@
wlanboy, if you don't have the global presence of servers yourself to
implement your own, self-hosted DNS infrastructure (which is recommendation #1, BTW), then
HE.net is certainly a good, no frills provider, as you point out.
The nice thing about
HE.net is that they also provide for quality resolution of your in-addr.arpa zones too. There's a limit to the number of zones as is with any of the providers offering free service), but it's more than enough to handle most small enterprises.
I've been using
zoneedit.com for well over a decade, for several projects and customers, and slaves; here and there. Boy they sure used to have an ugly interface, but they changed that about 3 or 4 years ago. They were actually one (and still are) of the most fully featured providers after the implosion of ml.org and granitecanyon - for those of you who have actually been breathing long enough to remember those two major, or at least pioneering, players
A lot of people talk about cloudflare, but I've never used them and I'm not really all that familiar with them, except there was a bunch of less than complimentary mention of them at the old scroogled site I believe.
I tend to steer customers away from places like
OpenDNS and
UltraDNS, and a few others. I just never cared for the taste in my mouth after working with them - Especially
UltraDNS, who I've had some close workings with prior to their major push onto the market back when.
OpenDNS blocks a lot of stuff, so if that's what you're looking for, then she's your girl. More for media hype than anything else, but still a major plus, is that
OpenDNS issued a press release announcing this
HERE. Anyone who really knows anything about DNS at all can tell you that DNSSEC is garbage trash that doesn't deliver what it supposedly promises to, hasn't protected (and won't) anyone from the types of cache poisoning or the Kaminsky flaw and others that BIND seems to always be vulnerable to, and that that damage from DNS amplification attacks is actually exacerbated and "
amplified' when DNSSEC is enabled.
DNSCurve = Good, DNSSEC = BAD BAD BAD (And no, I'm not a Bernstein fanboi and I don't like
djbdns, but I do agree with him that
CNAME RRs are almost always stupid and lame - use a fricken' A record!).
In fact, DNSSEC is about taking away choice and freedom, a product resulting from nefarious and insidious agendas endeared by Paul Vixie, Verisign, the Evil ICANN,
WIPO, and others with something to gain at
your expense, while the DoC and the
NTIA push about paper from one desk to the next saying, What, me worry?"
Another point of fact, the only real two Auth DNS Servers out there that have implemented DNSSEC are BIND and
Unbound, and only
Unbound did a good job IMNSHO. BIND still has proven to be a hole as big as a truck while most of the other daemons out there like
PowerDNS or
MaraDNS/Deadwood are as secure as a 600 pound danforth anchoring a 6 foot dinghy.
DNSSEC is like a 600 pound gorilla jumping up and down in that dinghy.
Okay, I shouldn't have gone off on that tangent. Sorry about that, but I've been doing DNS since before we actually debuted it in 1985, and some things just sicken me.
Back to the topic at hand then...
A couple of fav commercial DNS Providers of mine are, and have been for years,
afraid.org and
no-ip.com. For both of them I can vouch that they are stable, reliable, and responsive services, and give them a A+ rating
dyndns.orgdisappeared unceremoniously a year or two ago, being replaced, probably with just a rebranding campaign, by
dyn.com - they were supported in all those crappy home routers (people should use
pfSense instead), so they prolly felt they could make such a move.
I personally have no problem recommending
afraid.org,
no-ip.com and
zoneedit.com without any hesitation, and
HE.net for at least their reverse DNS services - if you don't have your own network of DNS servers to use, of course. And even then, you can get slave services from them.
I hope that helps
Kindest regards,
