Hello all, I’m looking for a second set of eyes before I potentially screw up all my self hosted services. I’ll be the first to admit I’m not an IT expert and am getting a wee bit lost in all of the reading I’ve been doing so please go easy on me.
I’m currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following wolfgangs instructions with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate which is far more than I’m willing to pay for my little self-hosting hobby.
Fundamentally I believe I need to point my domain to new nameservers which provide support for ‘Let’s Encrypt’. If there were a vendor that offered that as a service I think I could leave the domain with bluehost and simply point the nameservers elsewhere. I “think” cloudflare offers this but its the only one and I’ve heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?
The other option I see, which seems more broadly supported, is to transfer my domain from bluehost to another vendor. Does anyone have suggestions? I’ve struggled to see the renewal costs when looking at these transfers.
Before fully borking my setup, would appreciate some input on if I’m on the right track or not. Thank you!
I just self-host my own DNS server. Works like a charm. Setting up DNSSEC was a tad fiddly tho.
Long story short:
digcan use a specific server)Doesn’t that break DNS64?
I’m fortunate to get native IPv6, so I’m not very familiar, tho I think I have basic understanding.
Did you mean you need to pick just one of {authoritative DNS server, DNS64} to listen on port 53? No, because the authoritative DNS only needs to be accessible from the outside. Run it on another machine or nonstandard port, then expose via port forwarding. Machines in LAN don’t need direct access to the authoritative DNS server, they can just as well resolve via the regular system.
DNS translates IPv4 addresses to IPv6 NAT64 addresses for networks that are IPv6 only
I believe that DNSSEC breaks it since the IP addresses will be different.
Oh, now I see. I guess then the DNS64 server needs to do the dnssec verification on behalf of the user, then drop the RRSIG records for the v4->v6 translated names.
Oh, and now I realize I confused the direction. DNS64 makes v4 into v6.
What is the security benefit of DNSSEC?
It made more sense when everything was http now https is the norm is is less useful as far as I can tell.
How could a hijacked DNS entry harm you?
You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too, look up DANE.
You can’t easy man in the middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don’t take this the wrong way but this feels like a dated way of thinking. I think in the future it will way less of a problem since http and other unencrypted/unauthenticated protocols are on their death bed.
I do appreciate the response but it is important to keep in mind tech changes rapidly. I personally don’t care for DNSSEC as it breaks the TCP/IP model. The layers should be independent to allow for maximum flexibility.