It may be just an ad for easyDNS' Proactive Nameservers [1] product but it provides a roadmap for one possible solution to this type of problem. From a quick reading of the marketing info, the solution can be summarized as "Provision, Monitor, and Fail-Over DNS Name Servers across multiple DNS-as-a-Service providers". The question I have is whether the following constraint is artificially introduced or not:
> We must be your domain registrar for this to work...
IIRC, Netflix OSS published some tools quite some time ago to support multiple DNS providers but I don't know/remember if they tackled the availability problem. The question comes down to build vs buy and whether the solution is general enough to warrant an Open Source Software solution.
They want to be the registrar to be able to update your NS records. But ... that's not really important nor needed (So the answer to your question yes, it's likely artificial). Just use two anycast-ed IPs/domains. (Like Cloudflare.)
The magic happens at BGP level.
I considered CF as a domain registrar, but they don't allow setting the NS records. So you must use them. (They basically use sane no-nonsense domain registration as a way to gain leads for their main product. Pretty smart actually, because it's a great high-level add-on for their main product, but they just went ahead and made that the bait for everyone.)
Anyway, ideally, if you add 2 separate sets of NS servers to your NS records then you eliminated this SPoF, great. Sure, it's your job to keep them updated, and in sync (preferably, to avoid problems like half of your users landing on a different CNAME/IP/etc).
And recursive nameservers will handle the failover.
easyDNS has to be the registrar because only your registrar can change your nameserver delegation with the registry. This is, in essence, the registrar's job. To maintain your domain record and info, including nameserver delegation, with the registry.
You could do it with BGP, but it is non-trivial and you need your own ASN to do that.
But you can just add multiple DNS providers yourself. I mean you can add the namservers of both easyDNS and cloudflare. EasyDNS just automates this.
In theory they could simply create a few subsidiaries, let's call them saferDNS1,2,3 and have them build completely different redundant DNS architectures, and add then add the resulting nameservers.
That said, it'd be good to see an actual domain that uses this "proactive" feature to see what easyDNS is doing.
I'm not a DNS expert, so... It's not really that simple is it? If you have multiple nameservers I thought they get equal weight, don't they?
So if you have Cloudflare + (ex:) NS1, and you're using Cloudflare for caching, you need your NS1 records to return Cloudflare proxied IPs normally, but origin IPs under failure conditions. That's a lot of infrastructure.
It also fails completely if you're relying on Cloudflare for DDoS protection and IP obfuscation because a failure means your origin IPs get exposed. That's assuming Cloudflare DNS being down means Cloudflare proxying is down too. It might not be the case, but I think you'd have to plan for it.
Then there's also Cloudflare's detection of nameservers. I haven't tried it with more than Cloudflare's nameservers set for a domain, but if your domain doesn't actively use their nameserver they'll drop your site from their system. So, at the very least, you can't use Cloudflare as a secondary DNS provider (at least the last time I checked).
I was talking about just the DNS layer, but ... you can periodically check what IP Cloudflare would return and return that. (There's also the apex-CNAME record type, ALIAS or DNAME, I don't remember right now, but PowerDNS supports it, and you can set up the resolver to use CF's NS.)
Of course CF doesn't support anything like this, but it works well (because they use quasi fixed, static anycasted IPs for the HTTP(S and TCP?) proxying/load-balancing too), even if it's hacky as hell.
If they have any active verification of nameservers, and if they disable the proxies if they detect something bad, then ... it won't work obviously :)
But technically there's nothing amazing in being a registrar of a domain. So both CF and easyDNS are just stubborn in the name of user experience (consistency).
... all in all, working around any SPoF (reliably) will usually require exponentially more resources/engineering/care.
I meant that easyDNS should handle the BGP for its clients, without requiring their clients to use them as registrars.
There's HE.net's free DNS, and though they don't explicitly advertise as, it's anycasted. (Check via https://tools.keycdn.com/ping , try 216.66.80.18 [ns5.he.net].)
> The only requirement to use Proactive Nameservers is that we have to be your registrar, because we need to connect to the registry to update your nameserver delegation.
So I guess technically this could be achieved with an API for your domain settings.
> IIRC, Netflix OSS published some tools quite some time ago to support multiple DNS providers but I don't know/remember if they tackled the availability problem.
The classic way of doing this is AXFR (your own DNS server is a "hidden master" and the DNS providers are the slaves).
The problem is you won't be able to have redundancy at the registrar level, but that has historically at least been less of an issue.
> We must be your domain registrar for this to work...
IIRC, Netflix OSS published some tools quite some time ago to support multiple DNS providers but I don't know/remember if they tackled the availability problem. The question comes down to build vs buy and whether the solution is general enough to warrant an Open Source Software solution.
[1] https://easydns.com/dns/proactive-nameservers/