
Is it time for everyone to actually start using secondary name servers/DNS resolvers too, from a different provider than the primary? DNS _is_ built for this, for the very purpose of handling failure of the primary resolver, isn't it? Just most people don't seem to do it -- including major players?

Or would that not actually solve this particular scenario?



Yes, I think this attack has brought to everyone's attention that many companies have gone away from what used to be the extremely common practice of having your authoritative DNS serving shared across multiple DNS hosting providers. This would have addressed the issue... and we're seeing that by the end of the day many of these sites have gone to having multiple providers.


The attack is on the authoritative name servers, not a DNS resolver. A public DNS resolver will query the authoritative name server for a record if it doesn't exist in its cache.


Agreed, but there is nothing stopping you from having the authoritative name servers for a domain with different providers. As someone previously said, DNS was designed for this.


It used to be common for universities to do this, mine still does:

  ic.ac.uk.		45665	IN	NS	ns1.ic.ac.uk.
  ic.ac.uk.		45665	IN	NS	ns2.ic.ac.uk.
  ic.ac.uk.		45665	IN	NS	ns0.ic.ac.uk.
  ic.ac.uk.		45665	IN	NS	authdns1.csx.cam.ac.uk.
(and Cambridge use Imperial College as a secondary) but the best-known American universities are on cloud providers now.
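As an added illustration of the check these comments are making (this is example code written for this page, not anything posted in the thread or run by the universities mentioned): the script below parses NS records in the zone-file presentation format that dig prints, groups the nameservers by the registrable domain of their hostnames as a rough proxy for who operates them, and flags zones whose whole NS set sits with a single operator. The ic.ac.uk lines are the ones quoted above; the example.test and cloudy.test zones, the short suffix list, and the ALIASES mapping are constructed for the demo.

```python
"""Does a zone's authoritative NS set survive the loss of one DNS operator?

Added example for this discussion. It parses dig-style NS answers and groups
the nameservers by operator. Assumptions (not from the thread): the
registrable domain of an NS hostname approximates its operator, and the
suffix list and alias table below are small constructed stand-ins for the
Public Suffix List and for real provider knowledge.
"""
from collections import defaultdict

# Constructed subset of multi-label public suffixes so that ns1.ic.ac.uk and
# authdns1.csx.cam.ac.uk are attributed to different organisations.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "org.uk", "com.au", "co.jp"}

# Constructed alias table: providers that spread their NS names over several
# registrable domains still count as one operator (hypothetical mapping).
ALIASES = {"awsdns-12.com": "route53", "awsdns-11.net": "route53"}

# First four lines are the ic.ac.uk answer quoted in the thread; the rest are
# constructed: one zone with a single in-house operator, and one whose NS names
# look diverse but belong to the same provider.
SAMPLE_ANSWER = """\
ic.ac.uk.		45665	IN	NS	ns1.ic.ac.uk.
ic.ac.uk.		45665	IN	NS	ns2.ic.ac.uk.
ic.ac.uk.		45665	IN	NS	ns0.ic.ac.uk.
ic.ac.uk.		45665	IN	NS	authdns1.csx.cam.ac.uk.
;; constructed: all nameservers with one operator
example.test.		3600	IN	NS	ns1.example-dns.test.
example.test.		3600	IN	NS	ns2.example-dns.test.
;; constructed: two registrable domains, one real operator
cloudy.test.		3600	IN	NS	ns-100.awsdns-12.com.
cloudy.test.		3600	IN	NS	ns-600.awsdns-11.net.
"""


def parse_ns_records(text):
    """Parse 'owner TTL IN NS target' lines into {owner: [targets]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # Skip ';;' comments, blank lines and any non-NS resource records.
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "NS":
            continue
        owner = fields[0].rstrip(".").lower()
        target = fields[4].rstrip(".").lower()
        records[owner].append(target)
    return dict(records)


def operator_of(hostname):
    """Registrable domain of an NS hostname (proxy for who runs the server)."""
    labels = hostname.lower().strip(".").split(".")
    # Under a multi-label suffix such as ac.uk the registrable domain is three
    # labels long (ic.ac.uk); otherwise it is the last two labels.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def diversity_report(text, aliases=None):
    """Per zone: nameservers grouped by operator and whether >= 2 operators."""
    aliases = aliases or {}
    report = {}
    for owner, targets in parse_ns_records(text).items():
        by_operator = defaultdict(list)
        for ns in targets:
            reg = operator_of(ns)
            by_operator[aliases.get(reg, reg)].append(ns)
        report[owner] = {
            "operators": dict(by_operator),
            "resilient": len(by_operator) >= 2,
        }
    return report


def single_operator_zones(text, aliases=None):
    """Zones that would lose all authoritative service if one operator fails."""
    report = diversity_report(text, aliases)
    return sorted(zone for zone, r in report.items() if not r["resilient"])


if __name__ == "__main__":
    for zone, r in diversity_report(SAMPLE_ANSWER, ALIASES).items():
        status = "ok" if r["resilient"] else "SINGLE OPERATOR"
        print(f"{zone}: {status}")
        for op, servers in r["operators"].items():
            print(f"  {op}: {', '.join(servers)}")
```

Run it against `dig +noall +answer NS yourdomain` output to get the same report for your own zones. The registrable-domain heuristic is deliberately conservative in one direction and not the other: without the alias table, cloudy.test passes because its two NS names live under different TLDs, which is why the example shows the same zone flagged once the aliases are applied. A production check should resolve each nameserver and group by the announcing network (ASN) instead of trusting hostnames.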


Can you have secondary name servers too though? And would it have worked to avoid outage for domains doing such in this case?



