ICG Blog

 Segregation of Duties: DNS, Domain Registration & Hosting

Managing risk is an important subject for any business, and to continue our series of discussions around risk management strategies for web assets, I want to spend a bit of time regarding DNS and domain registrations.  In Computer Science there is a common term, Separation of Concerns, that defines architecture recommendations for software development with a focus on modularity in design.  When looking at your Domain Registrations, DNS Entries and hosting it is important to employ a similar strategy to avoid potential risks in the future.


DNS, Domains, & Hosting, An Overview

Before I dig too far into the conversation here I want to make sure to clearly identify the separation that I am speaking about when it comes to separating concerns and what the individual responsibilities are for each party.


Domain Registrar

The company that provides Domain Registration services is the company responsible for your ownership of the domain name in question.  Your annual fee for domain registration secures the rights to use the domain name and often the domain registrar has the ability to add additional services, up-to, and potentially including hosting.  Without a domain registrar you would not be able to have a website.


You might think of GoDaddy or Network Solutions when you think of big name providers in this arena.


Dynamic Name Server (DNS)

The role of a DNS service is to provide the mapping between your domain name and the actual IP address of the server that is hosting your content.  Each domain will have multiple DNS entries that control where web content, e-mail, FTP and other types of requests are routed. 



The most commonly understood portion of this is your hosting provider, who actually gives you a server, or server resources to store your web applications on to serve their content to the public.  In some cases your hosting provider might be your DNS Service AND Domain Registrar.


How Can I Be Exposed?

With a basic understanding of the different pieces of the puzzle I'll start to explain some areas that can grant exposure to risks etc.  Each of the following are scenarios that IowaComputerGurus has worked with clients on, so these are not hypothetical situations.


Domain Registration Held Hostage

If you use the same vendor for Hosting and Domain registration and for whatever reason you need to migrate to a new provider, you still need the cooperation of the existing vendor to make the move.  As such they can delay this process, thankfully not truly stopping it, but it does cause a major pain and hassle.


The risks here include increased hosting costs because you are not able to make a quick cut over and lost time/wages for time spent resolving the situation.


DNS Entry Loss

Depending on your situation for hosting you might not have direct access to manage/view/backup your DNS entries.  These entries all contain key definitions that although they can be re-created if needed, require research and time to do so. When they are gone, your server will not be able to serve requests, e-mails will not go through, etc.  We have seen cases of lost entries when migrating from one Shared Hosting plan to another, when transferring from one vendor to another, and in the case of critical hardware failure.


DNS Propagation Delays for Migrations

Another risk that you can be exposed to is if you use your Hosting provider to control your DNS you must actually update your domain registration when you want/need to switch to a different hosting provider.  This type of update is subject to a propagation delay which can be up to 72 hours in length, although typically here in the US it is typically less than 24 hours.  During this period of time though users could be directed to either of your hosting plans.  If this happens on an active or e-commerce site major cleanup or restrictions on functionality could ensure.


How Should I Separate These Responsibilities?

In our experience it is best to have true separation of concerns and use three different vendors for each of the services.  In the following we will discuss a bit on who/how we do things as of today.


Domain Registration

All of our domain registration requests are currently managed through GoDaddy.  They have one responsibility and that is to secure our domain names.  We pay the $10-12/year/domain to register and they simply point the domain over to our Hosted DNS Service.  This becomes completely independent of our hosting and the only time any change would be needed here is if we modified our DNS provider.


Hosted DNS

All of our DNS needs are handled by DNSimple, from here we define the links to our various hosting accounts.  We have central administration for all DNS entries regardless of the hosting provider which allows us to easily switch things around.  If we need to move one domain from hosting provider A to hosting provider B we can do it with a simple entry update and the final transition is typically completed in minutes.  (The last time we did this it took 4 minutes to make the transition from one provider to the other.)


There are various other providers out there that offer this type of services.  The key benefit here is that these vendors have redundant systems and are going to manage your DNS entries for you and even if your server recycles or similar you will have those entries pointing users to the proper location.  (If you follow the link above, you can get 1 month free at DNSimple).



This is where we actually use multiple vendors.  We have a number of sites that are our own as well as many client sites that we manage.  Therefore we might use various vendors depending on the needs of the specific project.  The wonder of this situation is that the hosting provider is just that and transitions can be made easily so we can up-size or down-size a site quickly by switching plans or providers and only need to be worried about the site content.



The final piece here that I didn't directly discuss but fits well into this is the management of Email.  Just like hosting, email is something that can be offloaded to a third-party service independent of your hosting provider.  We strongly recommend this practice as well and we use Google Apps for our accounts.  This adds an additional layer of redundancy for the mission critical e-mail application.



Your website might very well be one of your biggest assets, keeping it secure and your rights to manage and configure it properly should be something that is on the top of the to-do list.  Feel free to share your comments and processes below.


This post has been cross-posted to my personal blog.


Update for Shared Hosting Users

It has been brought to my attention that in certain cases you will want to check with your hosting provider if using Hosted DNS and a shared hosting account as IP addresses can change.  You will want to verify that your hosting provider can notify you before IP Address changes so that you do not run into issues with them moving the site around and DNS not being updated.

Posts By Category