DNS question

Shachar Shemesh shachar at shemesh.biz
Sat Jun 18 05:36:15 IDT 2011


On 06/18/2011 02:34 AM, Amos Shapira wrote:

> I wasn't suggesting that you should make money from it but if you want 
> a *reliable* highly available DNS setup then you might be better off 
> paying someone else to do that for you instead of having this 
> liability on top of what you are actually get paid for.
> I know that setting up a secondary DNS server could be a 5 minute 
> exercise in the right hands (and I suppose this applies to you), but 
> when things break you could end up stopping work on more important 
> stuff (from business perspective) to find and fix a problem someone 
> else could look at for you for a relatively small sum.
>
I should just point out something. I don't think you said it, but 
someone might understand it from your words:

Anycast does not improve reliability of the DNS system for almost any 
normal use case.

Anycast was designed to work around the size limitations of a DNS 
request. DNS can use either TCP or UDP. UDP is considerably faster, as 
the actual request-response is very short, and the three way handshake 
is, therefore, a high price to pay. As such, correct setup of a DNS 
system will try to limit TCP transactions to domain transfers and 
nothing else.

In order to assure a UDP transaction, the response must be no bigger 
than about 512 bytes (actual number might be slightly higher or lower - 
do not remember). This means that an "NS" query (which is your DNS?) can 
reply a maximum of 13 servers per domain. This is not a problem for, 
e.g., lingnu.com, but might be a problem for . (root) or .com. The 
solution found was to report only 13 IP addresses, but to have more than 
13 servers serve those addresses via anycast. This leverages the global 
routing table's ability to find a reasonably shortest path to the 
destination IP address, but not insist that all instances actually be 
served by the same actual server. This, obviously, only works if the 
transaction is composed of one request packet and responded to by one 
reply packet. In other words, for DNS, this only works if the 
transaction is, indeed, UDP.

If you host your own domains, anycast is, most likely, not the solution 
for you. First, it is exceedingly unlikely that you will have more than 
13 domain name servers serving your domain, which means that you can 
actually provide 5 different IPs. The DNS system has a failover AND load 
balancing system built into each and every client that performs a query, 
and thus actually providing 5 different IP addresses works just 
as well as providing one IP address that is served by 5 different servers.

In fact, it works better. Using anycast alone (i.e. - advertising just 
one IP address) has several modes of failure simply not there for the 
standard system. If the network goes down, it might take a few minutes 
for the world wide BGP tables to catch up to that fact. During that 
time, your domain will be offline. If the actual server is down, but 
the network is up, queries still reach it and are never handled, again 
resulting in an offline domain. If all 5 servers are advertised the 
clients will perform round robin between all five, resulting in equal 
distribution of the load. If just one IP address is advertised then, 
failure notwithstanding, a specific client will almost always query the 
same server, resulting in load distribution that is geographically 
split. In most cases, that is a less even split than the round robin the 
other option provides.

In other words, Amos, if your company is doing anycast for DNSes, they 
are, most likely, wasting a valuable /22 IPv4 address range.

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
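As an added illustration of the size arithmetic the mail describes (example code written for this page, not part of Shachar's message): a minimal DNS wire encoder with RFC 1035 name compression, used to measure an NS response for the root zone that lists 13 servers plus their A glue. The server names follow the real a.root-servers.net through m.root-servers.net pattern; the glue addresses are constructed placeholders, since only their 4-byte size matters here.

```python
import struct

# Constructed sample: 13 root-server names and placeholder IPv4 glue addresses.
ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
GLUE = {name: f"198.51.100.{i + 1}" for i, name in enumerate(ROOT_SERVERS)}

UDP_LIMIT = 512  # classic RFC 1035 limit on a UDP DNS message


def encode_name(name, offset, table):
    """Encode a DNS name in wire format, using RFC 1035 compression pointers.

    `offset` is where this name will sit in the message; `table` maps
    suffixes already emitted to their offsets so later names can point at them.
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:  # suffix seen before: emit a 2-byte pointer instead
            return out + struct.pack("!H", 0xC000 | table[suffix])
        table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def build_ns_response(zone, servers, glue):
    """Build a minimal authoritative NS response with A glue; return wire bytes."""
    table = {}
    # Header: id, flags (QR + AA), QDCOUNT=1, ANCOUNT, NSCOUNT=0, ARCOUNT
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, len(glue))
    msg += encode_name(zone, len(msg), table) + struct.pack("!HH", 2, 1)  # NS, IN
    for ns in servers:  # answer section: one NS record per server
        msg += encode_name(zone, len(msg), table)
        rdata = encode_name(ns, len(msg) + 10, table)  # 10 fixed RR bytes precede rdata
        msg += struct.pack("!HHIH", 2, 1, 3600000, len(rdata)) + rdata
    for ns in servers:  # additional section: A glue so resolvers can reach each server
        msg += encode_name(ns, len(msg), table)
        ip = bytes(int(o) for o in glue[ns].split("."))
        msg += struct.pack("!HHIH", 1, 1, 3600000, len(ip)) + ip
    return msg


def fits_in_udp(msg):
    """True when the message needs no TCP fallback (or EDNS) to be delivered."""
    return len(msg) <= UDP_LIMIT


if __name__ == "__main__":
    resp = build_ns_response(".", ROOT_SERVERS, GLUE)
    print(len(resp), "bytes; fits in 512-byte UDP:", fits_in_udp(resp))
```

With compression the 13 NS records plus 13 glue A records come to 436 bytes, comfortably under the 512-byte UDP limit; without compression the same names would not fit.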