DNS Provider Choice

stefanadelbert · August 15, 2024, 4:07am

I'm currently self-hosting a zrok instance, created using these instructions. My DNS provider is Squarespace after Google Domains sold up. Squarespace doesn't support,

wildcard entries
API access

As suggested in the guide linked above, it's a good idea to use a DNS provider that does support the above and have a caddy DNS plugin (see this list).

I'd like to change to a suitable DNS provider and I'm looking for any advice and recommendations about which one to choose to suit a self-hosted zrok instance.

qrkourier · August 15, 2024, 1:03pm

You're in luck.

It's not necessary to use the DNS service provided by Squarespace. Your DNS is separate from domain registration, i.e., you may delegate name authority to any provider by IP address.

Here's an overview:

Choose a provider like CloudFlare, Route53 from the list of those supported by Caddy.
In your registrar dashboard, e.g., Squarespace, set the NS (nameserver) records for your domain to the IP addresses prescribed by your chosen DNS provider. There will be at least two.
In your chosen DNS provider's dashboard, obtain an API token.

In your zrok instance's environment, assign these variables.

CADDY_DNS_PLUGIN=cloudflare
CADDY_DNS_PLUGIN_TOKEN=abcd1234

If you choose Route53 to provide DNS, then you must edit the Caddyfile to accommodate the shape of Route53 credentials and set the AWS variables instead of CADDY_DNS_PLUGIN_TOKEN.

tls {
  dns {$CADDY_DNS_PLUGIN} {
    access_key_id {$AWS_ACCESS_KEY_ID}
    secret_access_key {$AWS_SECRET_ACCESS_KEY}
  }
}

stefanadelbert · August 16, 2024, 1:07am

@qrkourier Thanks again for another quick and helpful reply!

If I understand you correctly,

my domain can stay registered with the registrar (Squarespace)
DNS resolution can be delegated to another DNS service provider by configuring custom domain nameservers at the registrar

I currently have several DNS records configured in Squarespace 'DNS settings' (company website, MX for Google Workspace, a few web apps, etc). Presumably these would all need to be migrated to the DNS provide I choose to use, right?

Squarespace distinguishes between,

Domain Nameservers (add nameserver hostname)
- Note the "Using our nameservers enables the most functionality for your domain"
  
  image1731×230 37.2 KB
Nameserver Registration (add hostname + IP address)

image1739×246 47.8 KB

I'm nervous about breaking things, especially given I'm nowhere close to an expert.

BTW, this is what Gemini suggested I do (is it just me or are these LLM's getting quite good?),

My company domain is registered with Squarespace. I would like to keep the domain registered there, but use an alternative DNS provider (one that allows for wildcard records and has an API). How do I go about doing that?

To keep your domain registered with Squarespace but use an alternative DNS provider, follow these steps:

Choose Your DNS Provider: Select a DNS provider that supports wildcard records and has an API. Some popular options include Cloudflare, DNSimple, and Amazon Route 53.

Get Name Servers from New Provider: Once you've signed up with your chosen DNS provider, they will provide you with a set of name servers (usually two or more). These name servers will be responsible for handling DNS queries for your domain.

Update Name Servers at Squarespace: Log in to your Squarespace account, navigate to your domain settings, and find the option to update name servers. Replace the existing Squarespace name servers with the ones provided by your new DNS provider.

Configure DNS Records at New Provider: Log in to your new DNS provider's control panel and configure the necessary DNS records for your domain. This will typically include:

A Records: Point your domain or subdomains to their respective IP addresses.

CNAME Records: Create aliases for your domain or subdomains.

MX Records: Specify the mail servers responsible for handling email for your domain.

TXT Records: Add any additional text information required for your domain (e.g., SPF records for email authentication).

Wildcard Records: Configure a wildcard record to handle requests for any subdomain that doesn't have an explicit record.

Propagation: It may take some time (usually a few hours, but sometimes up to 48 hours) for the name server changes to propagate across the internet. During this time, some users may still be directed to the old Squarespace name servers, while others will be directed to the new ones.

Important Considerations:

Squarespace Email: If you're using Squarespace's email services, you'll need to configure MX records at your new DNS provider to point to Squarespace's mail servers.

API Access: Ensure that your chosen DNS provider's API allows you to programmatically manage your DNS records. This can be helpful for automating tasks or integrating with other systems.

