this post was submitted on 20 Jun 2023
29 points (100.0% liked)

Selfhosted


If you register a domain with Cloudflare or Route 53, and that service goes down, do your records stay active in the DNS servers? What if the DNS servers go down, I know a lot of people use 8.8.8.8, so if Google's server goes down, then DNS fails?

What are the potential point of failures for having your own domain?

top 14 comments
[–] [email protected] 19 points 2 years ago (2 children)

If the DNS server for your domain goes down the records should still be saved in all the other DNS servers around the world. They will stay the same as they were before your domain's DNS server went down. While your DNS server is down you won't be able to change where the domain points. While your registration server is down you will not be able to transfer or sell your domain.

[–] [email protected] 7 points 2 years ago

Correct, but not the whole story.

If your registrar goes down, and you have your authoritative DNS anywhere else, then literally nothing happens. They just register the domain for you and give you an interface to pass your 'glue' records up to the TLD root servers.

If those glue records point to on-site DNS, or anything that is not your registrar's DNS servers, then your registrar being down is inconsequential other than that you would not be able to update your glue records, or renew your domain.

A separate question of "what happens if my authoritative servers go down", is answered above.

The two are not one in the same, though they can be.

[–] [email protected] 5 points 2 years ago (1 children)

You should actually be able to transfer and sell - that's handled at the tld.

Also, there's a lifetime to that cache, so if it's down long enough it'll become unreachable.

[–] [email protected] 2 points 2 years ago* (last edited 2 years ago) (4 children)

I've never really understood the whole TTL thing. Will the domain essentially point to nothing if the TTL runs out while the DNS server is down or will it default to older record?

EDIT: also, I was unaware that you could straight bypass domain registrars and deal directly with the TLD owners...

[–] [email protected] 3 points 2 years ago

The record will expire and, in this scenario, effectively become non-existent.

Once upon a time TTLs were rather long so temporary outages were less impactive. These days TTLs of less than a minute are common to accommodate redundancy. It doesn't do any good to have redundant systems if DNS keeps pointing at the downed system during an outage.

[–] [email protected] 1 points 2 years ago

It will most likely point to nothing. DNS servers can have performance improvements of sending the stale data while fetching it from the main source in order to be quicker, even though this is technically not correct. But in many cases the associated IP will not have changed anyway.

[–] SheeEttin 1 points 2 years ago

It depends on the implementation and configuration of the resolver you're asking. RFC 8767 allows serving stale data, if the TTL has expired but new data cannot be fetched.

[–] [email protected] 1 points 2 years ago

If the TTL runs out and it is unable to reach an authoritative NS, it will yield an error saying that it cannot resolve the domain. If the library catalog is down, you know the book you want is there, you just don't know the location.

I didn't intend to imply that you can deal directly with the TLD. You could, theoretically, but they typically don't have the organization to deal with individual registrants. That's the job of registrars, who interface through their own software that makes calls to the TLD's APIs.

[–] [email protected] 10 points 2 years ago* (last edited 2 years ago)

If the registrar goes down that means you will not be able to change your NS and glue records with the TLD (com.).

If you are also using your registrar's authoritative DNS servers and those are down, it means your website will likely be entirely unreachable regardless of what recursive DNS servers someone is using. If you are using someone else's authoritative DNS servers (such as Cloudflare, Route53, Dyn, Google Cloud, etc.) your registrar going down would not cause immediate problems.

If Google's recursive DNS servers go down, it means anyone using those servers will be unable to find any website they wish to visit, including yours. Basically, as far as most normal users would be able to tell, their internet just stops working. There are many popular options for public recursive DNS including Google (8.8.8.8), Cloudflare (1.1.1.1), Quad9 (9.9.9.9), OpenDNS, AdGuard, and more. Not all recursive DNS operators host authoritative servers, and if they do, the infrastructure for the two services is often different because they have different uses and needs.

Google's 8.8.8.8 servers are recursive, they do not host the data, they only look it up and cache it. The recursive servers talk to the authoritative servers. This is what a recursive DNS server does when you try to visit example.com. assuming it doesn't have any of this data cached:

  1. Figures out where com.'s DNS servers are by querying the special root zone (.) DNS servers (that are expected to be known by all recursive DNS servers and change incredibly infrequently) for the NS records for com.. The root zone DNS servers may also respond with "glue" records indicating the IP addresses of the com. DNS servers.
  2. Figures out where example.com.'s DNS servers are by querying the DNS servers found in step 1 for the NS records for example.com.. The com.'s DNS servers may also respond with "glue" records indicating the IP addresses of the example.com. DNS servers.
  3. Figures out what IP address(es) host example.com. by querying the DNS servers found in step 2 for the A and/or AAAA records for example.com.
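A toy model of the three steps above, combined with the TTL expiry and RFC 8767 serve-stale behaviour discussed earlier in the thread (added example, not code from any commenter; the zone data, server IPs and the "GLUE" shorthand for a child nameserver's A record are constructed):

```python
# Constructed delegation tree keyed by authoritative server IP (documentation addresses, not real servers).
AUTH = {
    "198.41.0.4": {"com.": {"NS": ("a.gtld.net.", 172800), "GLUE": ("192.5.6.30", 172800)}},          # root (.)
    "192.5.6.30": {"example.com.": {"NS": ("ns1.example.com.", 172800), "GLUE": ("203.0.113.53", 172800)}},  # com.
    "203.0.113.53": {"example.com.": {"A": ("93.184.216.34", 60)}},  # example.com., short TTL on the A record
}
ROOT_SERVERS = ["198.41.0.4"]  # hard-wired into every recursive resolver
DOWN = set()                    # authoritative IPs currently simulated as unreachable

class Resolver:
    def __init__(self, serve_stale=False):
        self.cache = {}         # (name, rtype) -> (value, absolute expiry time)
        self.serve_stale = serve_stale
    def _query(self, server, name, rtype, now):
        # Serve from cache while the TTL holds; otherwise ask the authoritative server.
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > now:
            return hit[0]
        if server in DOWN:
            raise ConnectionError(f"{server} unreachable")
        rec = AUTH[server].get(name, {}).get(rtype)  # None means no such record
        if rec is not None:
            self.cache[(name, rtype)] = (rec[0], now + rec[1])  # honour the record's TTL
        return rec and rec[0]
    def resolve(self, name, now):
        # Walk root -> TLD -> zone for name's A record at simulated clock 'now', else "SERVFAIL".
        labels = name.rstrip(".").split(".")
        zones = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
        server = ROOT_SERVERS[0]
        try:
            for zone in zones:  # steps 1 and 2: follow NS + glue one label at a time
                nxt = self._query(server, zone, "GLUE", now)
                if nxt is None:
                    break       # this server is authoritative for the remaining labels
                server = nxt
            return self._query(server, name, "A", now)  # step 3: ask the zone's server for the A record
        except ConnectionError:
            stale = self.cache.get((name, "A"))
            if self.serve_stale and stale:
                return stale[0]  # an expired answer beats none (RFC 8767 serve-stale)
            return "SERVFAIL"

def simulate(serve_stale):
    # Resolve at t=0, then take example.com.'s server down and query again at t=30 and t=61.
    r = Resolver(serve_stale)
    DOWN.clear()
    first = r.resolve("example.com.", 0)
    DOWN.add("203.0.113.53")
    return first, r.resolve("example.com.", 30), r.resolve("example.com.", 61)
```

With a 60-second TTL the cached answer survives the outage at t=30 but not at t=61, where only a serve-stale resolver still answers; a resolver with a cold cache gets nothing from serve-stale either.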
[–] [email protected] 8 points 2 years ago (2 children)

Your domain is "hosted" (in this context, the DNS entries, not the actual content) on one or, ideally, more DNS servers that are known as the authoritative servers for your domain. You can look those up by searching the SOA (start of authority) and NS (nameserver) records for it.

Downstream servers may keep those and other records in cache for a while, usually guided by the TTL (time to live) entry. Once that expires, however, they need to refresh the data from the authoritative servers.

When those are unreachable, they cannot do so, and your domain is de facto unreachable for the internet at large, regardless of your own server actually being up.

You can still reach them by surfing to the actual IP instead, and/or hardcoding the DNS name in your local hosts file or your local DNS server/resolver. That is, of course, not visible to the internet at large.

You could host your own DNS servers to mitigate somewhat, but keep in mind that every level above your domain also needs to know which server is authoritative - my tuxera.be used to be self-hosted, so the .be root servers had to know what the SOA for tuxera was.

Honestly, it's not something to worry about. I didn't keep up with changes in DNS security, so I switched to route53 (Amazon). I've been considering switching again to hetzner.de where I have some servers anyway.

DNS is pretty lightweight (relatively speaking), so it's probably the last thing to go down if a registrar is in trouble; you'd have plenty of warning signs beforehand.

(Yes, for pedantry, technically a registrar doesn't even have to offer DNS at all, they just handle ownership and administration at the top level domain, but most do anyway)

[–] gccalvin 2 points 2 years ago

Thanks for the detailed explanation! I made a domain on Route 53 recently, but I'm trying to migrate it to NameCheap so I can do DDNS through my Unifi UDM SE as I think I'd need to set up a lambda function to get DDNS working through a script for Route 53. Would rather have it integrated into the router os if possible. Do you have a static IP or are you using DDNS?

[–] [email protected] 1 points 2 years ago

I wish I could find it, but there was an interesting conference talk from AWS about route53 and how it was built with resilience in mind. If it goes down AWS has a problem. So they made sure that this is a very unlikely scenario.

[–] [email protected] 2 points 2 years ago (1 children)

There's a difference between your domain registrar and the authoritative DNS servers for your domain. For example, I register domains with Hover, but host the DNS at AWS. If Hover were to go down, I don't see how that would have any impact on my DNS. If AWS's Route53 were to go down, then my DNS is only as good as what's cached out there on the Internet.

[–] [email protected] 1 points 2 years ago* (last edited 2 years ago)

What are the potential point of failures for having your own domain?

Forgot to answer this. My advice would be to pick a good DNS provider.

It doesn't have to be the company which registered your domain. A good provider will generally have more than two authoritative DNS servers, will generally have them in separate top-level domains (e.g., .com, .net, .uk, etc.), and may even be running Anycast, which makes them even more resilient.
