DNS down in Anonymous attack

domain-name-system ddos domain-registrar godaddy anonymous

As I'm writing this our company website and the web-service we developed are down in the big GoDaddy outage resulting from an Anonymous attack (or so says Twitter).
We used GoDaddy as our registrar and we use it for DNS for some domains.

Tomorrow is a new day - what can we do to mitigate such outages?
Simply moving to, say, Route 53 for DNS might not be enough.
Is there any way to remove this single point of failure?


You can eliminate this single point of failure by using two DNS providers.
It might also be feasible to run your own DNS server on one of your servers.
GoDaddy allows you to do zone transfers from their servers (IIRC premium DNS is required for this).

Get a second DNS provider which allows you to run a slave server (or run it yourself).
Adjust NS/Nserver records so they point to both providers and you are done.


(1) Ways to stay "unaffected" if the domain registrar's servers (NOT just the domain) themselves are DDOSed, if any.

the registrar's servers only matter if you are using them for DNS (or hosting or other services, obviously). Once your domain is registered, the records go into the root registry and you don't need your registrar to be on line for your domain to work. If they are your only DNS provider then you want to consider adding more than one.

(2) "How to have more than one DNS service provider for a domain?

(for this part you do need your registrar online, so you can enter the changes through them) In your domain registry account, add multiple authoritative DNS servers hosted by multiple providers. This will probably require NOT using the registrar's DNS service so that you can enter the 3rd party servers. (eg with godaddy you can't use their "domain control" in addition to 3rd party providers, you have to choose "my domain is hosted elsewhere" to set your dns)


1) Don't keep all your eggs in one DNS basket. If you're big enough to be thinking anycast and CDN why are you using a single provider like GoDaddy? Diversify your DNS providers.

2) Anycast. Check out this blog to see how a provider mitigated a DDOS of up to 65Gbps. http://blog.cloudflare.com/65gbps-ddos-no-problem

Related

Number of file descriptors: different between /proc/sys/fs/file-nr and /proc/$pid/fd?
Why are 32-bit application pools more efficient in IIS? [closed]
nginx: Why I can't put proxy_set_header inside an if clause?
Rsyslog is not working properly, it does not log anything
Clear Directory with Salt State File
Where to get root CA certificates for Windows Server now that Microsoft no longer updates them?
Consulting: Organizing site/environment documentation for customers? [closed]
How to fix corrupt packet error for with rsync for (relatively) large files?
How to use update-alternatives per user
How to share nginx log's without sudo to another user?
Nginx regex vhost pattern ends up as PHP server name
fstab entry to mount NFS with password