

Ask HN: How to mitigate DNS provider issues? - sghael

I had several sites become inaccessible yesterday due to the DDOS on Namecheap's DNS servers:
http://status.namecheap.com/?p=3739

Everything appears to be back to normal for us right now, but this has definitely rattled us a bit. We've never had problems with Namecheap before. Admittedly, DNS / Nameserver routing is not something I have a lot of expertise in. Like many developers/dev ops people, DNS is something I set once and mostly leave alone. I had not considered it a vector for failure.

Several questions:

1) What are the best practices in mitigating something unforeseen like a DDOS attack on your DNS / Nameserver provider? It seems like redundancy is the only good option, since any provider we go with could get DDOS-ed. What are good redundancy setups?

2) I've heard people say 'don't do DNS with your registrar'. But I'm not clear on exactly why not. Are registrars just inherently worse at DNS & nameserving?

3) Out of curiosity, does anyone know why Namecheap was DDOS-ed? Was it just for the lolz?
======
retronick
Really, the best thing you can do is make certain you're with a good, stable,
Anycast provider. Preferably one that's been beefing up their network. I've
been using DNS Made Easy for a few months now for the ability to have vanity
name servers and have noticed a significant boost in speed since. I also
started using their failover service to help avoid going down since they
included 3 records with my membership anyway :P. They're also crazy cheap for
the features I've been getting:
<http://www.dnsmadeeasy.com/enterprisedns/pricing.html>

As for why Namecheap got hit, who knows. Could be a malicious attack on a site
using the service, could be a prank. Maybe just for lolz. There's any number
of reasons. Unless they release that info, I don't think you'll find a clear
answer any time soon :-/.

------
jrsmith1279
I've seen a lot of praise for easyDNS, but I've never used them myself. They
have failover DNS, which is interesting.
<http://support.easydns.com/Failoverfaq.php> I guess you could technically use
2 (or more) different hosts for DNS, which would give you some redundancy, but
I've never seen anyone do that.

I usually don't like to host DNS with the registrar because they tend to be
kind of bad as far as flexibility. GoDaddy's DNS controls are pretty good, but
I still tend to host my DNS elsewhere.
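
The redundancy idea raised above (two or more different DNS hosts for one zone) can be audited from the zone's NS records. This is an added example, not part of the original post: it parses constructed `dig +noall +answer NS` output and reports whether each zone depends on a single operator. The zone names, provider names and the two-label operator heuristic are assumptions.

```python
import re

# Matches one answer line as printed by `dig +noall +answer NS <zone>`.
NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.I)

def parse_ns(dig_answer):
    """Return {zone: sorted NS hostnames}, lower-cased, trailing dot removed."""
    zones = {}
    for line in dig_answer.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            zone, host = (s.rstrip(".").lower() for s in m.groups())
            zones.setdefault(zone, set()).add(host)
    return {z: sorted(h) for z, h in zones.items()}

def operator_guess(host):
    """Assumption: the last two labels of the NS name identify the operator.
    Suffixes such as co.uk need a public-suffix list instead."""
    return ".".join(host.split(".")[-2:])

def assess(zone, hosts):
    """Classify a delegation as 'single', 'multi' or 'unknown'."""
    in_zone = [h for h in hosts if h == zone or h.endswith("." + zone)]
    if in_zone:
        # Vanity name servers hide who runs them; the name proves nothing.
        return "unknown", sorted(in_zone)
    operators = sorted({operator_guess(h) for h in hosts})
    return ("multi" if len(operators) > 1 else "single"), operators

# Constructed sample input (hypothetical zones and providers, not real data).
SAMPLE = """\
alpha.example.  3600 IN NS ns1.provider-a.example.
alpha.example.  3600 IN NS ns2.provider-a.example.
beta.example.   3600 IN NS ns1.provider-a.example.
beta.example.   3600 IN NS ns1.provider-b.example.
gamma.example.  3600 IN NS ns1.gamma.example.
gamma.example.  3600 IN NS ns2.gamma.example.
"""

def report(dig_answer=SAMPLE):
    """Map each zone in the dig output to its (verdict, detail) pair."""
    return {z: assess(z, h) for z, h in parse_ns(dig_answer).items()}

if __name__ == "__main__":
    for zone, (verdict, detail) in report().items():
        print(f"{zone:15} {verdict:8} {', '.join(detail)}")
```

A "single" verdict means an outage at that one operator takes the zone down; "unknown" means the NS names are inside the zone itself, so the addresses behind them have to be checked to learn who runs them.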

------
18pfsmt
I sure wish some company would step up and offer a reasonable, quality
registrar/DNS offering, but I have yet to find that one. Until that time, I
will keep them separate, and would suggest using DynDNS. It really depends on
your needs and/or budget. I would check out this page:
<http://www.dyndns.com/services/dynectsmb/>

If that looks like overkill, you might consider this plan:
<http://www.dyndns.com/services/upgrades/>

------
staunch
You really can't do that much. Pick a good provider.

I'm using route53 from Amazon. It's dirt cheap and they're no slouches when it
comes to reliability. It's still relatively new though.

~~~
PizzaPanther
If you use route53 aren't you still storing the nameservers at Namecheap in
this case, thus, not eliminating the problem since they are still part of the
route?

~~~
staunch
Nope. Only problems with the root servers or Amazon would be an issue.

------
bdwalter
Hire dyndns and don't worry about it again.

