Alternatives to Cloudflare for DNS hosting?

umiumi Member
edited July 18 in Outages

Which domain registrars' control panels and DNS hosting services were not affected by the Cloudflare downtime?
The first thing I tried during the outage was to move DNS hosting from CF to Vultr, where I had backup DNS records for my domains, but Vultr was also down, so I didn't even bother to check Porkbun's control panel availability.

Comments

  • tetechtetech Member

    Basically anyone who doesn't resell. Major players like DNSME/Constellix, NS1, Route53, HE, Oracle, ...

    Thanked by 1umi
  • JasonMJasonM Member

    Try GoDaddy DNS, it's quite stable.

    Good Morning!!

  • umiumi Member
    edited July 18

    Can anyone confirm that https://dns.he.net/ and domains hosted there were working during CF's outage? https://downdetector.com/status/he/ tells us it was OK.

  • ricardoricardo Member

    The correct thing to do is use more than one provider, so use one CF nameserver and another provider's. That way your site still resolves if one goes down.

    If it's very important you're up all the time, have a short TTL so you can quickly remove the non-functioning nameserver.

    Thanked by 5umi Aidan Pwner bdl alwyzon
  • rm_rm_ Member

    Just get two DDoS-protected VPSes from different providers and run your own. nsd is easy to set up.

  • cloudns.net?

    Thanked by 1AlwaysSkint
  • tetechtetech Member

    @umi said:
    Can anyone confirm that https://dns.he.net/ and domains hosted there were working during CF's outage? https://downdetector.com/status/he/ tells us it was OK.

    HE was up. I use it.

    Thanked by 1umi
  • umiumi Member

    @rm_ said:
    Just get two DDoS-protected VPSes from different providers and run your own. nsd is easy to set up.

    Yes, I agree that if you want something done right, it's better to do it yourself!
    I can set up PowerDNS on my VPSes, even anycasted ones, but how do I integrate my nameservers with the other provider's nameservers, which I normally use because of better PoPs and latency?

  • tetechtetech Member

    @ricardo said: The correct thing to do is use more than one provider, so use one CF nameserver and another provider's. That way your site still resolves if one goes down.

    Yes. And preferably neither of them is CF :)

  • tetechtetech Member

    @rm_ said:
    Just get two DDoS-protected VPSes from different providers and run your own. nsd is easy to set up.

    I do that with 4 servers where latency isn't a big deal. But if you want good lookup times worldwide, then anycast DNS is preferable.

  • tetechtetech Member

    @umi said:

    @rm_ said:
    Just get two DDoS-protected VPSes from different providers and run your own. nsd is easy to set up.

    Yes, I agree that if you want something done right, it's better to do it yourself!
    I can set up PowerDNS on my VPSes, even anycasted ones, but how do I integrate my nameservers with the other provider's nameservers, which I normally use because of better PoPs and latency?

    Decent providers will act as secondary servers and pull the records via AXFR.

    Thanked by 1AlwaysSkint
  • umiumi Member

    Does HE have an API to change records from scripts?

  • rm_rm_ Member

    because of better PoPs and latency?

    Just start simple and you'll be surprised how well the modern Internet actually works; you might not need a dozen PoPs or anycast to provide a decently working service.

    if you want good lookup times worldwide

    Could be important if your site earns you money via selling products with worldwide delivery, but for most people it's not like that, and typically a couple of well-picked locations will do the job just fine for the majority of visitors.

    Thanked by 2quicksilver03 pbx
  • umiumi Member
    edited July 18

    Yes, I have BuyVM's anycasted VPSes in Las Vegas, New York and Luxembourg and latencies are quite nice in the US and Europe, but when my Las Vegas node went down, the whole US West coast was routed into a black hole until support rebooted the VPS. So I'll need more nameservers to make the setup more reliable. And when I added one more unicast nameserver located on the US West coast, the latencies from Europe went south whenever that nameserver was selected. So I'll need a second independent ring of anycasted VPSes to handle that.

  • NeoonNeoon Member

    As @rm_ said, get at least 2 PoPs; one should at least have anti-DDoS.
    The point you miss is the TTL: the client looks up your domain once, and for 1 hour or longer it keeps the entry.

    So whether the response takes 20ms or 120ms does not really matter.
    Plus, put them on different networks so what happened with CF won't happen to you.

  • tetechtetech Member

    @rm_ said:

    because of better PoPs and latency?

    Just start simple and you'll be surprised how well the modern Internet actually works; you might not need a dozen PoPs or anycast to provide a decently working service.

    if you want good lookup times worldwide

    Could be important if your site earns you money via selling products with worldwide delivery, but for most people it's not like that, and typically a couple of well-picked locations will do the job just fine for the majority of visitors.

    Depends on the circumstances. For many, you're probably right. Some of my sites are getting decent amounts of traffic from places like Australia. Doing a transpac lookup adds around 250 msec. Even if page load dependencies are optimized, it is easy to end up with 2-3 blocking lookups and suddenly the page load is over 1 sec, mostly due to DNS. Adding an NS in Australia is not the answer, because clients pick a random one, so there's as much chance of someone in North America using the Australian NS.

    Therefore, for frontends I am not using my own NS.

    Thanked by 1umi
  • tetechtetech Member

    @umi said:
    Does HE have an API to change records from scripts?

    No. Only dynamic DNS.

  • SplitIceSplitIce Member, Provider

    If you're a customer of ours, we resell Rage4 and include a couple of free zones with every service.

    They have been acceptably stable over the years.

    Thanked by 1umi
  • umiumi Member

    @tetech said:

    @umi said:
    Does HE have an API to change records from scripts?

    No. Only dynamic DNS.

    Dynamic DNS might actually work.
    I made a test setup with HE and marked www.mydomain.com as dynamic.
    So I can use curl to set www.mydomain.com to any IP address I need, automatically via script.
    The minimum TTL is 300 seconds, which is OK for my needs. That means up to 300 seconds of downtime if I need to switch my backends, which is still better than 30 minutes with Cloudflare.

  • tetechtetech Member

    @umi said:

    @tetech said:

    @umi said:
    Does HE have an API to change records from scripts?

    No. Only dynamic DNS.

    Dynamic DNS might actually work.
    I made a test setup with HE and marked www.mydomain.com as dynamic.
    So I can use curl to set www.mydomain.com to any IP address I need, automatically via script.
    The minimum TTL is 300 seconds, which is OK for my needs. That means up to 300 seconds of downtime if I need to switch my backends, which is still better than 30 minutes with Cloudflare.

    Yep. That might be enough. A better solution is to run your own primary NS and use HE as secondary via AXFR. Like ricardo said, it's better to have two different providers in case HE goes down, and AXFR would update both automatically without you needing to 'curl' each one. For example, also use the NS1 free tier. BuddyNS is good as a failover (you can pick NS locations but not anycast on the free tier).

    Thanked by 2umi AlwaysSkint
  • pbxpbx Member
    edited July 18

    @umi said: Vultr was also down

    This is strange as they appear to host DNS servers on their own network. Did you investigate a bit to see if this was related to the outage at CF?

    That being said, while it's great to look for CF alternatives rather than putting all your eggs in the same basket, incidents at CF are taken care of quickly. They monitor their shit and act accordingly: not sure smaller players are necessarily better (as far as uptime is concerned; privacy and centralisation are different issues).

    Thanked by 1vimalware
  • umiumi Member
    edited July 18

    @pbx said:

    @umi said: Vultr was also down

    This is strange as they appear to host DNS servers on their own network. Did you investigate a bit to see if this was related to the outage at CF?

    That being said, while it's great to look for CF alternatives rather than putting all your eggs in the same basket, incidents at CF are taken care of quickly. They monitor their shit and act accordingly: not sure smaller players are necessarily better (as far as uptime is concerned; privacy and centralisation are different issues).

    The link https://my.vultr.com/dns/ was inaccessible during the CF outage and came back up as soon as the outage was over. Looks like they have CF somewhere in the frontend, or both of my providers are using CF DNS resolvers, which is highly unlikely. Anyone else with the Vultr control panel down during the CF outage? In addition, I think that a 30-minute mess-up for a company like CF is a quite serious signal to avoid them.

  • umiumi Member
    edited July 18

    @tetech said:

    @umi said:

    @tetech said:

    @umi said:
    Does HE have an API to change records from scripts?

    No. Only dynamic DNS.

    Dynamic DNS might actually work.
    I made a test setup with HE and marked www.mydomain.com as dynamic.
    So I can use curl to set www.mydomain.com to any IP address I need, automatically via script.
    The minimum TTL is 300 seconds, which is OK for my needs. That means up to 300 seconds of downtime if I need to switch my backends, which is still better than 30 minutes with Cloudflare.

    Yep. That might be enough. A better solution is to run your own primary NS and use HE as secondary via AXFR. Like ricardo said, it's better to have two different providers in case HE goes down, and AXFR would update both automatically without you needing to 'curl' each one. For example, also use the NS1 free tier. BuddyNS is good as a failover (you can pick NS locations but not anycast on the free tier).

    Yes, as a next step I'll try to set up this: https://blog.zswap.net/dns-slave-setup-with-hurricane-electric-free-dns/
    I like the idea of the shadow master DNS setup.

  • I use a combination of my own cross-Atlantic/Pacific nameservers, with either ClouDNS or BuddyDNS secondaries. Has been pretty reliable, touch wood.

    Thanked by 1umi


  • tetechtetech Member

    @umi said:

    @tetech said:

    @umi said:

    @tetech said:

    @umi said:
    Does HE have an API to change records from scripts?

    No. Only dynamic DNS.

    Dynamic DNS might actually work.
    I made a test setup with HE and marked www.mydomain.com as dynamic.
    So I can use curl to set www.mydomain.com to any IP address I need, automatically via script.
    The minimum TTL is 300 seconds, which is OK for my needs. That means up to 300 seconds of downtime if I need to switch my backends, which is still better than 30 minutes with Cloudflare.

    Yep. That might be enough. A better solution is to run your own primary NS and use HE as secondary via AXFR. Like ricardo said, it's better to have two different providers in case HE goes down, and AXFR would update both automatically without you needing to 'curl' each one. For example, also use the NS1 free tier. BuddyNS is good as a failover (you can pick NS locations but not anycast on the free tier).

    Yes, as a next step I'll try to set up this: https://blog.zswap.net/dns-slave-setup-with-hurricane-electric-free-dns/
    I like the idea of the shadow master DNS setup.

    Sounds like a good plan. Remember to block access to your primary NS to IPs other than HE (216.218.133.2). Good to do this in both firewall and in the DNS software (in bind, allow-transfer { 216.218.133.2; };).

    Thanked by 1umi
  • umiumi Member

    HE.net has 5 anycasted nameservers on 2 different networks and the response time is pretty decent unless you are in Australia.

  • tetechtetech Member

    @umi said:
    HE.net has 5 anycasted nameservers on 2 different networks and the response time is pretty decent unless you are in Australia.

    Yeah, Australian queries to HE get routed to Tokyo (around 100 msec).

  • I honestly doubt my ability to get better network uptime for my DNS by self-hosting, compared to CF.

    It's fine as a learning exercise. Be sure to budget time to fighting some fires.

    Thanked by 1pbx


  • umiumi Member
    edited July 18

    If I'd gone the HE route instead of CF from the beginning, then yesterday would have been as smooth as usual. But instead a bunch of people went nervous for half an hour. So far the plan is to use HE with AXFR zone transfer from my leading DNS server, and maybe I'll add 1 anycasted BuyVM IP to this setup later.

    Thanked by 1pbx
  • umiumi Member
    edited July 18

    AXFR transfer to HE.net works OK. After changes to the zone are made and the SOA serial is increased, the command "pdns_control notify domain.com" sends UDP NOTIFY packets to all slave DNS servers and shortly after that the AXFR transfer is complete. This way I can change any zone records, including CNAMEs. But if you need to change an A record only (for load balancing/failover) then the dynamic DNS approach is better, as you can use HTTPS while updating your dynamic IP. Next question: how secure are AXFR zone transfers? Of course TCP access on port 53 is restricted to allowed IPs both in pdns and in the firewall. I see a mention of TSIG in the AXFR setup dialogue.

  • rm_rm_ Member
    edited July 18

    Well, HE.net is not the ultimate solution either. I actually migrated off HE and decided to run my own DNS back then, because of a multiple-hour outage that they had. OK, that was in 2013. Maybe they have improved by now. But still, it sucked to feel that all my sites are down and I cannot do anything, not even yell and complain at them much, since it is just a free service.

  • umiumi Member
    edited July 18

    OK. I have 2 NS records of HE.net and 2 NS records of my DNS servers. In case HE.net is not capable of answering requests, or doesn't want to, there are still my servers. Is this setup still able to answer requests (although a bit slower due to timeouts/next NS server retries) till this situation is detected and the unresponsive nameservers are removed from the domain registrar's control panel?

    Let's set the SOA TTL to 300 seconds and check the nameservers every 300 seconds with test requests. Maybe not all at once, just 1 in round-robin fashion every 300 seconds. I'm interested to see the behavior of 2 unresponsive nameservers next to 2 still working. The problem, I guess, is the unresponsiveness of a nameserver. If it returns an error then the resolver should immediately jump to the next one. But if it is black-holed then there will be timeouts and the request might take too long...

    Has anyone seen a domain registrar with the ability to edit nameservers with a script/API?

  • tetechtetech Member

    @umi said:
    OK. I have 2 NS records of HE.net and 2 NS records of my DNS servers. In case HE.net is not capable of answering requests, or doesn't want to, there are still my servers. Is this setup still able to answer requests (although a bit slower due to timeouts/next NS server retries) till this situation is detected and the unresponsive nameservers are removed from the domain registrar's control panel?

    Let's set the SOA TTL to 300 seconds and check the nameservers every 300 seconds with test requests. Maybe not all at once, just 1 in round-robin fashion every 300 seconds. I'm interested to see the behavior of 2 unresponsive nameservers next to 2 still working. The problem, I guess, is the unresponsiveness of a nameserver. If it returns an error then the resolver should immediately jump to the next one. But if it is black-holed then there will be timeouts and the request might take too long...

    Has anyone seen a domain registrar with the ability to edit nameservers with a script/API?

    This setup is fine. Most resolvers have a short timeout and move to the next NS (or some hit all definitive NS in parallel and take the first valid reply). This is why you're required to supply two NS records.

    FWIW, I've been using a combination of NS1, HE, Softlayer, Oracle, LunaNode and my own NS for years. Each of these has different pros/cons making them better/worse for particular cases, e.g. some have a free tier, some are not anycast, some allow shorter TTL, etc. Most of them run as secondary so I only do updates on my own master and don't have to juggle many services.

    Thanked by 2pbx umi
  • umiumi Member
    edited July 19

    After some experimenting I have interesting results. Same setup: 2 NS of HE.net, 2 NS of my own. I have blackholed my nameservers with iptables so they did not respond with any answer, no good or bad record, nothing, to imitate the complete outage like we had with CF yesterday. And with a 50% chance, when the resolver got the "unresponsive" nameserver, the total DNS resolving timeout was around 4 seconds, both for Chrome and Firefox. wget and dig showed a timeout of 2 seconds with the Cloudflare resolver, 3-4 seconds with the Google and Quad9 resolvers. The key component here is the unresponsiveness of a nameserver. If it is able to say anything, even SERVFAIL, then it would not affect the response time that much; just one more RTT to the anycasted server. That's the way the cookie crumbles...

    That was using webpagetest and gtmetrix. In real life with real browsers I don't see the huge delay. iPhone's Safari is snappy. Firefox, Firefox Nightly and Chrome show the page "as usual" without the 4 seconds of waiting time for sure. The https://tools.keycdn.com/performance test shows that resolvers are learning to ignore "bad" nameservers pretty fast. This may well be the SRTT feature in action. https://www.uptrends.com/tools/cdn-performance-check shows that initially lots of requests took up to 3-4, some even 8 seconds. Then with the second and third run they are almost all within the milliseconds range.

    Thanked by 2bdl vimalware
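    A small probe for the two things this part of the thread turns on: the difference between a nameserver that answers quickly with an error (one extra RTT) and one that is blackholed (nothing until the timeout), and a check that a primary refuses AXFR to anyone but its secondary, as tetech recommended earlier. This is an added example, not code from any poster; the names and RFC 5737 addresses in NAMESERVER_IPS are constructed placeholders, and the "example.com." zone is hypothetical.

```python
import random
import socket
import struct
import time

# Constructed example addresses (RFC 5737 ranges); substitute your own servers.
NAMESERVER_IPS = {"ns1.example.com.": "192.0.2.53", "ns2.example.com.": "198.51.100.53"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}

def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Wire-format query (qtype 1 = A, 252 = AXFR): header with RD set, QNAME, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(data: bytes, qid: int) -> dict:
    """Read id, RCODE and ANCOUNT from a raw response; the id must echo our query."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id_ok": rid == qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": ancount}

def classify(resp: "dict | None") -> str:
    """'answered': usable reply; 'error': fast negative a resolver skips in one RTT; 'timeout': blackholed."""
    if resp is None:
        return "timeout"
    if resp.get("id_ok") and resp.get("rcode") == "NOERROR" and resp.get("answers", 0) > 0:
        return "answered"
    return "error"

def probe(server_ip: str, name: str = "www.example.com.", timeout: float = 2.0) -> "tuple[str, float]":
    """One UDP A query straight at an authoritative server; returns (verdict, seconds taken)."""
    qid, start = random.randrange(1 << 16), time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server_ip, 53))
        try:
            resp = parse_header(s.recvfrom(512)[0], qid)
        except socket.timeout:
            resp = None  # nothing came back at all: the slow case from the experiment
        except OSError:
            resp = {}    # e.g. ICMP port unreachable: fails fast, like a SERVFAIL
    return classify(resp), time.monotonic() - start

def axfr_refused(server_ip: str, zone: str = "example.com.", timeout: float = 5.0) -> bool:
    """True when the primary declines AXFR to this host, as it should from any IP but the secondary's."""
    qid = random.randrange(1 << 16)
    q = build_query(zone, qid, qtype=252)
    with socket.create_connection((server_ip, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)  # DNS over TCP: 2-byte length prefix
        data = s.recv(4096)
        while len(data) < 14 and (chunk := s.recv(4096)):  # need prefix + 12-byte header
            data += chunk
    if len(data) < 14:
        return True  # connection closed without any transfer
    hdr = parse_header(data[2:], qid)
    return hdr["rcode"] != "NOERROR" or hdr["answers"] == 0

if __name__ == "__main__":
    print({ns: (*probe(ip), axfr_refused(ip)) for ns, ip in NAMESERVER_IPS.items()})
```

    Run probe() against each authoritative server on the 300-second round robin described above and axfr_refused() from a host that is not the secondary; a run of "timeout" verdicts is the blackhole case that added seconds to lookups, while "error" verdicts cost resolvers only one extra RTT.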
  • DylanDylan Member

    @pbx said: That being said, while it's great to look for CF alternatives rather than putting all your eggs in the same basket, incidents at CF are taken care of quickly. They monitor their shit and act accordingly: not sure smaller players are necessarily better (as far as uptime is concerned; privacy and centralisation are different issues).

    Yeah, I think it's important to remember that every vendor has outages, and CF's overall uptime is still excellent. You just don't hear about it when the small companies go down because half the internet doesn't notice. That said, if you really want the best, go with Akamai -- I don't think they've had a major DNS outage in at least 5 years -- but know you're gonna pay a hefty premium.

  • DazzleDazzle Member
    edited July 19

    Damn.. didn't read


  • LTnigerLTniger Member

    Imperva.

  • @SplitIce said:
    If you're a customer of ours, we resell Rage4 and include a couple of free zones with every service.

    They have been acceptably stable over the years.

    Is it possible to access the rage4 API (say, for DDNS) through your service?

  • SplitIceSplitIce Member, Provider

    @sgheghele we can create subaccounts for anyone who needs more than our panel provides.
