
Let's say I have a root domain of "mysite.com". That domain and its sub-domains have DNS served by an external service - let's call them Setwork Nolutions. If this external company is hit with a DDoS attack, my internally-hosted websites under this domain are no longer accessible at "mysite.com" or "*.mysite.com", even though the website(s) is/are fully up and operational.

How can I mitigate such a problem so as to keep end users happy?

The only solution others at my company have come up with is to create a second domain - i.e. "mysite2.com", and host its DNS at another company, and then communicate to all end users that this is the website they should use. I think this is ridiculous, and just leads to a bunch of other problems.

I'd like to find a solution where we can point to the same website with the same URL without the original DNS host being operational.

Any thoughts?

Eric Belair

2 Answers


You can set up additional DNS servers outside of SN and then register those nameservers as authoritative for that domain.

One such DNS provider I can strongly recommend is called UltraDNS.

This will solve all the problems. Instead of having:

mysite.com ns ns1.sn.com 
mysite.com ns ns2.sn.com

you'd have:

mysite.com ns ns1.sn.com
mysite.com ns ns2.sn.com
mysite.com ns ns3.ultradns.com

If your real problem is only internally-hosted websites, you could partially mitigate any outage of your authoritative nameservers by setting up local caching nameservers for your domain and then pointing your LAN machines at these caching nameservers.

http://www.tldp.org/HOWTO/DNS-HOWTO-3.html

Combine this with a somewhat longer TTL (say as long as an outage you'd like to survive * 2) and you should be able to survive that scenario just fine.

As a final, oh crap, we're down, always remember a local /etc/hosts entry (or equivalent) can get you out of a jam.

dmourati
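The multi-provider delegation described in this answer can be checked mechanically: does the NS set span more than one provider, would losing any one provider still leave a working nameserver, and does the parent zone (what the registrar has on file) actually list every server the zone itself publishes? The script below is an added example and is not code from the answer or from any DNS provider. It assumes `dig +noall +answer NS <zone>` style input, uses constructed sample output (not real DNS data), and approximates a nameserver's "provider" by the last two labels of its host name, a heuristic that does not handle suffixes such as co.uk.

```python
"""Check whether a domain's NS delegation is spread over more than one
DNS provider, and whether the parent zone actually delegates to all of them.

Added example (not code from the original answers). Assumptions: input is
`dig +noall +answer NS <zone>` style text; a nameserver's "provider" is
approximated by the last two labels of its host name (ns1.sn.com -> sn.com),
which is a heuristic and does not handle suffixes like co.uk correctly.
"""
import re
from collections import defaultdict

# Constructed sample answers (not real DNS data). CHILD_NS is what the zone
# itself publishes; PARENT_NS is what the TLD servers return for the
# delegation, i.e. what the registrar has on file.
CHILD_NS = """\
mysite.com.\t86400\tIN\tNS\tns1.sn.com.
mysite.com.\t86400\tIN\tNS\tns2.sn.com.
mysite.com.\t86400\tIN\tNS\tns3.ultradns.com.
"""
PARENT_NS = """\
mysite.com.\t172800\tIN\tNS\tns1.sn.com.
mysite.com.\t172800\tIN\tNS\tns2.sn.com.
"""
SINGLE_PROVIDER_NS = """\
mysite.com.\t86400\tIN\tNS\tns1.sn.com.
mysite.com.\t86400\tIN\tNS\tns2.sn.com.
"""

NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)$")


def parse_ns_records(dig_output):
    """Return a list of (owner, ttl, nameserver) from dig answer-section lines."""
    records = []
    for line in dig_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            owner, ttl, ns = m.groups()
            records.append((owner.rstrip(".").lower(), int(ttl), ns.rstrip(".").lower()))
    return records


def provider_of(nameserver):
    """Heuristic provider identity: last two labels of the NS host name."""
    return ".".join(nameserver.split(".")[-2:])


def group_by_provider(records):
    groups = defaultdict(list)
    for _, _, ns in records:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def survives_loss_of(provider, records):
    """True if taking every nameserver of `provider` offline still leaves one."""
    return any(provider_of(ns) != provider for _, _, ns in records)


def assess(dig_output, min_providers=2):
    """Summarise provider diversity of a delegation."""
    records = parse_ns_records(dig_output)
    groups = group_by_provider(records)
    return {
        "nameservers": [ns for _, _, ns in records],
        "providers": sorted(groups),
        "diverse": len(groups) >= min_providers,
        "single_points_of_failure": sorted(
            p for p in groups if not survives_loss_of(p, records)),
    }


def delegation_mismatch(parent_output, child_output):
    """Nameservers the zone lists but the parent does not, and vice versa.

    Adding ns3 inside your own zone is not enough: resolvers follow the
    parent's delegation, so the registrar must also list the new server.
    """
    parent = {ns for _, _, ns in parse_ns_records(parent_output)}
    child = {ns for _, _, ns in parse_ns_records(child_output)}
    return {"missing_at_parent": sorted(child - parent),
            "missing_in_zone": sorted(parent - child)}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SINGLE_PROVIDER_NS), indent=2))
    print(json.dumps(assess(CHILD_NS), indent=2))
    print(json.dumps(delegation_mismatch(PARENT_NS, CHILD_NS), indent=2))
```

To run it against a live domain, feed it the output of `dig +noall +answer NS mysite.com` (the zone's view) and of the same query sent to one of the parent TLD servers (the registrar's view); the `missing_at_parent` list is the one that bites people who add a third nameserver in the zone file and forget the registrar.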

You will encounter this problem with any domain whose servers are hit by a DDOS attack. Having the servers for your own domain hit by a DDOS is more likely to be visible and traceable.

Setting up one or more caching name servers on your own network and configuring your computers to use those for DNS resolution should resolve the problem unless the DDOS is extremely prolonged. I use dnsmasq on a linux server, and have run it on an OpenWRT router. It will also read values from /etc/hosts and/or other files in the same format.

If your external DNS host supports it, you could run a local bind server as a hidden slave. This would provide the best protection you could get without hosting DNS locally. Alternatively, you could run bind as your local caching name server.

BillThor
  • The only problem here is that, while the websites are HOSTED internally, they are publicly accessible websites with hundreds of daily users. I'm trying to make this seamless for the end users. – Eric Belair Nov 07 '13 at 05:00
  • @EricBelair To make DNS for publicly accessible sites more reliable, add mirrors. This will need to be done with the co-operation of your DNS provider. Setting a long time to live on the DNS entries for your name servers and web addresses will make the normal DNS caching more effective. Servers like Google's are likely to continue to serve your DNS records even if there is a DDOS against your DNS servers. DDOS of your web site would be much easier. – BillThor Nov 08 '13 at 00:21
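Both answers lean on resolver caching and longer TTLs to ride out an outage of the authoritative servers. The model below puts numbers on that. It is an added example, not code from either answer, and it assumes a simplified world: a population of recursive resolvers that all hold www.mysite.com cached, refresh it exactly when the TTL expires (steady client demand), have their refresh times spread evenly over the TTL window before the outage begins, fail every refresh attempted during the outage, and do not serve stale data. Resolvers that had nothing cached when the outage started fail immediately and are outside the model. The "TTL = 2 × outage" rule of thumb from the first answer is evaluated under these assumptions.

```python
"""How long do cached answers keep a site reachable once its authoritative
nameservers stop responding?

Added example (not code from the original answers). Model assumptions:
a population of recursive resolvers each holds www.mysite.com cached and
refreshes it exactly when the TTL expires (steady client demand); their
refresh times are spread evenly over the last TTL seconds before the outage
starts; refreshes during the outage fail; resolvers that did not already have
the record cached fail immediately; no "serve stale" behaviour.
"""


def survival_fraction(ttl, outage):
    """Closed form: share of resolvers whose cached copy outlives the outage.

    A resolver that last refreshed t seconds before the outage started loses
    its copy after ttl - t seconds; it survives iff ttl - t >= outage.
    With t uniform on [0, ttl) that is (ttl - outage) / ttl, floored at 0.
    """
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    return max(0.0, (ttl - outage) / ttl)


def simulate(ttl, outage, resolvers=1000):
    """Discrete check of the closed form: count resolvers that stay answering."""
    alive = 0
    for i in range(resolvers):
        last_refresh = -ttl * (i + 0.5) / resolvers   # seconds before outage start
        expires_at = last_refresh + ttl                # relative to outage start
        if expires_at >= outage:
            alive += 1
    return alive


def ttl_for_survival(outage, percent):
    """Smallest TTL (seconds) keeping `percent` of resolvers answering through
    an outage of `outage` seconds. Integer arithmetic, rounded up."""
    if not 0 <= percent < 100:
        raise ValueError("percent must be in [0, 100)")
    return -(-outage * 100 // (100 - percent))


def report(ttl, outage):
    """Human-readable summary for one TTL / outage pair."""
    frac = survival_fraction(ttl, outage)
    return (f"TTL {ttl}s, outage {outage}s: about {frac:.0%} of resolvers keep "
            f"answering; the rest fail within the outage")


if __name__ == "__main__":
    # "TTL = 2 x outage" rule of thumb, for a 12 h outage
    print(report(86400, 43200))
    print("simulation:", simulate(86400, 43200), "of 1000 survive")
    # TTL needed so that 90% of resolvers ride out a 6 h outage
    print("TTL for 90% over 6h:", ttl_for_survival(21600, 90), "seconds")
```

Two things the model leaves out matter in practice. The NS records themselves also carry a TTL, and a resolver that has to re-walk the delegation during the outage fails regardless of what it has cached for the A record, so the long TTL BillThor mentions for the name server entries is part of the same trade-off. And resolvers that implement serve-stale (RFC 8767, "Serving Stale Data to Improve DNS Resiliency", which post-dates this thread) keep answering from expired cache while the authoritative servers are unreachable, which is exactly the behaviour the local caching nameserver and hidden-slave suggestions above are trying to get on your own network.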