Ask HN: Is secondary DNS setup worth it?

After recent Cloudflare outage, more people are suggesting to go with a secondary DNS. I'm afraid that it would be difficult to maintain configuration across multiple DNS providers. I'd love to know your experience in maintaining multiple DNS providers.

  • 19 points
  • 13 days ago

  • @gkrishna


@jf 13 days

Replying to @gkrishna

If you want your site to be online when your DNS provider isn't, then having a secondary DNS provider is an absolute must.



@__d 13 days

Replying to @gkrishna

Secondary DNS providers will do a zone transfer from your primary provider, so the configuration is pretty minimal.



@wiml 13 days

Replying to @gkrishna

I'm always confused that anybody doesn't have secondary servers, for anything larger than a one-off vanity site.

If your DNS needs are simple, then running a secondary is extremely easy. The hardest part is that you'll probably interact with it so rarely you'll forget it's there.

If your DNS needs are complex, then running a secondary is harder but it's still probably a small fraction of the effort you're putting into the primary server.



@jesterson 13 days

Replying to @gkrishna

Worth it? It's absolutely necessary if you want to avoid a single point of failure.

Given the quality of service declining over the years for big and small companies, and the mass influx of soy latte boys into IT, we can only expect the number of issues to grow in coming years, both in scope and magnitude.

And yeah, if you are using a single provider for your critical infrastructure, you have a ticking bomb.



@toast0 13 days

Replying to @gkrishna

If your DNS is pretty much standard DNS (basic zone files, or something equivalent), it's pretty simple to use multiple providers using AXFR to transfer from wherever your source of truth is.

If you do fancy DNS, you'll need to manage configuring them all to be 'the same' yourself. Maybe there are some tools out there, but it becomes: write a config file you understand, and a script to reconfigure the provider to match, etc.

The fancier your DNS is, the harder it is to synchronize among multiple services. Things like monitoring and removing dead hosts are probably not awful, but if you need to synchronize geographic targeting, that's going to be complex (and unlikely to be perfectly in sync; different DNS servers are likely to categorize IPs differently, and you'll just have to live with it). Many moons ago, I used Akamai load feedback to divide usage between different locations; I don't think that would work that well if using two (or more) services.



@donmcronald 13 days

Replying to @gkrishna

I'd like to add: does anyone provide low-volume secondary DNS for cheap? Cloudflare would be my first pick, but:

> Secondary DNS is only available to Enterprise customers. For more details on activation and pricing, contact your account team.

I recently hit the 150 host limit on Namecheap's DynDNS and I wanted to see if I could set up a hidden primary DNS server that takes updates from something web based like nsupdate.info. It would be nice to have something like Cloudflare serving things publicly rather than exposing my self-hosted BIND server.

However, anything I can find is either rate limited a fair bit (Hurricane Electric, which looks nice feature-wise), or doesn't have proper TSIG support, or is too expensive for what I need.

I hate having to start with the ghetto feature tier everywhere when I’m trying to learn. I wish I could just use all the features and pay for usage / scale :-(



@treffer 13 days

Replying to @gkrishna

Terraform and OctoDNS can make this easy.

Never let the UI of your vendor be the source of truth for your DNS setup.

If you have the zones in code then updates should be easy to distribute to multiple vendors.

Also: given the nature of DNS caching you will have to roll changes in a way that is compatible with temporary inconsistency anyway.

I have seen such a setup once and it was a life saver. People recommending that are right. People fearing the complexity are also right. Be careful to have good tooling.



@master_crab 13 days

Replying to @gkrishna

Secondary DNS is great for failover. I run dual piholes in a primary-secondary setup for that purpose.

The only issue you will run into is if your router can’t pass two DNS server addresses, or your client machines don’t know how to handle multiple DNS servers or failover behavior.



@wahern 13 days

Replying to @gkrishna

> I'm afraid that it would be difficult to maintain configuration across multiple DNS providers

A secondary host should be able to pull zones from the primary using standard AXFR, optionally using TSIG authentication. The primary can also notify a secondary using DNS NOTIFY for near instantaneous synchronization.

For some of my domains I prefer hosting primary myself, along with e-mail, web, etc. I just find it easier managing NSD configs and zone files the old-fashioned way (version controlled, of course), rather than mucking about with GUIs or proprietary APIs. But in those cases I'll often use EasyDNS for secondary or tertiary. Whenever I edit and reload a zone file for one of these domains, NSD automatically pings EasyDNS, which then AXFRs the new zone. Easy peasy, at least once you wrap your head around AXFR, TSIG, and NOTIFY.

Your domain registrar is the gatekeeper for glue NS records, so if your primary DNS host[1] ever had a sustained down period, it's still relatively simple and fast to update your nameservers as needed.

[1] Yourself or another service--hopefully not the same as your registrar as that would defeat the purpose.

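To make the AXFR + TSIG + NOTIFY arrangement described in the comments above (zone transfer from a self-hosted primary to an outside secondary) concrete, here is an added example that is not from any commenter: a hidden NSD primary and a BIND secondary sharing one TSIG key. The zone name `example.com`, the addresses `192.0.2.10` (primary) and `192.0.2.53` (secondary), the key name and the file paths are assumed placeholders.

```conf
# --- nsd.conf on the hidden primary (192.0.2.10), NSD 4 syntax ---
# The zone's NS records should list only the public secondaries, so the
# primary itself never appears in delegation and takes no query load.

key:
    name: "xfer-key"
    algorithm: hmac-sha256
    # generate with e.g. `tsig-keygen xfer-key` or `openssl rand -base64 32`
    secret: "REPLACE_WITH_BASE64_SECRET"

zone:
    name: "example.com"
    zonefile: "/etc/nsd/zones/example.com.zone"
    # send DNS NOTIFY to the secondary after every reload, signed with the key
    notify: 192.0.2.53 xfer-key
    # answer AXFR/IXFR requests only from the secondary, and only if TSIG-signed
    provide-xfr: 192.0.2.53 xfer-key

# --- named.conf on the secondary (192.0.2.53), BIND 9.16+ syntax ---
# Same key name, algorithm and secret as on the primary; TSIG keys are
# symmetric, so this file must be protected like any other credential.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type secondary;
    # pull the zone from the hidden primary, signing the request with the key;
    # NOTIFYs from a listed primary are accepted by default
    primaries { 192.0.2.10 key "xfer-key"; };
    file "/var/cache/bind/example.com.db";
    # do not let the secondary hand the whole zone to arbitrary clients
    allow-transfer { none; };
};
```

After a reload on the primary, compare the SOA serial returned by each nameserver (for example with `dig +short SOA example.com @192.0.2.53`); a secondary that lags behind the primary's serial for longer than the zone's refresh interval usually means NOTIFY or TSIG is misconfigured.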

