What are the Best Practices for DNS Setup?
Now that we’ve discussed a bit about how DNS works and its basic components, we wanted to spend this week talking about DNS setup best practices to answer some frequently asked questions. DNS is crucial to both security and performance, so we created this simple guide to help you work through each of the important aspects of DNS setup.
If you want more detail on why both setting up DNS and monitoring it matter so much, we cover DNS monitoring in our next post. You can subscribe in the sidebar to get updates for this series.
I’m trying to set up my authoritative DNS, where do I start?
The first thing you should do when looking into DNS setup is research authoritative DNS providers. There are a lot of providers out there, and it can be difficult to see through the fog of promises they all make about their services, especially when you’re new to DNS. Luckily, there are plenty of good tools to help you figure out which providers are the most reliable, and some key questions you should ask to help choose the best option.
We suggest starting with Gartner’s CloudHarmony tool, which gives real-time data on the uptime of different DNS providers. This will help you determine just how reliable the providers you’re looking into actually are by giving you a third-party view of their uptime for the past month. It also gives you toggles to look at particular regions in case you’re looking to improve service in just one part of the world.
In addition to their uptime over the previous month, something to consider is whether or not the provider is using an Anycast system. We’ve gone into detail about the benefits of an Anycast system and how to monitor one before, but we feel it’s important to mention it again, even if Anycast isn’t the newest thing on the market—after all, it’s not like DNS is bleeding edge either.
Anycast ensures an end user is routed to the nearest node when making a request. This way, a user in London isn’t trying to connect to a server in Seattle and ultimately experiencing a large latency due to physical distance. Obviously, you can see the advantage that Anycast offers, and it’s commonly used today, so you should be sure to check if the providers you’re considering are working on an Anycast system. If they’re not, you might want to consider a different provider.
I’ve chosen an authoritative DNS provider, now what?
Choose a second provider. One of the best things you can do to protect your system’s availability to the public is to use multiple authoritative DNS providers. As many learned from the DDoS attack on DynDNS back in October of 2016, having highly available DNS requires having multiple DNS providers. Otherwise, you’ll find yourself out in the cold if your DNS provider goes down for any reason.
If for any reason you do need to rely on a single authoritative DNS provider, make sure it’s not your registrar. Separating your authoritative DNS from the registrar will allow you the flexibility to go to the registrar and move your authoritative DNS if there is ever an issue with your single provider. So, even if you experience a disruption, this will give you the tools to make sure the disruption is as short as possible.
Does DNS affect my email?
DNS affects anything that uses your hostname, so yes, it affects your email servers as well! You’ve probably heard of email spoofing scams before, and you would never want your hostname to be impersonated. Using Sender Policy Framework (SPF) records in your DNS zone will prevent this type of scam from happening. Essentially, SPF lets you specify the servers from which email from @yourdomain.com must originate. If a scammer attempts to send an email spoofing your hostname from an IP address that is not one of those you specified, it will be marked as spam and never reach your customers.
Much like with DNS spoofing, scammers will sometimes try to hack your DNS and intercept all your emails. There are MX records within your DNS which allow you to specify where mail sent to your domain should be delivered. This will help prevent a scammer from rerouting your emails to a server they control.
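To make the SPF mechanism concrete, here is a small evaluator, added for this post and not part of the original article or any provider’s software. It implements the common SPF mechanisms (ip4, ip6, a, mx, include, all) with the four qualifiers and resolves every lookup against a constructed, offline stub of DNS data for the hypothetical domains example.com and _spf.mailrelay.example, so it runs without network access. A receiving mail server performs the same kind of evaluation on the connecting IP before deciding whether mail claiming to be from your domain is accepted, softfailed or rejected.

```python
"""Minimal SPF evaluator (subset of RFC 7208) run against an offline DNS stub."""
import ipaddress

# Constructed sample DNS data standing in for real lookups (hypothetical zones).
STUB_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailrelay.example -all"
    ],
    ("example.com", "MX"): [(10, "mail.example.com")],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailrelay.example", "TXT"): ["v=spf1 ip6:2001:db8:beef::/48 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] for anything not in the stub."""
    return STUB_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate sender IP `ip` against `domain`'s SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanism arguments with explicit prefix lengths on a/mx are not handled.
    """
    if depth > 10:  # guard against include: loops, as RFC 7208 limits lookups
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            # Sender passes if it is one of the domain's own mail exchangers.
            for _priority, host in lookup(arg or domain, "MX"):
                if str(addr) in lookup(host, "A"):
                    matched = True
        elif mech == "include":
            # include: matches only when the referenced policy yields "pass".
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.25", "2001:db8:beef::1", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.com"))
```

Running the block prints pass for the listed range, for the MX host and for the relay covered by the include, and fail for an unrelated address because the policy ends in -all. The `~all` in the included relay policy does not leak out: an include contributes a match only on pass, which is why the scammer’s address still fails rather than softfails.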
Will caching affect my DNS setup?
It’s important to consider caching when you’re setting up DNS and choosing an authoritative DNS provider. As we discussed in our previous post, caching DNS uses a non-authoritative DNS server to store the IP addresses of servers you’ve connected to previously. This server is usually provided by your internet service provider (ISP), or by an external provider like Google, which offers these services to reduce latency and improve resilience for its customers.
Due to the nature of caching DNS, remember that you want to strike a balance between serving the correct and most up-to-date version of your IP address and not causing yourself a lot of trouble when you need to update your hostname. This is where TTL settings become an important part of your DNS setup. You want your IP address cached in the downstream servers long enough that you take advantage of caching DNS, but short enough that an end user never reaches an out-of-date version of your hostname.
In the past, people often set a TTL of 24 hours, but now it’s more common to set 15 minutes or less, because that gives system admins the ability to update easily. A good range for critical content, or content that changes regularly, is anywhere from 30 seconds to 5 minutes depending on the needs of your use case, but it can be extended for content that doesn’t change often.
What other things should I be looking out for?
During DNS setup, you have to remember that it will affect everything related to your hostname. Make sure that you have a DNS record in your zone that points to the www. version of your hostname. There’s a big difference between yourdomain.com and www.yourdomain.com.
In addition to using the “www.” version of your hostname, it’s important to include records for any CNAMEs (canonical names) you have for your hostname within your DNS zone. This can be as simple as making sure both www.yourdomain.com and yourdomain.com point to the same IP address, or it can include centralizing things like mail.yourdomain.com under your hostname. This also makes it easier to adjust and scale resources and gives you greater flexibility when working in zones you don’t control yourself.
Also, make sure your DNS service provider is on an IPv6-supported network. Internet-connected devices will prefer to route over IPv6, so it’s important to use it both with your DNS provider and on whatever infrastructure you can.
Finally, backing up your DNS settings is essential. Most DNS servers have a command line function that you can automate to run on a regular backup schedule. Make sure to use it not only for the settings mentioned in this article, but also for any other general settings that apply to your DNS.
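The following linter, added for this post and not part of the original article or any DNS provider’s tooling, checks a zone against several of the practices discussed above in one pass: nameservers spread across at least two providers, TTLs on address records within the range the post recommends, A/AAAA/CNAME records for both the apex and www, an MX record, and exactly one SPF record ending in -all or ~all. It parses a constructed BIND-style zone for the hypothetical domains example.com and example.org; the provider grouping by the last two labels of each nameserver is a deliberately crude heuristic, and the TTL bounds (30 s to 15 min) are assumed defaults you can override.

```python
"""Offline lint of a BIND-style zone for the setup practices in this post."""

# Constructed sample zone that follows the practices (hypothetical domain).
SAMPLE_ZONE = """
$ORIGIN example.com.
$TTL 300
@        IN NS    ns1.dnsprovider-a.example.
@        IN NS    ns2.dnsprovider-a.example.
@        IN NS    ns1.dnsprovider-b.example.   ; second provider
@        IN A     203.0.113.10
@        IN AAAA  2001:db8::10
www      IN CNAME example.com.
mail     IN A     203.0.113.25
@   3600 IN MX    10 mail.example.com.
@        IN TXT   "v=spf1 ip4:203.0.113.25 -all"
"""

# Constructed sample zone with the common mistakes (hypothetical domain).
SINGLE_PROVIDER_ZONE = """
$ORIGIN example.org.
$TTL 86400
@   IN NS  ns1.dnsprovider-a.example.
@   IN NS  ns2.dnsprovider-a.example.
@   IN A   203.0.113.20
@   IN MX  10 mail.example.org.
"""


def parse_zone(text):
    """Parse the zone-file subset used above ($ORIGIN, $TTL, 'name [ttl] IN type rdata')."""
    origin, default_ttl, records = "", 3600, []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        parts = line.split()
        name = origin if parts[0] == "@" else parts[0].lower()
        if not name.endswith("."):
            name = f"{name}.{origin}"  # relative names are qualified with $ORIGIN
        rest, ttl = parts[1:], default_ttl
        if rest[0].isdigit():
            ttl, rest = int(rest[0]), rest[1:]
        if rest[0].upper() == "IN":
            rest = rest[1:]
        records.append({"name": name, "ttl": ttl, "type": rest[0].upper(),
                        "rdata": " ".join(rest[1:])})
    return origin, records


def provider_of(nameserver):
    """Crude provider key: the last two labels of the nameserver name."""
    return ".".join(nameserver.rstrip(".").split(".")[-2:])


def lint_zone(text, min_ttl=30, max_ttl=900):
    """Return a list of findings; an empty list means every check passed."""
    origin, records = parse_zone(text)
    findings = []

    def apex(rtype):
        return [r for r in records if r["type"] == rtype and r["name"] == origin]

    if len({provider_of(r["rdata"]) for r in apex("NS")}) < 2:
        findings.append("NS: only one authoritative provider; add a second")
    if not apex("A") and not apex("AAAA"):
        findings.append("apex: no A/AAAA record")
    if not apex("AAAA"):
        findings.append("apex: no AAAA record (IPv6)")
    www = "www." + origin
    if not any(r["name"] == www and r["type"] in ("A", "AAAA", "CNAME") for r in records):
        findings.append("www: no A/AAAA/CNAME record")
    if not apex("MX"):
        findings.append("MX: none; mail for the domain has no delivery target")
    spf = [r for r in apex("TXT") if r["rdata"].strip('"').lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 TXT record, found {len(spf)}")
    elif spf[0]["rdata"].rstrip('"').split()[-1] not in ("-all", "~all"):
        findings.append("SPF: record should end with -all or ~all")
    for r in records:
        if r["type"] in ("A", "AAAA", "CNAME") and not min_ttl <= r["ttl"] <= max_ttl:
            findings.append(f"TTL: {r['name']} {r['type']} ttl={r['ttl']}s "
                            f"outside {min_ttl}-{max_ttl}s")
    return findings


if __name__ == "__main__":
    for label, zone in (("good", SAMPLE_ZONE), ("bad", SINGLE_PROVIDER_ZONE)):
        print(label, lint_zone(zone) or "no findings")
```

The good zone produces no findings; the single-provider zone is flagged for one provider, no AAAA, no www record, no SPF record and a 24-hour TTL on the apex address. Run the same checks on a zone export taken from your backup schedule and the lint doubles as a check that the backup actually captured the records you rely on.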
Is there a way to know if something’s gone wrong?
Yes! The most important thing to do after choosing a provider and setting up your DNS is monitoring it. Obviously, when it comes to monitoring, we’re a bit partial to Panopta, but any good monitoring service should answer three important questions for you at any time: Is it up? Is it performing? Is it correct?
Knowing why you’re experiencing high latency or downtime and keeping informed about uptimes gives you a basis to help judge your current DNS provider, and even the opportunity to switch if your current provider isn’t living up to the promises they’re making. We’ll be going into more detail about the best practices for DNS monitoring in the next post.
Next in the Series: Best practices for DNS Monitoring
Interested in learning more about DNS? Subscribe in the sidebar to get notified when this series updates!