by mjec 3532 days ago
Pardon my ignorance, but why don't companies run their own nameservers?

I get why you don't want to run email - it's highly reputation driven. But as far as I can tell, running nameservers is no harder than running webservers or DB servers. HA is potentially even easier, because the system was designed that way from day zero.

I'm not suggesting I'd run one for my personal website, but Twitter and GitHub are already managing distributed networks for this. What are the services Dyn and others provide that are so invaluable?

7 comments

The complex DNS products exist for a reason. For one they can do really good geo-routing. This makes your services go faster for a global audience.

Then, some of the big companies use multiple CDNs. You might want to use one CDN provider in Asia and another in Europe. Furthermore, you may want to select the CDN not only on the geo-routing dimension, but on arbitrary criteria. Imagine that you had a fixed budget for, say, CloudFront, and wanted to route as much as you could to them, but never exceed your budget. Modern DNS services allow all of these complex scenarios.

Furthermore, running your own DNS infrastructure is far from obvious these days. In May 2015 I gave this talk on defending DNS from DDoS:

https://idea.popcount.org/2015-05-11-oarc---dealing-with-dns...

Draw your own conclusions, but I'd say that running your own DNS makes you _more_ exposed to DDoS and extortion than using someone else's DNS infrastructure.

I've run my own DNS infrastructure for a medium-sized company. It could get attacked. And you'd better be sure your providers are OK with the bandwidth usage or they will shut you down. You could be down for hours. If you are targeted it could be very bad.

Amazon and providers like Dyn have anycast, so routing will normally be faster than what most companies would want to spend on their own DNS systems. And they can absorb most large attacks. Not to mention that uptime for Route 53 is near 100% usually and it is pretty cheap. I don't think you could build something cheaper for yourself that offered similar features to Route 53.

Getting good, consistent, well-routed, fast and secure DNS is harder than you'd think. Dyn typically sings speed as the main selling point for their DNS product; they do this through a large geographic distribution of domain name servers and anycast. Many hosts (like, say, DigitalOcean) run their own DNS but use something like CloudFlare Virtual DNS on top. Personally I was surprised so many large sites trusted Dyn; Route 53 is a more robust product for production and scale. In the past, I've seen hosting providers switch to Dyn, give them load, cripple them, and have to scramble to revert away. I'm not at all surprised this happened, even given the uptick in botnet traffic globally.

Route 53 ain't all that. We approached them about handling our customers' domains, and they said no way. They didn't have the capacity. Granted, this was 2 years ago, but Dyn has a much better reputation (still) than Route 53.

It's not that hard, but DynDNS can offer a much higher-performance, reliable and advanced service. They use anycast with a lot more servers than is practical for each company to manage. They also offer advanced georouting, failover, etc.

In the face of a DDoS I'm not sure a custom nameserver network would do much better than a company who does that for a living. The only advantage is that attacks would have to target individual services (which did happen other times).

Latency, Ops, Cost, specialised features like latency based routing (nearest datacentre to the user making a request).

It comes down to the same reasons as someone using the cloud or a CDN: why spend more running it yourself (staff, equipment etc.) instead of getting someone whose job it is to run that specific piece of software to the absolute best of their ability?

It's just not a core competency of almost all companies.

The simple answer is that running DNS servers at scale is as hard as running anything else at scale. The cost of having someone else do it for you is often much lower than doing it yourself.

I have an opposite question. Why does anyone even need to run their own non-caching nameserver?

My current understanding of DNS infra is: we have root nameservers which take record change requests, apply them to themselves and send them to other listening root nameservers and cache nameservers. The DNS root nameservers would be extremely DDoS-resilient, more than any other kind of server. Considering millions of dollars get spent per year on domain keeping, it's fair to expect it too.
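The resolution chain the last question is about, shown as an added example that is not part of the thread. In practice the root and TLD servers hold no records for your zone; they answer a query for www.example.com with a referral, i.e. the NS records of example.com plus glue addresses, and the resolver then asks the zone's own authoritative servers. Those servers are the ones a company either runs or outsources, and they are the ones that have to stay up under load. The code below (stdlib only) builds an iterative query, parses a DNS message including compression pointers, and extracts the next-hop servers from a referral. The referral packet is constructed here for the example, with nameserver names ns1/ns2.example.com and documentation-range addresses 192.0.2.1/2 chosen for illustration; it was not captured from any real server.

```python
import struct

# RR types / class used below (RFC 1035 values).
A, NS, IN = 1, 2, 1


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Wire-format query. Flags are 0 (RD clear): an iterative query as a resolver
    sends it to an authoritative server, which will not recurse on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)


def decode_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if end is None:
                end = off + 2                     # the pointer ends this field in the message
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                         # a malicious packet can loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Parse header, question and the answer/authority/additional sections into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    out = {"id": txid, "aa": bool(flags & 0x0400), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == NS:
                rdata, _ = decode_name(msg, off)       # NS rdata is itself a (compressible) name
            elif rtype == A and rdlen == 4:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            else:
                rdata = bytes(msg[off:off + rdlen])
            off += rdlen
            rrs.append((name, rtype, ttl, rdata))
        out[section] = rrs
    return out


def build_referral(txid=0x1234):
    """Constructed packet (not captured from a real server): what a .com server would
    send back for 'www.example.com A'. QR set, AA clear, no ANSWER; the zone's NS
    records go in AUTHORITY and their glue A records in ADDITIONAL. Names are
    compressed so parse_message has to follow pointers, as with real responses."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 2, 2))
    q_off = len(msg)
    msg += encode_name("www.example.com") + struct.pack("!HH", A, IN)
    zone_ptr = struct.pack("!H", 0xC000 | (q_off + 4))   # -> "example.com" inside the question
    glue_ptrs = []
    for label in (b"ns1", b"ns2"):
        msg += zone_ptr + struct.pack("!HHIH", NS, IN, 172800, 6)
        glue_ptrs.append(len(msg))                        # where "nsX.example.com" starts
        msg += bytes([len(label)]) + label + zone_ptr
    for ptr, ip in zip(glue_ptrs, (bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))):
        msg += struct.pack("!H", 0xC000 | ptr) + struct.pack("!HHIH", A, IN, 172800, 4) + ip
    return bytes(msg)


def referral_targets(resp):
    """From a parsed referral, list (nameserver, glue address) pairs to query next.
    An NS without glue would have to be resolved separately before it can be asked."""
    glue = {rr[0]: rr[3] for rr in resp["additional"] if rr[1] == A}
    return [(rr[3], glue.get(rr[3])) for rr in resp["authority"] if rr[1] == NS]


if __name__ == "__main__":
    print(parse_message(build_query("www.example.com", A)))
    referral = parse_message(build_referral())
    print("authoritative?", referral["aa"], "answers:", referral["answer"])
    print("ask next:", referral_targets(referral))
```

The point of `referral_targets` is that the parent zone never answers the question itself: the records, and therefore the availability problem the thread is arguing about, live on the servers it hands you. The hop limit in `decode_name` is the kind of check a self-hosted resolver or authoritative server needs, since a looping compression pointer is a classic way to hang a naive parser.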