Rackspace DNS DDOS

RAX has a 6.3 billion market cap. If an org this size -- specialising in hosting -- cannot field a DDOS-resistant DNS server, who can?<p>I&#x27;d like to migrate or even perhaps add a secondary DNS but RS DNS doesn&#x27;t seem to even offer zone transfers (the best you can do, I guess, is to use the API to get your records out).

For those looking to export your zone from Rackspace, the rackspace python library (prax) will let you:<p><a href="https://github.com/rackspace/pyrax/blob/master/docs/cloud_dns.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;rackspace&#x2F;pyrax&#x2F;blob&#x2F;master&#x2F;docs&#x2F;cloud_dn...</a><p>You could also do it via CURL: <a href="https://community.rackspace.com/products/f/25/p/1743/4945#4945" rel="nofollow">https:&#x2F;&#x2F;community.rackspace.com&#x2F;products&#x2F;f&#x2F;25&#x2F;p&#x2F;1743&#x2F;4945#49...</a>

Been dealing with this all morning, finally got all of my zones migrated to Route53, but with the amount of time it takes for DNS changes to propagate we are going to be feeling this all day.<p>Any advice for the future on how to add redundancy to my DNS setup? Is it as simple as maintaining Nameservers on two different providers and pointing to them both on my domain?

It&#x27;s easy to blame &#x27;large hosting provider&#x27; and suggest going with &#x27;specialized provider&#x27;, but isn&#x27;t stuff like this really leapfrog between hackers and the good guys?<p>Sure, service X might be able to block a 50 foobit attack but what about when the next vulnerability is found and they can launch 500 foobits of DDoS?

<a href="https://status.rackspace.com/" rel="nofollow">https:&#x2F;&#x2F;status.rackspace.com&#x2F;</a>

We went through this recently at Codeship when our provider, DNSimple, had an outage due to DDoS- <a href="https://blog.codeship.com/dnsimple-ddos-outage/" rel="nofollow">https:&#x2F;&#x2F;blog.codeship.com&#x2F;dnsimple-ddos-outage&#x2F;</a> DNS is a service that often ends up as a single point of failure in infrastructures I&#x27;ve seen as it&#x27;s non-trivial to implement redundancy. Having a repository&#x2F;API approach to deploying DNS records saved us in this incident: <a href="http://blog.codeship.com/dnsimple-dns-history-continuous-deployment/" rel="nofollow">http:&#x2F;&#x2F;blog.codeship.com&#x2F;dnsimple-dns-history-continuous-dep...</a>

It&#x27;s nice having cheap&#x2F;free DNS from people like Rackspace and Amazon, but situations like these make you realise that it&#x27;s sensible to use a company like Dyn (<a href="http://dyn.com/" rel="nofollow">http:&#x2F;&#x2F;dyn.com&#x2F;</a>) that are experts in highly-available DNS, rather than something that&#x27;s a small part of a hosting provider&#x27;s services.<p>It&#x27;s easy to forget that you can have redundancy in your load balancers, web servers and databases (replication, multiple data centres, etc), but DNS is how you&#x27;re found by the rest of the Internet.<p>No DNS resolution = no one reaches your expensive, lovingly-crafted infrastructure.

Here is the status page - note that it uses Rackspace DNS, though:<p><a href="https://status.rackspace.com/" rel="nofollow">https:&#x2F;&#x2F;status.rackspace.com&#x2F;</a>

For anyone else worried about this, the best way to mitigate this going forward is to have secondary DNS servers.<p>Your primary DNS provider should allow automatic zone transfers. This makes it so that any changes you do to your primary service gets propagated to the secondary service within seconds.<p>Once setup you&#x27;ll automatically have redundancy incase the primary provider starts timing out.

Who launches these massive DDoS attacks against DNS infrastructure? It would require a substantial botnet to pull off, so they must have some compelling reason. Maybe there&#x27;s something obvious I&#x27;m missing, but I don&#x27;t see one, except perhaps for a government or large organization which had many competitors using the DNS service they attack.

All of my websites using Rackspace DNS where down for around 9 hours.<p>It was not a good start on a Monday. And it was even harder to explain that your websites are up, but not up to a client lol, and there is basically nothing I can do.<p>So yah this marks the point at which I will be using R53 and RS DNS servers.

I&#x27;ll make the answer simple. Market cap and size do not matter. All it takes is _competent staff_ and management support. Actually DNS is not that hard to mitigate. You just need optimized compute and the bandwidth to take it to the clean up equipment.

Anyone with an idea how well Google Cloud DNS handles DDoS? I would image it just sucks it up, because they already saw any DDoS volume (would it be any or every, I&#x27;m not a native speaker?) before.

I&#x27;m not savvy to this stuff so pardon the unsolicited conspiracy theory, does this DDoS have anything to do with the NK internet outage, or is it just coincidence?