Find another authoritative DNS provider

"Shop around and figure out prices"

cf https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#DNSproviders

added component::internal services/tor sysadmin team owner::tpa priority::medium severity::normal status::assigned type::task labels

i've looked around for a few of those... what are the criteria?

what's the rationale for now hosting our own DNS anyways?

in $previous_job, we setup VM exchanges with other organizations to spread the service around, it worked well and also made for extra PoPs for running monitoring, bouncers and other stuff...

we're in talks with greenhost about this, will followup

Trac:
Owner: ln5 to anarcat

not sure which step to take next here, Greenhost doesn't have GeoDNS for their DNS service and don't think anycast is worth it. also, they don't have a good API for external DNS service, so it's not a good option for us right now.

giving this back to the pool so someone else can look into this.

Trac:
Owner: anarcat to tpa

The notes don't give much hint what our goals or constraints or requirements are.

Why don't we just run our own dns?

Or if it's got to be external, maybe riseup will add our zone to one of their servers. Or I can serve it from moria.

this ticket is also not clear to me, but from what i gathered, the concern here is DDOS protection.

you should have these on your requirement list:

• DNSSEC (must have)
• 2 factor authentication
• API access
• hidden master support?
• global Anycast

Did you look into www.rcodezero.at?

The list in https://trac.torproject.org/projects/tor/ticket/29394#comment:6 is good. Just add "free of cost" too.

For background:

From the Brussels notes, linked in description: Right now, we do our own authoritative DNS. We would like to move away from that. We added dnsnode in-zone. We should add at least a second provider, and then retire our hosts. Then, we should update the delegation(s) in the parent(s).

dnsnode provides anycasted authoritative DNS, from many locations. Besides making it hard to kick our names off the internet by dosing our silly servers, users need to traverse a lesser part of the internet in order to reach DNS data for us.

We want another one like dnsnode before we shut down our own servers.

so i know about all this, and i want a poney too. :) the question is more "why". the brussels notes and this ticket don't say why we want to stop running our own DNS servers clearly.

In no particular order

1. protect our dns service against being dosed by others
2. protect us against having to deal with our dns servers being used for dosing others
3. get rid of a service we're not best at and don't have to run ourselves