Desec stack self-hosted (no docker)

I would like to have deSEC run my personal and private DNS infrastructure instead of using PowerDNS directly, as I plan on later providing access to third parties and I’d like to be able to manage it nicely.
I also don’t like running services on Docker. I can see how awesome the technology is, but I wish to run without it to be able to easily modify things on the fly.

I currently have 2 servers, and I wish one of them to act as the master (with the keys and everything), and the other as the slave; they are ns1. and ns2. respectively. But I also plan on setting up ns3. later on if I see the process of setting up a slave isn’t frustrating, as I have another server with another provider.

I am more or less experienced with the command-line but I haven’t developed any node applications, if that helps.

Also, after setting it up, I’d like to know which MariaDB table I have to modify to update the domain limits and to grant myself extra rights, but I assume I’ll automatically be granted all rights if my address is in the DESECSTACK_API_ADMIN environment variable.

You probably need to explain this in a little more detail. What exactly is it you wish to achieve?

I wish(ed) to set up deSEC’s infrastructure on two servers, without using Docker, but in the end I went for PowerDNS with a MySQL database, so if deSEC supports it, I might later patch it to use the already running normal PowerDNS setup.

I was not aware deSEC offered a self hosting DNS server?

deSEC is built on a Docker stack. I wished to replicate that stack without Docker, but I later just ran with the plain old PowerDNS server (which is the DNS server deSEC uses under the hood). You can see that by doing:

dig chaos txt version.bind

Which results in: Served by PowerDNS -
I now think I will try to patch the API part of it and the www part of it to offer a website to manage DNS, but doing that I think I am better off using something else, like PowerDNS admin tools. So I think this is now off-topic.

Ah! You are trying to deploy the stack yourself and not trying to use the hosted service. Got it.

While running deSEC without Docker is certainly possible, please do keep in mind that desec-stack quite heavily relies on network isolation and other security features provided by Docker. Without a proper full replacement of these features, the resulting application is likely to be insecure!


Oh, then I will find other better alternatives, but I still think deSEC is pretty cool, thanks everybody who contributed to it.

Just to give an option: Run it in LXC instead. It gives you the flexibility of containers and the powers of a VM-like environment. Isolation is pretty easy too, and you have the benefit of the desec stack running in completely unprivileged mode and an easy-to-isolate network layer too.