back to article The DNS was designed for diversity, but site admins aren't buying

The world's top eight DNS providers now control 59 per cent of name resolution for the biggest Websites - and that puts the Web at risk, according to a group of Harvard University researchers. The group was led by Harvard's Shane Greenstein, and warned that since 2011, the "entropy" of the DNS (referring to how widely …

  1. john.jones.name

    agreed

    DNS and security should be run in house.

    corporations trusting the root of their business security to a cloud provider is strange...

    1. Adam 52 Silver badge

      Re: agreed

      Seems sensible, not strange. Why trust someone in-house who has little DNS experience and no security experience to run something so important?

      Even the Army trusts the physical security of it's home bases to a third party.

      1. john.jones.name

        not sensible at all

        your confusing the website of a small business or one that makes no money with Alexa's top 1,000

        while their maybe some outliers all of those will be making money from their website/presence

        This is not about having multiple or even backup DNS run by a specialist it's about your root

        its a bit like drawing an analogy with the military (Completely different sphere). However to respond to that Its like allowing your nuclear arsenal to be guarded, deployed and armed by a third party....

  2. Blotto Silver badge
    Facepalm

    Duh

    ITS IN THE CLOUD

    The issue of dns has been outsourced to someone who’s promised reliability.

    What could possibly go wrong, and if the worst does happen it’s someone else's problem!!!! (As well as someone else profiting from being available but no one is ever going to shout that bit out loud)

  3. Anonymous Coward
    Anonymous Coward

    This is the argument I have with the Pointy-haired Boss every time Virgin's DNS service goes TITSUP, that we should be using two different external DNS services. But the answer is always Virgin provide the broadband and we need to use their DNS services. Life is to short to have arguments with stupid.

    1. Adam 52 Silver badge

      You should probably re-read the article or read the paper. This is about authorative nameservers not resolvers.

    2. Scott Marshall
      Devil

      Arguments with stupid?

      Straight from Chapter 1 of the BOFH manual:

      "Duct tape; while it can't cure stupid it sure muffles the sound"

  4. Crypto Monad Silver badge

    "a comparatively costless and therefore puzzlingly rare decision"

    It's important to have a single interface for administering the zone, which all DNS servers slave (replicate) from; otherwise you risk inconsistent results from different servers.

    Unfortunately, many of the registrars don't allow you to mix their own DNS with third-party secondaries which slave from it, or don't allow their own DNS servers to slave from some other primary.

    Popular example: Amazon route53 does not allow additional secondaries (AXFR), nor can it act as secondary itself

    Relatively few providers support this. Godaddy is one example which does: if you manage your zones with them as primary, you to add additional secondaries which AXFR from Godaddy (you could just run a £10/month cloud VM for this); and equally you can make your own nameserver the primary and Godaddy will slave from that.

    Even if you find two providers which support this, I think it's fair to say that most people don't understand DNS well enough to set this up; they therefore rely on a single cloud-hosted provider to manage it on their behalf. Sad but true.

    1. rh587

      Re: "a comparatively costless and therefore puzzlingly rare decision"

      Unfortunately, many of the registrars don't allow you to mix their own DNS with third-party secondaries which slave from it, or don't allow their own DNS servers to slave from some other primary.

      Popular example: Amazon route53 does not allow additional secondaries (AXFR), nor can it act as secondary itself

      To be fair, the ones that don't (like Cloudflare) are usually the ones where your DNS provider is not just a DNS provider but is also doing things like CDN or - in extreme cases - something like CF's new Warp Tunnel which calls for them to have some level of dynamic control over the DNS so they can route traffic to their network's ingest points rather than directly to your host.

      In principle it is of course possible to disambiguate the two - your root DNS pointing to the public entry IPs/domains of (one or more) CDN providers who each have a private DNS record to your actual host IPs which are never made public. However, setting that up is much more complex than the turnkey solution these providers are typically trying to offer ("set these two name-servers with your registrar and we'll sort the rest").

    2. SImon Hobson Bronze badge

      Re: "a comparatively costless and therefore puzzlingly rare decision"

      Relatively few providers support this

      I'll add PortFast who can handle multiple permutations. At my last place, we used them for our slaves while running our own master for around 500 domains - with a script that automatically added/removed domains from their system to match ours.

      You can also use a local database on their system - ie using a web interface to manually manage records.

      And you can specify a list of IPs allowed to do AXFRs, allowing you to use other slaves.

      Amusingly, a few months after I was made redundant, the manager who thought he knew more than he did just turned off the master - part of ripping out all the well managed network I'd left them with. He's one of those who just changes things and waits to see what he's broken. Oh how I chuckled to myself when I heard what he'd done - and how they were panicking and rushing to get all the domains manually added to Heart Internet's hosting (not my choice !). Politics being what they are, there's no way he'd ever consider asking me - if he had done so in advance, I'd have told him that Postfast have a neat trick - you can configure a slave zone and it'll fetch all the records from your master; then you can change it to use a local database with an option to retain all the records, thus turning them into the master. This only works if you do it before the zone times out and all the records get deleted.

      Needless to say, the customer problems and outages were blamed on everything but this person breaking things !

  5. Allan George Dyer
    Coat

    Good news for those running their own, multi-site, DNS. They win by default when the major service providers suffer the inevitable outage and every other online service falls over.

    As Sun Tzu said,

    “If you wait by the river long enough, the bodies of your enemies will float by.”

    1. stephanh

      beam me up, Scotty?

