Zerigo DNS services down for 6+ hours due to massive DDoS (opens in new tab)

I know there's much love for DNSimple, but this is the first time that I can remember when the top comment of an X is down post is a competitor essentially posting an advert with no insight on the OP.

Long time user of DNSimple.

Great product, great support, great team, great price.

Recommended.

The philosophy behind DNSimple is great! A few questions:

* How much DNS traffic can it handle for one customer? Usually DNS-services that charge much more than DNSimple have this capped.

* 99% availability (3.65d/y) sounds a bit too much for a production server DNS SLA, maybe after introducing a secondary DNS a much higher availability could be offered. Any timeline for adding a secondary DNS?

I signed up for your service earlier this morning because Zerigo were taking their time to solve the issue.

However, what I would like to know is - have you guys implemented any procedures to mitigate any negative effects a DDoS may have on your services? (Assuming your service gets DDoS'd like Zerigo) The last thing I want is more down time and to switch to another provider once again.

Another big fan of DNSimple here. Been with them for over a month and the services and support have been great.

Even more impressive is we have directed a couple very non-technical customers to them and they all have been able to get up and running in no time.

I admit that Zerigo was first to spoil me with a simple interface, but I came to DNSimple from there because of all the extra labor-saving features it has. I figure I get back at least 1-2 weeks of my life every year as a result of being a 100% DNSimple shop.

I'm not (yet) an actual customer of DNSimple, but I know literally half of the team and I can vet for them, both humanly and technically.

That said, I don't know anything about Zerigo and I have no opinion about them.

Just to second this one: I've used DNSimple for years, and it's an awesome product. I can't imagine doing DNS without it now.

Maybe you should check if your own services are up next time you spam them in a thread where your competitors are down.

Your pricing looks amazing - but it looks like you had an outage this morning too. Can you talk about that?

DNSimple is the best, seriously, no really, seriously.

As you're probably aware the server that you use has little impact when the DDoS sends enough traffic to actually saturate your allocated bandwidth. Anycast provides a good way to handle DDoS, along with proactive monitoring and defense mechanisms, but at the end of the day DDoS are still extremely difficult to defend from completely. The downside is that Anycast is expensive and thus you need the capital to build it out and run it - which often raises the cost of systems built using it.

Sounds good... but do you have a REST API? That's the primary reason I chose Zerigo in the first place.

We've seen the same kind of attack. We ended up limiting our DNS resolvers only to our own prefixes. It's a simple ACL in bind that allows recursion (domains your DNS server is not authoritative for), only to our subnets.

Do you mind sharing the script / code to accomplish that? (some gist somewhere) I'm seeing a lot of these sort of things on our servers too..

FWIW the SlickDNS name servers are hosted by Linode so I'm a fan of their server hosting. For DNS management, the Linode interface is fine if you have a handful of domains with simple configurations, but beyond that it's unwieldy IMHO.

I'd say the main reason to use a DNS hosting service is to consolidate your DNS management for all of your domains regardless of registrars or server hosting providers. E.g., I personally have domains registered with 5 registrars and use two server providers. And because they specialize in DNS, DNS hosting providers should have superior interfaces, APIs and support for DNS hosting compared to generalist hosting providers.

The SlickDNS interface has two features in particular that I haven't seen in any other DNS hosting service: automatic management of "alias domains" and mapping IP addresses to named servers. See https://www.slickdns.com/features/ for details.

A dedicated DNS provider will often focus on the experience around managing DNS, including APIs and advanced features. Additionally some folks don't like putting all of their eggs in one basket and prefer to have their registrar be one company, their DNS be another and their hosts be another.

This might help: http://route53d.googlecode.com/svn-history/r2/trunk/README

Looks like they are close to getting NOTIFY and IXFR (incremental AXFR) working. It's an interesting approach none-the-less.

There are many types of DDoS. Some max out your CPU, some your network. Given that a DDoS (Distributed Denial of Service) involves potentially thousands of willing or unwilling systems, it's relatively easy to make a server unresponsive.

I have a 100 Mb/s internet connection. Scale that up to 10000, and you have saturated even the fastest of internet connections.

Mitigating a DDoS is not easy. Heck, its damn near impossible, considering the fact that DNS DDoS attacks are done via UDP, which allow you to spoof the source IP address. Even if you do block the IP address of al the attackers, your upstream provider is still impacted by the packets trying to come into your server. Most upstream ISPs will blackhole your server IP to diminish the impact on their network.

Thank you so much!

Ideally your primary provider would support AXFR and NOTIFY which are part of the DNS zone transfer protocol. It's something we're working on adding to DNSimple, but we're not quite ready to launch it yet. The primary and secondary providers also both need to report the correct authoritative name server delegation details so the primary needs to ensure that that data is in the zone file.

There is another challenge in that we're pushing the envelope a bit by offering features that rely on more than just a DNS record (for example ALIAS and POOL records). These are useful features for some people, but if you're using these types of features then they won't be portable to secondary providers.

We've switched our DNS provider and we're waiting for it to propagate. Check http://fogcreekstatus.typepad.com/ for updates.

We've switched our DNS provider and we're waiting for the change to propagate. http://fogcreekstatus.typepad.com/2012/07/index.html has all the details.