
DNS in the cloud: Why and why not

May 21, 2018 (10 min read)
Hybrid Cloud, Internet, Networking

The upside is better performance and resiliency; the downside is dire business impact if the DNS service provider suffers a catastrophic outage.


As enterprises consider outsourcing their IT infrastructure, they should consider moving their public authoritative DNS services to a cloud provider’s managed DNS service, but first they should understand the advantages and disadvantages.

Advantages of Cloud DNS


Cloud DNS providers have fully redundant, geographically diverse networks and DNS server infrastructure that provide reliability and fault tolerance. Enterprises commonly lack redundancy in their own DNS infrastructure because their DNS servers do not share synchronized, distributed zone data. Authoritative DNS must be redundant: if a non-redundant DNS server fails, the business impact is significant. If the enterprise network also lacks internal and Internet redundancy, a network failure takes the DNS infrastructure offline with it. If your current DNS servers are not highly redundant, a cloud DNS service provides greater resiliency to failure.

Enterprises often maintain authoritative DNS servers on their Internet perimeter networks and allow them to be globally reachable over TCP port 53 and UDP port 53.  If an organization’s authoritative DNS servers are in one location, and they are servicing a global environment, then there is added latency for resolvers around the world that are distant from that location to fulfill queries. Significantly better performance would be achieved using a cloud DNS provider with numerous geographically diverse DNS servers using anycast, which provides high availability and performance by routing traffic to the “nearest” of a group of destinations.

Cloud DNS providers leverage anycast to create a highly scalable and redundant DNS infrastructure.  There would be extensive costs for an enterprise to build out this level of redundancy using anycast and BGP routing on their own.

Support for DNSSEC

Domain Name System Security Extensions (DNSSEC) provide a cryptographic method of authenticating DNS records and help protect against many common DNS attacks, such as cache poisoning. Most enterprises have not yet adopted DNSSEC because they are unfamiliar with its configuration and benefits. Their DNS servers may not make it easy to set up DNSSEC or to automate the periodic key rollover and re-signing it requires. If a DNS administrator forgets the steps of an infrequent (for example, annual) key rollover, the mistake can be serious: validating resolvers will treat the zone as bogus and refuse to return answers for it. A cloud DNS provider may enable DNSSEC automatically, or at least make it far easier to implement and perform key rollover automatically. One caveat remains even with a managed service: the DS record that anchors the zone in the parent (published through the registrar) is still the enterprise's responsibility, and it must be updated whenever the key-signing key changes.
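The reason a forgotten rollover step is so damaging is that the DS record in the parent zone must match the key-signing key (KSK) published in the child's DNSKEY RRset. The following script, an added example written for this page and not code from the original article or from any DNS provider, computes a DNSKEY's key tag and its DS digest exactly as RFC 4034 defines them, so you can verify that the DS your registrar publishes matches the KSK your zone (or your provider) is actually using, both before and after a rollover. The zone name and the four-byte "public key" are constructed placeholders, not a real key.

```python
"""Compute a DNSKEY's key tag and DS digest (RFC 4034, RFC 4509) and check a
published DS against it.  Added illustration using constructed data."""
import base64
import hashlib
import struct

# Constructed example KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8
# (RSASHA256) and a tiny placeholder key, base64 of bytes 01 02 03 04.
EXAMPLE_ZONE = "Example.COM."
EXAMPLE_DNSKEY = (257, 3, 8, "AQIDBA==")

# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the
    obsolete RSA/MD5, algorithm 1): 16-bit ones'-complement-style sum of RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_record(zone: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the DS record
    that the parent zone must publish for this DNSKEY.  The digest is taken
    over owner-name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(published_ds: tuple, zone: str, dnskey: tuple) -> bool:
    """True if the DS published at the parent is the one this DNSKEY yields.
    A False here after a KSK rollover means the chain of trust is broken."""
    tag, alg, dtype, digest = published_ds
    expected = ds_record(zone, *dnskey, digest_type=dtype)
    return expected == (tag, alg, dtype, digest.upper())


def ds_presentation(zone: str, ds: tuple) -> str:
    """Zone-file style line as a registrar would show it."""
    tag, alg, dtype, digest = ds
    return f"{zone.lower()} IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    ds = ds_record(EXAMPLE_ZONE, *EXAMPLE_DNSKEY)
    print(ds_presentation(EXAMPLE_ZONE, ds))
    print("matches current KSK:", ds_matches_dnskey(ds, EXAMPLE_ZONE, EXAMPLE_DNSKEY))
```

In practice you would paste the DNSKEY line from `dig DNSKEY yourzone +multi` and the DS line from your registrar into the two tuples; a mismatch on key tag or digest is the exact condition that makes validating resolvers return SERVFAIL for the zone.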

DNS DDoS protection

An enterprise that deploys its own DNS servers rarely has the capacity to absorb a significant DDoS attack against them, and building highly scalable infrastructure for that purpose alone is cost-prohibitive. Resiliency against DNS DDoS attacks improves with a cloud DNS provider that has the capacity to absorb the attack, scale up with it or mitigate it quickly. Cloud DNS providers have higher-bandwidth links, diverse resources and the ability to scale resources automatically with transaction volume.

Improved security

Because authoritative DNS is an Internet-facing service, the enterprise must constantly monitor the security of these servers, keep them patched and make sure they never become open DNS resolvers (an authoritative server should answer only for the zones it hosts and should not offer recursion to the Internet, or it becomes a reflector for amplification attacks against others). A cloud DNS provider keeps its redundant DNS servers continually patched, scanned, hardened and monitored.

Advanced traffic routing

Cloud DNS providers also offer advanced traffic routing capabilities that may not be possible with an enterprise’s current on-premises DNS servers.  For example, AWS’s Route 53 cloud DNS service offers different advanced traffic-routing policies such as simple failover, round-robin, latency-based routing, geographic DNS and geo-proximity routing.  For an enterprise to create this same functionality it would need to invest in geographically diverse DNS servers and sophisticated load-balancing functions at each site.

Potential cost savings

Using a cloud-managed DNS service may save money compared with purchasing redundant physical servers, licensing an operating system and staffing the configuration and maintenance of DNS. If the DNS servers are due for a hardware or software upgrade, that may be the compelling event to defer the capital expenditure and switch to a cloud-managed DNS service instead.

Better configuration/change tools

Enterprises may lack the ability to make DNS changes quickly with their current systems, and they may not have the ability to easily have software-driven automatic changes made based on some triggering event.  Enterprises typically have internal IT processes that require submitting a support ticket to the DDI team anytime an addition or change is needed.  Cloud DNS providers have software-programmable interfaces and scripts to handle the automatic creation and updating of DNS records.  You can use their APIs to configure dynamic additions or changes to your DNS resource records.

Better monitoring, visibility, reporting

Many enterprises may take their DNS servers for granted and not fully understand the dependency their entire IT infrastructure has on DNS.  Enterprises may lack monitoring visibility and performance and operational metrics from their existing on-premises DNS systems.  Typical on-premises DNS servers may not have useful reporting or useful insights into DNS resolutions.  Cloud DNS providers do a much better job of performing 24X7X365 monitoring and maintenance of their revenue-generating infrastructure. 

Disadvantages of Cloud DNS

DNS managed-service crashes

An outage of the DNS provider's infrastructure can have disastrous consequences for its customers' businesses. Because every IT application relies on network availability and DNS resolution, if DNS fails, none of the business applications work, with correspondingly disastrous financial implications. A couple of years ago, the DNS provider ChangeIP had a multi-day outage that left its customers unable to resolve DNS. Most cloud DNS providers have SLAs, but the penalties may not cover an enterprise's consequential damages or financial risk. The standard mitigation is to delegate the zone to two independent providers at once (both sets of name servers in the NS RRset) and keep the zone synchronized between them, so that the loss of one provider degrades resolution rather than stopping it.

Possible increased latency

This concern applies to recursive resolution, not to the authoritative service discussed so far: moving your authoritative zones to a cloud provider does not change where your clients' recursive resolvers sit. If, however, you also move the recursive resolver "far away" from the company in network-topology terms, that distance adds latency to every client connection whose name is not already cached. To minimize latency and improve the end-user application experience, keep the recursive resolver near the DNS clients. An on-premises resolver that internal clients can reach quickly improves response times for both internal and external applications.

Geolocation problems

Geolocation can also suffer if your recursive resolver is not close to you, because Content Delivery Networks (CDNs) may direct you to the server nearest your resolver rather than your actual location. For example, if an international enterprise uses a U.S.-based cloud resolver service, geographic content for its sites on other continents may be selected incorrectly: users on other continents appear to be coming from the U.S. to content systems that decide proximity from the resolver's IP address, so they are steered to U.S.-located content and experience higher latency and poor application response. The EDNS Client Subnet option (RFC 7871) mitigates this by letting the resolver pass a truncated client prefix to the authoritative server, but both the resolver and the CDN must support it, and some public resolvers deliberately do not send it for privacy reasons.

Undermining current DNS investments

If an organization has already invested in a sophisticated DNS-, DHCP- and IP-address-management (DDI) system, then there is financial justification to leverage the current DDI infrastructure.  Enterprises may have invested in redundant DNS infrastructure that uses a synchronized distributed database supported by a redundant network.  Enterprises may have invested in DDI infrastructure that has programmatic interfaces, software automation, secure DNS services, DNSSEC automation with monitoring visibility and reporting.

Loosening of DNS integration

Having DDI management fully integrated in a single platform has operational advantages. Routing and addressing go hand in hand: organizations carefully plan their IP addressing and DHCP scopes around the network topology, and DHCP leases are granted from those scopes. DDI systems perform dynamic DNS updates and provide a single management interface for these integrated functions, giving operational visibility into IP-address usage and valuable management of addressing resources. When you split the external authoritative DNS out into a separate, non-integrated cloud service, you give up some of the benefits of tightly integrated DDI functions.

Loss of complete DNS-configuration control

Some cloud-managed DNS services do not give you complete control of the DNS configuration. If the service offers only a rudimentary web interface supporting a subset of resource-record types, and your organization has highly complex DNS requirements, it may not be a fit. One size does not fit all, so determine whether your specific requirements can be met by a given cloud DNS provider.

Examples of Cloud DNS Providers

Today there are many cloud DNS providers. Numerous dynamic DNS services are available for free or for a nominal fee, and there are cloud DNS providers whose web interface lets you configure highly resilient, geographically diverse authoritative DNS servers. Cloud DNS providers have high-bandwidth, dual-protocol (IPv4 and IPv6) Internet connectivity to diverse data centers that house redundant and scalable DNS server infrastructure, with anycast addressing and dynamic routing already configured for their name services.

When shopping for a DNS service provider, enterprises should inquire about these optional features and prioritize the features that they require.  There are cloud DNS providers that provide added security features such as DDoS protection, packet scrubbing and anti-spoofing.  Cloud DNS providers can make it trivially easy to implement DNSSEC for your domain and configure your DNSSEC resource records.  Cloud DNS providers may have RESTful APIs and programmable interfaces that aid in automation of configuration.

Here are the names of some cloud-managed DNS service providers: Akamai, Amazon Route 53, Cloudflare DNS, ClouDNS, DNSMadeEasy, Google Cloud DNS, Infoblox NIOS in the cloud, Microsoft Azure DNS, Neustar (acquired UltraDNS), NS1 Managed DNS, Oracle (acquired Dyn), Rackspace DNS (Cloud Control Panel), Verisign Managed DNS.

Comparing Performance

Before choosing a cloud-managed DNS provider, you may want to compare the performance of these companies' offerings. Studies and evaluations of the various providers have been published, but they reflect the vantage point of whoever made the measurements: the location from which the tests were run may not represent your enterprise's locations or Internet geography.

You may elect to perform some of your own measurements from your own locations to get an approximation of what your performance may actually be when you select a cloud DNS provider.  There are several useful tools you can use to help you take these measurements:
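The two checks this page asks for, measuring query latency from your own vantage points and confirming that an authoritative server is not an open resolver, can both be done with a raw DNS query and a look at the reply's header flags. The following script is an added example written for this page, not one of the tools the article refers to and not code from any provider. It uses only the Python standard library; the name-server addresses you pass on the command line are your own, and the zone name `example.com` is a placeholder. The AA (authoritative answer) and RA (recursion available) flags and the REFUSED rcode it inspects are defined in RFC 1035.

```python
"""Raw DNS probe: measure UDP query RTT to a name server and check whether it
offers recursion.  Added example using only the standard library."""
import secrets
import socket
import struct
import sys
import time


def build_query(qname: str, qtype: int = 1, rd: bool = False, txid: int = None) -> bytes:
    """Minimal DNS query (RFC 1035 section 4.1): header + one question.
    rd=True sets the Recursion Desired flag; txid defaults to a random ID."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def query(server: str, qname: str, qtype: int = 1, rd: bool = False, timeout: float = 2.0):
    """Send one UDP query to server:53; return (header dict or None, rtt_ms)."""
    pkt = build_query(qname, qtype, rd)
    txid = struct.unpack("!H", pkt[:2])[0]
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(pkt, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, (time.perf_counter() - start) * 1000
        rtt = (time.perf_counter() - start) * 1000
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:   # ignore stray or spoofed replies
        return None, rtt
    return hdr, rtt


def classify_recursion(hdr) -> str:
    """Interpret the reply to an rd=1 query for a name the server is NOT
    authoritative for.  RA set means the server will recurse for anyone."""
    if hdr is None:
        return "no answer"
    if hdr["ra"]:
        return "OPEN RESOLVER (RA set)"
    if hdr["rcode"] == 5:
        return "recursion refused (REFUSED)"
    return "recursion not available (RA clear)"


def measure(server: str, qname: str, samples: int = 5):
    """Median RTT in ms over repeated non-recursive queries; None if all fail."""
    rtts = sorted(rtt for hdr, rtt in (query(server, qname) for _ in range(samples)) if hdr)
    return rtts[len(rtts) // 2] if rtts else None


if __name__ == "__main__":
    # Usage: python dnsprobe.py <zone-you-host> <nameserver-ip> [<nameserver-ip> ...]
    zone, servers = sys.argv[1], sys.argv[2:]
    for srv in servers:
        hdr, _ = query(srv, zone)
        auth = "authoritative" if hdr and hdr["aa"] else "NOT authoritative"
        probe, _ = query(srv, "www.iana.org", rd=True)   # a name we do not host
        print(f"{srv}: median {measure(srv, zone)} ms, {auth}, {classify_recursion(probe)}")
```

Run it from each office or cloud region you care about against the name servers of the providers you are evaluating (and against your current servers). The latency figure that matters is the one from where your resolvers actually sit, and an answer with RA set from an authoritative server is a finding to fix before an attacker finds it for you.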

(Scott Hogg is a co-founder of an IPv6 consulting and training firm and has over 25 years of cloud, networking and security experience.)