13 comments

[ 3.1 ms ] story [ 46.3 ms ] thread
I don't see anything here I couldn't do myself, and in a more secure way. I don't trust handling of my DNS to random projects.
I think this is more a "we did it because it was fun and we can" project than a "you will find this useful" one
Exactly :)

I also have a more serious project regarding DNS, even with an anycasted network, dnssec, etc - but that is still in beta and I just wanted to do something for fun (Idea came while I was implementing a zonefile importer)

Hm, but that's not an issue with this specific project, and yes, of course there is nothing what is impossible to do on yourself - but I never said that ;)

If you would let me know if there is anything what you don't like, then I'm happy to fix it or whatever :)

Well, from what I see on your site security and trust is an issue. You are asking people to direct their DNS to your servers, that is a lot of responsibility to take on. Who are you? How do I trust you? How do I know that someone can't corrupt my zone entries in your system, either on purpose or on accident. eg. lets say I setup a git repo with zone entries for another customer you serve, how do you decide which one is authoritative?

I would only consider this useful if you posted your code on github so that people can run it on their own DNS servers.

Brilliant in its simplicity.

Could you share the technical details? What DNS server/software are you using? How do you handle input, errors (broken zones? do you perform sanity checks?), and reloads?

Do you enforce any limits? Support DNSSEC?

What's the web stack?

I'm glad to answer your questions. As I wrote, this was just a fun project for like two (maybe three) evenings, you can't expect to much.

Webstack is Nginx + Ruby + Sinatra + MySQL (Datamapper, I know I should switch to Sequel) and a worker in Node.js on the slave nameserver for writing configs + reloading nsd

Servers are two small VPS, one on my own dedicated server in Frankfurt, Germany, the other in Canada from lfchosting. Nameserver is nsd, because it looked not to bad.

> How do you handle input, errors (broken zones? do you perform sanity checks?), and reloads?

I'm performing some checks, with nsd-checkconf, etc, but I'm sure there is something I could improve. It gets reloaded everytime someone enters a domain name or pushes changes to bitbucket/githup and they are posting to the specific URL.

> Do you enforce any limits? Support DNSSEC?

Nah, there are no limits, currently. DNSSEC: No, also not looking to implement it with this project, since besides that I'm working on a more serious one, even with anycast, etc and there is dnssec already possible.

I hope I was able to answer your questions as you expected it, please let me know if you want anything more detailed or have more questions for me :)

Love the idea, but seems a little too fly-by-night for me to want to trust real production stuff to it. DDoS-ing DNS providers seems to be the rage these days, and I'd hate to be collateral damage because the weekend project I was using as a DNS provider couldn't handle it...

And I totally get that this was just for fun... but a variant project that still used git as the UI, but sat on top of a bigger-player DNS provider's API (Route 53, maybe?) could probably give you the best of both worlds: a weekend's worth of hacking, but still using infrastructure people felt like they could trust.

Thanks for your comment, and yes, of course I understand you.

I would have the infrastructure (an anycasted network with 11 PoPs, etc) - but as you said, was only a weekend project and I wasn't about using this for the project. But hm, I could later just rewrite this away from a independend dns service to some parsing thingy to input zonefiles and use APIs of existing, reliable providers (most of the popular ones have nice APIs). It's something to think about, thanks.

+1 on making this a frontend to 3d-party DNS providers.

Git-push integration with Dyn, Route53, Zerigo/8x8, Gandi, etc. would be an awesome feature.

I like the idea of building a bridge to other DNS providers - it seems like less work in the long run, for a much more reliable service.

Using CloudFormation to manage your Route 53 records will achieve most of the goals of this solution, although editing CloudFormation stack templates has a little more overhead than managing zone files.

I use git to manage my dns and publish to my server, which serves as a master for slave servers hosted by zerigo. Not sure if Route 53 can serve as slave servers.