
As I'm writing this, our company website and the web service we developed are down in the big GoDaddy outage resulting from an Anonymous attack (or so says Twitter).
We used GoDaddy as our registrar and we use it for DNS for some domains.

Tomorrow is a new day - what can we do to mitigate such outages?
Simply moving to, say, Route 53 for DNS might not be enough.
Is there any way to remove this single point of failure?

Tal Weiss
    Well it kind of sounds like you know what to do. Not only can you spread your services around (have more than 1 DNS provider, lower the TTL, and possibly use DNS round robin) but also scale out (additional web host like amazon, replicating content between hosts, depending on budget and deployment size scale up to CDNs and anycasting) – jwbensley Sep 10 '12 at 19:52
    http://tools.ietf.org/html/rfc2182 that might be of help to someone – jwbensley Sep 10 '12 at 21:20
    Normally I wouldn't give product recommendations, but I can't speak highly enough of http://www.dnsmadeeasy.com/ - a grand total of 1.5 hours of downtime since they went into business (when we signed up 5 years ago they boasted 100% uptime, and as far as I know 100% is still their SLA), and it took 50Gbps of DDoS to take them offline. Even at 49Gbps of DDoS their servers were responding; even so, that's resilience. – Mark Henderson Sep 10 '12 at 21:47
  • @MarkHenderson Hell, I see 500% SLA? `A 500% SLA for all DNS services, raising the bar industry wide.` http://www.dnsmadeeasy.com/services/managed-dns/ – Brent Pabst Sep 11 '12 at 03:04
  • @BrentPabst - well, that's interesting. What does that actually mean though? Does it just mean that they will credit you 5x the downtime period? – Mark Henderson Sep 11 '12 at 03:28
  • @MarkHenderson I don't know, but I'd be interested to find out, that's for sure. – Brent Pabst Sep 11 '12 at 11:42
  • @javano +1 for **have more than 1 DNS provider** — Amazon.com for instance uses [Dyn](http://dyn.com/dns/dynect-managed-dns/) and [UltraDNS](http://www.neustar.biz/enterprise/dns-and-ddos) (acquired by NeuStar). – its_me Sep 11 '12 at 12:22
  • Not to hijack this question, but how can you have more than 1 DNS provider? Who is usually willing to run as a slave, any of them? How do you tell your auth provider to slave to the secondary? – TheCleaner Sep 11 '12 at 13:15
  • Apart from choosing more than 1 DNS provider, you should also look at other registrars, IMHO. I use Name.com as of now, but just realized that wikileaks.org's registrar is Dynadot.com, so they must be good! – its_me Sep 13 '12 at 13:55
  • As many folks know by now, this was not an attack, but was actually a networking issue internal to GoDaddy. See http://www.thedailybeast.com/articles/2012/09/13/godaddy-s-service-disruption-how-anonymous-hacked-the-media.html and http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410&isc=smtwlp&iphoneview=1 – Stefan Lasiewski Sep 19 '12 at 23:15

3 Answers


You can eliminate this single point of failure by using two DNS providers.
It might also be feasible to run your own DNS server on one of your servers.
GoDaddy allows you to do zone transfers from their servers (IIRC premium DNS is required for this).

Get a second DNS provider which allows you to run a slave server (or run it yourself).
Adjust NS/Nserver records so they point to both providers and you are done.

faker
  • Cool, but: I see some claims on Twitter that domains that use Godaddy just as their registrar are down as well. I'm not sure how that works. – Tal Weiss Sep 10 '12 at 20:18
    If it's done correctly, I don't see how. People tend to claim that they only use it as their registrar and host their website elsewhere but fail to mention that DNS is still running on GoDaddy. – faker Sep 10 '12 at 21:10
  • For my important sites, I've always felt the registrar and NS provider should be different. Even if it doesn't provide higher availability... separation of powers can be a good thing. – Bret Fisher Sep 18 '12 at 15:50

(1) Ways to stay "unaffected" if the domain registrar's servers (NOT just the domain) themselves are DDOSed, if any.

The registrar's servers only matter if you are using them for DNS (or hosting or other services, obviously). Once your domain is registered, the records go into the root registry and you don't need your registrar to be online for your domain to work. If they are your only DNS provider then you want to consider adding more than one.

(2) "How to have more than one DNS service provider for a domain?"

(For this part you do need your registrar online, so you can enter the changes through them.) In your domain registry account, add multiple authoritative DNS servers hosted by multiple providers. This will probably require NOT using the registrar's DNS service so that you can enter the 3rd-party servers. (e.g. with GoDaddy you can't use their "domain control" in addition to 3rd-party providers; you have to choose "my domain is hosted elsewhere" to set your DNS.)

user16081-JoeT
  • For 3rd-party DNS I've used both UltraDNS and DNSMadeEasy; in my experience both work about equally well and the latter is much less expensive. – user16081-JoeT Sep 22 '12 at 03:48
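Both answers above (faker's "get a second provider that will slave the zone and point the NS records at both" and JoeT's "add authoritative servers from several providers in your registry account") end with the same question for the practitioner: after the change, is the delegation actually spread across independent providers, and are all the secondaries serving the same copy of the zone? The following script is an added example, not code from the original thread or from any of the providers mentioned. It takes the text a practitioner would collect with `dig NS example.com +short` and `dig SOA example.com @<ns> +short`, groups the NS hosts by provider, and compares the SOA serial each server returns. The provider-grouping rule (last two labels of the NS hostname) and all sample names, serials and the `*.example` hostnames are assumptions constructed for this example.

```python
"""Delegation sanity check for a zone served by more than one DNS provider.

Added example (not from the original Server Fault thread). Given the NS set
a parent zone delegates to and the SOA answer each of those servers gives,
it reports whether the zone (1) spans at least two providers and (2) is in
sync across all of them. All sample data below is constructed.
"""
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    """Approximate the operator of an NS host by its last two labels.

    Assumption of this example: ns1.provider-a.example. -> provider-a.example.
    Good enough for most managed-DNS providers; names under a multi-label
    public suffix (e.g. co.uk) would need a public-suffix list instead.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_soa_serial(soa_short: str) -> int:
    """Extract the serial from a `dig SOA +short` answer line.

    The line has the form: 'mname rname serial refresh retry expire minimum'.
    """
    fields = soa_short.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA answer: {soa_short!r}")
    return int(fields[2])


def check_delegation(ns_hosts, soa_by_ns, min_providers=2):
    """Return findings for a delegation.

    ns_hosts:  NS hostnames from the parent delegation (`dig NS +short`).
    soa_by_ns: mapping NS host -> its `dig SOA @host +short` answer, or None
               when the server did not answer (down, or not yet configured
               as a secondary for the zone).
    """
    by_provider = defaultdict(list)
    for ns in ns_hosts:
        by_provider[provider_of(ns)].append(ns)

    serials, unreachable = {}, []
    for ns in ns_hosts:
        answer = soa_by_ns.get(ns)
        if answer is None:
            unreachable.append(ns)
        else:
            serials[ns] = parse_soa_serial(answer)

    problems = []
    if len(by_provider) < min_providers:
        problems.append(f"only {len(by_provider)} provider(s): {sorted(by_provider)}")
    if unreachable:
        problems.append(f"no SOA answer from: {unreachable}")
    if len(set(serials.values())) > 1:
        # A lagging serial means a secondary is not receiving zone transfers
        # (or NOTIFYs) from the primary and will serve stale data.
        problems.append(f"serial mismatch: {serials}")

    return {
        "providers": dict(by_provider),
        "serials": serials,
        "unreachable": unreachable,
        "problems": problems,
        "ok": not problems,
    }


# Constructed sample 1: two providers, all four servers in sync.
GOOD_NS = ["ns1.provider-a.example.", "ns2.provider-a.example.",
           "ns1.provider-b.example.", "ns2.provider-b.example."]
_SOA_LINE = "ns1.provider-a.example. hostmaster.example.com. 2012091001 7200 900 1209600 300"
GOOD_SOA = {ns: _SOA_LINE for ns in GOOD_NS}

# Constructed sample 2: a single provider, one stale secondary and one
# server that does not answer at all. This is the situation the thread
# warns about: "diversified" on paper, still a single point of failure.
BAD_NS = ["ns1.provider-a.example.", "ns2.provider-a.example.", "ns3.provider-a.example."]
BAD_SOA = {
    "ns1.provider-a.example.": _SOA_LINE,
    "ns2.provider-a.example.": _SOA_LINE.replace("2012091001", "2012090900"),
    "ns3.provider-a.example.": None,
}


if __name__ == "__main__":
    for label, ns, soa in (("good", GOOD_NS, GOOD_SOA), ("bad", BAD_NS, BAD_SOA)):
        result = check_delegation(ns, soa)
        print(label, "OK" if result["ok"] else "PROBLEMS")
        for p in result["problems"]:
            print("  -", p)
```

To run it against a live zone, replace the constructed dictionaries with the output of `dig NS <zone> +short` and one `dig SOA <zone> @<ns> +short` per NS host; note that a low serial on the new provider right after cutover usually just means the first zone transfer has not happened yet, so re-run after the SOA refresh interval before concluding the transfer is misconfigured.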

1) Don't keep all your eggs in one DNS basket. If you're big enough to be thinking anycast and CDN why are you using a single provider like GoDaddy? Diversify your DNS providers.

2) Anycast. Check out this blog to see how a provider mitigated a DDOS of up to 65Gbps. http://blog.cloudflare.com/65gbps-ddos-no-problem

John Gardeniers