Not with the protections that Cloudflare provides, no. The DNS itself can be self-hosted, yes. You will likely have even more downtime from your own problems and screw-ups than you will from ever using Cloudflare. There is likely little practical benefit. But I don’t think it’s as hard as people make out. So without further ado:
## The really simple guide to self-hosted authoritative DNS:
### Step 1: glue and static IPs (the hardest part)
“Glue records” are used to tell the root servers about your authoritative servers, and very specifically, what IP they have. For reasons that will become obvious, this needs to be a pretty static IP if possible, because the glue records will need to be changed whenever your authoritative DNS moves. Two or more authoritative DNS servers are “recommended” and in some cases assumed, but for self-hosting purposes it’s really over-encouraged in my opinion. A single authoritative DNS is not ideal, but neither is self-hosting with limited resources, which is something we all do. Worst case scenario, if they force you to have two DNS servers, just use different names and set them to the same IP; that usually works. You do not need to (or want to) use glue records for ANY other DNS entries, IPs, or any normal day-to-day changes to your DNS. Only if your static IP changes.
“Glue records” are typically not hard to update, but they do often take quite a lot of time, called “propagation delay”, and during that time your DNS will be intermittent or down. In modern times I find the propagation delay for glue records is sometimes a matter of minutes and typically less than an hour for like 90% of users, but it can be up to several days in the worst case scenarios. This is why a static IP is important: changing your glue records is free to do but very disruptive.
In order to actually do this, get a domain from, or transfer your existing domain to, a registrar that lets you set up glue records for self-hosting authoritative DNS. This is effectively not self-hostable; this has to be done through a registrar. In my experience, this is most of them that aren’t big names. Cloudflare is a notable exception; you should not be using them as a registrar for self-hosting authoritative DNS. I have used misk.com for decades and am happy and familiar with them, and they call these custom nameservers. I have heard the best reviews lately for porkbun.com and their documentation for the process is [here](https://kb.porkbun.com/article/112-how-to-host-your-own-nameservers-with-glue-records), but I do not use them personally. “The best” is a moving target, anyway. In any case, review the documentation and support for your chosen provider to figure out how to specify a glue record, which in almost all cases is as simple as putting in a name (the traditional old-school choice is “ns” or “ns1”) and an IP address associated with that name, which you will then use to specify as the “nameserver” for all your other domains. There should be no additional charge for this. Once it’s “glued”, then you wait. Eventually, it will start working, and third parties outside your network will be able to ping that ns1.yourdomain.com address and get the IP you specified.
### Step 2: the DNS servers
You’ve done the “hard” work of getting the glue pointed at your IP, but that’s just a single DNS name and a single IP, and you’re not actually self-hosting anything yet. Now you have to make sure an authoritative DNS server is responding on that IP so people can get all the real details for any and all of your domains right from the source, YOU, authoritatively. That’s why it’s called authoritative DNS: you are the final authority for your domains and everyone knows it thanks to those glue records.
This is when you fire up a DNS server. The standard traditional choice for old grumpy curmudgeons like me is “bind” (version 9, to be specific), which has all kinds of crazy functionality that you don’t really care about, because all you’re really going to be using it for is to read a text file called a “zone” file for each of your domains. It has an ugly archaic format, but at its simplest it is just an `$ORIGIN` line saying what domain it is, a `$TTL` line (how many seconds other DNS users are supposed to cache things before coming back to you to check if it’s changed), the SOA line which is a mess of stupid arbitrary info most of which is irrelevant these days and in this configuration, then a whole bunch of lines with other records (mostly A records for IPv4 addresses, but there are plenty of other options for different types of DNS records for various purposes).
So, install bind9, add a zone into the configuration for each of your domains that has `type master;` and `file "/your/zone/file/path";`, and create each text zone file for it to read. Then reload or restart bind, and your DNS should just start working.
It’s not magic and it’s really not that complicated; it’s just telling someone to start pointing your domain at your server’s IP, and then running a program on that IP that turns some text files into DNS. Then you can go ahead and make it complicated, if you want. There are lots of ways to make it complicated. This isn’t one of them.
### Conclusion: Why and why not
Cloudflare brings a lot of value to the table, which is why they’re so popular, but there is a cost for that. They need full control of everything and have it running on their own networks so they can protect it from DDoS and other attacks. They’re your bodyguard, they’re standing in front of you to protect you from bad guys, but the downside is, you’ll always have that guy standing in front of you. It can be kind of annoying. It’s a question of priorities. If you want to self-host your DNS, you’re effectively giving up Cloudflare’s protections. If you want Cloudflare’s protections, you’re effectively giving up self-hosting DNS. Your call, either way.
Self-hosting my own DNS, I have little to no protection from DDoS attacks. Sure, I get hammered by the occasional password-attempt bot or data scraper that makes my server slow and overwhelmed; that mostly gets dealt with manually or with defensive monitoring tools like fail2ban. A larger, more targeted or sophisticated attack could easily wipe my sites off the internet and probably even my intranet. If it didn’t stop, my only resolution would be to unplug the targeted machine or machines from the internet. Maybe unplug my whole network. And just wait it out. Maybe I’d have to rely on my phone hotspot, or even change ISPs if it refused to stop. I actually don’t know, because it’s never happened. If I were hosting anything controversial or highly lucrative, I might have a different experience and I might make different choices. But I’m not; I’ve never been attacked on a large scale for a long duration and I can’t really imagine any motivation or purpose that I ever would be.
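The two files Step 2 talks about, written out as an added example (not part of the original comment): a bind9 zone stanza plus the minimal zone file behind it. `example.com`, the `203.0.113.10` address and the `/etc/bind/...` paths are placeholders; ns1 and ns2 share one IP exactly as the comment suggests, and the `options` block pins the server to authoritative-only duty so it cannot be used as an open resolver.

```dns
// ---- /etc/bind/named.conf.options (excerpt; Debian-style path, assumed) ----
options {
    recursion no;               // authoritative only: refuse recursive lookups
    allow-transfer { none; };   // no zone transfers until you add a real secondary
    allow-query { any; };       // the world must be able to ask about your zones
};

// ---- /etc/bind/named.conf.local ----
zone "example.com" {
    type master;                            // we are the source of truth
    file "/etc/bind/zones/db.example.com";  // the text zone file below
};

; ---- /etc/bind/zones/db.example.com ----
$ORIGIN example.com.
$TTL 3600                    ; default cache lifetime for records below (seconds)
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2024010101           ; serial: bump on every edit or secondaries ignore it
        7200                 ; refresh
        3600                 ; retry
        1209600              ; expire
        3600 )               ; negative-cache TTL
@   IN  NS  ns1.example.com.
@   IN  NS  ns2.example.com.      ; second name, same box, as the comment describes
ns1 IN  A   203.0.113.10          ; must match the glue record at the registrar
ns2 IN  A   203.0.113.10
@   IN  A   203.0.113.10
www IN  A   203.0.113.10
```

Before reloading, `named-checkconf` and `named-checkzone example.com /etc/bind/zones/db.example.com` will catch syntax slips in either file.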



I’m not sure about hate, but people have a pretty understandable aversion to them I would say. People don’t really have an opportunity to see or interact with normal healthy wild bats very commonly, and that’s probably a good thing. They are not really possible to be kept as pets and it is not really responsible to try. They aren’t popular at zoos because they are hard to keep in captivity and hard to exhibit as their activity schedule is pretty incompatible with ours. The bats people are most likely to interact with are rabid wild bats, because they are acting strange and erratic and unhealthy and end up in places and at times where humans will be in a position to interact with them. And they are, as you noted, freaking adorable, and they seem hurt or injured, so people will naturally be inclined to interact with them, and now they’re interacting with a rabid bat. This means if any typical human is typically interacting with a typical bat, there is a good chance they are about to get bitten and get rabies and have a really really bad time. Bats, therefore, don’t have a great reputation, because that’s how typical interactions with them usually play out.
The bats going out and eating bugs at night while we’re all sleeping aren’t bothering or attracting the notice of anyone and the vast majority of people don’t even know they’re there beyond a vague understanding that they exist.