There are many ways to handle external DNS, but some are much, much better than others.

DNS is one of those simple facts of life that bears worrying about. It's absolutely, completely, totally indispensable and very easy to maintain, yet it can render entire datacenters irrelevant when it breaks or becomes unavailable — which is why you probably shouldn't be running your own external DNS.

Most companies have an external presence that's run from a colocation facility or Web hosting shop. Others host their own Web site at their own location (but probably shouldn't). Either way, running a full master DNS on your own servers isn't a great idea. On the other hand, hosting provider and ISP DNS management tools are generally less than stellar. What's the solution? Run a stealth master DNS server.

[ For more on the perils of DNS, read Roger Grimes' take on the DNS cache exploit discovered by Dan Kaminsky last year. ]

I've been doing exactly this for years for many public sites with great success. All you need is a DNS server running on one of your own hosted boxes and a hosting provider that supports stealth master configurations. Not all do, but most actually prefer this scheme.

To run a stealth master, your server(s) hold the master zones for whatever domain names you wish. Your hosting provider's big DNS boxes are then slaved to your master for those zones. However, the NS records for those domains reference only your provider's DNS servers, not yours. The end result is that all DNS queries are answered by your hosting provider, yet you retain complete control over the domain records: when you make a change on your DNS server, notifies are sent to the hosting provider's servers, which update nearly instantly. It's the best of both worlds.

In this scenario, you all but guarantee that no matter what state your hosted servers (and external infrastructure like e-mail, VPN, and whatnot) are in, DNS will live on.
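The property that makes this work is easy to break when zones are edited by hand: the apex NS set must name only the provider's secondaries, never the stealth master itself. This added example (not code from the article) audits a zone file for exactly that; the names ns-hidden.company.example and ns1/ns2.provider.example, and the zone contents, are constructed placeholders.

```python
HIDDEN_MASTER = "ns-hidden.company.example."  # assumed stealth master name (constructed)
PROVIDER_NS = {"ns1.provider.example.", "ns2.provider.example."}  # assumed provider secondaries

# Constructed zone as the hidden master serves it: the NS set names only the
# provider's servers, so resolvers never learn about the hidden master.
GOOD_ZONE = """\
$ORIGIN company.example.
$TTL 3600
@    IN SOA ns1.provider.example. hostmaster.company.example. 2009052601 7200 900 1209600 3600
     IN NS  ns1.provider.example.
     IN NS  ns2.provider.example.
vpn  IN A   192.0.2.10
"""

def parse_zone(text):
    """Parse a one-record-per-line BIND-style zone into (owner, type, rdata) tuples."""
    origin, owner, records = ".", "@", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if not raw[0].isspace():                       # line starts a new owner name
            owner = fields.pop(0)
        if fields[0].isdigit():                        # optional TTL
            fields.pop(0)
        if fields[0].upper() == "IN":                  # optional class
            fields.pop(0)
        name = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        records.append((name, fields[0].upper(), " ".join(fields[1:])))
    return origin, records

def audit_stealth_master(text, hidden_master=HIDDEN_MASTER, provider_ns=PROVIDER_NS):
    """Return findings; an empty list means the zone delegates only to the provider."""
    origin, records = parse_zone(text)
    apex_ns = {rd for name, rt, rd in records if name == origin and rt == "NS"}
    findings = []
    if hidden_master in apex_ns:
        findings.append(f"hidden master {hidden_master} is published in the NS set")
    if not apex_ns <= provider_ns:
        findings.append(f"NS targets outside the provider: {sorted(apex_ns - provider_ns)}")
    if len(apex_ns & provider_ns) < 2:
        findings.append("fewer than two provider secondaries listed")
    return findings

# Constructed misconfiguration: the hidden master also appears in the NS set, so resolvers query it directly.
BAD_ZONE = GOOD_ZONE.replace("vpn  IN A", "     IN NS  ns-hidden.company.example.\nvpn  IN A")
```

Run the audit against the zone your master serves before each change is pushed; the NOTIFY to the provider only helps if the delegation still keeps your box out of the public NS set.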
Thus, if your hosted servers are having problems, your employees can still connect to vpn.company.com. If your local Internet connection is disrupted, your Web site is still available. Also, you're not piping DNS queries down your own circuits or using up portions of your hosted server bandwidth limits on DNS.

Naturally, there are caveats to this plan, but they're minimal. If your hosting provider's DNS goes belly up (like Peer1/ServerBeach did a week ago Sunday), you're SOL. But those situations are few and far between, and the likelihood of your own servers having problems is greater than that of your hosting provider's, simply because its servers get top priority under any circumstances and yours don't. Generally, providers also employ full-time admins to manage the entirety of their DNS framework.

For very many companies, running external DNS just isn't worth it, but in this case you can have your cake and eat it too — and it's no more difficult than hosting it yourself.

This story, "Why you should use stealth master DNS," was originally published at InfoWorld.com.