Self-host Cloudflare DNS

Authoritative DNS hosting

Cloudflare DNS is the most popular hosted authoritative-DNS — anycast nameservers, polished web UI, free DNSSEC, API. The self-hostable replacements all serve authoritative DNS records; what they don't replicate easily is Cloudflare's anycast network of 300+ edge POPs (you'd run a few VPSs in different regions for crude global anycast).

Cloudflare DNS pricing anchor: Free for typical use; Cloudflare for Enterprise required for SLA / advanced filtering.

PowerDNS PowerDNS/pdns alive

GitHub: ★ 4.36k · last commit 3d ago · 928 open issues
License: GPL-2.0
Setup time: 30min — pdns-auth + Postgres/MySQL/SQLite backend + PowerDNS-Admin web UI
Monthly cost: $5-10/mo per VPS; run 2-3 VPSs in geographically separated regions for redundancy.

Migration sketch. Install `pdns-server` and `pdns-backend-pgsql` from your distro. Configure `gpgsql-host` and credentials in `/etc/powerdns/pdns.conf`. Add the PowerDNS-Admin web UI (`ngoduykhanh/powerdns-admin` Docker image). Migrate from Cloudflare: export each zone as BIND-format via `cf-terraforming` or by API, then `pdnsutil load-zone example.com example.com.zone`. Update registrar to point at your new NS records.

Good fit forTeams that want a battle-tested, RFC-compliant authoritative DNS with a clean web admin and SQL-backed records.

Weak atAnycast story — bring your own (BGP + multiple POPs) or accept regional latency; Cloudflare's free anycast is impossible to match cheaply.

BIND isc-projects/bind9 dead · archived

GitHub: ★ 739 · last commit 9mo ago · 0 open issues
License: MPL-2.0
Setup time: 30min — install + zone files
Monthly cost: $5/mo VPS minimum; redundancy needs 2-3 boxes.

Migration sketch. Install `bind9` from your distro. For each zone, write a BIND zone file at `/etc/bind/zones/example.com.zone` with SOA, NS, A, MX records — Cloudflare zone export via `cf-terraforming` or the API → BIND format. Configure `/etc/bind/named.conf.local` with each zone definition. Test with `dig @localhost example.com`. Update registrar NS records to point at your BIND servers.

Good fit forSysadmins who want the reference DNS implementation and are comfortable with text-file zone management.

Weak atNo built-in web UI; zone-file editing is unforgiving (missing dot, fat-finger TTL); no API without bolt-ons.

NSD + Knot DNS NLnetLabs/nsd alive

GitHub: ★ 545 · last commit 2w ago · 66 open issues
License: BSD-3-Clause
Setup time: 30min — install + zone files (similar to BIND)
Monthly cost: $5/mo VPS minimum.

Migration sketch. NSD is authoritative-only (smaller attack surface than BIND, which combines authoritative + recursive). Install `nsd` from your distro, write zone files in `/etc/nsd/zones/`, list each zone in `/etc/nsd/nsd.conf` under a `zone:` block. Knot DNS is similar but supports DNS-over-TLS / QUIC for modern privacy hardening. Cloudflare export → BIND-format zone file is consumable by both.

Good fit forAuthoritative-only deployments where minimal attack surface and high performance per CPU matter (TLDs, DNS providers).

Weak atNo bundled UI; less common in tutorials than BIND/PowerDNS.

In a terminal? npx os-alt cloudflare-dns prints this table — how the CLI works →