Questions on securing acme-dns

Thanks to all the wonderful info here and on joohoi’s github I think I have a basic understanding of setting up a self-hosted acme-dns server at home. But I have a few questions on the best practices for securing the installation. I think I will use certbot—acme-dns-certbot-joohoi—acme-dns docker instance.

I assume I will port forward 53 from my firewall to the internal VM hosting the acme-dns server. I am loath to leave the server up with an open port 53 to the Internet. So I will get certbot to bring up the acme-dns instance as required. This seems easier than opening and closing the port on the actual firewall, which is on another machine and not particularly friendly to scripted (re-)configuration.

  • does this seem reasonable, is there a better way say ufw on server (VM) to close the port or something
  • can acme-dns be persuaded to log for DNS, who is talking to it; I can see the logs about what, but not who was asking.
  • does LE work equally well on 53/udp only; if I turn off the acme-dns server and it is UDP only, it will be more of a ‘black hole’
1 Like

Sorry for the typos, auto-corrupt is not your friend :wink:

1 Like

If there is nothing listening (most of the time) on that port, then it really makes no difference if the UFW is closed or open.
UDP/53 might work for most situations; it basically depends on the size of the DNS request - which will have to be TCP once it gets too large (Like for DNSSEC). But if you are only doing one domain at a time, it may work.
But overall there is not much of a greater security implication from TCP over UDP for DNS (recent MS SIGRed excluded).

2 Likes

why would you do that?

moreover: why would your ISP allow you to do that? :smiley:

1 Like

my ISP does not block port 53.

1 Like

lucky you :smiley:

and some more chars

4 Likes

Just add a 2nd :smiley:. That is = 8 characters. :wink:

3 Likes

Or just use  

3 Likes

or <putintextthatnoonecansee>

except you

To help secure acme-dns, I use iptables and have a custom acme-dns chain (see https://github.com/joohoi/acme-dns/issues/67). I use a certbot hook to open the ports into the chain on startup, and on shutdown I flush the chain; the same hook script starts/stops the acme-dns service too. The result is that acme-dns is only running and the port 53 resolver and the 8011 website are only accessible when I explicitly need it.

If you’re not familiar with iptables, it’s lower-level than ufw.

1 Like
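As an added illustration of the hook described in the post above (example code, not the poster's script and not part of acme-dns), a POSIX sh hook that starts acme-dns and populates a custom iptables chain when certbot needs it, then flushes the chain and stops the service afterwards. It assumes the chain name ACME_DNS, a systemd unit called acme-dns, DNS on 53/udp and 53/tcp, the API on 8011/tcp, and that it is wired as certbot's `--pre-hook "hook.sh open"` and `--post-hook "hook.sh close"`.

```shell
#!/bin/sh
# Hypothetical certbot pre/post hook: acme-dns and its firewall holes exist
# only for the duration of a certbot run. All names below are assumptions.
CHAIN="ACME_DNS"              # custom chain jumped to from INPUT
SERVICE="acme-dns"            # systemd unit running acme-dns
DNS_PORT=53                   # Let's Encrypt validation queries (udp and tcp)
API_PORT=8011                 # acme-dns registration/update API
API_CLIENT="${API_CLIENT:-127.0.0.1}"   # only this host may reach the API
IPT="${IPT:-iptables}"                  # set IPT=echo for a dry run
SYSTEMCTL="${SYSTEMCTL:-systemctl}"     # set SYSTEMCTL=echo for a dry run

# Print the rules that will be loaded into the chain (reviewable, testable).
# Both udp and tcp are opened for 53 so oversized answers can fall back to tcp;
# the API port is not exposed to the Internet, only to the certbot host.
acme_dns_rules() {
    printf '%s\n' \
        "-A $CHAIN -p udp --dport $DNS_PORT -j ACCEPT" \
        "-A $CHAIN -p tcp --dport $DNS_PORT -j ACCEPT" \
        "-A $CHAIN -p tcp -s $API_CLIENT --dport $API_PORT -j ACCEPT"
}

# Create the chain and the INPUT jump if missing; safe to run repeatedly.
acme_dns_chain_init() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT -j "$CHAIN"
}

# --pre-hook: start the service, then open the holes.
acme_dns_open() {
    $SYSTEMCTL start "$SERVICE"
    acme_dns_chain_init
    acme_dns_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

# --post-hook: flush the chain (holes closed), then stop the service.
acme_dns_close() {
    $IPT -F "$CHAIN"
    $SYSTEMCTL stop "$SERVICE"
}

case "${1:-}" in
    open)  acme_dns_open ;;
    close) acme_dns_close ;;
esac
```

Running it with `IPT=echo SYSTEMCTL=echo ./hook.sh open` prints the commands instead of applying them, which is a cheap way to review the rules before trusting the hook with root.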

Noted re iptables. I seem to have a mental block when it comes to iptables: “my brain just hurts and I always get it wrong”; on the whole, ufw seems a bit simpler to me :thinking:

But thanks for the hint. I am setting up specific logging on the firewall to see how much incoming traffic I am currently blocking on port 53 so I have an idea of the magnitude of the problem, and also to see if there is an increase after I publish the acme-dns server’s IP on my main DNS.

1 Like

ufw is definitely simpler. it's actually a frontend to iptables and just manages that under-the-hood.

1 Like