I thought I knew a lot about DNS, but the Dyn DDoS last October showed me that I had much more to learn. I spent the following month deep-diving to figure out how to implement resilient DNS properly: reading RFCs, Googling, asking questions of pros, and performing real-world experiments when no one knew the answers. In this talk, I’ll share what I learned and how I learned it.
Opinions on how to react to a DDoS against your nameservers vastly differ. Some companies lowered the TTL for their in-zone NS records to make it easier to add a new nameserver in a crisis. I’ll show you my empirical proof that this doesn’t work.
Adding a redundant DNS server in advance is a good solution, but it can be much harder than it sounds. What can you do if your DNS records are heavily dynamic and your provider doesn’t offer AXFR support? I’ll go through the options.
Even if you’re a seasoned DNS pro, I aim to surprise you with my discoveries.
Lex has 7 years of experience keeping large services running, including Linden Lab’s Second Life, DeviantArt.com, and Heroku. While originally trained in computer science, he found that he most enjoyed applying his software engineering skills to operations. A veteran of many large incidents, he has strong opinions on incident response, retrospectives, on-call sustainability, and good development and release processes.
©2017, O'Reilly Media, Inc.