SlideShare a Scribd company logo

Authoritative Nameserver Selection and Recursive Resolvers

APNIC, profile picture
APNIC

APNICs Chief Scientist, Geoff Huston, presented on 'Authoritative Nameserver Selection and Recursive Resolvers' at ICANN 82 Community Forum held from 8 to 13 March 2025 in Seattle, Washington.

Internet
1 of 42
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Authoritative Nameserver Selection and Recursive Resolvers Geoff Huston APNIC Labs ICANN 82, March 2025
Nameserver Questions • When configuring nameservers for a domain, or evaluating the various service offerings from nameserver platform providers there are some common questions: • How many nameservers is“right” • Can you have too many nameservers? If so, what number is“too many”? • Unicast vs Anycast? Can I mix them together? • What’s a“good”unicast configuration? • What’s a“good”anycast configuration? • What TTL should I use? • All of these questions are fine, but they need a context. The context here is the behaviour of DNS recursive resolvers.
Nameserver Questions • When presented with multiple authoritative nameservers / multiple IP addresses how do recursive resolvers behave? Once we have a handle on the answer to this question, we can then look at the next one:… • How do we maximize performance and resilience in authoritative nameserver configurations?
The RFC’s say: RFC1034: “The sorting [of nameservers]… may involve statistics from past events, such as previous response times and batting averages.” Batting averages????
Our Measurement • Use a domain with four unicast authoritative nameservers • Direct client systems to resolve unique DNS names using these nameservers • Track queries to each nameserver from each visible recursive resolver
Our Measurement • Use a domain with four dual-stack unicast authoritative nameservers Frankfurt Mumbai Singapore 112ms 267ms 205ms Atlanta 208ms 154ms 60ms
What are we expecting to see? We anticipate seeing a “strong” preference to query the authoritative server with the lowest response time, and a regular querying of all other authoritative servers to see if their response times have changed.
Some Lab Tests: Bind 9 • Observing Bind 9 against the four nameservers using 1 query per second (test resolver is located in au) The resolver tests the other authoritative servers to ensure that its is “attached” to the fastest server. This ‘other server’ test appears to be irregular, with a slight bias towards the second-closest server
Some Lab Tests: Unbound • Observing Unbound against the four nameservers using 1 query per second (test resolver located in au) Unbound is not so clearly attached to the closest server (ap) and also queries Mumbai and Atlanta consistently. The non-selected resolver (Frankfurt) is queried irregularly
Some Lab Tests: Google 8.8.8.8 • Observing Google 8.8.8.8 against the four nameservers using 1 query per second (stub resolver located in au) The Google resolver appears to query all instances regularly. There appears to be a slight preference to use the Singapore (ap) server
Some Lab Tests: Cloudflare 1.1.1.1 • Observing Cloudflare’s 1.1.1.1 resolver against the four nameservers using 1 query per second (stub resolver located in au) There is a visible preference to use the servers located in Singapore (ap) and Mumbai (in)
There is no common recursive resolver behaviour In this small sample set we are not seeing a common behaviour across recursive resolvers • To optimize resolution performance the recursive resolver would prefer to direct most of its queries to the authoritative server that responds in the shortest time • However, the resolver would also like to track all other servers to ensure that its preferred choice of server is still optimal • It is not clear what units of time are used compare servers’ response performance, as some resolvers appear to treat a subset of servers with diverse query/response times as equivalent
Let’s scale up the measurements • We’ll use an ad-based measurement platform to enrol some 25M stub resolvers per day and observe the interaction between the various recursive resolvers used by these stub resolvers and their behaviour against these four unicast authoritative servers
What we see – 1 Hour Profile This is a resolver operated by Bharti Airtel in India: • It appears to spread its query load roughly equally across the servers in Mumbai, Frankfurt and Singapore • But none to Atlanta!
