Ask HN: How to mitigate DNS provider issues?
I had several sites become inaccessible yesterday due to the DDOS on Namecheap's DNS servers: http://status.namecheap.com/?p=3739
Everything appears to be back to normal for us right now, but this has definitely rattled us a bit. We've never had problems with Namecheap before. Admittedly, DNS / Nameserver routing is not something I have a lot of expertise in. Like many developers/ dev ops people, DNS is something I set once and mostly leave alone. I had not considered it a vector for failure.
Several questions:
1) What are the best practices in mitigating something unforeseen like a DDOS attack on your DNS / Nameserver provider? It seems like redundancy is the only good option, since any provider we go with could get DDOS-ed. What are good redundancy setups?
2) I've heard people say 'don't do DNS with your registrar'. But I'm not clear on exactly why not. Are registrars just inherently worse at DNS & nameserving?
3) Out of curiosity, does anyone know why Namecheap was DDOS-ed? Was it just for the lolz?
Really, the best thing you can do is make certain you're with a good, stable, Anycast provider. Preferably one that's been beefing up their network. I've been using DNS Made Easy for a few months now for the ability to have vanity name servers and have noticed a significant boost in speed since. I also started using their failover service to help avoid going down since they included 3 records with my membership anyway :P. They're also crazy cheap for the features I've been getting: http://www.dnsmadeeasy.com/enterprisedns/pricing.html As for why Namecheap got hit, who knows. Could be a malicious attack on a site using the service, could be a prank. Maybe just for lolz. There's any number of reasons. Unless they release that info, I don't think you'll find a clear answer any time soon :-/.
I've seen a lot of praise for easyDNS, but I've never used them myself. They have failover DNS, which is interesting. http://support.easydns.com/Failoverfaq.php
I guess you could technically use 2 (or more) different hosts for DNS, which would give you some redundancy, but I've never seen anyone do that.
I usually don't like to host DNS with the registrar because they tend to be kind of bad as far as flexibility. GoDaddy's DNS controls are pretty good, but I still tend to host my DNS elsewhere.
I sure wish some company would step up and offer a reasonable, quality registrar/DNS offering, but I have yet to find that one. Until that time, I will keep them separate, and would suggest using DynDNS. It really depends on your needs and/or budget. I would check out this page: http://www.dyndns.com/services/dynectsmb/ If that looks like overkill, you might consider this plan: http://www.dyndns.com/services/upgrades/
You really can't do that much. Pick a good provider. I'm using route53 from Amazon. It's dirt cheap and they're no slouches when it comes to reliability. It's still relatively new though.
If you use route53 aren't you still storing the nameservers at Namecheap in this case, thus, not eliminating the problem since they are still part of the route?
Nope. Only problems with the root servers or Amazon would be an issue.
That's a good point: direct link: http://aws.amazon.com/route53/#pricing
Hire dyndns and don't worry about it again.
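
Added example, not part of any comment in this thread: a small audit for the "2 (or more) different hosts for DNS" setup mentioned above, which flags an NS set that depends on one provider and any nameserver serving an older copy of the zone. The nameserver names, serials and the two-label operator heuristic are constructed assumptions; in practice the input would come from querying each listed nameserver for the zone's NS and SOA records.

```python
from collections import defaultdict

# Constructed sample data (not real measurements): each key is a nameserver
# from the zone's NS set, each value the SOA serial that server returned.
SINGLE_PROVIDER = {
    "ns1.dns-provider-a.example.": 2011030101,
    "ns2.dns-provider-a.example.": 2011030101,
}
TWO_PROVIDERS = {
    "ns1.dns-provider-a.example.": 2011030102,
    "ns2.dns-provider-a.example.": 2011030102,
    "ns1.dns-provider-b.example.": 2011030101,  # second provider lagging
}


def operator_of(ns_name):
    """Assumption: the last two labels identify the operator.
    Wrong for suffixes such as co.uk; use a public-suffix list there."""
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_delegation(ns_serials):
    """Flag a single-provider NS set and nameservers serving an older zone."""
    by_operator = defaultdict(list)
    for ns in ns_serials:
        by_operator[operator_of(ns)].append(ns)
    # Plain max() ignores RFC 1982 serial wrap-around; fine for date serials.
    newest = max(ns_serials.values())
    stale = sorted(ns for ns, s in ns_serials.items() if s != newest)
    return {
        "operators": sorted(by_operator),
        "single_provider": len(by_operator) < 2,
        "stale": stale,
    }


if __name__ == "__main__":
    for name, data in (("single", SINGLE_PROVIDER), ("two", TWO_PROVIDERS)):
        print(name, audit_delegation(data))
```

A stale entry matters because resolvers pick among the listed nameservers, so a lagging second provider hands out old records to some share of clients until the zones are back in sync.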