Gauging interest in secondary DNS

tetechtetech OG
edited January 12 in General

The quick version: interested in hearing whether you see a use for a cheap yet fully-featured secondary DNS service.

The more wordy version...

Background:
A few years back I posted about DNS offerings. I found nothing at a reasonable price point, so I built my own. It has the following characteristics:

  • Two anycast clusters for ns1 & ns2 (currently 3 POPs each: North America, Europe, APAC)
  • Responds to NOTIFY and supports AXFR in/out with TSIG authentication
  • Supports GeoDNS & LUA records in general
  • Supports failover both natively & via integration with monitoring tools like Hetrix & UptimeRobot
  • Can be updated via API (e.g. DDNS)
  • Supports DNSSEC (static signing only, i.e. GeoDNS breaks it)
  • Supports ANAME (with some limitations) and some custom record types I added

It's been running on fly.io for about 3 years and my usage (~20 domains) has been within their free tier, so it has cost me precisely $0.00.

The crunch:
In February, fly.io will start charging $2/month for anycast IPv4s. This means my setup will go from costing me $0/month to $4/month. Not a crisis, but I'm assessing whether to (a) bail out and use an existing provider, (b) just pay the $4, or (c) scale up and try to share the cost. Hence this post. I'd like to know whether you see a value in a secondary DNS with the characteristics above.

Maybe something like $10/yr for 50 domains with 1,000 total records? What really counts is the outbound bandwidth ($0.02/GB for NA/Europe POPs). It costs about $12/yr to add another POP to the anycast cluster, so you could potentially sponsor a POP close to you for that amount if you want.

Thanked by (1)FrankZ
Tagged:

Comments

  • FAQs:
    Why might I want to have a second DNS provider? To avoid having all your eggs in one basket. DNS providers can (and do) go down, albeit rarely.

    What is wrong with HE.net? Nothing. Personally I use it and have a high opinion of it. What I do is use 3 HE.net nameservers and 1 somewhere else. It is finding the "somewhere else" that is the challenge.

    Why is AXFR important? If you've bought into the idea of two DNS providers, you ideally want to maintain your DNS in one place (the 'primary'). The idea is that primary copy is transferred to multiple secondary DNS servers. For example, a copy to HE.net and a copy to another service.

    What's wrong with just using Cloudflare? A couple of issues. First, you can't use geo records for your origin servers unless you are on an expensive plan. If you have origin servers in North America & Europe, you have to pick one for CF to pull from. This actually means using CF can slow down some sites. Second, CF doesn't support AXFR.

    Could this be my primary DNS? Yes.

    Any SLA? No.

    Aren't there lots of competitors? Actually, no. Take a look at anycast DNS providers (eliminates Hetzner, BuddyNS, etc.) and then filter out the ones which don't support AXFR (eliminates AWS, NameCheap, Vultr, Bunny, gCore, CF, etc.). Then filter out the ones who charge per domain or where 10 domains puts you into an enterprise plan (that's eliminated GoDaddy and quite a few others). You're basically down to a few, such as HE.net & Dyn/Oracle, and that's before looking at monitoring, GeoDNS or any other features. Companies generally don't want to cannibalize their larger/expensive plans.

  • bro said fuck it and made it himself

    Thanked by (2)c1vhosting COLBYLICIOUS

    youtube.com/watch?v=k1BneeJTDcU

  • @Otus9051 said:
    bro said fuck it and made it himself

    I am pleased to see you are consistent in the level of helpfulness across your posts.

    Thanked by (2)tjn supriyo_biswas
  • @tetech said:

    @Otus9051 said:
    bro said fuck it and made it himself

    I am pleased to see you are consistent in the level of helpfulness across your posts.

    i am a lurker and a professional disturbance, not a helper

    youtube.com/watch?v=k1BneeJTDcU

  • @Otus9051 said:

    @tetech said:

    @Otus9051 said:
    bro said fuck it and made it himself

    I am pleased to see you are consistent in the level of helpfulness across your posts.

    i am a lurker and a professional disturbance, not a helper

    I would not grade you as professional in any respect.

  • @tetech said:

    @Otus9051 said:

    @tetech said:

    @Otus9051 said:
    bro said fuck it and made it himself

    I am pleased to see you are consistent in the level of helpfulness across your posts.

    i am a lurker and a professional disturbance, not a helper

    I would not grade you as professional in any respect.

