DNS and Registrar

Grant Taylor cctalk at gtaylor.tnetconsulting.net
Thu Jun 27 14:19:13 CDT 2019


On 6/27/19 12:53 PM, jim stephens wrote:
> They don't have to be combined.

Agreed.

I've been running DNS servers for about 20 years.  I /always/ prefer to 
run my own DNS servers if I can.

I have never run across a situation where I was unable to do so for 
/technical/ reasons.  I have had clients that /chose/ to /not/ host 
their own DNS for a /business/ reason.

> I have a friend running his and my DNS on a server at his house with two 
> DSL feeds for good measure, one is primary DNS for our domains, second 
> one is published as the secondary.

*nod*

I'd worry about DSL circuits and stability for DNS.  But it will 
probably work > 98% of the time.  If you're comfortable with it, more 
power to you.

I would likely do something more like I'm doing now, run the master name 
server (MNAME field in the SOA record) on the DSL and have somebody else 
with a more robust connection (DSL had issues where I'm from) do a slave 
zone transfer and be the listed Name Servers (NS records) that the world 
talks to.

I actually do that now with my VPS being the MNAME server and my VPS 
provider doing slave zone transfers off of me.

Note how the registrar is not part of that mix.  ;-)

> The biggest thing to watch for is the lax rules for transferring 
> domains.  There was a problem with that, but most registrars allow locks 
> now that impede the movement of domains w/o a bit of work.

That sounds like you're talking about moving domains between registrars, 
which is decidedly different than and independent of where DNS is hosted.

Admittedly the registrar has to point (delegate) to the DNS hosting 
provider.  But it's fairly easy to move domains between registrars 
without even logging into a portal at the DNS host.

> Used to take a couple of emails to hijack a domain, as there wasn't 
> even a notification to verify that the transfer process email was 
> requested by the owner.

Ya.  Registrars have had some deficiencies over the years.  I think they 
are getting better.

> You are strongly encouraged to use a third party "professional" DNS 
> service, but it only really needs to be up reliably.

~whistling~ … ~quiet~ … I'm sorry, did you say something?  No.  Never 
mind.  I'll go back to what I was doing.  …  ~whistling~

I mean that as a joke.  I let a LOT of what companies that are trying to 
sell to me go in one ear, sanity check it, and then go out the other ear.

I'm of the opinion that a static IP is the biggest requirement for 
/most/ DNS service.  I.e. somewhere to have the registrar delegate the 
DNS to.

Beyond that, I'm happy to delegate sub-domains to people on dynamic IPs 
if they want them.

It's possible to put DNS a LOT of places that don't qualify as "Best 
Practice".  Most of them will work most of the time.

> We have the dual providers for the node my friend runs, as we know from 
> the phone companies and providers that though the DNS is over the same 
> 12 pair wire into his house (another trick), the CO actually has the 
> DNS switches on different racks and UPS's.  Which isn't a bad precaution.

That's probably okay for most things.  But it's still subject to Backhoe 
Bob and the fade that he can induce.

That's why I have my master that I can do anything and everything I want 
to, and outsource to slave secondaries.  Linode, my VPS provider, has 
five different DNS servers that (I believe) are geographically diverse. 
It will be quite a bit harder to take out all five of their DNS servers. 
Plus, I don't have to pay for connectivity in five different 
locations.  ;-)

I'm curious, you said DSL.  But that could be anything from 1.5 Mbps 
ADSL to SDSL to VDSL.  Each of which has different capabilities and 
SLAs.  Other than the backhoe fade taking out both connections at the 
same time, higher quality DSL with SLAs is probably okay to do.

I think the official recommendation for big (think root level) DNS 
servers is to have each server in a different network, where network is 
defined as /24 (or larger), preferably under different ASNs.

But that's not a /requirement/, especially for smaller DNS operators.

> thanks

You're welcome.



-- 
Grant. . . .
unix || die
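As an added example (not code from either participant), a small check for the layout Grant describes: the SOA MNAME host kept off the published NS set, and the NS hosts spread across different /24 networks and ASNs. All host names, addresses and ASNs are constructed sample data.

```python
"""Checks the delegation layout discussed above: a master named in the SOA
MNAME that is NOT one of the published NS hosts (a hidden master), and NS
hosts spread across different /24 networks and, where known, different ASNs.
Every host name, address and ASN here is constructed sample data
(RFC 5737 documentation prefixes, RFC 6996 private ASNs)."""
import ipaddress
from collections import defaultdict


def check_delegation(mname, ns_hosts, prefix=24):
    """ns_hosts maps NS host name -> (IPv4 address, ASN or None).
    Returns findings; 'ok' is True only when no issue was found."""
    by_net = defaultdict(list)   # /prefix network -> NS hosts inside it
    by_asn = defaultdict(list)   # ASN -> NS hosts announced from it
    for host, (ip, asn) in ns_hosts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].append(host)
        if asn is not None:
            by_asn[asn].append(host)
    # Groups of NS hosts that share a network or ASN would fail together.
    shared_nets = {str(n): h for n, h in by_net.items() if len(h) > 1}
    shared_asns = {a: h for a, h in by_asn.items() if len(h) > 1}
    hidden_master = mname not in ns_hosts
    return {
        "hidden_master": hidden_master,
        "shared_networks": shared_nets,
        "shared_asns": shared_asns,
        "ok": hidden_master and not shared_nets and not shared_asns,
    }


# Layout from the post: master on the home link, provider's servers as NS.
HIDDEN_MASTER_LAYOUT = ("ns0.home.example", {
    "ns1.provider.example": ("192.0.2.53", 64512),
    "ns2.provider.example": ("198.51.100.53", 64513),
    "ns3.provider.example": ("203.0.113.53", 64514),
})

# Two servers behind one DSL provider: same /24, same ASN, master exposed.
SAME_HOUSE_LAYOUT = ("ns1.home.example", {
    "ns1.home.example": ("192.0.2.10", 64512),
    "ns2.home.example": ("192.0.2.11", 64512),
})

if __name__ == "__main__":
    for label, (mname, hosts) in (("hidden master", HIDDEN_MASTER_LAYOUT),
                                  ("same house", SAME_HOUSE_LAYOUT)):
        print(label, check_delegation(mname, hosts))
```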

