A while back I ceased to host my own DNS. This was in part because I knew fewer people I could set up secondarying agreements with, in part because running your own DNS infrastructure isn’t really sensible any more – but mainly because I don’t feel any great desire to do serious amounts of sys admin in my spare time. So I like many other people moved to the free DNS service provided by my domain registrar. You get what you pay for though, there’s nothing wrong with the DNS service but it doesn’t really meet my needs either. In this day and age I really should have my DNS on IPv6 and be implementing DNSSEC. Especially if I’m going to object to other people not doing so. The search was on then for an affordable (for small business/personal use) DNS service that offered a service suitable for today’s internet. My list of requirements beyond just your basic DNS service isn’t huge:
- IPv6 native DNS servers
- DNSSEC support with automatic signing, and preferably automatic updating of the root servers
- 2FA support
- Easy to transfer domains away
- Reasonable security on their own infrastructure (i.e. do they implement DMARC, DNSSEC etc. on their own domains)
After a bit of searching, working through several “best of lists”, several lists of “how to set up DNSSEC” and asking friends I didn’t have a very long list. If they didn’t have DNSSEC support easily findable then I left them off the list. Most of them that had DNSSEC support documents said “we don’t support it”. In case you’re wondering why I consider their use of DNSSEC to be so important there are basically two reasons. Firstly if they’re saying DNSSEC is good and are offering it as a service but aren’t using it themselves I can’t help but suspect their support for it may not be that great. Secondly even if I enable DNSSEC I’m still dependent on their infrastructure, so if that’s not secure then it greatly reduces the effectiveness of my efforts. Think of it like a bank where your strong box has a lock but it’s not kept in a secure vault but on a shelf in the foyer. Anyway onto my short list and what I found.
So after a quick bit of research (using my DNS quality tool) a quite depressing picture emerged. Of all of the registrars advertising that they support DNSSEC (not many to start with) only 5 of them are actually using it themselves. In fact most of them aren’t using many DNS security features at all, which, working on the principle of weakest links, makes most of them useless for improving my own DNS security. At least they all have their name servers on IPv6 though.
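As an added illustration of the checks described above (this is not the author’s DNS quality tool), the following script scores a domain against the criteria from the list: its own zone signed, the zones hosting its name servers also signed (the weakest-link point), IPv6 name servers, a DMARC policy and a CAA record. The records are constructed sample data; the `lookup` function and the domain names are assumptions, and `lookup` can be replaced by a real resolver to run it live.

```python
# Constructed sample records keyed by (name, rrtype); not data from any real registrar.
SAMPLE = {
    ("example-reg.test", "NS"): ["ns1.ds-example.test", "ns2.ds-example.test"],
    ("example-reg.test", "DS"): ["12345 13 2 ABCD"],          # the registrar's own zone is signed
    ("ds-example.test", "DS"): [],                            # ...but the zone hosting its NS is not
    ("ns1.ds-example.test", "AAAA"): ["2001:db8::1"],
    ("ns2.ds-example.test", "AAAA"): [],                      # one name server has no IPv6
    ("_dmarc.example-reg.test", "TXT"): ["v=DMARC1; p=reject; rua=mailto:d@example-reg.test"],
    ("example-reg.test", "CAA"): ['0 issue "letsencrypt.org"'],
}


def lookup(name, rrtype):
    """Stand-in resolver: return the sample records for a name and type (empty if none)."""
    return SAMPLE.get((name, rrtype), [])


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC TXT record, or None if it is not a DMARC record."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None


def ns_zone(host):
    # Assumption (simplification): the zone a name server lives in is everything
    # after its first label, e.g. ns1.ds-example.test -> ds-example.test.
    return host.split(".", 1)[1]


def check_domain(domain, lookup=lookup):
    """Evaluate the registrar's own DNS hygiene using the post's criteria."""
    ns_hosts = lookup(domain, "NS")
    report = {
        "dnssec": bool(lookup(domain, "DS")),
        # Weakest link: every zone that hosts one of the name servers must be signed too,
        # otherwise the signed domain rests on unsigned infrastructure.
        "ns_zones_signed": all(lookup(ns_zone(h), "DS") for h in ns_hosts),
        "ipv6_ns": all(lookup(h, "AAAA") for h in ns_hosts),
        "dmarc_policy": None,
        "caa": bool(lookup(domain, "CAA")),
    }
    for txt in lookup("_dmarc." + domain, "TXT"):
        tags = parse_dmarc(txt)
        if tags:
            report["dmarc_policy"] = tags.get("p")
    return report
```

With the sample data the report flags exactly the ds.network-style weakness discussed later in the post: the domain itself is signed, but `ns_zones_signed` is false.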
Having only heard of one of the DNS providers that actually uses DNSSEC, I obviously had to dig a little deeper. This is where I’ll probably get accused of being overly fussy. I can cope with that as just having DNSSEC isn’t the be all and end all of a DNS provider.
Cloudflare are of course currently one of the big beasts in the DNS world. There’s no doubt they are well established and have serious infrastructure, and as their DNS service starts from free it’s a difficult proposition to argue against. However given some of the things I’ve said about them previously I’d be a bit hypocritical to use them, and I really don’t want to assist in centralising the internet that much. If you don’t object to Cloudflare for other reasons and don’t need your DNS provider and domain registrar to be the same, they’re a sound choice. They are first and foremost a CDN provider, but for most use cases that probably doesn’t matter, and if you’re using their CDN you may as well use their DNS.
At first glance xyzulu.hosting appears to tick the most boxes, but .hosting isn’t exactly a well established TLD. The Xyzulu domain was only registered in 2016 and everything that can be redacted is redacted. The lack of contact information on their website also doesn’t really speak of respectability. Their own DNS is hosted on unbranded Cloudflare servers, and their domain is registered via synergywholesale.com, which suggests they’ve bundled together the resale of two different vendors. There are two advantages to using Xyzulu rather than Cloudflare directly: your DNS and domain registration are in the same place, and Xyzulu will handle updating the key signing keys for you.
I’m not a fan of companies that have words like “crazy” in their name, at least not if I’m after something that’s boringly reliable. The Crazydomains domain has been around since 1999 though, which is good – but then things kind of go downhill. Their domain, whilst signed, uses servers in the ds.network domain for DNS, and the ds.network domain isn’t signed. All of the information about ds.network is redacted, though it appears to have been registered by Crazydomains in their own right as a domain registrar. They are owned by Dreamscape Networks Europe, and the parent company’s domain also isn’t DNSSEC signed. So it looks rather like there’s just a thin veneer of security glued on top of their infrastructure. They do at least have contact information on their website, but as their DNS servers aren’t secured by DNSSEC I’m going to have to disqualify them.
Mythic Beasts come in close behind Cloudflare on how they run their own DNS, missing only a published DMARC policy. Domain registration wise they seem to be a TuCows reseller, and they’ve had their domain registered since 2000, which is forever in internet years. They run their own DNS servers in a suitably widespread set of networks, and actually publish proper contact details on their website. Without actually signing up and kicking the tyres it all looks really rather good. The only note of concern might be about the size of the company, being a “privately owned hosting ISP with a focus on a no-nonsense service backed by excellent technical support”. As I’m not an enterprise customer that’s not a huge concern, unless the founders decide they want to retire suddenly.
That just leaves Gkg, who bill themselves as the “DNSSEC friendly registrar”, so it’s a shame they haven’t implemented all of the other security records. They use their own name servers and have the domain registered via themselves, which is nice to see, as is non-redacted contact information in the whois record. The domain was registered in 1997, which gives them the oldest domain in the bunch, and from their company information they’ve a very impressive pedigree. Really there’s nothing to not like about Gkg; it would just be nice if they published CAA and DMARC records.
What to make of it all
Once more I’m disappointed that so many DNS providers and registrars aren’t signing their own domains and thus securing their infrastructure – especially when they’re providing DNSSEC to their customers. After all, if the domain registrars and DNS hosting companies can’t manage to do DNSSEC, what hope do the rest of us have? So who to use? Well, if you’ve no objection to being part of the great recentralisation then Cloudflare are a solid choice. Adding the Xyzulu layer to Cloudflare also isn’t the worst idea, at least not if you’re happy to overlook their lack of transparency. Mythic Beasts get an honourable mention and are certainly worth considering, especially if you’re based in the UK. The top choice though must be Gkg. With the longest established track record, a very solid DNS pedigree and a social conscience, there’s really nothing to not like – now if only they would publish those two missing records.
I haven’t looked at the user interfaces, been able to get data on service up-times, customer support quality or any of that other good stuff, so this is a very superficial comparison in many ways. Do your own research and decide what’s most important for yourself. That said, if you want to enable DNSSEC to protect your DNS, I would give serious consideration to how much that protection is weakened if the infrastructure it’s running on isn’t DNSSEC protected itself.