I would like to have deSEC run my personal and private DNS infrastructure instead of using PowerDNS directly, as I plan on later providing access to third parties and I’d like to be able to manage it nicely.
I also don’t like the idea of running services on Docker, as I’d like to do it without using the technology, which I can see is awesome, but I wish to run without it to be able to easily modify things on the fly.
I currently have 2 servers, and I wish one of them to act as the master (with the keys and everything), and the other as the slave; they are ns1. and ns2. respectively. But I also plan on setting up ns3. later on if I see the process of setting up a slave isn’t frustrating, as I have another server in another provider.
I am more or less experienced with the command-line but I haven’t developed any node applications, if that helps.
Also, after setting it up, I’d like to know which MariaDB table I have to modify to update the domain limits and to grant myself extra rights, but I assume I’ll automatically be granted all rights if my address is in the DESECSTACK_API_ADMIN environment variable.
You probably need to explain this in a little more detail. What exactly is it you wish to achieve?
I wish(ed) to set up deSEC’s infrastructure on two servers, without using Docker, but in the end I ended up going for PowerDNS with a MySQL database, so if deSEC supports it, I might later patch it to use the already running normal PowerDNS setup.
I was not aware deSEC offered a self hosting DNS server?
deSEC is built on a Docker stack. I wished to replicate that stack without Docker, but I later just ran with the plain old PowerDNS server (which is the DNS server deSEC uses under the hood); you can see that by doing:
dig @ns1.iwnp.org chaos txt version.bind
Which results in:
Served by PowerDNS - https://www.powerdns.com/
I now think I will try to patch the API part of it and the www part of it to offer a website to manage DNS, but doing that I think I am better off using something else, like PowerDNS admin tools. So I think this is now off-topic.
Ah! You are trying to deploy the stack yourself and not trying to use the hosted service. Got it.
While running deSEC without Docker is certainly possible, please do keep in mind that desec-stack quite heavily relies on network isolation and other security features provided by Docker. Without a proper full replacement of these features, the resulting application is likely to be insecure!
Oh, then I will find other better alternatives, but I still think deSEC is pretty cool, thanks everybody who contributed to it.
Just to give an option: Run it in LXC instead. It gives you the flexibility of containers and the powers of a VM-like environment. Isolation is pretty easy too, and you have the benefit of the deSEC stack running in completely unprivileged mode and an easy-to-isolate network layer too.