    :pensive:

    youtube.com/watch?v=k1BneeJTDcU

  • Another "feature" which is orthogonal to the DNS but I put on the same fly.io container is a "www bouncer", which does a 301 on the apex for domain.com, sending it to www.domain.com. So pretty low traffic, but gets around the challenges of hosting a static site on S3 or a CDN. There's other ways, of course, but this is a way that seems to be recommended by CDN providers like Bunny, and putting it on anycast is OK in terms of speed & reliability.

    Thanked by (1)FrankZ
  • Aren't free DNS services, both primary and secondary, a dime a dozen out there, even besides CloudFlare and HE.net?

  • @tetech Open source it.

    Maybe something like $10/yr for 50 domains with 1,000 total records

    sponsor a POP

    That could work.

    Thanked by (1)tetech
  • @Joseph said:
    Aren't free DNS services, both primary and secondary, a dime a dozen out there, even besides CloudFlare and HE.net?

    Have you considered reading his post where he explains that they aren't for this particular purpose?

    @tetech said: Aren't there lots of competitors? Actually, no. Take a look at anycast DNS providers (eliminates Hetzner, BuddyNS, etc.) and then filter out the ones which don't support AXFR (eliminates AWS, NameCheap, Vultr, Bunny, gCore, CF, etc.). Then filter out the ones who charge per domain or where 10 domains puts you into an enterprise plan (that's eliminated GoDaddy and quite a few others). You're basically down to a few, such as HE.net & Dyn/Oracle, and that's before looking at monitoring, GeoDNS or any other features. Companies generally don't want to cannibalize their larger/expensive plans.

  • @skorous said:

    @tetech said: Aren't there lots of competitors? Actually, no. Take a look at anycast DNS providers (eliminates Hetzner, BuddyNS, etc.) and then filter out the ones which don't support AXFR (eliminates AWS, NameCheap, Vultr, Bunny, gCore, CF, etc.). Then filter out the ones who charge per domain or where 10 domains puts you into an enterprise plan (that's eliminated GoDaddy and quite a few others). You're basically down to a few, such as HE.net & Dyn/Oracle, and that's before looking at monitoring, GeoDNS or any other features. Companies generally don't want to cannibalize their larger/expensive plans.

    Doesn't IBM's NS1.com, among others not cited, fit what the OP is looking for?

    Thanked by (1)tetech
  • @Joseph said:

    Doesn't IBM's NS1.com, among others not cited, fit what the OP is looking for?

    See now that is a question that makes it clear you read the post and I am interested to see what @tetech says.

    His post says, "Aren't there a lot of competitors? Actually, no. ....." and details why a bunch of the big boys aren't right. So when your post was, "Aren't these a dime a dozen?" I kinda assumed you hadn't read it.

  • @Joseph said:

    @skorous said:

    @tetech said: Aren't there lots of competitors? Actually, no. Take a look at anycast DNS providers (eliminates Hetzner, BuddyNS, etc.) and then filter out the ones which don't support AXFR (eliminates AWS, NameCheap, Vultr, Bunny, gCore, CF, etc.). Then filter out the ones who charge per domain or where 10 domains puts you into an enterprise plan (that's eliminated GoDaddy and quite a few others). You're basically down to a few, such as HE.net & Dyn/Oracle, and that's before looking at monitoring, GeoDNS or any other features. Companies generally don't want to cannibalize their larger/expensive plans.

    Doesn't IBM's NS1.com, among others not cited, fit what the OP is looking for?

    Thanks for the suggestions. I never wanted to do it myself, so I'm happy if someone can suggest an existing solution. NS1 is great and I have used them for years for a couple of my most critical domains. They probably do deserve a more detailed consideration, so here's the issues:

    • Their free tier allows 500K queries and above that is $8 per million. Compare that to e.g. AWS $0.40/M. It gets real expensive real fast (I usually end up with an invoice from them each month).
    • They offer only one monitor & "smart record" (i.e. failover, GeoDNS, ...) on the free tier. You can get around the monitoring by integrating with Hetrix (I wrote a tutorial on how to do this). You can't get around the "smart record" limit without moving to another plan. One of many implications is that you can't do a failover for both IPv4 and IPv6 on their lowest tier.
    • There's some other limits on the number of domains/records, like 50 records total.
    • If the free tier doesn't work for you, the next step up was $45 per month last I checked, which for me is totally beyond budget.

    I'm happy to share my research, I was just trying not to make everything too long. I'll write it up in a separate post.

    Thanked by (3)skorous DanSummer wankel
  • tetechtetech OG
    edited January 13

    Here's the list of providers I looked at. They're colour-coded but it won't show up in the post.

