Recursives in the wild: engineering authoritative DNS servers

The Domain Name System (DNS) is a critical part of the internet infrastructure and maps domain names to IP addresses in a distributed way. DNS queries can form a noticeable part of web latency [1], which is why we investigated how DNS operators like SIDN are able to reduce DNS response times.

Data analysis

We currently run 8 separate servers for .nl, of which 5 are unicast and 3 use anycast across more than 80 sites. Recursive resolvers can choose any of the 8 servers to send their queries to. Previous research [2] has shown that recursive resolvers use different strategies for selecting a name server. Some take the round trip time (RTT) of a server into account, others choose a server randomly. However, that research did not estimate how prevalent these strategies are on the internet. Therefore, we ran our own measurement with 9000 RIPE Atlas probes querying a test domain, using 7 different name server setups with up to 4 servers spread across the world.

Key findings

We discovered that up to 69% of recursive resolvers send the majority of their queries to the fastest responding name server. However, there is always a share of queries that is sent to the slower responding authoritatives as well. Also, in some scenarios, 41% of recursive resolvers do not prefer the fastest responding authoritative. Spreading queries in this way can increase reliability and security, but it also means that many queries are still not served as quickly as possible.
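The kind of per-resolver classification behind figures like these can be sketched as follows. This is an added example, not code from the technical report: the record layout, the function names, the use of the median RTT and the `min_queries` cut-off are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed measurement records: (resolver, authoritative that answered, RTT in ms).
SAMPLE = (
    [("r-us-1", "auth-us", 10.0)] * 8 + [("r-us-1", "auth-nl", 85.0)] * 2
    + [("r-us-2", "auth-us", 12.0)] * 5 + [("r-us-2", "auth-nl", 90.0)] * 5
    + [("r-eu-1", "auth-nl", 9.0)] * 3
    + [("r-eu-2", "auth-nl", 8.0)] * 6 + [("r-eu-2", "auth-us", 95.0)] * 1
)

def per_resolver_stats(records, min_queries=5):
    """Map resolver -> (queries to its fastest authoritative, total queries),
    or None when the resolver cannot be judged."""
    seen = defaultdict(lambda: defaultdict(list))
    for resolver, auth, rtt_ms in records:
        seen[resolver][auth].append(rtt_ms)
    stats = {}
    for resolver, auths in seen.items():
        total = sum(len(rtts) for rtts in auths.values())
        # A resolver seen at only one authoritative gives no RTT to compare against.
        if total < min_queries or len(auths) < 2:
            stats[resolver] = None
            continue
        fastest = min(auths, key=lambda a: median(auths[a]))
        stats[resolver] = (len(auths[fastest]), total)
    return stats

def summarize(records, min_queries=5):
    """Share of judged resolvers sending a majority (>50%) of queries to their
    fastest authoritative, and share of queries that still go to a slower one."""
    stats = {r: s for r, s in per_resolver_stats(records, min_queries).items() if s}
    if not stats:
        return {"judged": 0, "prefers_fastest_pct": 0.0, "slow_query_pct": 0.0}
    prefer = sum(1 for fast, total in stats.values() if fast / total > 0.5)
    fast_q = sum(fast for fast, _ in stats.values())
    all_q = sum(total for _, total in stats.values())
    return {
        "judged": len(stats),
        "prefers_fastest_pct": round(100 * prefer / len(stats), 1),
        "slow_query_pct": round(100 * (all_q - fast_q) / all_q, 1),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Even the resolvers classed as preferring the fastest authoritative contribute to `slow_query_pct`, which is the share that an operator cannot reduce by relying on resolver behaviour.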

Conclusion

That observation led us to the conclusion that DNS operators should not rely on the selection strategies of recursive resolvers but should actively optimise their own set-ups to decrease the response times. For example, a request from a recursive resolver in the U.S. to a unicast name server located in the Netherlands will always take at least 70 ms to be answered, due to the sheer distance between the two continents. However, from our measurements we now know that recursive resolvers in the U.S. will still send a significant share of their queries to this authoritative, despite the fact that there are authoritatives in the same country. Thus, we recommend that all of a DNS operator's name servers should be deployed as an anycast service, with sites equally spread across the world. With a set-up like that, it does not matter which name server a recursive selects. The routing protocol BGP will (hopefully) make sure that it gets directed to a name server site nearby, which can answer the query as fast as possible.

Use for .nl

We discussed our findings with our operations team and recommended phasing out our unicast name servers and replacing at least some of them with well-connected anycast name servers. We will keep our readers posted about further developments.

Technical report

We have released a technical report with our detailed findings. The report is publicly available at this site.

Joint work

The technical report has been produced jointly by Moritz Müller (SIDN Labs), Giovane C. M. Moura (SIDN Labs), Ricardo de O. Schmidt (University of Twente), and John Heidemann (USC/ISI). The datasets underpinning the paper were measured with RIPE Atlas and are available at http://traces.simpleweb.org/ and at https://ant.isi.edu/datasets/.

References

[1] A. Singla, B. Chandrasekaran, P. Godfrey, and B. Maggs. The internet at the speed of light. In Proceedings of the 13th ACM Workshop on Hot Topics in Networks, pages 1–7. ACM, Oct. 2014.

[2] Y. Yu, D. Wessels, M. Larson, and L. Zhang. Authority Server Selection in DNS Caching Resolvers. SIGCOMM Computer Communication Review, 42(2):80–86, Mar. 2012.


Moritz Müller

Research engineer

+31 26 352 55 00

moritz.muller@sidn.nl
