Posted by Ben Ball on September 15, 2022

How to mitigate the risks of DIY authoritative DNS

If you’re using DIY or BIND authoritative DNS without a redundant backup layer, the risks can be significant. Here’s how to operate those DIY systems with confidence by adding a dedicated, secondary system as a backup.

Most network admins would rather outsource management of authoritative DNS infrastructure to a third party like NS1 - it’s just easier, and the feature set is more robust. Yet there’s a sizable community of network operators who prefer to dig in and build something themselves. We’re always surprised to find who these companies are - sometimes it’s the largest, most complex enterprises out there.

These do-it-yourself (DIY) authoritative DNS architectures can be cobbled together from a lot of different tools. BIND is most often used as an open source tool for managing internal DNS, but some people extend it out into external authoritative DNS as well. Others build on top of Microsoft DNS infrastructures with home-grown scripts and other tools.

Control is the main reason you’d go with a DIY system for authoritative DNS. Or maybe you’ve got a funky, abnormal network setup that would naturally require a lot of customization even if a third party were to deliver your authoritative DNS.

Challenges of DIY authoritative DNS

While everyone has their reasons for adopting a DIY system for authoritative DNS, there are some distinct disadvantages to consider:

DIY systems are brittle: If you’ve got an authoritative DNS infrastructure built on BIND or Microsoft, you’ve probably pieced together a Rube Goldberg machine of scripts to make it work. Over time, the complexity of those scripts can become difficult to maintain as you account for new functionality and operating requirements. One false move - one single coding error - could easily bring down your entire authoritative DNS infrastructure and take your customer-facing sites offline.

It’s a lot of work to build and maintain: It takes time to get up to speed on the underlying tools like BIND. Then you actually have to create and deploy the system. Then you have to maintain it, which isn’t a small task - particularly when you’re dealing with such a mission-critical system.

The hit-by-a-bus problem: DIY architectures only work for as long as the person who built them stays with the company. If that person leaves the company for whatever reason, their institutional knowledge about how DIY architectures were built leaves with them. Some companies get to the point where they’re afraid to change anything because it could very easily result in a downtime incident that’s difficult to recover from.

No automation support: DIY architectures usually aren’t built to support standard automation platforms like Ansible or Terraform, so it’s near-impossible to orchestrate them with a third-party tool. If you’ve got a DIY authoritative DNS, you’re probably stuck with manual changes.

All these factors usually result in more time, energy, and resources devoted to authoritative DNS management than most network teams are willing to spend. DIY systems are often perceived as “free”, but they can actually end up costing you quite a bit. If those maintenance and management issues cascade into an outage, then the business impact is even more profound.

Backing up DIY systems

Using DIY systems for authoritative DNS without any sort of resilient, redundant backup is asking for trouble. Finding the source of an error - particularly when you’ve got a maze of overlapping, interdependent scripts - can be a nightmare. It can take several days to locate the source of an issue and get your site back online. Most operations teams simply don’t have that kind of leeway, particularly for e-commerce and SaaS sites that have a direct impact on revenue generation.

None of this means that you have to abandon your DIY systems completely. It just means that you should have a plan B if (or really, when) things go wrong. Ideally, you’d have a redundant solution in place that can pick up the slack without any impact to site performance. What should that redundant system contain? We thought you’d never ask.

Separate infrastructure: Any redundant authoritative DNS system should be completely separate from your existing infrastructure so you can afford to spin things down on the main system while you hunt for the source of technical errors.

Real-time performance data: Metrics are also important for a DIY backup, to ensure that everything fails over correctly and traffic isn’t interrupted. This is particularly valuable in the case of a DDoS attack, to identify the source of the issue and rule out any architectural cause.

Health checks: How do you know if a site is performing as you want it to perform? Does the site need to fail over to a redundant architecture because performance is degraded in some way? Health checks and alerts are needed to ensure that service outages can be spotted and dealt with quickly.
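The kind of check the paragraph above calls for, written out as an added example (this is not NS1 code or anything from the post, just an illustration of what a team running a DIY primary plus a separate secondary can script with the Python standard library): it builds a non-recursive SOA query, parses the answer, confirms each server is answering authoritatively, and compares the two serials with RFC 1982 wrap-around-safe arithmetic so you can alert when the secondary falls behind or a server stops answering. The zone name and nameserver addresses are command-line placeholders; the `build_soa_response` helper constructs sample replies so the logic can be exercised offline.

```python
"""Authoritative DNS health check (added example, standard library only).

Builds an SOA query, parses the answer, and compares the serials served by a
primary and a secondary using RFC 1982 serial-number arithmetic, so a team
running a DIY primary with a separate secondary can alert when the two drift
apart or when a server stops answering authoritatively.
"""
import socket
import struct

SOA, IN = 6, 1


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone, txid):
    """Non-recursive SOA query: flags are all zero (RD clear) because we want
    the server's own authoritative answer, not a cached one."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_soa(msg, txid):
    """Return {'serial', 'aa', 'rcode'}; serial is None if no SOA answer."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch (unexpected or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    result = {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "serial": None}
    off = 12
    for _ in range(qd):                # skip question section
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == SOA and result["serial"] is None:
            p = skip_name(msg, off)     # MNAME
            p = skip_name(msg, p)       # RNAME
            result["serial"] = struct.unpack_from("!I", msg, p)[0]
        off += rdlen
    return result


def serial_lt(a, b):
    """RFC 1982: is 32-bit serial a older than b (wrap-around safe)?"""
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)


def compare(primary, secondary):
    """Classify a primary/secondary pair of parse_soa() results."""
    for role, r in (("primary", primary), ("secondary", secondary)):
        if r["rcode"] != 0 or r["serial"] is None:
            return f"{role}_error"
        if not r["aa"]:
            return f"{role}_not_authoritative"
    if primary["serial"] == secondary["serial"]:
        return "in_sync"
    if serial_lt(secondary["serial"], primary["serial"]):
        return "secondary_behind"
    return "secondary_ahead"            # should never happen; investigate


def build_soa_response(txid, zone, serial, aa=True, rcode=0):
    """Construct a minimal SOA answer; used here to build offline test data."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA, IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 300))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SOA, IN, 300, len(rdata)) + rdata
    return header + question + answer


def query_soa(server, zone, txid, timeout=2.0):
    """Send the SOA query over UDP and parse the reply (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_soa(data, txid)


if __name__ == "__main__":
    import secrets
    import sys
    # usage: python dns_check.py ZONE PRIMARY_IP SECONDARY_IP  (placeholders)
    zone, primary_ip, secondary_ip = sys.argv[1:4]
    tid = secrets.randbelow(65536)
    print(compare(query_soa(primary_ip, zone, tid), query_soa(secondary_ip, zone, tid)))
```

Run it from a monitoring host on a schedule and page on anything other than `in_sync`: `secondary_behind` means zone transfers have stalled, `*_not_authoritative` means a server is answering from cache or has dropped the zone, and `secondary_ahead` means the serials are being managed in two places, which is exactly the kind of script drift the post warns about.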

NS1 as your DIY backup

Nobody should operate their authoritative DNS without a safety net. It’s just too important, particularly if your website is the primary generator of revenue. That’s why NS1 was the first company to offer a physically and logically separate system for redundant authoritative DNS. We started offering Dedicated DNS as an add-on to our flagship Managed DNS service, and now we offer it to customers who just want to add a separated, redundant layer to their existing architecture.

Separate infrastructure: NS1’s Dedicated DNS uses the same robust architecture as our flagship Managed DNS service, but it’s set up on separate infrastructure that’s unique to a single company. It’s the ultimate in downtime protection.

Compatible with any primary: Our Dedicated DNS service is available as a backup or secondary system to any kind of primary architecture. That makes it perfect for BIND-compatible authoritative nameservers and DIY architectures. You can easily slide in a Dedicated DNS service as a secondary to a DIY setup. It’ll be spun up and ready to go at a moment’s notice in case disaster strikes.

Real-time performance data: NS1’s innovative DNS Insights feature can collect critical data from any Dedicated DNS setup. When you’re experiencing an outage in your primary system, this data can help to quickly pinpoint the source of external issues (like DDoS attacks) that may have brought your system down. It can help you get back to the primary system as soon as possible.

Health checks: DNS can tell you a lot about how your applications, services, and websites are performing. NS1 automatically delivers alerts to tell you when site performance is degraded or not returning results at all. NS1 also uses health check data to trigger and route failover logic so you can avoid downtime. This kind of automation simply isn’t available in DIY systems.

Easy migrations: NS1 makes it simple to tack on Dedicated DNS as a secondary to any system. Importing zones and records into that secondary system with files from BIND and other architectures is easy to do in the NS1 user interface.

Critical infrastructure needs a redundant layer

External authoritative DNS is the most critical infrastructure on your network. It’s so critical that it deserves the highest level of protection and assurance. DIY authoritative DNS offers administrators a lot of control…until the complexity of those overlapping scripts and tools becomes too much to support.

Even the most sophisticated, reliable authoritative DNS systems have a hiccup now and then. NS1 Dedicated DNS provides the peace of mind you need to keep the lights on even when all your dashboards are flashing red.

Learn more about NS1 Dedicated DNS.