this post was submitted on 15 Nov 2023
157 points (95.9% liked)

Selfhosted

39435 readers
3 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

A few months ago I went on a quest for a DNS server and was dissatisfied with current maintained projects. They were either good at adblocking (Blocky, grimd...) or good at specifying custom DNS (CoreDNS...).

So I forked grimd and embarked on rewriting a good chunk of it for it to address my needs - the result is leng.

  • it is fast
  • it is small
  • it is easy
  • you can specify blocklists and it will fetch them for you
  • you can specify custom DNS records with proper zone file syntax (SRV records, etc)
  • it supports DNS-over-HTTPS so you can stay private
  • it is well-documented
  • can be deployed on systemd, docker, or Nix

I have been running it as my nameserver in a Nomad cluster since! I plan to keep maintaining and improving it, so feel free to give it a try if it also fulfils your needs

top 45 comments
sorted by: hot top controversial new old
[–] [email protected] 27 points 1 year ago (3 children)
[–] [email protected] 24 points 1 year ago (2 children)
[–] [email protected] 4 points 1 year ago

Or Technitium...

[–] [email protected] 1 points 1 year ago (1 children)

Probably speed. I find pihole really slow, and I'm running it as a VM on a Xeon server.

[–] [email protected] 1 points 1 year ago

Talking about a Xeon CPU in a context vacuum is like talking about a car.
A car is anything between 100€ rust bowl on wheels and a multi million € vehicle.

So either we need a benchmark score like Passmark (or other platform of choice) score for single and multicore or your cpu model.
Giving a piHole VM 1 or 2 cores from a CPU with a single core performance equal to a Raspberry Pi 3 is quite obvious why it isnt performing as well as say a shiny new Ryzen 7900X.

Context is key.

Mine runs in docker with full hardware access (no cpu/ram limits) on a i5-1135g7. The performance is (to me) pretty good.
BUT I only tried a comparison with unbound which gave me so-so results.

[–] [email protected] 12 points 1 year ago (2 children)

I am working on adding a feature comparison to the docs. But in the meantime: leng has less features (like no web UI, no DHCP server) which means it is lighter (50MB RAM vs 150MB for adguard, 512MB for pihole), and easier to reproducibly configure because it is stateless (no web UI settings).

I believe blocky and coredns are better comparisons for leng than "tries to achieve it all" solutions like adguard, pihole...

[–] [email protected] 6 points 1 year ago (1 children)

My pihole runs at 40MB in an LXC container...

[–] [email protected] 2 points 1 year ago

Same with Adguard Home here sitting at 38MB.

[–] [email protected] 1 points 1 year ago

I'll likely stick with Blocky as it seems to offer similar plus more. But good efforts!

[–] [email protected] 3 points 1 year ago

You can script this with nix quite easily without needing a UI. For many this is a big plus.

[–] [email protected] 15 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
LXC Linux Containers
PiHole Network-wide ad-blocker (DNS sinkhole)
VPN Virtual Private Network
k8s Kubernetes container management package

6 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #282 for this sub, first seen 15th Nov 2023, 10:25] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 12 points 1 year ago (1 children)

This looks interesting.

So it's like PiHole, but written in Go, smaller and faster?

[–] [email protected] 4 points 1 year ago (1 children)

Yes (much simpler) and also allows you to specify custom DNS, which is very useful for more advanced self-hosted deployments - this is something PiHole is just not built to address

[–] [email protected] 36 points 1 year ago (2 children)

How is PiHole not built for custom DNS? It literally has an entire management page for that.

[–] [email protected] 11 points 1 year ago (2 children)

Last I used PiHole many years back, it was possible to use it as DHCP but not possible to add custom DNS records like TXT, SRV, etc. . Perhaps that’s what OP is trying to solve for?

[–] [email protected] 26 points 1 year ago (1 children)

Pinhole has allowed custom local records for a very long time now

[–] [email protected] 2 points 1 year ago (3 children)

Including SRV records? I found that some servers (blocky as well) only support very basic CNAME or A records, without being able to specify parameters like TTL, etc.

I also appreciate being able to define this in a file rather than a web UI

[–] [email protected] 13 points 1 year ago (1 children)

It's based on dnsmasq. You could always specify custom records, even before there was an option in the web interface. Just create a config file in /etc/dnsmasq.d

Just look up these options: host-record cname srv-host

[–] [email protected] 5 points 1 year ago

Thanks! I didn't know you could do that. I'll see how it compares to my current solution

[–] [email protected] 5 points 1 year ago

I do it via dnsmasq, that Pi uses.

I have a ansible playbook, that i use to sync my Piholes.

[–] [email protected] 2 points 1 year ago

You can do the basic records via file. /etc/pihole/custom.list is a hosts formatted file for records so you don't have to use a gui.

[–] [email protected] 3 points 1 year ago

You can set CNAME and DNS. Not much else I need at home for a reverse proxy.

[–] [email protected] 3 points 1 year ago (1 children)

Like [email protected] said - I want to be able to add my own records (SRV, A, CNAME...) so that I can point to the services hosted in my VPN. CoreDNS is good for this but it doesn't also do adblocking. If PiHole can do this, I don't know how.

I also don't need a web UI, DHCP server, and so on: I just want a config file and some prometheus metrics

[–] [email protected] 2 points 1 year ago (1 children)

Tangential partial offtopic aside: Unless i'm misunderstanding, you're setting this up behind your home router and allowing it on your various devices using a VPN. Am i right? Any details, or even better, guides, on how to replicate this setup? I guess the DNS records on Leng are to be able to call services inside your home LAN by name instead of IPs, which is a nice quality of life upgrade.

[–] [email protected] 1 points 1 year ago (1 children)

What you described is correct! How to replicate this will depend heavily on your setup.

