
Ask HN: DNS best practices? - rebootthesystem
Given DDoS attacks like the one Namecheap is undergoing, what are your recommended best practices before and during such attacks in order to ensure business continuity?

In other words:

How do you set up DDoS-proof (to the extent it is possible) DNS for your servers?

If you find yourself in the middle of the firestorm, how have you dealt with it?
======
skrowl
DNS is inherently fault tolerant. That's why you can specify more than one NS
record (if server A is down, go to server B!) on a domain.

Unfortunately if you use Namecheap's DNS service, you CAN'T specify failover /
secondary DNS servers. This has been a known issue for a year & a half that
they've failed to address:
[https://community.namecheap.com/forums/viewtopic.php?f=6&t=5...](https://community.namecheap.com/forums/viewtopic.php?f=6&t=5905)

~~~
Someone1234
Plus their TTL policies/issues:

[https://community.namecheap.com/forums/viewtopic.php?f=6&t=8...](https://community.namecheap.com/forums/viewtopic.php?f=6&t=8630)

------
otterley
DDoS protection benefits from an economy of scale (the more network resources
you can use to buffer against an adversary, the better). You're better off
delegating your service to a third party who's already implemented effective
DDoS protection, such as Dynect or UltraDNS.

------
ammmir
Poor man's anycast: Set up a hidden master and push zone updates to multiple
slave DNS servers at different providers, which are all registered as your
domain's DNS servers (at your registrar).

Actual anycast: Piggyback on a network provider that already announces an
anycast network block and "lease" a single IP address. Have lots of time and
money? Obtain BGP access, colocate servers, purchase network equipment, etc.
and do it all yourself.

A good compromise is to use a DNS provider that offers anycast already, like
DNS Made Easy, AWS Route 53, or a number of others at reasonable cost.
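
The hidden-master setup above (and skrowl's point about not being able to add secondary servers at one registrar) has two failure modes that are easy to check but rarely checked: every delegated NS record still sits at a single provider, or a secondary quietly stops receiving zone transfers and serves a stale copy. The script below is an added example, not code from the thread's participants; it takes the NS set you delegated at the registrar and the SOA serial each server answered with (what `dig NS example.com` and `dig @server SOA example.com` would give you) and flags both problems. The nameserver names and serials are constructed sample data; the "provider" grouping is a deliberately crude last-two-labels heuristic.

```python
"""Sanity checks for a hidden-master + multi-provider secondary DNS setup.

Inputs are things you already have in hand:
  - the NS names delegated at the registrar
  - the SOA serial each of those servers returned for the zone
  - the serial on the hidden master
All sample values below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: NS names delegated at the registrar (hypothetical hosts).
DELEGATED_NS = [
    "ns1.provider-a.example.",
    "ns2.provider-a.example.",
    "ns1.provider-b.example.",
]

# Constructed sample: SOA serial each server answered with.
# None means the server did not answer at all.
SOA_SERIALS = {
    "ns1.provider-a.example.": 2014021001,
    "ns2.provider-a.example.": 2014021001,
    "ns1.provider-b.example.": 2014020901,  # missed the last zone transfer
}

# Constructed sample: serial currently loaded on the hidden master.
HIDDEN_MASTER_SERIAL = 2014021001


def provider_of(ns_name):
    """Crude provider key: the last two labels of the NS hostname.

    Good enough to notice that all NS records share one operator; it is
    not a real registrable-domain lookup (no public-suffix list)."""
    labels = ns_name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_provider_diversity(ns_names):
    """Group NS names by provider. A single key means there is no
    second provider to fail over to if the first is attacked or down."""
    groups = defaultdict(list)
    for ns in ns_names:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def check_zone_sync(serials, master_serial):
    """Compare each server's SOA serial with the hidden master's.

    Returns (stale, unreachable). A server whose serial differs from the
    master in either direction is reported: behind means transfers or
    NOTIFY are broken, ahead means someone edited the zone on a secondary."""
    stale = [ns for ns, s in serials.items()
             if s is not None and s != master_serial]
    unreachable = [ns for ns, s in serials.items() if s is None]
    return stale, unreachable


def check_delegation_matches(ns_names, serials):
    """Delegated servers you never polled, and polled servers that are
    not actually in the registrar delegation (both are config drift)."""
    delegated, polled = set(ns_names), set(serials)
    return sorted(delegated - polled), sorted(polled - delegated)


def run_checks(ns_names, serials, master_serial):
    """Return a list of human-readable findings; empty means all clear."""
    findings = []
    groups = check_provider_diversity(ns_names)
    if len(groups) < 2:
        findings.append("single provider: " + ", ".join(sorted(groups)))
    stale, unreachable = check_zone_sync(serials, master_serial)
    for ns in stale:
        findings.append("stale serial %s at %s (master %s)"
                        % (serials[ns], ns, master_serial))
    for ns in unreachable:
        findings.append("no answer from %s" % ns)
    not_polled, not_delegated = check_delegation_matches(ns_names, serials)
    for ns in not_polled:
        findings.append("delegated but not checked: %s" % ns)
    for ns in not_delegated:
        findings.append("answers but not delegated at registrar: %s" % ns)
    return findings


if __name__ == "__main__":
    for line in run_checks(DELEGATED_NS, SOA_SERIALS, HIDDEN_MASTER_SERIAL) or ["ok"]:
        print(line)
```

Run it from cron against live `dig` output and a non-empty result is your early warning that the "multiple providers" plan has silently collapsed back to one, which is exactly what you do not want to discover during an attack.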

------
wise_young_man
We use Route53. It has Anycast and GeoDNS and isn't as susceptible to DDoS.
The free DNS provided by most registrars is great, but if you want reliability
and high availability it's worth exploring all of your options.

~~~
stevekemp
Yes, Route53 provides a fantastic service. Just make sure you set up billing
alerts to ensure you're not caught out by exceptional traffic.

One of the advantages of Route53 is that each domain gets its own "random"
nameserver, so if you host 50+ domains they're unlikely to all be affected by
a DoS attack.

I wrap Route53 with git to keep history and allow quick updates over at
[https://dns-api.com/](https://dns-api.com/) but even if you use their control
panel manually, rather than any of the APIs, their service is exceptionally
good.

