
Ever since GoDaddy's DNS outage I definitely don't trust name servers.

I just created a domain name and the next step is setting up name servers. I'm thinking of using Route 53, CloudFlare DNS, and another provider. This means I'd probably end up with about 13 name servers attached to my domain name.

Should I limit that amount? Main concern is adding a tiny bit of latency each time someone does a lookup on my domain name. Does the lookup download the list of 13 name servers?

iDev247
  • It took you 1116 days to react to an outage? – Reaces Oct 02 '15 at 07:37
  • For GoDaddy's outage, the app that I was working on went down and it was a pain. I wasn't part of DevOps but nevertheless bad move on their part trusting one point of failure. – iDev247 Oct 02 '15 at 07:41
  • I've personally been using Route 53. Main question is since there's free redundant options (Cloudflare...) is it worth using them (any tradeoff?) or is one stable provider good enough? – iDev247 Oct 02 '15 at 07:42
  • I really doubt the outage cost that much of an impact on your end users. Key point in the [answer of TomTom](http://serverfault.com/a/726212/218888) below `DNS answers are cached, possibly on multiple levels. I.e. I would bet most end users use their provider's DNS.`. – Reaces Oct 02 '15 at 07:45
  • Too many is one more than you need. – user9517 Oct 02 '15 at 07:54
  • The GoDaddy outage was from people using GoDaddy DNS as resolvers, not just authoritative nameservers. – Jacob Evans Oct 04 '15 at 05:01
  • You never know why people downvote a legitimate question; strange and stupid. – danone Aug 14 '20 at 08:57

3 Answers


There is such a thing as "too many nameservers", but not for the reasons you're concerned with. The others have covered the irrelevance of latency concerns and I won't beat that horse to death.

The real problem with adding too many nameservers is authority bloat. A reply to a SOA record request should not exceed 512 bytes if at all possible, including both the authority and additional sections. TCP and EDNS can be used to overcome the 512 byte barrier in most cases, but some nameserver software still behaves poorly when the authority+additional information can't fit within a standard 512 byte response. (mostly in regards to zone transfers or DNS forwarders)

Taking the above into consideration, the answer on how many DNS servers is too many still boils down to "it depends". You should plan on your DNS servers supporting IPv6, so that's going to add overhead. (A+AAAA records)

For reference, here is what Yahoo's SOA reply looks like at this point in time:

$ dig @ns1.yahoo.com +norecurse yahoo.com soa

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> @ns1.yahoo.com +norecurse yahoo.com soa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53960
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1272
;; QUESTION SECTION:
;yahoo.com.                     IN      SOA

;; ANSWER SECTION:
yahoo.com.              1800    IN      SOA     ns1.yahoo.com. hostmaster.yahoo-inc.com. 2015100224 3600 300 1814400 600

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns6.yahoo.com.
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          1209600 IN      A       68.180.131.16
ns1.yahoo.com.          86400   IN      AAAA    2001:4998:130::1001
ns2.yahoo.com.          1209600 IN      A       68.142.255.16
ns2.yahoo.com.          86400   IN      AAAA    2001:4998:140::1002
ns3.yahoo.com.          1209600 IN      A       203.84.221.53
ns3.yahoo.com.          86400   IN      AAAA    2406:8600:b8:fe03::1003
ns4.yahoo.com.          1209600 IN      A       98.138.11.157
ns5.yahoo.com.          1209600 IN      A       119.160.247.124
ns6.yahoo.com.          172800  IN      A       121.101.144.139
ns6.yahoo.com.          1800    IN      AAAA    2406:2000:108:4::1006

;; Query time: 27 msec
;; SERVER: 68.180.131.16#53(68.180.131.16)
;; WHEN: Fri Oct 02 19:03:45 EDT 2015
;; MSG SIZE  rcvd: 411

As you can see above, six NS records along with their corresponding A and AAAA addresses are already weighing in at 411 bytes. If I were to add so much as six characters to the base domain (6 * 19 = 144, 411 + 144 = 555) I'd already be breaching 512 on mandatory records alone, never mind the optional bloat this usually adds to the right-hand side of the SOA record.

Most companies don't use more than four NS records. Six is probably too much. There aren't many good reasons for extending into this number so long as you're following the usual guidelines, or using a well-respected DNS provider.

Andrew B

  • I would have marked this as the correct answer, as I did indeed run into this issue a while ago. However, I circumvented it by distributing my 10 NS records across 2 different TLDs that do not share the same root servers (so, not across com and net as both those TLDs use gtld-servers.net) but instead net and uk. Because each set of root servers doesn't know about the glue records of the other set, the response on each is below 512 bytes, even with each NS record having both an IPv4 and IPv6 glue record, with 5 NS records per set of root servers (making 10 NS records in total). – parkamark Feb 20 '17 at 17:04

Let's be clear. Ever since the outage of a low-cost, low-end provider of whatever, you do not trust a technology that is proven. Why? You think everyone is as incompetent as GoDaddy? Never had a DNS issue in years.

> I'm thinking of using Route 53, CloudFlare DNS, and another provider. This means I'd probably end up with about 13 name servers attached to my domain name.

No. You have no clue how many name servers. What you see as one server can be a cluster using the same IP address. You only have a minimal amount.

Seriously, you totally overestimate the issue. If you use CloudFlare then this is good enough - especially if your content is behind CloudFlare.

> Main concern is adding a tiny bit of latency each time someone does a lookup on my domain name.

Which happens exactly how often? Remember - DNS answers are cached, possibly on multiple levels. I.e. I would bet most end users use their provider's DNS. You REALLY overthink the estimate of that 1ms (max) in the whole larger amount of work it takes to get to the host name and then make something with it.

Overengineering, showing a paranoia mostly built on not knowing technology AND professional providers. Get rid of that.

I personally use CloudFlare for everything and I am happy with ONLY them for my DNS.

TomTom
  • Thanks for the quick reply. I get that it's overestimating the issue. I guess main concern isn't completely about latency. I realized there's great low cost, great quality options (cloudflare, route 53...) for name servers. Wasn't sure if there was a tradeoff of adding many services to the same domain name. – iDev247 Oct 02 '15 at 07:49

RFC 2182 section 5 recommends at least 3 nameservers, and preferably no more than 7.

Jacob Evans