DNS Infrastructure Setup

We deploy authoritative DNS with a primary-secondary topology across multiple providers (Route 53 + Cloudflare, or self-hosted BIND/PowerDNS). Zone transfers keep secondaries in sync. DNSSEC gets configured with automated key rotation — DS records propagated to the parent zone. TTL values are tuned per record type: short TTLs for records that change during deployments, longer TTLs for stable infrastructure.

Internal services resolve to private IPs inside your VPC, public IPs outside. We configure split-horizon DNS using views (BIND) or private hosted zones (Route 53/Cloud DNS). This eliminates hairpin NAT, reduces latency for internal traffic, and keeps internal service names out of public DNS. CoreDNS in Kubernetes gets customized to forward specific domains to internal resolvers.

Blackbox exporters probe DNS resolution from multiple locations — catching regional outages and propagation delays. Query latency, NXDOMAIN rates, and SERVFAIL counts feed into Prometheus. Alerts fire on resolution failures, DNSSEC validation errors, and zone transfer failures. You know about DNS issues before your users hit 'Cannot resolve hostname' errors.

We handle zone migration with zero downtime — lowering TTLs before cutover, running both old and new authoritative servers in parallel, and verifying resolution from multiple global locations. You get documented zone files, DNSSEC key management procedures, and runbooks for common DNS operations (adding records, rotating keys, handling provider failures).