Posted on by packetcat

The Path to DNS Independence (Part 2)

To quote from Wikipedia:

An authoritative name server is a name server that gives answers that have been configured by an original source, for example, the domain administrator or by dynamic DNS methods, in contrast to answers that were obtained via a regular DNS query to another name server. An authoritative-only name server only returns answers to queries about domain names that have been specifically configured by the administrator.

Continuing on from my theme of DNS independence, I’d like to explore the advantages and disadvantages of hosting your own authoritative name servers.

Let us take a look at my own setup for authoritative name servers.

The Setup

My authoritative DNS is powered by 4 name servers running BIND.

  • ns1.hopcount.nl running FreeBSD 9.2-RELEASE and BIND 9.9.4
  • ns[2-4].hopcount.nl are all running Debian 7 and BIND 9.8.4-rpz2+rl005.12-P1

As recommended by RFC 2182, my name servers are located in 4 separate networks in 4 separate physical locations.

  • ns1.hopcount.nl is in AS25795 and in Los Angeles, CA, USA.
  • ns2.hopcount.nl is in AS8001 and in Newark, NJ, USA.
  • ns3.hopcount.nl is in AS45671 and in Sydney, Australia.
  • ns4.hopcount.nl is in AS15830 and in London, UK.

DNSSEC

Sixteen out of twenty-three of my zones are signed using DNSSEC using RSA-SHA256.

The remaining are not signed due to registrar and/or registry limitations.

Advantages

  • No arbitrary limits on number of zones (as an example – HE DNS, managed DNS providers like Dyn)
  • No arbitrary limit on RR types (!) (as an example – PointHQ)

Disadvantages

  • Administrative cost (management of the servers, dealing with potential attacks etc.)
  • Financial cost (cost of the servers)
  • Complete name resolution failures (especially with low TTLs) resulting in mail not received immediately, users unable to reach your website etc.)

Conclusion/Recommendations

My recommendation is one should try hosting their own authoritative name servers, especially if one has a decent grasp of DNS concepts.

Start slow, set up BIND or your name server of choice on a non-critical zone, and a second one to AXFR that zone from your master. Advanced concepts like split DNS and DNSSEC can come later.

Third party fallbacks

  • HE slave DNS
  • Gandi slave DNS (requires that the domain be registered with them)
  • Linode DNS (requires at least one active Linode in the account)

Reading list