
We are managing our DNS data at Azure DNS. They provide 4 NS for redundancy, but just two days ago the whole Azure DNS service went down for a few hours, and all of our services with it as well. Now I'm looking for better redundancy for such a worst case scenario.

Unfortunately Azure DNS does not support outgoing zone transfer to a secondary NS hosted by a different provider. But they provide a tool for exporting all data of a zone into a zone file.

Amazon Route 53 gives me the option to import such a zone file. But for this I have to recreate that zone for my domain at Amazon first. And this leads to a different SOA record (and also 4 different NS entries).

My plan was to use both services (Azure and Amazon), and take from both two NS:

  • MyDomain NS1 -> Azure
  • MyDomain NS2 -> Amazon
  • MyDomain NS3 -> Azure
  • MyDomain NS4 -> Amazon

As I synchronize the zone data between the 2 providers over export / import by myself, I don't see a problem in terms of accurate DNS data. But the SOA and the NS records for the domain are not consistent.

What are the implications in such a scenario? Could that lead to problems with spam prevention or other services that query DNS data for a domain?

Thank you in advance.

user82563
  • Note that intermixing two providers here has no benefit: it is a set, not a list, and most authoritative nameservers will return these records in random order each time. Not very much relevant to your problem, but it is an error often made (thinking it is a list). – Patrick Mevzek Jun 15 '18 at 23:21
  • Wow! This is a 2016 post and I can tell you that the situation has not changed. It happened twice for my Org. And worse is that they do not allow AXFR, which prevented us from having a secondary zone. BTW, Amazon Route53 also doesn't allow Zone transfer, but R53 is surely more resilient DNS than Azure's. – anup Jun 03 '21 at 10:53
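Resolvers pick any of the four delegated servers, so the practical question is what each one answers for the apex SOA and NS records. The script below is an added example, not code from the question or the answer: it parses dig-style answer sections collected from each delegated server and reports the inconsistencies the split setup produces (two SOA MNAMEs, two serials, and apex NS RRsets that each omit the other provider's servers, so the child zone disagrees with the parent delegation), next to a contrasting case where all four servers serve one copy of the zone. The zone name example.com, the nameservers under provider-a.example and provider-b.example, and the serials are constructed placeholders, not real provider hostnames.

```python
"""Consistency check for a zone served from two DNS providers.

Added example, not code from the question or answer.  It runs offline on
dig-style answer sections; the zone example.com, the nameserver names under
provider-a.example / provider-b.example and the SOA serials are constructed
placeholders, not real provider hostnames.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApexView:
    """What one authoritative server says about the zone apex."""
    soa_mname: str
    soa_serial: int
    ns: frozenset  # NS RRset this server returns for the apex


def parse_answer_section(text: str) -> ApexView:
    """Parse SOA and NS records from text in the format that
    `dig @server +norecurse +noall +answer example.com SOA` (and `... NS`)
    print: name ttl class type rdata..."""
    mname, serial, ns = None, None, set()
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        if fields[3] == "SOA":
            # rdata: mname rname serial refresh retry expire minimum
            mname, serial = fields[4], int(fields[6])
        elif fields[3] == "NS":
            ns.add(fields[4])
    if mname is None or not ns:
        raise ValueError("answer section lacks an SOA or NS record")
    return ApexView(mname, serial, frozenset(ns))


def check_zone(delegation: frozenset, raw_answers: dict) -> dict:
    """Compare every delegated server's view of the apex.  `delegation` is the
    NS set the parent zone hands out; `raw_answers` maps each server name to
    the answer section it returned."""
    views = {srv: parse_answer_section(txt) for srv, txt in raw_answers.items()}
    findings = {
        # delegated servers we got no answer from (down, or not queried)
        "unqueried": sorted(delegation - set(views)),
        # more than one value here means resolvers see different "primaries"
        "soa_mnames": sorted({v.soa_mname for v in views.values()}),
        # serials drift when the two copies are synchronised by hand
        "soa_serials": sorted({v.soa_serial for v in views.values()}),
        # number of distinct apex NS RRsets across the servers
        "ns_rrset_variants": len({v.ns for v in views.values()}),
        # servers whose apex NS RRset omits part of the parent delegation
        "incomplete_ns": sorted(s for s, v in views.items() if not delegation <= v.ns),
    }
    findings["consistent"] = (
        not findings["unqueried"]
        and len(findings["soa_mnames"]) == 1
        and len(findings["soa_serials"]) == 1
        and findings["ns_rrset_variants"] == 1
        and not findings["incomplete_ns"]
    )
    return findings


# Constructed sample: the split described in the question, two servers per
# provider, each provider serving its own independently created zone.
DELEGATION = frozenset({
    "ns1.provider-a.example.", "ns2.provider-a.example.",
    "ns1.provider-b.example.", "ns2.provider-b.example.",
})
PROVIDER_A = """
example.com. 3600 IN SOA ns1.provider-a.example. hostmaster.example.com. 2016042001 3600 900 1209600 300
example.com. 3600 IN NS ns1.provider-a.example.
example.com. 3600 IN NS ns2.provider-a.example.
"""
PROVIDER_B = """
example.com. 900 IN SOA ns1.provider-b.example. hostmaster.provider-b.example. 1 7200 900 1209600 86400
example.com. 900 IN NS ns1.provider-b.example.
example.com. 900 IN NS ns2.provider-b.example.
"""
SPLIT_ANSWERS = {
    "ns1.provider-a.example.": PROVIDER_A,
    "ns2.provider-a.example.": PROVIDER_A,
    "ns1.provider-b.example.": PROVIDER_B,
    "ns2.provider-b.example.": PROVIDER_B,
}

# For contrast: one zone copy listing the full delegation, as a primary with
# zone-transfer secondaries would serve identically from all four servers.
SHARED_ZONE = PROVIDER_A + "".join(f"example.com. 3600 IN NS {ns}\n" for ns in sorted(DELEGATION))
SHARED_ANSWERS = {srv: SHARED_ZONE for srv in DELEGATION}

if __name__ == "__main__":
    for label, answers in (("split", SPLIT_ANSWERS), ("shared", SHARED_ANSWERS)):
        findings = check_zone(DELEGATION, answers)
        print(f"{label}: consistent={findings['consistent']}")
        for key, value in findings.items():
            if key != "consistent":
                print(f"  {key}: {value}")
```

To run it against a real delegation, replace the sample strings with the output of `dig @<server> +norecurse +noall +answer <zone> SOA` followed by the same query for NS, one string per delegated server, and take the delegation set from the parent zone's NS answer. A consistent result only covers the SOA and apex NS records the question is about; it says nothing about whether the rest of the zone data matches between the two copies.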

1 Answer


I originally wrote this as a comment, but honestly, I think it's really your best course of action.

Your DNS provider lost all its marbles for several hours and it won't support secondary DNS off-premises, and your response is to try to hack around it? I'd be curious to know what Azure would have to do to actually lose your business; shoot your dog, maybe? Myself, I'd be running for the exit so fast no-one would see the blur. It's time to change your DNS provider to one that doesn't suck.

MadHatter
  • Fair enough. But all DNS service providers I evaluated are operating in the same way: they give you multiple NS from their own network. Can you recommend a provider who has this option of a secondary NS off-premise at a fair price? – user82563 Apr 20 '16 at 06:46
  • I have never come across one that *doesn't* support zone transfers, but I roll my own DNS servers, and in any case we don't do service recommendations around here, so: no, I'm sorry, but I can't. The usual practice is to swap 2ary DNS between yourself and a fellow sysadmin, or two, at a neighbouring company; not everything has to be bought as SaaS! – MadHatter Apr 20 '16 at 07:01
  • Thanks for your time MadHatter. The reason for us to rely on a SaaS provider for DNS services is to outsource the responsibility for product exploits, DNS floods and so on. As DNS services are crucial (we just learnt it the hard way) I think this is justifiable. – user82563 Apr 20 '16 at 07:17
  • I entirely agree that your DNS is operation-critical. My personal feeling is that critical services are the ones *best* kept in-house. That said, it is of course your call what to outsource, but if you must outsource critical services, you will want hard, expensive-to-breach SLAs in place. If you don't have those, honestly, you haven't done due diligence for your outsourcing. In the end, DNS has a mechanism in place for dealing with outage - distributed secondaries - and a provider that doesn't support them is only half a DNS provider. – MadHatter Apr 20 '16 at 07:22
  • As suggested by MadHatter we changed our DNS provider to avoid this hack. Still interested in the technical answer to my initial question. – user82563 Apr 21 '16 at 09:22
  • I am at a similar stage as user82563. Experience with Azure DNS has been really painful. To make matters worse, both the cloud providers do not support Zone transfer (Azure, AWS). – anup Jun 03 '21 at 11:00