The best practice for architecting nameservers is to use a hidden primary (master) nameserver behind a set of public secondary nameservers. The primary holds the authoritative copy of the zones and is administered from within the corporate infrastructure, but it is not listed in the zone's NS records and never answers public queries; the secondaries receive each zone by transfer (AXFR/IXFR) and serve all external queries. With this structure in place, maintenance of or downtime at the primary does not impact access to the organization's web properties, because the secondaries keep serving the last copy of the zone for as long as the SOA expire timer allows. For security, the firewall in front of the primary should be configured to only allow DNS traffic (zone transfers and NOTIFY messages on TCP and UDP port 53) to and from the secondary servers, and the transfers themselves should be authenticated with TSIG.
Once this architecture is in place, the choice and scope of the secondary infrastructure are based on organizational needs and risk tolerance.
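The following is an added example, not configuration from the original article or from any provider mentioned in it: a minimal BIND 9 (9.16 or later) set-up for a hidden primary and one public secondary, with a zone-file excerpt showing that the hidden host appears nowhere in the public zone. The host names, the addresses (taken from the RFC 5737 documentation ranges), the key name and the zone contents are all assumptions.

```conf
# Added example (not from the original article). Names, addresses and the
# TSIG key name are assumptions; replace them with your own.

# ---- named.conf on the hidden primary (192.0.2.10, inside the corporate net) ----
key "xfer-key" {
    algorithm hmac-sha256;
    # Generate with: tsig-keygen -a hmac-sha256 xfer-key  (paste the base64 secret here)
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    directory "/var/named";
    recursion no;                                   # authoritative only, never a resolver
    allow-query { localhost; 198.51.100.53; 203.0.113.53; };  # only the secondaries may ask
    allow-transfer { key "xfer-key"; };             # AXFR/IXFR only with a valid TSIG signature
    notify explicit;                                # do not NOTIFY every NS in the zone...
    also-notify {                                   # ...only the secondaries we know, signed
        198.51.100.53 key "xfer-key";
        203.0.113.53  key "xfer-key";
    };
};

zone "example.com" {
    type primary;                                   # "type master" on BIND older than 9.16
    file "zones/example.com.db";
};

# ---- named.conf on a public secondary (198.51.100.53, ns1.example.com) ----
key "xfer-key" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };

# Sign everything sent to the primary (SOA refresh queries and transfer requests).
server 192.0.2.10 { keys { "xfer-key"; }; };

options {
    directory "/var/named";
    recursion no;
    allow-query { any; };                           # this is the public authoritative service
    allow-transfer { none; };                       # secondaries do not hand the zone out
};

zone "example.com" {
    type secondary;                                 # "type slave" on BIND older than 9.16
    primaries { 192.0.2.10 key "xfer-key"; };      # "masters" on older BIND
    allow-notify { 192.0.2.10; };                   # accept NOTIFY from the hidden primary only
    file "zones/example.com.db";
};

; ---- excerpt of zones/example.com.db (constructed): the hidden primary is absent ----
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101   ; serial: bump on every change or the secondaries never refresh
        3600         ; refresh
        900          ; retry
        1209600      ; expire: how long secondaries keep serving if the primary is down
        300 )        ; minimum / negative-caching TTL
; MNAME above names a public secondary, not the hidden host, so nothing in the
; public zone reveals or targets 192.0.2.10.
@   IN NS  ns1.example.com.
@   IN NS  ns2.example.com.
ns1 IN A   198.51.100.53
ns2 IN A   203.0.113.53
```

Two checks confirm the design from the outside: `dig @ns1.example.com example.com NS` should list only ns1 and ns2, and `dig @ns1.example.com example.com AXFR` from a host that is not the primary should be refused. On the primary's firewall, permit inbound TCP and UDP port 53 only from the secondaries' addresses; every other source, including the rest of the Internet, should not be able to reach it at all.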
DNS nameserver addressing methodologies
Like any server infrastructure, it is best practice to have redundancy built into the DNS infrastructure. There are two methods of addressing DNS nameservers:
The first is unicast. Broadly applied, unicast is communication from a single sender to a single receiver on a network. As it applies to the DNS, it is a one-to-one association between a network address and an endpoint: if the zone lists two nameservers (ns1 and ns2), each name resolves to one address and each address belongs to exactly one server or site. This does not preclude building redundancy into a unicast node (a load balancer or cluster behind the address) or having more than one node online to answer queries, but it does not afford the full suite of benefits of an anycast solution for external DNS resolution: every resolver in the world must reach that one site, and when the site is unreachable every query to its address fails until the resolver gives up and tries the next nameserver.
The second is anycast. Anycast is one of several routing schemes that can be used to control the flow of traffic across a network, typically implemented with the Border Gateway Protocol (BGP). With anycast DNS, multiple nodes that are copies of each other are geographically dispersed and each announces the same IP prefix. In this way, multiple servers sit behind identical IP addresses, and a query is answered by the node closest to the querying resolver in routing terms (the shortest BGP path), which is usually, but not always, the geographically closest node. Benefits of an anycast network include lower latency, increased redundancy (when a node fails or withdraws its announcement, traffic re-routes to the next closest node) and higher resilience to DNS DDoS attacks, since attack traffic is spread across many nodes and an attack that overwhelms one node only affects the resolvers that route to it.
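To make the "closest in routing terms" point concrete, here is an added example (not code from the original article or from any DNS provider): a toy model of anycast route selection over a small AS-level graph. It assumes a simplified BGP best-path rule, shortest AS path wins with ties broken by node name, and the AS graph, the node placement and the prefix are constructed for illustration only. It shows which node each resolver network lands on, that a node which is geographically closer can lose to one with a shorter path, that withdrawing one node moves its clients to the next closest node without loss of service, and, for contrast, that a unicast server in a single AS is simply unreachable when that AS is down.

```python
"""Toy model of how anycast picks the node that answers a DNS query.

Added example, not from the original article. Assumes a simplified BGP
best-path rule (shortest AS path wins; ties broken by node name as a stand-in
for BGP's later tie-breakers). The AS graph, node placement and prefix are
constructed for illustration and do not describe any real network.
"""
from collections import deque

ANYCAST_PREFIX = "203.0.113.0/24"   # constructed, RFC 5737 documentation range

# Constructed AS-level adjacency (undirected). Labels only hint at a city.
AS_LINKS = {
    "AS-TOR": ["AS-NYC", "AS-CHI"],
    "AS-NYC": ["AS-TOR", "AS-CHI", "AS-FRA"],
    "AS-CHI": ["AS-TOR", "AS-NYC", "AS-SFO"],
    "AS-SFO": ["AS-CHI", "AS-TYO"],
    "AS-FRA": ["AS-NYC", "AS-LON", "AS-SIN"],
    "AS-LON": ["AS-FRA"],
    "AS-SIN": ["AS-FRA", "AS-TYO"],
    "AS-TYO": ["AS-SFO", "AS-SIN"],
}

# The same prefix is announced from three nodes holding identical zone data.
ANYCAST_NODES = ["AS-TOR", "AS-LON", "AS-TYO"]

# Resolver networks sending queries to ANYCAST_PREFIX.
CLIENTS = ["AS-NYC", "AS-CHI", "AS-SFO", "AS-FRA", "AS-SIN"]


def as_path_lengths(links, origin, down=()):
    """Breadth-first search: AS-hop count from `origin` to every reachable AS.

    ASes listed in `down` are treated as removed from the graph (site outage,
    or a node that has withdrawn its announcement).
    """
    if origin in down:
        return {}
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for nb in links.get(cur, ()):
            if nb in down or nb in dist:
                continue
            dist[nb] = dist[cur] + 1
            queue.append(nb)
    return dist


def select_anycast_node(links, client_as, announcers, down=()):
    """Node whose announcement wins best-path selection at `client_as`, or None."""
    best = None
    for node in announcers:
        hops = as_path_lengths(links, node, down).get(client_as)
        if hops is None:
            continue                      # no route between this node and the client
        if best is None or (hops, node) < best:
            best = (hops, node)
    return best[1] if best else None


def anycast_catchment(links, announcers, clients, down=()):
    """Map each client AS to the anycast node that answers its queries."""
    return {c: select_anycast_node(links, c, announcers, down) for c in clients}


def unicast_reachable(links, client_as, server_as, down=()):
    """A unicast nameserver lives in exactly one AS: it is reachable or it is not."""
    return client_as in as_path_lengths(links, server_as, down)


if __name__ == "__main__":
    # AS-SFO is geographically nearer Toronto than Tokyo, but its one-hop path
    # to AS-TYO wins: anycast is "closest" in BGP terms, not in kilometres.
    print("normal:", anycast_catchment(AS_LINKS, ANYCAST_NODES, CLIENTS))
    # Toronto node withdrawn (outage, or pulled deliberately under attack):
    # its former clients land on the next-closest node; nobody loses service.
    print("TOR withdrawn:", anycast_catchment(AS_LINKS, ANYCAST_NODES, CLIENTS, down=("AS-TOR",)))
    # Unicast ns1 hosted only in Toronto: when that site is down it is gone for everyone.
    print("unicast ns1 from NYC, TOR down:",
          unicast_reachable(AS_LINKS, "AS-NYC", "AS-TOR", down=("AS-TOR",)))
```

Real BGP adds local preference, MED, path prepending and operator policy on top of path length, so production catchments are measured rather than predicted; operators typically confirm which node a resolver reaches by querying the `id.server` or `hostname.bind` CHAOS-class TXT record (or the NSID EDNS option) from several vantage points.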
Anycast for the secondary DNS service
Much like other organizational decisions, the provisioning of DNS secondary services comes down to a "build, buy, or both" decision. Whatever is chosen, adding an anycast secondary DNS service improves speed and resilience for the organization's web properties and services.
If a secondary DNS service architecture is already in place, whether in house or from a service provider, this does not preclude adding additional secondary DNS services: a zone can list as many nameservers as the organization chooses, and each new secondary only needs to be added to the NS records and to the primary's transfer and notify lists. By incrementally adding new services to their DNS, an IT manager can improve speed and resilience for their web properties and can get additional benefits from geo-focused services. For instance, CIRA runs the D-Zone Anycast DNS Service, which offers both global and local secondary nodes, where the local nodes are set up to serve Canadian traffic and to protect the Canadian traffic from external DDoS attacks. In business parlance, the D-Zone solution will help protect a company's Canadian audience and related objectives while also improving global reach through nodes located in Internet hubs around the world.
DDoS attacks on the DNS are a top operations threat with “one-third of DNS operators having experienced a customer-impacting attack” – Arbor 2016 Worldwide Infrastructure Security Report.