I don't know about you, but I have observed so many DNS mishaps in my day, and also have observed that developers and non-devs consistently fail to have a succinct mental model of how to set DNS properly for a website.
There are lots of services that make setting DNS easier than ever, but I'm kind of surprised so many people still have to think directly in terms of CNAMES, APEX DOMAINS, and all the direct domain knowledge of DNS.
Can't we have a higher level abstraction that compiles to DNS with more safety guards? Sure, let me dip into DNS when I need to, but why are DNS settings tables still such a normal thing?
I write Ruby code so I don't have to write C code. I'm sure there are attempts in DNS abstraction, but the fact that I haven't come across them means they are probably still too leaky or just not mainstream.
Thoughts on the matter?
I always get extra nervous whenever adjusting DNS settings. Not only is there typically no way to preview changes, but you're always warned that "DNS propagation may take 24-48 hours." Thus, you could unintentionally cause a critical-path bug that can't even be rectified immediately.
I started this #explainlikeimfive question a little while back on the specific topic of TTL:
Explain DNS TTL Like I'm five
Peter Kim Frank ・ Dec 18 '17 ・ 1 min read
It's honestly not that bad. I've yet to see any operation that's going to take 24-48 hours. Even delegation to a set of different servers rarely takes longer than an hour.
How often do you adjust DNS settings that MAY cause critical bugs?
Maybe I just learned it too long ago, but I have not found DNS all that bad to work with, excepting the up to 24 hrs changes. Being able to set low TTLs can help with that but you first have to wait out the original TTL.
The thing that bugs me most about DNS currently is privacy.
I don’t personally find it that hard, but I was just interacting with someone who needed to set up DNS and needed help and they were making mistakes and it really made me think that it’s still designed for the sensibilities of tech folks and not normal people.
Totally agree. I had the very same discussion with my team this week regarding this. I had a situation with the SendGrid addon on Heroku not working for me. Had to figure out SPF & DKIM and how to point DNS, and that just for setting up SendGrid. God! How did we get here? There has to be a better way, right?
I remember once I was trying to set up a subdomain (or whatever the correct nomenclature may be) to point to a different IP address, and nothing I did seemed to work. I gave up in the end, as it wasn't important.
I wonder what kind of setup you had to do for that person. There are many articles that cover basic DNS stuff (A, NS, MX) so I think non-tech people should not have any problems learning a bit before they do stuff. Most DNS providers have good articles for that stuff as well.
Yes I agree that it is confusing for non-tech folks. I had to help friends and family many times when DNS got involved.
Yeah. For devs it's not so bad, but I'm just not sure why it can't be abstracted away more easily for most folks. It's a shame about the web that so many parts of getting online independently are still so technical and such a maintenance burden.
I'm not saying there are easy answers... It's a fundamental problem people keep trying to solve over and over and over again.... But DNS seems like it could be abstracted a little better than it is.
@peter @ben
In AWS you have Route53 that manages your domain.
RecordSets allow you to apply changes to your DNS table.
You can use CloudFormation to write changes to your DNS table.
You can use CloudFormation ChangeSets where it requires a manual review step.
Route53 has a built-in tool to test if you have configured things correctly, and via the AWS SDK you can write a script that could rollback your changes.
Also, you might be used to using GUIs but there are many providers where you can supply DNS records as one big text file. This is where you can overlay lots of automation.
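As an added illustration of the "abstraction that compiles to DNS with safety guards" the original post asks for, and of the one-record-per-line text format mentioned just above, here is a small Python sketch (example code written for this thread, not from AWS, Route53 or any other provider; the `SiteSpec` format, the rule set and all names are hypothetical):

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Record:
    name: str      # owner name relative to the zone; "@" is the apex
    rtype: str     # A, AAAA, CNAME or MX
    value: str
    ttl: int = 3600

@dataclass
class SiteSpec:
    web: Optional[str] = None                      # IP literal, or a hostname to CNAME www to
    mail: List[str] = field(default_factory=list)  # MX targets, most preferred first
    ttl: int = 3600

def check(recs: List[Record]) -> List[str]:
    """Safety guards: return every rule violation rather than silently publishing."""
    problems, by_name = [], {}
    for r in recs:
        by_name.setdefault(r.name, []).append(r)
    for name, group in by_name.items():
        if any(r.rtype == "CNAME" for r in group):
            if name == "@":   # the apex always carries SOA and NS, so a CNAME can't live there
                problems.append("CNAME at the zone apex is not allowed")
            elif len(group) > 1:   # RFC 1034 3.6.2: a CNAME must be the only record at a name
                problems.append(f"CNAME at {name} cannot coexist with other records")
    problems += [f"TTL {r.ttl} on {r.name} {r.rtype} is outside 60..86400"
                 for r in recs if not 60 <= r.ttl <= 86400]
    return problems

def compile_spec(spec: SiteSpec) -> List[Record]:
    """Compile the high-level spec to records; refuse to emit anything check() rejects."""
    recs = []
    if spec.web:
        try:   # IP literal: address records at the apex and at www
            rtype = "AAAA" if ipaddress.ip_address(spec.web).version == 6 else "A"
            recs += [Record(n, rtype, spec.web, spec.ttl) for n in ("@", "www")]
        except ValueError:   # hostname: only www may be a CNAME; the apex needs an A or a provider ALIAS
            recs.append(Record("www", "CNAME", spec.web.rstrip(".") + ".", spec.ttl))
    for i, target in enumerate(spec.mail):
        recs.append(Record("@", "MX", f"{10 * (i + 1)} {target.rstrip('.')}.", spec.ttl))
    if problems := check(recs):
        raise ValueError("; ".join(problems))
    return recs

def to_zone_lines(recs: List[Record]) -> List[str]:
    # the plain text form many providers accept as a bulk upload
    return [f"{r.name}\t{r.ttl}\tIN\t{r.rtype}\t{r.value}" for r in recs]
```

Running `check()` over records before they are uploaded is the "preview" step the thread says most DNS UIs lack; the same function works on hand-written records, not just compiled ones.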
I always use a premium DNS service provider like Cloudflare or DigitalOcean. Be careful when you use default old-generation GoMommy services.
If you registered your domain with GoMommy, then create an account with Cloudflare (free) and point your NS record to Cloudflare.
The propagation time on Cloudflare is very low, unlike other DNS servers.
After making any record changes, use a DNS propagation checker to check the DNS status before attempting to verify with Google or other tools.
Because once Google finds that the DNS is not propagated, it will take some time to clear their cache, or if it's urgent you need to contact the Google support team. They will provide a special link for a retry...
Also, to generate wildcard domain SSL certificates using Let's Encrypt, use Certbot. They have a list of DNS providers which provide API-token-based DNS record creation for automated verification and renewal.
It is really straightforward to automate and abstract DNS-related tasks with Terraform or other similar configuration tools. With this setup you only need to provide a domain name for each deployment.
The main drawback is that it will be platform/cloud dependent. Also, the person creating the initial configuration will still need to "speak DNS".
I think one possible solution would be to remove the DNS tables from the equation, if/when needed. It would require some collaboration, but for example, why can't Google Workspace use OAuth and an API to update the MX records at my domain registrar?
A lot of automation actually does happen at the hosting level with tools like cPanel if you host your nameservers and everything there, but frequently we need our services tied to multiple servers, so it's only half the equation.
I think Google does do this depending on the registrar. I know Google Workspace can log into your GoDaddy account to add its verification code and MX records.
But IIRC GoDaddy provides an API for DNS management. I don't remember if I've seen that with other registrars, although my experience has primarily been with GoDaddy.
Meh. At some point you should understand what you're doing shouldn't you?
Although several service providers are getting more and more complete DNS APIs. For example, AWS lets you do anything from buying domains to configuring geo-DNS.
I'm guessing that if we standardized those APIs between providers, we could start having deployment systems and various providers (like email providers or sending gateways) be able to configure your domain name automatically.
At Devopedia, we're looking for authors/volunteers who can contribute the following articles: DNS Security, DNS Load Balancing, DNS Debugging, DNS Hosting Services, DNS Server Software
Thanks.
Why would you want to abstract something that already is very simple?
Great question and topic for innovation!
P.S. Big fan of your thought provoking questions! Keep them coming