Not with the protections that Cloudflare provides, no. The DNS itself can be self-hosted, yes. You will likely have even more downtime from your own problems and screw-ups than you will from ever using Cloudflare. There is likely little practical benefit. But I don’t think it’s as hard as people make out. So without further ado:

##The really simple guide to self-hosted authoritative DNS:

###Step 1: glue and static IPs (the hardest part)

“Glue records” are used to tell the root servers about your authoritative servers, and very specifically, what IP they have. For reasons that will become obvious, this needs to be a pretty static IP if possible, because the glue records will need to be changed whenever your authoritative DNS moves. Two or more authoritative DNS servers are “recommended” and in some cases assumed, but for self-hosting purposes it’s really over-encouraged in my opinion. A single authoritive DNS is not ideal, but neither is self-hosting with limited resources, which is something we all do. Worst case scenario, if they force you to have two DNS servers, just use different names and set them to the same IP, that usually works. You do not need to (or want to) use glue records for ANY other DNS entries, IPs, or any normal day-to-day changes to your DNS. Only if your static IP changes.

“Glue records” are typically not hard to update, but they do often take quite a lot of time, called “propagation delay” and during that time, your DNS will be intermittent or down. In modern times I find the propagation delay for glue records is sometimes a matter of minutes and typically less than an hour for like 90% of users, but it can be up to several days in the worst case scenarios. This is why static IP is important, changing your glue records is free to do but very disruptive.

In order to actually do this, get a domain from, or transfer your existing domain to, a registrar that lets you set up glue records for self-hosting authoritative DNS. This is effectively not self-hostable, this has to be done through a registrar. In my experience, this is most of them that aren’t big-names. Cloudflare is a notable exception, you should not be using them as a registrar for self-hosting authoritative DNS. I have used misk.com for decades and am happy and familiar with them, and they call these custom nameservers. I have heard the best reviews lately for porkbun.com and their documentation for the process is here](https://kb.porkbun.com/article/112-how-to-host-your-own-nameservers-with-glue-records) but I do not use them personally. “The best” is a moving target, anyway. In any case, review the documentation and support for your chosen provider to figure out how to specify a glue record, which in almost all cases is as simple as putting in a name (the traditional old-school choice is “ns” or “ns1”) and an IP address associated with that name, which you will then use to specify as the “nameserver” for all your other domains. There should be no additional charge for this. Once it’s “glued”, then you wait. Eventually, it will start working, and third-parties outside your network will be able to ping that ns1.yourdomain.com address and get the IP you specified.

###Step 2: the DNS servers

You’ve done the “hard” work of getting the glue pointed at your IP, but that’s just a single DNS name and a single IP, and you’re not actually self-hosting anything yet. Now you have to make sure an authortitative DNS server is responding on that IP so people can get all the real details for any and all of your domains right from the source, YOU, authoritatively. That’s why it’s called authoritative DNS, you are the final authority for your domains and everyone knows it thanks to those glue records.

This is when you fire up a DNS server, the standard traditional choice for old grumpy curmudgeons like me is “bind” (version 9) to be specific, which has all kinds of crazy functionality that you don’t really care about because all you’re really going to be using it for is to read a text file called a “zone” file for each of your domains, which has an ugly archaic format but at it’s simplest is just an $ORIGIN line saying what domain it is, a $TTL line (how many seconds other DNS users are supposed to cache things before coming back to you to check if its changed), the SOA line which is a mess of stupid arbitrary info most of which is irrelevant these days and in this configuration, then a whole bunch of lines with other records (mostly A records for IPv4 addresses, but there are plenty of other options for different types of DNS records for various purposes)

So, install bind9, add a zone into the configuration for each of your domains that has type master; and file "/your/zone/file/path"; and create each text zone file for it to read. Then reload or restart bind, and your DNS should just start working.

It’s not magic and it’s really not that complicated, it’s just telling someone to start pointing your domain at your server’s IP, and then running a program on that IP that turns turn some text files into DNS. Then you can go ahead and make it complicated, if you want. There are lots of ways to make it complicated. This isn’t one of them.

