This is the first article in a series on the topic of deploying Anycast DNS. The purpose of this series of articles is to share some ideas, recipes, and information on how to deploy Anycast in your environment. The first thing we need to do is explain what Anycast is. Anycast is the use of routing and addressing policies to select the most efficient path between a single source and several geographically dispersed targets that "listen" for a service within a receiver group. In Anycast, the same IP address space is used to address each of the listening targets (DNS servers in our case). Layer 3 routing dynamically handles the calculation of the path and the transmission of packets from our source (the DNS client) to its most appropriate target (a DNS server).
The diagram below shows an example of Anycast DNS. A single DNS client workstation, configured with the Anycast DNS IP address of 10.10.10.10, is shown performing DNS resolution against its "closest" of three DNS name servers deployed using the same Anycast IP address.
The client's DNS resolver can resolve against any one of the three DNS servers shown above. According to the drawing above, layer 3 routing would send our DNS client's packets through router R1 due to the routing topology. Should router R1 or Server A fail, our DNS client's packets would automatically be rerouted to the next nearest DNS server via routers R2 and R3, and so forth. Additionally, the route to our Server A would be removed from the routing tables, thus preventing further use of that nameserver. Server A won't be used until it is restored and the Anycast IP address routes are reinjected into the network. In our series we'll go more in depth into Anycast DNS by showing recipes for configuring Anycast using static routes, RIP version 2, OSPF, and BGP, and provide the pros and cons of each.
Anycast, Unicast, Multicast?
Unicast is one source that can "talk" to a service that is advertised or hosted on one (1) node configured with a globally unique IP address. The source will always talk to that target node when configured and told to do so. Traditional DNS deployments use unicasting. DNS clients are configured with different combinations of unicast addresses of DNS servers that are deployed.
Anycast is one source that can "talk" to a service that is advertised or hosted on multiple nodes configured with the same IP Address. Layer 3 routing will route the packets to the "nearest" target based upon topology.
Multicast is one-to-many. Multicast consists of a source that delivers a service to multiple nodes using a Multicast Group Address. The main difference between Multicast and Anycast is that in Multicast the source is a transmitter of a service, and the service is distributed via layer 3 using specially allocated IP group addresses. A common use of multicast is streaming audio, where the audio is published via Multicast Addressing and clients pick up the routed stream as a channel.
The basic requirements for Anycast DNS
The following list is a basic set of requirements and recommendations for supporting Anycast DNS:
- Injection of Anycast IP address(es) into the routed network - This can be accomplished using either static routes or using routing protocols such as RIP, OSPF, or BGP.
- Host-based routing software that supports one of the major routing protocols, such as Quagga Routing Software
- Clients should be configured to resolve DNS queries via the Anycast address(es)
- Nameservers should listen to DNS requests on the Anycast IP addresses
- Nameservers should be configured with at least one Anycast IP address on a loopback interface. Additionally, the server should be configured with a management IP which can be either a physical or an additional loopback interface.
- At least one physical IP must be defined for the exchange of routing information, as well as for system access and maintenance in the absence of the routes to the Anycast IP address(es).
- Nameservers should be configured to use the physical or management IP addresses for zone-transfers, zone updates, and/or query-source because replies might go to a different server than intended.
What are the benefits of Anycast DNS?
- Increased Reliability: Anycast improves the reliability of DNS through the placement of multiple geographically dispersed servers at the same IP address. The redundancy of these DNS servers makes the service more highly available and reliable.
- Load Balancing: Dynamic layer 3 routing of Anycast IP addresses will effectively load balance DNS queries, especially over equal-cost route paths.
- Improved Performance: Packets destined for Anycast DNS servers will be routed to the "nearest" server in the topology. This helps ensure that DNS clients query their local servers first before using remote servers, based upon routing and topology.
- Enhanced Security: Geographically dispersed DNS servers that operate using the same IP address make the DNS service more resilient to DoS and/or DDoS attacks, because it's much tougher to launch attacks on hosts that use duplicated IP address schemes and reside in different parts of the network.
- Localized Impact of DoS Attacks: Successfully launched DoS and/or DDoS attacks will typically be localized and only affect a portion of the entire Anycast DNS group.
- Simplified Client Configuration: Anycast DNS can dramatically simplify the configuration of all DNS client resolvers. It's possible to use the same nameserver IP addresses for ALL DNS client resolvers. Configuring DHCP templates for dynamically configured hosts, as well as imaging or hand-configuring statically configured IP clients, would be dramatically simplified.
- Increased Availability: A DNS Anycast server that becomes unavailable due to failure or routine maintenance will have very little impact on name resolution service because the service routes are withdrawn from the routing tables. Routing will divert this traffic to the new alternate best-path servers in the Anycast group.
What are the drawbacks of using Anycast?
While there are many benefits to Anycast, there are potentially some drawbacks. One could argue that Anycast is:
- More complex to deploy
- More expensive in terms of deployment time, money, and use of IP address space
- More difficult to manage and troubleshoot
- More difficult to monitor
Most of these objections will be addressed in subsequent articles in this series.
Default DNS resolver behavior
DNS client resolvers can be configured with multiple DNS name server targets. Resolvers vary by operating system and have different timeouts. Common DNS resolver behavior is to use the first server in the list. The client resolver will make a distinction between a negative response and no response. In the event the resolver doesn't receive any response (positive or negative), it will typically wait for a timeout value before it switches to the second server in the resolver list. The next time the resolver has to perform a lookup, though, it won't "remember" that the first server in the list was non-responsive. On subsequent queries the resolver will start querying with the first server in the list even though it is unavailable, and we'll see the same timeout as it switches to the next name server in the list. Depending on the operating system of the client this could be 1-5 seconds each time, as it "rotates" through the resolver list and attempts the failed server first.
How Anycast DNS improves on this behavior
Anycast DNS virtually eliminates this issue. Our DNS client resolver is configured with Anycast IP address(es) that map to a group of Anycast DNS servers. As shown above, if one of the Anycast DNS servers were to go down, routing would redirect the requests to an alternate Anycast DNS server configured in the same Anycast group. The failover process is handled by the routing protocol used in the deployment of Anycast. In some cases the delay or timeout seen by the resolver is negligible and undetectable from an end-user perspective.
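The failover described above only works if a broken nameserver actually stops attracting traffic. As an added example (not code from the original article), here is a health-check watchdog a server in the Anycast group could run: it queries its own Anycast address with a hand-built DNS packet and, if the query times out or returns anything other than a positive answer, removes the Anycast address from the loopback interface so the host-based routing software withdraws the route. It assumes Linux with the `ip` tool, a routing daemon that redistributes connected routes, and the constructed record name health.example.com that the local zone is expected to serve.

```python
import random
import socket
import struct
import subprocess

ANYCAST_IP = "10.10.10.10"          # the Anycast address from the article's diagram
CHECK_NAME = "health.example.com."  # constructed: a record the local zone should answer

def build_query(name, qid):
    """Build a minimal DNS query (A record, recursion desired) with transaction ID qid."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def response_ok(query, reply):
    """True only for a matching NOERROR reply that carries at least one answer.
    A negative reply (e.g. NXDOMAIN) means the server is up but not serving the
    expected zone, so it still counts as unhealthy for withdrawal purposes."""
    if len(reply) < 12:
        return False
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False  # transaction ID mismatch, or QR bit clear (not a response)
    return (flags & 0x000F) == 0 and ancount > 0

def probe(server, name=CHECK_NAME, timeout=1.0):
    """Send one query to the nameserver on UDP/53; no reply within timeout is a failure."""
    qid = random.randrange(65536)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return False
    return response_ok(query, reply)

def withdraw_anycast(ip=ANYCAST_IP, dry_run=True):
    """Remove the Anycast address from lo so the routing daemon stops advertising it.
    Returns the command run (or that would be run) for logging."""
    cmd = ["ip", "addr", "del", f"{ip}/32", "dev", "lo"]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return " ".join(cmd)
```

Run `probe(ANYCAST_IP)` from a periodic timer and call `withdraw_anycast(dry_run=False)` only after several consecutive failures, so a single dropped packet does not pull the server out of the group.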
What other services are suitable for Anycast?
Core Network Services, or CNS, such as DNS, NTP, RADIUS, and Kerberos are services that can easily be deployed using the same strategies that we'll outline in our series of recipes. While TCP applications have been shown to function under Anycast, they are connection or session oriented and can be more temperamental with routing changes and updates. Applications that use a single query and response over UDP are better suited because they are connectionless.
Anycast DNS is a tremendous way to improve the performance and resiliency of your DNS architecture whether you are an ISP or private enterprise. In this overview we've shown at a high-level what Anycast is and how it works in theory. Our next article will be the first of several recipes on how to actually configure Anycast using static routes. Additionally, we'll discuss the pros and cons of using static routing as a means to achieving an Anycast DNS design.