
The most basic need: how we implemented DNS hosting at Mail.Ru for Business



Last year we launched free DNS hosting for Mail.Ru for Business, and it recently came out of beta testing. Today I want to tell you how we built it, which technical decisions we made, and a little about how we rolled it out to the entire audience.

We listen carefully to our users' wishes and keep a record of every request. DNS hosting consistently sat near the top of that list. As a result we solved two problems at once: we added a service that many people had asked for, and we gained another way for new customers to verify their domain. In addition, after switching to our DNS hosting, all the DNS records needed for mail to work are added automatically.

Choosing a DNS server


When choosing a DNS server we focused on speed, resource consumption and ease of operation. We very much wanted it to work with a database out of the box. We considered BIND, NSD and PowerDNS.

BIND is the most popular server; it is well documented, and you can probably find an answer to any question about it. However, it cannot work with a database out of the box. There is the DLZ patch, but its latest update dates from 2013. Nor is BIND notable for high performance.

NSD is the undisputed leader in speed and resource consumption, but it cannot work with anything other than zone files. In practice this means writing a script that periodically pulls all the records from the database, writes them to a file and reloads NSD.

PowerDNS has good performance and uses server resources moderately. It has many useful patches, both native and third-party. It works with PostgreSQL out of the box.

Ultimately, choosing between the high performance of NSD and the good performance plus ease of operation of PowerDNS, PowerDNS won.

Working with PowerDNS is a pleasure: you make changes in the database and it picks them up. (Keep in mind that PowerDNS caches query results, so with a non-zero query cache TTL a change in the database becomes visible only after that TTL expires.) And since all the data comes from the database, there is no need to set up master-slave replication on the PowerDNS side: replication can be delegated to the database.

Name history


To confirm a domain we issue two NS records, for example moscow.ens.mail.ru and spb.ens.mail.ru. Where do the cities come from? To explain that, I first need to describe the problem we were solving.

We tried to make registration at Mail.Ru for Business easy and convenient. Today it works as follows. Suppose you own the domain bestcompanyever.ru and want to register. You add bestcompanyever.ru on our site, and we give you a pair of names for your NS records. Once you have set them at your registrar, you can manage your mail and DNS records.

However, two people might try to register bestcompanyever.ru at the same time. For such cases we need an algorithm that identifies the real owner of the domain and grants that person the right to manage mail and DNS for it.

The simplest solution is to hand out names in a standard format (dns1.mail.ru, dns2.mail.ru, and so on) and use a unique combination of names for identification. For example, the first user who adds bestcompanyever.ru is asked to set dns7.mail.ru and dns23.mail.ru, and the second one dns3.mail.ru and dns84.mail.ru. We then check which pair of NS records is set for the domain and determine the real owner from that. A great system, it would seem, but there is a catch. Users who receive, say, dns3 and dns84 often fill in the whole range as well: dns3, dns4, dns5, dns6 and so on. This brings no benefit; the only thing the user gets out of it is an error during domain verification. To avoid such situations we hand out names whose sequence is not obvious. For this we used the names of cities. We now have two lists of 50 cities each.



Everyone who registers with Mail.Ru for Business receives one name from each list. That gives 2500 unique combinations, which guarantees unambiguous identification of the domain owner even if several people try to register the same domain.

Once registration is complete, the server names lose their technical meaning. Whichever of the addresses receives a query, we always return the requested records.

Brute force


In theory, an attacker could start registration of the same domain under 2500 accounts and obtain every possible pair of NS names. When the real owner came along and started registration, they would receive a pair already held by the attacker. After the owner set it at the registrar and automatic verification ran, we would activate the domain on the attacker's account.

Of course, this scenario is complex and expensive, and there are not many domains worth that much trouble. We solved the problem as follows: we added a limit on the number of unconfirmed registrations of one domain name, and within one domain name every unconfirmed registration is guaranteed a unique pair.
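The mechanism from the last three sections, as an added example (this is not Mail.Ru's code, and the city lists, the NS zone suffix, the account names and the limit of ten unconfirmed registrations per domain are all constructed assumptions; the article gives no limit value). It shows the three decisions the text describes: a pair is drawn from two separate lists, ownership is decided by the exact NS set delegated for the domain (so a user who adds extra names fails verification instead of matching several issued pairs), and a cap on unconfirmed registrations of one name keeps an attacker from holding every pair. In production the delegated NS set would come from a live lookup; here the caller supplies it so the code runs offline.

```python
"""Added example, not Mail.Ru's code: NS-pair assignment and domain
ownership verification with a per-domain cap on unconfirmed registrations."""
import random
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed city lists. The article says the real lists hold 50 cities
# each; ten per list is enough to show the mechanism (100 possible pairs).
CITIES_A = ["moscow", "kazan", "perm", "omsk", "tula",
            "tver", "ufa", "orel", "pskov", "sochi"]
CITIES_B = ["spb", "novosibirsk", "samara", "rostov", "voronezh",
            "yaroslavl", "tomsk", "ryazan", "kursk", "bryansk"]
NS_ZONE = "ens.mail.ru"            # NS suffix shown in the article

# Hypothetical value: the article says a limit exists but not its size.
MAX_PENDING_PER_DOMAIN = 10


class RegistrationError(Exception):
    pass


@dataclass
class Pending:
    account: str
    pair: frozenset           # the two NS names issued to this account


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


class NsVerifier:
    def __init__(self, rng: Optional[random.Random] = None):
        # A CSPRNG by default; a seeded random.Random can be injected in tests.
        self._rng = rng if rng is not None else secrets.SystemRandom()
        self._pending = {}    # domain -> list[Pending]

    def request_pair(self, domain: str, account: str) -> frozenset:
        """Issue a pair of NS names to `account` for `domain`.

        Every unconfirmed registration of the same domain gets a distinct
        pair, and the number of such registrations is capped, so an attacker
        cannot pre-register all combinations and wait for the real owner.
        """
        domain = normalize(domain)
        pending = self._pending.setdefault(domain, [])
        for p in pending:                       # repeated request: same pair
            if p.account == account:
                return p.pair
        if len(pending) >= MAX_PENDING_PER_DOMAIN:
            raise RegistrationError(
                f"too many unconfirmed registrations for {domain}")
        taken = {p.pair for p in pending}
        for _ in range(100 * len(CITIES_A) * len(CITIES_B)):
            pair = frozenset((f"{self._rng.choice(CITIES_A)}.{NS_ZONE}",
                              f"{self._rng.choice(CITIES_B)}.{NS_ZONE}"))
            if pair not in taken:
                break
        else:
            raise RegistrationError("pair space exhausted")
        pending.append(Pending(account, pair))
        return pair

    def verify(self, domain: str, delegated_ns) -> Optional[str]:
        """Return the account that owns `domain`, or None.

        `delegated_ns` is the NS set observed for the domain. The match is on
        the EXACT set: a user who also adds extra names matches no issued pair
        (the verification error the article describes), and a superset match
        could fit several issued pairs at once.
        """
        domain = normalize(domain)
        observed = frozenset(normalize(n) for n in delegated_ns)
        for p in self._pending.get(domain, []):
            if p.pair == observed:
                del self._pending[domain]   # confirmed; other pairs are void
                return p.account
        return None


def attacker_coverage(verifier: NsVerifier, domain: str, accounts: int) -> int:
    """How many distinct pairs an attacker with `accounts` accounts can hold."""
    held = set()
    for i in range(accounts):
        try:
            held.add(verifier.request_pair(domain, f"attacker-{i}"))
        except RegistrationError:
            break
    return len(held)


if __name__ == "__main__":
    v = NsVerifier()
    alice = v.request_pair("bestcompanyever.ru", "alice")
    print("alice must delegate to:", sorted(alice))
    print("owner after delegation:", v.verify("bestcompanyever.ru", alice))
```

With the cap in place, an attacker holding every account they can register still controls at most MAX_PENDING_PER_DOMAIN of the pairs, and once the real owner's pair verifies, every other pending pair for that name is discarded.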

Taking this opportunity, I want to remind you that Mail.Ru Group has a bug bounty program. If you, inquisitive reader, find bugs in the DNS hosting (or on biz.mail.ru in general), you can earn both recognition and money by submitting a report.

Feature system


All new functionality is enabled for users through the feature system. It lets us roll out functions flexibly, choosing which users get access to them. That way we can test new features in production without showing them to everyone. If needed, a feature can be enabled for specific users, specific domains, or a certain percentage of the audience.

For DNS hosting we had a list of users who very, very much wanted to try it. They went into the closed beta group. This step let us find bugs tied to rare cases and fix several usability problems in the interface.

At the end of the closed beta we began opening the hosting to all users: first 10%, then 50%, and a week later to all our clients.
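A feature flag with the three targeting modes described above (listed users, listed domains, percentage of the audience), as an added example rather than Mail.Ru's feature system, whose internals the article does not describe. The one design point worth showing is that the percentage bucket is a stable hash of the feature name and the user id, not a fresh random draw: a user does not flip in and out of the feature between requests, and everyone enabled at 10% stays enabled when the rollout moves to 50%. The feature and user names are constructed.

```python
"""Added example, not Mail.Ru's code: a feature flag for listed users,
listed domains, or a deterministic percentage of the audience."""
import hashlib
from typing import Iterable, Optional


class Feature:
    def __init__(self, name: str, users: Iterable[str] = (),
                 domains: Iterable[str] = (), percent: int = 0):
        if not 0 <= percent <= 100:
            raise ValueError("percent must be within 0..100")
        self.name = name
        self.users = set(users)
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.percent = percent

    def bucket(self, user_id: str) -> int:
        """Stable bucket 0..99 for a user. The feature name is mixed in so
        that the same user lands in different buckets for different features
        and one feature's rollout order does not leak into another's."""
        digest = hashlib.sha256(f"{self.name}:{user_id}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % 100

    def enabled_for(self, user_id: str, domain: Optional[str] = None) -> bool:
        if user_id in self.users:
            return True
        if domain is not None and domain.lower().rstrip(".") in self.domains:
            return True
        # Raising `percent` only adds buckets, never removes users already in.
        return self.bucket(user_id) < self.percent


def enabled_users(feature: Feature, user_ids: Iterable[str]) -> set:
    """Subset of `user_ids` that sees the feature (without a domain match)."""
    return {u for u in user_ids if feature.enabled_for(u)}


if __name__ == "__main__":
    beta = Feature("dns_hosting", users=["beta-tester-1"], percent=10)
    print("beta-tester-1:", beta.enabled_for("beta-tester-1"))
    print("user42 bucket:", beta.bucket("user42"),
          "enabled:", beta.enabled_for("user42"))
```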

Instead of a conclusion


We have built a fast and reliable DNS hosting and are not going to stop there. In the near future we plan to launch DNSSEC. We keep improving the hosting and love being criticized, so I ask everyone who has already used it to say in the comments what you would like improved or added.

And if you haven't tried our service yet, leave a comment. The first 100 Habr users will receive a promo code for registering a free domain in the .ru zone with mail and DNS service connected.

Sources


blog.cloudflare.com/whats-the-story-behind-the-names-of-cloudflares-name-servers

Source: https://habr.com/ru/post/276523/