Date: 2024-08-26

These are all valid reasons to self-host your DNS at scale, at least in theory. What we’ve found from talking to large enterprises in various industries is that the perceived advantages of self-hosted authoritative DNS often go unrealized. The logic behind self-hosting looks good on a PowerPoint slide, but it doesn’t deliver actual business value.

Here are some areas where the reality of self-hosted authoritative DNS doesn’t match up to the theory:

Resilience: For any large business, authoritative DNS downtime would have a devastating impact on the bottom line. That’s why most authoritative DNS administrators insist on a secondary or failover option in case disaster strikes. Self-hosted authoritative DNS rarely includes one: building and maintaining a secondary system purely as a form of insurance is too resource intensive.

Brittle architectures: Most authoritative DNS infrastructures are built on BIND, which usually requires a Rube Goldberg machine of scripts to operate. Over time, those scripts become difficult to maintain as you add new capabilities and operating requirements. One false move, such as a single scripting error, can bring down your entire authoritative DNS infrastructure and take your customer-facing sites offline. For a large, complex enterprise, brittle BIND architectures and scripts can be especially perilous.

Technical debt: When you run your own authoritative DNS, it’s easy to rack up a significant backlog of feature requests. This is especially true if you have a DevOps, NetOps or CloudOps team working against a deadline. Let’s face it: most of those DNS features are going to be delivered on a much longer timeline than any application development team requires.

Cost: A large enterprise that self-hosts may have done the math and concluded that building, deploying and maintaining an authoritative DNS system is worth the investment. In reality, these decisions usually happen without a deliberate cost-benefit analysis. In the long term, the outlay and the hidden opportunity costs of self-hosted authoritative DNS tend to outweigh any perceived financial benefit.

Staff turnover: DIY architectures only work for as long as the person (or the team) who built them stays with the company. If that person leaves the company for whatever reason, their institutional knowledge about how DIY architectures were built leaves with them. Some companies get to the point where they’re afraid to change anything because it might easily result in a downtime incident that’s difficult to recover from.

Automation: BIND doesn’t provide an Application Programming Interface (API) and wasn’t built to support any form of automation. DIY architectures usually aren’t built to work with standard automation platforms like Ansible or Terraform, so it’s nearly impossible to orchestrate them with third-party tools. If you’ve got a DIY authoritative DNS, you’re probably stuck with manual changes that slow application development efforts to a crawl.