Selfhosted

51445 readers

435 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Second set of eyes - DNS Nameservers (sh.itjust.works)

submitted 2 weeks ago by BingBong@sh.itjust.works to c/selfhosted@lemmy.world

24 comments fedilink hide all child comments

Hello all, I'm looking for a second set of eyes before I potentially screw up all my self hosted services. I'll be the first to admit I'm not an IT expert and am getting a wee bit lost in all of the reading I've been doing so please go easy on me.

I'm currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following wolfgangs instructions with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate which is far more than I'm willing to pay for my little self-hosting hobby.

Fundamentally I believe I need to point my domain to new nameservers which provide support for 'Let's Encrypt'. If there were a vendor that offered that as a service I think I could leave the domain with bluehost and simply point the nameservers elsewhere. I "think" cloudflare offers this but its the only one and I've heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?

The other option I see, which seems more broadly supported, is to transfer my domain from bluehost to another vendor. Does anyone have suggestions? I've struggled to see the renewal costs when looking at these transfers.

Before fully borking my setup, would appreciate some input on if I'm on the right track or not. Thank you!

you are viewing a single comment's thread
view the rest of the comments

[–] possiblylinux127@lemmy.zip 1 points 2 weeks ago (3 children)

What is the security benefit of DNSSEC?

It made more sense when everything was http now https is the norm is is less useful as far as I can tell.

[–] dihutenosa@piefed.social 1 points 2 weeks ago (2 children)

How could a hijacked DNS entry harm you?

redirect to ads/spam
downgrade to HTTP (no HSTS), then steal creds
MitM the TOFU of SSH
probably something more...

You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too, look up DANE.

[–] possiblylinux127@lemmy.zip 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

You can't easy man in the middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don't take this the wrong way but this feels like a dated way of thinking. I think in the future it will way less of a problem since http and other unencrypted/unauthenticated protocols are on their death bed.

I do appreciate the response but it is important to keep in mind tech changes rapidly. I personally don't care for DNSSEC as it breaks the TCP/IP model. The layers should be independent to allow for maximum flexibility.

[–] dihutenosa@piefed.social 1 points 2 weeks ago

I'm not sure if I agree.

You can't easy man in the middle authenticated protocols like SSH or HTTPS.

Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users' PCs.

As for SSH - you missed the "TOFU" bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub doesn't even mention it.

unencrypted/unauthenticated protocols are on their death bed.

I partially agree - encryption appears to be a solved problem today. Key distribution, however is not, it's layers upon layers of half-solutions of wishful thinking, glued together with hope.

The layers should be independent to allow for maximum flexibility.

Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.