Monday, June 6, 2016

domain name system - switching DNS server providers



I'm trying to wrap my head around something that I thought I kinda understood, but clearly there's some piece missing.



We're currently using Zerigo as our primary DNS, with slave DNS running on Linode. This works quite well. However, recent DDoS attacks on Zerigo meant that whilst DNS queries were still resolved, we were unable to make any DNS changes. Since we rely on DNS changes on our own infrastructure, I'm looking to improve this somehow.




I'd rather not ditch Zerigo completely, and realise that this or similar problems can happen with ANY primary DNS hosting provider. It might not be DDoS, but a bug on their server, or something else that means we can no longer issue updates.



For this I want to have some fallback option: a completely independent (primary) DNS provider (maybe AWS), which we will keep in sync manually. We will switch over to it when there's a problem. This brings me to my question:



How do I make sure we can switch those providers quickly enough? Specifically, on our registrar, there's a list of name servers, but no settings like TTL etc. How do DNS clients know to use the newly updated name server records? Is this configured in the SOA? However, the SOA itself is hosted with the DNS provider and we might not be able to update it...



This is not a question about a one-time move, which can be planned and scheduled and tested, but rather to be able to do so when things are half-broken.


Answer



Yes, the duration of the NS records (which indicate that yourdomain.example is hosted by ns1.zerigo.net or my-ec2.amazon.com) is determined by the TTL value of these NS records. If your hoster does not allow you to change these TTLs, you're toasted.




Even if your DNS hoster allows you to change them, there is also the TTL of the NS records at the parent zone and these are fixed by the registry.



So switching over from one DNS hoster to another one cannot really be done in real time. Spammers and other bot herders do it (this is called "fast flux") to evade detection, but they host their domains themselves, so they can set the TTLs at will. (They still have the limit of the TTL at the registry.)
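The answer points at two separate NS RRsets with two separate TTLs: the delegation the registry publishes in the parent zone (returned as a referral, in the AUTHORITY section of a `dig +norecurse @<tld-server> yourdomain.example NS`) and the NS set the zone's own servers answer with (in the ANSWER section of `dig @<your-ns> yourdomain.example NS`). Before relying on a fallback provider it is worth checking both, because a resolver may keep either RRset for its full TTL. The following is an added example, not code from the question or the answer: a small Python check that parses the two dig outputs, reports both TTLs, flags a mismatch between the two server sets, and computes the worst-case window during which resolvers can still hand out the old delegation. The dig output, the 172800-second registry TTL, the 86400-second child TTL and the server names (a.ns.zerigo.net, b.ns.zerigo.net, ns1.linode.com) are constructed for the example; substitute your own `dig` output.

```python
import re
from dataclasses import dataclass

# Constructed dig output, not captured from a real query. A TLD server answers a
# non-recursive NS query with a referral: ANSWER is empty and the delegation sits in
# the AUTHORITY section. 172800 s (48 h) is assumed here as the registry's TTL.
PARENT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;yourdomain.example.        IN  NS

;; AUTHORITY SECTION:
yourdomain.example.  172800  IN  NS  a.ns.zerigo.net.
yourdomain.example.  172800  IN  NS  b.ns.zerigo.net.

;; ADDITIONAL SECTION:
a.ns.zerigo.net.     172800  IN  A   192.0.2.10
"""

# Constructed authoritative answer from one of the zone's own name servers (flag aa):
# the NS RRset is in the ANSWER section with the TTL the DNS hoster lets you set.
# Here the zone lists a Linode server that the registry delegation does not know about.
CHILD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yourdomain.example.        IN  NS

;; ANSWER SECTION:
yourdomain.example.  86400  IN  NS  a.ns.zerigo.net.
yourdomain.example.  86400  IN  NS  b.ns.zerigo.net.
yourdomain.example.  86400  IN  NS  ns1.linode.com.
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:\s*$")


@dataclass(frozen=True)
class NSRRset:
    ttl: int
    servers: frozenset  # lower-cased names without the trailing dot


def parse_ns_rrset(dig_text: str, section: str) -> NSRRset:
    """Extract the NS RRset from one dig section ("ANSWER" or "AUTHORITY").

    dig prints one record per line as NAME TTL CLASS TYPE RDATA; lines starting
    with ';' are comments and a blank line ends a section.
    """
    in_section = False
    ttls, servers = set(), set()
    for line in dig_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == section
            continue
        if not in_section:
            continue
        if not line.strip():
            in_section = False  # blank line closes the section
            continue
        if line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[3] != "NS":
            continue
        ttls.add(int(fields[1]))
        servers.add(fields[4].lower().rstrip("."))
    if not servers:
        raise ValueError(f"no NS records in the {section} section")
    if len(ttls) != 1:
        raise ValueError(f"mixed TTLs within one RRset: {sorted(ttls)}")
    return NSRRset(ttl=ttls.pop(), servers=frozenset(servers))


def delegation_report(parent_dig: str, child_dig: str) -> dict:
    """Compare the registry's delegation with the zone's own NS set and bound the
    time resolvers may keep sending queries to the old provider after a change."""
    parent = parse_ns_rrset(parent_dig, "AUTHORITY")
    child = parse_ns_rrset(child_dig, "ANSWER")
    return {
        "parent_ttl": parent.ttl,
        "child_ttl": child.ttl,
        "consistent": parent.servers == child.servers,
        "only_in_parent": sorted(parent.servers - child.servers),
        "only_in_child": sorted(child.servers - parent.servers),
        # A resolver can hold either RRset until its TTL runs out, so plan for the
        # larger of the two; only the child TTL is yours to lower in advance.
        "worst_case_stale_seconds": max(parent.ttl, child.ttl),
    }


if __name__ == "__main__":
    report = delegation_report(PARENT_DIG, CHILD_DIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the two `dig` commands against your own TLD server and your current provider and feed the output in; if `consistent` is false the registry and the zone disagree about who is authoritative, and `worst_case_stale_seconds` is the window you should assume the old provider's answers stay in caches. The child TTL is the only one you control, so lower it while everything still works rather than during an outage, as the answer above warns.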

