
You want a real DNS Server at home? (bind9 + docker)

  • Published 24 Mar 2023

Comments • 274

  • Paul Lacatus 2 months ago +32

    Hi Christian! Nice Bind opening clip. But more interesting would be to make a public/local DNS server, and segregating traffic would be a nice continuation. Also a good tutorial, as you do, about MX records with DKIM, DMARC, SPF records ;-)

  • V3LOXy 2 months ago +43

    Bit of advice, never use the :latest tag, look up the latest version tag (e.g. 2.4.2) and use that one instead. Always use a specific version and update in a controlled manner. You do not want to be in a situation where you've accidentally pulled a new version and your config files no longer work with that version. It will save you a lot of headache when something goes wrong or you have to migrate to a new server. You can back up your configs and docker file, but it does not ensure that those config files will work on another device, as you've not defined a version tag in your docker file and you may pull a completely different version. (I'm bad at explaining, please do look up why you shouldn't use :latest to understand it better)

    • anyduck 🦆 1 month ago

      This image is named bind9 not just bind, so it's implied that the major version is 9, so no breaking changes for you

    • redz 1 month ago

      🙃🙃🙃🙃

    • redz 1 month ago

      🙃🙂

    • ヽ༼ຈل͜ຈ༽ノ 2 months ago +4

      There is a middle ground in between the `latest` tag or a tag pointing to a specific release. The current stable nginx release is version `1.23.3`, this version can currently be referenced by multiple tags like `latest`, `stable`, `1.23.3` or even `1`.
      If the image's maintainers are competent, these additional tags will be updated on every release. To always use the latest nginx release of version 1.x.x, but never accidentally use the releases of another major release (2.x.x), just use the tag `1`.
      In a corporate environment, where all changes to the infrastructure have to be managed in a certain way, you hopefully want to control the update process and also the whole image registry and image build process anyways and push new releases to the registry yourself.

    • theshooter2013 2 months ago

      I think it depends on how critical your application is going to be. So for something like your DNS, DHCP etc. you want to use versioning. But for something less important like a slave for an application or a non-critical web application you can use the latest tag with watchtower so you don't have to worry about updating them.

  • Ulrich Beutenmüller 2 months ago +2

    Wow, this is awesome. I was always frustrated with the number of changes needed to have proper DNS resolution in a small network without a proper DNS server. Had I only invested a few hours to understand and setup bind9, this would have saved me a ton of time. Thanks Christian.

  • Jean-Paul Pinnel 2 months ago +2

    Hi Christian, interesting video. Just an idea: you could install a second Bind9 server and use the VRRP protocol to cover the fallout of the first one. I've done that with 2 Piholes on different servers with 1 virtual DNS address. If the first DNS server fails, the second one automatically takes command of the name resolution until the first one recovers 🤷🏼‍♂️. Works flawlessly!
    Greetings from Luxembourg 🇱🇺

  • Ruben Stuut 2 months ago +4

    Hey Christian! Nice video! I can see this fitting perfectly into my own lab :-). Just wondering if you'd consider a 2nd container (or K3S) or so as a secondary (internal) DNS (to maintain HA). I'm not sure if you can configure that as well in your Sophos? (perhaps round robin). Maybe this is overkill, but you keep mentioning that this is something you'd want to scale up to 'enterprise' levels. ;-).

  • Rio | 0xMK 2 months ago

    Happy New Year Christian! Awesome video to start the year. I'm waiting on some new gear to change up my lab and will be implementing BIND for internal DNS as well. Are you going to explore setting up a DNS cluster in the future? That way your primary node doesn't resolve DNS queries and is only used for updating the record configuration and then pushing the config to the secondary nodes via zone transfers.

  • Felix 2 months ago +2

    I almost switched my DNS to BIND, but decided to go with Unbound and NSD instead.
    Still, great video, configuring services like DNS and DHCP for your own network by hand is really a great learning experience

  • Nalle 2 months ago +2

    Fantastic! You explain it in a way that is so easy to understand. When I had to learn Bind 30 years ago it took forever and was as theoretical as it could be. Thank you again for an excellent tutorial.

    • Christian Lempa 2 months ago

      Thank you so much, that’s a great compliment :)

  • Velislav Varbanov 2 months ago +5

    Don't forget to add the docker networks to the internal ACL list, or you may end up like me wondering why portainer does not resolve 😅 BTW I use views to control who sees what. As a side note, if you are privacy conscious do not use forwarders. Bind is capable of resolving on its own. You may need to set up a hint zone to speed things up a little.

  • Thomas Tomchak 2 months ago +1

    @Christian, you’re an amazing teacher. You take some pretty complex subjects and make them not only understandable but exciting to try (at least for nerds like me). One question. You are using two different programs. One for terminal commands and one for text files. Both have some sort of auto-complete working on them. Can you share what two programs those are? I’m just curious.
    Thanks for another great video.

    • Christian Lempa 2 months ago +2

      Thank you so much! And yeah Shawn actually explained the tools perfectly :)

    • Shawn Hu 2 months ago +3

      They are the WARP terminal and the VS Code editor. Btw, if you don't use macOS, and bash, zsh, or fish is your default shell, you could try oh-my-bash, oh-my-zsh, or oh-my-fish to enhance your default shell. The basic auto-complete script is included in the enhancements, and you can also add your custom auto-complete scripts to the configuration file.

  • Herbst 2 months ago +3

    Hello Christian, from me and my family I wish you a happy, joyful and successful new year 2023! My kids are totally into your IT content, we're watching this video together on the projector right now. Greetings from Wiesbaden and many thanks for the effort : )

    • Christian Lempa 2 months ago

      Hey, thank you very much! I wish you a happy new year too, really cool that you enjoy the videos so much :D

  • Solverz 2 months ago +9

    You are by far the best YouTuber for this kind of content, as you don't just explain how to do something, you explain why to do things and how they actually work, not just saying put this here and there and it'll work.
    Love it!!! Shows you have put a lot of time into understanding the concepts properly.

  • christopher blare 2 months ago +1

    I liked the video! I'd definitely be interested in seeing you incorporate more advanced DNS topics like adblocking. I've used pihole but I was never able to figure out how to have a secondary DNS with the way it blocks requests. I'm not sure if that's not feasible with pihole or I just couldn't figure it out.

    • Shrinivas Ramanath 2 months ago

      @Alexander A 2nd DNS gets used regularly by clients, not just as fallback.
      You need multiple AGH/Pihole instances which get synced.

    • Alexander A 2 months ago

      @Modzilla or just ignore this, because you need the secondary DNS only as a fallback, so if it doesn't cut some ads - who cares :)
      I use 2 piholes in my home lab, with a manually wildcarded fake home domain, need to do it once. And all other settings are done only on the main pihole.

    • Modzilla 2 months ago

      You could just setup gravity sync. That will sync 2 PiHole instances.

    • Christian Lempa 2 months ago +1

      I'm not sure whether I'd like to cover that topic, however, what would be a solution for your setup: set up bind, and in the "forwarders" section add the local IP of your PiHole instance.

  • Dirk van Lierop 2 months ago

    Great video! Very interesting stuff to learn 😊 thanks for your time to explain it in detail. Also happy new year 🎉

  • DeadlyDragon 2 months ago +1

    Been using bind for about 6 years in one capacity or another. I do highly recommend you enable dnssec for a more secure experience. It'll check DNSSEC entries when they do exist for DNS Queries.

  • Matthew Cooper 2 months ago +2

    One thing you may want to look at for outside requests is using an SSL DNS server. I have the outside requests routing through STunnel. This will stop anyone from logging your DNS requests

    • Noah D 2 months ago

      One of the reasons why I use unbound in pfsense.

  • Christian Thomas 2 months ago

    Hi, thank you for this great video! I'm actually preparing to provide my own DNS server (also planned to use the Ubuntu/bind9 docker image) for my local network.
    You give many useful tips that will help.
    So again: thank you and you have a new follower now 😉.
    Cheers from Germany!

    • Christian Thomas 2 months ago

      Okay, it seems that dnsmasq is blocking port 53 (I need to use piVCCU)....

  • A&MTech 2 months ago

    Very well explained video 👏👏

  • House Mann 2 months ago

    Thanks a lot, Christian, and a blessed 2023. Are you planning a second part explaining split horizon and things like TLS w/LE for our local labs (0:52)?

    • House Mann 2 months ago

      uhm, my mistake... with the public domain and a subdomain (like home. or demo.), TLS works after setting this up, I guess^^

  • Beau Breeegz 2 months ago +1

    I'm starting down this new Homelabbing trend, but I have been doing something with old computers and servers for years.
    DNS is the one thing that I really need to understand better. I have understood the theory of DNS since the beginning of my journey in networking, but I've never seen someone go under the hood in a way that really makes it seem like the applied knowledge was close enough to achieve.
    I thought I'd be doing a PiHole setup as DNS, but I now think I will be doing a real DNS server like Bind9. Can you point to a specific reason not to use PiHole over Bind9 as a primary DNS?

  • Nemesees 1 month ago

    Very cool. I was wondering though, would it make sense to have bind9 setup and also have teleport to access the infrastructure? To be clear, I haven't deployed teleport yet, however I thought that I would access all of my infrastructure through it, even when at home. This is mainly due to teleport handling dns for apps and servers

  • Allards 2 months ago

    Nice video to kick-off 2023 and a great explanation how to set up a bind server.
    It's a long video, and I was only loosely interested, but finished it in one viewing.
    One of your best videos ever!

    • Christian Lempa 2 months ago

      Thank you so much for the kind words! That’s a huge compliment :)

  • Sandro Fabbro 2 months ago

    Hello Christian, nice tutorial for someone like me who wants to become a DevOps engineer. I suggest using phpipam, which can assign you a free IP that you can get via API. After getting this IP you could deploy VMs.

  • George 2 months ago

    Interesting video! but on the self-signed certificate 'issue' my workaround has been to deploy a container with step-ca and work with my own CA as it also plays nice with Traefik using acme :)

  • Bernd Grolig 25 days ago

    Hi Christian! Excellent videos as always :)
    Only one thing I am getting confused is:
    The solution with internal DNS Lookup is fine, as long as all nodes are in the same local network.
    But what to do if you connect to your local network from outside via a VPN (Wireguard, Tailscale, etc.). In that case my traffic gets routed directly to my mobile provider or another gateway, where I have no control to DHCP.
    For instance: If I'd like to connect from outside with my Macbook, I would get a VPN connection, but once I want to resolve the local domain that is maintained by Bind9 DNS, I could not resolve it.
    Is that correct or did I miss something in my understanding?

    • Christian Lempa 24 days ago

      Thank you! :) When you use a VPN you should configure the primary DNS server in your client's VPN config. There is a setting in wireguard to configure the DNS server's IP once the client is connected to the VPN network; the same is also true for SSL or IPSec.

  • Eric H 2 months ago

    Great video! This is something I have been wanting to do for my home network. Thank you for creating this tutorial!

  • Marco Roose 2 months ago +1

    Hey Christian! Very exciting. About half a year ago I took a closer look at DNS. I found BIND9 somehow a bit old-fashioned. I also needed something with an API to feed it externally. Back then I came across PowerDNS, which I think is great, especially with the GUI. But I also found CoreDNS really interesting, you can do a lot with it. Maybe a comparison video sometime?

    • Dirk Mothes 2 months ago

      PowerDNS is also the preferred solution. HA-capable, Docker-capable, GUI and API.. everything you need.

  • Oliver Ksiazek 2 months ago

    Hi Christian, thanks for the video. I will look further, also because 2 months ago I tried the bind9 docker implementation of ISC and I got an issue that the host on which docker is running the DNS container can't access the DNS server, which was mandatory for me as I'm using the host for other purposes as well.

  • xGshikamaru 2 months ago

    I've had a BIND server running for 10 years on my LDAP/Kerberos server, I'm very interested in being able to update my zone file every time I add a new host to my Ansible config, this is really interesting stuff indeed. I've seen that you could use pi-hole with BIND as forwarder, it confuses me that you do it the other way around, what's the benefit of this?

  • Jake Muff 2 months ago

    Please do a full home lab tour video with this included :) Everything that's running in your homelab!

  • captcan78 2 months ago

    Awesome video! I tried that for myself, and experimented a bit with allowing my DHCP to update the DNS configuration whenever it issues a new lease. However, despite setting BIND9_USER=root like in your example, bind9 was not able to create a journal in the config folder. Setting the permissions of that folder to 777 solved the issue. The newly created ".jnl" file that contains the DHCP update is however created by the root user. That's a bit strange, that root is not allowed to create files... have not found the reason for that yet.

    • Guido Palacios 1 month ago

      I used BIND9_USER=bind - this sets the user according to the group "bind" in the container path /run/named/ - by doing this bind9 was able to write the pid and session files...

  • M-Electronics 2 months ago

    I didn't know bind9 was this easy to configure before! Thanks for the video

  • PosaLab 2 months ago

    Hi, Christian... Did you give PowerDNS a chance? It's possible to save all the records/zones/SOA etc. in a MySQL DB and use a proper web interface to interact with DNS.
    Thanks anyway for this very very good tutorial, Bind remains the top choice in the enterprise arena.

  • JasonSFuller 1 month ago

    @christianlempa a few notes:
    7:26 Small nit-pick: it's "I. S. C." (Internet Systems Consortium) and not "I. C. S." You mentioned the incorrect acronym a few times.
    18:30 Try using dig (vs nslookup), since you're using BIND. IMHO (and as a former DNS admin for a large ISP), dig is more powerful and streamlined. For EL distros, you'll find it in the "bind-utils" package. Not sure about Mac or Debian-based distros like Ubuntu.
    19:30 FYI, the reason why you can use .home, .corp, and .mail (but not .local) TLDs on your private network is because ICANN's board found they were already in prevalent use, and attempting to introduce them publicly would be "high-risk" due to potential name collisions. Originally, these TLDs were not listed in any standard (or RFC) and were technically off-limits (even though people still used them), at least until ICANN Resolution 2018.02.04.12 stated "the delegations of such high-risk strings would be deferred indefinitely."
    21:15 Use named-checkconf and named-checkzone. There's probably a config option or extension in VScode to automate this, or you can just add a precommit githook.
    31:30 I'm surprised you went with BIND over CoreDNS, since I know you're interested in Kubernetes and especially given your automation aspirations (check the etcd plugin for use outside of k8s).
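The pre-commit hook suggested at 21:15, written out as an added example (not code from the video, from ISC or from the commenter): it runs named-checkconf on the main config and named-checkzone on every staged zone file, working out the zone origin from a $ORIGIN line, the SOA owner, or a `db.<zone>` file-name convention. The repository layout (config/named.conf, zone files under config/zones/) and the sample zone are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Git pre-commit hook that lints staged BIND files with named-checkconf
and named-checkzone before they can be committed.

Added example, not from the video or from ISC. The repository layout
(config/named.conf, zone files under config/zones/) is a hypothetical
convention assumed here.
"""
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path

CONF = Path("config/named.conf")   # hypothetical location of the main config
ZONE_DIR = Path("config/zones")    # hypothetical location of zone files

# Constructed sample zone, used only to illustrate origin detection.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN home.example.com.
@   IN SOA ns1.home.example.com. admin.home.example.com. (
        2023032401 ; serial
        3600 900 604800 300 )
@   IN NS  ns1
ns1 IN A   192.168.10.2
"""


def origin_from_filename(path) -> str:
    """Fallback origin by convention: 'db.home.example.com' -> 'home.example.com'."""
    name = Path(path).name
    return name[3:] if name.startswith("db.") else name


def zone_origin(text: str, fallback: str) -> str:
    """Pick the origin to pass to named-checkzone.

    Prefer an explicit $ORIGIN directive, then an absolute owner name on
    the SOA line; otherwise fall back to the file-name convention.
    """
    m = re.search(r"^\$ORIGIN\s+(\S+)", text, re.MULTILINE)
    if m:
        return m.group(1).rstrip(".")
    m = re.search(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\b", text,
                  re.MULTILINE | re.IGNORECASE)
    if m and m.group(1) != "@":
        return m.group(1).rstrip(".")
    return fallback


def run_tool(argv: list[str]) -> tuple[bool, str]:
    """Run a checker; a missing binary is a failure, not a silent pass."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return False, f"{argv[0]} not installed (bind9-utils on Debian/Ubuntu)"
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


def check_conf(path: Path) -> tuple[bool, str]:
    return run_tool(["named-checkconf", str(path)])


def check_zone(path: Path) -> tuple[bool, str]:
    origin = zone_origin(path.read_text(), origin_from_filename(path))
    return run_tool(["named-checkzone", origin, str(path)])


def staged_files() -> list[Path]:
    """Files added/copied/modified in the index (what this commit will contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [Path(p) for p in out.split()]


def main() -> int:
    failed = False
    for path in staged_files():
        if path == CONF:
            ok, msg = check_conf(path)
        elif ZONE_DIR in path.parents:
            ok, msg = check_zone(path)
        else:
            continue                      # not a BIND file, nothing to lint
        print(f"{'OK ' if ok else 'ERR'} {path}: {msg}")
        failed |= not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it with `cp bind-precommit.py .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`; a commit that touches a zone file with a missing semicolon or a bad serial is then refused before it reaches the server, and a missing checker binary fails the commit instead of quietly passing it. Remember that named-checkzone only validates syntax and basic consistency; after a successful commit you still need `rndc reload` (or a container restart) and a serial bump for secondaries to pick the change up.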

  • bravo bravo 2 months ago

    I must be honest, I have never seen a traffic storm from having a recursive DNS server on the internet. In theory it's possible and I agree it's best practice to only serve external clients records your server is authoritative for.

  • Christer Eckermann 2 months ago

    This setup looks neat, think I'll be setting up my own DNS resolver this weekend! 🌟😍

  • John Green 2 months ago

    Great video, I might need to try this out. I like the idea of the split horizon. Anyway, more importantly, what terminal is that you are using? I like the auto complete and sectioning.

    • John Green 2 months ago

      nevermind, I found warp which I'm pretty sure it is.

  • david zuccarini 8 days ago

    I love this channel, for more tutorials of this style, thank you very much.

  • Matthias Benaets 2 months ago

    I guess this is a good solution if you want some more control over your local DNS, but personally all I see is an extra container I need to manage. You can do pretty much everything the same with a reverse proxy manager, pihole and managing the record with your public DNS resolver.

  • Pedro Alonso 2 months ago

    Damn, this brings back memories. I had a class where we configured a Linux machine from the ground up, and DNS with bind9 was one of the configurations we had to do. Sadly at the time I didn't give much value to it and only remembered it now.

  • Jacob 2 months ago

    I use NextDNS as I can use it to protect my kids from nasties on the Web, both on my LAN and when they roam.
    It's an easy package to install on OpenWRT. I ended up doing split horizon without even knowing what it was by putting my internal services in the hosts file on OpenWRT.
    It works so I don't want to mess with it but would really like to move away from OpenWRT.
    This has given me a lot to think about. Thank you for the guide 👍

    • Christian Lempa 2 months ago

      You’re welcome! Hope it helps to optimize your setup :)

  • Κωνσταντίνος Νίκας

    Good morning Christian, happy new year. Thank you so much for your wonderful videos.
    I would like to ask you a few questions.
    Could we use docker compose instead of docker-compose?
    Or could we use podman instead of docker to "install" bind9.
    Is there any relationship between your custom configuration and the cloudflare tunnels I'm using?
    Finally I would like to ask as a newbie that I am, if you use port forwarding on your homelab.
    Greetings from Corfu (Greece)!!!

    • Κωνσταντίνος Νίκας 2 months ago

      @Christian Lempa I am very happy for your prompt response.🤓
      So I guess: no port-forwarding...
      I would like to see in your channel how to build container images from amd64 to arm64.(I have a raspberry pi😉)
      I would also like to see a guide yet for vscode and remote access.
      Anyway...
      Thanks again for your very informative tutorials!!!

    • Christian Lempa 2 months ago

      Thank you :) to your question, you can use any container engine that works for you, doesn’t matter whether it’s podman, docker or other tools. I’m not using cloudflare tunnels but I’m using an access proxy that’s cloud based as a secure connection to my servers, which is only for me though.

  • Zubair Zonbarkar 2 months ago

    It is a very comprehensive setup guide. I have a question: how do I connect and run a Spring docker container against an external standalone Oracle database?

  • Thomas Lund 2 months ago

    Thanks.. always as interesting, this is how I drive with bind9
    I've been running Bind for a few years now and am completely satisfied. I send the requests to the Nginx reverse proxy, which puts on the SSL certificate in front of the servers.

  • David Isaksson 2 months ago +1

    Nice introduction, thanks! Would like to implement something like this, but would miss the automatic DNS records that pfSense is providing via DHCP leases...

    • Thiago Crepaldi 14 days ago

      Hi David, this is exactly what I am trying to learn before switching from Unbound to Bind9. How to register dynamic and static DHCP leases and OpenVPN clients to the bind9 as DNS server. Have you ever got that done?

  • Guy Feldman 2 months ago +1

    You could configure your DHCP server to use dynamic dns for automatic updates to bind. Each VLAN could correspond to a different sub-domain. I don't think you need terraform or ansible.

    • Magnus Carlsson 2 months ago

      Could you please describe how to automatically update the dns from a DHCP server?
      Been looking all over, but searching for dynamic dns just gives hits on using external dyndns...

    • Mtbred 2 months ago

      @Christian Lempa I think a clean method here would be calling an ansible playbook with TF. Looks like there are a few ansible roles out on galaxy for managing Bind9. And you should be able to take the output from TF as an input in the ansible playbook

    • Christian Lempa 2 months ago +1

      Thank you! However, I'm not sure whether this would work in my case. I'd like to create a DNS record automatically with the same tool I'm using to create VMs (which is terraform).

  • PricelessToolkit 2 months ago

    Hey Christian! Nice video! I'm using Pfsense which supports wildcard certificates.

  • Sylvain de Crom 2 months ago

    Hi Christian, happy new year! A great follow up to this video would be how to generate certs for the internal hosts using letsencrypt.

  • Jeffer 2 months ago +1

    Hi Christian, I really like your video and passion about technology. Just wondering, do you have a tutorial on a quick way to spin up a new Ubuntu Server 22.04.1 LTS from a cloned image with sysprep, so all the UUIDs/MAC addresses will be unique for each machine?

  • Robert Roygaard 2 months ago

    I use BIND9 on two Raspberry Pi 3s for my public domains and a pihole on kubernetes for local IPs. My local domain is named the same as my public domain. In the past I've used bind9 with views for local and public resolution, but it was much more comfortable to use pihole on my local net.

  • stream barhoum 2 months ago

    Great video Chris! Yet maybe implementing our own local DIY CDN is a good perspective to avoid using Cloudflare, for full privacy.

    • stream barhoum 2 months ago

      @Christian Lempa All right! Think of that in a future... Best regards.

    • Christian Lempa 2 months ago +1

      Thank you! Currently no plans to do that

  • Mechrono 2 months ago

    It would be great if you checked out Pfsense, it has been proven in the small business / enterprise space for years and packed with plugins along with all the features you showcased in this video.

    • Christian Lempa 2 months ago +1

      I've tested it once, but for various reasons I'm still going with Sophos XG ;)

  • Sven Klomp 2 months ago +1

    Great video, I use pihole’s local dns features. Works great :)

  • Nicolai Cornelis 2 months ago

    Hey, just a tip. If you want to show console input/output, maybe move the window up a little, because if you watch the video with subtitles, you can't at all see what's going on.

  • Artur Meinild 2 months ago +1

    While bind9 will certainly do the job more than well, another lighter alternative is unbound (by NLnet Labs), which is also very flexible. Most people can actually do with a DNS resolver instead of a full DNS server. 👍

    • Artur Meinild 16 days ago

      @slick heisenberg Yeah I'm running Unbound myself! 👍

    • slick heisenberg 17 days ago +1

      Unbound would be the less involved and sufficient solution for most homelabs.

  • Luca Camphuisen 2 months ago

    You can use external-dns on k8s to auto sync dns records for ingress/services

  • Sleipnir 2 months ago

    I'm looking forward to watch ansible coming into play. Actually I'll try to automate the whole Bind deployment. Thanks for this great video.

  • Tesfa Taitt 3 days ago

    Christian, how do I join my Bind9 DNS server to Active Directory? Excellent video as always :)

  • Oscar Koeroo 2 months ago +1

    Love the Instructions. Why not run your own recursive server? The bind9 configuration is now a forwarder

  • Mattias Holmertz 2 months ago

    Hi Christian, did you do a video about DHCPD? Tried to see if I could find. Is it possible to do one using either the old ISC dhcpd or the new KEA?

  • Andrzej K 2 months ago

    You fell from heaven with this video. I'm planning a local DNS for my devices :) Thank you :)

  • Yizbot 2 months ago +1

    This is a great introduction to Bind9. Only question I have is do you show how to set up the split traffic thing you mention towards the beginning?
    Also you kinda gloss over this, but are you exposing this dns server publicly to be used by you to resolve local servers when you’re “out and about”? Or is it only for local traffic?

    • Christian Lempa 2 months ago

      I'd use bind9 only for internal traffic, for public traffic you can set up a second instance, but honestly, I'd prefer using my provider's DNS server for that (e.g. the public Cloudflare DNS)

  • Jeroen Klaver 2 months ago +1

    Thanks Christian!
    How about your SSL certs? Now I'm using NGINX Proxy Manager with a subdomain wildcard to my home DNS entry. Are you still facing something public? Or are you using wildcard certs with Let's Encrypt with a DNS challenge?

  • Timo 2 months ago

    Hi Christian! Thanks for the great video. I also have bind9 running in my homelab. I've even taken the whole thing a bit further. I don't use Docker but LXC, and I've set up a primary DNS, i.e. a master. It only does the zone management and updates. The secondary DNS servers (slaves) get the zone updates from the primary, and all clients send their DNS queries to the secondaries. As a forwarder I have an AdGuard running so that I have filter lists for ads and all that stuff. So the secondaries send all queries they can't resolve themselves to AdGuard, which in turn queries Quad9.
    I have my DNS servers and AdGuard running in a separate network so that I, via my OPNsense. Should one separate the DNS infrastructure or not, or put a slave DNS in every network one operates? I'm already thinking further ahead regarding dual-stack operation (IPv4+IPv6) in my local infrastructure.

  • Andrea Quentino 2 months ago +1

    I like your videos. I watch them. Thank you! Just one thing about the audio, I can improve it for free. It's no problem for me, I can help.

  • giuseppe binetti 2 months ago

    Hi Christian, I use pihole as DNS server atm but would like to move to bind9, which seems more efficient. At the same time I still need an adblocker. What should be placed first? Pihole, and then set the bind9 IP address in its custom DNS, or put bind9 as the first point of contact and then use pihole as a forwarder in bind9?

    • Christian Lempa 2 months ago

      Both should be fine, I don't know if pihole has something similar to the request route in the firewall; then it would make sense to use PC -> pihole -> bind9 -> forwarders

  • LordMortus 2 months ago

    I have been waiting for this for so long! Thank you.

  • Mehrdad G. 2 months ago

    Happy new year and great start with your awesome video and wealth of info as usual.

  • Igor 1 month ago

    The mystery of bind lifted, this video made me subscribe to your channel! ☺ I'd be very grateful if you would follow up on this, showing the Let's Encrypt certificate process? Thanks for this demo example, very helpful!!

  • Aaron Breeden 2 months ago

    This is great, but in the corporate world most companies (all companies I've worked for) use Windows ADDS as their DNS management. Even for mac and linux devices. Still great for learning about DNS though.

  • Vidyadhar Lambade 2 months ago

    Hi Chris... thank you so much for this video... you gave us the entire knowledge about DNS setup for a home lab.. I am using Pi-hole now, I will try this as well.. I have been watching your videos and following you for the last couple of years.... Just one question.. I am using a Linux Ubuntu machine, however I want to change my default terminal look. I have seen in the video that your terminal looks great; can you suggest the list of packages which I can install on my Ubuntu machines for the terminal?

    • Christian Lempa 2 months ago +1

      Thanks! I'm glad you enjoyed the video :) I'm not sure how to make these terminal customizations on Ubuntu, it's currently only available for macOS. But it will come for Linux as the devs said.

  • rdvqc 2 months ago

    Since you ask, I have been running local bind, dhcp and smtp services for about 15 years. Originally I used an HP-UX system, later moving to CentOS and recently to AlmaLinux. I have owned a number of domains and master 'home.' variants for local use. Originally, when Internet connections were slower, it cut DNS chatter on the Internet link by caching. The DHCP allows me to assign consistent IPs to my local devices and distribute DNS, gateway, NTP and other configuration. The DHCP on most ISP routers is pretty lame.

  • Bernd Eckenfels 2 months ago

    It should be mentioned that Windows DNS for a homelab where you play around with AD is an alternative, and a good Unix alternative to bind is PowerDNS.

  • Dimitri Pappas 1 month ago

    I use a similar setup, but am looking for an easy way to have a PTR/reverse record for every A record, so the IP can also resolve back to the hostname. I assume it would need some kind of GUI management tool for the bind instance, or a scripted cron job of sorts? What are the options really for automating the bind server configuration, or are the config files really managed by hand like this, even for larger production servers? This is something I'm interested in: how bigger enterprise deployments smoothly and successfully scale this type of legacy software and give it an easier front-end for managing with fewer clicks and less chance of missing a semicolon in a config file, lol

    • Christian Lempa, 1 month ago, +1

      You can use a reverse lookup zone in bind; I'm going to include that in my next tutorial.
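
The "scripted cron job" Dimitri asks about, generating the reverse lookup zone Christian mentions from the A records of the forward zone, can be a short script. This is an added example, not code from the video, the bind9 image or BIND itself; the home.arpa zone, the 192.168.178.0/24 network, the host names and the ns1/hostmaster names are constructed sample values.

```python
import ipaddress
# Constructed sample forward zone (not from the video); "guest" is outside the LAN on purpose.
FORWARD_ZONE = """\
$ORIGIN home.arpa.
$TTL 3600
@        IN  SOA  ns1.home.arpa. hostmaster.home.arpa. ( 2024010101 3600 900 1209600 300 )
@        IN  NS   ns1.home.arpa.
ns1      IN  A    192.168.178.10
nas  600 IN  A    192.168.178.20   ; explicit TTL, still an A record
proxy    IN  A    192.168.178.30
www      IN  CNAME proxy           ; aliases get no PTR
guest    IN  A    10.0.0.5
"""

def parse_a_records(zone_text):
    """Return [(fqdn, ip), ...] for every A record, expanding relative names via $ORIGIN."""
    origin, records = ".", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()        # drop comments, tokenize
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
        elif fields and not fields[0].startswith("$") and "A" in fields[1:-1]:
            name = fields[0]
            fqdn = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            records.append((fqdn, fields[fields.index("A", 1) + 1]))
    return records

def build_reverse_zone(records, network, ns, contact, serial=1, ttl=3600):
    """Return (zone_name, {owner: fqdn}, zone_text); /8, /16 and /24 map onto in-addr.arpa labels."""
    net = ipaddress.ip_network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zone needs a /8, /16 or /24 network")
    kept = net.prefixlen // 8
    zone_name = ".".join(reversed(str(net.network_address).split(".")[:kept])) + ".in-addr.arpa."
    ptr_map = {}
    for fqdn, ip in records:
        if ipaddress.ip_address(ip) not in net:
            continue                                 # belongs to another reverse zone
        owner = ".".join(reversed(ip.split(".")[kept:]))
        ptr_map.setdefault(owner, fqdn)              # first A record wins for a shared IP
    lines = [f"$ORIGIN {zone_name}", f"$TTL {ttl}",
             f"@  IN SOA {ns} {contact} ( {serial} 3600 900 1209600 300 )", f"@  IN NS  {ns}"]
    for owner, fqdn in sorted(ptr_map.items(), key=lambda kv: [int(o) for o in kv[0].split(".")]):
        lines.append(f"{owner}  IN PTR {fqdn}")
    return zone_name, ptr_map, "\n".join(lines) + "\n"

if __name__ == "__main__":   # bump `serial` on every regeneration so secondaries reload the zone
    print(build_reverse_zone(parse_a_records(FORWARD_ZONE), "192.168.178.0/24",
                             "ns1.home.arpa.", "hostmaster.home.arpa.", serial=2024010101)[2])
```

Run `named-checkzone` on the generated file before reloading bind, since a typo in the forward zone propagates into the reverse zone.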

  • launebaer86, 2 months ago

    Great video as always. Could you make a video about how you feel about moving to Mac now, after a couple of months? P.S.: Happy New Year! 🎉

    • Christian Lempa, 2 months ago

      Happy New Year to you too :D I'd like to test the Mac with a docking station first, and then a Windows vs macOS video is coming ;)

  • M-Electronics, 2 months ago

    Can you show how to configure a DNS resolver with bind9, when possible? (I don't know what you know, but it is the setup where you use a local DNS server/resolver with a file in which the root DNS servers are listed, instead of Cloudflare or Google DNS.)

  • wstrater, 2 months ago

    Why not use Ansible to create your Docker deployments? It can create the directories, configuration and deploy the containers.

  • Jeffrey smeets, 2 months ago

    I personally use a Windows Server for my DNS with AD (Windows DNS --> nginx proxy manager) with Pi-hole as the forwarder of my Windows server. It works without a problem, and I'm thinking of using an Active Directory in my home so I have a single login for all my services and devices.

  • Philipp, 2 months ago

    Add-on question: when using nginx (for example to avoid maintaining all those certificates on each system individually), all DNS names would point to the proxy. If I ssh into the target like `ssh DNSName`, the target is the nginx server, not the real server. Are you solving this issue somehow?

  • Bergrübe, 2 months ago

    Yesterday I came up with the idea to just put my local IP address (192.168.178.X) into the public DNS record, so I can get trusted wildcard certificates for the domain, which is pointing to my homelab server.
    I'm not sure if this is any security issue regarding DNS rebinding. What do you think?

  • Anandhu K Raju, 2 months ago

    Hi Christian, do you have any video on setting up a local server at home using Raspberry Pi and Docker that is published to the internet?🤔

    • Christian Lempa, 2 months ago

      Not yet, maybe I'll do a RPi video at some point, but it's not planned currently.

  • Marcel Colley, 2 months ago

    Perfect hit - I was looking for exactly that. Thank you 🎉

  • mac tech, 2 months ago

    Hey Christian, good vid.
    Many ways to do it: Cloudflare, your method... Here's how I do it:
    1. Buy a Synology+ model, 8 GB preferably (you won't regret it)
    2. Synology comes with your own free DDNS for life (must own a Synology); it also has the QuickConnect reverse tunnel as well
    3. Create a free Let's Encrypt cert, including a wildcard cert, on Synology
    4. Install Docker on Synology
    5. Create wildcards based on your DDNS in the Synology (nginx) reverse proxy section, or use nginx proxy manager in Docker on your Synology
    6. If you are behind a pfSense firewall (which I am), create firewall rules there and also create firewall rules in Synology
    7. Job done

  • DerTim, 2 months ago

    A great solution imo, but I miss an API to integrate the DNS records into my personal homelab dashboard. That would be nice. Found nothing that seems to work well with Bind9.

  • Дмитрий Лебедев, 2 months ago

    Hi Christian! Thanks for the video.
    Could you tell what terminal you use, and do you install zsh (or another shell) on all your servers?

    • Christian Lempa, 2 months ago

      Thanks! I'm using the Warp terminal and zsh with Starship on my Mac, and on my servers as well.

  • toolbelt, 2 months ago

    Fantastic video. Thanks much.

  • Sorin G, 2 months ago

    Great tutorial!

  • raymond brennan, 1 month ago

    Thank you for taking the time to make this video. It helped me.

  • wstrater, 2 months ago

    Did you talk about needing to run the bind Docker container on the host network? Can't remember, but you need the container to listen on the host IP address to be externally accessible.

  • Luigi Tech, 2 months ago, +1

    Great video, I use Adguard as home DNS

  • Zippy Doo Da, 2 months ago

    Honestly, if you're just going to run this as authoritative DNS, I'd use CoreDNS over Bind; it's much lighter, simpler config, etc.

  • Ismael Fernandez, 1 month ago

    What VS Code theme are you using in the video?

  • Alastair Drong, 1 month ago

    I hate manually specifying DNS in a config, so I've got my DHCP telling my devices to use Consul which points at my Pi Hole which points back to my DHCP.
    Consul lets me inject anything special, pi hole blocks, and the DHCP server resolves hostnames local to my network.
    I hate it, but it works.

  • M-Electronics, 2 months ago

    But you must edit the config every time you need new DNS records 😮

  • retrogamerelaspe, 1 month ago

    Curious, but would this method work for running a DNS server to play old gaming consoles online?
    I am currently trying to take on one of my biggest PC projects yet, and that would be getting a DNS server up and running to play PlayStation 2 with some pals,
    but I would also have to learn how to get the DHCP request and how to bypass the DNAS authentication. With videos on the last two topics being hard to find, I am in the dark a little bit on how to get my own DNS server to bypass DHCP and DNAS authentication.

  • Argo Sõõru, 2 months ago

    Someone already mentioned PowerDNS (with the UI PowerDNS Admin) as one option, but this may be difficult for beginners. Much more lightweight than bind is CoreDNS (which I use at home, with my own Docker build). But consider using Univention UCS, which solves many more problems at once (DNS, DHCP, LDAP (users/groups), CIFS/SMB, email, etc. (primary/secondary services)).

  • Mark Jay, 2 months ago

    Great video! Thank you!

  • George Argiros Ageraniotis, 6 days ago

    Hi. Nice video!
    What's the name of the macOS application that you are using to create the conf files?

  • M-Electronics, 1 month ago

    9:30 What SSH extension do you use in VS Code?

  • Jason Denson, 2 months ago, +1

    I've been using Technitium DNS, I definitely prefer it over BIND

    • Markus Glaetzner, 2 months ago

      Why? I have played with Technitium DNS too and I like its feature set! Do you use its DHCP, too?