DNS Services for a registrar

We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?

We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.

Cheers
Ryan

> We need to provide DNS services for domains we offer as a registrar. We were discussing internally the different options for the deployment. Does anyone see a down side to using IaaS on AWS and Azure?

My big concern would be the current lack of v6 support on AWS for such a deployment. I suspect it’s coming soon as they just announced IPv6 support on S3 yesterday.

How many zones do you expect to scale to? I’ve been running a free secondary DNS service for many years on BIND, but moving to something else makes a lot of sense these days.

Do you have a lot of DNS server experience in-house? There’s a lot of little things that come up along the way. You really should consider being subscribed to the dns-operations list and asking there as well.

> We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.

I like having good control over my own fate, so would prefer running my own service, but plenty of people use hosted DNS at their providers, and there are plenty of folks who can sell you a service, from Dyn to Neustar, with their own cost models.

I would either provide a completely opaque service offering where you retain control of the NS records, so you can easily move/renumber as you scale up, or consider a solution which can be expanded globally as needed over time.

I’m able to host ~10k zones in my free secondary service without issues, but to “take the next step” requires decoupling 20 years of history I’m dragging around.

- Jared

Someone registered the domain “corp.gr” and now sells subdomains similar to .com.gr, .co.uk, etc. They use a “clever” way to make sure they will have 100% uptime at virtually no cost:

$ dig NS corp.gr
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> NS corp.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47495
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;corp.gr. IN NS

;; ANSWER SECTION:
corp.gr. 21599 IN NS puck.nether.net.
corp.gr. 21599 IN NS ns4.dnsunlimited.com.
corp.gr. 21599 IN NS i.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.zerigo.net.
corp.gr. 21599 IN NS f.ns.zerigo.net.
corp.gr. 21599 IN NS b.nskey.com.
corp.gr. 21599 IN NS g.ns.buddyns.com.
corp.gr. 21599 IN NS ns4.he.net.
corp.gr. 21599 IN NS ns5.dnsunlimited.com.
corp.gr. 21599 IN NS f.ns.buddyns.com.
corp.gr. 21599 IN NS h.ns.buddyns.com.
corp.gr. 21599 IN NS d.ns.buddyns.com.
corp.gr. 21599 IN NS ns2.he.net.
corp.gr. 21599 IN NS ns2.afraid.org.
corp.gr. 21599 IN NS a.nskey.com.
corp.gr. 21599 IN NS b.ns.zerigo.net.
corp.gr. 21599 IN NS b.ns.buddyns.com.
corp.gr. 21599 IN NS e.ns.buddyns.com.
corp.gr. 21599 IN NS ns1.dnsunlimited.com.
corp.gr. 21599 IN NS c.ns.zerigo.net.
corp.gr. 21599 IN NS c.ns.buddyns.com.
corp.gr. 21599 IN NS ns3.dnsunlimited.com.
corp.gr. 21599 IN NS a.ns.zerigo.net.
corp.gr. 21599 IN NS ns5.he.net.
corp.gr. 21599 IN NS ns2.dnsunlimited.com.
corp.gr. 21599 IN NS ns1.twisted4life.com.
corp.gr. 21599 IN NS e.ns.zerigo.net.
corp.gr. 21599 IN NS ns3.he.net.

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 12 14:42:58 2016
;; MSG SIZE rcvd: 577

Of course, I don’t recommend you do this. On a serious note, as mentioned previously, AWS lacks IPv6 currently. A custom solution would provide more control but it may have some challenges. In addition to that, you’d probably need some form of network redundancy, but you’re most likely not going to reach the availability of AWS’ anycasted network easily. I’d recommend looking at some other providers as well, some of which may be in the list of name servers above.

Just my 2c

And regardless of what / who you choose make sure that they are
running RFC compliant servers. There are a lot of DNS providers
that feel they don't need to use RFC compliant servers which makes
problems for all the resolver vendors out there. It also makes it
hard to deploy new features that depend on servers actually behaving
as specified in the RFCs.

Most of the problems I see would take 10 minutes for a developer
to fix if they are not already fixed and just require a more recent
version to be installed.

For a list of some of the things you should be checking for see
https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-03

You can also run the EDNS compliance checker at https://ednscomp.isc.org

Mark
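As an added illustration of the kind of checks Mark refers to (this is not Mark's code, nor ISC's ednscomp; it is a stdlib-only probe written for this page, modelled on the RFC 6891 behaviours those tools test), the block below builds plain, EDNS0 and EDNS-version-1 queries, parses the reply's OPT record and extended RCODE, and classifies the result. The verdict labels ("noopt", "formerr-no-edns", "unexpected-…") are this example's own names, not ednscomp's output, and the replies in `fake_reply` are constructed here rather than captured from any real server. `probe()` sends a real UDP query if you give it a server; everything else runs offline.

```python
"""Minimal EDNS conformance probe (added example, not ISC's ednscomp).
Stdlib only; sample replies are constructed, not captured from any server."""
import socket
import struct

TYPE_NS, TYPE_OPT, CLASS_IN = 2, 41, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, qtype=TYPE_NS, edns_version=None, payload=4096):
    """DNS query; when edns_version is set an OPT RR (RFC 6891) is appended."""
    arcount = 0 if edns_version is None else 1
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # flags: RD only
    pkt += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_version is not None:
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), empty RDATA
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, edns_version << 16, 0)
    return pkt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes end the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_reply(data):
    """Return (12-bit extended RCODE, OPT fields or None) from a DNS response."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4     # QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            opt = {"payload": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
    rcode = flags & 0x0F
    if opt is not None:
        rcode |= opt["ext_rcode"] << 4     # upper 8 bits of the RCODE live in the OPT TTL
    return rcode, opt


def classify(edns_version, reply):
    """Verdict for one probe; labels are this example's own, not ednscomp's."""
    if reply is None:
        return "timeout"                   # the failure draft-ietf-dnsop-no-response-issue is about
    rcode, opt = parse_reply(reply)
    name = RCODE_NAMES.get(rcode, str(rcode))
    if edns_version is None:
        return "ok" if rcode == 0 else name
    if edns_version == 0:
        if opt is not None and rcode == 0:
            return "ok"
        if opt is None and rcode == 1:
            return "formerr-no-edns"       # RFC 6891 s7: what a non-EDNS server must do
        return "noopt" if opt is None else name
    # Unknown EDNS version: RFC 6891 s6.1.3 requires BADVERS plus an OPT with the server's version
    if rcode == 16 and opt is not None and opt["version"] == 0:
        return "ok"
    return "unexpected-" + name


def probe(server, name, edns_version=None, timeout=3.0):
    """Send one probe over UDP to a real server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_version=edns_version), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(edns_version, reply)


def fake_reply(qid, rcode, opt_version=None, ext_rcode=0):
    """Constructed server reply (question only, no answer RRs) for offline use."""
    arcount = 0 if opt_version is None else 1
    pkt = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, arcount)   # QR, RD, RA
    pkt += encode_name("example.gr") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    if opt_version is not None:
        ttl = (ext_rcode << 24) | (opt_version << 16)
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return pkt


if __name__ == "__main__":
    for ver in (None, 0, 1):               # plain, EDNS0, EDNS version 1
        print(ver, classify(ver, fake_reply(1, 0, opt_version=0, ext_rcode=1 if ver else 0)))
```

Run the three probes (plain, EDNS0, EDNS version 1) against each of a provider's authoritative servers, over TCP as well if you extend it, and treat "timeout" as the finding that matters most: a server that silently drops OPT queries it does not understand forces every resolver to fall back and retry, which is exactly the behaviour the draft and ednscomp exist to flag.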

I highly recommend DNS Made Easy. Super fast, extremely reliable (100%
uptime in the last 10-12 years excluding an 8 hour period 4-5 years ago where
they got DDoSed, no issues since), very affordable.

#2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07

Has been #1 several months this year.

Beckman

Peter,

That test is meaningless as it is from only a few locations, which seem to
overlap with those who scored well.

I would suggest using that as a base to compare speed.

Mehmet

From the speed comparison report: "Averaged across all name servers"

That's a silly, synthetic, and non-representative test. It encourages
cohosting all your NS at all your sites to game the performance numbers,
hurting availability.
I'd expect to see a decent amount of latency variance across the NS in a
given delegation because I want them to get anycasted to different
transit/physical locations, and I would also expect that not to translate
into notable user-perceived latency due to resolvers' server selection
logic.

-eli

Also a big fan of DNS Made easy, but I wish they’d add DNSSEC already.

I’m happy with AWS - one thing to consider is model out the network costs. That seems to get some people, who just expect the bill for instances at end of month. If you’re worried about availability due to an availability zone going down, ensure you have the service replicated across multiple AZs or regions and

It might be worth a few minutes pondering just using Amazon’s Route53 instead of running the DNS server yourself. I haven’t looked at how the cost compares.

> Does anyone see a down side to using IaaS on AWS and Azure [for DNS]?

Latency is critical for DNS. Literally everything else an application
does stalls behind completion of the DNS lookups.

Everything else being equal, virtualized infrastructure will always
exhibit higher latency than bare metal. Always.

> We were also kicking around the idea of a PaaS offering and using Azure DNS or AWS Route 53.

I don't know their implementations well. I would hope they run the
underlying DNS servers on bare metal rather than leveraging their VM
infrastructure. I would worry that they offer all sorts of extra
features which are -single source-. If you pick Route 53 and your
customers get used to those features you may find yourself locked in
at Amazon's mercy.

Regards,
Bill Herrin

Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.

You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.

You might also consider running dedicated servers in each of AWS and Azure to avoid a single-provider failure.

> Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.
>
> You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.

I’d also recommend multiple providers as well if you’re getting dedicated servers so you can avoid non-technical provider-based issues.

> Route53 can get expensive for lots of domains. Queries are cheap with the first 1M free, but if you have 1000 domains you’ll pay $500/month.

If you had 1000 domains, you'd pay $110/month, not $500. The first 25 domains at $0.50/month each, after that it's $0.10. And that's based on the publicly available pricing -- they have special pricing if you're hosting >500 domains.

Including queries, if each hosted domain had a million queries a month, your total bill would be $310.

That's probably a high estimate because it doesn't account for the >500 domain special pricing and your average registrar-hosted domain doesn't get anywhere near 1M queries a month. Your actual bill would probably be significantly less.

> You can build dedicated servers in multiple AZs and data centers able to handle that many domains for far less.

If you were to use c4.large instances, it would cost just under $400/month to have 6 instances spread across 2 regions with 3 AZs each, after instances, load balancers and bandwidth. That's assuming you do the discounted 1-year, no-upfront-fee term on the instances.

And you're still not as redundant or fast as Route 53, which is anycast from way more than 6 places.

The math gets a little trickier when we start looking at labour costs for both initial development of your platform and ongoing maintenance, but from strictly an infrastructure cost perspective, I don't think the claim that it would cost "far less" to run your own infrastructure is necessarily true for a registrar-doing-hosting scenario.

Much better math than mine. I pulled from memory and didn’t know the discount @ 25. I’m only running a half-dozen domains in Route53 and the rest are hosted internally.

You could probably use less than a c4.large too.

Hi,

I have been very happy with route53 while lack of IPv6 support was not an
issue for the use case.

Did you evaluate CloudFlare in PaaS solution ?
Their free plan includes DNS.

Best regards,

Hi,

If you are going the IaaS route, definitely checkout KnotDNS project.
According to their benchmarks [1], it does much better than other DNS servers in about every workload.

Best Regards,
Filip

[1] https://www.knot-dns.cz/benchmark/

If there are other metrics in which to measure DNS speed, availability and
redundancy, I'd love to see them. I have but my own datapoint and the
metrics from others. Tear down the testing model, but at least show a
different/better one in return.

> Route53 can get expensive for lots of domains. Queries are cheap with the
> first 1M free, but if you have 1000 domains you’ll pay $500/month.
>
> You can build dedicated servers in multiple AZs and data centers able to
> handle that many domains for far less.
>
> You might also consider running dedicated servers in each of AWS and
> Azure to avoid a single-provider failure.

Having worked for AWS, there is no "global" control plane that would bring
two regions down at the same time. While possible, due to say a targeted
successful attack on both regions simultaneously, it is highly unlikely. Control
and data plane software updates and deployments are done regionally, and
often on an Availability Zone basis where applicable, to ensure there are
no defects. Automation measures, and will automatically roll back, code that
breaks deployment metrics.

It's pretty sweet. Their internal tools team does amazing things with
automation.

Route53 is $0.50 per month per "zone" (domain) for the FIRST 25, then $0.10
per month per zone after that. 1000 domains would be $110 a month, not
$500. 500 million queries at $0.40 per million, another $200/month.

Who knows if you need that much, but it is pretty affordable.

Beckman

I won't push further than this -- but it seems a bit silly not to
mention that CloudFlare provides free anycast DNS. You can elect not
to even use any of our caching if you just want to use us for DNS.

J

Even for registrars?

Because OP's question was
> We need to provide DNS services for domains we offer as a registrar.

Best Regards,
Filip

Right -- we could do it, though it would be a first for us.

Never say “never”. ;-)

Notice I did not say “you must” or “you should”. It is something to consider based on how many 9s are important to your business. The job of many of us is to think of those things that are highly unlikely, assign a risk and make a plan (or not) accordingly. The likely ones are written down and “anyone” can follow them.

In this case I’d say the risk is higher that someone puts the wrong info into a DNS change and if they are in different services and not automatically replicated, you could be better off. Again, what are the risks to your business?