The Wisdom of Separation Between Systems

In true Nubby Admin form, I just learned the hard way why separating systems from unnecessary dependencies on each other is a Good Thing. Specifically, separating your DNS provider from your web host. I knew it theoretically, but had not yet learned it experientially. Think about this for a moment: If two things are conjoined in some way, the likelihood that the failure of one will affect the other is high.

At one of the places I do work for, the webhost not only handles their website, but also the entire domain’s DNS records. MX Records, SRV record for Outlook Anywhere, the Phone System’s record, everything. The other morning, I logged into Outlook only to receive a strange certificate error:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site [my domain]. Outlook is unable to connect to the proxy server. (Error Code 10)

Pinging remote.[mydomain].com came back with a different IP address than it should have. My pulse quickened, expecting the worst. Did someone get into our web host’s control panel? Have they hijacked our site? Is it redirecting to some [email protected] campaign? Can I at least get a cheap R0l3x watch out of the deal?

I logged into our Plesk control panel… only to be told our account was suspended. I figured that our hosting company had objected to our hacked website erupting spam all over the intertubes. I called the webhost’s support number and was greeted by a staffer that embodied all of the enthusiasm of a three-toed sloth attempting to fight his way out of a medically induced coma.

After some discussion, and him apparently IM’ing an admin, it turns out we were over our limit for storage on the server. Sweet. Due to that, our entire hosting account was disabled. Including DNS. Double-sweet.

After getting our account reactivated long enough to jettison some files, all was well. However, I learned a valuable lesson and methinks I’ll be switching DNS authority over to our registrar, Network Solutions, to separate an unnecessary dependency. Yes, we used Network Solutions as a registrar, but that was before I was involved with this organization, so there is no blood on my hands.

Have you ever had a system fail and bring down another system that you weren’t anticipating? How did you dig out of that hole and what did you do to break that dependency?
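
The symptom in the post (a critical hostname resolving to an unexpected address because the host had disabled DNS for the whole account) can be caught by comparing observed answers against a known-good baseline. The Python below is an added example, not part of the original post; the zone data, `example.com` names and addresses are constructed placeholders, and the "partial" versus "zone-wide" verdict is a triage heuristic assumed here.

```python
# Added example, not from the original post. Names and addresses are
# constructed placeholders (example.com, RFC 5737 documentation ranges).
BASELINE = """\
remote.example.com.              A    192.0.2.10
pbx.example.com.                 A    192.0.2.20
example.com.                     MX   10 mail.example.com.
_autodiscover._tcp.example.com.  SRV  0 0 443 remote.example.com.
"""

# Constructed "bad morning": two A records moved, the SRV record is gone.
OBSERVED = """\
remote.example.com.              A    198.51.100.77
pbx.example.com.                 A    198.51.100.77
example.com.                     MX   10 mail.example.com.
"""

def parse(text):
    """Parse 'name type rdata' lines into {(name, type): {rdata, ...}}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)  # ValueError if a field is missing
        key = (name.lower().rstrip("."), rtype.upper())
        # Lower-casing rdata suits hostnames and addresses, not TXT payloads.
        records.setdefault(key, set()).add(" ".join(rdata.split()).lower())
    return records

def compare(baseline, observed):
    """Return {(name, type): 'ok' | 'changed' | 'missing'} per baseline record."""
    status = {}
    for key, expected in baseline.items():
        seen = observed.get(key)
        status[key] = "missing" if not seen else "ok" if seen == expected else "changed"
    return status

def verdict(status):
    """'ok', 'partial' (some records differ) or 'zone-wide' (none match)."""
    bad = sum(state != "ok" for state in status.values())
    if not bad:
        return "ok"
    return "zone-wide" if bad == len(status) else "partial"

if __name__ == "__main__":
    result = compare(parse(BASELINE), parse(OBSERVED))
    for (name, rtype), state in sorted(result.items()):
        print(f"{state:8} {rtype:4} {name}")
    print("verdict:", verdict(result))
```

The observed lines should be collected from a resolver outside both the office and the hosting provider, so the check does not share the dependency it is meant to watch.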


  1. Brandon Burton

    April 30, 2010 at 10:47 am

    I would suggest you try to drum up the budget and use a wholly separate provider for your DNS hosting, such as UltraDNS, DynDNS, or even get a cheap hosting account with Dreamhost and put your DNS on them.

    Ideally a provider with an API so you can automate stuff.

    If you can swing it, the DynECT stuff is pretty sweet.

    Hope that helps,



  2. Wesley.Nonapeptide

    April 30, 2010 at 1:35 pm

    @Brandon: This office used Network Solutions as their registrar, but uses their webhost for DNS. I think I’ll simply start using NetSol as my DNS provider since that’s the easiest and doesn’t require any outlay of money.

    However, in searching around I found a few managed DNS providers that interested me, namely UltraDNS (as you mentioned) and Zonomi. DynDNS puts me off with their prices… for everything. I had reason to look into their SMTP services and was disgusted at the prices.

    You intrigue me with your mention of an API. Do you have an example of a service that provides this? How have you used it yourself? Can I just whip up a PowerShell / Python / [awesome scripting language here] script to pull my zones down? I’ve actually thought about hosting my own secondary DNS servers onsite just in case.


  3. […] of monitoring. The post, titled The Wisdom of Specificity in Monitoring and Alerting. After an outage was caused due to his service provider making some DNS changes due to disk usage issues, Wesley […]


  4. Mike Clark

    May 7, 2010 at 12:23 pm

    I am all for separating DNS from other service providers, just because DNS is so critical to all functions. Now I know you took a shot at NetSol, but other than their prices, I’ve had mostly good luck with them. The only downside is when they get DDoS’d once or twice a year. The only comparable DNS provider I’ve ever come across in terms of stability has been DNSMadeEasy. They’re cheap, reliable, and don’t get picked for DDoS attacks.


    • Wesley.Nonapeptide

      May 7, 2010 at 12:37 pm

      Thanks for the tips Mike! NetSol gets DDoS’d? Wow, I hadn’t heard that. Guess I haven’t been paying attention because a simple search brought back some fairly recent stories.

      DNSMadeEasy looks nice. 100% uptime SLA? That’s bold. I’ll research them further. Thanks again!

