I would like to have deSEC run my personal and private DNS infrastructure instead of using PowerDNS directly, as I plan on later providing access to third parties and I’d like to be able to manage it nicely.
I also don’t like running services on Docker. I can see how the technology is awesome, but I wish to run without it to be able to easily modify things on the fly.
I currently have 2 servers, and I wish one of them to act as the master (with the keys and everything) and the other as the slave; they are ns1. and ns2. respectively. But I also plan on setting up ns3. later on, if I see the process of setting up a slave isn’t frustrating, as I have another server with another provider.
I am more or less experienced with the command-line but I haven’t developed any node applications, if that helps.
Also, after setting it up, I’d like to know which MariaDB table I have to modify to update the domain limits and to grant myself extra rights, but I assume I’ll automatically be granted all rights if my address is in the DESECSTACK_API_ADMIN environment variable.
I wish(ed) to set up deSEC’s infrastructure on two servers, without using Docker, but in the end I went for PowerDNS with a MySQL database, so if deSEC supports it, I might later patch it to use the already running normal PowerDNS setup.
deSEC is built on a Docker stack. I wished to replicate that stack without Docker, but I later just ran with the plain old PowerDNS server (which is the DNS server deSEC uses under the hood). You can see that by doing:
dig @ns1.iwnp.org chaos txt version.bind
Which results in: Served by PowerDNS - https://www.powerdns.com/
I now think I will try to patch the API part of it and the www part of it to offer a website to manage DNS, but for that I think I am better off using something else, like PowerDNS admin tools. So I think this is now off-topic.
While running deSEC without Docker is certainly possible, please do keep in mind that desec-stack quite heavily relies on network isolation and other security features provided by Docker. Without a proper full replacement of these features, the resulting application is likely to be insecure!
Just to give an option: Run it in LXC instead. It gives you the flexibility of containers and the powers of a VM-like environment. Isolation is pretty easy too, and you have the benefit of the deSEC stack running in completely unprivileged mode and an easy-to-isolate network layer too.