One of the biggest wins in home networking is self-hosting your own DNS server. It's not just that you can enable DNS filtering to clean up your network — that's a good start — but it can be so much more. From creating local domain names so I can reach my home lab experiments with human-readable URLs, to handling different domain resolution on different subnets or DHCP scopes, and other advanced tweaks, DNS is the technology that keeps my home lab purring along.
The DNS server I prefer to run at home is Technitium, which is powerful, has a great UI, and now has clustering, so I can run multiple copies and have them in sync without extra setup steps. It's also as powerful as any commercial option, so I can use zones and split-horizon DNS to ensure my devices always use the lowest-latency DNS resolution method.
DNS filtering is a powerful tool
Where else can you block threats before they touch your network?
I have two conditions for DNS filtering. One, it's great if I'm the one doing it. Two, it's less than great if my ISP is the one doing it. I've used AdGuard, Pi-hole, Technitium, and the built-in block lists in OPNsense, and they all do pretty much the same job. After all, they're using the same lists of troublesome DNS records to keep my network spam- and scam-free.
It's an instant improvement to any network, but you don't have to take my word for it. In 2024, Akamai Technologies Inc. found that bots accounted for 42% of all web traffic, with 65% of those being malicious. If you thought your network was safe, it isn't, not really, until you implement a firewall and some DNS filtering, and possibly an IDS/IPS solution to identify and block the malicious traffic that the DNS blocklists don't cover.
But DNS can be so much more
DNS filtering is one of the simplest things a DNS server can implement, because it simply prevents those domains from resolving and sending data to your devices. The less incoming junk traffic, the better the rest of your network behaves.
It doesn't stop there, though. Local caching speeds up your browsing after the first hit to any domain, making a huge difference to the responsiveness of the sites you visit regularly. Plus, you can add an internal namespace for home lab content, encrypt your DNS queries for privacy, and more. And my favorite: linking it to my DHCP servers to dynamically register hostnames for devices, VMs, and containers as they pop on and off my network.
Split horizon DNS makes things more responsive
Make your internal resources more secure and faster by limiting where they can resolve
Okay, while it's true enough that split-horizon DNS does provide defense in depth, that's not the reason you use it in the home lab or home network. It's to reduce reliance on third-party services, making our networks more resilient. If you're using an external DNS server (hi Cloudflare, have you crashed lately?), then when it or your internet goes out, so do your internal services, because they're all tied together. If your devices can't resolve the domain used for Jellyfin or any other service you want to access, you can't use it. And when the internet goes out is exactly when you'll want that internal DNS resolution working to keep yourself entertained.
By not having to route packets out and back, or within the network as a hairpin, you save milliseconds on every DNS query, which adds up when you're using latency-aware services and tools.
Set the internal DNS server to forward unresolved requests to a recursive server in your DMZ or a public DNS server — this avoids recursion issues if your internal DNS server receives a bad response from an external host.
The other big thing is privacy. Yes, you can put all your services and devices on a subnet, making it harder for external attackers to map your network. That's a lot of extra firewall rules to deal with, though, and it's often easier to use split-horizon DNS, so that external attempts to map don't resolve to your actual service domains.
Although they can be tricky to implement
Split horizon in my favorite DNS server, Technitium, lets you handle this in two ways. APP records are the simplest when you host the zones locally: you can return custom A or CNAME responses depending on the requesting device's IP address, for example answering 192.168.1.40 to clients in 192.168.1.0/25 and the public address to everyone else:

```json
{
  "192.168.1.0/25": [
    "192.168.1.40"
  ],
  "0.0.0.0/0": [
    "<public address>"
  ]
}
```

But you could also use Address Translation, which works for all domain names, whether you're hosting them or not. This is configured in the app's config rather than per record: you define groups for your client networks, then put the public-to-internal translations as a map inside each group. It's more involved, but because the closest DNS server is used as the authoritative one, you can do things like make web searches on your home network always resolve to a locally hosted SearXNG instance.
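To make the difference between the two mechanisms concrete, here is an added example (not Technitium's code) that models both: picking an answer from an APP-record style network map, and rewriting an upstream answer through a per-group translation map. The sample data is constructed, the translation config's field names are this example's own assumption rather than Technitium's schema, and longest-prefix matching of the client's network is also an assumption.

```python
import ipaddress
import json

# Constructed sample APP record data in the same shape as the page's example;
# the public-facing answer uses an RFC 5737 documentation address.
APP_RECORD_JSON = """{
  "192.168.1.0/25": ["192.168.1.40"],
  "0.0.0.0/0": ["203.0.113.10"]
}"""

# Constructed address-translation config. The field names are this example's
# own assumption, not Technitium's schema: client networks map to a group, and
# each group rewrites public answers to internal ones.
TRANSLATION = {
    "network_groups": {"192.168.0.0/16": "lan", "10.8.0.0/24": "vpn"},
    "groups": {
        "lan": {"203.0.113.10": "192.168.1.40"},
        "vpn": {"203.0.113.10": "10.8.0.1"},
    },
}


def most_specific_network(client_ip, networks):
    """Return the key in `networks` whose CIDR contains client_ip with the
    longest prefix, or None. Longest-prefix match is assumed here; the page
    does not state how Technitium orders overlapping networks."""
    ip = ipaddress.ip_address(client_ip)
    best_key, best_len = None, -1
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best_len:
            best_key, best_len = cidr, net.prefixlen
    return best_key


def split_horizon_answer(client_ip, app_record_json=APP_RECORD_JSON):
    """APP-record style: pick the address list for the client's network."""
    table = json.loads(app_record_json)
    key = most_specific_network(client_ip, table)
    return [] if key is None else list(table[key])


def translate_answer(client_ip, upstream_answers, config=TRANSLATION):
    """Address-translation style: rewrite an upstream (public) answer using
    the translation map of the group the client's network belongs to."""
    net = most_specific_network(client_ip, config["network_groups"])
    if net is None:
        return list(upstream_answers)  # unknown client network: leave untouched
    mapping = config["groups"][config["network_groups"][net]]
    return [mapping.get(addr, addr) for addr in upstream_answers]


if __name__ == "__main__":
    print(split_horizon_answer("192.168.1.77"))            # ['192.168.1.40']
    print(translate_answer("10.8.0.20", ["203.0.113.10"]))  # ['10.8.0.1']
```

Note that the APP record only helps for zones you host, whereas the translation map also rewrites answers that came back from an upstream resolver, which is why the second mechanism works for domains you don't own.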
Split horizon is one of the many things that make self-hosting a DNS server powerful
DNS is incredibly powerful, and the deeper I get into the weeds, the more I realize it's a wonder the internet functions at all. It's incredibly easy to break DNS records so that your network can no longer resolve external domain names, and that's to say nothing of needing high availability, graceful fallback, or conditional forwarding for those times when everything else breaks down. Split horizon is an incredibly powerful tool, and while it's more at home in the world of enterprise Active Directory installations, it's also very useful at home.
