by elp 1233 days ago
My $dayjob is at a domain registry operator.

Find out if your provider will allow you to add your own nameservers and allow zone transfers to them. Most will but find out because you REALLY don't want to synchronize changes manually.

You don't need anything fancy, just add one or two of your own nameservers. Something at Hetzner, OVH, DO, AWS, etc. is fine. You only need a small, basic Linux box with Knot, NSD, or BIND installed and a gig or two of memory.

Don't worry about PowerDNS if you only have a couple of domains. It's not worth the extra setup for a secondary then.

Make sure you do not allow recursive queries to the rest of the world (BIND) and make sure you turn on rate limiting to be safe. As a first step that will really help. Obviously, longer term you want to move the nameservers away from your current provider and either outsource the management or set up the primary yourself. The general rule we recommend is at least 3 nameservers, preferably on multiple continents.

This setup is very robust and will stop everything short of a serious DDoS attack. If that's a real concern then you need to outsource to a specialist. I like and have used netnod.se and Packet Clearing House (https://www.pch.net/) but they are very much not free.

If you are going to do all the DNS yourself then PowerDNS is great, but get someone with DNS skills locally to give you real advice.

1 comment

I gave this a +1, although I have some reservations. As long as they take care of the basics, it's a grind but they can "learn on the job" without putting themselves or others in harm's way.

Being an open recursor isn't as bad as being an open (email) relay. They'll learn about Response Rate Limiting the first time they get used in a reflection attack. And so on.

If they install a web interface to manage DNS all bets are off (what manages the management interface?).

The Basics:

* Having a strong allergic reaction to anyone using the words "simply" or "just".

* Setting up SSH with at least two of a password, a key, IP address restrictions.

* Not allowing dynamic updates until you know what you're doing with security and access controls.

* Keeping patches / software up-to-date.

* Editing zone files / configs by hand.

If they can do those things, then the machine will only be listening on two ports (53 and whatever they put SSH on).

The default for BIND is to only allow recursion on local networks, not just for anyone. I'd be very surprised if other popular DNS software simply openly recurses for anyone.
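As an added example (not from either commenter), here is a BIND 9 named.conf for a secondary nameserver that follows the advice in both comments: authoritative only with no recursion, Response Rate Limiting turned on, and zone transfers locked down. The zone name, addresses and file paths are constructed placeholders.

```conf
// Added example, not from the thread: minimal BIND 9 secondary config.
// 192.0.2.53 is a constructed placeholder for the primary (RFC 5737 range).
acl "primary" { 192.0.2.53; };

options {
    directory "/var/cache/bind";
    listen-on { any; };
    listen-on-v6 { any; };

    // Authoritative only: refuse recursion to everyone so the box cannot be
    // used as an open resolver or a reflector.
    recursion no;
    allow-recursion { none; };
    allow-query { any; };          // anyone may ask for the zones we serve
    allow-query-cache { none; };   // nobody may read a (nonexistent) cache

    // Never hand out full zone copies to the world. On the primary you would
    // instead list this secondary's address here so AXFR/IXFR can work.
    allow-transfer { none; };

    // Response Rate Limiting: caps identical answers per client /24 per second
    // so the server stops amplifying spoofed queries. Start in log-only mode
    // if you want to observe before enforcing.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;
    };

    version "not disclosed";
};

// Secondary copy of the zone, pulled from the primary via AXFR/IXFR.
zone "example.com" {
    type secondary;                 // "slave" in BIND older than 9.13
    primaries { 192.0.2.53; };      // "masters" in older BIND
    file "secondary/example.com.zone";
    allow-notify { primary; };      // only the primary may trigger a refresh
};
```

Check the result with `named-checkconf` and, from an outside host, confirm `dig @your-secondary google.com` is refused while `dig @your-secondary example.com SOA` is answered.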