What we see – 12 Hour Profile This resolver passed 2 queries to the server located in Atlanta just 2 times in this 12 hour period From this graph it is not evident if there is any preference between the other three nameservers – but maybe summary numbers can be more informative
A one-week profile of this resolver Server Queries Attachment Time (secs) Longest attached Interval (secs) Atlanta 87 1 0 Singapore 611,992 202,012 725 Frankfurt 581,799 183,051 637 Mumbai 300,751 32,153 580 How many seconds did the resolver “latch” onto this server? What was the longest period spent asking ONLY this server A large recursive resolver, located in India, appears to prefer distant servers that are located in Singapore and Frankfurt over a server located in Mumbai
8 Day Profile of 100 Resolvers The 100 recursive resolvers that processed the largest number of queries in an 8-day period (1 Dec – 8 Dec) The size of the point indicates the relative amount of time the resolver appears to “latch” onto an individual server Most queries Fewer queries
What proportion of Resolvers show “Attachment Preference”? • Use the most active 1,000 recursive resolvers • Define an “attachment preference” as maintaining an authoritative server selection for more than 60% of the time • 616 out of these 1,000 recursive resolvers show a strong attachment preference • Define “NO attachment preference” as having the major attachment for no more than 40% of the time • 53 out of the 1,000 recursive resolvers show a no attachment preference
How “good” is this attachment preference? • Do recursive resolvers who have a strong attachment end up attaching to the server that is “nearest” to them? • Let’s combine ping RTT measurements with these resolver / server measurements
For example: 2a01:e00:ffff:53:2::13 is a recursive resolver operated by free.fr in France RTT Measurements for this resolver. The ping measurements for this resolver are: Atlanta – 95.3ms Singapore - 307.5ms Frankfurt – 9.8ms Mumbai – 241.6 ms This resolver (located in Paris, France) was observed to query the Atlanta server 70% of the time, a resolver that was 85ms further “away” than the closest resolver (located in Frankfurt)
Results • Of the 661 recursive resolvers that showed strong “attachment” for a single resolver (queried one server more than 60% of the time) • 498 recursive resolvers responded to ping requests • Of these 498 resolvers: • 199 resolvers chose the server that had the lowest ping time • The other 299 chose a more distant server • The average additional RTT between the chosen server and the closest server for these 299 resolvers was 142.3ms
Distribution of “Mismatch Times” There is a strong signal of a time mismatch of <= 150ms Is this indicative of some form of rounding of the resolvers’ internal recursive-to- authoritative delay timers of to a unit of 150 ms increments?
What is this data telling us? • You can’t rely on the preference algorithm used by today’s recursive resolvers to make an optimal selection across a dispersed set of unicast servers that will select the fastest authoritative server i.e. even if you do a great job of deploying diverse unicast nameservers, recursive resolvers will likely muck it up and make sub-optimal selections of their“preferred”nameserver!
How should you deploy a set of nameservers? Assuming that you want to optimize both performance and availability… • A distributed collection of unicast nameservers is not going to give the best possible result • Many recursive resolvers are not only poor at latching on to the fastest nameserver, but they latch onto a more distant nameserver, giving a worse resolution performance for non-cached name resolution • Perhaps a better approach is to use anycast nameservers • What do other domains do for their nameserver configuration?
Let’s look the Root Zone • A small set of relatively intensely used domains whose performance and reliability is (supposedly) critical
Profile of the Use of Nameservers Root Zone: • TLDs: 1,445 • Authoritative Nameservers: 5,998 • Average Nameservers per TLD: 4.2 • Distribution of Nameservers per TLD show strong preference for 4 or 6 nameserver names • Dual Stack Nameservers: 5,687 • IPv4-only Nameservers: 321 • IPv6-only Nameservers: 3
Unicast vs Anycast – Root TLD Nameservers • Unique IP addresses of nameservers: 9,014 • Unicast IP addresses: 587 • “Limited” Anycast addresses: 5,868 (rtt variance > 150ms) • “Diverse”Anycast IP addresses: 2,559 (rtt variance < 150ms)
Unicast vs Anycast • TLDs served by only unicast nameservers: 8 • TLDs served by a mix of unicast and anycast servers: 378 • TLDs served by anycast servers only: 1,067 • TLDs served only by diverse anycast: 289 • TLDs served only by limited anycast: 202 • TLDs served by limited and diverse anycast: 576
