I'm trying to wrap my head around something that I thought I kinda understood, but clearly there's some piece missing.

We're currently using Zerigo as our primary DNS, with slave DNS running on Linode. This works quite well. However, recent DDoS attacks on Zerigo meant that whilst DNS queries were still resolved, we were unable to make any DNS changes. Since we rely on DNS changes on our own infrastructure, I'm looking to improve this somehow.

I'd rather not ditch Zerigo completely, and realise that this or similar problems can happen with ANY primary DNS hosting provider. It might not be DDoS, but a bug on their server, or something that means we can no longer issue updates.

For this I want to have some fallback option: a completely independent (primary) DNS provider (maybe AWS), which we will keep in sync manually. We will switch over to it when there's a problem. This brings me to my question:

How do I make sure we can switch those providers quickly enough? Specifically, on our registrar there's a list of name servers, but no settings like TTL etc. How do DNS clients know to use the newly updated name server records? Is this configured in the SOA? However, the SOA itself is hosted with the DNS provider and we might not be able to update it...

This is not a question about a one-time move, which can be planned and scheduled and tested, but rather about being able to do so when things are half-broken.

Yoav Aner
    Please replace "root name server records" by "name server records" since it has nothing to do with the DNS root. – bortzmeyer Oct 10 '12 at 20:17

3 Answers

Yes, the duration of the NS records (which indicate that yourdomain.example is hosted by ns1.zerigo.net or my-ec2.amazon.com) is determined by the TTL value of these NS records. If your hoster does not allow you to change these TTLs, you're toasted.

Even if your DNS hoster allows you to change them, there is also the TTL of the NS records at the parent zone, and these are fixed by the registry.

So switching over from one DNS hoster to another cannot really be done in real time. Spammers and other bot herders do it (this is called "fast flux") to evade detection, but they host their domain themselves, so they can set the TTL at will. (They still have the limit of the TTL at the registry.)

bortzmeyer
  • The DNS hosting (both Amazon and Zerigo) I believe allows me to change all types of records. My registrar, however, only seems to have fields to list the name servers for my domain. Are there any registrars that allow specifying the TTL for those records? – Yoav Aner Oct 10 '12 at 20:21
  • As mentioned in another comment, it depends on the DNS hoster, not on the registrar. (Sometimes the same company, but not always.) – bortzmeyer Oct 13 '12 at 20:54
  • This is what I'm trying to understand / ask. On my registrar, I can configure a list of name servers, but cannot set any TTL values. How can I ensure that *this list* is not cached for too long, and that if I decide to use a different DNS hoster (with different name server IPs), I can switch *quickly*? – Yoav Aner Oct 14 '12 at 07:13
  • You cannot. The TTL in the parent zone is determined by the parent registry. For the TTL in your zone, switch to another DNS hoster, after checking that its interface allows you to change this parameter. – bortzmeyer Oct 21 '12 at 19:21
  • Thanks for clarifying. My DNS hoster does allow setting TTLs. It's a shame there isn't much flexibility, it seems, with the 'parent registry' to allow switching more quickly if necessary. – Yoav Aner Oct 22 '12 at 12:24
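The point made in this answer and its comments is that two NS RRsets are in play: the delegation the parent (registry) publishes with a TTL you cannot change, and the NS RRset inside your own zone whose TTL your DNS hoster may let you set. A resolver can be holding either one when you switch, so the old servers must keep answering correctly for the longer of the two. The following added example (not from the thread) parses two constructed dig-style answer sections, one as a TLD server would return it and one as your own authoritative server would, reports name servers listed on only one side, and works out that worst-case window. Names, addresses and TTLs are made up; the 86400 s parent TTL follows the .org figure quoted in the comments below the next answer, and `ns-1.awsdns-00.example` stands in for a fallback provider's server.

```python
"""Compare the NS delegation for a zone at the parent (TLD) with the NS RRset
published in the zone itself, and compute the worst-case cut-over window.

Added example, not from the original thread. The inputs are constructed
dig-style answer lines (as printed by `dig +noall +answer +authority`); in
practice you would feed in the output of a non-recursive query to a TLD
server and of a query to one of your own authoritative servers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: referral from a .org TLD server (authority section of a
# non-recursive query). The parent's TTL is fixed by the registry.
PARENT_REFERRAL = """\
example.org.\t\t86400\tIN\tNS\tns1.zerigo.net.
example.org.\t\t86400\tIN\tNS\tns2.zerigo.net.
example.org.\t\t86400\tIN\tNS\tns1.linode.com.
"""

# Constructed: the NS RRset answered by one of the zone's own servers after
# the operator has already added the fallback provider to the zone file.
CHILD_NS_ANSWER = """\
example.org.\t\t3600\tIN\tNS\tns1.zerigo.net.
example.org.\t\t3600\tIN\tNS\tns1.linode.com.
example.org.\t\t3600\tIN\tNS\tns-1.awsdns-00.example.
"""


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_dig_answer(text: str) -> List[RR]:
    """Parse presentation-format lines: name TTL class type rdata."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank or dig comment line
            continue
        parts = line.split(None, 4)
        if len(parts) != 5:
            raise ValueError(f"unexpected record line: {line!r}")
        name, ttl, rclass, rtype, rdata = parts
        # DNS names are case-insensitive; normalise so both sides compare.
        records.append(RR(name.lower(), int(ttl), rclass, rtype, rdata.strip().lower()))
    return records


def ns_ttls(records: List[RR], zone: str) -> Dict[str, int]:
    """Map each NS target of `zone` to the TTL it was served with."""
    zone = zone.lower().rstrip(".") + "."
    return {r.rdata: r.ttl for r in records if r.rtype == "NS" and r.name == zone}


def delegation_report(parent_text: str, child_text: str, zone: str) -> dict:
    """Compare parent and child NS sets and give the worst-case cache window."""
    parent = ns_ttls(parse_dig_answer(parent_text), zone)
    child = ns_ttls(parse_dig_answer(child_text), zone)
    all_ttls = list(parent.values()) + list(child.values())
    return {
        "only_in_parent": sorted(set(parent) - set(child)),
        "only_in_child": sorted(set(child) - set(parent)),
        "parent_ttl": max(parent.values(), default=0),
        "child_ttl": max(child.values(), default=0),
        # A resolver may hold either RRset until its TTL runs out, so the old
        # servers must keep answering correctly for the longer of the two.
        "worst_case_seconds": max(all_ttls, default=0),
    }


if __name__ == "__main__":
    for key, value in delegation_report(PARENT_REFERRAL, CHILD_NS_ANSWER, "example.org").items():
        print(f"{key}: {value}")
```

Servers that appear under `only_in_child` are ones the parent does not yet delegate to, and servers under `only_in_parent` are ones still being referred to that no longer appear in your zone; during a switch both lists should be empty before you drop the old provider, and `worst_case_seconds` is how long the old servers must stay correct after the last change.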
Switching authoritative name servers for your zone is not really something that you want to do "in event of emergency", since that is a change that needs at least 48h to propagate throughout the internet.

You will not be able to do anything about that, since the TLD name servers don't find it amusing to reply to queries regarding which nameserver you choose to use too often, so they control the TTL and you will have to live with it.

From what I've learned, the usual scenario is like this:

  • Have a hidden master. That one is in charge of zone editing. This could even be hosted by yourself in your office; it doesn't need to be live at all times.
  • Have at least two open slaves. These are the ones that are defined as authoritative for your zone.

This requires you to handle your DNS servers yourself, but relying on a service would always be prone to potential attacks, and if they don't have enough redundancy you're still out of luck. Unless you can find a provider that sets up slave zones. It's not really clear to me if you use Zerigo as a plain VPS and run your own DNS, or if they have a DNS service.

Although, I can't help wondering what kind of business you are in if you need to change DNS records on a daily basis? I have about 50 clients with multiple websites but I still only do DNS changes maybe once a month?

jishi
  • so there are no registrars that allow you control over, or at least offer a reasonably-low value of the TTL? – Yoav Aner Oct 11 '12 at 06:23
  • Not that I'm aware of. Unless it's controlled by SOA or NS records that is, I became uncertain about it now. Either way, I don't think that is a good approach to start with. – jishi Oct 11 '12 at 08:35
  • Thanks for your input. if we can disregard the discussion around the approach, I'm still interested in finding out whether/how the registrar TTL can be set / controlled by us as a customer. – Yoav Aner Oct 11 '12 at 12:47
  • @yoav-aner Be careful in your terminology. It is not the registrar that controls the DNS data (and the TTL), it is the DNS hoster. In practice, it is often the same organization but not always (you can host yourself, or you can go to a DNS hoster which is not a registrar). – bortzmeyer Oct 13 '12 at 20:52
  • Be careful with broad statements like "at least 48h to propagate throughout the internet". It is much more complicated and depends on several factors. For instance, the TTL set by the .org registry for NS records is 24h, not 48. – bortzmeyer Oct 13 '12 at 20:54

It sounds like you have a good infrastructure in place with Zerigo acting as the master and hosting your own slaves.

Assuming you're using BIND (and this should be true for other DNS software), you can change a slave zone into a master. As a master, you can alter the zone.

This really is just a simple configuration change, but here's an example of an automated process: http://www.mikeperry.org/tech_tips/bind_switch_slave_to_master.html

If you were to do that, once Zerigo comes back up, you could either:

  • Duplicate the changes you made and then convert your hosted zones back to slaves, or
  • Delete the zones from Zerigo and recreate them, importing the zone records.

But also note that while Zerigo was experiencing the DDoS last year, the management interface was unavailable but the DNS hosts continued to serve requests. So if you made a change to zones hosted on your servers, the incorrect records would have still been served by Zerigo even though they were mostly down.

Robin Daugherty
  • Thanks Robin. Our experience was sadly different. We've had several occasions with zerigo when changes didn't propagate through to all dns servers, producing old/wrong responses to queries. This happened not only when they were under DDOS attack. Eventually we decided to switch away from Zerigo to AWS. Route53 doesn't have the ability to natively support slave dns servers, but overall seems much more stable and reliable so far. That's at least based on our (limited) experience. – Yoav Aner Jan 27 '13 at 09:44
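The slave-to-master promotion this answer describes is a small named.conf edit: change `type slave;` to `type master;` and drop the clauses that only make sense for a slave, such as `masters { ... };`. The script below is an added example written for this page; it is not the script at the link above and not part of BIND. Its input is a constructed named.conf fragment for the "hidden master plus public slaves" layout described in the previous answer, with the slaves pulling from a master at the made-up address 192.0.2.10. It assumes the slave zone files are stored in text format (BIND 9.9 and later default to raw format for slave zones; `named-compilezone -f raw -F text` converts such a file before you edit it).

```python
"""Promote BIND slave zones to masters in a named.conf, so a zone can be
edited locally while the primary provider's management interface is down.

Added example; not the linked script and not part of BIND. Zone names,
file paths and the master address 192.0.2.10 are constructed.
"""
import re
import sys
from pathlib import Path
from typing import Iterator, Optional, Set, Tuple

# Constructed input: two slave zones pulling from a (hidden) master, plus a
# root hint zone that must be left alone.
SLAVE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "example.org" IN {
    type slave;
    file "slaves/example.org.db";
    masters { 192.0.2.10; };
    allow-notify { 192.0.2.10; };
};

zone "example.net" IN {
    type slave;
    file "slaves/example.net.db";
    masters { 192.0.2.10; 192.0.2.11; };
};
"""


def iter_zone_blocks(conf: str) -> Iterator[Tuple[int, int]]:
    """Yield (start, end) offsets of top-level zone "..." { ... }; blocks,
    matching braces so nested clauses such as masters { ...; } are handled."""
    for m in re.finditer(r'^[ \t]*zone[ \t]+"[^"]+"[^{]*\{', conf, re.MULTILINE):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        if conf[i:i + 1] == ";":  # consume the ';' after the closing brace
            i += 1
        yield m.start(), i


def promote_block(block: str) -> str:
    """Rewrite one zone block: type slave -> master, drop slave-only clauses."""
    if not re.search(r"^[ \t]*type[ \t]+slave[ \t]*;", block, re.MULTILINE):
        return block  # already a master, or a hint/forward zone: untouched
    block = re.sub(r"^([ \t]*)type[ \t]+slave[ \t]*;", r"\1type master;", block,
                   flags=re.MULTILINE)
    # masters and allow-notify only apply to slave zones; remove them wholesale.
    return re.sub(r"^[ \t]*(masters|allow-notify)[ \t]*\{[^}]*\}[ \t]*;[ \t]*\n", "",
                  block, flags=re.MULTILINE)


def promote_slaves(conf: str, zones: Optional[Set[str]] = None) -> str:
    """Return the config with the named zones (default: every slave) promoted."""
    out, pos = [], 0
    for start, end in iter_zone_blocks(conf):
        block = conf[start:end]
        name = re.match(r'[ \t]*zone[ \t]+"([^"]+)"', block).group(1)
        out.append(conf[pos:start])
        out.append(promote_block(block) if zones is None or name in zones else block)
        pos = end
    out.append(conf[pos:])
    return "".join(out)


if __name__ == "__main__":
    # usage: promote.py [named.conf [zone ...]]; prints the rewritten config
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SLAVE_NAMED_CONF
    sys.stdout.write(promote_slaves(text, set(sys.argv[2:]) or None))
```

Write the output over a copy of named.conf, run `named-checkconf` on it, and reload named; from then on the zone file under `file` is the one you edit (bump the SOA serial on every change so the remaining slaves pick it up). Promoting only the zones you need to change, by naming them on the command line, keeps the blast radius small.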