Gauging interest in secondary DNS
The quick version: interested in hearing whether you see a use for a cheap yet fully-featured secondary DNS service.
The more wordy version...
Background:
A few years back I posted about DNS offerings. I found nothing at a reasonable price point, so I built my own. It has the following characteristics:
- Two anycast clusters for ns1 & ns2 (currently 3 POPs each: North America, Europe, APAC)
- Responds to NOTIFY and supports AXFR in/out with TSIG authentication
- Supports GeoDNS & LUA records in general
- Supports failover both natively & via integration with monitoring tools like Hetrix & UptimeRobot
- Can be updated via API (e.g. DDNS)
- Supports DNSSEC (static signing only, i.e. GeoDNS breaks it)
- Supports ANAME (with some limitations) and some custom record types I added
It's been running on fly.io for about 3 years and my usage (~20 domains) has been within their free tier, so it has cost me precisely $0.00.
The crunch:
In February, fly.io will start charging $2/month for anycast IPv4s. This means my setup will go from costing me $0/month to $4/month. Not a crisis, but I'm assessing whether to (a) bail out and use an existing provider, (b) just pay the $4, or (c) scale up and try to share the cost. Hence this post. I'd like to know whether you see a value in a secondary DNS with the characteristics above.
Maybe something like $10/yr for 50 domains with 1,000 total records? What really counts is the outbound bandwidth ($0.02/GB for NA/Europe POPs). It costs about $12/yr to add another POP to the anycast cluster, so you could potentially sponsor a POP close to you for that amount if you want.
FAQs:
Why might I want to have a second DNS provider? To avoid having all your eggs in one basket. DNS providers can (and do) go down, albeit rarely.
What is wrong with HE.net? Nothing. Personally I use it and have a high opinion of it. What I do is use 3 HE.net nameservers and 1 somewhere else. It is finding the "somewhere else" that is the challenge.
Why is AXFR important? If you've bought into the idea of two DNS providers, you ideally want to maintain your DNS in one place (the 'primary'). The idea is that the primary copy is transferred to multiple secondary DNS servers. For example, a copy to HE.net and a copy to another service.
What's wrong with just using Cloudflare? A couple of issues. First, you can't use geo records for your origin servers unless you are on an expensive plan. If you have origin servers in North America & Europe, you have to pick one for CF to pull from. This actually means using CF can slow down some sites. Second, CF doesn't support AXFR.
Could this be my primary DNS? Yes.
Any SLA? No.
Aren't there lots of competitors? Actually, no. Take a look at anycast DNS providers (eliminates Hetzner, BuddyNS, etc.) and then filter out the ones which don't support AXFR (eliminates AWS, NameCheap, Vultr, Bunny, gCore, CF, etc.). Then filter out the ones who charge per domain or where 10 domains puts you into an enterprise plan (that's eliminated GoDaddy and quite a few others). You're basically down to a few, such as HE.net & Dyn/Oracle, and that's before looking at monitoring, GeoDNS or any other features. Companies generally don't want to cannibalize their larger/expensive plans.
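The NOTIFY/AXFR/TSIG mechanism behind those FAQ answers, as an added example that is not the OP's code: a standard-library Python implementation of TSIG (RFC 8945) signing and verification for an AXFR request, i.e. the check a primary makes before handing a zone to a secondary (and a secondary makes before trusting a NOTIFY). The zone name, key name and secret are constructed, and names are assumed to be uncompressed.

```python
import hashlib, hmac, struct

ALG = "hmac-sha256."   # TSIG algorithm name (RFC 8945); names are assumed uncompressed

def wire_name(name):
    # canonical (lowercase) wire form: length-prefixed labels ending in a zero byte
    labels = [l.lower().encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def read_name(buf, i):
    labels = []
    while buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode()); i += buf[i] + 1
    return ".".join(labels) + ".", i + 1

def axfr_query(zone, msg_id):
    # header with QDCOUNT=1, then one question: <zone> AXFR(252) IN(1)
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_vars(key_name, alg, ts, fudge, error=0, other=b""):
    # the "TSIG variables" that are MACed after the message itself (RFC 8945 section 4.3.3)
    return (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)
            + struct.pack("!HIHHH", ts >> 32, ts & 0xFFFFFFFF, fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, now, fudge=300):
    mac = hmac.new(secret, msg + tsig_vars(key_name, ALG, now, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))   # original ID, error=0, other len=0
    rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1      # TSIG is the last RR of the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, keys, now):
    """What the receiving server checks on a signed message. keys: key name -> secret. Returns (ok, rcode)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12]); i = 12
    if ar == 0: return False, "BADKEY"                   # unsigned message, no TSIG RR to check
    for _ in range(qd): i = read_name(signed, i)[1] + 4
    for _ in range(an + ns + ar - 1):                     # skip every RR except the trailing TSIG
        i = read_name(signed, i)[1]
        i += 10 + struct.unpack("!H", signed[i + 8:i + 10])[0]
    start = i; key_name, i = read_name(signed, i)
    rtype = struct.unpack("!H", signed[i:i + 2])[0]; i += 10   # TYPE, CLASS, TTL, RDLENGTH
    alg, i = read_name(signed, i)
    if rtype != 250 or key_name not in keys or alg != ALG: return False, "BADKEY"
    hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[i:i + 10]); i += 10
    mac, i, ts = signed[i:i + macsize], i + macsize, (hi << 32) | lo
    _, error, olen = struct.unpack("!HHH", signed[i:i + 6]); other = signed[i + 6:i + 6 + olen]
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:start]   # message as the sender MACed it
    expected = hmac.new(keys[key_name], unsigned + tsig_vars(key_name, alg, ts, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected): return False, "BADSIG"
    return (False, "BADTIME") if abs(now - ts) > fudge else (True, "NOERROR")
```

A tampered question, a wrong secret, an unknown key name or a clock skew beyond the fudge window each produce the RFC's distinct error, which is what you want to see in your secondary's logs when a transfer is refused.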
bro said fuck it and made it himself
youtube.com/watch?v=k1BneeJTDcU
I am pleased to see you are consistent in the level of helpfulness across your posts.
i am a lurker and a professional disturbance, not a helper
youtube.com/watch?v=k1BneeJTDcU
I would not grade you as professional in any respect.
youtube.com/watch?v=k1BneeJTDcU
Another "feature" which is orthogonal to the DNS but I put on the same fly.io container is a "www bouncer", which does a 301 on the apex for domain.com, sending it to www.domain.com. So pretty low traffic, but gets around the challenges of hosting a static site on S3 or a CDN. There are other ways, of course, but this is a way that seems to be recommended by CDN providers like Bunny, and putting it on anycast is OK in terms of speed & reliability.
Aren't free DNS services, both primary and secondary, a dime a dozen out there, even besides CloudFlare and HE.net?
@tetech Open source it.
That could work.
Have you considered reading his post where he explains that they aren't for this particular purpose?
Doesn't IBM's NS1.com, among others not cited, fit what the OP is looking for?
See now that is a question that makes it clear you read the post and I am interested to see what @tetech says.
His post says, "Aren't there a lot of competitors? Actually, no. ....." and details why a bunch of the big boys aren't right. So when your post was, "Aren't these a dime a dozen?" I kinda assumed you hadn't read it.
Thanks for the suggestions. I never wanted to do it myself, so I'm happy if someone can suggest an existing solution. NS1 is great and I have used them for years for a couple of my most critical domains. They probably do deserve a more detailed consideration, so here are the issues:
I'm happy to share my research, I was just trying not to make everything too long. I'll write it up in a separate post.
Here's the list of providers I looked at. They're colour-coded but it won't show up in the post.
The table does not mention DNSSEC or access via API. If they're not on this list (e.g. Sectigo, Edgio, IronDNS, ...) it means I either forgot about them or can't find info without contacting sales.
If it's of any help, I'd be happy to publish this on the io.bikegremlin.com - table and the relevant explanation (either with your forum nick credits, your real credentials, or completely anonymous - however you prefer - though I think it would be very good to add a link to this discussion thread either way, but not insisting on that).
WordPress won't do colour-coding by table fields (only all or nothing), but it will let me "insert" a normal HTML code section, so that's how I'd try to insert the table.
Let me know if you think that's a good idea.
Edit/update:
Well, it seems like XenForo is quite good for that kind of work. So, that's another good option IMO:
https://www.bikegremlin.net/forums/io-articles/
Relja TheLibrarian Novović
Thanks for the offer, you can get HTML file here: https://misc-files.b-cdn.net/dns-comparison.html. If you feel there's additional benefit to putting it somewhere else that's fine, I don't need personal credit but linking back to LES would be appropriate, I think.
To explain the colour-coding a little: I used 10 domains as a rough benchmark, so anything under $5-6/month for 10 domains is green, anything over is red, and orange means there are caveats that should be noted. For me, a row with red in any of the first three columns is eliminated as a viable solution.
@tetech This thread piqued my interest, as I have been working for a while on a similar project to offer primary and secondary DNS backed by PowerDNS with API access. I also did a comparison table, though it looks like you have found a few more providers than I have.
With respect to the question in your first message, if you intend to offer this as a paid service you'll have to figure out stuff like recurring billing, invoicing, taxes, support, acceptable usage policy and what to do if someone abuses your resources... All of this stuff will take quite a bit of your time, you may soon end up charging prices in line with the other providers in your table to justify the effort you put in.
Use pretty much any DNS providers and https://github.com/octodns/octodns/ to sync records across them.
OctoDNS is supported by Free DNS providers such as Gcore and many more.
There are similar "industry backed" solutions to OctoDNS but I cannot remember their name, when I find them I will post.
edit, got it
https://dnscontrol.org/ even more supported providers
Thanks, I'd seen these before. Yes, fair point, maybe they're enough for most people and make what I'm thinking about too "niche". A few limitations:
Potentially what I could do is extend/fork the tool and add these capabilities. In other words, focus more on a "DNS orchestration" tool and leave the actual DNS resolvers to others. Hmm.
Thanks for the comments. Good to have a "voice of reason". I'm also using PDNS on the backend.
I've got a business registered for tax & the like, and I've got AUPs drafted from other projects, so the "compliance" side isn't daunting. But I don't really see it becoming a business. More like a "cooperative" where if 10-20 people (whatever number, didn't get to that yet) are interested we'd share the cost and have something that works pretty well for ourselves. I'd hope that would limit support & abuse overhead - definitely don't want to get my time sucked into that.
I considered the abuse aspect and have some ideas swirling around, but still a work in progress. I do note that NS-Global is a free/volunteer project, and they seem to do OK by verifying the SOA contact.
But your overall comment is well-taken, and given that most of the responses so far are somewhat skeptical, it is looking unlikely I'll open it up to others at this point. Either I'll just bail out of the project and pay an existing provider or I'll pay fly a bit to keep it as-is (for my own use).
Is going through all this trouble worth saving $4/month?
Had a little time to spare on the weekend, so I looked into how much work it would be to extend the API for multiple 'tenants'. Looks like it is not too bad, a bit easier than I had expected, given most of it was already done (as described in the original post).
After a bit of playing around, the current status...
https://misc-files.b-cdn.net/basic-dns-demo.mp4
I am not a UI guru
It doesn't look bad at all, good job.
Any plans to release it publicly some day?
Maybe, just haven't thought that far ahead - it is in too rough shape right now.
Good question and thanks for the feedback.
After looking at the comments, what I'll probably do is some sort of "limited beta" where the parts I'm comfortable underwriting myself (i.e. free) are opened up for people to play with.
What you've seen in the video is basically a halfway-decent PowerDNS admin tool which supports multiple 'tenants'. Next week I should have a video showing some of the more exotic stuff I've mentioned.
It looks much nicer than my own, interested in what you come up with.
I was expecting something much rougher, but the UI looked good to me, especially the modals. What UI / CSS framework did you use?
Just plain tailwind.css and fontawesome for the icons, and velocity.js in a few places. On the stats page I'm using apexcharts, I should show that in the next video.
Here's a short video showing how to do monitor integrations (with Hetrix & StatusCake) and API keys (e.g. dynamic DNS).
https://misc-files.b-cdn.net/dns-monitor-demo.mp4
Hi! A bit late to the party.
Anycast IP starts from 25 euros/month + plan (the cheapest one with GeoDNS) with some players. Do you consider it an option? Most GeoDNS providers do not even offer it as an option. Another way is to buy the 2 euro anycast IPv4 from fly.io? Fairly cheaper than the other option.
For anycast DNS, what would you recommend on the low-end side? I guess you have more knowledge about it than me.
I was planning to experiment with it: load balancing + anycast IP (maybe the cheaper fly.io ones) + anycast GeoDNS.
What would you add to this plan for the crazy dentist???
Many thanks once again