AS Diversity • In the root zone there are just 6 TLDs where all the zone’s nameservers are held in a single AS (and only 1 in a diverse anycast configuration) • On average each TLD has 10.1 distinct IP addresses of nameservers • On average each TLD has nameservers located in 3.4 origin Ases
Tranco Top 1M Name set 20% 63%
Nameserver Distribution • 119,544 domains, or 12% of the total domain set, are each served by a (different) single IP address! • 44,229 domains are served by just two IP addresses • 13,498 domains are served by just three IP addresses. At the other end of this distribution, there are two IP addresses that each serve 13,278 domains and a further four IP addresses that serve some 12,400 domains.
Platform Concentration Domains AS AS name, CC 364,918 13335 CLOUDFLARENET, US 109,766 16509 AMAZON-02, US 51,642 44273 GODADDY-DNS, DE 23,539 397239 SECURITYSERVICES, US 15,212 16276 OVH, FR 14,155 15169 GOOGLE, US 13,710 8075 MICROSOFT, US 11,637 24940 HETZNER-AS, DE 10,731 37963 ALIBABA-CN-NET, CN 10,198 21342 AKAMAI-ASN2, NL 9,775 16552 TIGGEE, US 8,263 8560 IONOS-AS, DE 7,881 62597 NSONE, US
Platform Type Unicast-only platform 205,204 Mixed Unicast and Anycast platforms 80,442 Anycast-only platform 562,364 Diverse Anycast 369,254 Limited Anycast 102,882 Mixed Diverse and Limited Anycast 90,228 Outside of Cloudflare’s service portfolio few domains Are served using a large-scale diverse anycast nameserver configuration There is still a significant “legacy” group of domains served by unicast nameserver platforms
Observations (1/3) • DNS recursive resolvers do not, on average, make an accurate selection of the “fastest” nameserver • Which negates any potential performance benefits of a nameserver deployment approach of a geographically diverse collection of unicast nameservers • Many recursive resolvers appear to use a timer with a granularity of around 150ms to select the“fastest”nameserver
Observations (2/3) • Anycast nameserver deployments can produce better outcomes, but the effectiveness of this approach depends on the density of the anycast constellation • Limited density anycast constellations may produce sub-optimal outcomes for some clients
Observations (3/3) Resilience can be provided through the use of multiple anycast service platforms • How many such platforms is“optimal”is an open question • More is not necessarily incrementally better, which leads to a suggestion of the use of 2 or 3 diverse anycast platforms, depending on the level of failover resilience you are after
Questions?
Overflow Slides
Recent(ish) work “Recursives in the Wild: Engineering Authoritative DNS Servers” Muller, Moura, Schmidt, Heidemann, 2017 https://ant.isi.edu/~johnh/PAPERS/Mueller17b.pdf “To meet their goals of minimizing latency and balancing load across NSes and anycast, operators need to know how recursive resolvers select an NS, and how that interacts with their NS deployments.” “… all name servers in a DNS service for a zone need to be consistently provisioned (with reasonable anycast) to provide consistent low latency to users.”
Recent(ish) work “Secure Nameserver Selection Algorithm for DNS Resolvers” Zhang, Liu, Song, Huque, October 2024 https://datatracker.ietf.org/doc/draft-zhang-dnsop-ns-selection/ “Nameserver selection algorithms employed by DNS resolvers are not currently standardized in the DNS protocol” The document contains an informal description of the selection algorithms used in a number of commonly used recursive resolvers (Bind 9, Unbound, Knot, PowerDNS, Microsoft DNS)
Unicast vs Anycast How many of these IP addresses are carried in an anycast cloud? • Query the IP address from a diverse set of locations(Atlanta, Frankfurt, Sao Paulo, Singapore, Australia) • If the Name Server ID (NSID) is constant when queried from a diverse set of queries, then its reasonable to assume that the server’s IP address is not part of an anycast cloud (as we anticipate that different anycast instances will give a different NSID response) • If the variance of DNS query times is not sufficiently large, then its reasonable to assume that the server’s IP address is part of an anycast service cloud.
BUT - DNSSEC • The combination of multiple diverse nameserver providers, a DNSSEC-signed domain name, and online signing introduces some operational fragility, particularly when managing key rollover and algorithm rolls • This is still a not well charted space and operational incidents that impact TLD availability still occur

