DNS question

DNS question

Amos Shapira amos.shapira at gmail.com
Sat Jun 18 07:45:09 IDT 2011


On 18 June 2011 12:36, Shachar Shemesh <shachar at shemesh.biz> wrote:

> On 06/18/2011 02:34 AM, Amos Shapira wrote:
>
>  I wasn't suggesting that you should make money from it but if you want a
>> *reliable* highly available DNS setup then you might be better off paying
>> someone else to do that for you instead of having this liability on top of
>> what you are actually get paid for.
>> I know that setting up a secondary DNS server could be a 5 minute exercise
>> in the right hands (and I suppose this applies to you), but when things
>> break you could end up stopping work on more important stuff (from business
>> perspective) to find and fix a problem someone else could look at for you
>> for a relatively small sum.
>>
>>  I should just point out something. I don't think you said it, but someone
> might understand it from your words:
>
> Anycast does not improve reliability of the DNS system for almost any
> normal use case.
>

Well, one anecdote I read was that after the root servers were taken out by
a DDoS attack a few years ago all of them but one or two were converted to
be served through anycast and due to the nature of anycast could be replaced
by entire clusters of servers distributed across many more geographical
locations. The next DDoS on the root servers took out only the two servers
which weren't converted yet.

I'm pointing this as an example were Anycast can help you survive a DDoS
attack on your infrastructure.

>
> Anycast was designed to work around the size limitations of a DNS request.
> DNS can use either TCP or UDP. UDP is considerably faster, as the actual
> request-response is very short, and the three way handshake is, therefor, a
> high price to pay. As such, correct setup of a DNS system will try to limit
> TCP transactions to domain transfers and nothing else.
>

Anycast was invented for anything which can take advantage of it. DNS just
happens to be the most natural use for it (you can't run TCP through Anycast
addresses and I doubt that NTP can use it even though it's a UDP-based
protocol).


>
> In order to assure a UDP transaction, the response must be no bigger than
> about 512 bytes (actual number might be slightly higher or lower - do not
> remember). This means that an "NS" query (which is your DNS?) can reply a
> maximum of 13 servers per domain. This is not a problem for, e.g.,
> lingnu.com, but might be a problem for . (root) or .com. The solution
> found was to report only 13 IP addresses, but to have more than 13 servers
> serve those addresses via anycast. This leverages the global routing table's
> ability to find a reasonably shortest path to the destination IP address,
> but not insist that all instances actually be served by the same actual
> server. This, obviously, only works if the transaction is composed of one
> request packet and responded to by one reply packet. In other words, for
> DNS, this only works if the transaction is, indeed, UDP.
>
> If you host your own domains, anycast is, most likely, not the solution for
> you. First, it is exceedingly unlikely that you will have more than 13
> domain name servers serving your domain, which means that you can actually
> provide 5 different IPs. The DNS system has a failover AND load balancing
> system built into each and every client that performs query, and thus
> actually providing different 5 different IP address works just as well than
> providing one IP address that is served by 5 different servers.
>
> In fact, it works better. Using anycast alone (i.e. - advertising just one
> IP address) has several modes of failure simply not there for the standard
> system. If the network goes down, it might take a few minutes for the world
> wide BGP tables to catch up to that fact. During that time, your domain will
> be off line. If the actual server is down, but the network is up, queries
> still reach it and are never handled, again resulting in an off line domain.
> If all 5 servers are advertised the clients will perform round robin between
> all five, resulting in equal distribution of the load. If just one IP
> address is advertised then, failure non-withstanding, a specific client will
> almost always query the same server, resulting in load distribution that is
> geographically split. In most cases, that is a less even split than the
> round robin the other option provides.
>

That's not my impression - all the anycast DNS servers I looked at (GoDaddy
and Neustar/UltraDNS) give you two (2) IP addresses to advertise for your
domain. These addresses are routed differently depending on where the
traffic is coming from. You can put as many or as few servers as you like
behind them.

If a cluster serving these IP addresses goes down then:
1. BGP convergence could happen within a minute from my experience.
2. A properly configured network monitors each cluster and can push
advertisements to remove it from the BGP routing table faster.

On the other hand - when a DNS client has to initiate iteration through a
randomly shuffled list of servers and wait for each one to time out things
can get worse.

(BTW - a friend of mine who used DNS for load balancing among servers in the
same location noticed that due to MS DNS server's weird implementation of
re-sorting DNS query results the "first" server in his cluster was loaded
more than the rest).

Another point in favour of fewer IP addresses and taking advantage of smart
routing is that it means that you can increase the TTL on your DNS records
which in turn reduces the load on your DNS servers and increases throughput
since the same IP addresses will be relevant for longer and can be served
from external caches closer to the end users.


> In other words, Amos, if your company is doing anycast for DNSes, they are,
> most likely, wasting a valuable /22 IPv4 address range.
>

We don't. I gave us as an example for a "small fish" who can still own our
own AS and IP address block (and play with BGP) and still not doing it but
rather off-load this headache to external providers who cover this for us.
In contrast Hetz' business is even smaller (no offence intended) but he
seems to prefer to spend his time on setting up and maintaining his own
network of external secondary DNS servers.

Amazon, Microsoft and a few other big names also think like us and use
UltraDNS instead of their own DNS network.


> Shachar
>

--Amos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20110618/e76fefe0/attachment.html>


More information about the Linux-il mailing list