Introduction to Anycast DNS


This is the first article in a series on deploying Anycast DNS. The purpose of the series is to share ideas, recipes, and information on how to deploy Anycast in your environment. The first thing we need to do is explain what Anycast is. Anycast is the use of routing and addressing policies to select the most efficient path between a single source and several geographically dispersed targets that "listen" for a service within a receiver group. In Anycast, the same IP address space is used to address each of the listening targets (DNS servers in our case). Layer 3 routing dynamically handles the calculation of the path and the delivery of packets from our source (the DNS client) to the most appropriate target (a DNS server).

The diagram below shows an example of Anycast DNS. A single DNS client workstation, configured with the Anycast DNS IP address of 10.10.10.10, is shown performing DNS resolution against its "closest" of three DNS name servers deployed using the same Anycast IP address.

The client's DNS resolver can resolve against any one of the three DNS servers shown above.

According to the drawing above, layer 3 routing would send our DNS client's packets through router R1 because of the routing topology. Should router R1 or Server A fail, our DNS client's packets would automatically be rerouted to the next nearest DNS server via routers R2 and R3, and so forth. Additionally, the route to our Server A would be removed from the routing tables, preventing further use of that nameserver. Server A won't be used until it is restored and the Anycast IP address routes are reinjected into the network. In this series we'll go more in depth into Anycast DNS by showing recipes for configuring Anycast using static routes, RIP version 2, OSPF, and BGP, and we'll provide the pros and cons of each.

Anycast, Unicast, Multicast?

Unicast is one source that can "talk" to a service that is advertised or hosted on one (1) node configured with a globally unique IP address. The source will always talk to that target node when configured and told to do so. Traditional DNS deployments use unicasting. DNS clients are configured with different combinations of unicast addresses of DNS servers that are deployed.

Anycast is one source that can "talk" to a service that is advertised or hosted on multiple nodes configured with the same IP Address. Layer 3 routing will route the packets to the "nearest" target based upon topology.

Multicast is one-to-many. Multicast consists of a source that delivers a service to multiple nodes using a Multicast Group Address. The main difference between Multicast and Anycast is that in Multicast the source is a transmitter of a service, and that service is distributed via layer 3 using specially allocated IP group addresses. A common use of multicast is streaming audio, where the audio is published via Multicast addressing and clients pick up the routed stream as a channel.

The basic requirements for Anycast DNS

The following list is a basic set of requirements and recommendations for supporting Anycast DNS:

- Injection of Anycast IP address(es) into the routed network - This can be accomplished using either static routes or routing protocols such as RIP, OSPF, or BGP.

- Host-based routing software that supports one of the major routing protocols, such as Quagga Routing Software.

- Clients should be configured to resolve DNS queries via the Anycast address(es).

- Nameservers should listen for DNS requests on the Anycast IP addresses.

- Nameservers should be configured with at least one Anycast IP address on a loopback interface. Additionally, the server should be configured with a management IP, which can be either a physical or an additional loopback interface.

- At least one physical IP must be defined for the exchange of routing information, as well as for system access and maintenance in the absence of the routes to the Anycast IP address(es).

- Nameservers should be configured to use the physical or management IP addresses for zone transfers, zone updates, and/or query-source, because replies sent to the Anycast address might go to a different server than intended.
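The requirements above, put together on one Linux nameserver as an added example (this is not configuration from the article or from any particular deployment): the anycast /32 lives on lo, BIND answers on it but sources transfers and outbound queries from the management address, and a local health check pulls the address off lo, and with it the advertised route, when named stops answering. The management address and the probe record name are constructed.

```shell
#!/bin/sh
# Added example, not from the article: one Linux anycast DNS node running BIND 9
# behind Quagga/FRR, following the requirements above. Addresses other than the
# article's 10.10.10.10 are constructed; the probe zone name is hypothetical.
ANYCAST_IP="10.10.10.10"     # anycast service address, held on lo as a /32
MGMT_IP="192.0.2.11"         # constructed management address on the physical NIC
PROBE_NAME="health.example." # hypothetical record served by this nameserver

# BIND options matching the list above: answer queries on the anycast address,
# but source zone transfers, notifies and outbound queries from the management
# address so that replies come back to this server and not another member.
render_named_options() {
  cat <<EOF
options {
    listen-on { ${ANYCAST_IP}; ${MGMT_IP}; };
    query-source address ${MGMT_IP};
    transfer-source ${MGMT_IP};
    notify-source ${MGMT_IP};
};
EOF
}

# Given the exit status of a local dig probe (0 = the server answered, with any
# rcode), decide whether this node may keep advertising the anycast address.
should_advertise() {
  [ "$1" -eq 0 ]
}

# Add or remove the /32 on lo. With the routing daemon redistributing connected
# routes, removing the address withdraws the anycast route, which is what makes
# clients fall over to the next nearest server instead of a silent black hole.
apply_anycast_state() {  # $1 = up | down
  if [ "$1" = "up" ]; then
    ip addr show dev lo | grep -q "${ANYCAST_IP}/32" \
      || ip addr add "${ANYCAST_IP}/32" dev lo
  else
    ip addr del "${ANYCAST_IP}/32" dev lo 2>/dev/null || true
  fi
}

# One health-check pass (run from cron or a loop). The case this catches is
# "host and routing daemon up, named dead": nothing else withdraws the route.
health_check_once() {
  rc=0
  dig +time=2 +tries=1 "@${ANYCAST_IP}" "${PROBE_NAME}" A >/dev/null 2>&1 || rc=$?
  if should_advertise "$rc"; then apply_anycast_state up; else apply_anycast_state down; fi
}
```

The probe deliberately queries the anycast address rather than 127.0.0.1, so it fails if named is running but not bound to the anycast address.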

What are the benefits of Anycast DNS?

Benefit - Description (descriptions are truncated in the source)

- Increased Reliability - Anycast improves reliability of DNS through the placement of multiple geogr…

- Load Balancing - Dynamic layer 3 routing of Anycast IP Addresses will effectively load balanc…

- Improved Performance - Packets destined for Anycast DNS servers will be routed to the "nearest" se…

- Enhanced Security - Geographically dispersed DNS servers that operate using the same IP addr…

- Localized Impact of DoS Attacks - Successfully launched DoS and/or DDoS attacks will typically be localized a…

- Simplified Client Configuration - Anycast DNS can dramatically simplify the configuration of all DNS client res…

- Increased Availability - A DNS Anycast server that becomes unavailable due to failure or routine ma…

What are the drawbacks of using Anycast?

While there are many benefits to Anycast, there are potentially some drawbacks. One could argue that Anycast is:

1. More complex to deploy

2. More expensive in terms of deployment time, money, and use of IP address space

3. More difficult to manage and troubleshoot

4. More difficult to monitor

Most of these objections will be addressed in subsequent articles in this series.

Default DNS resolver behavior

DNS client resolvers can be configured with multiple DNS name server targets. Resolvers vary by operating system and have different timeouts. Common DNS resolver behavior is to use the first server in the list. The client resolver does distinguish between a negative response and no response. In the event the resolver doesn't receive any response (positive or negative), it will typically wait for a timeout value before it switches to the second server in the resolver list. The next time the resolver has to perform a lookup, though, it won't "remember" that the first server in the list was non-responsive. On subsequent queries the resolver will start with the first server in the list even though it is unavailable, and we'll see the same timeout as it switches to the next name server in the list. Depending on the operating system of the client this could be 1-5 seconds for every lookup as it "rotates" through the resolver list, attempting the failed server each time.

How Anycast DNS improves on this behavior

Anycast DNS virtually eliminates this issue. Our DNS client resolver is configured with Anycast IP address(es) that map to a group of Anycast DNS servers. As shown above, if one of the Anycast DNS servers in the group were to go down, routing would redirect the requests to an alternate Anycast DNS server that is configured in the same Anycast group. The failover process is handled by the routing protocol used in the deployment of Anycast. In some cases the delay or timeout seen by the resolver is negligible and undetectable from an end-user perspective.
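The two preceding sections can be put side by side with a small model, added here as an example rather than anything from the article. It follows the behaviour described above: a glibc-style stub resolver walks its nameserver list in order, stalls for the full timeout on each silent server, retries the whole list a number of times, and forgets which server was dead before the next lookup; an anycast group, once routing has withdrawn the dead member, never sends a lookup to it. The fixed per-server timeout and the "up"/"down" server states are constructed simplifications.

```shell
#!/bin/sh
# Added example, not from the article. Models the resolver behaviour the text
# describes with a fixed timeout per server per attempt (real resolvers scale
# the timeout on later attempts, which this model ignores). Server states are
# constructed, given as "up"/"down" in resolv.conf list order.

# Seconds one lookup stalls before the first answer arrives from a unicast
# list. If every server is silent the lookup burns attempts*count*timeout.
unicast_lookup_delay() {  # $1 = timeout, $2 = attempts, $3.. = server states
  timeout=$1; attempts=$2; shift 2
  delay=0; count=$#
  while [ $# -gt 0 ]; do
    [ "$1" = "up" ] && { echo "$delay"; return 0; }
    delay=$((delay + timeout)); shift
  done
  echo $((attempts * count * timeout))
  return 1
}

# Anycast: after the routing protocol has withdrawn the dead member, every
# lookup reaches a live server, so the stall is 0 if any member is up. The
# one-off stall during route convergence is deliberately left out here.
anycast_lookup_delay() {  # $1 = timeout, $2.. = member states
  timeout=$1; shift
  for s in "$@"; do [ "$s" = "up" ] && { echo 0; return 0; }; done
  echo "$timeout"; return 1
}

# Cumulative stall over N lookups. Unicast pays the penalty on every lookup
# because the resolver does not remember a dead server; anycast pays it once
# at most, during convergence, which is why the difference grows with N.
total_delay() {  # $1 = lookups, $2 = per-lookup delay in seconds
  echo $(( $1 * $2 ))
}
```

With the article's 5-second timeout and a dead first server, 100 lookups cost a unicast client 500 seconds of waiting in total, versus nothing once the anycast route has converged.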

What other services are suitable for Anycast?

Core Network Services (CNS) such as DNS, NTP, RADIUS, and Kerberos are services that can easily be deployed using the same strategies that we'll outline in our series of recipes. While TCP applications have been shown to function under Anycast, they are connection or session oriented and can be more temperamental with routing changes and updates. Applications that use a single query-and-response exchange over UDP are better suited because they are connectionless.

Conclusion

Anycast DNS is a tremendous way to improve the performance and resiliency of your DNS architecture whether you are an ISP or a private enterprise. In this overview we've shown at a high level what Anycast is and how it works in theory. Our next article will be the first of several recipes on how to actually configure Anycast using static routes. Additionally, we'll discuss the pros and cons of using static routing as a means of achieving an Anycast DNS design.

Resources

Wikipedia - Anycast
https://www.sodocs.net/doc/7d5248629.html,/wiki/Anycast

Anycast Addressing on the Internet - John Kristoff
https://www.sodocs.net/doc/7d5248629.html,/papers/k5-anycast/index.html

Deploying IP Anycast - Presentation Resource Page at CMU
https://www.sodocs.net/doc/7d5248629.html,/pres/anycast/

Deploying IP Anycast - Ken Miller, CMU Network Group, NANOG29 - Oct. 2003
https://www.sodocs.net/doc/7d5248629.html,/pres/anycast/anycast.pdf

On the Use of Anycast in DNS - Sandeep Sarat, Vasileios Pappas, Andreas Terzis - 2004
https://www.sodocs.net/doc/7d5248629.html,/~sarat/AnycastPoster.pdf

Best Practices in DNS Anycast Service-Provision Architecture - Bill Woodcock, Gaurab Raj Upadhaya - March 2006
https://www.sodocs.net/doc/7d5248629.html,/resources/sanog8/sanog8-dns-service-architecture-gaurab.pdf

Anycast & DNS - Shaurya Rastogi
https://www.sodocs.net/doc/7d5248629.html,/classes/AY2009/cs4270_fall/4270-shaurya-rastogi-DNS-anycast.ppt

Configuring Anycast DNS
https://www.sodocs.net/doc/7d5248629.html,.au/meetings/2006-07/anycast-dns.pdf

Best Practices in IPv4 Anycast Routing v1.0 - Bill Woodcock - August 2002
https://www.sodocs.net/doc/7d5248629.html,/resources/sanog5-woody-anycast-v10.pdf

Anycast DNS: The Secret to High Availability - Whitepaper by Secure64
https://www.sodocs.net/doc/7d5248629.html,/anycast_DNS