More Related Content

PDF
Authoritative Nameserver Selection and Recursive Resolvers
APNIC
 
PDF
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
PDF
RIPE 82: Measuring Recursive Resolver Centrality
APNIC
 
PDF
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
APNIC
 
PDF
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
PDF
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
APNIC
 
PDF
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
PDF
DNS-OARC 38: The resolvers we use
APNIC
 
Authoritative Nameserver Selection and Recursive Resolvers
APNIC
 
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
RIPE 82: Measuring Recursive Resolver Centrality
APNIC
 
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
APNIC
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
DNS-OARC 38: The resolvers we use
APNIC
 

Similar to Authoritative Nameserver Selection and Recursive Resolvers (20)

PDF
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
PDF
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
 
PDF
DNS Measurements
AFRINIC
 
PDF
OARC 31: NSEC Caching Revisited
APNIC
 
PPTX
Computer Networks & internet protocols.pptx
jesudossai2
 
PDF
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
PDF
Client Drivers and Cassandra, the Right Way
DataStax Academy
 
PDF
OARD 30: What part of 'NO' is so hard for the DNS to understand?
APNIC
 
PPTX
Fastest Servlets in the West
Stuart (Pid) Williams
 
PDF
RIPE 86: DNSSEC — Yes or No?
APNIC
 
PPTX
Zookeeper Tutorial for beginners
jeetendra mandal
 
PDF
Re-Engineering the Root of the DNS
APNIC
 
PDF
Testing Rolling Roots
APNIC
 
PDF
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Dakiry
 
PDF
Oleksandr Khotemskyi - Serverless architecture and how to apply it in Automa...
Web Tech Fun
 
PPT
Load Test Drupal Site Using JMeter and Amazon AWS
Vladimir Ilic
 
PPTX
Test talk academy apachejmeter-120521121306-phpapp02
veeru madduri
 
PDF
Presto at Tivo, Boston Hadoop Meetup
Justin Borgman
 
PDF
2 technical-dns-workshop-day1
DNS Entrepreneurship Center
 
PPTX
IPv6 and the DNS, RIPE 73
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
 
DNS Measurements
AFRINIC
 
OARC 31: NSEC Caching Revisited
APNIC
 
Computer Networks & internet protocols.pptx
jesudossai2
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Client Drivers and Cassandra, the Right Way
DataStax Academy
 
OARD 30: What part of 'NO' is so hard for the DNS to understand?
APNIC
 
Fastest Servlets in the West
Stuart (Pid) Williams
 
RIPE 86: DNSSEC — Yes or No?
APNIC
 
Zookeeper Tutorial for beginners
jeetendra mandal
 
Re-Engineering the Root of the DNS
APNIC
 
Testing Rolling Roots
APNIC
 
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Dakiry
 
Oleksandr Khotemskyi - Serverless architecture and how to apply it in Automa...
Web Tech Fun
 
Load Test Drupal Site Using JMeter and Amazon AWS
Vladimir Ilic
 
Test talk academy apachejmeter-120521121306-phpapp02
veeru madduri
 
Presto at Tivo, Boston Hadoop Meetup
Justin Borgman
 
2 technical-dns-workshop-day1
DNS Entrepreneurship Center
 
IPv6 and the DNS, RIPE 73
APNIC
 
Ad

More from APNIC (20)

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
APNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
APNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
PDF
Make DDoS expensive for the threat actors
APNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
The Internet - By the numbers, presented at npNOG 11
APNIC
 
Transmission Control Protocol (TCP) and Starlink
APNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
Make DDoS expensive for the threat actors
APNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
Ad

Recently uploaded (20)

PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PPT
Ethics in Information System - Management Information System
faizhossain3
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
Database Information System - Management Information System
faizhossain3
 
PDF
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
KinchitJain2
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPT
250152213-Excitation-SystemWERRT (1).ppt
woldemariamworku2
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPTX
t_and_OpenAI_Combined_two_pressentations
wuvjwfnaadbnzelauy
 
PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPT
415456121-Jiwratrwecdtwfdsfwgdwedvwe dbwsdjsadca-EVN.ppt
woldemariamworku2
 
PPTX
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
Ethics in Information System - Management Information System
faizhossain3
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Database Information System - Management Information System
faizhossain3
 
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
KinchitJain2
 
artificial intelligence overview of it and more
yafotin445
 
250152213-Excitation-SystemWERRT (1).ppt
woldemariamworku2
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
Internet___Basics___Styled_ presentation
poonam62133
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
t_and_OpenAI_Combined_two_pressentations
wuvjwfnaadbnzelauy
 
