I had several sites become inaccessible yesterday due to the DDOS on Namecheap's DNS servers:
http://status.namecheap.com/?p=3739<p>Everything appears to be back to normal for us right now, but this has definitely rattled us a bit. We've never had problems with Namecheap before. Admittedly, DNS / Nameserver routing is not something I have a lot of expertise in. Like many developers/ dev ops people, DNS is something I set once and mostly leave alone. I had not considered it a vector for failure.<p>Several question:<p>1) What are the best practices in mitigating something un-forseen like a DDOS attack on your DNS / Nameserver provider? It seems like redundancy is the only good option, since any provider we go with could get DDOS-ed. What are good redundancy setups?<p>2) I've heard people say 'don't do DNS with your registrar'. But I'm not clear on exactly why not. Are registrars just inherently worse at DNS & nameserving?<p>3) Out of curiosity, does anyone know why Namecheap was DDOS-ed? Was it just for the lolz?
Really, the best thing you can do is make certain you're with a good, stable, Anycast provider. Preferably one that's been beefing up their network. I've been using DNS Made Easy for a few months now for the ability to have vanity name servers and have noticed a significant boost in speed since. I also started using their failover service to help avoid going down since they included 3 records with my membership anyway :P. They're also crazy cheap for the features I'm been getting: <a href="http://www.dnsmadeeasy.com/enterprisedns/pricing.html" rel="nofollow">http://www.dnsmadeeasy.com/enterprisedns/pricing.html</a><p>As for why Namecheap got hit, who knows. Could be a malicious attack on a site using the service, could be a prank. Maybe just for lolz. There's any number of reasons. Unless they release that info, I don't think you'll find a clear answer any time soon :-/.
I've seen a lot of praise for easyDNS, but I've never used them myself. They have failover DNS, which is interesting. <a href="http://support.easydns.com/Failoverfaq.php" rel="nofollow">http://support.easydns.com/Failoverfaq.php</a> I guess you could technically use 2 (or more) different hosts for DNS, which would give you some redundancy, but I've never seen anyone do that.<p>I usually don't like to host DNS with the registrar because they tend to be kind of bad as far as flexibility. GoDaddy's DNS controls are pretty good, but I still tend to host my DNS elsewhere.
I sure wish some company would step-up and offer a reasonable, quality registrar/DNS offering, but I have yet to find that one. Until that time, I will keep them separate, and would suggest using DynDNS. It really depends on your needs and/or budget. I would check out this page: <a href="http://www.dyndns.com/services/dynectsmb/" rel="nofollow">http://www.dyndns.com/services/dynectsmb/</a><p>If that looks like overkill, you might consider this plan:
<a href="http://www.dyndns.com/services/upgrades/" rel="nofollow">http://www.dyndns.com/services/upgrades/</a>
You really can't do that much. Pick a good provider.<p>I'm using route53 from Amazon. It's dirt cheap and they no slouches when it comes to reliability. It's still relatively new though.