Preamble
Best practices in any field change over time – especially in technology. Older best practices like “at least two servers not in the same class C” were intended for unicast DNS, which has since largely been overtaken by anycast DNS. As such, here is our distilled knowledge of how to create a high-performing, resilient and secure DNS infrastructure that is authoritative for your domain. Note that this is fundamentally different from operating a public (or LAN) resolver that does recursive lookups for domains you know nothing about. In an authoritative DNS infrastructure, you provide the source of truth.
Best Practice 1: Use a hidden primary
A hidden primary is a name server that is not advertised and does not appear in any NS records. In other words, it is not known publicly on the Internet and does not answer any queries. The hidden primary’s purpose is to provide zone transfers to a set of secondary name servers that are known publicly and answer queries. “Primary” simply means that zone changes are loaded here first. In the context of authoritative DNS, both “primary” and “secondary” DNS servers can be authoritative.
FAULT TOLERANCE
The hidden primary can be under maintenance without impacting the resolution of your domain (although updating the domain records will not be possible during the downtime).
SECURITY
The IP address of the name server is not published, so it is less likely to be hacked – especially if you only allow AXFR/IXFR from known-good secondaries.
EASY ADMINISTRATION
Reloads and restarts of the hidden primary do not impact resolution of your domain, even for a fraction of a second.
Best Practice 2: Disable recursion and use TSIG
Disable recursion on your hidden primary and on your authoritative external nameservers. Honestly, this should go without saying, but we’ll say it anyway. Turning off recursion reduces the exposure to denial of service attacks and cache poisoning, and helps improve performance. Keep the authoritative and recursive servers separate – they do different things!
USE TSIG TO SECURE NAMESERVER TO NAMESERVER COMMUNICATIONS
Communication between the hidden primary and the secondary nameservers should be cryptographically authenticated using Transaction Signatures (TSIG). TSIG is much more secure than source IP address filtering, since the source address of a UDP packet is easily spoofed.
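To make concrete why a TSIG-signed transfer request cannot be forged the way a source address can, here is an added example (not from the original article) that signs and verifies a request per RFC 8945 with hmac-sha256, using only the Python standard library. The key name xfer-key.example.test., the shared secret, the zone and the message ID are constructed placeholders; a receiving server would look the key up by the name carried in the TSIG record.

```python
# Added example, not from the article: minimal TSIG (RFC 8945) request signing and
# verification with hmac-sha256, standard library only. Names, secret and IDs are constructed.
import hmac, hashlib, struct
TSIG_TYPE, CLASS_ANY, AXFR = 250, 255, 252

def wire_name(name):  # canonical (lowercase, uncompressed) wire form of a DNS name
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"

def skip_name(buf, pos):  # offset just past the name at pos; a compression pointer is two bytes
    while buf[pos] and not buf[pos] & 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 else 1)

def build_query(qname, qtype, msg_id):  # unsigned query: header plus one question, e.g. AXFR
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)

def digest_input(unsigned, key_wire, alg_wire, time_fudge, error=0, other=b""):  # message, then TSIG variables
    return (unsigned + key_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire + time_fudge
            + struct.pack("!HH", error, len(other)) + other)

def sign(unsigned, key_name, secret, time_signed, fudge=300, alg="hmac-sha256"):
    """Sender side: append a TSIG RR carrying the MAC and original ID, and bump ARCOUNT."""
    key_wire, alg_wire = wire_name(key_name), wire_name(alg)
    time_fudge = time_signed.to_bytes(6, "big") + struct.pack("!H", fudge)
    mac = hmac.new(secret, digest_input(unsigned, key_wire, alg_wire, time_fudge), hashlib.sha256).digest()
    rdata = alg_wire + time_fudge + struct.pack("!H", len(mac)) + mac + unsigned[:2] + struct.pack("!HH", 0, 0)
    rr = key_wire + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return unsigned[:10] + struct.pack("!H", struct.unpack("!H", unsigned[10:12])[0] + 1) + unsigned[12:] + rr

def verify(signed, secret, now):
    """Receiver side: recompute the MAC, then check the time window; the TSIG RR must be the only record after the question."""
    pos, (qd, _, _, ar) = 12, struct.unpack("!HHHH", signed[4:12])
    for _ in range(qd):
        pos = skip_name(signed, pos) + 4
    if ar != 1 or struct.unpack("!H", signed[(key_end := skip_name(signed, pos)):key_end + 2])[0] != TSIG_TYPE:
        return False, "FORMERR"  # nothing to verify: no trailing TSIG RR
    alg_end = skip_name(signed, key_end + 10)
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    p = alg_end + 10 + mac_size
    error, other_len = struct.unpack("!HH", signed[p + 2:p + 6])
    unsigned = signed[p:p + 2] + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:pos]  # original ID, ARCOUNT-1, body before TSIG
    data = digest_input(unsigned, signed[pos:key_end], signed[key_end + 10:alg_end],
                        signed[alg_end:alg_end + 8], error, signed[p + 6:p + 6 + other_len])
    if not hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).digest(), signed[alg_end + 10:p]):
        return False, "BADSIG"   # wrong key, spoofed sender or tampered message
    if abs(now - int.from_bytes(signed[alg_end:alg_end + 6], "big")) > fudge:
        return False, "BADTIME"  # replay outside the fudge window
    return True, "NOERROR"
```

A secondary that demands a valid TSIG on AXFR/IXFR and NOTIFY traffic rejects a request from a spoofed address with BADSIG, and a captured request replayed later than the fudge window with BADTIME.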
Best Practice 3: Place nameservers close to users
The latency of DNS lookups is important for your website. Long latency can translate into lost customers and revenue. Your authoritative nameservers answer queries from other nameservers on the Internet. To ensure a good user experience and fast access to your website, place your nameservers close to, or quickly accessible from, the public nameservers querying them. Optimally, this would involve placing nameservers in locations with good access to the Internet, such as Internet Exchange Points (IXPs).
The highly recommended solution is an outsourced secondary anycast DNS service. With anycast, multiple geographically distributed nameservers share a single IP address and queries are routed to the closest authoritative nameserver. For our purposes, we have a small selection of anycast providers with POPs in IXPs that can be matched to your customer geography if needed, or, if you’re global, to all continents except Antarctica.
Best Practice 4: Outsource your secondaries to Anycast DNS
Anycast has been in use for more than 10 years to provide name service for the root servers on the Internet as well as for many top-level domains, including .CA. Anycast DNS is the optimal solution for fault tolerance, DDoS resiliency and placing name servers close to users. For most organizations, building and managing their own anycast DNS infrastructure is too expensive and not practical. Fortunately, an anycast DNS service such as Lightspeed’s AnyCast DNS can easily be added to your DNS infrastructure.
Best Practice 5: Mitigate DDoS
DDoS attacks using DNS as the attack vector are on the rise. Increase resiliency to DDoS attacks with the extra query capacity and bandwidth of an anycast DNS cloud. To the world, the anycast cloud appears as a single IP address. In reality it is a network of geographically distributed nameservers. An anycast cloud is much more resilient to a DDoS attack than single unicast servers because it uses geo-location to determine which server answers a query and it has the combined capacity and bandwidth of all the servers. With anycast, the impact of an attack is isolated to the name server closest to the source(s) of the attack.
Most DDoS attacks originate offshore. When selecting an anycast DNS service ensure there are international nodes that can soak offshore attacks. An international node sinks traffic from an offshore attack while helping domestic name servers to remain unaffected.
Best Practice 6: Make your DNS disaster-proof
Use redundancy to make your external DNS disaster-proof. With unicast servers, this means at least two nameservers with a reasonable geographical and network distance between them (e.g. not in the same class C). A better alternative is an anycast DNS cloud to provide redundancy. If a nameserver in an anycast cloud goes down, it is automatically removed from the routing tables, and the query will hit the next closest server. In this way, anycast adds redundancy and fault tolerance.
With anycast, the highest level of redundancy is achieved with two separate clouds. Compared with unicast redundancy, it is like replacing two unicast nameservers with two anycast clouds. Make sure the clouds use independent hardware and transit providers. This prevents a routing problem or transit network outage from bringing down your DNS.
Lightspeed provides a choice of one or two AnyCast clouds from a selection of trusted providers. The best solution varies depending on your budget and goals, so please consult your Service Delivery Manager to determine the appropriate AnyCast configuration to match your needs.