Ask HN: Is secondary DNS setup worth it?
After recent Cloudflare outage, more people are suggesting to go with a secondary DNS. I'm afraid that it would be difficult to maintain configuration across multiple DNS providers. I'd love to know your experience in maintaining multiple DNS providers.

If your DNS is pretty much standard DNS (basic zone files, or something equivalent), it's pretty simple to use multiple providers using AXFR to transfer from wherever your source of truth is. If you do fancy DNS, you'll need to manage configuring them all to be 'the same' yourself. Maybe there's some tools out there, but it becomes: write a config file you understand, and a script to reconfigure the provider to match, etc. The fancier your DNS is, the harder it is to synchronize among multiple services. Things like monitoring and removing dead hosts are probably not awful, but if you need to synchronize geographic targeting, that's going to be complex (and unlikely to be perfectly in sync; different DNS servers are likely to categorize IPs differently, and you'll just have to live with it). Many moons ago, I used Akamai load feedback to divide usage between different locations; I don't think that would work that well if using two (or more) services.

Terraform and OctoDNS can make this easy. Never let the UI of your vendor be the source of truth for your DNS setup. If you have the zones in code then updates should be easy to distribute to multiple vendors. Also: given the nature of DNS caching you will have to roll changes in a way that is compatible with temporary inconsistency anyway.

I have seen such a setup once and it was a life saver. People recommending that are right. People fearing the complexity are also right. Be careful to have good tooling.

> I'm afraid that it would be difficult to maintain configuration across multiple DNS providers

A secondary host should be able to pull zones from the primary using standard AXFR, optionally using TSIG authentication. The primary can also notify a secondary using DNS NOTIFY for near-instantaneous synchronization. For some of my domains I prefer hosting primary myself, along with e-mail, web, etc. I just find it easier managing NSD configs and zone files the old-fashioned way (version controlled, of course), rather than mucking about with GUIs or proprietary APIs. But in those cases I'll often use EasyDNS for secondary or tertiary. Whenever I edit and reload a zone file for one of these domains, NSD automatically pings EasyDNS, which then AXFRs the new zone. Easy peasy, at least once you wrap your head around AXFR, TSIG, and NOTIFY. Your domain registrar is the gatekeeper for glue NS records, so if your primary DNS host[1] ever had a sustained down period, it's still relatively simple and fast to update your nameservers as needed.

[1] Yourself or another service -- hopefully not the same as your registrar, as that would defeat the purpose.

> Your domain registrar is the gatekeeper for glue NS records, so if your primary DNS host[1] ever had a sustained down period, it's still relatively simple and fast to update your nameservers as needed.

It's simple, but not exactly fast. .com and .net glue records have a TTL of 2 days, so expect significant delay. Different TLDs have different times though; .org is only 1 hour, and I'm not looking up anything else ;)

Good point, I forgot about TTLs in the recursive chain. How common is it for recursive resolvers to cache glue records? Is it more common for in-bailiwick NS domains? (This issue exists regardless of setup, so I hope the OP and others aren't dissuaded from exploring their options.)

I'd expect all caching recursive resolvers to cache glue records as well as the requested records. It's part of the deal; if they didn't, the root servers would have an insane load. (After all, you need to get glue records for .com, etc., too.) Of course, there's probably exceptions, and cache size is limited. I can say that some resolvers seem to cache glue records for a long time, more than the published TTL; when I switched NS records for a popular domain, we continued to get requests on the old domain for more than 4 weeks (at which point we needed to end the previous service).

I'd like to add: does anyone provide low-volume secondary DNS for cheap? Cloudflare would be my first pick, but:

> Secondary DNS is only available to Enterprise customers. For more details on activation and pricing, contact your account team.

I recently hit the 150 host limit on Namecheap's DynDNS and I wanted to see if I could set up a hidden primary DNS server that takes updates from something web-based like nsupdate.info. It would be nice to have something like Cloudflare serving things publicly rather than exposing my self-hosted BIND server. However, anything I can find is either rate limited a fair bit (Hurricane Electric, which looks nice feature-wise) or doesn't have proper TSIG support or is too expensive for what I need. I hate having to start with the ghetto feature tier everywhere when I'm trying to learn. I wish I could just use all the features and pay for usage / scale :-(

How cheap is cheap? How low volume is low volume? You could run secondary DNS on a VPS anywhere. Won't be anycast of course, but won't be hard to make work either. I see lots of articles about fly.io's anycast platform; I'm not affiliated and haven't tried anything, but they do have a page about UDP services (which don't work on IPv6 right now according to their documentation) and mention DNS. It looks like it takes a bit more config, but not that much.

Really cheap. Lol. Maybe $50-ish per year and then I'd just tolerate exposing my BIND server. Low volume is very low since most queries would be for monitoring where the DNS lookups could be done locally to the hidden primary. Cloudflare looked super appealing because I could spin everything up in Docker containers and expose the web-based part via Cloudflare Tunnel, which would keep my self-hosted infrastructure completely hidden. It's tempting to just write something that runs on Cloudflare TBH.

At your budget, I'd run authoritative DNS on the free tier at a few clouds. If you can get one resolver in east US, west US and Europe, that'll be pretty ok.

I'm always confused that anybody doesn't have secondary servers, for anything larger than a one-off vanity site. If your DNS needs are simple, then running a secondary is extremely easy. The hardest part is that you'll probably interact with it so rarely you'll forget it's there. If your DNS needs are complex, then running a secondary is harder but it's still probably a small fraction of the effort you're putting into the primary server.

If you want your site to be online when your DNS provider isn't, then having a secondary DNS provider is an absolute must.

Secondary DNS is great for failover. I run dual Pi-holes in a primary-secondary setup for that purpose. The only issue you will run into is if your router can't pass two DNS server addresses, or your client machines don't know how to handle multiple DNS servers or failover behavior.

Secondary DNS providers will do a zone transfer from your primary provider, so the configuration is pretty minimal.

Worth it? It's absolutely necessary if you want to avoid a single point of failure. Given quality of service declining over the years for big and small companies and the mass influx of soy latte boys into IT, we can only expect the amount of issues to grow in coming years, both in scope and magnitude. And yeah, if you are using a single provider for your critical infrastructure, you have a ticking bomb.
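The hidden-primary, AXFR + TSIG + NOTIFY arrangement that several commenters describe, written out as NSD configuration. This is an added example, not any commenter's own config; it assumes NSD on both ends, the constructed addresses 203.0.113.1 (hidden primary) and 198.51.100.53 (secondary), a made-up zone example.org, a key name xfr-key and a placeholder TSIG secret. With a hosted secondary such as the EasyDNS case above, the second file is replaced by whatever transfer settings that provider exposes, but the primary side stays the same.

```nsd
# --- nsd.conf on the hidden primary (203.0.113.1, constructed) ---
# The primary is deliberately absent from the zone's NS records: the
# public only talks to the secondaries, and the primary only answers
# signed zone transfers and sends NOTIFY.
server:
    ip-address: 203.0.113.1
    hide-version: yes

key:
    name: "xfr-key"
    algorithm: hmac-sha256
    # Placeholder only; use a random base64 secret shared out of band.
    secret: "REPLACE_WITH_BASE64_SECRET"

zone:
    name: "example.org"
    zonefile: "example.org.zone"
    # Only the secondary may pull the zone, and only with a valid TSIG
    # signature; any other transfer request is refused.
    provide-xfr: 198.51.100.53 xfr-key
    # After each reload, send a signed NOTIFY so the secondary re-pulls
    # immediately instead of waiting for the SOA refresh timer.
    notify: 198.51.100.53 xfr-key

# --- nsd.conf on the secondary (198.51.100.53, constructed) ---
server:
    ip-address: 198.51.100.53
    hide-version: yes

key:
    name: "xfr-key"
    algorithm: hmac-sha256
    # Must be the same secret as on the primary.
    secret: "REPLACE_WITH_BASE64_SECRET"

zone:
    name: "example.org"
    # Accept NOTIFY only from the primary and only when TSIG-signed, so a
    # spoofed NOTIFY from elsewhere cannot trigger a transfer.
    allow-notify: 203.0.113.1 xfr-key
    # Pull the zone from the primary, signing the request with the key.
    request-xfr: 203.0.113.1 xfr-key
```

After editing the zone file on the primary, `nsd-control reload` picks up the new serial and fires the NOTIFY; if the secondary's serial does not advance, check that the SOA serial was actually bumped and that both sides agree on the key name, algorithm and secret.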