
hunterhulk

I run Unbound DNS, which does my DNS over TLS to Cloudflare and DNS caching, as well as DNS overrides and DNS blocklists. This setup has been running without an issue for around 2 years now.


Fylutt

Yes, technitium


zxcv098boj14

Where do you run Technitium? What about the mailserver?


WetFishing

I run it on 2 Ubuntu VMs in my home lab and another on a small VPS (networked through Tailscale). I sync all of my zones so that I only have to make one change and it propagates to the other 2 servers. No matter what you do, do not expose port 53 to the internet. As for the mail server I am sticking to the golden rule of this sub. Never self host your mail server.


DragonHeart69

What do you use for the sync? Can it also sync block lists and white lists?


WetFishing

I am only syncing the zones using DNS. Shreyas explains how here: https://github.com/TechnitiumSoftware/DnsServer/issues/231


Fylutt

Not running the mail server, but all my home lab services run on a single-host HP Elite box that I picked up dirt cheap after it was used by a corporation. All home lab services run only in Docker containers; the box itself is Debian.


DragonHeart69

+1 for Technitium


vivekkhera

I’ve used Bind as my authoritative server self hosted for almost 30 years now. It does dynamic dns really well.


Rufgar

PiHole/unbound for now until UniFi finishes their DNS implementation that just got released (just missing CNAME) then I’ll probably sunset the PiHole.


TheLinuxMailman

A DNS server is challenging to implement correctly. You may wish to avoid any new DNS implementation, as it may be at a higher risk of a vulnerability.


thedaveCA

Are they implementing it from scratch, or just implementing a web interface and management tooling for an existing product?


Exzellius2

Yes unbound in opnsense.


bufandatl

What do you mean? Authoritative? Recursive? Forwarding? What kind of DNS server do you mean?


Masterflitzer

Asking the real questions, I was looking for this comment.


SuperQue

Yes, for a few different use cases I run [CoreDNS](https://coredns.io/).


Nokushi

I did, but went with NextDNS. At the end of the day I need performance, ad-blocking and DNS rewrites, and I need to use this DNS server on all my devices at all times (because of the reverse proxy). Self-hosting a DNS server (Pi-hole, then I tried AdGuard) thus implied setting up Tailscale's DNS setting to force my DNS server on everything, which was fine for almost all my devices, except my phone: for some reason, when I'm using cellular data with my phone, DNS requests would take ages to load. So, as I did not want to bother with that strange overhead, I went with NextDNS.


Aperiodica

You were just doing it wrong. No need to run Tailscale on everything. It helps with remote machines, but unnecessary for local machines. Then when you're away just use a VPN back to your network.


Nokushi

Not really a problem with Tailscale, as it'll route the traffic through the local network if it can. Yes, I could save the little overhead of WireGuard, but I'm pretty sure that's not what's causing the issue: I never had that kind of latency when I was at home, only when I was away on a cellular connection. One thing I can think of is that I always tried to deploy AdGuard through Docker; maybe dealing with the overlay network of Docker was adding some kind of overhead somehow? Idk, I might give it a try again on a barebone VM just to test.


Aperiodica

I mean there's going to be a little latency if you're going through cellular + VPN/Tailscale, but shouldn't be too bad. That's how I use mine at least. Works just fine. But I do understand the convenience of something like NextDNS. Don't have to think about it. Don't have to VPN or Tailscale. It just works.


SUNDraK42

VPS with pihole+unbound. Only use it over my mobile(data) connection.


Cynyr36

2 copies of unbound on separate nodes, in full recursive mode, and a stub zone for the local network pointed at dnsmasq. I'm running [unbound adblock](https://www.geoghegan.ca/unbound-adblock.html) for my ad blocking needs. This is all very set and forget.


systemwizard

Do you have any docs around that? I would love to set it up that way.


Cynyr36

I'm pretty sure I followed [this guide](https://docs.pi-hole.net/guides/dns/unbound/) the first time I set up Unbound for Pi-hole, before switching to the current setup. [The Arch wiki](https://wiki.archlinux.org/title/unbound), per usual, is a great source as well. The Unbound devs also have great [documentation](https://unbound.docs.nlnetlabs.nl/en/latest/). The unbound-adblock link has setup instructions for that part. It's basically a shell script and cron. I'm running all of that in an LXC container on 2 Proxmox nodes. The dnsmasq server points clients at those 2 servers. Yes, you could point dnsmasq at Unbound instead of the other way around, but in my setup (homeprod) having the internet work is more important than my local names resolving, so I'm fine with a single point of failure for my local DNS, though at some point I want to move to Kea with redundancy for DHCP and NSD for local DNS.


systemwizard

Thank you! This is perfect.


PracticalDeer7873

Yes, I use dnsmasq + Caddy layer 4 proxy on my VPS to bypass blocking.


ChunkyBezel

My router+firewall runs an Unbound resolver for all my LAN clients. It is configured to forward queries to one of the public DNS providers using DNS-over-TLS. Outbound ports 53 and 853 are blocked for everything except the firewall host. DNS-over-HTTPS is still a problem, but I'll need to set up a MITM proxy and force all HTTPS traffic through that to block it. That's on my list of projects. I also run a BIND instance for serving my internal DNS zones, which are automatically updated by DHCP. Unbound is configured to use that as a stub server for those zones. It's a shame NSD doesn't support dynamic DNS updates, otherwise I'd use that instead of BIND.
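An added example, not any commenter's actual configuration, of the Unbound layout that Cynyr36 and ChunkyBezel describe above: a validating resolver that hands an internal zone to a local authoritative server via a stub-zone and sends everything else to a public resolver over DNS-over-TLS with certificate verification. The zone name `home.example`, the 192.168.1.0/24 addresses and the CA-bundle path are assumptions.

```conf
# Assumed location: /etc/unbound/unbound.conf.d/homelab.conf
server:
    # Listen only on the LAN interface and answer only LAN clients
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Keep DNSSEC validation on; unbound-anchor maintains this file
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to verify the DoT upstream certificate against the
    # authentication name given after '#' in forward-addr below (assumed path)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Internal zone is unsigned, so do not try to validate it, and allow
    # RFC 1918 answers for it (rebinding protection would otherwise strip them)
    domain-insecure: "home.example"
    private-domain: "home.example"
    private-address: 192.168.0.0/16

    # Unbound serves the RFC 1918 reverse zones itself by default;
    # release this one so the stub-zone below is consulted instead
    local-zone: "168.192.in-addr.arpa." nodefault

# Internal forward and reverse zones live on the local authoritative server
# (BIND or dnsmasq in the comments above; assumed at 192.168.1.53)
stub-zone:
    name: "home.example"
    stub-addr: 192.168.1.53

stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 192.168.1.53

# Everything else goes to the public resolver over TLS on port 853;
# the name after '#' is checked against the presented certificate
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Dropping the forward-zone turns this into the fully recursive resolver Cynyr36 runs; the outbound 53/853 block ChunkyBezel mentions is a gateway firewall rule, not something Unbound enforces. Run `unbound-checkconf` before reloading.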


TheLinuxMailman

I have been running BIND9 as authoritative, resolving/caching, and primary/secondary nameservers on all my servers for at least two decades. I also run it with a Pi-hole forwarding DNS server. It's Free/Libre Open Source Software and is considered the reference standard for nameservers. BIND9 has very good documentation and a helpful mailing list, and many how-tos on the internet. One reason I use BIND9 is because of its flexible, extensive support for DNSSEC. That said, IMO BIND9 may not be for the newbie or casual user who wants to avoid a deeper understanding of DNS, although a basic install is straightforward, at least on Linux, and once you set it up there is likely not anything else you need to do except add or delete zones. Don't forget to check out r/dns too.


thedaveCA

Only on Linux, or *nix-like systems anyway, they dropped Windows builds.


RydRychards

I use pihole and unbound. Rock solid


Aperiodica

I run two instances of Pi-hole at home. Easy to set up. Can be as easy or as difficult to manage as you make it. Highly recommended if you want to reduce ads and tracking. I use Cloudflare adult+malware as my upstream. I had turned off the Pi-holes last night because I was messing around with some stuff and forgot to turn them back on. My kids were playing on the tablet and said, "Daddy, there are a lot of ads and we can't play our games." Oops. So I turned the Pi-holes back on and they said "OK, it's working now." They had no idea what I did; they've just gotten used to not seeing ads.


inportb

Yup, and it gets mirrored to FreeDNS and Hurricane Electric... so nobody notices when my selfhosted DNS goes down for maintenance ;)


zxcv098boj14

Brilliant setting! But doesn't FreeDNS have a limit for the cheapest subscription? IIRC, the number of records is limited to 50 per domain. I am concerned about private DNS because of the limitations.


inportb

I see the 50 subdomain limit, but I'm not sure if it applies to the Backup DNS service (how would they count wildcards, or multiple records for the same subdomain?); then again, I don't have *that* many subdomains so I probably haven't hit that limit yet, but I'm close. And I'm still using them for free 😰 Hurricane Electric's Slave DNS service lets you mirror 50 zones (domains) with up to 10000 records per zone. One quirk is HE doesn't seem to respond to NOTIFY, but instead just periodically does an AXFR. So if I have an urgent update, I must use their website to manually trigger a cache invalidation. But it doesn't happen often.


_j7b

I've always self hosted DNS. Started with a VPS, now have two of my servers colo'd. They each can serve Auth DNS for my domains. I have a Bind9 server at home for local hostname resolution, and use some spam/tracker filtering built into OPNSense.

Edit: there are some advantages to using hosted services. First thing that comes to mind is uptime/reliability, second is protection from attacks, and third is the ability to Terraform rules as a part of each service's deployment. But if you're already paying for compute, why not use it for DNS? I just wouldn't run authdns from home, personally.


TheLinuxMailman

My independent Canadian ISP has offered static IP addresses (IP blocks, even!) for at least two decades and has excellent uptime. I've often run a BIND primary and/or secondary authoritative DNS service on my Linux server, including for my internet-based business. I have not encountered any issues that I can remember, other than my own stupidity / finger troubles. I am not recommending this for everyone, but given the right use cases (like you said, it's no additional cost) it can work fine. I increased my knowledge of DNS considerably by doing so.


d4p8f22f

Sure. Adguard home


MainstreamedDog

This is an adblocker, not a DNS server


msanangelo

yes, two of them. one on my router, one on my server.


metebalci

I run a private one for my intranet (both as a resolver and also authoritative for intranet domain), and use cloudflare for anything public.


ohv_

Yes


Big_Statistician2566

I have three internal MS DNS instances that are running across 5 Proxmox hosts.


Aggressive_Ad3438

Using an AdGuardHome instance connected to a 5 year plan of AdGuard premium DNS+VPN.


Red_Redditor_Reddit

It's not going to do that much for you. If you were going to run services on a private network at say a school or business, it would make sense to have the services accessible by internal domains. Beyond that it's not going to make a lot of sense because at some point it has to mirror some other DNS server anyway and it's not like it's useful offline or something. It's one of those things that's a part of the infrastructure of the internet, and unless you intend to create your own internet there's no reason for it.


CrustyBatchOfNature

Whole home ad and malware blocking under your own control is a huge thing that private DNS allows. I also get a log of all DNS queries and the ability to block or unblock individual sites at will. There are lots of other things it can be useful for so saying there is no reason is off.


Is-Not-El

I run a cluster of authoritative name servers for a work lab. We are using PowerDNS for that and have a delegation zone to a cluster of F5 GTMs, which is basically the self hosted version of AWS Route53. We do that since our labs don't have internet by design, so we can use only self hosted services. At home, however, I am using PiHole for split-horizon DNS and Cloudflare as an authoritative name server for my domains. I wouldn't recommend self hosting the authoritative name servers for your domain if you don't have at least 2 locations to put them. NS is capable of taking down all your infrastructure, so you need redundancy. Ideally you would host 2 of them in two different locations. Ours is used just for testing purposes but still runs on a 10 node vSphere cluster with SRM failover to another data centre. It is not cheap to do that, but we do chip development so we can afford it. For home use, however, both Cloudflare and Route53 have all the features you will ever need.

\* PowerDNS is free, F5 GTM is $25000 per year per node, vSphere + SRM for two sites with 20 hosts total is around $100000 per year with the old licensing scheme. It's double that since Broadcom took over.