Originally published at: Interview: automatic, secure DNS in the Nextcloud VM with desec.io – Nextcloud
Recently the popular VM developed by Hansson IT introduced automatic, secure setup of DNS. This makes accessing the Nextcloud instance from the web easy, something most administrators need. Desec.io was the used solution, and we spoke to both the desec.io founder and Daniel Hansson.
Could you shortly introduce desec.io?
deSEC https://desec.io/ is a free, secure DNS hosting platform and has been designed with security in mind. Our goal is to spread the use of secure communication technologies with as much automation and usability as possible. In particular, we add digital DNSSEC signatures to all DNS information hosted at deSEC, so that clients can verify that DNS responses have not been manipulated.
Initially, we started this when I was running web hosting services for a few hundred domains, and couldn’t manage to find a decent DNSSEC-enabled provider that fulfilled all the requirements I had. It was pretty clear that something should be done about it, so we gathered a team and started developing what is now called deSEC.
We value security and privacy very much and therefore provide our services for free to the Internet community, without asking for any personal details besides an email address, just like Let’s Encrypt does for TLS certificates. Think of deSEC as “Let’s Encrypt for DNS Security”.
What makes it different from other DNS providers, both free and paid?
We are a non-profit organization based in Berlin, Germany. Our service is free for everyone to use, and the software under the hood is open source. DNS queries are answered from two redundant networks with 15 locations all over the world so that everyone gets low latency. Still, all sensitive key material is kept in Germany, under European GDPR jurisdiction. We only publish public DNS data and signatures globally.
While focusing on security, we think that people will use it more when if it’s easy. We, therefore, have a very advanced REST API, a quite intuitive user interface, comprehensive documentation, integration with a lot of tools and so on, to give people no excuse to not use a secure service! 🙂
As our services are free, we depend on user donations and sponsoring partners to cover our costs. With SSE Secure Systems Engineering, we have a strong and generous partner who provides us with sufficient funding to run our global infrastructure. We are also very grateful for the appreciation that many of our users show us through their tips, small and large.
Apart from things that should be standard today (near real-time updates, IPv6 support everywhere, cloud integration), we support very modern DNS and DNSSEC use cases. For example, you can use signed DNS records to coordinate key exchanges, e.g. for SSH fingerprints or GPG keys and TLS certificates (for the nerds: DANE, with OPENPGPKEY or TLSA records). You can also use automation tools like dnscontrol to orchestrate the DNS configuration of a large number of domains.
There are also several tools (such as Terraform or acme.sh) that support automated certificate issuance through Let’s Encrypt. This is a feature that is also used by Nextcloud VM now. Daniel from Hansson IT can say a bit more about how it has been implemented.
Hi Daniel, can you quickly introduce yourself and the VM?
I’m the founder and lead developer of the official Nextcloud VM. I’m a typical Swede that lives in the southern parts of Sweden close to Malmö together with my wife and daughter. I spend most of my days doing some kind of IT-related work and currently, I’m hired as a sysadmin in Malmö full-time, and run my business (T&M Hansson IT AB) in the evenings and sometimes weekends(!) It’s a hectic life but I love what I’m doing. I mean, I work with my hobby, that’s pretty nice if you ask me. 🙂
As you may already know, I founded the VM back in 2014. Back then it was because there was no easy way to install ownCloud. You needed Linux know-how and the Windows support was lacking behind. Everything had to be done manually, and coming from Windows without any knowledge in Linux – I had quite the struggle to get everything up and running. Actually, another guy in an IT forum here in Sweden helped me making the first VM for my own use. That was the “aha-moment” I needed to get inspiration for making what you can use today. That made me realize; if I could ship this as a pre-configured package with all the basics already deployed, then anyone could use it and deploy the server without any Linux skills at all!
I knew that there were more people like me – with a need for an easy and automated installation. Since I believe that self-hosting is the way to go, I started to script the installation to automate the whole process and offer just that, so that everyone could benefit from having a server deployed in no time.
In the beginning, it was very basic with almost no options but rapidly grew to what it is today. Sure, it’s years of fine-tuning and adding new features, and still is, but all and all I’d say I’m super happy with the result – and of course grateful for all the contributions over the years. The VM makes it super easy for anyone to get Nextcloud up and running in no time!
In 2016 Nextcloud was founded and the VM was the perfect fit which is why I was offered to join the Nextcloud community as the VM developer. The Nextcloud VM was actually the first way to install Nextcloud that wasn’t “the manual way”. It’s been with Nextcloud since day one and I’m grateful for all the happy users that got the chance to try it out, and that it inspired others to go down the same path. Today there are plenty of ways to install Nextcloud – either with the scripts from the VM, the actual VM itself, Snap, Docker, Ansible, NextcloudPi and many more.
When and how did you find out about desec.io and why is it such a good fit?
A long-standing issue in the Nextcloud VM appliance has been to fully automate the whole setup when it comes to including DNS/domain registration, DDNS and adding a valid TLS certificate on top of that. Parts of it was already made before, but what was missing was the complete package where you simply could run a single “one-click” installation to publish your server online. With the API of deSEC that’s now a reality! As the end-user, the only decision you have to make is what name you want to give your domain, the rest is taken care of in an automated manner. As it works even behind closed firewalls it couldn’t really be easier to get your own secure Nextcloud server.
I picked deSEC as it is a trusted and very well crafted DNS provider, their GUI is intuitive and their REST API made the whole implementation a breeze. The end-user result is a setup that doesn’t require any technical skills at all, because it’s all taken care of – 100% automated.
I am very happy with the end result and can finally say: my Nextcloud VM is the most complete automated setup of Nextcloud! We’ve covered not-so-easy-to-install apps before, we provided you with extra security measures, an installation which would give you as an end-user the complete Nextcloud experience – and now we’ve also done the domain part for you.
Eager to try it out? Download it here!