Interview with Mark Jeftovic, CEO of easyDNS

July 24th, 2015

LuxSci has been partnered with easyDNS to provide DNS and domain registration services to its customers since 1999. Due to our sales volume, we have an “Enterprise DNS” portal that both LuxSci Support and its clients can access to manage their domains. LuxSci has stuck with easyDNS for all of these years due to their excellent support, the high quality of the DNS services, and the friendly and helpful attitude of easyDNS management. LuxSci also believes that by partnering with easyDNS, we are able to provide our clients with the best and most robust DNS services available. This is mission critical, because if your DNS is down, so is your business.

Currently, LuxSci offers DNS and domain registration services to its customers as an add-on to its email and web hosting services. Our prices are extremely competitive and the service includes the features you could get with easyDNS directly, together with LuxSci’s acclaimed technical support: we will manage all of your DNS and domain registration settings and assist you with any changes, which minimizes the chance of error. We also provide the option for you to self-manage your DNS 24/7 using your own login access.

Mark Jeftovic, one of the original founders and architects of easyDNS, is now the sole owner of the company. LuxSci is bringing you this interview so that you can become better acquainted with easyDNS and why we selected them for mission critical services.

Mark, can you give us a brief synopsis of easyDNS’s history as a company?

We originally had another company. Back around 1994-1996 we were doing a lot of custom web development and we were one of the first companies doing dynamically generated websites with SQL backends. As such, whenever we picked up a new client, it usually meant we had to move their website onto our servers because the LAMP environment (Linux-Apache-MySQL-PHP) was still somewhat rare in those days.

We invariably ran into problems trying to get the DNS modified and encountered lock-in (or lock-out) with our client domains. It became clear that these people were paying for their own domain names, but had no access to them and no control over their fate. They were completely at the mercy of their ISPs, their webhosts or other third-parties.

The idea originally was to build a management panel so that our customers could manage their own domains “from the comfort of their own web browser” as we used to say. We started building the system around 1996 and by 1998 we were ready to launch it. Once we did so, it took on a life of its own, and by around 2000 we had all but folded the previous company and were concentrating on easyDNS full time.

Of course, around 2000 ICANN came along and opened up the domain registration side of things to competition, so we became an OpenSRS reseller and in 2001 CIRA did the same up here for .CA, so we became a CIRA certified registrar. In 2003 we became directly accredited with ICANN.

How many domains in how many countries does easyDNS support?

Last year we acquired Zoneedit, one of the other original DNS providers on the Internet, so when you count Zoneedit and easyDNS domains under management we’re somewhere north of 300,000 now, with customers in over 100 countries. We answer about a billion DNS queries per day.

easyDNS provides users with several different DNS servers, such as dns1.easydns.com, dns2.easydns.net, and dns3.easydns.org. What is behind these domain names in terms of servers and geographic locations? Why the different top level designations (com, net, org, etc.)?

These are prone to shifting, overlap and re-organizations, but at the moment:

DNS1.EASYDNS.COM is a four node anycast strand with nodes in San Jose, Chicago, Amsterdam and Tokyo

DNS2.EASYDNS.COM is using Cloudflare’s anycast CDN, I really couldn’t tell you how many nodes that actually is. We always want multiple DDoS mitigation solutions, so about a year ago we switched away from Prolexic and moved over to Cloudflare.

DNS3 is a mixed anycast cluster with our own deployments and a few nodes with our main DDoS mitigation provider, Staminus. We have hardware located directly within Staminus scrubbing centers in California, New York and Amsterdam. The rest of the nodes are deployed using HostVirtual’s network. During a DDoS we drop the HV announcements and route everything through Staminus.

DNS4.EASYDNS.INFO is another separate vendor, Community DNS out of the UK. They provide DNS services to a lot of country code TLDs and DNS4 is a 6-node anycast deployment on their network.

How does having DNS servers in different countries improve DNS services for customers?

Well, when it comes to DNS, redundancy is a good thing. Having your nameservers spread around (even without anycast) is good because when different parts of the network go down or have problems you always have a server *somewhere* that any given part of the network can send queries to. This works best when you colocate in multi-homed datacenters, so it’s rare that a given datacenter is ever cut off from the Internet entirely.

The way the DNS algorithm works, a nameserver initially asks all of your nameservers for the answer to a lookup and then measures the response times. It then directs future queries to the nameserver that answered the fastest (there’s more to it but this is the gist of it). When you have your nameservers spread out around the world you get a natural kind of diffusion to your DNS queries.

Then once you add anycast to the mix (where your multiple nameservers answer to the same IP address) you kind of get this same effect “squared”: when the remote nameserver does that first lookup to see “which one of your nameservers is the fastest”, the initial query will go to the member of the anycast node which has the shortest path to it in the routing tables, so you get the best pick twice: the “closest” node from the anycast strand, and then whichever anycast strand answered first.

The reliability and resilience of a DNS service are perhaps its most important features. Over the past few years, there have been many significant distributed denial of service attacks and other attacks against easyDNS and others; it seems that the intensity and frequency of these attacks have been increasing. Why do you think DDoS attacks on DNS providers are on the rise, and do you see this trend continuing?

In our white paper for Proactive Nameservers we show a graph that depicts the intensity of DDoS attacks over time and predicts 1.2 TB (terabyte) attacks by 2020. I think that’s optimistic when you consider that last year’s NTP reflection attacks were already hitting 300 GB/sec.

This is why we felt like the most intelligent way to survive DDoS attacks is to work on obtaining and maintaining a “DNS mosaic” that is always at least a little different from any given DDoS attack vector. It works in all cases where you are NOT the DDoS target (and the fact is, most of the damage caused by DDoSes is collateral damage). Assuming you’re not in a “high risk” segment (like gambling), you are far more likely to be affected by a DDoS against somebody else using one of your critical vendors than by a DDoS targeting you directly.

DNS will always be a popular target because quite simply nothing happens without it. Take out the target’s nameservers and you’ve taken out the target.

How does easyDNS ensure that it can continue to provide services in the face of DDoS attacks?

We use multi-provider redundancy for both DDoS mitigation AND even our own DNS (see next question).

Our mantra is that if you absolutely, positively must give 100% DNS availability at all times, the magic bullet for attaining that is to use multiple DNS solutions, and then have a coherent strategy for maintaining current zone data across them and having the ability to switch between them on-the-fly.

So that’s what we do. We have a patent-pending service called “Proactive Nameservers” which is basically failover at the nameserver level: instead of failing over a hostname within a given zone when it goes down, we watch the nameservers instead. If they go down or degrade, we automatically flip the nameserver delegation to a set of backup nameservers that were just sitting there waiting to go.

We use Amazon Route 53 and Zoneedit for our own backups (you can have pretty much as many backup pools as you want). Whenever we get DDoSed we simply add a pile of nameservers to our delegation, or switch out to them entirely. Again, this is entirely automated but it works great. Even during some pretty bad DDoS attacks over the years where easyDNS production nameservers were severely impacted, the easyDNS control panel and ancillary services (like email & forwarding) remained online and accessible to customers.

What other things can customers do to protect themselves against the effects of DDoS attacks on DNS providers?

The next level of redundancy beyond geographical and network redundancy is multi-provider or multi-vendor redundancy. As I described above, we use that ourselves by building integrations into other DNS vendors we use and that our customers can use.

Hence: you can syndicate your zones across multiple DNS providers, like having both easyDNS and Amazon Route 53 at the same time but controlling it all through one control panel. We also have beta integrations for Linode.com, Digital Ocean and Google’s cloud DNS.

The next step if you really want to get fancy is to monitor and automate the switching between various nameserver pools and vendors. That’s our proactive nameservers solution (which we also call “Plan B DNS”, http://www.planB.works).
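The delegation-level failover described in the two answers above (watch the nameservers themselves, and add or swap in a backup pool when the primary pool degrades) can be modelled as a small decision loop. The code below is an added illustration, not easyDNS’s Proactive Nameservers code; the latency threshold, failure and recovery streaks, nameserver names and probe results are all constructed for the example. Publishing the chosen NS set at the parent is left out since that step is registrar-specific.

```python
from dataclasses import dataclass

DEGRADED_MS = 500    # assumed threshold: slower replies count as a degraded probe
FAIL_STREAK = 3      # assumed: consecutive bad probes before a nameserver is marked down
RECOVER_STREAK = 2   # assumed: consecutive good probes before it is marked up again

@dataclass
class NsState:
    name: str
    bad: int = 0
    good: int = 0
    down: bool = False

    def record(self, latency_ms):
        """Record one probe result; latency_ms=None means the query timed out."""
        if latency_ms is None or latency_ms > DEGRADED_MS:
            self.bad, self.good = self.bad + 1, 0
            if self.bad >= FAIL_STREAK:
                self.down = True
        else:
            self.good, self.bad = self.good + 1, 0
            if self.good >= RECOVER_STREAK:
                self.down = False

def plan_delegation(primary, backup, min_healthy=2):
    """NS set to publish at the parent: healthy primaries alone while enough answer,
    primaries plus the backup pool when they thin out, backups only when none are left."""
    healthy = [ns.name for ns in primary if not ns.down]
    if len(healthy) >= min_healthy:
        return healthy
    return healthy + [ns.name for ns in backup]   # empty 'healthy' -> backup pool only

def run_probes(primary, backup, rounds):
    """Apply probe rounds (one latency per primary NS, in order); backups are assumed healthy."""
    plans = []
    for rnd in rounds:
        for ns, latency in zip(primary, rnd):
            ns.record(latency)
        plans.append(plan_delegation(primary, backup))
    return plans

# Constructed scenario: an attack degrades dns1 and dns3, then takes out dns2, then all recover.
ROUNDS = [(20, 25, 30), (None, 25, 900), (None, 30, None), (None, 35, None),
          (None, None, None), (None, None, None), (None, None, None), (20, 20, 20), (20, 20, 20)]

def demo():
    primary = [NsState("dns1.example"), NsState("dns2.example"), NsState("dns3.example")]
    backup = [NsState("ns-a.backup.example"), NsState("ns-b.backup.example")]
    return run_probes(primary, backup, ROUNDS)
```

The streak counters are the important part: without them a single slow probe would flap the delegation, and a flapped NS set is cached by resolvers for the full TTL.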

DNS “poisoning” attacks have been in the news a lot. Has easyDNS seen issues related to DNS poisoning? What do you think the future holds in terms of protecting users from such attacks?

The DNS poisoning attacks are directed against recursive nameservers or resolvers, not against authoritative DNS servers. That’s not to say it isn’t our problem. We support DNSSEC so customers can protect themselves against that by signing their zones.

But I’ve observed the lower hanging fruit these days is simply hacking into your provider’s management console, either through a software weakness or by social engineering, and simply taking over the target DNS from there. For that reason we always recommend turning on full account event alerts and 2-factor authentication wherever available.

DNS Security (DNSSEC) is something that can protect and authenticate DNS queries, but it has not really gained traction in practical use. Does easyDNS support DNSSEC? What do you see as the future for DNSSEC or other technologies that may solve the same problem?

We support DNSSEC; we view it as a necessary development in the DNS evolution, but it comes fraught with its own set of “gotchas”. Most notably I personally feel that bad key rollovers cause more damage to zones than actual cache poisonings have. They certainly seem more frequent.

Many domain registrars such as Network Solutions also “throw in” DNS services to their clients. What are the advantages of easyDNS over the likes of these?

Well the joke I always make is “free DNS usually includes free downtime”. For almost everybody else, webhosts, ISPs, even registrars, DNS is an afterthought. They’ve got a couple unpatched crapboxes in a closet on the same backbone running some out of date nameserver and nobody gives it a second thought until they blow up and everything goes down. It’s a very precarious state of affairs given how vital DNS is to pretty well everything you’re going to do on the Internet, which gave rise to our motto: “DNS is something nobody notices until it stops working”.

There are other premium DNS companies out there such as “UltraDNS” that compete for partnership with service providers like LuxSci. What do you see as easyDNS’s edge over such companies?

We’ve been hearing lately that we’ve got much more competitive pricing, which is refreshingly strange to hear since we’re usually described as “expensive but worth it” when compared to the bargain-basement registrars that sell domains for ridiculously low prices and “throw in the DNS”. We’ve got the anycast DNS, we’ve got the multiple DDoS deployments, but it doesn’t cost you an arm and a leg to get into the game and get these DNS best practices the way it might somewhere else.

Does easyDNS have any significant new features or services that are coming soon?

The main new things are the DNS integrations, and proactive nameservers – of which the latter is quite unique because we are quite literally the only company doing it in the world.

We just finished our second version of our GeoDNS implementation. It’s live testing now with PHP.net and it should be ready to roll this fall.

We’re working on a few other products as well but it’s too early in the process to talk about them.