Today I was cleaning out some files from my MacBook and came across this text file that I had copied from an old Reddit post regarding how to structure your DNS and the do’s and don’ts. I figured I’d share it on my blog for others to read.
Again, I don’t own the rights to this post nor know the author of the post. I hope this helps others.
Don’t put all your DNS in one basket. I recommend he.net for some free slaves, dyn.com are good (when they are not being hammered by script kiddies), pick a third. If you have your own infrastructure, that’s nice, but still, get some off-net slaves with trusted networks. You can quite happily go spin up some nameservers with rackspace and amazon and some other places and it costs you only a little bit to run them, and buys you a lot of redundancy in your DNS.
Have long TTLs for your NS records, and the A records for the nameservers.
Make sure every nameserver listed has a stub entry in the root.
If you’re a .com, put your nameservers in .com. Don’t use a .net nameserver. It just adds unnecessary latency to the initial lookup.
Use a hidden master. This is where all the slaves will slave from, it should not be listed in the zone file, or listed as authoritative in the root, and it should have iptables ACLs that only allow port 53 AXFR from the slaves.
Configure the zone to have a very long lifespan if the master is unavailable for a while. That means set the expiry field in the SOA to something like 1 month.
Bonus pro tip: Don’t use BIND. There are other options for authoritative DNS. I like PowerDNS for my hidden masters. I like Unbound for my caching recursive servers. If you’re going to pay money for your DNS servers, Nominum’s products are bulletproof, if expensive.
Source: been working with DNS for 20 years. Ran Authoritative and caching DNS for several large ISPs in several countries including England and Australia.