###Conclusion: Why and why not

Cloudflare brings a lot of value to the table, which is why they’re so popular, but there is a cost for that. They need full control of everything and have it running on their own networks so they can protect it from DDoS and other attacks. They’re your bodyguard, they’re standing in front of you to protect you from bad guys, but the downside is, you’ll always have that guy standing in front of you. It can be kind of annoying. It’s a question of priorities. If you want to self-host your DNS, you’re effectively giving up Cloudflare’s protections. If you want Cloudflare’s protections, you’re effectively giving up self-hosting DNS. Your call, either way.

Self-hosting my own DNS, I have little to no protection from DDoS attacks. Sure I get hammered by the occasional password attempt bot or data scraper that makes my server slow and overwhelmed, that mostly gets dealt with manually or with defensive monitoring tools like fail2ban. A larger, more targeted or sophisticated attack could easily wipe my sites off the internet and probably even my intranet. If it didn’t stop, my only resolution would be to unplug the targeted machine or machines from the internet. Maybe unplug my whole network. And just wait it out. Maybe I’d have to rely on my phone hotspot, or even change ISPs if it refused to stop. I actually don’t know, because it’s never happened. If I was hosting anything controversial or highly lucrative, I might have a different experience and I might make different choices. But I’m not, I’ve never been attacked on a large scale for a long duration and I can’t really imagine any motivation or purpose that I ever would be.

I use bind9 self-hosted

Self-hosting an authoritative dns server is not a good idea for several reasons.

Cloudflare doesn’t have access to data hosted in your server unless you’re using their reverse proxy tunnel.

A momentary (if severe) blip in their availability isn’t a good reason to change providers.

Doubt cloudflare has access to your date. more like the time old joke of it was DNS.

Most likely because you purchased your domain through Cloudflare they are also your authoritative name servers for your domain. When you try to access home.your.domain if the local DNS server doesn’t already know the IP to send that traffic to it will ask CF because they are the name servers. As they are having issues they didn’t respond.

I don’t know if CF allows you do use other name servers with domains purchased by them.

Depends on a few things. If you actually put the site ‘through’ cloudflare then they act as a SSL offloading proxy and could read the content.

If they’re just providing a DNS record than no, that just points people in your direction.

I’m pretty sure Cloudflare requires you to use their nameservers if you purchase a domain through them. So you would need to transfer your domain to another registrar first. I could be wrong though. I’m not an expert on this stuff and prefer to just use a dynamic DNS service instead of paying for a domain.

I use Linode

Is there some way to self host what cloudflare does?

Your domain will always have to be rented through a 3rd party. Cloudflare is (or was?) one of the better choices for that.

Cloudflare does other things as well, most notably it can acts as a proxy: an inbetween between your server and the users. This inbetween can be useful against DOS attacks, blocking of bots, etc. But for most self hosters that part is not necessary. It’s a toggle in cloudflare’s DNS dashboard: I think you’d want it to say DNS only.

Another thing cloudflare can do is tunneling. It’s useful for when your server is behind a firewall or NAT or double NAT you can’t or don’t want to configure. You’d probably know if you use this, so I assume you don’t?

if your after alternative to CLoudflare DNS, I can recommend OVH for both domain name and zone, they have API so you can get certs for both internet facing stuff and internal domains

1984.hosting has a great free tier, and I’ve never had an issue in 7+ years

I’m fairly new at this, so I apologize if this is a silly question

Those don’t exist, afaic.

Caveat: I am unsure if Cloudflare will let you use other nameservers or if you are required to use theirs. I do know that if you use their Tunnel/ZeroTrust, you have to use their nameservers, but you can buy a domain from anywhere.

Yes, you can self host your own DNS. Bind, PowerDNS, Pi-Hole + unbound, Technitium has emerged as a new favorite, so there are options. I think you can selfhost AdGuard DNS tho the blocking service is a paid tier.

deleted by creator

Your server needs to have a static IP address. Once you have that, and have your DNS service set up, then you should be able to update your domain(s) to point to the new DNS. This new server doesn’t have to be your primary DNS entry for the domain(s), but it should be one of the first two entries. And that’s pretty much all you need to get started.

One other consideration is setting up the master/slave status of your DNS servers so you only have to make updates in one spot (helpful to ensure everything stays in sync). This isn’t a requirement, it just makes your life easier.

deleted by creator