    Provider Lowest cost AXFR Anycast Failover GeoDNS Note
    Alibaba $7/zone Yes Yes    
    AWS Route53 $0.50/zone No Yes Yes Yes Monitors are expensive or require a work-around
    BuddyNS Free Yes No No No No TSIG, 300K limit on free tier, handle failover at primary
    Bunny $1/mo No Yes Yes Yes Cannot edit NS records
    CloudCone Free No Yes     Limited documentation
    CloudFlare Free No Yes No No
    CloudfloorDNS $8/zone Yes Yes Yes Yes No TSIG, failover & GeoDNS significant extra cost
    ClouDNS Free Yes Yes Yes Yes 1 zone free, $5/mo for 75 zones, GeoDNS starts $10/mo for 1 zone
    Constellix $5/zone No Yes Yes Yes Additional zones $0.50, queries $0.40/M PAYG, supports AXFR but not NOTIFY
    deSEC Free No Yes No No
    Digital Ocean Free No Yes    
    DNSimple $0.50/zone Yes Yes No No AXFR only on $29+/mo plan
    DNSMadeEasy $19/mo Yes Yes Yes Yes "Smart records" require significantly more expensive plan
    DNSPod/Tencent Free No Yes No Yes Documentation unclear
    DurableDNS $15/yr/zone Yes No Yes No $6/M above 1M queries
    Dyn/Oracle Free Yes Yes Yes Yes $0.85/M queries PAYG, difficult to use
    EasyDNS $20/yr/zone No Yes Yes No Limited failover
    EdgeDirector $15/M No No Yes Yes Flat $15/M queries prepaid, AXFR unclear
    EntryDNS $18 once No Yes No No
    EuroDNS €0.90/zone No Yes No No
    ExoScale €1/zone No Yes No No Uses DNSimple
    Faelix £1/zone Yes Yes No No Failover at primary
    Gandi Free Yes Yes No No Only domains with them, failover at primary
    gCore Free No Yes Yes Yes Limits on "smart records" with PAYG tier
    Geoscaling Free Yes No Yes Yes "Smart records" require credits; unclear if NOTIFY supported
    GoDaddy premium $5.49/mo Yes Yes No No Flat rate per month
    Gransy/AnycastDNS $5/mo Yes Yes No No AXFR requires a separate plan from other zones; $5/M queries after 1M
    HE.net Free Yes Yes No No Handle failover at primary
    Hetzner Free Yes No No No Failover at primary
    Linode/Akamai Free Yes Yes No No Requires one VPS to be active ($5/mo); failover at primary
    LuaDNS Free Yes Yes No No Free plan 3 zones, next step $29/yr for 10 zones
    LunaNode Free No No Yes Yes Expected to be non-fre "at some point"
    NameCheap $3/yr/zone No Yes No No
    No-IP $20/yr/zone Yes Yes No No Failover at primary
    NS1 Free Yes Yes Yes Yes Limits on "smart records" and monitors, $8/M after 500K
    NS-Global Free Yes Yes No No No TSIG, handle failover at primary
    OVH $1.31/yr/zone No Yes No No AXFR not 100% sure
    Rage4 €2/zone Yes Yes Yes Yes "Smart records" require significantly more expensive plan
    Vultr Free No Yes No No
    Wedos Free Yes Yes No Yes Seems AXFR supported but not NOTIFY. "Smart records" require premium, cost unclear. May require domain with them.
    Zilore Free No Yes Yes Yes Free plan 5 zones; 10 zones $7.50/mo; "smart records" require significantly more expensive plan
    ZoneEdit Free No No No No Seems AXFR out supported but not in. "Free" but a complicated credit system.

    The table does not mention DNSSEC or access via API. If they're not on this list (e.g. Sectigo, Edgio, IronDNS, ...) it means I either forgot about them or can't find info without contacting sales.

  • bikegremlinbikegremlin ModeratorOGContent Writer
    edited January 13

    @tetech said:
    Here's the list of providers I looked at. They're colour-coded but it won't show up in the post.

    The table does not mention DNSSEC or access via API. If they're not on this list (e.g. Sectigo, Edgio, IronDNS, ...) it means I either forgot about them or can't find info without contacting sales.

    If it's of any help, I'd be happy to publish this on the io.bikegremlin.com - table and the relevant explanation (either with your forum nick credits, your real credentials, or completely anonymous - however you prefer - though I think it would be very good to add a link to this discussion thread either way, but not insisting on that).

