OpenWrt servicing public DNS queries

So, let's start a discussion.

I've got FQDNs, public IPv4 space on my WAN, and the need to host parts of the public IP for services. I would like to host my own BitWarden (Lastpass bubye), along with some other services. To do this, I'm putting my OpenWrt devices at the edge and assigning public IPs to their WAN ports.

Ok... So, how do I handle DNS? Leave it at Google where I can add entries? I've got up to 4 public IPs, but if I can consolidate to 1 or 2, I'd rather have it that way. Web hosting is done externally. Mail is done externally. So, host DNS locally? Host a secondary that can handle LAN routing? I'm just familiar enough with DNS to be an attacker's erotic fantasy. I know that handling it myself brings total control, and all the responsibility, so, advice?

Edit: This premise is based on a device with a MIPS64 Dual-Core Octeon3, 1Gb RAM. It gets 910MiB/s down, 240 MiB/s up to the ISP Speedtest server, which is my throughput max. So it is at least getting past my leg at full bandwidth. So, assume the device would be able to handle the light/moderate load it might see. Although, if it's an issue, certainly voice it.

Most consumer ISPs won't like you answering DNS queries; this is typically one of the metrics they use for determining botnet members (DNS-based amplification attacks, etc.).

2 Likes

Well, I'm not explicitly denied it, but I acknowledge they might get huffy about it. They don't mind the rest of it (I control 21/22/25 for example), but who knows. Assuming they won't mind though...

Do you have a suggestion on the best way to go about the issue? I posted it here because there are super talented folks and the opinions to match. I'm not set on any given way of doing it, so.. Whatcha Got?

My suggestion would be not to try it.

The primary concern is 24/7 (five nines) availability; this is typically nothing you'd want to do on your home devices. Yes, DNS itself isn't very complicated - but resisting the urge to reboot your home systems very often is. One of the better DNS registrars usually does a decent job at this (regionally diverse alternatives) and offers a good-enough web frontend to cover most semi-common bases.

If you still want to do this, I wouldn't do this on the router - and not really on OpenWrt either (a more general-purpose distribution with in-place upgrade support makes sense, as does virtualization/containerization; this is an attack vector, so restricting whatever the potential attacker can do is king). SELinux or other security modules wouldn't be the worst decision either. Which DNS server to choose is mostly a matter of personal preference, as long as you pick a battle-tested 'major' one.

2 Likes

Fair enough. Perhaps I can leave it at Google (my registrar), and do something like a reverse proxy to route from public to private, and just point the A/AAAA/CNAME to one or two addresses?

I should mention that I maintain my own images, and I'm not dependent on major releases, so unless you think OpenWrt as an embedded OS can't handle it, I'm ok with using it.

I think I'm being incredibly dense, and thank you @slh for saving me from myself ;p

I'm just overcomplicating the whole thing.
