|
@@ -0,0 +1,95 @@
|
|
1
|
+---
|
|
2
|
+date: 2017-08-16
|
|
3
|
+title: A look at the DNS habits of the top 100k websites
|
|
4
|
+url: /2017/08/16/top-sites-dns-providers/
|
|
5
|
+---
|
|
6
|
+
|
|
7
|
+I was thinking about switching DNS providers recently, and found myself
|
|
8
|
+`whois`ing random domains and looking at their nameservers. One thing lead
|
|
9
|
+to another and I ended up doing a survey of the nameservers of the top
|
|
10
|
+100,000 sites according to Alexa.
|
|
11
|
+
|
|
12
|
+### Most popular providers
|
|
13
|
+
|
|
14
|
+The top providers by a large margin were, unsurprisingly, Cloudflare and AWS
|
|
15
|
+Route 53. Between them they accounted for around 30% of the top 100k sites.
|
|
16
|
+The top 10 providers overall were:
|
|
17
|
+
|
|
18
|
+| Provider | Country | Sites |
|
|
19
|
+| --------------- |---------------|------:|
|
|
20
|
+| Cloudflare | United States | 19% |
|
|
21
|
+| AWS Route53 | United States | 10% |
|
|
22
|
+| GoDaddy | United States | 4% |
|
|
23
|
+| DNSPod | China | 3% |
|
|
24
|
+| Dyn | United States | 2% |
|
|
25
|
+| Akamai | United States | 2% |
|
|
26
|
+| DNS Made Easy | United States | 2% |
|
|
27
|
+| Hi China | China | 1% |
|
|
28
|
+| UltraDNS | United States | 1% |
|
|
29
|
+| Namecheap | United States | 1% |
|
|
30
|
+
|
|
31
|
+You have to search fairly deep to find a provider that's not American or
|
|
32
|
+Chinese: OVH (France), Gandi (France again) and RU Center (Russia) all come
|
|
33
|
+in at around 0.5% of the top sites.
|
|
34
|
+
|
|
35
|
+One thing I found particularly interesting was the relatively small number of
|
|
36
|
+sites that use Google's hosted DNS service -- out of the 100,000 sites only
|
|
37
|
+0.4% appear to use Google Cloud DNS. That's 25 times fewer than are using
|
|
38
|
+Route 53.
|
|
39
|
+
|
|
40
|
+#### Different strokes for different folks
|
|
41
|
+
|
|
42
|
+This graph shows the relative frequency of some of the big providers for
|
|
43
|
+sites in different positions in the top 100,000 list:
|
|
44
|
+
|
|
45
|
+<img src="/res/images/dns/providers.png" alt="Graph showing popularity of DNS providers across sites grouped by position">
|
|
46
|
+
|
|
47
|
+There are a few interesting transitions that can be seen here. The very large
|
|
48
|
+sites tend to manage their own DNS, as can be seen with the large
|
|
49
|
+'Self-hosted/other' number in the top 100 category. As you move down into the
|
|
50
|
+top thousand, you get to sites that still have significant requirements but
|
|
51
|
+don't quite have the need to run their own DNS infrastructure; here you can see
|
|
52
|
+Akamai peak, and Cloudflare usage jump up an order of magnitude.
|
|
53
|
+
|
|
54
|
+As you travel further down the list, DNS becomes a much more mundane affair
|
|
55
|
+and you see 'premium' providers such as NS1, Dyn and Verisign drop off, and
|
|
56
|
+commodity providers such as GoDaddy start to soar. Cloudflare remains a popular
|
|
57
|
+option for these sites thanks, I imagine, to its generous free plan.
|
|
58
|
+
|
|
59
|
+### Resilience
|
|
60
|
+
|
|
61
|
+In October 2016, Dyn was subject to
|
|
62
|
+[a large DDoS attack](https://en.wikipedia.org/wiki/2016_Dyn_cyberattack) that
|
|
63
|
+cripped a significant number of major websites. There are two main ways that
|
|
64
|
+individual sites can mitigate such an attack: they can host DNS themselves (in
|
|
65
|
+which case it's as vulnerable to a DDoS attack as the rest of their
|
|
66
|
+infrastructure), or they can use multiple DNS providers effectively hedging
|
|
67
|
+their bets.
|
|
68
|
+
|
|
69
|
+There's one other potential issue that may affect DNS resilience: the
|
|
70
|
+reliability of the TLD's nameservers. Shortly after the Dyn outage, the
|
|
71
|
+majority of the nameservers for the `.io`, `.ac` and `.sh ` TLDs went down.
|
|
72
|
+If your nameservers were under one of those TLDs, clients would again be unable
|
|
73
|
+to reach them. The easiest way to reduce the risk of this happening is to have
|
|
74
|
+namesevers under multiple TLDs.
|
|
75
|
+
|
|
76
|
+As you would expect, the use of these techniques tend to be more common with
|
|
77
|
+the higher ranking sites:
|
|
78
|
+
|
|
79
|
+<img src="/res/images/dns/resilience.png" alt="Graph showing use of resilience techniques by site position">
|
|
80
|
+
|
|
81
|
+#### Most popular pairings
|
|
82
|
+
|
|
83
|
+Of those sites that do use multiple providers, there are some fairly common
|
|
84
|
+pairings:
|
|
85
|
+
|
|
86
|
+<img src="/res/images/dns/provider-pairings.png" alt="Chart showing frequency of pairings of top providers">
|
|
87
|
+
|
|
88
|
+Dyn is obviously frequently paired with a number of providers. In fact, of all
|
|
89
|
+the top 100k sites using Dyn 40% also use a different provider. They're second
|
|
90
|
+only to NS1, who despite having smaller absolute numbers, appear alongside one
|
|
91
|
+of their competitors on 72% of the sites that use them.
|
|
92
|
+
|
|
93
|
+NS1 also suffered from [DDoS attacks](https://nsone.statuspage.io/incidents/g9fkrhqr7wnv)
|
|
94
|
+over the summer of 2016. It seems that after a major outage, customers wisely
|
|
95
|
+tend to hedge their bets and introduce a backup provider.
|