Nonetheless, we just spun up a Route53 zone, exported our zone from DNSimple, imported to Route53, and hand-migrated our ALIAS records to static A records in the new zone.
Not perfect or permanent, but we've gotten around the outage. Also, I just learned that pointhq has (seemingly-undocumented) support for ALIAS records in the same style as DNSimple, so this could be another avenue to explore.
FWIW, the IP I have cached is 50.31.213.210.
I wonder how many of the affected companies do have redundant appservers and load balancers, but missed this piece of the puzzle...
Small wonder that a proprietary syntactical sugar leaves you at the mercy of select vendors?
As for volumetric attacks: your point is correct, but is irrelevant if you're using multiple vendors, and a specific, single vendor is the target, like it appears here. Your other authoritative servers would be unaffected.
[1] http://support.dnsimple.com/articles/alias-record/, or http://webcache.googleusercontent.com/search?q=cache:ST1BABj...
I agree though that it is a pretty simple service to run for a small domain.
Many customers were able to resolve the domain in the minutes immediately following the switch, and the rest seem to be trickling in.
EDIT: right, must have been able to log in during a brief period where dnsimple was not down.
(ObRandom: I run a service that wraps route53 with git integration, at https://dns-api.com/ )
Hence, I'm going to try CloudFlare (assuming they take over DNS hosting, I need to check) and Google Cloud DNS, because then all parts of my site (from DNS to CSS hosting) will be with providers with bigger pipes than attackers can create. Hopefully that will prevent this kind of attack from taking my site down.
The reason for this is that resolvers will generally try at least three different name servers before giving up, so if you have three or more from a single provider that may not help.
There is also a big caveat to consider: once you use two or more providers, whenever you need to make rapid DNS changes for your own availability reasons you will need to wait for the slowest-to-update provider.
My experience shows that at least 3 servers with 3 different providers is good enough. And by "providers" I mean a different company, city, datacenter, transit provider...
Trusting a single entity with anything (even if they say that they have many servers blabla... geologically blabla...)... well, you have a situation like this right now :)
* Get accounts with AWS (Route 53), dnsmadeeasy, and cloudflare.
* Monitor resolution at all of their name servers
* Either proactively spread your authoritative nameservers across providers, or update your root NS records based on your monitoring.
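Added example (mine, not from any commenter in this thread) of the "monitor, then update your NS records" idea above, folded together with the earlier point that resolvers retry several servers before failing, so many servers at one provider is still one failure domain. Provider names, hostnames and probe results are all constructed; in practice probe_results would come from querying each server directly for a record with a known expected answer.

```python
# Added example (not from the thread): given the authoritative nameservers a
# zone is delegated to, which provider runs each one, and the result of probing
# each server, decide what the parent NS set should look like. Provider names,
# hostnames and probe results are constructed for illustration.
from collections import defaultdict

# Constructed delegation: five servers across three providers.
NAMESERVERS = {
    "ns1.provider-a.example": "provider-a",
    "ns2.provider-a.example": "provider-a",
    "ns1.provider-b.example": "provider-b",
    "ns2.provider-b.example": "provider-b",
    "ns1.provider-c.example": "provider-c",
}

# Resolvers retry several servers before giving up, so one provider with many
# servers is still a single failure domain; require at least two providers.
MIN_PROVIDERS = 2

# Constructed probe results simulating an outage at provider-a. In production,
# replace this with a real per-server query (e.g. dig @server example.com A)
# compared against the expected answer; a timeout or wrong answer is False.
PROBE_RESULTS = {ns: not ns.endswith("provider-a.example") for ns in NAMESERVERS}


def providers_of(nameservers):
    """Group nameservers by provider: {'provider-a': ['ns1...', 'ns2...'], ...}."""
    grouped = defaultdict(list)
    for ns, provider in sorted(nameservers.items()):
        grouped[provider].append(ns)
    return dict(grouped)


def is_diverse(nameservers, min_providers=MIN_PROVIDERS):
    """True when the delegation spans at least `min_providers` distinct providers."""
    return len(providers_of(nameservers)) >= min_providers


def plan_delegation(nameservers, probe_results, min_providers=MIN_PROVIDERS):
    """Decide which servers to keep in the parent NS set after a round of probes.

    probe_results maps nameserver -> True if it answered the probe correctly,
    False (or absent) on timeout or wrong answer. Returns (ns_to_publish, warnings).
    Servers that failed are dropped; if nothing answered, the current set is kept
    unchanged rather than publishing an empty delegation."""
    warnings = []
    healthy = sorted(ns for ns in nameservers if probe_results.get(ns, False))
    if not healthy:
        warnings.append("no nameserver answered; keeping the current delegation")
        return sorted(nameservers), warnings
    failed = sorted(set(nameservers) - set(healthy))
    if failed:
        warnings.append(f"dropping unresponsive servers: {failed}")
    remaining = {ns: nameservers[ns] for ns in healthy}
    if not is_diverse(remaining, min_providers):
        left = sorted(set(remaining.values()))
        warnings.append(f"only {len(left)} provider(s) left ({left}); add another provider")
    return healthy, warnings


if __name__ == "__main__":
    print("providers:", providers_of(NAMESERVERS))
    print("diverse enough:", is_diverse(NAMESERVERS))
    keep, warns = plan_delegation(NAMESERVERS, PROBE_RESULTS)
    print("publish NS:", keep)
    for w in warns:
        print("warning:", w)
```

The deliberate choice here is to never shrink the delegation to nothing: if every probe fails (which is more likely your monitoring box than all three providers), leaving the NS set alone is the safer failure mode.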
FYI - Instead of an Alias record on DNSimple, CloudFlare will allow a CNAME record for the root domain using "CNAME flattening".
You can now set CloudFlare's DNS service to "bypass CloudFlare" on all records by clicking the icon so you don't get any of their magic (unless you want it).
Then add CloudFlare's 2 nameservers to your domain as your first 2 name servers. No need to remove dnsimple's name servers.
Now you have 2 DNS providers in case one fails, just make sure the records are the same across them both!
Any ideas?
Fascinating traffic floods from various locations, but the attack is not continuous.
As far as I understand, ipviking simply hosts honeypots around the world and uses those to graph "attacks" against IP blocks, etc.
I would very much like someone to correct me if this assumption is incorrect, because it'd be neat to actually watch targeted DDoS attacks, but I don't think that's what ipviking is offering.
We've successfully switched our domains over to nsone.net.
Set up a new account on another host that does ALIAS records (I used pointDNS)
Create your new record without much in it
Change your nameservers on your domain now - they'll take time to propagate
Fill in the records on your domain. If you can't remember them, print out most of your existing records with
dig yourdomain.com ANY
Add the rest of the records to pointDNS
Wait for the new Nameservers to propagate (0-24 hours - it took 15-30 min for us on a small-medium traffic domain today during sales crunch)
If you really really want to do it anyway, most caches use either the TTL on your SOA record, or the final field in the SOA record as the negative cache TTL; so lower both of those values to something like 60 seconds.
https://twitter.com/dnsimplestatus/status/539551209452232705
Unlike Dyn or CloudFlare:
I always wonder, why is it that someone wants to attack a small company like DNSimple ? Is it that they were blackmailed and did not surrender to the criminals? If so, why would anyone be interested in blackmailing such a small company?
I'm hoping it will get queued by the sending server, and make its way back when DNSimple is up and running. Is that correct?
What can you do to prevent this in future? Can you run multiple DNS providers simultaneously? So, ns1/ns2 go to DNSimple, and ns3/ns4 go to another provider?
"Some DNS hosts provide a way to get CNAME-like functionality at the zone apex using a custom record type. " .. and then on to suggest DNSimple as their first suggestion.
Heroku prefers you didn't use A RECORDS at all because the IP addresses in their underlying architecture might change. [1]
"DDoS attacks...will generally fall into one of three broad categories:
Volumetric Attacks: Attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion."
Google, Facebook, etc, all use this approach.
https://medium.com/@brianarmstrong/youre-probably-doing-dns-...
dnsimple domain record list example.com > example.txt
OR
dnsimple domain record list example.com --json > example.json