3

I've been doing some research on how DNS records can be managed but I'm a little overwhelmed. I'm looking for a low-cost (brainpower, time, money) solution to mitigate the risk that my domain registrar - also hosting my DNS records - will buckle under a DDoS again, costing me business. Options I've read about include:

  • Google Public DNS
  • Amazon Route 53

What questions should I be asking as I evaluate these (and other) options?

SB2055
  • @yagmoth555 with due respect that's not contributing much. Hover isn't quite what I would call an "underground" shop. – SB2055 Oct 22 '16 at 00:01
  • If you want to put your authoritative records there, Google Public DNS will not help, as those are open resolvers only and don't provide authoritative service on these servers. – Gaurav Kansal Oct 23 '16 at 16:10
  • I answered a [similar Q&A](http://serverfault.com/q/777094/152073) a while ago. Let me know if you need more information. – Andrew B Oct 24 '16 at 21:45
  • @AndrewB - wow, that's great. Thank you. It seems like uptime comes at the (huge) cost of monitoring and synchronization, something we just don't have the bandwidth for. This sounds like an opportunity for a niche "dns uptime" service provider to handle... do you know of any services that take the headache out of this? – SB2055 Oct 24 '16 at 23:25
  • None, unfortunately. That said, it's probably not as expensive as you think. Monitoring can be as simple as comparing the SOA serials for your zones. Having two DNS hosting companies shouldn't be very expensive, you'd just need one that accepts external zone transfers. I can't advise hosting your own without an in-house DNS expert or external consultant...you'll get downtime of a different sort. If you want to go the consulting route and are serious about it, I'm available. Otherwise I'll stick to dispensing free advice here until it starts feeling too much like a job. :) – Andrew B Oct 24 '16 at 23:43
  • @AndrewB I'll take what you've given with gratitude :). Much appreciated. – SB2055 Oct 25 '16 at 00:10
  • We had another Q&A today that is also relevant to this discussion. ([Real-world impact of partial authoritative DNS outage](http://serverfault.com/q/811166/152073)) – Andrew B Oct 25 '16 at 18:40
  • @AndrewB thank you. You could probably make a lot of money by creating a product to help folks like us! – SB2055 Oct 25 '16 at 19:00

4 Answers

6

Google Public DNS

As Gaurav Kansal said, Google Public DNS is a caching (recursive) DNS service and wouldn't be of much help to you.

Amazon Route 53

You can go for it, or for many others, but I would like to point out some things you should be looking for when you choose your DNS provider.

  • Choose more than one: if possible, have a master name server placed at one provider and a slave of it at another provider; if they are at different geo-locations, even better. That way, in case of an attack on one provider, the other provider is still available to serve your records.
  • Anycasting: providers should run more than one instance of your name server at geographically different locations. This can be done using anycasting, which uses the same IP address at different geo-locations in order to provide higher availability in case of an attack at one location.
  • Multiple slaves: have multiple slave servers so that your records can still be served in case multiple NS go down (master or slave).
  • TTL: yes, TTL may be important, if you don't change your records that often and the provider can provide them for longer than 15 minutes.
  • Remain in touch with gTLD managers and keep your zone file at hand: in case of an emergency it's good to have contingency plans ready.

Hope this helps!

Anirudh Malhotra
  • However, Google does provide authoritative name service: Cloud DNS on the Google Cloud Platform. – Mark Wagner Oct 25 '16 at 20:25
  • The questioner asked about **Google Public DNS**, that is why I wrote that. Also, I haven't researched much on providers, so thanks for letting me know. – Anirudh Malhotra Oct 26 '16 at 06:33
2

As the customer you can't really do anything to prevent outages at a supplier, although, as long as you're not the actual target of the DDoS, you can mitigate some of the effect of outages from a single supplier either by having multiple suppliers (at the risk that such additional complexity will increase the risk of operator error by you/your team) or by switching to a better supplier with fewer outages.

Purely for DNS, a zero-cost mitigating measure you can easily take is to simply increase the TTL value of your DNS records.
A TTL of 5 minutes means that an outage of all authoritative DNS servers (at the same time) with a duration longer than 5 minutes will probably affect 100% of your users, while with a TTL of 1 week an outage of 24 hours will still only affect roughly 1/7, or 15%, of your users.

HBruijn
1

Assuming your domain registrar only hosts your DNS servers, you can find secondary DNS services in many places. Also keep in mind that you are usually not forced to use the DNS servers of your domain registrar.

For those secondary DNS services to work efficiently, the management interface of your (primary) DNS service provider should allow you to:

  1. add, change and remove DNS servers, and
  2. add, change and remove authorized secondary servers.

Secondary DNS servers will periodically download a copy of your DNS records from the primary servers.

Often you'll hear "master" for the primary server and "slave" for the secondary server.

A quick Google search for 'dns secondary service' returns a few companies providing that service.

Remember that having resilient DNS servers doesn't help at all if the target of the DDoS is your web servers and those web servers are hosted at a single provider.

user210584
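The SOA-serial monitoring Andrew B mentions in the comments under the question, the "multiple slaves" point in Anirudh Malhotra's answer and the periodic copy that this answer describes all come down to the same check, so here is one worked example, added to this page by the editor and not taken from any of the posts: a minimal pure-Python SOA query/response codec, a serial-drift comparison across the servers you use, and a calculation of how long a secondary keeps answering once it can no longer reach the primary (the standard RFC 1035 refresh/retry/expire semantics). The zone `example.com.`, the server names, the serials and the timer values are constructed for the demo; the two wire-format replies are built locally so the script runs offline, and `query_soa` is the only function that touches the network.

```python
"""Added example: compare the SOA serial every nameserver serves for a zone, and
work out how long a secondary keeps answering if the primary goes dark.
Zone, server names, serials and timers are constructed demo data."""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass, replace

SOA_TYPE, IN_CLASS = 6, 1


@dataclass(frozen=True)
class SOA:
    mname: str      # primary master name, with trailing dot
    rname: str      # responsible mailbox, with trailing dot
    serial: int
    refresh: int    # seconds between a secondary's refresh checks
    retry: int      # seconds between retries after a failed refresh
    expire: int     # seconds after the last good refresh before a secondary stops serving
    minimum: int


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just after it."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # RFC 1035 4.1.4 pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def build_soa_query(zone: str, txid: int = 0x2A2A) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # RD=0: ask the authoritative server itself
    return header + encode_name(zone) + struct.pack(">HH", SOA_TYPE, IN_CLASS)


def parse_soa_response(msg: bytes) -> SOA:
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA_TYPE:
            mname, p = read_name(msg, off)
            rname, p = read_name(msg, p)
            return SOA(mname, rname, *struct.unpack(">IIIII", msg[p:p + 20]))
        off += rdlen
    raise ValueError("no SOA record in the answer section")


def query_soa(server: str, zone: str, timeout: float = 3.0) -> SOA:
    """Live UDP query against one nameserver (the offline demo below never calls this)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return parse_soa_response(s.recv(4096))


def serial_drift(answers: dict[str, SOA]) -> dict[str, int]:
    """How far behind the newest serial each server is (0 = in sync).
    Plain integer comparison: RFC 1982 serial wrap-around is not handled."""
    newest = max(a.serial for a in answers.values())
    return {srv: newest - a.serial for srv, a in answers.items()}


def secondary_state(soa: SOA, last_refresh: int, now: int) -> str:
    """What a secondary does at `now` if its last successful refresh was at `last_refresh`:
    it keeps serving its stale copy until `expire` elapses, then stops answering."""
    age = now - last_refresh
    if age < soa.refresh:
        return "fresh"
    if age < soa.expire:
        return "serving-stale"                         # retrying the primary every `retry` seconds
    return "expired"


# Constructed demo data: two providers, the second one lagging a zone transfer.
ZONE = "example.com."
PRIMARY_SOA = SOA("ns1.example.com.", "hostmaster.example.com.",
                  2016102501, refresh=3600, retry=900, expire=604800, minimum=300)
STALE_SOA = replace(PRIMARY_SOA, serial=2016102400)


def build_soa_response(query: bytes, soa: SOA, ttl: int = 3600) -> bytes:
    """Fake reply for the offline demo; the owner name is a pointer (0xC00C) to the question name."""
    rdata = (encode_name(soa.mname) + encode_name(soa.rname)
             + struct.pack(">IIIII", soa.serial, soa.refresh, soa.retry, soa.expire, soa.minimum))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SOA_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return query[:2] + struct.pack(">HHHHH", 0x8400, 1, 1, 0, 0) + query[12:] + answer   # QR|AA


def demo() -> dict[str, int]:
    q = build_soa_query(ZONE)
    replies = {"ns1.example.com": build_soa_response(q, PRIMARY_SOA),
               "ns2.secondary-dns.example": build_soa_response(q, STALE_SOA)}
    return serial_drift({srv: parse_soa_response(raw) for srv, raw in replies.items()})


if __name__ == "__main__":
    print(demo())
    for hours in (0.5, 24, 24 * 8):
        print(f"primary unreachable for {hours}h:", secondary_state(PRIMARY_SOA, 0, int(hours * 3600)))
```

Running it offline reports the secondary 101 serials behind, which is exactly the drift a cron job should alert on; against real servers, replace the constructed replies with `query_soa(ip, zone)` for each NS in the delegation. The `secondary_state` output is the caveat worth remembering when the registrar is also the primary: with the timers above a secondary at another provider keeps answering for a week after the primary vanishes, but a zone with a short `expire` buys far less.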
1

So, this is a tricky question. Most people answering this are giving technically excellent answers - distribute your zones across multiple nameservers, use high TTLs, invest in anycast, etc. - but I want to give you a contrarian viewpoint.

DNS is critical to the functioning of the internet. Everyone is on edge right now because of the recent DDoS against Dyn, but this fear will fade.

I would like to point out that:

  1. This is the first major DNS outage (that lasted more than ~15 minutes) that I'm aware of in decades
  2. It was not a total outage (DYN faced the largest loss of service on the east coast, but was not globally down)

And also point out that every DNS provider on earth is focused on hardening themselves to DDoS right now.

Here's a funny but relevant tangent: in ~2004 some tiny site (fido.net?) with its own ASN broadcast a bad BGP prefix that cascaded to take down most of the internet core routing. Cisco and the major players fixed the bug, and we've never seen an internet wide outage due to a bad BGP prefix being broadcast again.

What I'm trying to say is - the entire internet relies on DNS. This DDoS against Dyn last week was extraordinary - in its magnitude, severity, and improbability.

This is not cheap or easy to mitigate from your end without owning your own infrastructure (which I can assure you is not cheap if Dyn's didn't stand up). The point of the DNS system is it is just supposed to work.

Which is my long way of saying you have an extremely valid fear that's so improbable and unlikely to ever happen again that you should just move on and not worry about it. Not because you're not right to worry and there's a 0% chance of this ever happening again (it might!), but because you have far more real and salient things that will affect your business in the near future that are better uses of your time, money, and effort than attempting to mitigate this.

¯\_(ツ)_/¯

Seth Blank
  • How can I get in touch with you? – SB2055 Oct 28 '16 at 01:05
  • find me on twitter @antifreeze – Seth Blank Oct 28 '16 at 04:37
  • I can't agree with the "in decades" remark, unfortunately. This is an arms race, and many major providers (Cloudmark, Neustar, DYN, etc.) have been getting black eyes in recent history. The BGP bug was a case of "fix once, gone forever". The auth DNS arms race is currently in a state of "expect at least one major auth DNS provider to be in the news this year", and the question businesses should ask themselves is "what is the business impact when mine bites the pillow"? – Andrew B Oct 28 '16 at 22:47