We're kinda tied into DNSimple since we use an ALIAS record for our bare/naked/root domain. Amazon's Route53 supports aliases, but via a 301 redirect, which doesn't work in an SSL context (without browser warnings).<p>Nonetheless, we just spun up a Route53 zone, exported our zone from DNSimple, imported to Route53, and hand-migrated our ALIAS records to static A records in the new zone.<p>Not perfect or permanent, but we've gotten around the outage. Also, I just learned that pointhq has (seemingly-undocumented) support for ALIAS records in the same style as DNSimple, so this could be another avenue to explore.
We can watch this happen live @ <a href="http://map.ipviking.com/" rel="nofollow">http://map.ipviking.com/</a><p>Fascinating traffic floods from various locations, but the attack is not continuous.
Free solution that worked for me: Set up a free account on cloudflare.com, duplicate all dns records (thankfully I have a simple setup)... but next time I will keep a backup zone file!<p>FYI - Instead of an Alias record on DNSimple, CloudFlare will allow a CNAME record for the root domain using "CNAME flattening".<p>You can now set CloudFlare's DNS service to "bypass Cloudfare" on all records by clicking the icon so you don't get any of their magic (unless you want it).<p>Then add CloudFlare's 2 nameserves to your domain as your first 2 name servers. No need to remove dnsimple's name servers.<p>Now you have 2 DNS providers in case one fails, just make sure the records are the same across them both!
DNS is so straightforward, so easily distributed, and so fundamental, that I'm always astounded when it's a single point of failure for so many operations.<p>I wonder how many of the affected companies <i>do</i> have redundant appservers and load balancers, but missed this piece of the puzzle...
Can someone help me understand what happens to email sent to a domain hosted by DNSimple while it's down?<p>I'm hoping it will get queued by the sending server, and make it's way back when DNSimple is up and running. Is that correct?
I moved from Zerigo to DNSimple, and it's been awesome until now!<p>What can you do to prevent this in future? Can you run multiple DNS providers simultaneously? So, ns1/ns2 go to DNSimple, and ns3/ns4 go to another provider?
If you have an active DNSimple web UI session (or API key) you can change your root nameservers by hitting their web tier directly at
50.31.213.210.<p>We've successfully switched our domains over to nsone.net.
For anyone else who needs to mitigate this in a hurry:<p>Set up a new account on another host that does ALIAS records (I used pointDNS)<p>Create your new record without much in it<p>Change your nameservers on your domain now - they'll take time to propagate<p>Fill in the records on your domain. If you can't remember them, print out most of your existing records with<p>dig yourdomain.com ANY<p>Add the rest of the records to pointDNS<p>Wait for the new Nameservers to propagate (0-24 hours - it took 15-30 min for us on a small-medium traffic domain today during sales crunch)
Here's where you can request your cached SERVFAILs be flushed from Google's public DNS (i.e. 8.8.8.8):
<a href="https://developers.google.com/speed/public-dns/cache" rel="nofollow">https://developers.google.com/speed/public-dns/cache</a>
"30 minute ETA from our network provider to begin scrubbing traffic in a location with capacity."<p><a href="https://twitter.com/dnsimplestatus/status/539551209452232705" rel="nofollow">https://twitter.com/dnsimplestatus/status/539551209452232705</a>
Does anyone have a simple explanation or link to an article / blog that explains the naked domain / ALIAS "problem" that DNSSimple solves? I recently set up DNS with DNSimple (due to nudging by Heroku) and am affected by this DDoS. I am still struggling to understand the exact nature of this issue. All of Heroku's documentation is pretty cryptic (to me):<p>"Some DNS hosts provide a way to get CNAME-like functionality at the zone apex using a custom record type. " .. and then on to suggest DNSimple as their first suggestion.
For those wondering about alternatives to ALIAS: if you use a www subdomain, then you can simply use CNAMEs. (Though the appearance is a matter of taste...)<p>Google, Facebook, etc, all use this approach.
Anyone switching from DNSimple? I really don't want to, but we've been down for almost 3 hours. I've seen chatter about Cloudfare and it looks pretty good, reviews?
DNSimple is my registrar and (was my only) DNS provider. Now that they're back up I've exported the zone file and imported it to route 53 for redundancy in case this happens again. I also I updated the name servers in DNSimple to be 2 route 53, and 2 DNSimple, in that order. Is that the right way to do it? Does the order of the NS records matter? I set them up so that they're in the same order in both places.
I wrote a follow-up article about what we at Canopy.co learned from this incident. Check it out (this covers and expands on some of the ideas talked about here):<p><a href="https://medium.com/@brianarmstrong/youre-probably-doing-dns-wrong-like-we-were-6625efaed390" rel="nofollow">https://medium.com/@brianarmstrong/youre-probably-doing-dns-...</a>
Unfortunately, it's not the first time it happens, my app is down and customers unhappy.<p>I always wonder, why is it that someone wants to attack a small company like DNSimple ? Is it that they were blackmailed and did not surrender to the criminals? If so, why would anyone be interested in blackmailing such a small company?
You can use my cross-platform cli for dnsimple to export your zone files easily to txt or json format: <a href="https://www.npmjs.org/package/dnsimple-cli" rel="nofollow">https://www.npmjs.org/package/dnsimple-cli</a><p>dnsimple domain record list example.com > example.txt<p>OR<p>dnsimple domain record list example.com --json > example.json