You can run a DNS server (2025)

Original link: https://simonsafar.com/2025/running_dns/

This post recommends **PowerDNS** as a DNS server that is surprisingly simple to run, especially for anyone put off by the complex zone-file syntax of something like BIND 9. PowerDNS's key feature is that it pulls DNS records straight out of a database; in the example, a plain `SELECT` query lists the CNAME and A records. The author suggests setting up a subdomain (for example "your.example.com") and pointing its NS record at the new PowerDNS server. That allows experimenting without disrupting the existing, important DNS services (such as email) handled at the domain registrar. This database-driven approach is a convenient alternative to updating records by hand through a web interface: a simple database insert is enough to add a record quickly (for example a CNAME for a new service). The registrar's redundant name servers keep serving the rest of the domain, so the single experimental server is not a point of failure for anything that matters.

## Running your own DNS server - Hacker News discussion

A recent Hacker News discussion highlighted the benefits of self-hosting a DNS server, helped by how easy it has become to obtain domains and subdomains. Users shared their experiences with BIND and PowerDNS, stressing the power that full control over a domain gives. A key advantage raised in the discussion is enabling ACME (Let's Encrypt/ZeroSSL) to obtain free TLS certificates, even behind a dynamic IP address (using RFC 2136 dynamic updates). However, the standard `certbot` was not recommended because of usability problems and installation restrictions (in particular its dependence on Snap packages). Instead, users strongly recommended `acme.sh` (for Unix systems) and `simple-acme` (for Windows) as robust and well-supported alternatives for ACME certificate management, especially when dealing with CNAME redirection (pointing the `_acme-challenge` name at a zone you control). The PowerDNS authoritative server drew attention for its dynamic DNS support and for security features such as IP filtering and TSIG-key access control. In short, running your own DNS server unlocks more control and flexibility, making secure, self-managed internet services possible.

Original text

2025/05/03

In fact, it's not even especially hard to run a DNS server.

In case you were wondering whether this would mean... writing zone files in the arcane syntax that BIND 9 is apparently famous for, I hereby present the main point of this post: a recommendation for which DNS server to choose.

As it happens, the PowerDNS authoritative server, through its generic SQL backends, can serve DNS records straight out of a database. Based on some earlier posts, readers might guess which database we'll be using; the `pdns=>` prompt below gives it away as PostgreSQL.

pdns=> select * from records order by id desc;
 id | domain_id |             name              | type  |              content               | ttl | prio | change_date | disabled | ordername | auth
----+-----------+-------------------------------+-------+------------------------------------+-----+------+-------------+----------+-----------+------
 43 |         1 | some-service.your.example.com | CNAME | your-server.your.example.com       |  10 |      |             | f        |           | t
 42 |         1 | webhooks.your.example.com     | CNAME | your-other-server.your.example.com |  10 |      |             | f        |           | t
 41 |         1 | calendars.your.example.com    | CNAME | your-server.your.example.com       |  10 |      |             | f        |           | t
 40 |         1 | whisper.your.example.com      | CNAME | your-server.your.example.com       |  10 |      |             | f        |           | t
 39 |         1 | your-server.your.example.com  | A     | 100.99.98.97                       |  10 |      |             | f        |           | t


As for how anyone is going to see these DNS records... the simplest solution is delegating a subdomain of your actual domain (`your.example.com` above, `your` being the subdomain label) by adding an NS record for it at the parent that points at your (publicly accessible) DNS server. The NS target needs its own A record; if that name lives inside the delegated subdomain itself, the parent has to carry it as a glue record too, otherwise resolvers have no way to find the server.

This way, your domain apex and the subdomains that actually matter are still served by whoever provides your domain name, typically with two distinct, redundant name servers, which is more resilient than your single experimental PowerDNS instance. Email is the obvious example: it copes well with a target server being down, because the sender keeps retrying for a while, but if the target address is under a domain that (for the time being) doesn't even resolve, a sending MTA may treat that as a permanent failure and bounce the message straight away.

On the other hand, you no longer have to log into e.g. the Namecheap website to add a few CNAME records for some extra services you brought up; they're just an INSERT away. That cuts both ways, though: whoever can write to the records table controls the zone, so the database credentials deserve the same care as the registrar login.
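The two steps above (records living in a table the server SELECTs from, and a delegated subdomain served from that table) as one runnable, added example; this is not code from the original post or from the PowerDNS project. It models the generic-SQL backend in sqlite3 so it runs offline, with a table layout assumed to mirror the columns shown in the post's SELECT output. The zone, the nameserver name `ns1.your.example.com`, the address `100.99.98.97` (reused for the nameserver) and the ACME token are placeholders. The insert path also applies the checks a zone must satisfy anyway (no CNAME at the apex, no CNAME sharing a name with other data, no records for names outside an owned zone), and a TXT insert shows that DNS-01 validation is the same kind of insert.

```python
"""Added example, not from the original post: an offline model of a
PowerDNS-style SQL-backed zone (sqlite3 stands in for PostgreSQL).
Assumption: the column layout follows the PowerDNS generic SQL schema
as far as the columns used here go; names and addresses are placeholders."""
import sqlite3

SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, master TEXT,
    last_check INTEGER, type TEXT NOT NULL, notified_serial INTEGER, account TEXT);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER REFERENCES domains(id),
    name TEXT, type TEXT, content TEXT, ttl INTEGER, prio INTEGER, change_date INTEGER,
    disabled INTEGER DEFAULT 0, ordername TEXT, auth INTEGER DEFAULT 1);
CREATE INDEX records_name_type ON records(name, type);
"""


def normalize(name):
    """Owner names are stored lower-cased and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def zone_for(conn, name):
    """Return (id, name) of the domains row owning `name`, walking up its labels."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        row = conn.execute("SELECT id, name FROM domains WHERE name = ?",
                           (".".join(labels[i:]),)).fetchone()
        if row:
            return row
    raise ValueError(f"{name}: not inside any zone this server is authoritative for")


def add_record(conn, name, rtype, content, ttl=10):
    """The 'just an insert away' step, with the RFC 1034 CNAME rules enforced
    up front instead of being found later by `pdnsutil check-zone`."""
    name, rtype = normalize(name), rtype.upper()
    domain_id, zone = zone_for(conn, name)
    existing = {t for (t,) in conn.execute(
        "SELECT type FROM records WHERE name = ? AND disabled = 0", (name,))}
    if rtype == "CNAME" and (name == zone or existing):
        raise ValueError(f"{name}: CNAME cannot sit at the apex or beside {existing}")
    if rtype != "CNAME" and "CNAME" in existing:
        raise ValueError(f"{name}: already a CNAME, cannot add {rtype}")
    if rtype in ("CNAME", "NS"):  # the content is a name: canonicalize it too
        content = normalize(content)
    cur = conn.execute("INSERT INTO records (domain_id, name, type, content, ttl, disabled, auth) "
                       "VALUES (?, ?, ?, ?, ?, 0, 1)", (domain_id, name, rtype, content, ttl))
    return cur.lastrowid


def rejected(conn, name, rtype, content):
    """True when add_record refuses the record (demonstrates the checks above)."""
    try:
        add_record(conn, name, rtype, content)
    except ValueError:
        return True
    return False


def create_zone(conn, zone, ns_name, ns_ip, serial=2025050301):
    """What a delegated subdomain must serve itself: SOA, apex NS, and the A
    record that the parent's NS record (plus glue) points at."""
    zone = normalize(zone)
    cur = conn.execute("INSERT INTO domains (name, type) VALUES (?, 'NATIVE')", (zone,))
    add_record(conn, zone, "SOA", f"{normalize(ns_name)} hostmaster.{zone} "
               f"{serial} 10800 3600 604800 3600", ttl=3600)
    add_record(conn, zone, "NS", ns_name, ttl=3600)
    add_record(conn, ns_name, "A", ns_ip, ttl=3600)
    return cur.lastrowid


def lookup(conn, qname, qtype="ANY", max_chain=8):
    """Question -> SELECT, chasing CNAMEs whose target is in the same database;
    the bound keeps a CNAME loop from spinning forever."""
    qname, qtype = normalize(qname), qtype.upper()
    answers = []
    for _ in range(max_chain):
        if qtype == "ANY":
            rows = conn.execute("SELECT name, type, content, ttl FROM records WHERE name = ? "
                                "AND disabled = 0 ORDER BY type", (qname,)).fetchall()
        else:
            rows = conn.execute("SELECT name, type, content, ttl FROM records WHERE name = ? "
                                "AND type IN (?, 'CNAME') AND disabled = 0", (qname, qtype)).fetchall()
        answers.extend(rows)
        cname = next((r for r in rows if r[1] == "CNAME"), None)
        if cname is None or qtype in ("ANY", "CNAME"):
            return answers
        qname = cname[2]
    raise RuntimeError(f"CNAME chain longer than {max_chain} ending at {qname}")


def build_example_zone():
    """The post's subdomain rebuilt from its SELECT output (placeholder names)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    create_zone(conn, "your.example.com", "ns1.your.example.com", "100.99.98.97")
    add_record(conn, "your-server.your.example.com", "A", "100.99.98.97")
    for svc in ("whisper", "calendars", "some-service"):
        add_record(conn, f"{svc}.your.example.com", "CNAME", "your-server.your.example.com")
    add_record(conn, "webhooks.your.example.com", "CNAME", "your-other-server.your.example.com")
    # DNS-01 is the same kind of insert: the ACME client's token (placeholder
    # value here) goes into a TXT record under _acme-challenge.
    add_record(conn, "_acme-challenge.some-service.your.example.com", "TXT",
               '"placeholder-acme-token"', ttl=60)
    return conn


if __name__ == "__main__":
    db = build_example_zone()
    for name, rtype, content, ttl in lookup(db, "some-service.your.example.com", "A"):
        print(f"{name:45s} {ttl:5d} IN {rtype:6s} {content}")
    print("A beside CNAME rejected:", rejected(db, "some-service.your.example.com", "A", "192.0.2.1"))
```

The `lookup` for `some-service` returns the CNAME followed by the A record it resolves to; `webhooks` stops at its CNAME because `your-other-server` has no A record in this zone, exactly as in the post's table. On a real deployment the same sanity checks are available after the fact with `pdnsutil check-zone your.example.com`.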
