My home lab is fast approaching the inflection point where it becomes a mini datacenter rather than a hobby. Which is fine, it teaches me a lot along the way, and nothing teaches you faster than a problem to solve. Or problems, really, because for every one I fix, I seem to find three more.

Occasionally, I find something that solves more than one problem rather than introducing more, and that's the case with self-hosting a DNS server. This reduces my reliance on managed DNS servers like the ones from my ISP, or Google, or any of the other commercially-available options, while letting me run DNS blocking, set up different rules for my home lab devices compared to my personal ones, and generally speed up my DNS resolution times (at least after the first time I've visited any sites).

It might not be for everyone, but it's now a non-negotiable for my home network, and after trying multiple options, I've found a happy place between maintenance-heavy Terminal apps and approachable GUIs.

It gives me more control over my network

Internal namespace, privacy, and different DNS rules for individual devices are all possible

We all know not to use our ISP's DNS by now, right? Just checking, because even changing to Quad9 or Cloudflare can have a big impact on query latency, to say nothing of the potential for domain-jacking or any of the other tricks ISPs get up to. Fair enough, I haven't had an ISP interstitial page for some time, but it used to be common in the US, and it's more common across the world in countries with less regulated utilities.

The key reason for me is to be more in control of the traffic on my network, and what goes in or out of it. That happens in multiple ways by having a DNS server on my network, first by encrypting my DNS traffic to the root, top-level domain (TLD), or name servers that hold the DNS records for the internet. Encryption prevents anyone but those servers from seeing my queries, which might sound paranoid, but when we live in an age where all data can be monetized, I'd rather not take the chance when it's a simple fix.

Another big plus for me is being able to act as my own nameserver for authoritative DNS requests while on my home network (or on my VPN). That lets me not only set up human-readable domains for my self-hosted stack, but also have those domains resolve to local-only addresses when I'm on my home network, and use IPv6 addresses for each service to connect from outside the network via an authenticated reverse proxy. This greatly simplifies connectivity, leaving me with fewer things to worry about.

Plus, I can connect it to the DHCP server on my router, to dynamically register hostnames as devices, VMs, and containers connect to the network. That makes my life easier, because I hate tracking down IP addresses and hostnames and matching them in my router's management pages so I know what's where.

The local caching and latency improvements build up over time

Ah, the contentious part. It's true enough that the first time you navigate to a domain, subdomain, or other internet resource, it will take a little longer to load while the recursive resolver in my DNS server walks the chain of authoritative servers. I'm okay with that. I grew up in the age of dial-up, and a few milliseconds while on fiber is nothing to be irritated about. I tend to visit the same few sites daily for work, so the speed benefits are apparent very quickly, and now it's something I don't want to go back from.

Content filtering is a nice bonus

If I don't want to see it on my network, it doesn't exist

Let me be clear — the only time I'm opposed to network-level DNS blocks is when they're handled by my ISP. When I'm the one holding the controls, I want to keep everything I can off my network, so the traffic I do want has as much bandwidth as it needs.

I've used on-device blocking of many types, and I'd rather stop it from reaching my network in the first place, because it all adds up. That's partially ads, but it's also domains known for malware, phishing, or other nasties. And I've got DNS blocks for many geographical areas, because I rarely need a website or service hosted there, and they're also known sources of hacks and malware.

I also don't want my IoT devices to be able to phone home off my network if possible, so I've blocked every one that I could without breaking functionality. This took a little bit of investigation with Wireshark to see where the data was going, but it's mostly working. Plus, I want my kid's devices protected from any adult content or potential sources of trouble, and I feel better doing the blocking myself rather than using a block list that might be created by people with different ideals from mine.
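As an added illustration (not the post's own configuration, and not the syntax of any particular DNS server), here is a small Python policy function showing how the split-horizon local zone described earlier and the network-wide, per-device and IoT blocking rules above fit together in one decision path; every address, zone name and list entry is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration for a home network like the one the post
# describes; every address, name and list entry here is a placeholder.
LAN = ipaddress.ip_network("192.168.10.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")
KIDS_DEVICES = {ipaddress.ip_address("192.168.10.42")}

# Split-horizon zone: answered locally for home clients and never forwarded.
LOCAL_ZONE = "lab.home.arpa"
LOCAL_RECORDS = {
    "grafana.lab.home.arpa": "192.168.10.20",
    "nas.lab.home.arpa": "192.168.10.21",
}

# Blocklists apply to a name and every subdomain beneath it.
BLOCK_ALL = {"ads.example", "malware-tracker.example"}
BLOCK_KIDS = {"adult-content.example"}
# IoT devices get default-deny with a short allowlist for endpoints they need.
IOT_ALLOW = {"firmware-updates.example"}

@dataclass(frozen=True)
class Decision:
    action: str                    # "local", "block", "forward" or "refuse"
    answer: Optional[str] = None   # A record to return, if any
    reason: str = ""

def _matches(qname: str, domains: set) -> bool:
    """True if qname equals or is a subdomain of any entry in domains."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def resolve_policy(client: str, qname: str) -> Decision:
    ip = ipaddress.ip_address(client)
    name = qname.lower().rstrip(".")
    if not (ip in LAN or ip in VPN or ip in IOT_VLAN):
        return Decision("refuse", reason="client outside home network")
    if name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE):
        # Unknown lab names still get a local NXDOMAIN (answer=None), never an upstream leak.
        return Decision("local", LOCAL_RECORDS.get(name), "split-horizon zone")
    if ip in IOT_VLAN:
        if _matches(name, IOT_ALLOW):
            return Decision("forward", reason="iot allowlist")
        return Decision("block", "0.0.0.0", "iot default-deny")
    if _matches(name, BLOCK_ALL):
        return Decision("block", "0.0.0.0", "network-wide blocklist")
    if ip in KIDS_DEVICES and _matches(name, BLOCK_KIDS):
        return Decision("block", "0.0.0.0", "per-device blocklist")
    return Decision("forward", reason="recurse or forward to encrypted upstream")
```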

There's always a trade-off

DNS is never straightforward, and hosting your own DNS server can be a never-ending string of management and tweaking. And sometimes the blocks catch things I want to use, because lists are never fully accurate. These are minor issues, really, considering how much utility I personally get for my home network and home lab, but your situation may be very different.

Self-hosting a DNS server isn't for everyone, but it has a place in my network

I wouldn't go back to not having my own DNS server, and I'm currently looking at setting up clustering so that if one server goes down, the rest of my network still works. My home lab and DHCP management wouldn't be the same without a DNS server that I can administer down to the last detail, and a public managed DNS service doesn't quite meet my needs. Your network is likely different, but even just for DNS-level blocking, it's something I'd recommend looking into.