Hello all, I’m looking for a second set of eyes before I potentially screw up all my self hosted services. I’ll be the first to admit I’m not an IT expert and am getting a wee bit lost in all of the reading I’ve been doing so please go easy on me.

I’m currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following wolfgangs instructions with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate which is far more than I’m willing to pay for my little self-hosting hobby.

Fundamentally I believe I need to point my domain to new nameservers which provide support for ‘Let’s Encrypt’. If there were a vendor that offered that as a service I think I could leave the domain with bluehost and simply point the nameservers elsewhere. I “think” cloudflare offers this but its the only one and I’ve heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?

The other option I see, which seems more broadly supported, is to transfer my domain from bluehost to another vendor. Does anyone have suggestions? I’ve struggled to see the renewal costs when looking at these transfers.

Before fully borking my setup, would appreciate some input on if I’m on the right track or not. Thank you!

  • dihutenosa@piefed.social
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    I just self-host my own DNS server. Works like a charm. Setting up DNSSEC was a tad fiddly tho.

    Long story short:

    1. Set up Knot, teach it to serve your zone
    2. Test via resolving names in your server (dig can use a specific server)
    3. Disable DNSSEC
    4. Tell your registrar to “use my own DNS server”
    5. Generate the DNSSEC keys, upload only the pubkey to registrar, reenable
      • dihutenosa@piefed.social
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        I’m fortunate to get native IPv6, so I’m not very familiar, tho I think I have basic understanding.

        Did you mean you need to pick just one of {authoritative DNS server, DNS64} to listen on port 53? No, because the authoritative DNS only needs to be accessible from the outside. Run it on another machine or nonstandard port, then expose via port forwarding. Machines in LAN don’t need direct access to the authoritative DNS server, they can just as well resolve via the regular system.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          DNS translates IPv4 addresses to IPv6 NAT64 addresses for networks that are IPv6 only

          I believe that DNSSEC breaks it since the IP addresses will be different.

          • dihutenosa@piefed.social
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            Oh, now I see. I guess then the DNS64 server needs to do the dnssec verification on behalf of the user, then drop the RRSIG records for the v4->v6 translated names.

            Oh, and now I realize I confused the direction. DNS64 makes v4 into v6.

            • Possibly linux@lemmy.zip
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              What is the security benefit of DNSSEC?

              It made more sense when everything was http now https is the norm is is less useful as far as I can tell.

              • dihutenosa@piefed.social
                link
                fedilink
                English
                arrow-up
                1
                ·
                2 months ago

                How could a hijacked DNS entry harm you?

                • redirect to ads/spam
                • downgrade to HTTP (no HSTS), then steal creds
                • MitM the TOFU of SSH
                • probably something more…

                You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too, look up DANE.

                • Possibly linux@lemmy.zip
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  You can’t easy man in the middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don’t take this the wrong way but this feels like a dated way of thinking. I think in the future it will way less of a problem since http and other unencrypted/unauthenticated protocols are on their death bed.

                  I do appreciate the response but it is important to keep in mind tech changes rapidly. I personally don’t care for DNSSEC as it breaks the TCP/IP model. The layers should be independent to allow for maximum flexibility.

                  • dihutenosa@piefed.social
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    2 months ago

                    I’m not sure if I agree.

                    You can’t easy man in the middle authenticated protocols like SSH or HTTPS.

                    Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users’ PCs.

                    As for SSH - you missed the “TOFU” bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub doesn’t even mention it.

                    unencrypted/unauthenticated protocols are on their death bed.

                    I partially agree - encryption appears to be a solved problem today. Key distribution, however is not, it’s layers upon layers of half-solutions of wishful thinking, glued together with hope.

                    The layers should be independent to allow for maximum flexibility.

                    Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.