      “If you wait by the river long enough, the bodies of your enemies will float by.”

      This is not in Sun Tzu's "Art of War". The book is far too practical to contain that kind of fortune cookie "wisdom". Here's an actual quote, to get the idea of the content.

      "When there is dust rising in a high column, it is the sign of chariots advancing; when the dust is low, but spread over a wide area, it betokens the approach of infantry. "

      1. Allan George Dyer
        Facepalm

        Re: beam me up, Scotty?

        mea culpa, I wanted to find a source for the saying and didn't check carefully enough.

        I'm tempted to claim it comes from Sun Tzu's lesser-known work, "The Art of Fly Fishing".

  6. Anonymous Coward
    Anonymous Coward

    Data

    I don't grok the HHI metric, but the article implies that the concentration of DNS in the "big" providers means little redundancy. If someone has their primary DNS with AWS and a secondary with GoDaddy, that would be a DNS entry in the "big" providers, but would have redundancy, right?

    Or does the HHI metric also consider if DNS is only in one of the big providers?

    1. Adam 52 Silver badge

      Re: Data

      HHI is the sum of market share. So if everyone is with Dyn, Dyn will have 100% and the score will be 10,000. If Dyn has 55% and AWS has 55%, i.e. 5% dual host then the score will be 6,000 (lower monopoly).

      It's a measure of market diversity but a poor measure of reliability because it'll score everyone self-hosting as 1, even though they could still all be taken out by the same network switch failure or data centre power supply fault.

      As a redundancy score it's entirely useless, because Dyn will likely have massively more redundancy​ than a niche player or anyone self-hosting.

      You'd have expected a journalist writing a story to have pointed this out rather than cut-and-paste a précis of a paper.

      1. Claptrap314 Silver badge

        Re: Data

        The problematic underlying assumptions go even further. If a company is completely running there systems on AWS, then having their DNS solely with Route53 increases their expected downtime by how much?

        Certainly, some redundancy is likely to be useful, but I'm not going to bet strongly that if Route53 gets hacked, that access to AWS services is going to be fine if only we have redundant authoritative hosts.

        Although it is at least just plain rude for Route53 not to support functioning as a authoritative host.

  7. Nate Amsden

    Need multiple CDN too

    Assuming you use CDN .. I remember in the earlier days of amazon they used Ultra DNS only, then about 7 years ago I noticed they were using Dyn as well(still the case now, actually they have 4 Dyn DNS and only 2 UltraDNS for amazon.com). I was told amazon started using Dyn after a big outage/DDoS against UltraDNS the previous holiday season.

    I have used Dyn at organizations I work for the past 9 years or so. No real complaints. I have hosted my own personal DNS since 1996, and we do run DNS internally (with something like 100 zones), so fully capable of running DNS obviously. Though Dyn works well too.

    When Dyn came under attack the org I'm with was affected of course, all of our sites were down, add to that slack was down, and pager duty was down. Other DNS vendors came to me suggesting to use them along with Dyn, though in order to truly protect would need multiple CDN providers as well. Every DDoS attack that has impacted stuff I manage has always been collateral damage, whether it was DNS (Dyn - 1 time in 9 years), or ISP (few times over past few years). Haven't had impact from a DDoS against CDN yet. In the grand scheme of things it wasn't important enough to add or change DNS providers as a result of the Dyn attack. During the attack my senior director was in the midst of trying to get our zone transferred to another DNS provider but then Dyn came back up and he left the 2nd DNS provider hanging(never got the zone imported).

    At the end of the day adding or changing DNS providers is low on the list of priorities for making things better. The original reason current org I'm with went with Dyn was before we were using Godaddy and their TTL config wasn't good enough at the time(2011) to deal with amazon's crappy load balancers. So we switched to Dyn. This was when we had no data center resources(that changed in 2012), wasn't about to try to host external DNS on amazon VMs. Keeping dyn since has just been a low impact thing it just runs, and for once the UI doesn't change. It hasn't changed since I started using it 9 years ago(as far as I can tell), which is great. Takes some getting used to but at least they aren't constantly messing with it.

    Previous org was also hosted in amazon too and the dns provider they used had big outages(small cloud automation provider at the time they had to host DNS to integrate with the automation stuff). So changed to dyn(and manual dns updates since the automation couldn't integrate). That company got pissed off at me so after I left tried to go to Dyn to break the contract and literally told Dyn I did not have the authority to sign up for the service. Dyn pulled up the contract and showed the company it was signed by my Director(who resigned the day after I left), not me. Oh how priceless. That company was in a big cost cutting move at that time, later they died off.

    Previous to that company used F5 GTM for external DNS, which worked fine though Dyn provided lower latency and latency for that business (serving ad pixels) was really critical (way overkill IMO), so they opted to switch to Dyn. That was my first exposure to Dyn back in 2009 I think.

    UltraDNS's pricing generally was quite a bit more $$ (Dyn's billing model is/was different, not sure if UltraDNS model has changed or not). I remember an UltraDNS rep telling me once that Dyn was a solid #2 in the space -- I was happy with that assessment.

    If the DNS provider(s) had more regular outages (if I recall right Dyn's SLA is 20 seconds??) then sure would be good to have multiple providers. But as is, when there has been 1 outage noticed over the past 9 years, there isn't a lot of incentive to move when the price is reasonable. I do occasionally look at Dyn's RSS feed for their service issues, there are a lot, but nothing my monitors have been sensitive enough to be able to detect.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like