Every six months, somebody on the team makes the case that we should outsource our authoritative DNS. The argument is always the same: providers like Route 53 and NS1 are good, they're reliable, and DNS isn't our differentiator. Every time, we say no. Here's why.
What we'd give up
DNS is the first thing your visitors hit. The latency from a user's resolver to the authoritative server is part of every cold page load. When we control that hop, we can co-locate it with our edge PoPs and serve it from the same anycast prefix as the rest of our infrastructure.
If we outsourced, we'd be paying a third party to run a service that's already in our blast radius — every DNS outage they had would look like one of ours. That's a soft dependency we don't want.
What it costs us
Running an authoritative DNS service that handles 40 billion queries a day is not free. We employ two engineers full-time who do nothing else. Hardware, peering, abuse handling, DNSSEC key management — all of it adds up to roughly the same monthly spend as if we'd outsourced. The math is a wash.
When the build vs. buy math is close, the deciding factor is usually whether the system is on your critical path. DNS is. So we build.
Where we'd reconsider
If we ever serve customers in regions where we don't have PoPs, the latency case for self-hosting weakens. At that point a hybrid model — our DNS for primary regions, a partner for the long tail — would probably make sense. We're not there yet.