DNS without DDoS
2026-03-27
Problem: I want one homelab server to act as both a recursive DNS resolver for the other devices on the network and an authoritative server for my own domain(s). However, all DNS queries arrive on port 53, and only one server can listen on it.
Naive solution: Point everything at the recursive resolver, and configure the resolver to forward requests for our domains to the authoritative server. The authoritative server listens on a port other than 53.
Issue: Our authoritative server needs to be reachable from the internet to really be authoritative for our own domain. Yet a recursive resolver reachable from the public internet is an open resolver, which can be abused in DNS amplification DDoS attacks.
Solution: The recursive resolver is reachable only from the internal network; requests from the internet are blocked. The router has port forwarding set up so that any incoming requests on port 53 go to our authoritative server, on its custom port.
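The setup above, as an added example that is not the author's own configuration. It assumes Unbound as the recursive resolver, an authoritative daemon on the same host listening on port 5353, a LAN of 192.168.1.0/24, a server address of 192.168.1.10, the zone home.example, and a router running nftables with upstream interface wan0; every one of those values is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. All names and numbers below
# are placeholders: swap in your own LAN, server address, zone and ports.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"
AUTH_PORT="${AUTH_PORT:-5353}"
ZONE="${ZONE:-home.example}"
WAN_IF="${WAN_IF:-wan0}"

# Recursive resolver (Unbound): answers the LAN only, refuses everyone else,
# and hands queries for our own zone to the authoritative daemon on its port.
unbound_conf() {
    cat <<EOF
server:
    interface: 0.0.0.0
    port: 53
    # Refusing non-LAN sources is what keeps this box from being an open
    # resolver, even if a port forward were ever pointed at it by mistake.
    access-control: 127.0.0.0/8 allow
    access-control: ${LAN_NET} allow
    access-control: 0.0.0.0/0 refuse
    # Unbound will not forward to loopback unless told otherwise.
    do-not-query-localhost: no
    # Our zone is unsigned; skip DNSSEC validation for it.
    domain-insecure: "${ZONE}"
forward-zone:
    name: "${ZONE}"
    forward-addr: 127.0.0.1@${AUTH_PORT}
EOF
}

# Router (nftables): rewrite inbound port 53 to the authoritative daemon's
# custom port. Both UDP and TCP are needed: DNS falls back to TCP for large
# answers and uses it for zone transfers. Nothing is forwarded to the
# recursive resolver's port 53, so it stays internal-only.
router_nft_rules() {
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "${WAN_IF}" udp dport 53 dnat to ${SERVER_IP}:${AUTH_PORT}
        iifname "${WAN_IF}" tcp dport 53 dnat to ${SERVER_IP}:${AUTH_PORT}
    }
}
EOF
}

# Usage: unbound_conf > /etc/unbound/unbound.conf.d/homelab.conf  (on the server)
#        router_nft_rules | nft -f -                                (on the router)
```

Run `unbound-checkconf` on the generated file before reloading, since a typo in `access-control` is exactly the kind of mistake that silently reopens recursion.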
It's a WIP, but I'll try setting it up like that in the homelab.