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
415456121-Jiwratrwecdtwfdsfwgdwedvwe dbwsdjsadca-EVN.ppt
woldemariamworku2
 
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 

Authoritative Nameserver Selection and Recursive Resolvers

  • 1. Authoritative Nameserver Selection and Recursive Resolvers Geoff Huston APNIC Labs ICANN 82, March 2025
  • 2. Nameserver Questions • When configuring nameservers for a domain, or evaluating the various service offerings from nameserver platform providers there are some common questions: • How many nameservers is“right” • Can you have too many nameservers? If so, what number is“too many”? • Unicast vs Anycast? Can I mix them together? • What’s a“good”unicast configuration? • What’s a“good”anycast configuration? • What TTL should I use? • All of these questions are fine, but they need a context. The context here is the behaviour of DNS recursive resolvers.
  • 3. Nameserver Questions • When presented with multiple authoritative nameservers / multiple IP addresses how do recursive resolvers behave? Once we have a handle on the answer to this question, we can then look at the next one:… • How do we maximize performance and resilience in authoritative nameserver configurations?
  • 4. The RFC’s say: RFC1034: “The sorting [of nameservers]… may involve statistics from past events, such as previous response times and batting averages.” Batting averages????
  • 5. Our Measurement • Use a domain with four unicast authoritative nameservers • Direct client systems to resolve unique DNS names using these nameservers • Track queries to each nameserver from each visible recursive resolver
  • 6. Our Measurement • Use a domain with four dual-stack unicast authoritative nameservers Frankfurt Mumbai Singapore 112ms 267ms 205ms Atlanta 208ms 154ms 60ms
  • 7. What are we expecting to see? We anticipate seeing a “strong” preference to query the authoritative server with the lowest response time, and a regular querying of all other authoritative servers to see if their response times have changed.
  • 8. Some Lab Tests: Bind 9 • Observing Bind 9 against the four nameservers using 1 query per second (test resolver is located in au) The resolver tests the other authoritative servers to ensure that its is “attached” to the fastest server. This ‘other server’ test appears to be irregular, with a slight bias towards the second-closest server
  • 9. Some Lab Tests: Unbound • Observing Unbound against the four nameservers using 1 query per second (test resolver located in au) Unbound is not so clearly attached to the closest server (ap) and also queries Mumbai and Atlanta consistently. The non-selected resolver (Frankfurt) is queried irregularly
  • 10. Some Lab Tests: Google 8.8.8.8 • Observing Google 8.8.8.8 against the four nameservers using 1 query per second (stub resolver located in au) The Google resolver appears to query all instances regularly. There appears to be a slight preference to use the Singapore (ap) server
  • 11. Some Lab Tests: Cloudflare 1.1.1.1 • Observing Cloudflare’s 1.1.1.1 resolver against the four nameservers using 1 query per second (stub resolver located in au) There is a visible preference to use the servers located in Singapore (ap) and Mumbai (in)
  • 12. There is no common recursive resolver behaviour In this small sample set we are not seeing a common behaviour across recursive resolvers • To optimize resolution performance the recursive resolver would prefer to direct most of its queries to the authoritative server that responds in the shortest time • However, the resolver would also like to track all other servers to ensure that its preferred choice of server is still optimal • It is not clear what units of time are used compare servers’ response performance, as some resolvers appear to treat a subset of servers with diverse query/response times as equivalent
  • 13. Let’s scale up the measurements • We’ll use an ad-based measurement platform to enrol some 25M stub resolvers per day and observe the interaction between the various recursive resolvers used by these stub resolvers and their behaviour against these four unicast authoritative servers
  • 14. What we see – 1 Hour Profile This is a resolver operated by Bharti Airtel in India: • It appears to spread its query load roughly equally across the servers in Mumbai, Frankfurt and Singapore • But none to Atlanta!
  • 15. What we see – 12 Hour Profile This resolver passed 2 queries to the server located in Atlanta just 2 times in this 12 hour period From this graph it is not evident if there is any preference between the other three nameservers – but maybe summary numbers can be more informative
