I'd like to migrate or even perhaps add a secondary DNS but RS DNS doesn't seem to even offer zone transfers (the best you can do, I guess, is to use the API to get your records out).
It's tough to do. DNS is a dumb and ancient protocol from the "let's all be friends" days of the internet. It's a bit more complex than installing mod_evasive and calling it a day.
DDoS is currently an unsolved problem for many popular protocols and services. Blaming just Rackspace seems unfair. Last week it was Namecheap. The week before it was someone else, etc. DNS DDoS is just a non-trivial problem to solve.
This should also be a reminder to have more than one DNS provider in your domain record. A backup nameserver from a different provider saves you and your customers a lot of heartache.
Market cap and technical sophistication, esp. at large scale, tend to become divergent. In other words, it is generally assumed that big companies do things poorly. That's the entire notion of startups.
I will say this: Dyn can probably do a better job of hosting your DNS than Rackspace; Rackspace is not focused on DNS, and I'm not aware that they even really do anything special except for running lots of big DNS servers. Even when I worked at Rackspace 10 years ago, the size of their customer base made them a constant target for DoS attacks. Do you need Dyn? Also probably not.
Rackspace has patented DDoS prevention technology called RiverGuard, but since being patented only illustrates that it is novel, and not that it is of any quality, that is also meaningless.
I will say that, even though I prefer as a past employee to work with other companies, because the things Rackspace is bad at are things they don't give a fuck about solving, they run a damned fine network.
Further, as a replacement for / alternative to a colo, it is irrelevant whether a company can run a good DNS infrastructure, because that's not what I'm asking them to do. Rackspace DNS is there for convenience.
Cloud providers like AWS use their own cloud infrastructure (we think) to host services like Route53, which are also not infallible, but tend not to _entirely_ go down like this. Rackspace, while being somewhat competitive in the cloud space, doesn't operate anything like Amazon, doesn't do anything in a very distributed manner, and is backing those cloud offerings with what I expect to be vertically scaled DNS servers on top-end Dell hardware behind some kind of load balancers.
Money doesn't make you good at things, rather it helps you to not have to worry about the details, so it is inversely true that a company with a substantial market share should be expected not to make the same mistakes as the little guys. They're operating all day, all week, all year under the fallacy that their scale is proof of the quality of their work, and following this logic, they don't have to do any work at all. ;)
All we know is that Rackspace has DNS servers in three out of its six datacenters[2], and that they appear not to have always-on DDoS protection in place.
Market cap and technical sophistication, esp. at large scale, tend to become divergent.
You say this, but go on to compare Rackspace unfavorably to Amazon who, at 141.93B (of which AWS is just a part), has over 20x Rackspace's market cap and probably 10x the infrastructure[2][3]. Big companies do things poorly, but then it's hard to have highly-available DNS without having lots of infrastructure.
Namecheap, Route53, Dyn, DNSimple, and now Rackspace have suffered DDoS attacks with outages of varying severity. Don't act like DDoS prevention is a solved problem and claim technical incompetence.
1: http://www.thewhir.com/web-hosting-news/web-host-rackspace-o...
Yeah, no zone transfers, but you can always grab a complete BIND 9 export via the API or just call support and they can fetch it for you.
It's easy to forget that you can have redundancy in your load balancers, web servers and databases (replication, multiple data centres, etc), but DNS is how you're found by the rest of the Internet.
No DNS resolution = no one reaches your expensive, lovingly-crafted infrastructure.
I have DNSmadeeasy and they seem to do okay, but only because they're such a small player and avoid being targeted too often.
Sorry, but there's no silver bullet here. Cloud providers get hacked and DDoS'd all the time. Kiddies and morons find it amusing to do so. Roll your own if you want to avoid being attached to such a big target and have a cloud provider just be your secondary nameserver.
No DNS doesn't always mean no one reaches your expensive infrastructure. That may be true for websites relying on lots of random traffic, but most if not all of our customers have been to our site before so there's a strong chance that the DNS has already been cached on their computer or router.
We recently went through this with another provider and wrote about it (http://blog.papertrailapp.com/dns-outage-on-monday-december-...). The gist: "Relying on one DNS infrastructure, no matter how large or distributed, is an unnecessary risk"
What they do, unfortunately, is charge you for the queries, but there is no way of knowing which host has exceeded the limits query-wise. When we first started using them they stated that, even though we were exceeding the limits according to how they measure, "not to worry, you won't get charged". Of course, perhaps 1 to 1.5 years later, they now do charge (email out of the blue one day) and constantly try to bump us to a higher level of service. [1] All this for a few zones that used to run comfortably on 2 servers on which we had many other things going on as well as DNS. (Now they claim we get 2.5 million queries per month, but there is no way to determine exactly if that is true or for what host, i.e. foo.domain.com vs. www.domain.com, is causing the excess queries.)
[1] Which is more than paying the overage charges which is what we do every month.
This affected everyone who uses CloudFront (which is a lot), including Amazon.com itself. There, all product images were timing out.
https://news.ycombinator.com/item?id=8665367
http://www.forbes.com/sites/benkepes/2014/11/26/in-response-...
It was not a good start on a Monday. And it was even harder to explain that your websites are up, but not up to a client lol, and there is basically nothing I can do.
So yeah, this marks the point at which I will be using R53 and RS DNS servers.
The "no more than two nameservers" rule means that those attempts will always span at least two providers.
Why don't DNS clients fail back to use the most recent good IP address as a default?
Indeed, how can I set up my Kubuntu desktop to have this behaviour? Most domains probably point to the same IP for years at a time, I'd imagine. If that's true it seems very strange that just because example.com's DNS server was offline this one day out of the last 600 that my browser can't "guess" that "123.45.67.89 example.com" is going to work.
You'd need to add some security around that to avoid abuse I'm sure but doesn't it seem reasonable? Shouldn't DNS failures only prevent you from getting to a server if the IP has changed??
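The "remember the last good answer" behaviour asked about above has since been standardized as serve-stale (RFC 8767) and is available in common resolvers. The sketch below is an added example, not code from anyone in this thread: a small cache that answers from expired data only when the authoritative side cannot be reached, for a bounded window, and never after an authoritative NXDOMAIN. The `resolve` callable and the clock are injected so the code runs offline; the resolver used in the demo is constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class ResolutionFailed(Exception):
    """Upstream unreachable (timeout, SERVFAIL): the failure serve-stale is meant to cover."""


@dataclass
class CacheEntry:
    addresses: Tuple[str, ...]
    expires_at: float  # clock value at which the record's original TTL ran out


# resolve(name) returns (addresses, ttl_seconds), returns None for an authoritative
# NXDOMAIN, or raises ResolutionFailed when the authoritative servers cannot be reached.
Resolver = Callable[[str], Optional[Tuple[List[str], int]]]


class ServeStaleCache:
    """Keeps answering from expired data, for a bounded window, when upstream is down."""

    def __init__(self, max_stale_seconds: float = 24 * 3600,
                 now: Callable[[], float] = time.time) -> None:
        self.max_stale_seconds = max_stale_seconds
        self._now = now  # injectable clock so behaviour can be tested without sleeping
        self._entries: Dict[str, CacheEntry] = {}

    def lookup(self, name: str, resolve: Resolver) -> Optional[Tuple[Tuple[str, ...], bool]]:
        """Return (addresses, served_stale), or None for NXDOMAIN.

        Raises ResolutionFailed only when upstream is down AND no usable stale data exists.
        """
        name = name.rstrip(".").lower()
        now = self._now()
        entry = self._entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.addresses, False  # fresh hit: no upstream traffic at all
        try:
            answer = resolve(name)
        except ResolutionFailed:
            # Serve stale only on a transport/server failure and only inside the stale
            # window, so an outage can at worst pin a previously valid answer for a
            # bounded time; it cannot introduce an answer that was never obtained.
            if entry is not None and now - entry.expires_at <= self.max_stale_seconds:
                return entry.addresses, True
            raise
        if answer is None:
            # Authoritative negative answer: the name really is gone, so drop old data too.
            self._entries.pop(name, None)
            return None
        addresses, ttl = answer
        self._entries[name] = CacheEntry(tuple(addresses), now + ttl)
        return tuple(addresses), False


def demo() -> None:
    """Constructed walk-through: authoritative side goes away after the first lookup."""
    clock = [1000.0]
    upstream_up = [True]

    def fake_resolve(name: str) -> Optional[Tuple[List[str], int]]:
        if not upstream_up[0]:
            raise ResolutionFailed(name)
        return ["123.45.67.89"], 300  # constructed answer with a 300 s TTL

    cache = ServeStaleCache(max_stale_seconds=3600, now=lambda: clock[0])
    print("first lookup :", cache.lookup("example.com", fake_resolve))
    upstream_up[0] = False
    clock[0] += 400  # TTL expired, upstream down -> stale answer flagged True
    print("during outage:", cache.lookup("example.com", fake_resolve))


if __name__ == "__main__":
    demo()
```

The design point is in the two branches of `lookup`: a stale answer is only ever one that the resolver previously received, and an authoritative "does not exist" wins over any cached copy, which is what keeps this from becoming a way to keep a retired name alive.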
Any advice for the future on how to add redundancy to my DNS setup? Is it as simple as maintaining Nameservers on two different providers and pointing to them both on my domain?
https://news.ycombinator.com/item?id=8716662
Seems Namecheap and DNSimple have suffered from these attacks lately. I had some sites affected by Namecheap's DDoS.
Having revision-control is wonderful for history-tracking.
Sure, service X might be able to block a 50 foobit attack but what about when the next vulnerability is found and they can launch 500 foobits of DDoS?
Said the guy on the Hacker News website.
https://github.com/rackspace/pyrax/blob/master/docs/cloud_dn...
You could also do it via CURL: https://community.rackspace.com/products/f/25/p/1743/4945#49...
Your primary DNS provider should allow automatic zone transfers. This makes it so that any changes you do to your primary service get propagated to the secondary service within seconds.
Once set up, you'll automatically have redundancy in case the primary provider starts timing out.
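Two checks a practitioner wants once a second provider is in place, whether it is fed by zone transfer as described just above or by re-importing the BIND export mentioned earlier in the thread: is the secondary actually carrying the same data as the primary, and do the delegation NS records really span more than one provider? The code below is an added example, not part of the thread or of Rackspace's API; it parses two BIND-format zone exports (both constructed here), diffs them, reads the SOA serial, and groups apex NS names by provider. The provider grouping uses the last two labels, a deliberate simplification that a real check should replace with a public-suffix-list lookup.

```python
from typing import Iterator, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner FQDN, record type, normalized rdata)
CLASSES = {"IN", "CH", "HS"}
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR"}  # rdata is a single domain name


def _qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into a lowercase FQDN relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def _logical_lines(text: str) -> Iterator[str]:
    """Strip ';' comments and join '( ... )' continuations (multi-line SOA) into one line."""
    buf: List[str] = []
    depth = 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # fine here: the sample zones contain no quoted strings
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue
        joined = " ".join(buf).replace("(", " ").replace(")", " ")
        buf, depth = [], 0
        if joined.strip():
            yield joined


def parse_zone(text: str, origin: str = "") -> Set[Record]:
    """Parse a BIND-style zone export into a set of normalized (owner, type, rdata) records."""
    records: Set[Record] = set()
    owner = ""
    if origin and not origin.endswith("."):
        origin += "."
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):  # $TTL does not affect the comparison; others unsupported
            continue
        if not origin:
            raise ValueError("zone has no $ORIGIN and no origin was given")
        if line[0] not in " \t":  # a line starting with whitespace reuses the previous owner
            owner = _qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)  # optional TTL and class, in either order
        rtype = tokens.pop(0).upper()
        parts = tokens
        if rtype in NAME_RDATA_TYPES:
            parts = [_qualify(parts[0], origin)]
        elif rtype == "MX":
            parts = [parts[0], _qualify(parts[1], origin)]
        elif rtype == "SOA":
            parts = [_qualify(parts[0], origin), _qualify(parts[1], origin)] + parts[2:]
        records.add((owner, rtype, " ".join(parts)))
    return records


def soa_serial(records: Set[Record]) -> int:
    """Serial of the zone's SOA; a secondary behind the primary shows a lower value."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


def zone_diff(primary: Set[Record], secondary: Set[Record]) -> Tuple[List[Record], List[Record]]:
    """(records missing on the secondary, records the secondary has but the primary does not)."""
    return sorted(primary - secondary), sorted(secondary - primary)


def ns_providers(records: Set[Record], apex: str) -> Set[str]:
    """Group apex NS targets by their last two labels (naive stand-in for a public-suffix lookup)."""
    providers: Set[str] = set()
    for owner, rtype, rdata in records:
        if owner == apex and rtype == "NS":
            providers.add(".".join(rdata.rstrip(".").split(".")[-2:]))
    return providers


# Constructed sample exports (RFC 2606/5737 names and addresses). The secondary lags one
# serial behind and never received the 'api' record.
PRIMARY_ZONE = """$ORIGIN example.com.
$TTL 300
@   IN SOA ns1.dns-a.example. hostmaster.example.com. (
        2014121501 ; serial
        3600 900 604800 300 )
@   IN NS  ns1.dns-a.example.
    IN NS  ns2.dns-a.example.
    IN NS  ns1.dns-b.example.
@   IN A   192.0.2.10
www 300 IN A 192.0.2.10
api IN CNAME www
"""
SECONDARY_ZONE = PRIMARY_ZONE.replace("2014121501", "2014121500").replace("api IN CNAME www\n", "")


def check_redundancy(primary_text: str, secondary_text: str, apex: str) -> Tuple[int, int, int]:
    """Return (records missing on secondary, serial difference, distinct NS providers)."""
    primary, secondary = parse_zone(primary_text), parse_zone(secondary_text)
    missing, _extra = zone_diff(primary, secondary)
    missing = [r for r in missing if r[1] != "SOA"]  # the SOA mismatch is reported via the serial
    return len(missing), soa_serial(primary) - soa_serial(secondary), len(ns_providers(primary, apex))


if __name__ == "__main__":
    print(check_redundancy(PRIMARY_ZONE, SECONDARY_ZONE, "example.com."))
```

Run against real exports, a non-zero first value or a positive serial gap means the secondary is not a usable fallback yet, and a provider count of 1 means every nameserver in the delegation still fails together.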