This post is part of our six part series on DNS. The complete list is here: Part 1: DNS Basics, Part 2: DNS and Performance, Part 3: Common Problems and Solutions, Part 4: Best Practices for Setup, Part 5: Monitoring an Anycast Service, Part 6: The Importance of Highly Available DNS.
In our DNS series we've covered the basics of DNS, why DNS matters for performance, and common problems and solutions. In this part we cover best practices for DNS setup. Configuring DNS correctly is crucial both to ensure performance and to protect yourself from outages.
What are some DNS best practices?
Research Provider’s Reliability
We've covered this a bit in Part 2, but we'd be remiss not to mention it again. Choosing a good provider with the stats to back it up is the most basic best practice there is. Do your due diligence: look at what others are saying about the provider, at performance indexes and points of presence, and at any trust pages they expose showing their uptime and performance from around the globe.
Here are two good questions to ask when vetting a provider or assessing your current one:
Do you support Anycast?
Hint: they should. Anycast is a modern network delivery scheme that reduces network latency, improves performance and provides high availability. Even if your own infrastructure is not served over Anycast, your end users still benefit from an Anycast DNS provider, since every request ultimately starts with a DNS lookup.
We wrote an in-depth post explaining Anycast and how you should monitor Anycast-based services. Check it out here.
What’s their uptime over the last month?
Check whether your provider's answers match up with publicly available performance metrics. CloudHarmony uses Panopta to measure the uptime and performance of service providers, including DNS providers. The top 5 (in no order) as of this post are:
Google Cloud DNS
Amazon Route 53
Microsoft Azure DNS
There are a number of providers who achieved 100% uptime prior to this month as well. To get the most up-to-date list, visit the Panopta-powered dashboard on Cloudharmony.com.
Using Multiple Providers
The phrase "don't put all your eggs in one basket" holds true here as well. Failures will happen, and all you can do is be prepared for them. By incorporating multiple authoritative DNS providers you insulate yourself from a failure like the DynDNS incident in October of 2016.
Protecting Your Email
Publishing an SPF record in your DNS zone is an important way to protect your company's identity and integrity. It tells recipient mail servers that only mail originating from the servers you specify should be honored, which protects the integrity of your brand. Your domain's SPF record essentially acts as the authority saying that email from @yourdomain.com will come from the XX.XXX.X.X server. That way, malicious attempts to spoof the headers of an e-mail to make it look like it comes from your company get marked as spam.
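To make the "authority" role of the record concrete, here is an added example (not code from the original post) that evaluates a sending IP against an SPF record the way a recipient server would. The record and addresses are constructed from documentation ranges, and only the ip4, ip6 and all mechanisms are handled; include, a and mx need live DNS lookups and are reported as errors rather than silently passed.

```python
import ipaddress

# Constructed example: an SPF TXT record for a hypothetical zone, using
# documentation address ranges (RFC 5737 / RFC 3849) rather than real servers.
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip checked against record.

    Only the ip4, ip6 and all mechanisms are evaluated here; include, a and mx
    need live DNS lookups and are reported as 'permerror' so that a caller
    never mistakes an unevaluated record for a pass."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # catch-all decides everything left over
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # include/a/mx/exists need DNS; not handled
    return "neutral"                       # no match and no 'all' term (RFC 7208)


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.7", "2001:db8:1::25"):
        print(ip, "->", evaluate_spf(SPF_RECORD, ip))
```

Note that a record ending in "~all" (softfail) only asks the recipient to treat mail as suspicious; "-all" is what makes the rejection described above unambiguous.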
Make Sure You Have a “WWW.” Record
It's amazing how many organizations forget this. Adding www seems like such an afterthought that it's simply assumed www.yourdomain.com and yourdomain.com are the same thing. They're not. Make sure there is a record in your DNS zone that points the "www" name to the same IP as your domain. In addition to having the DNS record in place, configure redirects on your web server so traffic is always sent to one or the other.
Use CNAMEs When Possible
Suppose you're using the same IP address across many different A records within your DNS zone to point to resources that other services in your infrastructure rely on. What happens when you need to move or scale those resources out? The last thing you want to do at that time is hunt down every reference to that resource or IP. Instead, use CNAMEs to centralize all of that management in one spot. CNAMEs are also useful when external or third-party zones (which you don't control) refer to your resources or IPs: you can stay agile and make changes without having to coordinate with the owners of the other zones.
Adopt IPv6
IPv6 is the future of the internet. With more devices coming online every day, adoption of IPv6 increases daily as well. Most internet servers, devices and consumer connections will prefer to route traffic over IPv6 if it's available. Make sure your DNS provider is on an IPv6-capable network (for maximum performance) and adopt IPv6 on your own infrastructure where possible. You'll need an AAAA record for your sites and resources if you do.
Last, but not least, Monitor Your DNS Provider(s)
We're a monitoring company, so it should be fairly obvious that we saved this best practice for last. It's crucial to monitor your DNS providers to ensure they are living up to the availability and performance SLAs they've agreed to, and so that you know why your service may be unreachable.
Monitoring DNS answers three questions: Is it up? Is it performing? Is it correct?
Answering whether your provider is "up" and performing is a relatively simple uptime check: is the DNS server online, and what is the round-trip latency? Knowing whether the responses are correct requires a synthetic DNS check that not only gets a response, but compares that response against a predetermined IP. Make sure you have the full depth of monitoring covered for all your critical DNS zones.
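As an added example (not Panopta's product code), the check below answers all three questions for one record: reachability, latency against a budget, and exact agreement with a predetermined set of addresses, so a hijacked or partially wrong answer is reported as up but not correct. The resolver is injectable; the canned and unreachable resolvers are constructed stand-ins so the example runs offline, while the default uses the system resolver.

```python
import socket
import time


def dns_check(name, expected, resolve=None, latency_budget_ms=250.0):
    """Answer the three monitoring questions for one record: is it up, is it
    performing, is it correct? `expected` is the predetermined set of
    addresses the answer must match exactly; extra or different addresses
    count as up but not correct."""
    if resolve is None:  # default: the system resolver (needs network access)
        resolve = lambda n: {ai[4][0] for ai in socket.getaddrinfo(n, None)}
    started = time.perf_counter()
    try:
        answers = set(resolve(name))
    except (OSError, TimeoutError) as exc:
        return {"up": False, "performing": False, "correct": False,
                "latency_ms": None, "detail": f"lookup failed: {exc}"}
    latency_ms = (time.perf_counter() - started) * 1000.0
    return {"up": True,
            "performing": latency_ms <= latency_budget_ms,
            "correct": answers == set(expected),
            "latency_ms": round(latency_ms, 2),
            "detail": ", ".join(sorted(answers)) or "empty answer"}


def canned_resolver(*addresses):
    """Constructed stand-in for a live resolver that always returns addresses."""
    return lambda name: set(addresses)


def unreachable_resolver(name):
    """Constructed stand-in for a provider whose nameservers time out."""
    raise OSError("constructed failure: query timed out")


if __name__ == "__main__":
    expected = {"203.0.113.10"}  # constructed documentation address
    for label, r in (("good", canned_resolver("203.0.113.10")),
                     ("wrong answer", canned_resolver("198.51.100.99")),
                     ("down", unreachable_resolver)):
        print(label, dns_check("www.example.com", expected, resolve=r))
```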