DNS Services for a registrar
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure? We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.

Cheers
Ryan
On Aug 12, 2016, at 1:56 AM, Ryan Finnesey <ryan@finnesey.com> wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
My big concern would be the current lack of v6 support on AWS for such a deployment. I suspect it’s coming soon as they just announced IPv6 support on S3 yesterday. How many zones do you expect to scale to? I’ve been running a free secondary DNS service for many years on BIND, but moving to something else makes a lot of sense these days. Do you have a lot of DNS server experience in-house? There’s a lot of little things that come up along the way. You really should consider being subscribed to the dns-operations list and asking there as well.
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
I like having good control over my own fate, so would prefer running my own service, but plenty of people use hosted DNS at their providers, and there’s plenty of folks who can sell you a service from dyn to neustar with their own cost models. I would either provide a completely opaque service offering where you retain control of the NS records so can easily move/renumber as you scale up, or consider a solution which can be expanded globally as needed over time. I’m able to host ~10k zones in my free secondary service without issues, but to “take the next step” requires decoupling 20 years of history I’m dragging around. - Jared
And regardless of what / who you choose make sure that they are running RFC compliant servers. There are a lot of DNS providers that feel they don't need to use RFC compliant servers which makes problems for all the resolver vendors out there. It also makes it hard to deploy new features that depend on servers actually behaving as specified in the RFCs. Most of the problems I see would take 10 minutes for a developer to fix if they are not already fixed and just require a more recent version to be installed.

For a list of some of the things you should be checking for see https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03

You can also run the EDNS compliance checker at https://ednscomp.isc.org

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: marka@isc.org
Someone registered the domain “corp.gr” and now sells subdomains similar to .com.gr, .co.uk, etc. They use a “clever” way to make sure they will have 100% uptime at virtually no cost:

$ dig NS corp.gr
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> NS corp.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47495
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;corp.gr. IN NS

;; ANSWER SECTION:
corp.gr. 21599 IN NS puck.nether.net.
corp.gr. 21599 IN NS ns4.dnsunlimited.com.
corp.gr. 21599 IN NS i.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.zerigo.net.
corp.gr. 21599 IN NS f.ns.zerigo.net.
corp.gr. 21599 IN NS b.nskey.com.
corp.gr. 21599 IN NS g.ns.buddyns.com.
corp.gr. 21599 IN NS ns4.he.net.
corp.gr. 21599 IN NS ns5.dnsunlimited.com.
corp.gr. 21599 IN NS f.ns.buddyns.com.
corp.gr. 21599 IN NS h.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.buddyns.com.
corp.gr. 21599 IN NS ns2.he.net.
corp.gr. 21599 IN NS ns2.afraid.org.
corp.gr. 21599 IN NS a.nskey.com.
corp.gr. 21599 IN NS b.ns.zerigo.net.
corp.gr. 21599 IN NS b.ns.buddyns.com.
corp.gr. 21599 IN NS e.ns.buddyns.com.
corp.gr. 21599 IN NS ns1.dnsunlimited.com.
corp.gr. 21599 IN NS c.ns.zerigo.net.
corp.gr. 21599 IN NS c.ns.buddyns.com.
corp.gr. 21599 IN NS ns3.dnsunlimited.com.
corp.gr. 21599 IN NS a.ns.zerigo.net.
corp.gr. 21599 IN NS ns5.he.net.
corp.gr. 21599 IN NS ns2.dnsunlimited.com.
corp.gr. 21599 IN NS ns1.twisted4life.com.
corp.gr. 21599 IN NS e.ns.zerigo.net.
corp.gr. 21599 IN NS ns3.he.net.

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 12 14:42:58 2016
;; MSG SIZE rcvd: 577

Of course, I don’t recommend you do this.

On a serious note, as mentioned previously, AWS lacks IPv6 currently. A custom solution would provide more control but it may have some challenges.

In addition to that, you’d probably need some form of network redundancy but you’re most likely not going to reach AWS’ anycasted network’s availability easily. I’d recommend looking to some other providers as well, some of which may be in the list of name servers above. Just my 2c
On 12 Aug 2016, at 08:56, Ryan Finnesey <ryan@finnesey.com> wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
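DaKnOb's dig output above spreads corp.gr across 28 name servers run by eight different operators, and the 577-byte answer no longer fits a 512-byte UDP reply, which is why dig retried over TCP. Later replies in the thread raise the opposite failure mode: every NS at one provider, so a single provider problem takes the whole delegation down. The script below is an added example, not code from the thread or from any of the providers named: it parses dig's answer section, groups each NS target by the operator's registrable domain and flags a single-provider delegation, and also records whether dig had to fall back to TCP. The two-level-suffix table is a placeholder for a real public suffix list, and the example-dns.net contrast case is constructed for the demo.

```python
import re
from collections import Counter

# Stand-in for the public suffix list: under these suffixes the registrable
# name has three labels (e.g. awsdns-20.co.uk). Constructed for this demo; a
# real tool would load the full list from publicsuffix.org.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.gr", "co.gr"}

# One dig answer line: "<owner> <ttl> IN NS <target>"
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def parse_ns_records(dig_output):
    """Pull NS targets out of dig's answer section, skipping ';' comment lines."""
    hosts = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            m = NS_LINE.match(line)
            if m:
                hosts.append(m.group(3).rstrip(".").lower())
    return hosts


def provider_of(host):
    """Registrable domain of a name-server host name, used as 'who operates it'."""
    labels = host.rstrip(".").lower().split(".")
    depth = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-depth:])


def delegation_report(dig_output, min_providers=2):
    """Summarise how a delegation's NS set is spread across operators."""
    hosts = parse_ns_records(dig_output)
    providers = Counter(provider_of(h) for h in hosts)
    return {
        "ns_count": len(hosts),
        "providers": dict(providers),
        "single_provider": len(providers) == 1,
        "meets_min_providers": len(providers) >= min_providers,
        # dig prints this notice when the UDP answer was truncated and it retried over TCP
        "udp_truncated": "Truncated, retrying in TCP mode" in dig_output,
    }


# A subset of the corp.gr answer quoted in the thread, with dig's truncation notice kept.
CORP_GR_SUBSET = """\
;; Truncated, retrying in TCP mode.
;; ANSWER SECTION:
corp.gr. 21599 IN NS puck.nether.net.
corp.gr. 21599 IN NS ns4.dnsunlimited.com.
corp.gr. 21599 IN NS i.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.zerigo.net.
corp.gr. 21599 IN NS ns4.he.net.
corp.gr. 21599 IN NS ns2.he.net.
corp.gr. 21599 IN NS ns2.afraid.org.
"""

# Constructed contrast case: every NS at one operator (example-dns.net is a placeholder).
SINGLE_PROVIDER = """\
;; ANSWER SECTION:
example.com. 300 IN NS ns1.example-dns.net.
example.com. 300 IN NS ns2.example-dns.net.
example.com. 300 IN NS ns3.example-dns.net.
example.com. 300 IN NS ns4.example-dns.net.
"""

if __name__ == "__main__":
    for label, text in (("corp.gr subset", CORP_GR_SUBSET), ("single provider", SINGLE_PROVIDER)):
        print(label, delegation_report(text))
```

Feed it `dig NS <zone>` output for your own delegations; a `single_provider` of True is the case Keith and DaKnOb warn about, and `udp_truncated` tells you the NS set has grown past what a plain UDP answer carries.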
On Fri, Aug 12, 2016 at 03:50:55PM +0300, DaKnOb wrote:
Someone registered the domain “corp.gr” and now sells subdomains similar to .com.gr, .co.uk, etc. They use a “clever” way to make sure they will have 100% uptime at virtually no cost:
heh. amusing. surprised they don't have esgob in there too. but seriously, look at the anycast on a shoestring presentation from nat morris. There are a lot of ways to skin this cat. I've been meaning to respin a variant of my service for a few years now, maybe it's time to do it.

- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable. #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07 Has been #1 several months this year.

Beckman

On Fri, 12 Aug 2016, Ryan Finnesey wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
Peter,

That test is meaningless as it is from only a few locations which seem to overlap with those who scored well. I would suggest using that as a base to compare speed.

Mehmet

On Friday, August 12, 2016, Peter Beckman <beckman@angryox.com> wrote:
I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable.
#2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07
Has been #1 several months this year.
Beckman
On Fri, 12 Aug 2016, Ryan Finnesey wrote:
We need to provide DNS services for domains we offer as a registrar. We
were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
From the speed comparison report: "Averaged across all name servers"
That's a silly, synthetic, and non-representative test. It encourages cohosting all your NS at all your sites to game the performance numbers, hurting availability. I'd expect to see a decent amount of latency variance across the NS in a given delegation because I want them to get anycasted to different transit/physical locations, and I would also expect that not to translate into notable user-perceived latency due to resolvers' server selection logic.

-eli

On Fri, Aug 12, 2016 at 9:41 AM, Peter Beckman <beckman@angryox.com> wrote:
I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable.
#2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07
Has been #1 several months this year.
Beckman
On Fri, 12 Aug 2016, Ryan Finnesey wrote:
We need to provide DNS services for domains we offer as a registrar. We
were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
Also a big fan of DNS Made easy, but I wish they’d add DNSSEC already. I’m happy with AWS - one thing to consider is model out the network costs. That seems to get some people, who just expect the bill for instances at end of month. If you’re worried about availability due to an availability zone going down, ensure you have the service replicated across multiple AZs or regions and It might be worth a few minutes pondering just using Amazon’s Route53 instead of running the DNS server yourself. I haven’t looked at how the cost compares.
On Aug 12, 2016, at 6:41 AM, Peter Beckman <beckman@angryox.com> wrote:
I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable.
#2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07
Has been #1 several months this year.
Beckman
On Fri, 12 Aug 2016, Ryan Finnesey wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
--------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month. You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less. You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.

On Aug 12, 2016, at 9:44 AM, John Kinsella <jlk@thrashyour.com> wrote:

---
Keith Stokes
On 12 Aug 2016, at 18:36, Keith Stokes <keiths@neilltech.com> wrote:
Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.
You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.
I’d also recommend multiple providers as well if you’re getting dedicated servers so you can avoid non-technical provider-based issues.
You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.
On Aug 12, 2016, at 9:44 AM, John Kinsella <jlk@thrashyour.com> wrote:
Also a big fan of DNS Made easy, but I wish they’d add DNSSEC already.
I’m happy with AWS - one thing to consider is model out the network costs. That seems to get some people, who just expect the bill for instances at end of month. If you’re worried about availability due to an availability zone going down, ensure you have the service replicated across multiple AZs or regions and
It might be worth a few minutes pondering just using Amazon’s Route53 instead of running the DNS server yourself. I haven’t looked at how the cost compares.
On Aug 12, 2016, at 6:41 AM, Peter Beckman <beckman@angryox.com> wrote:
I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up time in the last 10-12 years excluding an 8 hour period 4-5 years ago where they got DDOSed, no issues since), very affordable.
#2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07
Has been #1 several months this year.
Beckman
On Fri, 12 Aug 2016, Ryan Finnesey wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
---
Keith Stokes
On 2016-08-12 11:36 AM, Keith Stokes wrote:
Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.

If you had 1000 domains, you'd pay $110/month, not $500. The first 25 domains at $0.50/month each, after that it's $0.10. And that's based on the publicly available pricing -- they have special pricing if you're hosting >500 domains.

Including queries, if each hosted domain had a million queries a month, your total bill would be $310. That's probably a high estimate because it doesn't account for the >500 domain special pricing and your average registrar-hosted domain doesn't get anywhere near 1M queries a month. Your actual bill would probably be significantly less.

You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.

If you were to use c4.large instances, it would cost just under $400/month to have 6 instances spread across 2 regions with 3 AZs each, after instances, load balancers and bandwidth. That's assuming you do the discounted 1-year, no-upfront-fee term on the instances. And you're still not as redundant or fast as Route 53, which is anycast from way more than 6 places.

The math gets a little trickier when we start looking at labour costs for both initial development of your platform and ongoing maintenance, but from strictly an infrastructure cost perspective, I don't think the claim that it would cost "far less" to run your own infrastructure is necessarily true for a registrar-doing-hosting scenario.
Much better math than mine. I pulled from memory and didn’t know the discount @ 25. I’m only running a half-dozen domains in Route53 and the rest are hosted internally. You could probably use less than a c4.large too.

On Aug 12, 2016, at 11:29 AM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:

---
Keith Stokes
If there are other metrics in which to measure DNS speed, availability and redundancy, I'd love to see them. I have but my own datapoint and the metrics from others. Tear down the testing model, but at least show a different/better one in return.

On Fri, 12 Aug 2016, Keith Stokes wrote:
Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.
You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.
You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.
Having worked for AWS, there is no "global" control plane that would bring two regions down at the same time. While possible, due to say a targeted successful attack on both regions simultaneously, highly unlikely. Control and data plane software updates and deployments are done regionally, and often on an Availability Zone basis where applicable, to ensure there are no defects. Automation measures and will automatically roll back code that breaks deployment metrics.

It's pretty sweet. Their internal tools team does amazing things with automation.

Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10 per month per zone after that. 1000 domains would be $110 a month, not $500. 500 million queries at $0.40 per million, another $200/month.

Who knows if you need that much, but it is pretty affordable.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
I won't push further than this -- but it seems a bit silly not to mention that CloudFlare provides free AnyCast DNS. You can elect not to even use any of our caching if you just want to use us for DNS.

J

____________
Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D

On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman <beckman@angryox.com> wrote:
If there are other metrics in which to measure DNS speed, availability and redundancy, I'd love to seeing them. I have but my own datapoint and the metrics from others. Tear down the testing model, but at least show a different/better one in return.
On Fri, 12 Aug 2016, Keith Stokes wrote:
Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.
You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.
You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.
Having worked for AWS, there is no "global" control plane that would bring two regions down at the same time. While possible, due to say a targeted successful attack on both regions simultaneously, highly unlikely. Control and data plane software updates and deployments are done regionally, and often on an Availability Zone basis where applicable, to ensure there are no defects. Automation measures and will automatically roll back code that breaks deployment metrics.
It's pretty sweet. Their internal tools team does amazing things with automation.
Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10 per month per zone after that. 1000 domains would be $110 a month, not $500. 500 million queries at $0.40 per million, another $200/month.
Who knows if you need that much, but it is pretty affordable.
Beckman --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
Even for registrars? Because OP's question was
We need to provide DNS services for domains we offer as a registrar.
Best Regards,
Filip

On 12.8.2016 22:11, Justin Paine via NANOG wrote:
I won't push further than this -- but it seems a bit silly not to mention that CloudFlare provides free AnyCast DNS. You can elect not to even use any of our caching if you just want to use us for DNS.
J
____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman <beckman@angryox.com> wrote:
If there are other metrics in which to measure DNS speed, availability and redundancy, I'd love to seeing them. I have but my own datapoint and the metrics from others. Tear down the testing model, but at least show a different/better one in return.
On Fri, 12 Aug 2016, Keith Stokes wrote:
Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.
You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.
You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.
Having worked for AWS, there is no "global" control plane that would bring two regions down at the same time. While possible, due to say a targeted successful attack on both regions simultaneously, highly unlikely. Control and data plane software updates and deployments are done regionally, and often on an Availability Zone basis where applicable, to ensure there are no defects. Automation measures and will automatically roll back code that breaks deployment metrics.
It's pretty sweet. Their internal tools team does amazing things with automation.
Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10 per month per zone after that. 1000 domains would be $110 a month, not $500. 500 million queries at $0.40 per million, another $200/month.
Who knows if you need that much, but it is pretty affordable.
Beckman --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
Right -- we could do it, though it would be a first for us.

____________
Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D

On Fri, Aug 12, 2016 at 1:17 PM, Filip Hruska <fhr@fhrnet.eu> wrote:
Even for registrars?
Because OP's question was
We need to provide DNS services for domains we offer as a registrar.
Best Regards, Filip
On 12.8.2016 22:11, Justin Paine via NANOG wrote:
I won't push further than this -- but it seems a bit silly not to mention that CloudFlare provides free AnyCast DNS. You can elect not to even use any of our caching if you just want to use us for DNS.
J
____________ Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
On Fri, Aug 12, 2016 at 12:24 PM, Peter Beckman <beckman@angryox.com> wrote:
If there are other metrics in which to measure DNS speed, availability and redundancy, I'd love to seeing them. I have but my own datapoint and the metrics from others. Tear down the testing model, but at least show a different/better one in return.
On Fri, 12 Aug 2016, Keith Stokes wrote:
Route53 can get expensive for lots of domains. Queries are cheap with the
first 1M free, but if you have 1000 domains you’ll pay $500/month.
You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.
You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.
Having worked for AWS, there is no "global" control plane that would bring two regions down at the same time. While possible, due to say a targeted successful attack on both regions simultaneously, highly unlikely. Control and data plane software updates and deployments are done regionally, and often on an Availability Zone basis where applicable, to ensure there are no defects. Automation measures and will automatically roll back code that breaks deployment metrics.
It's pretty sweet. Their internal tools team does amazing things with automation.
Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10 per month per zone after that. 1000 domains would be $110 a month, not $500. 500 million queries at $0.40 per million, another $200/month.
Who knows if you need that much, but it is pretty affordable.
Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
Never say “never”. ;-) Notice I did not say “you must” or “you should”. It is something to consider based on how many 9s are important to your business. The job of many of us is to think of those things that are highly unlikely, assign a risk and make a plan (or not) accordingly. The likely ones are written down and “anyone” can follow them. In this case I’d say the risk is higher that someone puts the wrong info into a DNS change and if they are in different services and not automatically replicated, you could be better off. Again, what are the risks to your business?

On Aug 12, 2016, at 2:24 PM, Peter Beckman <beckman@angryox.com> wrote:

---
Keith Stokes
On Fri, Aug 12, 2016 at 1:56 AM, Ryan Finnesey <ryan@finnesey.com> wrote:
Does anyone see a down side to using IaaS on AWS and Azure [for DNS]?
Latency is critical for DNS. Literally everything else an application does stalls behind completion of the DNS lookups. Everything else being equal, virtualized infrastructure will always exhibit higher latency than bare metal. Always.
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
I don't know their implementations well. I would hope they run the underlying DNS servers on bare metal rather than leveraging their VM infrastructure. I would worry that they offer all sorts of extra features which are -single source-. If you pick Route 53 and your customers get used to those features you may find yourself locked in at Amazon's mercy.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Hi,

I have been very happy with route53 while lack of IPv6 support was not an issue for the use case. Did you evaluate CloudFlare in a PaaS solution? Their free plan includes DNS.

Best regards,

On Fri, Aug 12, 2016 at 7:56 AM, Ryan Finnesey <ryan@finnesey.com> wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
-- Matthieu MICHAUD
Thanks everyone for their response. We are going to use the Azure Zone Service.

Cheers
Ryan

From: Matthieu Michaud [mailto:matthieu@nxdomain.fr]
Sent: Friday, August 12, 2016 1:34 PM
To: Ryan Finnesey <ryan@finnesey.com>
Cc: nanog@nanog.org
Subject: Re: DNS Services for a registrar
Route 53 has IPv6 now, handled out of the .co.uk zones, though they still don't do EDNS. Azure also mishandles EDNS.
Route 53 returns plain DNS responses when presented with an EDNS(1) query. This breaks validating EDNS(1) clients getting answers from a signed zone.
Azure echoes back unknown EDNS options and returns NOERROR NODATA to EDNS(1) queries. This breaks EDNS(1) clients regardless of whether the data is coming from a signed zone or not. It also potentially breaks any client using EDNS options regardless of the version of EDNS they have in the query. It is server misbehaviour like this that requires clients to whitelist ECS servers. If a DNS COOKIE client is picky it will also break them.
EDNS(0) specified how to handle EDNS(1) queries when you only support EDNS(0) back in 1999. It isn't hard to get it right. It also isn't hard to test.
Mark
harveynorman.com.au. @64.4.48.5 (ns2-05.azure-dns.net.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.24.5 (ns3-05.azure-dns.org.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @40.90.4.5 (ns1-05.azure-dns.com.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=echoed edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
harveynorman.com.au. @13.107.160.5 (ns4-05.azure-dns.info.): dns=ok edns=ok edns1=status edns@512=ok ednsopt=ok edns1opt=status do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.195.234 (ns-1002.awsdns-61.net.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.197.70 (ns-1350.awsdns-40.org.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.192.97 (ns-97.awsdns-12.com.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @205.251.198.160 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
energeticsinstitute.com.au. @2600:9000:5306:a000::1 (ns-1696.awsdns-20.co.uk.): dns=ok edns=ok edns1=status,noopt,soa edns@512=ok ednsopt=ok edns1opt=status,noopt,soa do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok
Mark
In message <BLUPR05MB595CEB3D1F875F1D20D7889B4A00@BLUPR05MB595.namprd05.prod.outlook.com>, Ryan Finnesey writes:
Thanks everyone for their response. We are going to use the Azure Zone Service.
Cheers Ryan
From: Matthieu Michaud mailto:matthieu@nxdomain.fr Sent: Friday, August 12, 2016 1:34 PM To: Ryan Finnesey <ryan@finnesey.com> Cc: nanog@nanog.org Subject: Re: DNS Services for a registrar
Hi,
I have been very happy with route53 while the lack of IPv6 support was not an issue for the use case.
Did you evaluate CloudFlare as a PaaS solution? Their free plan includes DNS.
Best regards,
On Fri, Aug 12, 2016 at 7:56 AM, Ryan Finnesey <ryan@finnesey.com> wrote: We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
-- Matthieu MICHAUD
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
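As an added illustration of the EDNS(1) failure modes Mark describes (this is not ednscomp or any provider's code, and the reply packets are constructed inside the block, not captured), the following grades a reply to an EDNS(1) query the way the ednscomp output above labels it: a correct server answers BADVERS with an OPT record of version 0, a plain-DNS reply is "noopt", a NODATA reply carries an SOA ("soa"), and a reflected unknown option is "echoed".

```python
import struct
OPT, SOA, BADVERS = 41, 6, 16   # BADVERS = extended RCODE 1 over base RCODE 0 (RFC 6891)

def encode_name(name):      # 'example.com.' -> b'\x07example\x03com\x00'
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, off):    # offset just past a wire-format name; 0xC0 starts a 2-byte pointer
    while (buf[off] & 0xC0) != 0xC0:
        if buf[off] == 0:
            return off + 1
        off += 1 + buf[off]
    return off + 2

def build_response(rcode, opt=None, soa_in_authority=False):
    """Constructed reply to 'example.com. A' (not a capture); opt = (version, ext_rcode, [(code, data)...])."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 0, int(soa_in_authority), int(opt is not None))
    msg += encode_name("example.com.") + struct.pack("!HH", 1, 1)
    if soa_in_authority:                                      # NODATA-style negative answer
        rdata = b"\x00\x00" + struct.pack("!IIIII", 1, 7200, 900, 1209600, 3600)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(rdata)) + rdata
    if opt is not None:
        version, ext_rcode, options = opt
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        ttl = (ext_rcode << 24) | (version << 16)             # OPT "TTL" carries ext-rcode and version
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, len(rdata)) + rdata
    return msg

def edns1_findings(resp, unknown_option_codes=()):
    """['ok'], or any of 'status' (not BADVERS/wrong version), 'noopt', 'soa' (NODATA), 'echoed'."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off, opt, soa_seen = 12, None, False
    for _ in range(qd):
        off = skip_name(resp, off) + 4                        # skip QTYPE/QCLASS
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(resp, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
            soa_seen |= section == "ns" and rtype == SOA
            if rtype == OPT:
                opt = (ttl >> 24, (ttl >> 16) & 0xFF, rdata)  # (ext_rcode, version, options)
    rcode = (flags & 0xF) | (opt[0] << 4 if opt else 0)
    echoed, i = False, 0
    while opt and i + 4 <= len(opt[2]):                       # walk the options the server returned
        code, ln = struct.unpack("!HH", opt[2][i:i + 4])
        echoed, i = echoed or code in unknown_option_codes, i + 4 + ln
    findings = ["status"] * (rcode != BADVERS or (opt is not None and opt[1] != 0))
    findings += ["noopt"] * (opt is None) + ["soa"] * soa_seen + ["echoed"] * echoed
    return findings or ["ok"]
```

The option code 65001 used in the checks below sits in the experimental range of RFC 6891, so a compliant server should never return it; the same classifier can be pointed at real UDP replies captured from a server under test.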
Hi,
If you are going the IaaS route, definitely check out the KnotDNS project. According to their benchmarks [1], it does much better than other DNS servers in about every workload.
Best Regards,
Filip
[1] https://www.knot-dns.cz/benchmark/
On 12.8.2016 07:56, Ryan Finnesey wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
Cheers Ryan
On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska <fhr@fhrnet.eu> wrote:
Hi,
If you are going the IaaS route, definitely check out the KnotDNS project. According to their benchmarks [1], it does much better than other DNS servers in about every workload.
The problem with KnotDNS/Yadifa/NSD is that they are too optimized for servers with a small number of zones containing large numbers of records, usually delegation-only. That is the use of TLD registries, but not the use case of registrars...
... all those 3 are getting better in supporting a large number of zones with a small number of records, but the canonical solution in that space is PowerDNS. Things that TLDs usually don't like, an SQL backend for instance, make perfect sense for this use case.
Note that the only workload they tested is serving the root zone, not multiple zones with a variable number of RRsets... so aligning the testing with the actual use case is crucial to make good decisions.
What I strongly support, though, is getting out of the BIND comfort zone.
Rubens
In message <CAGFn2k2+8zq8hjDQFwSaZ+s2Z6DTZOCWD_nnW+_4e0mgP7J5Mw@mail.gmail.com>, Rubens Kuhl writes:
On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska <fhr@fhrnet.eu> wrote:
Hi,
If you are going the IaaS route, definitely check out the KnotDNS project. According to their benchmarks [1], it does much better than other DNS servers in about every workload.
The problem with KnotDNS/Yadifa/NSD is that they are too optimized for servers with a small number of zones containing large numbers of records, usually delegation-only. That is the use of TLD registries, but not the use case of registrars...
... all those 3 are getting better in supporting a large number of zones with a small number of records, but the canonical solution in that space is PowerDNS. Things that TLDs usually don't like, an SQL backend for instance, make perfect sense for this use case.
Note that the only workload they tested is serving the root zone, not multiple zones with a variable number of RRsets... so aligning the testing with the actual use case is crucial to make good decisions.
What I strongly support, though, is getting out of the BIND comfort zone.
Named will support millions of zones and they don't need to be listed in named.conf. BIND 9.11 supports catalog zones, a meta zone which says what zones the server should configure itself for and where to transfer those zones from, etc.
Mark
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
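An added example of the catalog zone mechanism Mark refers to (this is not BIND's or ISC's code): it renders a catalog zone and reads the member list back out the way a secondary would after transferring it. The catalog name, member zones and serial are constructed; the unique owner label is computed as BIND documents it, the hex SHA-1 of the member's wire-format name; the named.conf catalog-zones option that points a secondary at the catalog is not shown.

```python
import hashlib
import re

def wire_name(zone):
    """Wire-format zone name (length-prefixed labels, zero terminator), lowercased so the hash is canonical."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def member_label(zone):
    """Unique owner label for a member zone, following BIND's convention: hex SHA-1 of the wire-format name."""
    return hashlib.sha1(wire_name(zone)).hexdigest()

def catalog_zone(catalog, members, serial=1):
    """Render a catalog zone in the draft-muks-dnsop-dns-catalog-zones layout consumed by BIND 9.11."""
    lines = [f"$ORIGIN {catalog}",
             f"@ 0 IN SOA . . {serial} 3600 600 2419200 0",     # apex records are required but never served
             "@ 0 IN NS invalid.",
             'version 0 IN TXT "1"']                             # catalog schema version
    for zone in members:
        fqdn = zone if zone.endswith(".") else zone + "."
        lines.append(f"{member_label(fqdn)}.zones 0 IN PTR {fqdn}")   # one PTR per member zone
    return "\n".join(lines) + "\n"

def members_from_catalog(text):
    """What a secondary does after transferring the catalog: read the member zones it must configure."""
    return [m.group(1) for m in re.finditer(r"^[0-9a-f]{40}\.zones\s+\d+\s+IN\s+PTR\s+(\S+)$", text, re.M)]
```

Members are added or removed by editing the catalog and bumping its serial; secondaries pick the change up through an ordinary zone transfer of the catalog itself, which is what removes the need to list every zone in named.conf.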
On a serious note, what are the providers out there that can do a decent secondary DNS hosting service? It looks like a lot of people stopped offering this service for a bulk amount of domains at a reasonable price. Let's say 100K domains.
mehmet
On Fri, Aug 12, 2016 at 4:09 PM, Mark Andrews <marka@isc.org> wrote:
In message <CAGFn2k2+8zq8hjDQFwSaZ+s2Z6DTZOCWD_nnW+_4e0mgP7J5Mw@mail.gmail.com>, Rubens Kuhl writes:
On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska <fhr@fhrnet.eu> wrote:
Hi,
If you are going the IaaS route, definitely check out the KnotDNS project. According to their benchmarks [1], it does much better than other DNS servers in about every workload.
The problem with KnotDNS/Yadifa/NSD is that they are too optimized for servers with a small number of zones containing large numbers of records, usually delegation-only. That is the use of TLD registries, but not the use case of registrars...
... all those 3 are getting better in supporting a large number of zones with a small number of records, but the canonical solution in that space is PowerDNS. Things that TLDs usually don't like, an SQL backend for instance, make perfect sense for this use case.
Note that the only workload they tested is serving the root zone, not multiple zones with a variable number of RRsets... so aligning the testing with the actual use case is crucial to make good decisions.
What I strongly support, though, is getting out of the BIND comfort zone.
Named will support millions of zones and they don't need to be listed in named.conf. BIND 9.11 supports catalog zones, a meta zone which says what zones the server should configure itself for and where to transfer those zones from, etc.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin <mehmet@akcin.net> wrote:
On a serious note, what are the providers out there that can do a decent secondary DNS hosting service? It looks like a lot of people stopped offering this service for a bulk amount of domains at a reasonable price. Let's say 100K domains.
What do you consider a reasonable price? As a starting point for discussion, Google Cloud DNS can host 100k zones for ~$3700/month (https://cloud.google.com/dns/pricing).
Damian
On Friday, August 12, 2016, Damian Menscher via NANOG <nanog@nanog.org> wrote:
On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin <mehmet@akcin.net> wrote:
On a serious note, what are the providers out there that can do a decent secondary DNS hosting service? It looks like a lot of people stopped offering this service for a bulk amount of domains at a reasonable price. Let's say 100K domains.
What do you consider a reasonable price? As a starting point for discussion, Google Cloud DNS can host 100k zones for ~$3700/month (https://cloud.google.com/dns/pricing).
Damian
But google does not do an axfr based secondary? This is a very important service that Mehmet mentioned.
Good point ;) Yeah, AXFR would be useful (must have).
On Saturday, August 13, 2016, Ca By <cb.list6@gmail.com> wrote:
On Friday, August 12, 2016, Damian Menscher via NANOG <nanog@nanog.org> wrote:
On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin <mehmet@akcin.net> wrote:
On a serious note, what are the providers out there that can do a decent secondary DNS hosting service? It looks like a lot of people stopped offering this service for a bulk amount of domains at a reasonable price. Let's say 100K domains.
What do you consider a reasonable price? As a starting point for discussion, Google Cloud DNS can host 100k zones for ~$3700/month ( https://cloud.google.com/dns/pricing).
Damian
But google does not do an axfr based secondary?
This is a very important service that Mehmet mentioned.
On Aug 11, 2016, at 22:56, Ryan Finnesey <ryan@finnesey.com> wrote:
We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?
No anycast.
We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.
participants (19): Ask Bjørn Hansen, Ca By, DaKnOb, Damian Menscher, Eli Lindsey, Filip Hruska, Jared Mauch, Jared Mauch, John Kinsella, Justin Paine, Keith Stokes, Mark Andrews, Matthieu Michaud, Mehmet Akcin, Peter Beckman, Peter Kristolaitis, Rubens Kuhl, Ryan Finnesey, William Herrin