You put the site behind a CDN, locked the origin firewall to the edge ranges, tuned rate limits, and slept better. Then someone floods your DNS instead, and none of that matters, because nobody can resolve your name to reach any of it.
DNS is the piece almost nobody load-checks for resilience. And the most common failure is boring: every authoritative nameserver sitting with one provider.
Why one provider is the whole risk
If all your NS records point at a single DNS host, that host is a single point of failure for your entire domain. A DDoS against it, or just a bad day in their control plane, and every name under you goes dark at once. The blast radius is total, and it happens upstream of everything you spent time hardening.
The fix is old and well known: run authoritative DNS across two providers on different networks. The problem is that almost nobody checks whether they actually did, because it is invisible until the day it isn't.