  • 16. A one-week profile of this resolver Server Queries Attachment Time (secs) Longest attached Interval (secs) Atlanta 87 1 0 Singapore 611,992 202,012 725 Frankfurt 581,799 183,051 637 Mumbai 300,751 32,153 580 How many seconds did the resolver “latch” onto this server? What was the longest period spent asking ONLY this server A large recursive resolver, located in India, appears to prefer distant servers that are located in Singapore and Frankfurt over a server located in Mumbai
  • 17. 8 Day Profile of 100 Resolvers The 100 recursive resolvers that processed the largest number of queries in an 8-day period (1 Dec – 8 Dec) The size of the point indicates the relative amount of time the resolver appears to “latch” onto an individual server Most queries Fewer queries
  • 18. What proportion of Resolvers show “Attachment Preference”? • Use the most active 1,000 recursive resolvers • Define an “attachment preference” as maintaining an authoritative server selection for more than 60% of the time • 616 out of these 1,000 recursive resolvers show a strong attachment preference • Define “NO attachment preference” as having the major attachment for no more than 40% of the time • 53 out of the 1,000 recursive resolvers show a no attachment preference
  • 19. How “good” is this attachment preference? • Do recursive resolvers who have a strong attachment end up attaching to the server that is “nearest” to them? • Let’s combine ping RTT measurements with these resolver / server measurements
  • 20. For example: 2a01:e00:ffff:53:2::13 is a recursive resolver operated by free.fr in France RTT Measurements for this resolver. The ping measurements for this resolver are: Atlanta – 95.3ms Singapore - 307.5ms Frankfurt – 9.8ms Mumbai – 241.6 ms This resolver (located in Paris, France) was observed to query the Atlanta server 70% of the time, a resolver that was 85ms further “away” than the closest resolver (located in Frankfurt)
  • 21. Results • Of the 661 recursive resolvers that showed strong “attachment” for a single resolver (queried one server more than 60% of the time) • 498 recursive resolvers responded to ping requests • Of these 498 resolvers: • 199 resolvers chose the server that had the lowest ping time • The other 299 chose a more distant server • The average additional RTT between the chosen server and the closest server for these 299 resolvers was 142.3ms
  • 22. Distribution of “Mismatch Times” There is a strong signal of a time mismatch of <= 150ms Is this indicative of some form of rounding of the resolvers’ internal recursive-to- authoritative delay timers of to a unit of 150 ms increments?
  • 23. What is this data telling us? • You can’t rely on the preference algorithm used by today’s recursive resolvers to make an optimal selection across a dispersed set of unicast servers that will select the fastest authoritative server i.e. even if you do a great job of deploying diverse unicast nameservers, recursive resolvers will likely muck it up and make sub-optimal selections of their“preferred”nameserver!
  • 24. How should you deploy a set of nameservers? Assuming that you want to optimize both performance and availability… • A distributed collection of unicast nameservers is not going to give the best possible result • Many recursive resolvers are not only poor at latching on to the fastest nameserver, but they latch onto a more distant nameserver, giving a worse resolution performance for non-cached name resolution • Perhaps a better approach is to use anycast nameservers • What do other domains do for their nameserver configuration?
  • 25. Let’s look the Root Zone • A small set of relatively intensely used domains whose performance and reliability is (supposedly) critical
  • 26. Profile of the Use of Nameservers Root Zone: • TLDs: 1,445 • Authoritative Nameservers: 5,998 • Average Nameservers per TLD: 4.2 • Distribution of Nameservers per TLD show strong preference for 4 or 6 nameserver names • Dual Stack Nameservers: 5,687 • IPv4-only Nameservers: 321 • IPv6-only Nameservers: 3
  • 27. Unicast vs Anycast – Root TLD Nameservers • Unique IP addresses of nameservers: 9,014 • Unicast IP addresses: 587 • “Limited” Anycast addresses: 5,868 (rtt variance > 150ms) • “Diverse”Anycast IP addresses: 2,559 (rtt variance < 150ms)
  • 28. Unicast vs Anycast • TLDs served by only unicast nameservers: 8 • TLDs served by a mix of unicast and anycast servers: 378 • TLDs served by anycast servers only: 1,067 • TLDs served only by diverse anycast: 289 • TLDs served only by limited anycast: 202 • TLDs served by limited and diverse anycast: 576
