DNS in the cloud: Why and why not

The upside can be better performance and resiliency with a down side of dire business impact if the DNS service provider suffers a catastrophic outage.

internet web browser

As enterprises consider outsourcing their IT infrastructure, they should consider moving their public authoritative DNS services to a cloud provider’s managed DNS service, but first they should understand the advantages and disadvantages.

Advantages of Cloud DNS


Cloud DNS providers have fully redundant and geographically diverse networks and DNS server infrastructure that provides reliability and fault-tolerance. Enterprises commonly lack redundancy in their DNS infrastructure because they use DNS servers that do not share synchronized distributed zone information.  The enterprise must ensure that this service is redundant, because if a their non-redundant DNS servers were to fail there would be significant business impacts.  If the enterprise network lacks internal and internet redundancy and the network fails, then the reachability of their DNS infrastructure is also compromised.  If your current DNS servers are not highly redundant, then a cloud DNS service would provide higher resiliency to failure.

Enterprises often maintain authoritative DNS servers on their Internet perimeter networks and allow them to be globally reachable over TCP port 53 and UDP port 53.  If an organization’s authoritative DNS servers are in one location, and they are servicing a global environment, then there is added latency for resolvers around the world that are distant from that location to fulfill queries. Significantly better performance would be achieved using a cloud DNS provider with numerous geographically diverse DNS servers using anycast, which provides high availability and performance by routing traffic to the “nearest” of a group of destinations.

Cloud DNS providers leverage anycast to create a highly scalable and redundant DNS infrastructure.  There would be extensive costs for an enterprise to build out this level of redundancy using anycast and BGP routing on their own.

Support for DNSSEC

Domain Name System Security Extensions (DNSSEC) provides a cryptographic method of authenticating DNS records and helps protect against many of the common DNS security issues.  Most enterprises haven’t yet adopted DNSSEC because of their lack of familiarity with its configuration and its benefits.  Enterprises may lack DNS servers that make it easy to establish DNSSEC configurations and, periodically automatically deal with key rotation and updating.  If a DNS administrator forgets the annually-performed key-rotation steps, mistakes can be serious.  The cloud DNS provider may automatically enable DNSSEC or make it far easier to implement DNSSEC and perform automatic key rotation.

DNS DDoS protection

If an enterprise were to deploy its own DNS servers, it would not have the capacity to absorb any significant-size DDoS attack on its DNS servers.  It would be cost-prohibitive for an enterprise to deploy highly scalable infrastructure required to absorb such an attack.  Resiliency against DNS DDoS attacks would improve when using a cloud DNS provider that has greater ability to absorb the attack, scale up with the attack or mitigate the attack quickly.  Cloud DNS providers have higher bandwidth links, diverse resources and the ability to scale up resources automatically based on transaction volume.

Improved security

Because DNS is an Internet-facing service, the enterprise must constantly monitor the security of this server, keep it patched and make sure it doesn’t become an open DNS resolver.  A cloud DNS provider would keep their redundant DNS servers continually patched, scanned, secured and monitored. 

To continue reading this article register now