my-manageable-zone.com
Let's say you have a DNS server with public IP address of 205.251.197.174
and you planned it to be an authoritative zone for my-manageable-zone.com
. Basically, you have two options in preparing the DNS server to become a nameserver:
- Self-hosted: you can create an A-record subdomain under the same zone; or
- Outsourced: you can create an A-record subdomain from other zone
Self-hosted
Record set inside my DNS server
Record | Record type | Value |
---|---|---|
ns-1.my-manageable-zone.com. |
A | 205.251.197.174 |
my-manageable-zone.com. |
NS | ns-1.my-manageable-zone.com. |
Outsourced
Record set inside some other DNS server
Record | Record type | Value |
---|---|---|
ns-1.some-other-zone.com. |
A | 205.251.197.174 |
Record set inside my DNS server
Record | Record type | Value |
---|---|---|
my-manageable-zone.com. |
NS | ns-1.some-other-zone.com. |
Real world
I looked online on what people are practicing with regards to nameservers. Basically, in the command-line I tried something like:
dig +short NS google.com
dig +short NS nsa.gov
dig +short NS cloudflare.com
dig +short NS mit.edu
Results
google.com | nsa.gov | cloudflare.com | mit.edu |
---|---|---|---|
ns2.google.com. |
a11-66.akam.net. |
ns3.cloudflare.com. |
use5.akam.net. |
ns1.google.com. |
a24-65.akam.net. |
ns4.cloudflare.com. |
use2.akam.net. |
ns3.google.com. |
a1-107.akam.net. |
ns5.cloudflare.com. |
asia2.akam.net. |
... | ... | ... | ... |
In the real world, it is actually a healthy mix of self-hosted and outsourced. What are the things to look out for when implementing self-hosted or outsourced?
UPDATE
I stand corrected on the terminologies. What I refer to as "self-hosted" actually means In-bailiwick and whenever I said "outsourced" that actually means Out-of-bailiwick.
If you are serious about your domain name you should not rely on any single DNS provider but have 2 of them. You can not pick them arbitrarily and hope it will work, it needs to be fully coordinated between the two, but it is possible, even to have full DNSSEC support.
No matter which DNS provider you choose, you will have problems one day. If your domain is really important (and the services on it) you should use multiple DNS providers.
You are not used the correct terminology for what you describe. I welcome you to read RFC 8499 about DNS Terminology. You will see that what you describe is in-bailiwick nameservers (
ns.example.com
being nameserver forexample.com
) or fully external nameservers.You seem to be more concerned with the naming, or at least that is how I read your question, than really where the service is provided, because this is almost orthogonal: no matter if your nameservers are in-bailiwick or not, technically they can be under your control and maintenance or not.
You won't find any sole piece of advice for any case, both have advantages. I would however strongly suggest not to go in the "in-bailiwick" case, until you fully understand the DNS and how it works and specially when it intersects with the registration plane, because for in-bailiwick nameservers you need to maintain glues at the registry, through the registrar of the domain, and this unfortunately is often a pain point.
If you use external nameservers, regarding naming (there are other considerations: they should not be hosted in the same datacentre, not all be behind the same AS - except if anycast is into play - or the same IP block, etc.), you should make sure to have nameservers using names in multiple registries (so not only multiple TLDs, if you take
com
andnet
both TLDs are at the same registry).All big serious DNS providers give that option to their clients and on top of that the set of nameservers may differ from one zone to another or one client to another for better isolation and possibly different level of services.
Also, once you do that, you create a transitive dependency. The level of security of your domain is tied to the level of security of the domain name used for the naming of the nameserver authoritative on your domain name.
For example, if you want to do DNSSEC, it is fine in your zone, but then if the authoritative nameservers of your zone are themselves in zone NOT DNSSEC enabled, it lowers the real security of your zone.
Outsourced should provide the redundancy and lower overhead cost of procuring and maintaining DNS servers by paying your subscription. Not personally dealt with them, so i can't speak to for the companies that provide these services, but should you need to update records you are on their time, of when they accomplish it. By having your own, you have full control to build out subdomains and bring it online when you choose. Its more of a question of who owns the SOA for the domain and the initial responses. I had one where they rolled up our SOA and key external records, which was fine until we had to do an upgrade for our exchange servers. At which point we were held at a stopping point until they updated the MX records for the domain. So really you can go with either, just if you outsource you must plan accordingly when conducting upgrades and replacements of public facing servers or adding new public facing capabilities. Whats more important cost and resources? Or speed at which you can respond to a changing environment?