In reference to this question, last updated five years ago.

I'm interested in setting up a public DNS server as a personal project, but I'm aware that open resolvers make it extremely easy to amplify requests and DDoS other resolvers. I sought advice from StackExchange and found the above answer.

The original question asks how to set up an open DNS resolver securely, à la Google DNS, and the original reply explains why it is infeasible for people without a lot of money and a legal team, and encourages the OP (if they still wished to continue) to ask more questions on the topic.

The above question is listed as a Canonical Question, and has a total of two replies, with the latest update in 2015.

But it's 2020 now, and things appear to have changed. We have PiHole now, and so many people have their own (private, closed) DNS resolver. We have Cloudflare DNS and NextDNS and other open professional DNS resolvers, but we also have various public PiHole DNS resolvers. DNS over TLS and DNS over HTTPS are becoming commonplace as well, which (I assume) should be able to prevent the spoofing necessary for amplification attacks.

So, my questions: Should the answer to the above question be changed? Is it now plausible for one to securely set up an open DNS resolver? Or is it still a foolish idea for a personal project?

asked by lynn

Comments:

  • Clearly nothing relevant has changed since then. – Michael Hampton Aug 25 '20 at 18:25
  • Does this answer your question? [How do I set up a "secure" open resolver?](https://serverfault.com/questions/634793/how-do-i-set-up-a-secure-open-resolver) – Michael Hampton Aug 25 '20 at 18:25
  • "I'm interested in setting up a public DNS server as a personal project" But what outcomes do you expect from that? Learning? Gathering DNS data? Etc. Is it "permanently" or just a period of time? Which clients do you expect to use it and what differences would you have from all existing ones (so what are the reasons for anyone to use your servers?). As for the threats, they are mostly the same so past answers apply as well. People have more choices for their DNS resolution (DoT, DoH, etc.) but if your servers exist and serve attackers, it will be used by them and results are on you. – Patrick Mevzek Aug 25 '20 at 18:54
  • @MichaelHampton, alas no. I actually link that in the first line of the post, and it's the question I refer to throughout the post. I'm wondering if anything has changed. Can you explain in more detail why/how nothing has changed since then, esp. w.r.t. DoT/DoH? It's not clear to me how nothing has changed then. @PatrickMevzek Mainly learning, but secondarily as a DNS server I can use on any of my personal devices. Dynamic IP makes it difficult to use a whitelist-based approach. – lynn Aug 25 '20 at 20:25
  • @lynn If you only want to provide DoT/DoH service, entirely skipping Do53, then something has indeed changed. – Håkan Lindqvist Aug 25 '20 at 20:27
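The DoT-only setup mentioned in the last comment, as an added illustration that is neither the question's nor any commenter's code: an Unbound `server:` block (the page names no resolver software, so Unbound is an assumption) with the open-Do53 listener left commented out for contrast and a TLS-only listener in its place; the certificate and key paths are placeholders.

```conf
server:
  # Weak variant, kept commented out for contrast: an open Do53 listener.
  # A UDP query whose source address is spoofed gets its (larger) answer
  # sent to the spoofed address, which is what makes the resolver usable
  # as an amplifier against third parties.
  #interface: 0.0.0.0@53
  #interface: ::0@53
  #access-control: 0.0.0.0/0 allow

  # Hardened variant: listen only on the TLS port. Unbound provides TLS
  # service on exactly those interfaces whose port matches tls-port.
  interface: 0.0.0.0@853
  interface: ::0@853
  tls-port: 853
  # Placeholder paths; substitute the resolver's real certificate chain and key.
  tls-service-key: "/etc/unbound/PLACEHOLDER-privkey.pem"
  tls-service-pem: "/etc/unbound/PLACEHOLDER-fullchain.pem"

  # No UDP towards clients: a client must complete a TCP and TLS handshake
  # before any query is answered, so a spoofed source address never
  # receives a response. Upstream lookups to authoritative servers still
  # use UDP.
  do-udp: no
  udp-upstream-without-downstream: yes

  # With source spoofing ruled out, recursion can be opened to everyone.
  access-control: 0.0.0.0/0 allow
  access-control: ::0/0 allow

  # Per-client-IP cap (queries per second): a client that connects directly
  # can still hammer the resolver, so "no amplification" is not "no abuse".
  ip-ratelimit: 100
```

Verify the result with a DoT client against port 853 and confirm that nothing answers on UDP or TCP port 53.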

0 Answers