DEV Community

Ben Halpern

Why do we still speak in direct DNS?

I don't know about you, but I have observed so many DNS mishaps in my day, and also have observed that developers and non-devs consistently fail to have a succinct mental model of how to set DNS properly for a website.

There are lots of services that make setting DNS easier than ever, but I'm kind of surprised so many people still have to think directly in terms of CNAMEs, apex domains, and all the direct domain knowledge of DNS.

Can't we have a higher level abstraction that compiles to DNS with more safety guards? Sure, let me dip into DNS when I need to, but why are DNS settings tables still such a normal thing?

I write Ruby code so I don't have to write C code. I'm sure there are attempts in DNS abstraction, but the fact that I haven't come across them means they are probably still too leaky or just not mainstream.

Thoughts on the matter?
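As an added example of the "safety guards" the post asks for (this is not code from the post or from any DNS provider), here is a small linter for the plain-text records table that many providers let you upload. It parses a constructed `name ttl type value` table, where `@` is the apex and a trailing dot marks a fully qualified name, and flags the three mistakes that come up repeatedly in this thread: a CNAME at the apex or alongside other records at the same name (RFC 1034 section 3.6.2), more than one `v=spf1` TXT record at a name (RFC 7208 section 3.2, which makes receivers return permerror), and a CNAME/NS/MX target without a trailing dot, which a zone-file parser silently expands relative to the origin. The table format, the zone origin `example.com`, and every hostname in the sample are assumptions made for the illustration.

```python
"""Lint a plain-text DNS records table before applying it (added example)."""
from collections import defaultdict

ZONE_ORIGIN = "example.com"  # assumed origin for the constructed sample

# Constructed sample table: name  ttl  type  value.  "@" is the zone apex.
SAMPLE_ZONE = """\
; constructed sample zone, hostnames are placeholders
@      3600  NS     ns1.example-dns.net.
@      3600  NS     ns2.example-dns.net.
@      3600  CNAME  myapp.example-host.net.
www    300   CNAME  myapp.example-host.net.
www    300   A      192.0.2.10
@      3600  MX     10 mx.example-mail.net.
@      3600  TXT    "v=spf1 include:_spf.example-mail.net ~all"
@      3600  TXT    "v=spf1 include:sendgrid.net ~all"
mail   300   A      192.0.2.20
api    300   CNAME  myapp.example-host.net
"""


def parse_table(text):
    """Parse 'name ttl type value' lines into record dicts; ';' starts a comment."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'name ttl type value', got {raw!r}")
        name, ttl, rtype, value = parts
        if not ttl.isdigit():
            raise ValueError(f"line {lineno}: TTL must be an integer, got {ttl!r}")
        records.append({"line": lineno, "name": name, "ttl": int(ttl),
                        "type": rtype.upper(), "value": value})
    return records


def _target(record):
    """Hostname a CNAME/NS/MX record points at (an MX value is 'preference host')."""
    if record["type"] == "MX":
        return record["value"].split()[-1]
    return record["value"]


def lint(records, origin=ZONE_ORIGIN):
    """Return (severity, name, message) findings for classic DNS table mistakes."""
    findings = []
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)

    for name, rs in by_name.items():
        types = {r["type"] for r in rs}

        # 1. A CNAME must be the only data at its name (RFC 1034 s3.6.2). At the
        #    apex that is impossible, because the apex always carries SOA and NS.
        if "CNAME" in types:
            if name == "@":
                findings.append(("error", name,
                                 "CNAME at the zone apex is invalid (the apex must hold SOA/NS); "
                                 "use A/AAAA records or a provider-specific ALIAS/ANAME instead"))
            others = sorted(types - {"CNAME"})
            if others and name != "@":
                findings.append(("error", name,
                                 f"CNAME cannot coexist with other records (found {', '.join(others)})"))
            if sum(1 for r in rs if r["type"] == "CNAME") > 1:
                findings.append(("error", name, "more than one CNAME at the same name"))

        # 2. Exactly one SPF record per name (RFC 7208 s3.2); two v=spf1 TXT
        #    records make check_host() return permerror, so mail fails SPF.
        spf = [r for r in rs
               if r["type"] == "TXT" and r["value"].strip('"').startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(("error", name,
                             f"{len(spf)} SPF TXT records; receivers treat multiple v=spf1 "
                             "records as a permanent error, merge the include: mechanisms into one"))

        # 3. Unqualified targets: a zone-file parser appends the origin, so
        #    'myapp.example-host.net' becomes 'myapp.example-host.net.example.com'.
        for r in rs:
            if r["type"] in ("CNAME", "NS", "MX"):
                t = _target(r)
                if not t.endswith(".") and t != "@":
                    findings.append(("warning", name,
                                     f"line {r['line']}: target {t!r} has no trailing dot "
                                     f"and would be read as {t}.{origin}."))
    return findings


if __name__ == "__main__":
    for severity, name, message in lint(parse_table(SAMPLE_ZONE)):
        print(f"{severity.upper():7} {name:5} {message}")
```

Run against the sample it reports three errors (the apex CNAME, the CNAME/A clash at `www`, and the duplicate SPF records) and one warning for the unqualified `api` target; a table that passes can then be handed to whatever provider API or Terraform/CloudFormation step actually applies it.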

Top comments (20)

Peter Kim Frank

I always get extra nervous whenever adjusting DNS settings. Not only is there typically no way to preview changes, but you're always warned that "DNS propagation may take 24-48 hours." Thus, you could unintentionally cause a critical-path bug that can't even be rectified immediately.

I started this #explainlikeimfive question a little while back on the specific topic of TTL:

Artem

DNS propagation may take 24-48 hours.

It's honestly not that bad. I'm yet to see any operation that's going to take 24-48 hours. Even delegation to a set of different servers rarely takes longer than an hour.

Sergey Kislyakov

How often do you adjust DNS settings that MAY cause critical bugs?

Kasey Speakman

Maybe I just learned it too long ago, but I have not found DNS all that bad to work with, excepting the up-to-24-hour changes. Being able to set low TTLs can help with that, but you first have to wait out the original TTL.

The thing that bugs me most about DNS currently is privacy.

ben profile image
Ben Halpern

I don’t personally find it that hard, but I was just interacting with someone who needed to set up DNS and needed help and they were making mistakes and it really made me think that it’s still designed for the sensibilities of tech folks and not normal people.

guledali

Totally agree. I had the very same discussion with my team this week regarding this. I had a situation with the SendGrid addon on Heroku not working for me. Had to figure out SPF & DKIM and how to point DNS, and that was just for setting up SendGrid. God! How did we get here? There has to be a better way, right?

Matt Ellen-Tsivintzeli

I remember once I was trying to set up a subdomain (or whatever the correct nomenclature may be) to point to a different IP address, and nothing I did seemed to work. I gave up in the end, as it wasn't important.

Sergey Kislyakov

I wonder what kind of setup you had to do for that person. There are many articles that cover basic DNS stuff (A, NS, MX) so I think non-tech people should not have any problems learning a bit before they do stuff. Most DNS providers have good articles for that stuff as well.

Kasey Speakman

Yes I agree that it is confusing for non-tech folks. I had to help friends and family many times when DNS got involved.

Ben Halpern

Yeah. For devs it's not so bad, but I'm just not sure why it can't be abstracted away more easily for most folks. It's a shame about the web that so many parts of getting online independently are still so technical and such a maintenance burden.

I'm not saying there are easy answers... It's a fundamental problem people keep trying to solve over and over and over again.... But DNS seems like it could be abstracted a little better than it is.

Andrew Brown 🇨🇦

@peter @ben

In AWS you have Route53 that manages your domain.
RecordSets allow you to apply changes to your DNS table.

You can use CloudFormation to write changes to your DNS table.
You can use CloudFormation ChangeSets where it requires a manual review step.

Route53 has a built-in tool to test if you have configured things correctly, and via the AWS SDK you can write a script that could rollback your changes.

Andrew Brown 🇨🇦

Also, you might be used to using GUIs but there are many providers where you can supply DNS records as one big text file. This is where you can overlay lots of automation.

Riyas Rawther

I always use a premium DNS service provider like Cloudflare or DigitalOcean. Be careful when you use default old-generation GoMommy services..
If you registered your domain with GoMommy, then create an account with Cloudflare (free) and point your NS records to Cloudflare.

The propagation time on Cloudflare is very low, unlike other DNS servers.
After making any record changes, use a DNS propagation checker to check the DNS status before attempting to verify with Google or other tools.
Because once Google finds that the DNS is not propagated, it will take some time to clear their cache, or if it's urgent you need to contact the Google support team. They will provide a special link for a retry...

Also, to generate wildcard domain SSL certificates using Let's Encrypt, use Certbot. They have a list of DNS providers which provide API-token-based DNS record creation for automated verification and renewal.

Artem

It is really straightforward to automate and abstract DNS-related tasks with Terraform or other similar configuration tools. With this setup you only need to provide the domain name for each deployment.
The main drawback is that it will be platform/cloud dependent. Also, the person creating the initial configuration will still need to "speak DNS".

andrewscofield

I think one possible solution would be to remove the DNS tables from the equation, if/when needed. It would require some collaboration, but for example, why can't Google Workspace use OAuth and an API to update the MX records at my domain registrar?

A lot of automation actually does happen at the hosting level with tools like cPanel if you host your nameservers and everything there, but frequently we need our services tied to multiple servers, so it's only half the equation.

Elliot Derhay

I think Google does do this depending on the registrar. I know Google Workspace can log into your GoDaddy account to add its verification code and MX records.

But IIRC GoDaddy provides an API for DNS management. I don't remember if I've seen that with other registrars, although my experience has primarily been with GoDaddy.

Rémy 🤖

Meh. At some point you should understand what you're doing, shouldn't you?

Although several service providers are offering more and more complete DNS APIs. For example, AWS lets you do anything from buying domains to configuring geo-DNS.

I'm guessing that if we standardized those APIs between providers we could start having deployment systems and various providers (like email providers or sending gateways) to be able to configure your domain name automatically.

Arvind Padmanabhan

At Devopedia, we're looking for authors/volunteers who can contribute the following articles: DNS Security, DNS Load Balancing, DNS Debugging, DNS Hosting Services, DNS Server Software

Thanks.

Daniel Ziltener

Why would you want to abstract something that already is very simple?

Prashanth R.

Great question and topic for innovation!
P.S. Big fan of your thought-provoking questions! Keep them coming.