Managed DNS considered harmful

Outsourcing your DNS is not a magic bullet.


There is frequently a tendency toward letting one’s guard down when it comes to threats to your IT systems. Absent an immediate “hair-on-fire” situation, we may relax and assume all is well. Yet malicious activity such as hacking, phishing, malware, and DDoS attacks never stop accelerating in terms of frequency and intensity.

So it’s important to have a “Plan B” DNS solution in place and ready before a crisis hits. That way, even if you’re taken off guard, you still have a backup plan and can respond appropriately.

DNS is one of those things nobody really thinks about, until it stops working. The first time easyDNS went off the air on April 15, 2003, it induced a type of existential crisis in me. That summer, after meditating intensely on the situation, I came away with the conclusion that the centralized managed DNS model, as we understood it then, was doomed.

My response at the time was a proposal to pivot to a DNS appliance with decentralized deployments, but centralized monitoring and management. That concept was promptly shot down my co-founders and we’ve kept on with the centralized, hosted DNS model to this day.

The core problem is this: there are many reasons to elect to outsource your DNS to a managed DNS provider. Those reasons include:

  • Gaining access to specialized DNS deployments which were traditionally not feasible for a single organization acting alone, such as DNS anycast, GeoDNS or IP failover
  • Leveraging the managed DNS provider’s toolkit and interface for managing larger and more complex domain portfolios, including API access
  • Offloading “DNS problems” – whatever they end up being, you don’t have your own ops people running around frantically flipping through the Cricket book, you just open a ticket and tell your managed DNS provider to deal with it.
  • Reducing your own support load – when you’re managing large numbers of domains and DNS for your own end-users and your managed DNS provider offers multi-user DNS-in-a-box solutions, you can push self-management of your customer domains right down to your end users.

But the benefits can be outweighed by some paradoxical situations:

  • Despite the fact that most DNS providers have a near-pathological fetish for redundancy at every level, they are still logical single-point-of-failures unto themselves. Some may dispute this, but I can list off enough documented outages among DNS providers and domain registrars across the continuum from the smaller outfits right on up to the multi-billion dollar, publicly traded behemoths to hold up this assertion.

  • Once you outsource your DNS to a DNS Provider, you are more likely to impacted by a DDoS attack that has nothing to do with you. In other words, you may never be the direct target of a DDOS attack, but somebody at your DNS Provider will be (nearly every day, in fact). You may get lucky stretches of uneventfulness lasting for years; but when your managed DNS provider’s turn finally comes (and it will), you feel the impact of the mother of all DDoS attacks aimed at somebody else entirely. Last year (2014) it was NTP reflection (300+ Gb/sec) This year it’ll be something else, and it’ll be bigger.

  • Non-DDoS related outages can still occur among DNS platforms.

The core of the paradox is that once a firm makes the decision to outsource their DNS and settles on a vendor, they make the mistake of thinking “they’re done” and they forget about it. (DNS is alas, the runt protocol. No matter what gets decided, in-house, outsourced, whatever, once it’s set up, it’s forgotten about and generally neglected. It’s the one thing that’s set-and-forget that really shouldn’t be).

When the outage hits there is no Plan B. There are no backup name servers primed and ready to go. There is no plan to migrate away to another DNS platform, even temporarily. The company may not even have in-house repositories of their own DNS data.

The harmful assumption then is in thinking that once you’ve decided on the “managed DNS route,” you don’t have to worry about your DNS anymore. This is wrong. Because so much on the Internet is reliant on DNS, you can never stop worrying about DNS. No matter what you decide to do about it, somebody or some team inside your organization has to be tasked with losing sleep over the DNS.

There is a way to mitigate this and it is simply to think of DNS management in the same “high availability” mindset you think about anything else, whether it’s dual power supplies, dual NICs in every server, data centre redundancy, or even two separate gas suppliers for the backup generators on the roof; you simply do the same thing with your DNS solutions and you set up more than one.

That could be multiple disparate managed DNS providers — preferably those that play well with others. They allow third-party zone transfers in and out; they have APIs; they make it easy to get your data out or even have integrations with third party platforms.

It could be a combination of in-house and outsourced, where you run your own name servers in conjunction with a managed DNS provider.

You can go active/passive — where you run your primary solution and failover to your backup platform in an emergency, or you can run active/active and have the multiple vendors or platforms on all the time. There are trade offs to each method, but one thing is universal; have a DNS failover plan and dedicated resources to execute it when the time comes.

Editor’s note: if you’re ready to start formulating your “Plan B” DNS solution, check out Managing Mission Critical Domains and DNS by Mark Jeftovic, available in early release now.

This post is part of our ongoing exploration into Ubiquitous delivery.

Public domain bridge image courtesy of Pixabay.

tags: , , , , , ,