
IT: Question for DNS Experts

Nov 15, 2010 | 12:50 PM  #1  thunder04 (Thread Starter)

Work question.

Over the weekend, the company we have our primary domain registered through (Register.com) became victim of a DDoS attack, thus bringing their services down completely. Not only are they our registrar, we also currently use their DNS services.

So, the attack resulted in DNS queries failing for our domain for the later part of Friday, and most of the day Saturday.

I'm trying to think of a way to avoid this in the future. I was thinking that we could set up secondary DNS with another provider (or host it ourselves), but if the registrar goes down, would having secondary DNS hosted somewhere else matter?

Isn't the registrar responsible for telling the DNS world who to query for DNS lookups? If the registrar can't tell DNS servers where to look, wouldn't backup DNS be pointless?
Nov 15, 2010 | 01:25 PM  #2  JLatimer
In answer to your last question... Root servers tell the DNS world where to query for DNS lookups. Root servers are a robust network of many different hosts located worldwide. Root servers are usually highly available. There have been very rare occasions where there have been problems at the root server level, but we are talking very rare and it shouldn't happen again.

If your registrar who is currently hosting your DNS will do a zone transfer (basically a copy of your domain's records) to your host, you could setup a DNS server to accept those transfers, then set that DNS server as a secondary or tertiary name server. That would cover you should your registrar's DNS servers go down.

You also could take on hosting of your own DNS completely. Host two physically and logically diverse systems both running a DNS service - avoid BIND unless you want more downtime. This way you can change records whenever you want and you don't have to wait for your registrar to make those changes for you.
Nov 15, 2010 | 01:42 PM  #3  Billiam
Assuming this is correct....

...then when the root servers "send" the query over to the .com name space, isn't that where a registrar's servers can come into play?
Nov 15, 2010 | 02:43 PM  #4  JLatimer
Close...

A DNS lookup occurs as follows:
Let's say we are looking up www.acurazine.com
First, who is authoritative for .com? Let's ask the root servers using my known root hints.
- it answers with an IP for the .com TLD servers (probably a root server)
Next, let's ask the .com TLD server who is authoritative for acurazine.com
- it answers with DNSCDC.INTERNETBRANDS.COM
Next we ask DNSCDC.INTERNETBRANDS.COM, or DNSLA.INTERNETBRANDS.COM, what the A record is for www.acurazine.com (this is where your registrar's DNS servers come into play).
- the INTERNETBRANDS.COM DNS server answers with 67.201.16.157 (the result response)

So InternetBrands manages their own 2 DNS servers in geographically diverse datacentres to ensure availability of the name resolution, rather than depend on their registrar (GoDaddy). The registrar is never contacted in this scenario. This is probably kind of what you want if availability is important to you.

If they used GoDaddy to host their DNS, the above scenario would play out in short like the following:
1. Q. to root: Who has .com?
- A. .com TLD
2. Q. to .com TLD: Who has acurazine.com?
- A. NS.GODADDY.COM
3. Q. to NS.GODADDY.COM: Who has www.acurazine.com?
- A. 67.201.16.157

This sounds close to what the OP has setup.
Nov 15, 2010 | 03:09 PM  #5  thunder04 (Thread Starter)
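The referral chain JLatimer walks through, simulated in Python as an added example (not code from the thread). The zone data is constructed: the root and TLD server addresses are documentation IPs and a.gtld-servers.net is used only as a stand-in name, while the final answer is the one quoted above. Marking one authoritative server as down shows what a second, separately hosted name server buys you, and the registrar never appears on the path at all.

```python
"""Simulated iterative lookup of www.acurazine.com over a constructed
delegation tree (no network traffic). Names come from the thread; every
IP except the final answer is a constructed documentation address."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed data: what each hypothetical server will answer.
# Note that the registrar appears nowhere: its only job was to hand the
# NS records for acurazine.com to the .com TLD operator ahead of time.
SERVERS: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "192.0.2.1": {                       # stand-in for a root server
        "com.": [("NS", "a.gtld-servers.net.")],
        "a.gtld-servers.net.": [("A", "192.0.2.2")],
    },
    "192.0.2.2": {                       # stand-in for a .com TLD server
        "acurazine.com.": [("NS", "dnscdc.internetbrands.com."),
                           ("NS", "dnsla.internetbrands.com.")],
        "dnscdc.internetbrands.com.": [("A", "203.0.113.10")],
        "dnsla.internetbrands.com.": [("A", "203.0.113.20")],
    },
    "203.0.113.10": {"www.acurazine.com.": [("A", "67.201.16.157")]},
    "203.0.113.20": {"www.acurazine.com.": [("A", "67.201.16.157")]},
}
ROOT_HINTS = ["192.0.2.1"]


def resolve(name: str, down: FrozenSet[str] = frozenset()):
    """Follow referrals from the root hints until an A record is found.
    Returns (address, servers_asked). Servers listed in `down` are treated
    as unreachable, which is how a provider outage looks to a resolver."""
    candidates, asked = list(ROOT_HINTS), []
    while candidates:
        server = candidates.pop(0)
        if server in down:
            continue                     # fall over to the next NS
        zone = SERVERS[server]
        asked.append(server)
        if name in zone:                 # authoritative answer
            return next(r for t, r in zone[name] if t == "A"), asked
        labels = name.split(".")
        for i in range(1, len(labels)):  # find the zone cut it delegates
            cut = ".".join(labels[i:])
            if cut in zone and zone[cut][0][0] == "NS":
                ns_names = [r for t, r in zone[cut] if t == "NS"]
                candidates = [a for ns in ns_names
                              for t, a in zone.get(ns, []) if t == "A"]
                break
        else:
            raise LookupError(f"{server} has no answer or referral for {name}")
    raise LookupError(f"every name server on the path to {name} is down")
```

Calling `resolve("www.acurazine.com.", frozenset({"203.0.113.10"}))` returns the same address via 203.0.113.20; only when both authoritative servers are down does the lookup fail.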
If I'm understanding correctly...

So it's simply that the registrar updates root DNS servers on who is authoritative for a given domain. If the registrar becomes unavailable, but the domain's DNS servers are still available, the root DNS servers still know where to get DNS information for our domain. The only limitation to a registrar being down is that you can't change the DNS servers associated with the domain.

Why should I avoid BIND? We've been using it for years for DNS on one of our older domains without any problems.
Nov 15, 2010 | 05:50 PM  #6  JLatimer
Perfect. You got it correct.

BIND is riddled with security holes, is susceptible to DDoS, etc. I run TinyDNS. It isn't that BIND is impossible to secure... It is just more difficult. But that is just my opinion - your mileage may vary.