How to mitigate the risks of DIY authoritative DNS

While many network admins outsource the management of authoritative domain name system (DNS) infrastructure to a third party like IBM® NS1 Connect®, there is a sizable community of network operators who prefer to dig in and build something themselves.

These do it yourself (DIY) authoritative DNS architectures can be cobbled together from various tools. BIND is most often used as an open source tool for managing internal DNS, but some people extend it out into external authoritative DNS as well. Others build on top of Microsoft DNS infrastructures with home-grown scripts and other tools.

Control is the main reason that you’d go with a DIY system for authoritative DNS. Or, maybe you have a funky, abnormal network setup that would naturally require several customizations even if a third party were to deliver your authoritative DNS.

While everyone has their reasons for adopting a DIY system for authoritative DNS, there are some distinct disadvantages to consider:

• DIY systems are brittle: If your authoritative DNS infrastructure is built on BIND or Microsoft, you’ve probably pieced together a Rube Goldberg machine of scripts to make it work. Over time, the complexity of those scripts can become difficult to maintain as you account for new functionality and operating requirements. One false move—one single coding error—could easily bring down your entire authoritative DNS infrastructure and take your customer-facing sites offline.
• It’s a lot of work to build and maintain: It takes time to get up to speed on the underlying tools like BIND. You must create and deploy the system. Then, you must maintain it, which isn’t a small task, particularly when you’re dealing with such a mission-critical system.
• The hit-by-a-bus problem: DIY architectures only work for as long as the person who built them stays with the company. If that person leaves the company, their institutional knowledge about how DIY architectures were built leaves with them. Some companies get to the point where they’re afraid to change anything because it could very easily result in a downtime incident that’s difficult to recover from.
• No automation support: DIY systems usually don’t work with any form of automation. DIY architectures usually aren’t built to support standard automation platforms like Ansible or Terraform. It’s near-impossible to orchestrate DIY architectures with a third-party tool. If you have a DIY authoritative DNS, you’re probably stuck with manual changes.

All these factors usually result in more time, energy and resources devoted to authoritative DNS management than most network teams are willing to spend. DIY systems are often perceived as “free”, but they can end up costing you quite a bit. If those maintenance and management issues cascade into an outage, then the business impact is even more profound.

Using DIY systems for authoritative DNS without any sort of resilient, redundant backup is asking for trouble. Finding the source of an error, particularly when you’ve got a maze of overlapping, interdependent scripts, can be a nightmare. It can take several days to locate the source of an issue and get your site back online. Most operations teams simply don’t have that kind of leeway, particularly for e-commerce and SaaS sites that have a direct impact on revenue generation.

None of this means that you have to abandon your DIY systems completely. It just means that you should have a plan B if (or really, when) things go wrong. Ideally, you’d have a redundant solution in place that can pick up the slack without any impact to site performance. What should that redundant system contain? We thought you’d never ask.

• Separate infrastructure: Any redundant authoritative DNS system should be completely separate from your existing infrastructure so you can afford to spin things down on the main system while you hunt for the source of technical errors.
• Real-time performance data: Metrics would also be important for a DIY backup, to ensure that everything fails over correctly and traffic isn’t interrupted. This would be particularly valuable in the case of a DDoS attack, to identify the source of the issue and rule out any architectural cause.
• Health checks: How do you know whether a site is performing as you want it to perform? Does the site need to fail over to a redundant architecture because performance is deprecated in some way? Health checks and alerts are needed to ensure that service outages can be spotted and dealt with quickly.

Nobody should operate their authoritative DNS without a safety net. It’s just too important, particularly if your website is the primary generator of revenue. That’s why NS1 Connect offers a physically and logically separate system for redundant authoritative DNS. We started offering Dedicated DNS as an add-on to our Managed DNS service, and now we offer it to customers who just want to add a separated, redundant layer to their existing architecture.

• Separate infrastructure: NS1’s Dedicated DNS uses the same robust architecture as our flagship-Managed DNS service, but it’s set up on a separate infrastructure that’s unique to a single company. It’s the ultimate in downtime protection.
• Compatible with any primary: Our Dedicated DNS service is available as a backup or secondary system to any kind of primary architecture. That makes it perfect for BIND-compatible authoritative name servers and DIY architectures. You can easily slide in a Dedicated DNS service as a secondary to a DIY set up. It’ll be spun up and ready to go at a moment’s notice in case disaster strikes.
• Real-time performance data: Our innovative DNS Insights feature can collect critical data from any Dedicated DNS set up. When you’re experiencing an outage in your primary system, this data can help to quickly pinpoint the source of external issues (like DDoS attacks) that may have brought your system down. It can help you get back to the primary system as soon as possible.
• Health checks: DNS can tell you a lot about how your applications, services and websites are performing. NS1 Connect automatically delivers alerts to tell you when site performance is deprecated or not returning results at all. NS1 also uses health check data to trigger and route failover logic so you can avoid downtime. This kind of automation simply isn’t available in DIY systems.
• Easy migrations: NS1 Connect makes it simple to tack on Dedicated DNS as a secondary to any system. Importing zones and records into that secondary system with files from BIND and other architectures is easy to do in the NS1 Connect user interface.

External authoritative DNS is one of the most critical pieces of infrastructure on your network. It’s so critical that it deserves the highest level of protection and assurance. DIY authoritative DNS offers administrators a lot of control, until the complexity of those overlapping scripts and tools becomes too much to support.

Even the most sophisticated, reliable authoritative DNS systems have a hiccup every now and then. NS1 Dedicated DNS provides the peace of mind you need to keep the lights on even when all your dashboards are flashing red.