DNS outages

Patrick W. Gilmore patrick at
Sun Nov 14 13:59:51 CST 2010

On Nov 14, 2010, at 2:28 PM, Brandon Kim wrote:

> Isn't using considered outsourcing? 
> In fact, I'd probably feel better not outsourcing to a big shop who is such a big target.....a little security through obscurity doesn't hurt.... =)

All you have done is trade one hope (big shop is big enough to sustain an attack) for another hope (little shop which can't handle any DoS doesn't get DoS'ed).

Security through obscurity is not useless, but it is not a complete solution.  Some places are big targets but are massive enough to not go down.  Some places are small but still spend the time, effort, and money to keep their systems up.  It is more than just how big a target you are.  These days, any piss-ant hax0r can command 10s of 1000s of bots, and get pissed at any little site (domain / hostname / etc.) for any reason.  Everyone needs to be prepared.

A little research will tell you who has and who does not have the ability to support your needs.  Then you make a business decision about how much downtime costs vs. how much uptime costs.

Or you can host your own two name servers in the same rack of the same colo with two adjacent IP addresses in a /24 owned by the hosting center.  That's about as "obscure" as you can get.  Then see how your security through obscurity works. :)


>> Subject: Re: DNS outages
>> Date: Sun, 14 Nov 2010 14:03:27 -0500
>> From: esanborn at
>> To: fw at; at
>> CC: nanog at
>> Yes, however does not allow their customers to list both their DNS servers and a customer's DNS server. End result is when the outage on their servers occurs you need to modify the config on their website so that it points back to your private DNS servers. Propagation delays are a pain....
>> ----- Original Message -----
>> From: Florian Weimer <fw at>
>> To: Brandon Kim < at>
>> Cc: nanog group <nanog at>
>> Sent: Sun Nov 14 13:48:55 2010
>> Subject: Re: DNS outages
>> * Brandon Kim:
>>> Times like this, makes you curious what kind of infrastructure
>>> has? How does one protect against DDOS?
>> You can outsource your DNS, but you better retain a server locally on
>> your network, so that you suffer less from that particular shared
>> toothbrush.

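As an added illustration (not part of any message in this thread), the following Python sketch audits a zone's name server set for the lack of diversity discussed above: every server inside one /24, or every server under a single operator's domain with no locally retained server. The zone names, the addresses (documentation ranges), and the /24, /48 and parent-domain grouping rules are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample delegations: {zone: {ns_hostname: [addresses]}}.
SAMPLE_ZONES = {
    # Two servers, adjacent addresses in one /24, one operator.
    "same-rack.example": {
        "ns1.same-rack.example": ["192.0.2.10"],
        "ns2.same-rack.example": ["192.0.2.11"],
    },
    # Outsourced DNS plus one server retained on the zone owner's network.
    "mixed.example": {
        "ns1.dnsprovider.example": ["198.51.100.53"],
        "ns2.dnsprovider.example": ["198.51.100.54"],
        "ns.mixed.example": ["203.0.113.5"],
    },
}

def covering_prefix(addr, v4_len=24, v6_len=48):
    """Map an address to the /24 (IPv4) or /48 (IPv6) that contains it."""
    ip = ipaddress.ip_address(addr)
    length = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)

def parent_domain(hostname):
    """Crude operator grouping (assumption): everything after the first label."""
    return hostname.rstrip(".").lower().split(".", 1)[-1]

def audit_delegation(nameservers):
    """Return sorted finding labels for one zone's {ns_hostname: [addresses]} map."""
    findings = set()
    if len(nameservers) < 2:
        findings.add("single-nameserver")
    if len({parent_domain(host) for host in nameservers}) < 2:
        findings.add("single-operator-domain")
    by_family = defaultdict(set)
    for addrs in nameservers.values():
        for addr in addrs:
            net = covering_prefix(addr)
            by_family[net.version].add(net)
    for version, nets in by_family.items():
        if len(nets) < 2:  # all addresses of this family share one prefix
            findings.add(f"single-prefix-ipv{version}")
    return sorted(findings)

if __name__ == "__main__":
    for zone, servers in SAMPLE_ZONES.items():
        print(zone, audit_delegation(servers) or "no findings")
```

Sharing a prefix is only a proxy for sharing a rack, an upstream or a routing announcement; distinct prefixes can still sit behind the same link, so a clean result here does not prove physical diversity.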