Ask HN: DNS best practices?
Given DDoS attacks like the one Namecheap is undergoing, what are your recommended best practices before and during such attacks in order to ensure business continuity?
In other words:
How do you setup DDoS-proof (to the extent it is possibe) DNS for your servers?
If you find yourself in the middle of the firestorm, how have you dealt with it?
6 comments
[ 3.0 ms ] story [ 26.5 ms ] threadUnfortunately if you use Namecheap's DNS service, you CAN'T specify failover / secondary DNS servers. This has been a known issue for a year & a half that they've failed to address: https://community.namecheap.com/forums/viewtopic.php?f=6&t=5...
https://community.namecheap.com/forums/viewtopic.php?f=6&t=8...
Actual anycast: Piggy back on a network provider that already announces an anycast network block and "lease" a single IP address. Have lots of time and money? Obtain BGP access, colocate servers, purchase network equipment, etc. and do it all yourself.
A good compromise is to use a DNS provider that offers anycast already, like DNS Made Easy, AWS Route 53, or a number of others at reasonable cost.
One of the advantages of Route53 is that each domain gets its own "random" nameserver, so if you host 50+ domains they're unlikely to all be affected by a DoS attack.
I wrap Route53 with git to keep history and allow quick updates over at https://dns-api.com/ but even if you use their control panel manually, rather than any of the APIs their service is exceptionally good.