Millions of web sites suddenly became unreachable on Monday due to severe DNS-related problems at GoDaddy. Whether this was the result of a hack, or an internal problem, or a combination of both remains a hot topic, but today we're going to ask a more pragmatic question: Could your domain survive a DNS attack or failure?
You may already have a robust, reliable web application infrastructure, but if a DNS problem prevents people on the Internet from connecting to your site, then it hardly matters how good the rest of your system is.
The key to a robust DNS infrastructure is diversity. You want to have several different DNS servers, running on completely different networks, operated by completely different organizations. That way, there is no single point of failure, and even if one of your critical DNS providers goes down or is under attack, web browsers can still locate and connect to your web site. Veracode.com didn't have enough DNS diversity, and we were affected by the GoDaddy problem -- a situation we're already working to remedy.
We've put together a quick tool that lets you check your domain's DNS survivability; it checks your domain's authoritative DNS servers for good network diversity and good operator diversity.
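The post doesn't describe how the tool works internally, so here is an added illustration (not Veracode's tool and not its code) of the two checks it names: operator diversity and network diversity of a domain's authoritative name servers. It assumes "operator" can be approximated by the registrable domain of each NS hostname and "network" by the /24 (IPv4) or /48 (IPv6) prefix of its address; a production check would use registrar data and BGP ASN lookups instead. The NS records below are constructed sample data, not real DNS records of any domain.

```python
"""DNS survivability check: do a domain's authoritative name servers span
enough distinct operators and networks that no single outage or attack
takes them all offline?

Added example, not Veracode's tool. Assumptions: 'operator' is approximated
by the registrable domain of the NS hostname (its last two labels), and
'network' by the /24 IPv4 or /48 IPv6 prefix of its address. A real tool
would map addresses to BGP ASNs and hostnames to registrar/WHOIS owners.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation prefixes, not real records).
# Four servers, three operators, four networks: survives any single failure.
DIVERSE_NS = {
    "ns1.provider-alpha.example": "203.0.113.10",
    "ns2.provider-alpha.example": "198.51.100.20",
    "ns1.provider-beta.example": "192.0.2.30",
    "ns1.provider-gamma.example": "2001:db8:1::53",
}
# Two servers, one operator, one /24: a single point of failure.
FRAGILE_NS = {
    "ns1.single-registrar.example": "203.0.113.53",
    "ns2.single-registrar.example": "203.0.113.54",
}


def operator_of(ns_host):
    """Approximate the operating organization by the registrable domain of
    the NS hostname (last two labels). Assumption: fine for names such as
    ns1.foo.example; names under ccTLDs like foo.co.uk would need a public
    suffix list to split correctly."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def network_of(ip):
    """Approximate the hosting network by the /24 (IPv4) or /48 (IPv6)
    prefix containing the address. Assumption: a real tool would use the
    BGP-originating ASN, since one operator may own many prefixes."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def assess_dns_diversity(ns_records):
    """ns_records maps NS hostname -> IP address.

    Returns a report with the operator and network groupings, the largest
    share of servers any one operator or network controls, and whether the
    set has a single point of failure (every server behind one operator or
    inside one network)."""
    by_operator = defaultdict(list)
    by_network = defaultdict(list)
    for host, ip in ns_records.items():
        by_operator[operator_of(host)].append(host)
        by_network[network_of(ip)].append(host)

    total = len(ns_records)
    if total == 0:
        # No authoritative servers at all is the worst case.
        return {"servers": 0, "operators": 0, "networks": 0,
                "largest_operator_share": 1.0, "largest_network_share": 1.0,
                "single_point_of_failure": True,
                "by_operator": {}, "by_network": {}}

    largest_op = max(len(hosts) for hosts in by_operator.values())
    largest_net = max(len(hosts) for hosts in by_network.values())
    return {
        "servers": total,
        "operators": len(by_operator),
        "networks": len(by_network),
        "largest_operator_share": largest_op / total,
        "largest_network_share": largest_net / total,
        "single_point_of_failure": len(by_operator) == 1 or len(by_network) == 1,
        "by_operator": dict(by_operator),
        "by_network": dict(by_network),
    }


def describe(report):
    """One-line human-readable verdict for a report."""
    verdict = "FRAGILE" if report["single_point_of_failure"] else "survivable"
    return (f"{report['servers']} servers, {report['operators']} operators, "
            f"{report['networks']} networks -> {verdict}")


if __name__ == "__main__":
    for name, records in (("diverse", DIVERSE_NS), ("fragile", FRAGILE_NS)):
        print(f"{name}: {describe(assess_dns_diversity(records))}")
```

To run this against a real domain, replace the constructed dictionaries with the output of `dig +short NS yourdomain` and the A/AAAA lookups of each name server; the two groupings then show at a glance whether one provider or one network outage, like the one described above, would take every server down together.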
Here's what a great DNS setup (for "linode.com") looks like; note the excellent network diversity and operator diversity. With a setup like this, no single DNS attack or failure would make "linode.com" unreachable.