In my specific scenario, I make the containers of all my apps use leng as my DNS server. If you use plain docker see here, if you use docker compose you can do:

version: 2
services:
 application:
  dns: [10.10.0.0] # address of leng server here!

Personally, I use Nomad, so I specify that in the job file of each service.

Then I use wireguard as my VPN and (in my personal devices) I set the DNS field to the address of the leng server. If you would like more details I can document this approach better in leng's docs :). But like I said, the best way to do this won't be the same if you don't use docker or wireguard.

If you are interested in Nomad and calling services by name instead of IP, you can see this tangentially related blog post of mine as well

[–] [email protected] 1 points 1 year ago

Looks like your blog web server fell over. =(

[–] [email protected] 8 points 1 year ago (1 children)

Damn! In a previous comment somewhere else I had just recently shared my dispair at how I hadn't found an easy to follow self hosted DNS server.

I appreciate this immensely and hope to enjoy it once I figure out how to install!

Keep up any and all good work you feel passionate enough about to crank out helpful things in physical reality.

[–] [email protected] 3 points 1 year ago

If it's helpful to you it's helpful in reality!

If you are having trouble installing or the documentation is not clear, feel free to point it out here or in the issues on github. Personally I think it is simplest to use docker :)

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Reads nice but your docs are 404'ing so I can't investigate much :D

EDIT. Found it. You've got a '.com' instead of a '.io'.

[–] [email protected] 5 points 1 year ago

Ouch, thanks for catching that! Should be good now. Link here for the curious

[–] [email protected] 4 points 1 year ago

This is awesome. I've been looking into DNS servers with ad blocking and this seems to be a perfect fit. And it is packaged for Nix, so I'll definitely give it a go.

[–] [email protected] 3 points 1 year ago (1 children)

So cool! I was looking for something really simple like this recently.

Tossed a PR in there BTW, the template config in Configuration.MD was causing me some issues.

[–] [email protected] 1 points 1 year ago

Thank you for your PR! Keen to hear your feedback after you've used it a bit

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Does this just use an upstream dns server or can it do recursive resolution like unbound? Does it cache results?

[–] [email protected] 1 points 1 year ago (1 children)

If you mean CNAME flattening I have an issue for it. If you mean recursively resolving CNAME until the end record is found, it does support it.

For example, if you set a custom record mygoogle.lol IN CNAME google.com Leng will return a response with an A record with a google.com IP address when you visit mygoogle.lol

[–] [email protected] 3 points 1 year ago (1 children)

I’m basically just wondering if I can replace my blocky+unbound setup with just leng!

[–] [email protected] 1 points 1 year ago (1 children)

I think the answer is yes (as leng is recursive) but can you explain your use-case and expected behaviour a bit so I can get a better idea of what you want unbound to do that blocky is not doing?

[–] [email protected] 2 points 1 year ago (1 children)

I think it does caching because grimd does caching. I want a dns filter and dns resolver that's selfhosted but still performant and low latency. Caching of course is big part of that because if you're running recursive queries every time, your ping will be like 100-200ms.

[–] [email protected] 1 points 1 year ago (1 children)

Leng will cache each step of recursion, and it relies on upstream resolvers to do recursion for it as well (like grimd), so you should not be seeing 200ms resolution in any scenario.

I am keen for you to give it a shot - if you do please make an issue if it's not behaving like you were hoping for

[–] [email protected] 1 points 1 year ago (1 children)

Ahh interesting. So do you have to manually set an upstream dns server?

[–] [email protected] 1 points 1 year ago

Correct, and much like grimd you can specify several. But unlike grimd, leng will perform recursion when the upstream server is not capable of resolving queries completely (namely, because a CNAME resolved by upstream somewhere points to a domain that is part of your custom DNS records, or vice versa)

[–] [email protected] 2 points 1 year ago (1 children)

Does this support DNS management with nsupdate? I'm currently automating DNS on pihole by changing a text file and reloading the service, which is just not very convenient not to mention slow.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

I have a similar use case where I also need my records to change dynamically.

Leng doesn't support nsupdate (feel free to make an issue!), but it supports changing the config file at runtime and having leng reread it by issuing a SIGUSR1 signal. I have not documented this yet (I'll get to it today), but you can see the code here

Alternatively, you can just reload the service like you do with pihole - I don't know how quick pihole is to start, but leng should be quick enough that you won't notice the interim period when it is restarting. This is what I used to do before I implemented signal reloading.

Edit: my personal recommendation is you use templating to render the config file with your new records, then reload via SIGUSR1 or restart the service. nsupdate would make leng stateful, which is not something I desire (I consider it an advantage that the config file specifies the server's behaviour exactly)

[–] [email protected] 1 points 1 year ago (1 children)

Pihole reloading in my case is probably mostly slow because of the hardware. That signal functionality to reload is pretty neat, though I think I disagree with the config files being the only thing specifying the servers behaviour exactly being a big advantage. In an environment using infrastructure as code it would probably be better to define DNS over the generic nsupdate API (e.g. with ansible or other equivalent tools) than having to write custom code to reload some config files that have to be regenerated every time. But for smaller home setups both options are probably fine anyhow.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I think there are two approaches to infrastructure as code (and even code in general):

  • as steps (ansible, web UI like pihole...)
  • declarative (nix, k8s, nomad, terraform...)

Both should scale (in my company we use templating a lot) but I find the latter easier to debug, because you can 'see' the expected end result. But it boils down to personal preference really.

As for your case, ideally you don't write custom code to generate your template (I agree with you in that it's tedious!), but you use the templating tool of your framework of choice. You can see this example, it's on grimd (what I forked leng from) and Nomad, but it might be useful to you.

P.S also added to the docs on the signal reloading here