Does DNS Host matter much?

Currently, I am moving from nexcess, which hosts/controls my DNS with my registrar (godaddy) pointing to nexcess’ nameservers. Moving to cloudways, my next move is to get my DNS host/controller set up. I don’t know that I’ve been a big fan of godaddy over the years, but I do have my domains there so it would make sense to simply set up my new DNS there.

Does it matter much where this part of the process happens? If not, great, I can move forward. If it would be recommended to adjust where the registrar and/or DNS is at then please let me know.

Interesting question. If you’d asked me this question 6 months ago I would have said something like:

I don’t really see the point in moving your DNS nameservers away from your Domain Registrar unless they have a really bad interface.

However, I’m currently in the process of migrating to Cloudflare for a number of reasons. One of which is DDoS protection, where Cloudflare will filter out suspect traffic before it even hits your web server. But in order for this service to work, you need to migrate your DNS nameservers over to them.

Interesting. I was considering using Sucuri, however if Cloudflare will do a similar job then maybe that would be the way to go.

I don’t want to “hijack” Don’s thread.

Sucuri is actually integrated with Cloudways, so they’re pretty much directly recommending the service. It is a WAF with site scanning for malware etc…

With the Cloudflare setup, do you (customers) get the little Cloudflare loading screen every time you visit the site you have Cloudflare set up with or is that something that is only done on the higher end plans? People have very little patience these days and I would imagine that would make some people leave before it even loads.

Edit: do you utilize other security software such as lynis? The security aspect has me a bit interested at this point.

I can’t remember what plan we’re on. But this can be Enabled/Disabled manually. Or can be triggered for certain rules (if I recall correctly). Cloudflare is known for that loading screen and we were totally off-put by this until we realised it wasn’t a mandatory feature.

I’m not familiar with Lynis. Because of the size of our company, we have an Enterprise Grade Hosting Service that utilises security measures (that we don’t have to micro-manage). Plus, we also have an external auditor run through checks so that we remain PCI Compliant. A lot of the stuff I can’t get into for obvious reasons (e.g. NDA).

One thing I would definitely look into though is a File Integrity Monitor. It can be set up to notify you if any FileSystem changes are made (e.g. Magento directory). That way, if your server was ever compromised then you’d know about it. Having said that, I believe most Magento compromises are Database related anyway, so a FIM wouldn’t help with that.

I don’t want to turn this into a Security Post as it’s off-topic to the original title… But Official PCI Security Standards Council Site has some really good (if not overwhelming) documentation to help highlight what boxes you should be checking.

Thanks, you’ve definitely given me some food for thought.

Would you recommend managing DNS over at Cloudflare even if you may not end up using their service (may use Sucuri)? I just signed up and it auto-populated all DNS records for the site, which was very nice.

I can’t imagine there would be much of a difference or communication delay by using different DNS managers.

I’m not sure it really matters in the long run. Obviously if you leave Cloudflare then you’ve got to move your DNS again. Whereas if you leave it with the Domain Provider then you’ll probably never have to touch it.

I’ve been looking through the backend of Cloudflare. There is a TON of stuff you can do at the DNS level. I had no idea.

Most DNS management, ie godaddy, or over at nexcess is simply just editing records and that is all. Do you have any recommendations for settings in Cloudflare?

Nope, not yet. Haven’t implemented it yet. I’m unlikely to touch much.

That’s kind of what I was finding as I was digging through much. I think you can just change over without changing anything and be ok. Granted your DNS records need to be there. I really liked how they auto-populated the DNS records. I’ll need to double check, but that was very handy. I think they have an import/export option too. Unfortunately, other DNS management places don’t seem to have an import/export feature.

Quick question about cloudflare. Since I already have an SSL certificate on my server, can I set crypto to “Off” or should I leave it enabled?

I’ll let you know once I’ve implemented it, as I don’t know what it is you’re referring to. Probably a July project for me.

I just submitted a ticket with cloudflare asking this. We have a cert through geotrust, so we really don’t need them to be applying additional encryption. I’m almost inclined to believe that it should be set to off/none.

I’ll post back when they reply, which who knows when that will be. I may utilize their pro plan in order to gain access to the WAF to provide some additional protection on the M2 install. I’m still on the fence about which direction to take this aspect of the project as Sucuri provides scanning and removal of any malware issues along with their WAF and it’s $200 a year, which seems very reasonable to me.

I’ve done a bit more reading/research and I will be moving DNS over to Cloudflare. Cloudflare DNS response times are very good and you can simply bypass their proxy service by clicking on the little orange cloud in the records section. Doing this will allow them to be the ONLY DNS resolver.

I’m sure I may use them for other services down the road, but currently that is all I need. I don’t want to mess with CDN as you need to have a good plan for the URL structure of delivered content that can be indexed by the search engines. This will be looked at further down the road and it really isn’t too terribly important for me right now.

I think I’ll be changing the nameservers Friday night when traffic is slower and I can fix or change back anything if there are issues. I don’t expect there to be, but that’s the last thing I want to deal with over the week.

I looked over everything and decided to make the change tonight. It went well. Figured there wasn’t much to go wrong as long as the records were the same and the proxy was bypassed and it was just acting as a resolver as my previous DNS host was doing.

That shaved 25ms off my DNS lookup.

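The cutover above relies on two conditions: the new DNS host serves the same records as the old one, and the orange cloud is off so answers point at the origin rather than a proxy. The following script, added here and not part of the thread, checks both before the nameservers are switched; the record lines and the `203.0.113.x`/`198.51.100.x` addresses are constructed, in the shape of `dig +noall +answer` output from each host.

```python
"""Pre-cutover check for a DNS host migration (added example, not from the thread)."""
from collections import defaultdict

# Constructed samples: answers from the old host and from the new host.
OLD_ANSWERS = """\
example.com.        3600 IN A     203.0.113.10
www.example.com.    3600 IN CNAME example.com.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   3600 IN A     203.0.113.20
example.com.        3600 IN TXT   "v=spf1 mx -all"
"""
NEW_ANSWERS = """\
example.com.        300  IN A     203.0.113.10
www.example.com.    300  IN CNAME example.com
example.com.        300  IN MX    10 mail.example.com.
mail.example.com.   300  IN A     198.51.100.7
"""
ORIGIN_IPS = {"203.0.113.10", "203.0.113.20"}  # constructed origin server addresses


def parse_answers(text):
    """Return {(name, type): set(rdata)}; TTL is ignored, each host picks its own default."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or not a resource record
        name, _ttl, _cls, rtype, rdata = parts
        name = name.lower().rstrip(".")  # "Example.com." and "example.com" are the same name
        if rtype in ("CNAME", "NS", "MX", "PTR"):
            rdata = rdata.lower().rstrip(".")  # hostname targets: same normalisation
        records[(name, rtype)].add(rdata)
    return dict(records)


def compare_zones(old_text, new_text):
    """Records missing from, unexpected at, or different on the new host."""
    old, new = parse_answers(old_text), parse_answers(new_text)
    return {
        "missing": sorted(k for k in old if k not in new),
        "extra": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def proxied_records(new_text, origin_ips):
    """Names whose A/AAAA answers are not origin addresses, i.e. still behind the proxy."""
    new = parse_answers(new_text)
    return sorted(name for (name, rtype), rdata in new.items()
                  if rtype in ("A", "AAAA") and not rdata <= origin_ips)


if __name__ == "__main__":
    print(compare_zones(OLD_ANSWERS, NEW_ANSWERS))
    print(proxied_records(NEW_ANSWERS, ORIGIN_IPS))
```

In practice the two texts would be collected with `dig @<old-ns>` and `dig @<new-ns>` for each name in the zone; a non-empty result from either function means the records are not yet identical or a record is still proxied.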

Keep me posted on any other features you find useful.

I certainly will keep you posted if I use it for more than just DNS resolution.