So our DNS provider, every so often, experiences DDoS attacks on their systems that cause our front-facing web sites to go down.
What are some options in terms of reducing dependency on a SINGLE external managed DNS provider? My first thought was using lower expire TTL and other SOA TTLs, but it feels like these affect secondary DNS server behavior more than anything else.
i.e. If you experience a DNS outage (due to DDOS, in this example) that lasts more than, say, 1 hour, delegate everything to a secondary provider.
What do people do out there when it comes to their external DNS and using another managed DNS provider as backup?
Note to our friendly moderators: this question is much more specific than the "generic mitigate DDoS attack" questions out there.
EDIT: 2016-05-18 (A few days later): So, first off thank you AndrewB for your excellent answer. I have some more information to add here:
So we reached out to another DNS service provider and had a chat with them. After thinking and doing a bit more research, it's actually a LOT more complicated than I thought to go with two DNS providers. This is not a new answer, it's actually more meat/info to the question! Here is my understanding:
-- A lot of these DNS providers offer proprietary features like 'intelligent DNS', for example DNS load balancing with keepalives, logic chains to configure how responses are handed back (based on geo location, various weights to records, etc. etc.). So the first challenge is to keep the two managed providers in sync. And the two managed providers are going to have to be kept in sync by the customer who has to automate interacting with their APIs. Not rocket science, but an ongoing operational cost that can be painful (given changes on both sides in terms of features and APIs).
-- But here is an addition to my question. Let's say someone did use two managed providers as per AndrewB's response. Am I correct in that there is no 'primary' and 'secondary' DNS here as per spec? I.e., you register your four DNS server IPs with your domain registrar, two of them are one of your DNS providers, two of them are DNS servers of the other. So you would essentially just be showing the world your four NS records, all of which are 'primary'. So, is the answer to my question, "No"?
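Added example (not from the original question, AndrewB's answer, or any DNS provider): a stdlib-only Python check for the sync problem raised above. Since all four NS hosts are equally authoritative and a resolver may ask any of them, the defender-side check is whether they actually agree; this runs over constructed answers from four hypothetical NS hosts (two per provider) and flags records where the providers, or one provider's own hosts, serve different rdata or where one provider lacks the record entirely.

```python
"""Constructed example: detect drift between two managed DNS providers.

Four NS hosts, two per provider, are all equally authoritative. Each host has
been asked for the same (owner, type); the rdata sets are compared. All host
names, zone names and answers here are constructed sample data.
"""
from collections import defaultdict

# Hypothetical NS-to-provider mapping (assumed, not from the original post).
NS_PROVIDER = {
    "ns1.provider-a.example": "provider-a",
    "ns2.provider-a.example": "provider-a",
    "ns1.provider-b.example": "provider-b",
    "ns2.provider-b.example": "provider-b",
}

# Constructed answers: {ns_host: {(owner, rrtype): set(rdata)}}.
# provider-b has not yet picked up the second A record for www.
SAMPLE_ANSWERS = {
    "ns1.provider-a.example": {("www.example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
                               ("example.com.", "MX"): {"10 mx1.example.com."}},
    "ns2.provider-a.example": {("www.example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
                               ("example.com.", "MX"): {"10 MX1.example.com."}},
    "ns1.provider-b.example": {("www.example.com.", "A"): {"192.0.2.10"},
                               ("example.com.", "MX"): {"10 mx1.example.com."}},
    "ns2.provider-b.example": {("www.example.com.", "A"): {"192.0.2.10"},
                               ("example.com.", "MX"): {"10 mx1.example.com."}},
}


def normalize(rdata):
    """Case-fold rdata so 'MX1.example.com.' and 'mx1.example.com.' compare equal."""
    return frozenset(r.lower() for r in rdata)


def find_drift(answers, ns_provider):
    """Return {(owner, rrtype): {provider: {rdata_set, ...}}} for every record
    where providers serve different rdata, where one provider's own NS hosts
    disagree, or where a provider lacks the record (shown as an empty set)."""
    providers = set(ns_provider.values())
    by_record = defaultdict(lambda: defaultdict(set))
    for ns, records in answers.items():
        for key, rdata in records.items():
            by_record[key][ns_provider[ns]].add(normalize(rdata))
    drift = {}
    for key, per_provider in by_record.items():
        for p in providers - set(per_provider):
            per_provider[p].add(frozenset())  # record missing on that provider
        if len(set().union(*per_provider.values())) > 1:
            drift[key] = {p: set(s) for p, s in per_provider.items()}
    return drift
```

Feeding it live answers would mean querying each NS host directly (for example with a DNS library or by parsing dig output) rather than a recursive resolver, so that caching does not mask the difference.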