Support: Choose a DNS provider with reliable customer support in case you encounter any issues during setup or management.

Remember that changing name servers can impact your website's accessibility and email delivery. Double-check all your DNS records before making the switch, and be prepared for potential downtime during propagation. If you encounter any difficulties, don't hesitate to reach out to the support teams of both Squarespace and your new DNS provider for assistance.

qrkourier · August 16, 2024, 12:09pm

I understand you wish to take advantage of Squarespace's nameserver features for other things besides your self-hosted zrok instance and, again, you're in luck!

You can choose a DNS zone from your Squarespace domain to use with another DNS provider. This is called a "delegation."

Here's an overview:

Choose a zone for zrok. If your Squarespace domain is example.com then your zrok zone could be zrok.example.com.
In your wildcard DNS provider, create the zone zrok.example.com and note the NS records for the new zone.
In Squarespace DNS dashboard, create NS records matching those provided by the new zone's provider.
Create a wildcard record * in the new zone, i.e., *.zrok.example.com for the public IP address of your zrok instance.

Now DNS for zrok.example.com will work normally and globally without modifying the pre-existing DNS records in Squarespace.

stefanadelbert · August 20, 2024, 5:19am

Hi @qrkourier

Thank you once again for a quick and detailed response.

I have been trying in vain to get a solution working. Below is my actual setup, but using hypothetical data.

I own example.com which is registered with Squarespace
I'm using the Squarespace DNS service for MX and other "apps" (A records), like app.example.com, which need to stay intact
I have got a self-hosted zrok+Caddy on a VPS with IP 1.2.3.4
- I configured Caddy to use the duckdns DNS plugin
I would like to use the subdomain zrok.example.com as my DNS zone for zrok
I have registered my-zrok.duckdns.org and pointed it to 1.2.3.4
- I'm not able to create the zone zrok.example.com here
I can drill abc.my-zrok.duckdns.org and it yields 1.2.3.4, so it is correctly supporting wildcard DNS as hoped for.

The piece of the puzzle that I'm missing here to configure Squarespace such that abc123.zrok.example.com can become abc123.my-zrok.duckdns.org and resolve to 1.2.3.4 where Caddy can take over.

I think your most recent subdomain delegation solution requires that I create a zone zrok.example.com ("In your wildcard DNS provider, create the zone zrok.example.com and note the NS records for the new zone."), but DuckDNS doesn't allow for that. Subdomains need to be under the duckdns.org apex.

I tried adding a CNAME record in Squarespace for zrok --> my-zrok.duckdns.org, but this doesn't delegate for sub-sub-domains, like abc123.zrok.example.com and Squarespace doesn't allow for wildcarding...

Unless I've misunderstood, I think the combination of Squarespace and DuckDNS isn't going to work in this scenario. I might need to switch to another DNS service provider, like dynu.com.

Update 1

I have looked at deSEC as a DNS provider - it appears to be excellent (supports wildcard record names, API, zonefile download, bulk atomic record upload) and there is a caddy-dns plugin. I'm busy testing it with Caddy at the moment (rebuilding with xcaddy takes a long time...). I'm considering using it for my entire domain.

Update 2

I realised that I would be able to create a subdomain of my apex domain in deSEC, i.e. zrok.example.com, which is something I couldn't do with DuckDNS. I could therefore do as @qrkourier had suggested which was to add NS records to my apex domain DNS for zrok which point to the deSEC nameservers.

And I can confirm that this now works! I can see the caddy-dns deSEC plugin creating TXT records which allows the ACME challenge to succeed, so TLS certificates can successfully be created for *.zrok.example.com. And this allows me to create arbitrary zrok shares without having to manually update the Caddyfile. And I can leave all the other DNS records untouched in Squarespace DNS.

@qrkourier

Topic		Replies	Views
Fronted endpoint zrok	31	91	August 22, 2024
Duckdns + zrok tls: internal error zrok	3	46	August 20, 2024
ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[172.20.0.4:38382] error=[tls: client didn't provide a certificate]} handshake failed zrok	30	45	November 10, 2024
Cant forward to a Dedicated Custom Domain Name zrok	24	628	June 27, 2024
Zrok & Zrok's Public Share Firewall zrok	1	596	August 13, 2023

DNS Provider Choice

Related topics