Should large enterprises self-host their own authoritative DNS?
In a recent post, we outlined the pitfalls of self-hosted authoritative domain name systems (DNS) from the perspective of a startup or midsize business configuring a DIY system using BIND DNS or other open source tools. The main idea is that every company reaches a point where it outgrows a self-hosted, home-grown authoritative DNS system. Whether it’s features, cost, reliability, or resources, most businesses naturally need a third-party managed DNS service.
Nevertheless, there is a certain class of large enterprises where self-hosted authoritative DNS operates according to a different kind of logic. With a global presence and enough scale to tackle even complex technology projects in-house, these types of companies often focus on building solutions instead of purchasing products from other companies.
Advantages of self-hosting for large businesses
There are several reasons why large companies might want to build and host their own authoritative DNS service.
Specific functional requirements: Large companies often want to provide applications, services, and content in a customized way. This can be anything from hyper-specific routing of DNS queries to system-level support for unique application architectures to regulatory compliance requirements.
Use existing resources: If a business already has servers and technical resources deployed at scale across the globe, using that space to provide authoritative DNS often seems like the logical next step.
Control: Some companies don’t want to rely on a vendor, especially for business-critical items like authoritative DNS. Other companies have “build” cultures that value developing internal approaches that foster technical capabilities.
Theory vs. reality
These are all good reasons, at least in theory, to self-host your DNS at scale. What we’ve found in talking to large companies across a variety of industries is that the benefits of self-hosted authoritative DNS are often not realized. The logic behind self-hosting looks good in PowerPoint, but doesn’t provide any real business value.
Here are some areas where the reality of self-hosted authoritative DNS doesn’t match the theory:
Resilience: For any large business, downtime can be critical to the bottom line. This is why most authoritative DNS administrators insist on secondary or failover options in the event of a disaster. Self-hosted authoritative DNS rarely includes this feature. It is too resource-intensive to build and maintain ancillary systems as a form of insurance.
Weak architecture: Most authoritative DNS infrastructures are built on BIND and typically require a Rube Goldberg system of scripts to operate. Over time, the complexity of those scripts can become difficult to maintain as new features and operational requirements are taken into account. One wrong move, such as a single coding error, can easily bring down your entire authoritative DNS infrastructure and take your customer-facing site offline. For large, complex enterprises, unstable BIND architecture and scripts can be particularly risky.
Technical debt: Running authoritative DNS on your own can easily build up a significant backlog of feature requests. This is especially true if your DevOps, NetOps, or CloudOps teams work to deadlines. Let’s face it, most of these DNS features will be delivered on a much longer timeline than your application development team requires.
Expense: Large enterprises that self-host may do the math and conclude that building, deploying, and maintaining an authoritative DNS system is worth the investment. But in reality, these decisions are usually made without a deliberate cost-benefit analysis. In the long run, the expenses and the hidden opportunity costs of self-hosted authoritative DNS tend to outweigh the perceived financial benefits.
Employee turnover: DIY architecture only works as long as the person (or team) who created it stays with the company. If that person leaves the company for any reason, the institutional knowledge of how the DIY architecture was built leaves with them. Some companies reach a point where they are afraid to change anything because it could easily lead to downtime incidents that are difficult to recover from.
Automation: BIND has no application programming interface (API) and is not built to support any form of automation. DIY architectures are typically not built to support standard automation platforms like Ansible or Terraform. It is nearly impossible to tweak DIY architecture using third-party tools. If you have a DIY authoritative DNS, you may suffer from manual changes that slow your application development efforts to a crawl.
Managed DNS makes sense
As a provider of managed DNS solutions, we are certainly biased. However, in our view, the disadvantages of self-hosted authoritative DNS clearly outweigh the advantages, even (or especially) for larger companies that typically build their own systems natively. When you consider the long-term costs of maintaining an authoritative DNS system, including both CapEx hardware and OpEx personnel, a managed DNS solution makes economic sense.
Managed DNS solutions also help IT teams do more with less. When you consider the management time required to operate an authoritative DNS network at scale, there is much more value in deploying those resources to other strategic priorities. Having operated authoritative DNS on behalf of a significant portion of the Internet for a decade, we know how expensive and arduous a task it can be.
Handling DNS Migration Risk
We get it. Change is difficult. Even when large enterprises are ready to move from a self-hosted authoritative DNS architecture, they are often reluctant to take on the significant risks that come with migrating to a managed DNS service. Once your existing DNS tools are ingrained into your company’s technology DNA, it can be difficult to even think about the complex web of dependencies that will need to change.
This is where secondary DNS provides a lifeline. Any managed DNS service, such as NS1, can operate as a standalone platform or failover option alongside a self-hosted authoritative DNS system. Building a secondary DNS layer allows administrators to migrate application workloads over time, testing the functionality of managed systems and gradually untangling complex connections to internal systems.
Running a secondary DNS as a test environment will give you greater confidence in the advanced features that a managed DNS service offers, such as traffic steering, APIs, DNS data analysis, and other elements that provide clear value but are not available in most self-hosted services.
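A check that fits the migration approach described above, where a managed service runs as secondary to the self-hosted primary: compare SOA serials to confirm each secondary is serving the current zone. This is an added example, not code from the article or from NS1; the hostnames and serials are constructed, and the input is assumed to be SOA rdata as printed by `dig +short SOA`.

```python
# Added example: classify secondaries by SOA serial relative to the primary.
# Serial comparison follows RFC 1982 so a 32-bit wraparound is handled.

MOD = 1 << 32   # SOA serials are unsigned 32-bit values
HALF = 1 << 31


def serial_compare(a: int, b: int) -> int:
    """Return -1 if a is older than b, 0 if equal, 1 if a is newer (RFC 1982)."""
    if a == b:
        return 0
    diff = (b - a) % MOD
    if diff == HALF:
        # RFC 1982 leaves serials exactly 2**31 apart undefined.
        raise ValueError(f"serials {a} and {b} are not comparable")
    return -1 if diff < HALF else 1


def parse_soa_serial(rdata: str) -> int:
    """Extract the serial (third field) from SOA rdata text."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    serial = int(fields[2])
    if not 0 <= serial < MOD:
        raise ValueError(f"serial out of range: {serial}")
    return serial


def check_sync(primary_rdata: str, secondaries: dict[str, str]) -> dict[str, str]:
    """Label each secondary in-sync, behind, or ahead of the primary.

    'behind' means a transfer has not completed; 'ahead' means the secondary
    holds data the primary never published and should be investigated.
    """
    primary = parse_soa_serial(primary_rdata)
    labels = {0: "in-sync", -1: "behind", 1: "ahead"}
    return {name: labels[serial_compare(parse_soa_serial(rdata), primary)]
            for name, rdata in secondaries.items()}


# Constructed sample data: one self-hosted primary, three managed secondaries.
PRIMARY = "ns0.corp.example. hostmaster.corp.example. 2024061203 7200 900 1209600 300"
SECONDARIES = {
    "dns1.provider.example": "ns0.corp.example. hostmaster.corp.example. 2024061203 7200 900 1209600 300",
    "dns2.provider.example": "ns0.corp.example. hostmaster.corp.example. 2024061201 7200 900 1209600 300",
    "dns3.provider.example": "ns0.corp.example. hostmaster.corp.example. 2024061207 7200 900 1209600 300",
}
```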
Are you ready to switch from self-hosted authoritative DNS?
Get DNS with more features: IBM NS1 Connect