    WordPress won't do colour-coding by table fields (only all or nothing :) ), but it will let me "insert" a normal HTML code section, so that's how I'd try to insert the table.

    Let me know if you think that's a good idea.

    Edit/update:

    Well, it seems like XenForo is quite good for that kind of work. So, that's another good option IMO:
    https://www.bikegremlin.net/forums/io-articles/

    Relja TheLibrarian Novović

    Thanked by (2)tetech FrankZ

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin said:

    @tetech said:
    Here's the list of providers I looked at. They're colour-coded but it won't show up in the post.

    The table does not mention DNSSEC or access via API. If they're not on this list (e.g. Sectigo, Edgio, IronDNS, ...) it means I either forgot about them or can't find info without contacting sales.

    If it's of any help, I'd be happy to publish this on the io.bikegremlin.com - table and the relevant explanation (either with your forum nick credits, your real credentials, or completely anonymous - however you prefer - though I think it would be very good to add a link to this discussion thread either way, but not insisting on that).

    WordPress won't do colour-coding by table fields (only all or nothing :) ), but it will let me "insert" a normal HTML code section, so that's how I'd try to insert the table.

    Let me know if you think that's a good idea.

    Edit/update:

    Well, it seems like XenForo is quite good for that kind of work. So, that's another good option IMO:
    https://www.bikegremlin.net/forums/io-articles/

    Relja TheLibrarian Novović

    Thanks for the offer, you can get HTML file here: https://misc-files.b-cdn.net/dns-comparison.html. If you feel there's additional benefit to putting it somewhere else that's fine, I don't need personal credit but linking back to LES would be appropriate, I think.

    To explain the colour-coding a little: I used 10 domains as a rough benchmark, so anything under $5-6/month for 10 domains is green, anything over is red, and orange means there's caveats that should be noted. For me, a row with red in any of the first three columns is eliminated as a viable solution.

    Thanked by (2)bikegremlin FrankZ
  • @tetech This thread piqued my interest, as I have been working for a while on a similar project to offer primary and secondary DNS backed by PowerDNS with API access. I also did a comparison table, though it looks like you have found a few more providers than I have.

    With respect to the question in your first message, if you intend to offer this as a paid service you'll have to figure out stuff like recurring billing, invoicing, taxes, support, acceptable usage policy and what to do if someone abuses your resources... All of this stuff will take quite a bit of your time, you may soon end up charging prices in line with the other providers in your table to justify the effort you put in.

    Thanked by (1)tetech
  • edited January 13

    Use pretty much any DNS providers and https://github.com/octodns/octodns/ to sync records across them.
    OctoDNS is supported by Free DNS providers such as Gcore and many more.

    There are similar "industry backed" solutions to OctoDNS but I cannot remember their name, when I find them I will post.

    edit, got it
    https://dnscontrol.org/ even more supported providers

    Thanked by (1)tetech
  • @treesmokah said:
    Use pretty much any DNS providers and https://github.com/octodns/octodns/ to sync records across them.
    OctoDNS is supported by Free DNS providers such as Gcore and many more.

    There are similar "industry backed" solutions to OctoDNS but I cannot remember their name, when I find them I will post.

    edit, got it
    https://dnscontrol.org/ even more supported providers

    Thanks, I'd seen these before. Yes, fair point, maybe they're enough for most people and makes what I'm thinking about too "niche". A few limitations:

    • GeoDNS. With my current setup, I just put a LUA record for GeoDNS and it gets propagated to the secondary via plain old AXFR. As they acknowledge themselves, syncing GeoDNS between providers with their tool is tricky.
    • Failover. Their tool isn't really designed to monitor and adjust in the event of failover, nor to tell the DNS provider how to.
    • API keys need to be stored. Some of those aren't fine-grained and are the "keys to the kingdom", unlike just a TSIG.

    Potentially what I could do is extend/fork the tool and add these capabilities. In other words, focus more on a "DNS orchestration" tool and leave the actual DNS resolvers to others. Hmm.

    @quicksilver03 said:
    @tetech This thread piqued my interest, as I have been working for a while on a similar project to offer primary and secondary DNS backed by PowerDNS with API access. I also did a comparison table, though it looks like you have found a few more providers than I have.

    With respect to the question in your first message, if you intend to offer this as a paid service you'll have to figure out stuff like recurring billing, invoicing, taxes, support, acceptable usage policy and what to do if someone abuses your resources... All of this stuff will take quite a bit of your time, you may soon end up charging prices in line with the other providers in your table to justify the effort you put in.

    Thanks for the comments. Good to have a "voice of reason". I'm also using PDNS on the backend.

