@jerry I use Hurricane Electric’s free DNS service. I run a hidden primary that syncs with them, and they provide five named secondaries. Full support for #DNSSEC, because it’s not 1998 anymore. https://dns.he.net
@jerry Ah, so you are under a DDoS attack.
Cheapest anycast for the bulk is a requirement IMHO, but I would use a registrar's NS server as one NS with a long TTL (it can be a fun way to fingerprint an attack). In my ideal world, I'd have another authNS-capable server on standby to rotate in when under attack to collect data.
I have used Dynadot as my registrar for probably about 15 years. Their prices are a little higher than some others, but I couldn't be more satisfied with the service: it just works, no outages I can remember (certainly no major ones), on the rare occasion I needed something they've been very responsive, and no marketing emails or anything like that. In this case I have zero regrets about my decision to prioritize quality over price.
My DNS zone records are at Linode because that's where I host my servers, and they do totally fine, but that one was a choice of convenience more than anything else.
@jerry Gotcha, well in that case it probably doesn't make sense to put too much weight on my feedback - while I'm happy with both companies, I don't know how things would be different if I were using them at the scale you deal with.
@jerry I had the same issue when Google Domains announced their pending transfer to Squarespace. I moved all my domains to Namecheap after reading a bunch of articles. Google Domains' UI made it easy and simple, and any Google Cloud stuff changed entries managed by Google Domains. Same with AWS Route 53, but without paying monthly for zone records. Updates to Google Domains and Route 53 seem to have almost no time-to-live. Unlimited aliases were great.
GoDaddy was great 20 years ago, but they've added so much cruft to their site to try and generate new revenue streams that when I helped a non-techie set up their domain, they were so confused they threw up their hands.
Namecheap is approaching that level of cruft with WhiteGlove™ DNS, WordPress, and Private Email offerings, but they're not there yet. It took a couple of hours for Namecheap changes to propagate to AT&T's DNS servers. I had to add a weird @ record to get my web site's A record to work.
@jerry I host at Linode (which is now Akamai) and they do my DNS also. I have long used Namecheap for buying domains (they didn't use to be a domain registrar, but I think they may be now) and IIRC they do DNS service too.
@jerry PairDomains is simple and only changed hands once (customer since 2001). Hover.com is part of Tucows so they'll be around for a while because of OpenSRS.
I haven't investigated NS server network diversity, but I might shop for anycast authNS at the same time just in case.
@jerry @jahanson @trusty it might end up being less than that at our origins, which is where we currently calculate volume from. Even then we're talking $10 a month at that volume.
@kmj I had an attack a few months back that caused me to move to bunny.net. I previously had 3 dedicated nameservers, but started getting hammered with ~500M-1B DNS requests per day and I couldn't add servers fast enough to keep things working.
@jerry I have a central blocklist which is rolled out to the firewalls in front of them. This helped me to come out of a similar situation. The question is: did they hammer you specifically, which would cause the attack to move to the new servers, or was it an untargeted attack against some IP?
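The two questions raised in the last posts (who is hammering the servers, and whether the flood follows the zone or just the IP) can both be answered from the authoritative server's own query log. The script below is an added example, not code from anyone in this thread or from any of the providers mentioned; it assumes a BIND 9 style query log (the regex is an assumption and would need adjusting for other servers), uses constructed sample lines with RFC 5737 documentation addresses and the made-up zone example.net, and emits nftables commands for a set name (dns_flood) that is also an assumption.

```python
"""Triage an authoritative DNS query log during a volumetric flood.

Two outputs: (1) source addresses above a query threshold, as candidates for
the kind of central blocklist pushed to the firewalls in front of the name
servers; (2) a rough profile of the flood: queries for names in the zone we
serve (the attack follows the domain) versus queries for names we do not
serve (the attack is aimed at the address).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log style (assumption about format).
SAMPLE_LOG = """\
client @0x1 203.0.113.10#53021 (k3j9x.example.net): query: k3j9x.example.net IN A -E(0) (192.0.2.53)
client @0x1 203.0.113.10#53022 (q8z2m.example.net): query: q8z2m.example.net IN A -E(0) (192.0.2.53)
client @0x1 203.0.113.10#53023 (p0a1b.example.net): query: p0a1b.example.net IN A -E(0) (192.0.2.53)
client @0x1 203.0.113.10#53024 (zz91k.example.net): query: zz91k.example.net IN A -E(0) (192.0.2.53)
client @0x1 198.51.100.7#40000 (www.example.net): query: www.example.net IN A -E(0) (192.0.2.53)
client @0x1 198.51.100.7#40001 (example.net): query: example.net IN MX -E(0) (192.0.2.53)
client @0x1 198.51.100.9#41000 (www.example.net): query: www.example.net IN AAAA -E(0) (192.0.2.53)
client @0x1 203.0.113.77#1024 (.): query: . IN ANY +E(0) (192.0.2.53)
client @0x1 203.0.113.77#1024 (unrelated.example): query: unrelated.example IN ANY +E(0) (192.0.2.53)
"""

# Names the zone legitimately answers for (constructed for the example).
ZONE = "example.net"
KNOWN_NAMES = {"example.net", "www.example.net", "mail.example.net"}

LINE_RE = re.compile(
    r"client @\S+ (?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict per parsable log line; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def top_talkers(records, threshold):
    """Sources with at least `threshold` queries in the log window, busiest first."""
    per_client = Counter(r["client"] for r in records)
    return [(ip, n) for ip, n in per_client.most_common() if n >= threshold]


def classify(qname, zone=ZONE, known_names=KNOWN_NAMES):
    """Bucket one query name: known in-zone, random in-zone label, or off-zone."""
    name = qname.rstrip(".").lower()
    if name != zone and not name.endswith("." + zone):
        return "off_zone"          # we are not authoritative; junk aimed at the IP
    if name in known_names:
        return "known"             # legitimate-looking traffic for real names
    return "random_subdomain"      # in-zone but nonexistent labels (NXDOMAIN flood)


def attack_profile(records, zone=ZONE, known_names=KNOWN_NAMES):
    """Label the flood and return the per-bucket counts used to decide."""
    counts = Counter(classify(r["qname"], zone, known_names) for r in records)
    total = sum(counts.values())
    if total == 0:
        return "no data", counts
    in_zone = counts["known"] + counts["random_subdomain"]
    if in_zone / total < 0.5:
        return "ip-targeted", counts   # mostly queries for zones we never served
    if counts["random_subdomain"] > counts["known"]:
        return "zone-targeted (pseudo-random subdomain flood)", counts
    return "zone-targeted", counts


def nft_commands(ips, set_name="dns_flood"):
    """nftables commands to add sources to a blocklist set (set name assumed)."""
    ordered = sorted(ips, key=ipaddress.ip_address)
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in ordered]


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    label, counts = attack_profile(recs)
    print(f"profile: {label}  buckets: {dict(counts)}")
    noisy = top_talkers(recs, threshold=3)
    print("sources over threshold:", noisy)
    for cmd in nft_commands(ip for ip, _ in noisy):
        print(cmd)
```

Two caveats when using this for real: source addresses in UDP DNS floods are frequently spoofed, so a per-source blocklist mainly helps against non-spoofed botnet traffic and the threshold needs to be set against the server's normal baseline; and a high share of off-zone or ANY queries is a hint that the servers are being used as reflectors toward someone else rather than attacked for the zone, which changes the response (rate limiting and refusing recursion) rather than the provider.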