Opened 8 months ago

Last modified 12 days ago

#29394 assigned task

Find another authoritative DNS provider

Reported by: ln5
Owned by: tpa
Priority: Medium
Component: Internal Services/Tor Sysadmin Team
Severity: Normal

Change History (9)

comment:1 Changed 8 months ago by anarcat

i've looked around for a few of those... what are the criteria?

what's the rationale for not hosting our own DNS anyways?

in $previous_job, we set up VM exchanges with other organizations to spread the service around, it worked well and also made for extra PoPs for running monitoring, bouncers and other stuff...

comment:2 Changed 6 weeks ago by anarcat

Owner: changed from ln5 to anarcat

we're in talks with greenhost about this, will follow up

comment:3 Changed 12 days ago by anarcat

Owner: changed from anarcat to tpa

not sure which step to take next here, Greenhost doesn't have GeoDNS for their DNS service and doesn't think anycast is worth it. also, they don't have a good API for external DNS service, so it's not a good option for us right now.

giving this back to the pool so someone else can look into this.

comment:4 Changed 12 days ago by arma

The notes don't give much hint what our goals or constraints or requirements are.

Why don't we just run our own dns?

Or if it's got to be external, maybe riseup will add our zone to one of their servers. Or I can serve it from moria.

comment:5 Changed 12 days ago by anarcat

this ticket is also not clear to me, but from what i gathered, the concern here is DDoS protection.

comment:6 Changed 12 days ago by cypherpunks

you should have these on your requirement list:

  • DNSSEC (must have)
  • 2 factor authentication
  • API access
  • hidden master support?
  • global Anycast

Did you look into www.rcodezero.at?

comment:7 Changed 12 days ago by ln5

The list in https://trac.torproject.org/projects/tor/ticket/29394#comment:6 is good. Just add "free of cost" too.

For background:

From the Brussels notes, linked in description:
Right now, we do our own authoritative DNS. We would like to move away from that. We added dnsnode in-zone. We should add at least a second provider, and then retire our hosts. Then, we should update the delegation(s) in the parent(s).

dnsnode provides anycasted authoritative DNS, from many locations. Besides making it hard to kick our names off the internet by dosing our silly servers, users need to traverse a lesser part of the internet in order to reach DNS data for us.

We want another one like dnsnode before we shut down our own servers.
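As an added illustration of the migration sequence described above (not code from the ticket or from the Tor sysadmin team), the check below compares the NS set published at the zone apex with the parent's delegation and refuses the retirement of the self-hosted servers unless at least two providers remain. All hostnames are constructed sample data, and the "provider" heuristic is an assumption of the example.

```python
# Added example (not from the ticket or the Tor sysadmin team's tooling):
# a delegation-consistency check for the migration comment:7 describes.
# Steps: publish the new provider's NS records in-zone, update the parent
# delegation to match, and only then retire the self-hosted nameservers.
# All hostnames below are constructed sample data, not real delegation data.

def _norm(names):
    """Lower-case and strip the trailing dot, so 'NS1.Self.Example.' == 'ns1.self.example'."""
    return {n.rstrip(".").lower() for n in names}

def provider_of(ns):
    """Crude provider key: the last two labels of the nameserver hostname.
    Assumption for this example; real tooling would map to registrable domains."""
    return ".".join(ns.rstrip(".").lower().split(".")[-2:])

def check_delegation(apex_ns, parent_ns, retiring, min_providers=2):
    """Return a list of problems; an empty list means the retirement is safe.

    apex_ns   -- NS set published at the zone apex (what the child says)
    parent_ns -- NS set in the parent's delegation (what resolvers follow)
    retiring  -- nameservers that are about to be shut down
    """
    apex, parent, retire = _norm(apex_ns), _norm(parent_ns), _norm(retiring)
    problems = []
    if apex != parent:
        problems.append("apex/parent NS mismatch: apex-only %s, parent-only %s"
                        % (sorted(apex - parent), sorted(parent - apex)))
    # Only servers present in BOTH sets reliably answer after retirement.
    remaining = (apex & parent) - retire
    if not remaining:
        problems.append("retiring %s leaves no nameserver in the delegation"
                        % sorted(retire))
    providers = {provider_of(n) for n in remaining}
    if len(providers) < min_providers:
        problems.append("only %d provider(s) remain after retirement: %s"
                        % (len(providers), sorted(providers)))
    return problems

# Constructed walk-through of the three stages in the ticket.
SELF = {"ns1.self.example", "ns2.self.example"}
DNSNODE = {"a.dnsnode.example", "b.dnsnode.example"}
SECOND = {"ns.second-provider.example"}

STAGE1 = check_delegation(SELF | DNSNODE, SELF, SELF)            # parent not updated yet
STAGE2 = check_delegation(SELF | DNSNODE, SELF | DNSNODE, SELF)  # one external provider only
STAGE3 = check_delegation(SELF | DNSNODE | SECOND, SELF | DNSNODE | SECOND, SELF)

if __name__ == "__main__":
    for name, result in (("stage1", STAGE1), ("stage2", STAGE2), ("stage3", STAGE3)):
        print(name, "OK" if not result else result)
```

Only stage 3, where a second external provider is in both the apex and the parent, passes; the two earlier stages report why the self-hosted servers must not be shut down yet.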

comment:8 Changed 12 days ago by anarcat

so i know about all this, and i want a pony too. :) the question is more "why". the Brussels notes and this ticket don't say clearly why we want to stop running our own DNS servers.

comment:9 Changed 12 days ago by ln5

In no particular order:

  1. protect our dns service against being dosed by others
  2. protect us against having to deal with our dns servers being used for dosing others
  3. get rid of a service we're not best at and don't have to run ourselves