Now that we’ve laid out some best practices, this week we wanted to talk about some common DNS mistakes we see many companies make when it comes to their hostname and authoritative DNS. Some of them may seem obvious because they ignore many of the best practices we’ve discussed previously, but we still want to touch on them so we can offer solutions for as many use cases as possible.
After this, we’re going to talk about DNSSEC in more detail. If you’re interested in learning more, subscribe to this series in the sidebar to get notified when it updates.
DNS Mistake 1: Relying on a single authoritative DNS provider or relying on your registrar for authoritative DNS services.
These are two different DNS mistakes, but they often go hand in hand. Many companies never look beyond their registrar for an authoritative DNS provider, but that could put your hostname at serious risk for disruption. Often, if a company has left their authoritative DNS services with the registrar it means they are using only one provider as well. We’ve talked about this a lot throughout the series because it’s just that important, so we want to make sure we’ve thoroughly covered the topic.
Let’s break down this mistake. First, there’s the issue of relying on a single authoritative DNS provider. This is a big one that you want to avoid, but it’s simple to correct if you’re currently thinking more about DNS performance. As we’ve noted previously, if you have a single authoritative DNS provider, it’s easier for your DNS to become unavailable and it’s more difficult to resolve a disruption if you don’t have a backup. So, when you do your research on a provider, it’s best to take your top two choices and use both if you have the budget.
If you don’t have the budget for multiple authoritative DNS providers, then it’s important not to leave your authoritative DNS services with your registrar. Separating the two will prevent disruptions if there’s an issue with your registrar, and if you have an issue with your authoritative DNS provider, you can go to the registrar to at least temporarily change the authoritative DNS during the disruption. If you’re unable to respond to a disruption, it could cause frustration for your end users and probably cost your company money.
DNS Mistake 2: Assuming that DNS performance doesn’t matter.
It’s rather easy to write off DNS performance. While DNS isn’t new, it’s not something that will automatically optimize, and it is also the first step whenever a user is interacting with your hostname. When you neglect DNS performance it can increase latency, and ultimately affect user experience, so we suggest occasionally going back and checking to see if the decisions you made at setup still meet the current DNS best practices for performance.
DNS Mistake 3: Not properly securing your DNS
Security is at the top of nearly every conversation about the internet, which makes it impossible to ignore when you’re talking about DNS. You’ve probably heard of DNS spoofing or DNS poisoning before. These scams are rather common and rely on changing the IP address that a domain points to so a scammer can reroute users to a server under their control. This type of scam is difficult for even the most aware users to catch before they’ve wound up supplying information to the hacker because it literally uses your domain.
The main way to prevent a DNS poisoning or similar attack is by using the DNS Security Extensions (DNSSEC). DNSSEC is a security protocol created to help fill some of the holes in DNS’s limited security. We’re going to go into more detail about DNSSEC in another blog post, but to make it as simple as possible, the protocol adds a digital signature that must be verified at every level of the DNS lookup process to ensure that the data has not been tampered with.
DNS Mistake 4: Using the wrong TTL settings
TTL settings will determine how long downstream caching servers will hold on to a particular record in your DNS zone file. This is how a caching server knows how long to keep a record before they reach out to the authoritative nameservers to see if there have been any updates.
Setting your TTL too long can result in users accessing data that is out of date and setting your TTL too short can result in the nameservers refreshing so often that it affects performance. When you’re setting TTLs, you need to be mindful of each type of record you’re setting it for (A, AAAA, CNAME, MX, TXT). Do some research about the optimized TTL settings for each record type and think carefully about how often you currently update or change these records. If it’s something you don’t change often, there’s no reason to have a 30 second TTL.
The Mother of All DNS Mistakes: Not monitoring your DNS
As we touched on in our previous post, it’s common for companies to forget about DNS when they start to set up their monitoring systems. A lack of visibility when it comes to DNS can create a blind spot to latency and other performance issues. Obviously, we’re a bit partial to Panopta when it comes to monitoring, but it’s important to ensure that the monitoring services you use and set up are both agile and that they do not miss important areas of coverage.
Having gaps in your monitoring, in general, can cause all sorts of trouble, so it’s better to head that off before a problem occurs. Here’s a handy list of everything relating to DNS you should be sure you’re monitoring in each of your zones:
- Latency between users and authoritative and caching DNS servers
- DNS Servers are accepting and responding to queries
- DNS response times during both low and high traffic times
- Check that the responses to queries are accurate and that the correct IPs are being returned
- Test for IPv6 connectivity and that it uses DNSSEC verification
It’s important to remember that DNS is something that’s frequently set up and then completely forgotten for years at a time. Setting up your DNS without making occasional optimization changes and never monitoring it will only result in problems in the future. It’s better to avoid DNS mistakes from the start.