  • 29. AS Diversity • In the root zone there are just 6 TLDs where all the zone’s nameservers are held in a single AS (and only 1 in a diverse anycast configuration) • On average each TLD has 10.1 distinct IP addresses of nameservers • On average each TLD has nameservers located in 3.4 origin Ases
  • 30. Tranco Top 1M Name set 20% 63%
  • 31. Nameserver Distribution • 119,544 domains, or 12% of the total domain set, are each served by a (different) single IP address! • 44,229 domains are served by just two IP addresses • 13,498 domains are served by just three IP addresses. At the other end of this distribution, there are two IP addresses that each serve 13,278 domains and a further four IP addresses that serve some 12,400 domains.
  • 32. Platform Concentration Domains AS AS name, CC 364,918 13335 CLOUDFLARENET, US 109,766 16509 AMAZON-02, US 51,642 44273 GODADDY-DNS, DE 23,539 397239 SECURITYSERVICES, US 15,212 16276 OVH, FR 14,155 15169 GOOGLE, US 13,710 8075 MICROSOFT, US 11,637 24940 HETZNER-AS, DE 10,731 37963 ALIBABA-CN-NET, CN 10,198 21342 AKAMAI-ASN2, NL 9,775 16552 TIGGEE, US 8,263 8560 IONOS-AS, DE 7,881 62597 NSONE, US
  • 33. Platform Type Unicast-only platform 205,204 Mixed Unicast and Anycast platforms 80,442 Anycast-only platform 562,364 Diverse Anycast 369,254 Limited Anycast 102,882 Mixed Diverse and Limited Anycast 90,228 Outside of Cloudflare’s service portfolio few domains Are served using a large-scale diverse anycast nameserver configuration There is still a significant “legacy” group of domains served by unicast nameserver platforms
  • 34. Observations (1/3) • DNS recursive resolvers do not, on average, make an accurate selection of the “fastest” nameserver • Which negates any potential performance benefits of a nameserver deployment approach of a geographically diverse collection of unicast nameservers • Many recursive resolvers appear to use a timer with a granularity of around 150ms to select the“fastest”nameserver
  • 35. Observations (2/3) • Anycast nameserver deployments can produce better outcomes, but the effectiveness of this approach depends on the density of the anycast constellation • Limited density anycast constellations may produce sub-optimal outcomes for some clients
  • 36. Observations (3/3) Resilience can be provided through the use of multiple anycast service platforms • How many such platforms is“optimal”is an open question • More is not necessarily incrementally better, which leads to a suggestion of the use of 2 or 3 diverse anycast platforms, depending on the level of failover resilience you are after
  • 39. Recent(ish) work “Recursives in the Wild: Engineering Authoritative DNS Servers” Muller, Moura, Schmidt, Heidemann, 2017 https://ant.isi.edu/~johnh/PAPERS/Mueller17b.pdf “To meet their goals of minimizing latency and balancing load across NSes and anycast, operators need to know how recursive resolvers select an NS, and how that interacts with their NS deployments.” “… all name servers in a DNS service for a zone need to be consistently provisioned (with reasonable anycast) to provide consistent low latency to users.”
  • 40. Recent(ish) work “Secure Nameserver Selection Algorithm for DNS Resolvers” Zhang, Liu, Song, Huque, October 2024 https://datatracker.ietf.org/doc/draft-zhang-dnsop-ns-selection/ “Nameserver selection algorithms employed by DNS resolvers are not currently standardized in the DNS protocol” The document contains an informal description of the selection algorithms used in a number of commonly used recursive resolvers (Bind 9, Unbound, Knot, PowerDNS, Microsoft DNS)
  • 41. Unicast vs Anycast How many of these IP addresses are carried in an anycast cloud? • Query the IP address from a diverse set of locations(Atlanta, Frankfurt, Sao Paulo, Singapore, Australia) • If the Name Server ID (NSID) is constant when queried from a diverse set of queries, then its reasonable to assume that the server’s IP address is not part of an anycast cloud (as we anticipate that different anycast instances will give a different NSID response) • If the variance of DNS query times is not sufficiently large, then its reasonable to assume that the server’s IP address is part of an anycast service cloud.
  • 42. BUT - DNSSEC • The combination of multiple diverse nameserver providers, a DNSSEC-signed domain name, and online signing introduces some operational fragility, particularly when managing key rollover and algorithm rolls • This is still a not well charted space and operational incidents that impact TLD availability still occur