

Anycast DNS providers that support secondary DNS, <=$70/year

Daniel15 Veteran
edited December 2021 in Requests

I'm currently self-hosting my own DNS servers using three VPSes on BuyVM's anycast network, plus two VPSes in Australia. I host some sites that primarily serve Australians, so for those domains I'm using the two servers in Australia. For all other sites, I'm using the BuyVM anycast + one server in Australia as the two DNS servers. One hole in BuyVM's anycast network is that they don't have any servers anywhere in APAC, so response times aren't ideal outside of the USA and Europe.

I used to use the anycast servers for other use cases, but these days I'm only using them for DNS. With BuyVM adding a new location (Miami), the cost of anycast with them will be at least $80/year (4 x $20/year VPSes), and at that point I may as well just switch back to an actual DNS provider.

The thing is that I like controlling my domains through my own tooling. I can easily search through all zones to find where particular IPs are referenced (haven't seen any providers that do cross-zone search in their UI), I can presign zones with DNSSEC, I have scripts to do bulk edits, etc. So I'm looking for providers that allow usage as secondary DNS servers, receiving updates from my server via NOTIFY + AXFR requests.

I used to use ClouDNS, and they're fine, but their anycast network is... something. As I write this, pings to pns8.cloudns.net from Australia and South Africa are both going to Los Angeles, even though they have servers in both locations (SIS Group in Australia, Hetzner in South Africa): https://dnstools.ws/ping/pns8.cloudns.net/. 🤔🤔🤔🤔

G-Core and entryDNS look interesting, but neither allow usage as secondary servers.

I'm currently doing a free trial with DNSMadeEasy. Their network is extremely fast, and their pricing is really not as bad as I thought it would be for an "enterprise" provider. $5/month for 25 zones, 7500 records and 10m queries per month. The fact that my domain uses the same nameservers as Square.com and other major sites (ns{5-7}.dnsmadeeasy.com) gives me some confidence in them.

Any recommendations for other services to try? Just looking for providers under $70/year that use an anycast network and support usage as secondary DNS.

Thanks!

Comments

• brueggus Member, IPv6 Advocate

    @ruben's https://ifog.ch/de/web/dns maybe? I'm not sure about that part, though:

    So I'm looking for providers that allow usage as secondary DNS servers, receiving updates from my server via NOTIFY + AXFR requests.

    Thanked by 1: jhgongfu
• JabJab Member
    edited December 2021

    @Daniel15 said: As I write this, pings to pns8.cloudns.net from Australia and South Africa are both going to Los Angeles, even though they have servers in both locations (SIS Group in Australia, Hetzner in South Africa): https://dnstools.ws/ping/pns8.cloudns.net/. 🤔🤔🤔🤔

    Ideal entry into "Why don't you use IPv6?" :D

• Daniel15 Veteran
    edited December 2021

    @JabJab said:

    @Daniel15 said: As I write this, pings to pns8.cloudns.net from Australia and South Africa are both going to Los Angeles, even though they have servers in both locations (SIS Group in Australia, Hetzner in South Africa): https://dnstools.ws/ping/pns8.cloudns.net/. 🤔🤔🤔🤔

    Ideal entry into "Why don't you use IPv6?" :D

    More like "Why doesn't ClouDNS maintain their network properly"... Vultr has no trouble getting it right: https://dnstools.ws/ping/ns1.vultr.com/

    When I used ClouDNS, I'd create support tickets for issues like that. They'd fix it, but then a few months later it'd break again. I gave up on it. I actually moved away from them for my Australian domains first, since more often than not it was sending Australian users to their Los Angeles servers, both over IPv4 and IPv6, defeating the purpose of an anycast network! Using my own VPSes in Australia was actually giving users a better experience.

  • I had been using dnsmadeeasy as secondary dns, but I'm not really convinced so far about the update speed when you do updates via NOTIFY + AXFR requests, so I'll be watching this thread closely as I haven't found a perfect solution.

• Daniel15 Veteran
    edited December 2021

    @OhJohn said: I'm not really convinced so far about the update speed when you do updates via NOTIFY + AXFR requests

    For what it's worth, I haven't had issues with that with DNSMadeEasy. They're doing the AXFR within the same second I send the NOTIFY, and within 2-3 seconds it's already propagated across their servers. Make sure you're changing the SOA serial on updates.

    I had issues configuring it since I'm using a "hidden master" on an IPv6 address and their interface only takes IPv4 addresses as the master IP, but I emailed their support and they could manually add an IPv6 master (+ it's on their roadmap to support it in the UI).

    Thanked by 1: OhJohn
  • @Daniel15 said: For what it's worth, I haven't had issues with that with DNSMadeEasy. They're doing the AXFR within the same second I send the NOTIFY, and within 2-3 seconds it's already propagated across their servers. Make sure you're changing the SOA serial on updates.

    That sounds good, will have to check again. SOA serials are incremented, will have to check if it is the primary dns provider that is sending out the NOTIFYs too late.

    About ClouDNS: if they use the same MaxMind data for their anycast routing that they use for their GeoDNS service, yes, it is a hassle to have them update their data; they need weeks to get new or updated MaxMind data into their systems...

• Daniel15 Veteran
    edited December 2021

    @OhJohn said: That sounds good, will have to check again. SOA serials are incremented, will have to check if it is the primary dns provider that is sending out the NOTIFYs too late.

    The other thing is that the IPs you have to notify are different to the IPs you use for the nameservers. The nameservers are anycast while the IPs to notify are regular unicast IPs. I'm handling that in PowerDNS using the also-notify metadata for the zone.

    If you don't notify the right IPs, it'll only refresh based on the refresh period in your SOA record.
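    One way to confirm that the secondaries actually picked up an update after a NOTIFY, as an added example that is not from the thread: it compares the SOA serial held by the hidden master against the serials each secondary answers with (collected however you like, e.g. `dig SOA @<ns>`), using the RFC 1982 sequence-space comparison that nameservers themselves apply, and shows a date-based serial bump that always moves forward. Nameserver names and serial values are constructed for the example.

```python
"""Detect secondaries lagging behind a hidden master by SOA serial.

Added example, not code from the thread. Serials are 32-bit and compared
with RFC 1982 sequence-space arithmetic, so a serial that wrapped past
2**32 is still recognised as newer than one just below the wrap point.
"""
from datetime import date

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 rules."""
    if a == b:
        return False
    diff = (a - b) % MOD
    # a is ahead of b when the forward distance is less than half the space.
    return 0 < diff < HALF


def stale_secondaries(master_serial: int, secondary_serials: dict) -> list:
    """Return the secondaries whose SOA serial lags the hidden master.

    secondary_serials maps nameserver name -> serial it currently serves.
    A lagging secondary either missed the NOTIFY (wrong also-notify IP) or
    is waiting for the SOA refresh interval to expire."""
    return sorted(ns for ns, serial in secondary_serials.items()
                  if serial_newer(master_serial, serial))


def next_serial(current: int, today: date) -> int:
    """Bump a YYYYMMDDnn-style serial so secondaries see a change.

    Uses today's date with a two-digit revision. If the current serial is
    already at or beyond today's base (several edits in one day, or clock
    skew), just increment so the serial still advances."""
    base = int(today.strftime("%Y%m%d")) * 100
    candidate = base if serial_newer(base, current) else current + 1
    return candidate % MOD


# Constructed snapshot: hidden master vs. three anycast secondaries.
MASTER_SERIAL = 2021120402
SNAPSHOT = {
    "ns5.secondary.example": 2021120402,
    "ns6.secondary.example": 2021120402,
    "ns7.secondary.example": 2021120305,  # never received the NOTIFY
}

if __name__ == "__main__":
    print("stale:", stale_secondaries(MASTER_SERIAL, SNAPSHOT))
```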

  • Everybody hates them but Hurricane Electric allow you to use them as secondary. NOTIFYs refresh within a few minutes though not seconds. I've been playing with hidden master myself. I'd love something faster but free trumps $5/mo in my use case. :)

    Thanked by 2: yoursunny, ariq01
  • @skorous said: Everybody hates them

    Why? :open_mouth:

    @skorous said: Hurricane Electric allow you to use them as secondary

    Oh cool, I didn't know!

  • HE works well as a secondary. Supports DNSSEC signed on the primary. I use HE as a secondary for many domains and personally I like it.

    I think the reason others don't is partly because they check that a NS record points to HE.net before accepting the domain, so if you're only using one DNS provider (which is a mistake) then it can leave a hole during the switch.

    You didn't say how many domains/records/lookups you expect. NS1 have a great network and UI, but rapidly get expensive (like $8 per 1M lookups).

    Oracle DNS has a horrible UI, but they support secondary, pricing is OK, anycast speed is pretty good including Australia. Can be cheaper than AWS depending on your specs.

    If you're willing to do a bit of tinkering, you could also consider fly.io. My primary is running pdns (which I think you do too?) and then I deploy a secondary running pdns on fly.io's anycast network (which has a Sydney POP). Free tier includes 3 locations of your choice and can add more for $1.94/mo each. You need to do a bit of legwork with the config to handle failovers properly and keep things secure, but this has the advantage that you can AXFR zones from the primary that contain LUA records, and can handle those lookups on the secondary, giving you failover/geoDNS/anycast relatively cheaply.

• I think the check of nameservers only affects HE if you add it as primary. If you add it as a slave zone, after you click validate and send a notify it serves the zone without the domain's nameservers pointing to it.

    Oracle DNS is a mixed bag: if your account gets allocated nameservers on the ex-Dyn ASN, anycast routing is fine, but if the assigned nameserver is on the Oracle ASN the routing is crap. I've found multiple providers in Europe (UK, NL, DE) that get routed to Jerusalem over IPv4 or India over IPv6, not exactly the best POP for any of those countries.

  • Route 53 seems not very expensive

  • I honestly don't know. Just what I've seen every time someone mentions HE for DNS. They work fine for me.

  • @tetech said: Supports DNSSEC signed on the primary.

    Good to know - for a long time they didn't have DNSSEC support at all; so just giving it a try now...

    @Razza said: I think the check of nameservers only effect HE if you add it as primary if you add it a slave zone after you click validate and sent a notify it serves the zone without the domain nameservers pointing to it.

    No, you can only add it as a slave if there is an existing delegation to one of the HE name servers (at the registry level, not just an NS record in the zone on the primary).

  • @cmeerw said:

    No, you can only add it as a slave if there is an existing delegation to one of the HE name servers (at the registry level, not just an NS record in the zone on the primary).

    I added a domain a few days ago to HE as a slave without changing the nameservers to HE. The zone was working on HE; I could dig the domain @ns1.he.net. I know in the past you needed to have HE listed as nameservers for the domain to add it, but not nowadays.

• @Razza said: I know in the past you needed to have HE listed as nameservers for the domain to add it, but not nowadays.

    Well, just now I got "You must delegate to one or more of the slave nameservers." if I try to add a slave.

• Razza Member
    edited December 2021

    @cmeerw said:

    @Razza said: I know in the past you needed to have HE listed as nameservers for the domain to add it, but not nowadays.

    Well, just now I got "You must delegate to one or more of the slave nameservers." if I try to add a slave.

    You're correct, I got the same message when I just tried to add a new domain. Weird, I managed to add a few domains a few days ago without any HE servers listed as NS for the domain; the check must have been broken when I added the domains.

  • @tetech said: You didn't say how many domains/records

    I've currently got 63 domains and 1248 records, but maybe 15 of them are important? I can keep the others on my own non-anycast servers or move them to something free.

    /lookups you expect.

    This is from one of my live servers:

    Uptime: 2.8 months
    Queries/second, 1, 5, 10 minute averages: 1, 1, 1. Max queries/second: 31
    Cache hitrate, 1, 5, 10 minute averages: 48.1%, 50.8%, 51.5%
    Backend query cache hitrate, 1, 5, 10 minute averages: 51.5%, 53.6%, 53.0%
    Backend query load, 1, 5, 10 minute averages: 1, 1, 1. Max queries/second: 15
    Total queries: 13648212. Question/answer latency: 5.49ms
    

    13,648,212 queries over 2.8 months = ~4,874,361 queries per month. However, I'm not sure how many of these are legitimate requests to my domains, and how many are just people scanning for vulnerabilities (eg. open DNS resolvers that can be used for amplification attacks). People do a LOT of security scans across the web.

  • @Daniel15 said:

    @tetech said: You didn't say how many domains/records

    I've currently got 63 domains and 1248 records, but maybe 15 of them are important? I can keep the others on my own non-anycast servers or move them to something free.

    /lookups you expect.

    This is from one of my live servers:

    Uptime: 2.8 months
    Queries/second, 1, 5, 10 minute averages: 1, 1, 1. Max queries/second: 31
    Cache hitrate, 1, 5, 10 minute averages: 48.1%, 50.8%, 51.5%
    Backend query cache hitrate, 1, 5, 10 minute averages: 51.5%, 53.6%, 53.0%
    Backend query load, 1, 5, 10 minute averages: 1, 1, 1. Max queries/second: 15
    Total queries: 13648212. Question/answer latency: 5.49ms
    

    13,648,212 queries over 2.8 months = ~4,874,361 queries per month. However, I'm not sure how many of these are legitimate requests to my domains, and how many are just people scanning for vulnerabilities (eg. open DNS resolvers that can be used for amplification attacks). People do a LOT of security scans across the web.

    Yeah, NS1 pricing will kill you with that usage. So scratch them off the list.

  • Rage4?

    Thanked by 1: jhgongfu
  • @stevewatson301 said:
    Rage4?

    Their pricing hits you on the number of domains. Even their published €100/month plan includes only one domain. Unless they set up a custom plan, 15 domains is at least €30/month. Great service, but price counts against it.

    Thanked by 1: bulbasaur
  • There is also Linode DNS, which has support for secondary DNS. It will require you to have at least 1 VM which costs USD 5 per month, USD 60 per year. Unlimited queries, and as far as I know, would fit your requirement for 25 zones. No idea about number of records, however.

    Thanked by 1: babuum
  • @tetech said:

    @stevewatson301 said:
    Rage4?

    Their pricing hits you on the number of domains. Even their published €100/month plan includes only one domain. Unless they set up a custom plan, 15 domains is at least €30/month. Great service, but price counts against it.

    So I did a bit of looking around on DNSMadeEasy's website, and apparently the business plan has an overage of $6/1M lookups, so it's quite in the same category as NS1. Pre-purchased lookups are a bit cheaper at $2.5/M lookups for their 10M/month for a year.

    At these rates, it's probably better to use AWS's Route53 or Google Cloud DNS, both of which are cheaper at $0.4/M lookups without a precommitment. If the advanced features aren't required, one could also look at DNSimple with 5 domains at $6/mo with unlimited queries.

• @stevewatson301 said: So I did a bit of looking around on DNSMadeEasy's website, and apparently the business plan has an overage of $6/1M lookups, so it's quite in the same category as NS1. Pre-purchased lookups are a bit cheaper at $2.5/M lookups for their 10M/month for a year.

    Their $60/yr plan includes 10M/month, so I don't think the overage should come into play if on that plan.

  • @brightsunshine said:
    There is also Linode DNS, which has support for secondary DNS.

    They are using cloudflare for their DNS. Looks really good.

    https://atlas.ripe.net/measurements/34332119/#probes
    https://atlas.ripe.net/measurements/34332118/#probes

  • edited December 2021

    @babuum said:

    @brightsunshine said:
    There is also Linode DNS, which has support for secondary DNS.

    They are using cloudflare for their DNS. Looks really good.

    https://atlas.ripe.net/measurements/34332119/#probes
    https://atlas.ripe.net/measurements/34332118/#probes

    Linode DNS isn't without problems. From experience, they have had their share of occasional problems with AXFR updates, slowness, and non-availability. Having used the services of Linode DNS, DNSMadeEasy, Route53, Google Cloud DNS, HE.net, and ClouDNS, my preference is still to self-host despite not having anycast.

• nqservices Member
    edited December 2021

    Also looking at moving my secondary DNS to an anycast provider.

    At the moment I'm using ClouDNS as primary and Hetzner Free DNS as secondary.

    From what I have looked at, it seems the best option would be to use DNSMadeEasy as primary and ClouDNS as secondary. DNSMadeEasy is a little bit expensive.

  • @stevewatson301 said:

    If the advanced features aren't required, one could also look at DNSimple with 5 domains at $6/mo with unlimited queries.

    This
