What are the Benefits of Running Your Own DNS?
baileyjs asks: "I help run a small web development firm, and we are always trying to save money, but not at the cost of service to our customers. We currently purchase DNS services from our ISP, but are looking at getting our own rack. I was going to put some DNS servers there when I saw that Network Solutions offers free DNS. All of our domains (about 150) are currently on Network Solutions, so transfer is not an issue. Why shouldn't I use Network Solutions? Why should I build my own? What reasons, besides 'Network Solutions is Evil', can I give my boss?"
I don't know how good customer service is at Network Solutions, but our ISP was taking over 24 hours to process our change requests. This was unacceptable to us. So we roll our own.
The downside is that you have to make sure these machines are secure, hence there is an overhead to it all.
I'm actually moving the other way - toward hosted DNS. This is especially important if you only have one data line - dual DNS is useless if both servers are on the same connection (just ask Microsoft - that's why they ended up outsourcing theirs a couple of years ago after a big DNS problem).
But sometimes it's great to be able to do quick changes for test/development and such so you can either delegate a sub-domain that you run internally or you can set up a test/dev domain and run your own DNS for that one.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
DYNDNS
Instant changes
One of the advantages of having your own DNS servers is that you can reload the master server whenever you make changes to your zone files. IOW, changes are pretty much instant instead of the 24-48 hours common with other providers.
:)
Of course there are other issues that will delay the propagation of your changes, but with things like adding a new subdomain there is no delay. (Always be sure to increment your serial!)
The other reason we use our own DNS is so that additions can be automatically handled through a simple server script rather than using a web form.
For a pithy 150 domains, set up TinyDNS. It takes about 20 minutes to download/compile/install. There are plenty of helpful guides to setting up the software.
If you are unsure about the format, use a zone-xfer to get them into TinyDNS format. Then your DNS is 100% under your control (easy updating!), cost effective (TinyDNS needs no maintenance), and has a light impact on the server (usually 1 second of CPU time for every few days + a few hundred kb of HD space). On top of that, you can transfer your registrations to an alternative registrar (like Joker) which would be cheaper in the long run.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Network Solutions may be evil. Network Solutions is expensive. If you decide to rely on them for DNS, then you are installing yet another obstacle stopping you from switching to a different registration service.
On the other hand, many other registration services also offer included DNS, so it's not that big of a deal.
Personally, I would probably use the "free" service that you already overpaid for. I would also switch to a less expensive company for future registrations and renewals.
I'd recommend you set up your own DNS and use network solutions as the backup DNS.
Remember that the backup DNS really shouldn't be geographically located near the primary. Even though 9/10 they are on the same network sadly.
Yes, I'm being a spelling nazi, but come on, it's the headline!
William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
I currently work for a web hosting firm where we run our own DNS, of course. It's not without its problems, for sure. But as long as you know what you're doing, or know where to go for help, it's pretty easy and worth doing.
I run my own DNS for my personal server, so that I can make changes and they are instant to me, since I configured my Winders XP box to reference my server for DNS.
There are lots of neat things you can do by running your own but personally I like it because you can run hundreds of domains off of one small box that has some decent memory in it, and it won't go down unless there is hardware failure.
So, in my opinion, if you have the resources, then there is no reason NOT to. Go for it!
Nobodies Prefect
Tidbits for Techs Technology Blog
...until it just plain becomes a huge PITA with little return.
I can't think of a reason to host your own corporate DNS. For personal DNS - i.e. you browsing the web, etc., you can control timeouts and your queries are processed much faster - but for corporate DNS, outsource it.
Be afraid of free though. Free generally means no guarantee. Of course NetSol hosts one of the root servers so I guess you'd expect their data lines to be fairly redundant.
We currently use UltraDNS (http://www.ultradns.net). They've been fantastic and have a terrific interface for making changes. Requires some knowledge but we've *never* had a DNS problem since switching two years ago.
--T
My reality check bounced.
That said, for all intensive purposes, you shouldent be making arbitrary changes like that anyway, I no for me I could care less how responsive it is as long as DNS changes propogeat within a few hour's.
You'd have more control over DNS if you managed it in house. You'd be able to decide maintenance scheduling, patching, etc. You'd also have direct control over hardware and configuration needs. If there's anything you'd want to research, it would be TCO for in house vs a DNS provider. You might also want to see if you can find statistics relating to performance, uptime, reliability, etc. of in house vs provider for DNS.
You'll need at least two boxes running in different locations. But you can have multiple DNS records pointing at the same boxes. So a surfer looks up your site, tries record 1 on box 1, then record 2 on box 2, then record 3 perhaps on box 1 again. In other words, even if box 1 and 2 are offline temporarily, perhaps the 3rd - 6th attempts will succeed. Now, say you wanted to do some network re-configuration. Having the DNS under your control allows you to set the TTL or time-to-live on the records to very small values. Try a different configuration without worries that some bozo's computer somewhere will have the wrong IP address for your new box for 24 hours till the default record expires. Say you have a redundant off-site backup of all your sites - a short TTL plus DNS under your control will allow you to almost instantly redirect all users to your backup system if needed. Many other benefits as well, plus it is better to keep these things under your control assuming you can handle the burden of setting it up.
For one, you can have as many lines and zones as you want. Which means you can have many subdomains and many subsubdomains. Hosting providers usually put a cap, and I've seen some caps are horrific (only 5 subdomains).
I am hosting 7 domains, and 2 of the domains have 20 subdomains each. A friend on a different ISP hosts my secondary and I host his. Quite honestly, with a static IP, you don't really need DNS services at all, unless you're virtualhosting, in which case self-hosting DNS is best since you send out zones once, and just leave it there. They only change when you edit the zones.
Running BIND on a static IP server and not changing anything has low overhead, and it doesn't take much skill or time. However, if you're only hosting 2 domains, not too many subdomains, usually the hosting providers offer a basic DNS service for free. Might as well use that till you hit their cap.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
We have many technically clueless clients. We provide DNS and domain registration for them at a slight markup and small monthly expense. They think they're getting a huge bargain and it takes us almost no time and resources. Our colo provider and office ISP (different companies) both provide secondary for free, so we have servers on different nets. A win for everybody.
Karma: It's not just a good idea. It's the law.
The possibilities are limitless.
Imagine having the ability to provide your customers with customized pointers to
You can point them to your own range of services, or to a clumsy-looking buck-toothed site "Doh! We're dorks!".And that doesn't even begin to enumerate the lucrative possibilities of being a window to various on-line casinos and to paypal...
"Provided by the management for your protection."
just insecure, slow, and not trustworthy.
There are some comments here about the benefits of having a DNS server in your home. It's peripheral to the main topic, but since I've seen this mentioned in some other threads, could someone elaborate on this? What are the benefits? What is the best way to implement this with minor maintenance? What experiences have y'all had with this?
Unlike what some people are saying, speed is not a reason to roll your own DNS. If you managed your own DNS then on your network you'll probably see changes instantly, but your changes are still going to take 1 day to a week to go through everyone else's caching DNS. I'd assume you want to see the same data as your customers. The main reason to choose is failover; if you can have two systems for DNS at different locations on different network connections then you *can* do it yourself if you want. Otherwise, unless Network Solutions doesn't give you some feature you want (for example: unlimited sub-domains), then there is no reason not to use them.
My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
You need a secondary DNS in case your site is cut off from the net (backhoe cuts your cable), or if your ISP has routing/service problems, or if you suffer a loss of power for an extended period of time.
Loss of DNS service is more than people simply not being able to reach your site, loss of DNS service means EMail bounces (servers return EMail if they can no longer resolve your domain). Loss of DNS service means that web browsers tell your customers that you do not exist instead of simply telling them that you are down / not responding.
You want a secondary DNS that is located " elsewhere ". You want it far enough away that a single regional disaster (power outages, floods, earthquakes, etc.) does not take out both your primary DNS and your secondary DNS. You want your secondary DNS to have a distinct set of service providers to increase the chance that sites will be able to resolve your domain if the regional network is partitioned.
Run your own primary DNS. Make it a non-caching, non-forwarding, static, only answers queries for the domains it is authoritative. Then pick 1+ secondary DNS services that will slave off of your DNS master keeping in mind the points raised above.
One example of a secondary DNS Service is BackupDNS. They are inexpensive: Secondary DNS hosting your 150 domains would cost $28.50 US per month ($0.19 US per zone per month). They let you be in full control of your DNS service: Their site lets you add new zones, update (purge your zone on their servers and then force a reload) or remove zones on the fly. They will be a backup MX site if you like. They can even grok TSIG to improve the security of zone transfers. The BackupDNS folks are clueful, efficient, reliable and (unlike NetSol/Verisign) non-evil. I'm sure there are other secondary DNS Services that are both clueful and inexpensive. I mention these folks because we have had years of flawless secondary DNS service from them.
To sum it all up: Run a primary DNS to maximize the control and flexibility over your own domains. Use a clueful off-site secondary DNS service to maximize the chance that others will be able to resolve your domain.
chongo (was here)
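As an added example (not from anyone in this thread), here is what the "run your own primary, slave it off-site" advice above looks like in a BIND-style master zone file, including the serial bump, the two nameservers on distinct networks, the backup MX, and the lowered TTL on a record about to be moved. example.com, ns1.example.com, secondary-provider.example and all addresses are documentation placeholders.

```conf
; Added example zone file, not copied from the thread. All names and
; addresses are placeholders (RFC 5737 documentation ranges).
$ORIGIN example.com.
$TTL 86400                       ; default TTL: 1 day is fine for stable records

@   IN SOA ns1.example.com. hostmaster.example.com. (
        2003112301  ; serial, YYYYMMDDnn: bump it on EVERY edit, or the
                    ; secondaries never notice the zone changed
        3600        ; refresh: how often secondaries poll the serial
        900         ; retry: poll interval after a failed refresh
        2419200     ; expire: secondaries keep serving the zone for 4 weeks
                    ;   after the primary goes silent, which is the extra
                    ;   time an off-site secondary buys you
        3600 )      ; negative-cache TTL for NXDOMAIN answers

; Two nameservers on different networks at different providers, so a
; single cut cable, power outage or flood does not take both out.
@   IN NS  ns1.example.com.
@   IN NS  ns2.secondary-provider.example.
ns1 IN A   192.0.2.10            ; glue for the in-bailiwick nameserver

; Primary MX plus a backup MX at the secondary provider: while the rack
; is dark, other sites' mail is queued there instead of bouncing.
@   IN MX  10 mail.example.com.
@   IN MX  20 mx-backup.secondary-provider.example.
mail IN A  192.0.2.25

; Record being moved to a new box next week: TTL dropped to 5 minutes at
; least one old-TTL period (a day here) BEFORE the cutover, so no cache
; anywhere keeps the old address for more than 5 minutes once the A
; record changes. Restore the long TTL after the move settles.
www 300 IN A 192.0.2.80
```

After each edit, bump the serial, reload the primary, and confirm with a query to the secondary that its SOA serial caught up.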
Two very good public DNS services that will act as secondary for you:
They'll also act as primary, dynamic, etc. Both free, but of course they take donations! :)
Once you get the basics down, it is trivial to host your own DNS listings. The primary advantages, as far as I have been able to determine are:
1) I don't ever have to rely on someone else's DNS listing being accurate OR up
2) I can make changes and they are immediately propagated to my entire LAN
3) ability to prevent man-in-the-middle attacks
Malachi
http://www.google.com/profiles/malachid
Why even bother with DNS? You can just use IP addresses, and it doesn't cost you a thing. No hosting or anything. With google, and bookmarks, hardly anyone bothers typing URLs anyway. Those that do can get by with an IP address. IPv4 addresses aren't that much to remember anyway.
One big advantage is you can set your root servers to something other than the Verisign monopoly. For your users, then, you can transparently connect to those weird sites that don't end in .com. Not helpful if you are only hosting websites, but if you have users using your server it is important.
You should check these out too; some are free, others cost but are cheap, and they give you web interfaces to manage your own DNS:
http://www.ultradns.com/
FREE
http://www.everydns.net/
http://www.dynd
For pay
http://www.easydns.com/dnsmanage.php3
There's more to DNS than A records. Ask if NS will let you do DDNS, SRV records, or dynamic SRV.
-I like my women like I like my tea: green-
Now Register.com offers DNS with domains registered through them, and they are more reliable by far than GC's volunteer service. I still run my own (which gives me immediate reloads of new data), and use them as my failsafe.
http://alternatives.rzero.com/
I run our DNS locally in our shop. I can't imagine having it any other way. We run BIND on Suse and it is so very convenient.
Eh? I run my own. Many of my customers, even small ones, run their own. They tick over quietly, day after day, year after year. I (they) get as much control as I (they) want, instant updates, and a choice of how to specify those updates (hand edit, web form, automated etc). For vanilla-flavoured domains the zonefiles are all pretty much identical anyway.
For outgoing DNS queries, the traffic and time saving through query caching is not huge, but it is there and does help a lot when the ISP's DNSes go legs-in-the-air (which has not been a problem with ArachNet, but other local ISPs haven't been such a lucky choice).
Maintenance? Pretty much zero. Maybe once every year or two, URPMI will nudge the version number to cope with a security flaw, but that's about it.
BTW, I generally use the much-maligned BIND. Yes, it is huge and probably not necessary but it works, and does do the special tricks when you want it to.
Got time? Spend some of it coding or testing
I think my GP should have said catachrestic, which would both have been more correct and more interesting, as well as letting you know that you didn't have a clue what was being said, whereas "pedant" is used often enough that you might be under the delusion of knowing what it really means. (-: Your mis-step was blatant rather than flagrant
It was fun being your pedant du jour, have a good day. (-:
I have my own running on my OpenBSD firewall. Does DNS for my LAN and is the DNS for my website.
You control your own DNS, you can control all the sub-domains for free, manage them however and whenever you want, and I think the lag time is smaller from when you make the change and when it actually works (probably not, but you could tell your boss that... time is money, afterall.... right?)
The only problem I can see is getting someone to manage the 150+ domains. But if your current staff is capable, then I say go for it. More power to ya...
My need is smaller than yours.. just a couple personal domains for my various mail & hosting needs. But, the concept is the same.
I started out doing my own DNS. I wanted the flexibility and complete control of running it myself. After diligently updating bind versions for a long time, I missed one. A 1337 h4x0r quickly exploited my system. Luckily, he was dumb enough to reboot the box, and broadcast a message saying "you are owned". Yup, time for an OS re-install.
I tried a cheap DNS hosting service.. too unreliable. Then I switched to NetSol. It's been very reliable. I'm sure they have their servers in some core network areas, with lots of bandwidth, and all kinds of redundancy. I don't think you'll do much better than what they offer.
Face it, if you don't run your own DNS you are a dickless weenie with no tech chops. It's laughably easy after all...
To be a bull moose alpha geek you have to run your own on-site DNS with multiple views (inside/outside your physical net) local slave nodes on every production server, and an off-site backup that your alpha-geek buddy in another hemisphere runs for free.
You'll note the above assumes you are nominally male. Female geeks with their own DNS gain even more respect, and will be inundated with marriage proposals from wealthy, brilliant (but pimply) peers.
By and large, one of the simplest DNS features to use on a home or home-office level is a DNS caching server. It usually involves setting up a full-blown DNS server (Micro$soft, BIND, etc.), but you can configure it to only cache DNS entries you've requested. You'll instantly see a return on that endeavor by not having to always seek out your ISP's DNS servers (which can be down, slow, under attack, whatever) for name resolution.
Then, configure your internal DHCP or IP configurations to use your internal DNS server as primary, and your ISP's DNS servers as secondary and tertiary DNS servers. Instant ROI!!
Don't do this arbitrarily without knowing something about DNS, though, and be careful not to open any DNS ports (UDP/53) to the outside if you're only using caching.
Done. And...?
Loser's limp if ever I saw it. (-:
Another option that hasn't been fully covered in this thread is the notion of running a stealth primary.
We have a lot of users who run a primary nameserver but never list it as an authoritative nameserver in the DNS. Then they use someone (yes, like us, or anyone...) to pull secondary from them.
This way they control their zone and TTLs but if they are running their nameserver off one machine or a DSL line or something and it goes down all of their DNS servers are still operating and serving data.
It's a pretty good solution.
-davidu
# Hack the planet, it's important.
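An added example, not a config from anyone in this thread: a BIND 9 named.conf for one box that is a LAN-only caching resolver on the inside (the caching-server post above) and a stealth primary for example.com on the outside, pushing the zone to an off-site secondary over TSIG-signed transfers as chongo's post recommends. The 10.0.0.0/24 LAN, the 198.51.100.5 secondary, example.com and the key material are placeholders.

```conf
// Added example named.conf, not taken from the thread. Addresses,
// zone name and key are placeholders; generate a real key with tsig-keygen.
acl lan { 10.0.0.0/24; 127.0.0.1; };
acl secondaries { 198.51.100.5; };

// TSIG key shared with the off-site secondary: a zone transfer is only
// served when the request is signed with it, not merely when it comes
// from the right IP address.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret-from-tsig-keygen=";
};

options {
    directory "/var/named";
    listen-on { any; };
    allow-query { any; };        // the views below narrow this
    allow-transfer { none; };    // granted per zone, never globally
    version "not disclosed";
};

// Inside view: recursive cache for LAN clients only. Recursion is never
// offered to the Internet, so UDP/53 from outside only ever reaches the
// authoritative view below.
view "internal" {
    match-clients { lan; };
    recursion yes;
    allow-recursion { lan; };
    zone "example.com" {
        type master;
        file "master/example.com.internal";   // private addresses for staff
    };
};

// Outside view: authoritative-only, non-recursive, non-forwarding. This
// host is deliberately NOT in the zone's NS records (stealth primary):
// the public NS set is the secondaries, so if this box or its DSL line
// dies the domain keeps resolving until the zone's expire timer runs out.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.com" {
        type master;
        file "master/example.com";
        notify explicit;                      // NOTIFY only the hosts below
        also-notify { 198.51.100.5; };        // so secondaries reload promptly
        allow-transfer { key "xfer-key"; };   // AXFR/IXFR require TSIG
    };
};
```

Check it with named-checkconf before reloading, and confirm from outside the LAN that a recursive query is refused while a query for example.com is answered authoritatively.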
A lot of people are mentioning DYNDNS and other free DNS servers (no-ip.com is my favorite). Most if not all of these use the berkeley DNS servers, which is free and updates instantly. But because these servers are so available and widely used, perhaps a few other reasons, they are prone to DDoS attacks. I've used these for years, and I've only noticed a few times when the service wasn't working. But on a corporate scale, it's probably better to get the guarantee from a host that costs money.
I use a site called EveryDNS [http://www.everydns.net/] and have found them to be very good. They allow all manner of changes to records plus have 4 DNS servers not all in the same area. Read as failover. David and David have spent some time putting together a good usable system. You can even have Dynamic DNS services.
There are others like Zoneedit but EveryDNS is free or donation based. I've not had a single problem with any of the domains I have with them.
Secondary, off-site DNS doesn't gain you much if the real services (HTTP, SMTP, etc) aren't redundant as well. Read the section called "Erroneous arguments for third-party DNS service" in DJB's Costs and benefits of third-party DNS service.
They only "update instantly" because services like dyndns set them to something low. That's not the default behavior.
Take EMail for example. If a MUA thinks your domain does not exist (because no NS exists can resolve it) then your EMail message will likely bounce. Try this experiment:
Now if some NS had an MX for that host (or parent domain), then your EMail will be queued.
What do you gain by off-site DNS? At a minimum, you gain extra time between when you go offline and when queued EMail times out (often 3-5 days). And if you have a backup MX that is willing to hold your EMail even longer (until the records at the secondary NS expire), you gain even more time before queued EMail times out.
Advantages for HTTP exist as well. Assuming that www.asld34.53kfjasldfksdafsd.com does not resolve, the link for ww.asld34.53kfjasldfksdafsd.com will show Unknown host instead of timing out. The former suggests you are dead and gone, the latter that you exist but are not responding (/.-ed? :-)).
Try not to think that everything DJB says is the truth. He has some good ideas, your job is to find the nuggets in between the flaws. That 'Costs and benefits of third-party DNS service' document is flawed.
Usually, MUAs just pass mail off to the ISP's MTA. Did you mean to say MTA? I have not tested the behavior of MTAs in the event of various types of network failures and I took DJB's word that failure to lookup a name is usually no worse than failure to connect. Different MTAs may behave very differently.
Interestingly, I did just receive an immediate bounce from my ISP's (Alltel) MTA because it claimed not to be able to find an MX, so perhaps DJB is mistaken about this particular issue. I will try to discover what MTA they're running.
I'm not sure if it's worse to get an "unknown host" message from a browser or to watch it try to connect for a minute or two. At least a failed name lookup is quick. Failure of either DNS or HTTP is extremely undesirable, since both prevent the client from getting any useful information.
> Usually, MUAs just pass mail off to the ISP's MTA. Did you mean to say MTA?
Yes, my bad!