
DNS is so straightforward, so easily distributed, and so fundamental, that I'm always astounded when it's a single point of failure for so many operations.

I wonder how many of the affected companies do have redundant appservers and load balancers, but missed this piece of the puzzle...



dns is less easily distributed when fancy features like ALIAS (which dnsimple is widely known for) are in the mix. and wide distribution isn't enough to win vs truly volumetric attacks. it takes a lot of ports and compute to absorb 100Gbps+ attacks which are not uncommon against major providers.


DNSimple is widely known for the ALIAS pseudo-"record" because they invented it[1].

Small wonder that a proprietary syntactical sugar leaves you at the mercy of select vendors?

As for volumetric attacks: your point is correct, but is irrelevant if you're using multiple vendors, and a specific, single vendor is the target, like it appears here. Your other authoritative servers would be unaffected.

1 http://support.dnsimple.com/articles/alias-record/, or http://webcache.googleusercontent.com/search?q=cache:ST1BABj...


good luck finding any major online property or infrastructure that isn't making use of some kind of proprietary syntactical dns sugar. it doesn't mean you can't span providers, but it does mean it takes a lot more work to do so.

anyway, you're not wrong, the best approach to mitigate this kind of thing is to leverage multiple dns networks. but doing so is not easy unless the application is still using dns like it was in 1995, and that is increasingly rarely the case.


Using a WWW subdomain with CNAMEs accomplishes effectively the same thing as using ALIAS on an apex domain name, and doesn't rely on anything out-of-spec or proprietary, making it easier to serve redundantly. (Did you ever wonder why google.com and facebook.com redirect to www?)

(Or is there more to ALIAS than that, which wasn't on the page in GP? Happy to be corrected if so)


you're correct about ALIAS (although practically, it doesn't matter: people are going to use the apex whether it's proper or not at this point). i'm more referring to other complex usually-proprietary capabilities of big dns providers, especially traffic routing features. routing semantics are generally not translatable across providers, and if you're using dns based routing (as most cdns, major web properties, etc are) then doing multi-network dns gets a lot harder. if you're amazon, you write and maintain a bunch of code to span providers. if you're not, the barrier to multi-network is high if you're doing more than static dns.


Yeah, that's a fair point. I'm not sure of a good fix for that, either.


You're right, but people want to get fancy with hosting at the apex (domain.com), even though it kills important functionality (CNAMES) forcing the adoption of hacks (ALIAS and ANAME records).


I'm surprised more places don't run their own DNS. It's not that difficult to do and it means you don't have to rely on another third party for service.


Well if this is an attack to get at one of DNSSimple's customers, running your own DNS would be a much easier target. Which is to say that if you were the target, you would already be hard dead by now rather than struggling as DNSSimple deploys defenses.

I agree though that it is a pretty simple service to run for a small domain.


If you're being targeted directly, then all of your services need to be DDOS proof, not just DNS. The more third parties you add, the more likely you are to be taken out by accident. If you have your own web server, you should dump Bind or PowerDNS on it and write a zone file. Problem solved.


DNSSimple isn't mutually exclusive with running other servers... you can even pay rival companies to host the same records redundantly.

But agreed, if you are the target, you're going to be hosed either way.


Not that difficult for whom? Great if you have the in-house resources to devote to managing your own DNS (and can't put them to better use elsewhere), but that is not the case for the vast majority of us. The fact that so many of us use PaaS companies like Heroku should be a pretty big indicator that most platform-related engineering is not going to happen in-house under a certain scale.


If you can figure out DNS on any hosting service's page, you can do it in multiple places.

You could pay GoDaddy, Amazon Route 53, and DNSSimple to all host your records, for example... Management would be slower and manual, but people without resources for "managing your own DNS" won't be changing records that frequently anyways.

The odds of all three going down at once should help your uptime, yes?
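Two of the points raised in this thread (that a CNAME cannot live at the apex beside SOA/NS, which is what ALIAS works around, and that redundancy only helps if your NS records actually span more than one vendor) can be turned into a mechanical check on a zone file. The script below is an added example written for this page, not code from DNSimple or any of the commenters. It parses a minimal one-record-per-line BIND-style zone (no `$ORIGIN`/`$TTL` handling), flags a CNAME at the apex, and groups NS targets by the trailing labels of the nameserver hostname as a rough proxy for "which provider runs this server". The zone contents and the `vendor-a.test` / `vendor-b.test` names are constructed for the example.

```python
"""Sanity checks on a zone file for two points discussed above:
   1. a CNAME at the apex collides with the mandatory SOA and NS records
      (RFC 1034 section 3.6.2: a CNAME owner may carry no other data);
   2. NS records that all point at one vendor give no cross-provider redundancy.
Added example, not DNSimple's code.  Zone text and vendor names are constructed."""
import re
from collections import defaultdict

# Constructed "weak" zone: CNAME at the apex, every nameserver at one vendor.
WEAK_ZONE = """
example.test.      3600 IN SOA   ns1.vendor-a.test. hostmaster.example.test. 1 7200 3600 1209600 300
example.test.      3600 IN NS    ns1.vendor-a.test.
example.test.      3600 IN NS    ns2.vendor-a.test.
example.test.      3600 IN CNAME lb.hosting.test.
www.example.test.  300  IN CNAME lb.hosting.test.
"""

# Constructed "fixed" zone: A record at the apex, CNAME only under www,
# nameservers split across two vendors (the multi-provider setup the thread suggests).
FIXED_ZONE = """
example.test.      3600 IN SOA   ns1.vendor-a.test. hostmaster.example.test. 2 7200 3600 1209600 300
example.test.      3600 IN NS    ns1.vendor-a.test.
example.test.      3600 IN NS    ns1.vendor-b.test.
example.test.      300  IN A     192.0.2.10
www.example.test.  300  IN CNAME lb.hosting.test.
"""

# owner  ttl  IN  type  rdata   (one record per line; comments after ';' are dropped)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata) tuples from the minimal zone format above."""
    records = []
    for line in text.strip().splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def apex_cname_conflicts(records, apex):
    """Return the set of other record types sharing the apex with a CNAME (empty set if no CNAME there)."""
    apex = apex.lower()
    types_at_apex = {rtype for owner, _, rtype, _ in records if owner == apex}
    if "CNAME" not in types_at_apex:
        return set()
    return types_at_apex - {"CNAME"}


def ns_provider_diversity(records, apex, label_depth=2):
    """Group the apex NS targets by their trailing `label_depth` labels.

    The suffix is only a heuristic for "which vendor operates this server";
    one key in the result means every nameserver sits with a single provider."""
    apex = apex.lower()
    by_provider = defaultdict(list)
    for owner, _, rtype, rdata in records:
        if owner == apex and rtype == "NS":
            host = rdata.rstrip(".").lower()
            suffix = ".".join(host.split(".")[-label_depth:])
            by_provider[suffix].append(host)
    return dict(by_provider)


def report(zone_text, apex):
    """Run both checks and return a dict a practitioner can inspect or assert on."""
    recs = parse_zone(zone_text)
    return {
        "apex_cname_conflicts": sorted(apex_cname_conflicts(recs, apex)),
        "ns_providers": ns_provider_diversity(recs, apex),
    }


if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("fixed", FIXED_ZONE)):
        print(name, report(zone, "example.test."))
```

Running it prints `['NS', 'SOA']` as the apex conflicts for the weak zone and a single `vendor-a.test` provider key, while the fixed zone reports no conflicts and two provider keys. The provider heuristic is deliberately crude: vendors that use many unrelated nameserver domains will look more diverse than they are, so treat a single-key result as a definite warning and a multi-key result as something to confirm against who actually operates those hosts.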


Not that difficult for somebody who is a sysadmin or developer. I would hope that services like Heroku offer DNS too, but I wouldn't know. If your site is already hosted at Heroku, it would be better for them to deal with your DNS so that you don't introduce additional third parties. That is my point.


Ah, I entirely misunderstood your point. I thought the point was that the end users of DNS should be hosting. My mistake.


exactly my thought. the year is 2014 and DNS is least of my problems, since 1999 or something...