    I've got a business registered for tax & the like, and I've got AUPs drafted from other projects, so the "compliance" side isn't daunting. But I don't really see it becoming a business. More like a "cooperative" where if 10-20 people (whatever number, didn't get to that yet) are interested we'd share the cost and have something that works pretty good for ourselves. I'd hope that would limit support & abuse overhead - definitely don't want to get my time sucked into that.

    I considered the abuse aspect and have some ideas swirling around, but still a work in progress. I do note that NS-Global is a free/volunteer project, and they seem to do OK by verifying the SOA contact.

    But your overall comment is well-taken, and given that most of the responses so far are somewhat skeptical, it is looking unlikely I'll open it up to others at this point. Either I'll just bail out of the project and pay an existing provider or I'll pay fly a bit to keep it as-is (for my own use).

    Thanked by (1)bikegremlin
  • Is going through all this trouble worth saving $4/month?

    Thanked by (1)marcopolio
  • Had a little time to spare on the weekend, so I looked into how much work it would be to extend the API for multiple 'tenants'. Looks like it is not too bad, a bit easier than I had expected, given most of it was already done (as described in the original post).

    Thanked by (1)treesmokah
  • After a bit of playing around, the current status...
    https://misc-files.b-cdn.net/basic-dns-demo.mp4

    I am not a UI guru :#

  • @tetech said:
    After a bit of playing around, the current status...
    https://misc-files.b-cdn.net/basic-dns-demo.mp4

    I am not a UI guru :#

    It doesn't look bad at all, good job.
    Any plans to release it publicly some day?

    Thanked by (1)tetech
  • @treesmokah said:

    @tetech said:
    After a bit of playing around, the current status...
    https://misc-files.b-cdn.net/basic-dns-demo.mp4

    I am not a UI guru :#

    It doesn't look bad at all, good job.
    Any plans to release it publicly some day?

    Maybe, just haven't thought that far ahead - it is in too rough shape right now.
    Good question and thanks for the feedback.

    After looking at the comments, what I'll probably do is some sort of "limited beta" where the parts I'm comfortable underwriting myself (i.e. free) are opened up for people to play with.

    What you've seen in the video is basically a halfway-decent PowerDNS admin tool which supports multiple 'tenants'. Next week I should have a video showing some of the more exotic stuff I've mentioned.

  • @tetech said:
    After a bit of playing around, the current status...
    https://misc-files.b-cdn.net/basic-dns-demo.mp4

    I am not a UI guru :#

    It looks much nicer than my own, interested in what you come up with.

    Thanked by (1)tetech
  • jadenjaden OG
    edited January 20

    @tetech said:
    After a bit of playing around, the current status...
    https://misc-files.b-cdn.net/basic-dns-demo.mp4

    I am not a UI guru :#

    I was expecting something much rougher, but the UI looked good to me, especially the modals. What UI / CSS framework did you use?

    Thanked by (1)tetech
  • @jaden said:

    @tetech said:
    After a bit of playing around, the current status...
    https://misc-files.b-cdn.net/basic-dns-demo.mp4

    I am not a UI guru :#

    I was expecting something much rougher, but the UI looked good to me, especially the modals. What UI / CSS framework did you use?

    Just plain tailwind.css and fontawesome for the icons, and velocity.js in a few places. On the stats page I'm using apexcharts, I should show that in the next video.

    Thanked by (1)jaden
  • Here's a short video showing how to do monitor integrations (with Hetrix & StatusCake) and API keys (e.g. dynamic DNS).
    https://misc-files.b-cdn.net/dns-monitor-demo.mp4

  • @tetech said:
    Here's a short video showing how to do monitor integrations (with Hetrix & StatusCake) and API keys (e.g. dynamic DNS).
    https://misc-files.b-cdn.net/dns-monitor-demo.mp4

    Hi! A bit late to the party.

    Anycast ip starts from 25 euros/monthly + plan the cheapest ( geo dns) on some players. Do you consider it as option. ? Most geo dns do not even offer it as a option.Another form is to buy from fly.io 2 euros ip anycast ip4v? Fairly cheaper than the another option.

    For anycast dns what you would recommend on the lowend part? I guess you have more knowledge than me about it.

    I was planning to experiment it. Load balancing+anycast ip(may be the cheaper fly.io ones) +anycast geo dns.

    What you would add to this plan for the crazy dentist??? ;)
    Many thanks once again

    I believe in the good luck. Harder than I work luckier i get.

Sign In or Register to comment.