

If you decide not to use a forwarder, the DNS server will be truly independent.

The DNS server will contact the Root servers for the TLD namesevers of a domain, the TLD nameservers and then the actual authoritative nameserver for the particular domain.

No forwarder needed.

This means you bypass any DNS based filtering any DNS ‘forwarder’ may have in place.

One interesting aspect of this is how using BIND puts focus upon serial numbers.

Serial numbers were a bane 3 decades ago. When Daniel J. Bernstein invented djbdns, xe made the software (tinydns-data) auto-generate the serial numbers from the last modification timestamp of the source file, and made several observations on the subject of serial numbers that are well known, or at least easy to work out for onesself with a modicum of thought.

This article warns the reader thrice, in all-capitals, about remembering to manually increment serial numbers. That's still after all these years reasonable advice for BIND users and a still habit to form if one uses BIND. The numbering scheme used here will only allow 100 changes per day, of course.

But nothing in the article, nor the planned parts 2 and 3 described in the ensuing FediVerse discussion, actually needs zone serial numbers to be incremented at all, as there's no replication of any kind, let alone "zone transfer", here and parts 2 and 3 (if they end up as stated, they not having been published yet) will not encompass replication either. It's heavily stressed because it has been a common pitfall for BIND users for decades; but ironically the article series does not actually need it.

It's a shame, really, because the things that should be emphasized as much if not more here, are reduced in comparison. internal. still not being an IANA special-use domain name is one. (See RFC 8375 for home.arpa., which is a special-use domain name.) The way that this setup will leak 192.168.0.0/16 reverse lookups outwith 192.168.1.0/24 to the world at large, and 172.16.0.0/12 lookups outwith 172.16.0.0/16, is another. (named.rfc1912.zones does not cover any of the requisite domain apices, RFC 1912 not being RFC 1918, and is in any case a RedHatism that one cannot rely upon on even, say, Debian, let alone on a non-Linux-based operating system.) The pitfalls of using a superdomain that one does not own, e.g. homelab.jhw. here, is a third that is glossed over. (Anyone who has tried to set up an organization's domain naming will know of the pitfalls that this entails; this is as much of a bad habit to avoid gaining in the first place as updating BIND's serial numbers is a habit to learn.)

Furthermore, making "everything at home just work, even with no internet connection" involves something further, missing from this and from the described forthcoming parts 2 and 3: a private root content DNS server. There's a surprising amount of stuff that relies on at minimum getting negative answers from the . content DNS servers for top-level domains that do not exist, and various blackholed domains.

I personally find Bind to be such an awful DNS server to configure. It's a bit like setting up Arch or Gentoo; tons of configuration so you can get down to the details and learn about every single part of the system, but ultimately there are only a few fields that you generally need to touch.

My DNS server of choice remains PowerDNS. I also find the API easier to use with certbot and the available web UIs.

Is there really a setup burden a reason to explicitly switch dnssec from the default implied "auto" to "no"?

> I really should use the official .internal TLD (Top Level Domain) for my homelab network, but I decided against it. This introduces the risk of name resolution problems, should someone offer a public .jhw TLD in future. It’s a risk I am willing to accept in exchange for using a 3 letter TLD at home. Don’t be like me! Use .internal instead. With that out of the way, let’s continue.

Why not .lan? The key word is official?

I host my own name servers and have a custom dynamic DNS script with email notifications and everything. Honestly, wish I could replace the domain registrar as well and just have my own public TLD. For 50 million USD though (give or take) and the .sh TLD could be mine

Have you had issues with the .jhw TLD on Apple devices? I have my own DNS for my homelab with CoreDNS with house.hill as my domain. My house is on a hill. But .hill is not a TLD, and both my macbook and iphone stopped resolving it quite a while ago.

Doesn't the use of .internal and the likes preclude the use of ACME/certbot for your internal https services? Unless you want the pain of running your own internal CA but then some OSes complain about internal CAs these days.

Because ISC DHCP was discontinued, I switched to dnsmasq, which also caused me to switch my home DNS server from unbound to dnsmasq so that local dhcp hostname registration would continue to work.

I always thought of dnsmasq as a bit of a toy, but I have to admit I've been impressed. So far it's worked flawlessly, and I'm especially impressed that you can reconfigure it without restarting the process.

My only complaint is not specific to dnsmasq, and that's with ipv6. Devices assign themselves essentially random addresses, so it's impossible to correlate DNS lookups from those addresses with what actual device is making the request. The obvious solution to this, a fully managed DHCP6 setup, does not seem to be well supported by dnsmasq, but it wouldn't matter even if it was because so many devices don't support DHCP6, only slaac. So the whole thing is a bit of a mess.

I tried BIND, Dnsmasq, unbound, adguard. At the end I picked CoreDNS outside kubernetes. It can do everything (including wildcards and ACL), requires few resources and easy to configure.

I liked djbdns. But the development seems stucked. What I liked is the separation of name resolver (dnscache) and authoritative name server (tinydns).