Ask HN: DNS best practices?

10 points by rebootthesystem ↗ HN
Given DDoS attacks like the one Namecheap is undergoing, what are your recommended best practices before and during such attacks in order to ensure business continuity?

In other words:

How do you setup DDoS-proof (to the extent it is possibe) DNS for your servers?

If you find yourself in the middle of the firestorm, how have you dealt with it?

6 comments

[ 3.0 ms ] story [ 26.5 ms ] thread
DDoS protection benefits from an economy of scale (the more network resources you can use to buffer against an adversary, the better). You're better off delegating your service to a third party who's already implemented effective DDoS protection, such as Dynect or UltraDNS.
DNS is inherently fault tolerant. That's why you can specify more than one NS record (if server A is down, go to server B!) on a domain.

Unfortunately if you use Namecheap's DNS service, you CAN'T specify failover / secondary DNS servers. This has been a known issue for a year & a half that they've failed to address: https://community.namecheap.com/forums/viewtopic.php?f=6&t=5...

Poor man's anycast: Setup a hidden master and push zone updates to multiple slave DNS servers at different providers, which are all registered as your domain's DNS servers (at your registrar).

Actual anycast: Piggy back on a network provider that already announces an anycast network block and "lease" a single IP address. Have lots of time and money? Obtain BGP access, colocate servers, purchase network equipment, etc. and do it all yourself.

A good compromise is to use a DNS provider that offers anycast already, like DNS Made Easy, AWS Route 53, or a number of others at reasonable cost.

We use Route53. It has Anycast and GeoDNS and isn't as susceptible to DDoS. The free DNS provided by most registrars is great, but if you want reliability and high availability it's worth exploring all of your options.
Yes Route53 provides a fantastic service. Just make sure you setup billing alerts to ensure you're not caught out by exceptional traffic.

One of the advantages of Route53 is that each domain gets its own "random" nameserver, so if you host 50+ domains they're unlikely to all be affected by a DoS attack.

I wrap Route53 with git to keep history and allow quick updates over at https://dns-api.com/ but even if you use their control panel manually, rather than any of the APIs their service is exceptionally good.